Add the interactive shell prompt with sessions

Author: OJ

lib/rex/post/meterpreter/extensions/powershell/powershell.rb

@@ -31,14 +31,29 @@ def initialize(client)
   end
 
 
-  def execute_string(code)
+  def execute_string(opts={})
+    return nil unless opts[:code]
+
     request = Packet.create_request('powershell_execute')
-    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, code)
+    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, opts[:code])
+    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
 
     response = client.send_request(request)
     return response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
   end
 
+  def shell(opts={})
+    request = Packet.create_request('powershell_shell')
+    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
+
+    response = client.send_request(request)
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+    if channel_id.nil?
+      raise Exception, "We did not get a channel back!"
+    end
+    Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS)
+  end
+
 end
 
 end; end; end; end; end

lib/rex/post/meterpreter/extensions/powershell/tlv.rb

@@ -5,8 +5,9 @@ module Meterpreter
 module Extensions
 module Powershell
 
-TLV_TYPE_POWERSHELL_CODE             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
-TLV_TYPE_POWERSHELL_RESULT           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_POWERSHELL_SESSIONID        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
+TLV_TYPE_POWERSHELL_CODE             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_POWERSHELL_RESULT           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
 
 end
 end

lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb

@@ -29,16 +29,52 @@ def name
   #
   def commands
     {
-      'powershell_execute'            => 'Execute a Powershell command string',
+      'powershell_shell'    => 'Create an interactive Powershell prompt',
+      'powershell_execute'  => 'Execute a Powershell command string'
     }
   end
 
+  @@powershell_shell_opts = Rex::Parser::Arguments.new(
+    '-s' => [true, 'Specify the id/name of the Powershell session to interact with.'],
+    '-h' => [false, 'Help banner']
+  )
+
+  def powershell_shell_usage
+    print_line('Usage: powershell_shell [-s session-id]')
+    print_line
+    print_line('Creates an interactive Powershell prompt.')
+    print_line(@@powershell_shell_opts.usage)
+  end
+
+  #
+  # Create an interactive powershell prompts
+  #
+  def cmd_powershell_shell(*args)
+    if args.include?('-h')
+      powershell_shell_usage
+      return false
+    end
+
+    opts = {}
+
+    @@powershell_shell_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-s'
+        opts[:session_id] = val
+      end
+    }
+
+    channel = client.powershell.shell(opts)
+    shell.interact_with_channel(channel)
+  end
+
   @@powershell_execute_opts = Rex::Parser::Arguments.new(
+    '-s' => [true, 'Specify the id/name of the Powershell session to run the command in.'],
     '-h' => [false, 'Help banner']
   )
 
   def powershell_execute_usage
-    print_line('Usage: powershell_execute <powershell code>')
+    print_line('Usage: powershell_execute <powershell code> [-s session-id]')
     print_line
     print_line('Runs the given Powershell string on the target.')
     print_line(@@powershell_execute_opts.usage)
@@ -53,16 +89,18 @@ def cmd_powershell_execute(*args)
       return false
     end
 
-    code = args.shift
+    opts = {
+      code: args.shift
+    }
 
     @@powershell_execute_opts.parse(args) { |opt, idx, val|
-      #case opt
-      #when '-r'
-      #  result_var = val
-      #end
+      case opt
+      when '-s'
+        opts[:session_id] = val
+      end
     }
 
-    result = client.powershell.execute_string(code)
+    result = client.powershell.execute_string(opts)
     print_good("Command execution completed:\n#{result}")
   end