Land rapid7#6710, Add Powershell meterpreter bindings

Brent Cook · Brent Cook · commit 04caa9affded · 2016-04-01T21:32:26.000-05:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -13,7 +13,7 @@ PATH
       metasploit-concern
       metasploit-credential (= 1.1.0)
       metasploit-model (= 1.1.0)
-      metasploit-payloads (= 1.1.5)
+      metasploit-payloads (= 1.1.6)
       metasploit_data_models (= 1.3.0)
       msgpack
       network_interface (~> 0.0.1)
@@ -130,7 +130,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.1.5)
+    metasploit-payloads (1.1.6)
     metasploit_data_models (1.3.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
diff --git a/lib/rex/post/meterpreter/extensions/powershell/powershell.rb b/lib/rex/post/meterpreter/extensions/powershell/powershell.rb
@@ -31,6 +31,30 @@ def initialize(client)
   end
 
 
+  def import_file(opts={})
+    return nil unless opts[:file]
+
+    # if it's a script, then we'll just use execute_string
+    if opts[:file].end_with?('.ps1')
+      opts[:code] = ::File.read(opts[:file])
+      return execute_string(opts)
+    end
+
+    # if it's a dll (hopefully a .NET 2.0 one) then do something different
+    if opts[:file].end_with?('.dll')
+      # TODO: perhaps do some kind of check to see if the DLL is a .NET assembly?
+      binary = ::File.read(opts[:file])
+
+      request = Packet.create_request('powershell_assembly_load')
+      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length)
+      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
+      client.send_request(request)
+      return true
+    end
+
+    return false
+  end
+
   def execute_string(opts={})
     return nil unless opts[:code]
 
diff --git a/lib/rex/post/meterpreter/extensions/powershell/tlv.rb b/lib/rex/post/meterpreter/extensions/powershell/tlv.rb
@@ -8,6 +8,8 @@ module Powershell
 TLV_TYPE_POWERSHELL_SESSIONID        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
 TLV_TYPE_POWERSHELL_CODE             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
 TLV_TYPE_POWERSHELL_RESULT           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
+TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE    = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 4)
+TLV_TYPE_POWERSHELL_ASSEMBLY         = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 5)
 
 end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb
@@ -29,6 +29,7 @@ def name
   #
   def commands
     {
+      'powershell_import'   => 'Import a PS1 script or .NET Assembly DLL',
       'powershell_shell'    => 'Create an interactive Powershell prompt',
       'powershell_execute'  => 'Execute a Powershell command string'
     }
@@ -68,6 +69,51 @@ def cmd_powershell_shell(*args)
     shell.interact_with_channel(channel)
   end
 
+  @@powershell_import_opts = Rex::Parser::Arguments.new(
+    '-s' => [true, 'Specify the id/name of the Powershell session to run the command in.'],
+    '-h' => [false, 'Help banner']
+  )
+
+  def powershell_import_usage
+    print_line('Usage: powershell_import <path to file> [-s session-id]')
+    print_line
+    print_line('Imports a powershell script or assembly into the target.')
+    print_line('The file must end in ".ps1" or ".dll".')
+    print_line('Powershell scripts can be loaded into any session (via -s).')
+    print_line('.NET assemblies are applied to all sessions.')
+    print_line(@@powershell_import_opts.usage)
+  end
+
+  #
+  # Import a script or assembly component into the target.
+  #
+  def cmd_powershell_import(*args)
+    if args.length == 0 || args.include?('-h')
+      powershell_import_usage
+      return false
+    end
+
+    opts = {
+      file: args.shift
+    }
+
+    @@powershell_import_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-s'
+        opts[:session_id] = val
+      end
+    }
+
+    result = client.powershell.import_file(opts)
+    if result.nil? || result == false
+      print_error("File failed to load.")
+    elsif result == true || result.empty?
+      print_good("File successfully imported. No result was returned.")
+    else
+      print_good("File successfully imported. Result:\n#{result}")
+    end
+  end
+
   @@powershell_execute_opts = Rex::Parser::Arguments.new(
     '-s' => [true, 'Specify the id/name of the Powershell session to run the command in.'],
     '-h' => [false, 'Help banner']
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.1.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.1.5'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.6'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.
