Land rapid7#6691, initial meterpreter powershell extension support

Author: Brent Cook

Gemfile.lock

@@ -13,7 +13,7 @@ PATH
       metasploit-concern
       metasploit-credential (= 1.1.0)
       metasploit-model (= 1.1.0)
-      metasploit-payloads (= 1.1.3)
+      metasploit-payloads (= 1.1.4)
       metasploit_data_models (= 1.3.0)
       msgpack
       network_interface (~> 0.0.1)
@@ -124,7 +124,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.1.3)
+    metasploit-payloads (1.1.4)
     metasploit_data_models (1.3.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

lib/rex/post/meterpreter/extensions/powershell/powershell.rb

@@ -0,0 +1,59 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/powershell/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Powershell
+
+###
+#
+# This meterpreter extensions a privilege escalation interface that is capable
+# of doing things like dumping password hashes and performing local
+# exploitation.
+#
+###
+class Powershell < Extension
+
+
+  def initialize(client)
+    super(client, 'powershell')
+
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'powershell',
+          'ext'  => self
+        },
+      ])
+  end
+
+
+  def execute_string(opts={})
+    return nil unless opts[:code]
+
+    request = Packet.create_request('powershell_execute')
+    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, opts[:code])
+    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
+
+    response = client.send_request(request)
+    return response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
+  end
+
+  def shell(opts={})
+    request = Packet.create_request('powershell_shell')
+    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
+
+    response = client.send_request(request)
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+    if channel_id.nil?
+      raise Exception, "We did not get a channel back!"
+    end
+    Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS)
+  end
+
+end
+
+end; end; end; end; end

lib/rex/post/meterpreter/extensions/powershell/tlv.rb

@@ -0,0 +1,16 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Powershell
+
+TLV_TYPE_POWERSHELL_SESSIONID        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 1)
+TLV_TYPE_POWERSHELL_CODE             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_POWERSHELL_RESULT           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
+
+end
+end
+end
+end
+end

lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb

@@ -0,0 +1,113 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Powershell extension - interact with a Powershell interpreter
+#
+###
+class Console::CommandDispatcher::Powershell
+
+  Klass = Console::CommandDispatcher::Powershell
+
+  include Console::CommandDispatcher
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    'Powershell'
+  end
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      'powershell_shell'    => 'Create an interactive Powershell prompt',
+      'powershell_execute'  => 'Execute a Powershell command string'
+    }
+  end
+
+  @@powershell_shell_opts = Rex::Parser::Arguments.new(
+    '-s' => [true, 'Specify the id/name of the Powershell session to interact with.'],
+    '-h' => [false, 'Help banner']
+  )
+
+  def powershell_shell_usage
+    print_line('Usage: powershell_shell [-s session-id]')
+    print_line
+    print_line('Creates an interactive Powershell prompt.')
+    print_line(@@powershell_shell_opts.usage)
+  end
+
+  #
+  # Create an interactive powershell prompts
+  #
+  def cmd_powershell_shell(*args)
+    if args.include?('-h')
+      powershell_shell_usage
+      return false
+    end
+
+    opts = {}
+
+    @@powershell_shell_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-s'
+        opts[:session_id] = val
+      end
+    }
+
+    channel = client.powershell.shell(opts)
+    shell.interact_with_channel(channel)
+  end
+
+  @@powershell_execute_opts = Rex::Parser::Arguments.new(
+    '-s' => [true, 'Specify the id/name of the Powershell session to run the command in.'],
+    '-h' => [false, 'Help banner']
+  )
+
+  def powershell_execute_usage
+    print_line('Usage: powershell_execute <powershell code> [-s session-id]')
+    print_line
+    print_line('Runs the given Powershell string on the target.')
+    print_line(@@powershell_execute_opts.usage)
+  end
+
+  #
+  # Execute a simple Powershell command string
+  #
+  def cmd_powershell_execute(*args)
+    if args.length == 0 || args.include?('-h')
+      powershell_execute_usage
+      return false
+    end
+
+    opts = {
+      code: args.shift
+    }
+
+    @@powershell_execute_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-s'
+        opts[:session_id] = val
+      end
+    }
+
+    result = client.powershell.execute_string(opts)
+    print_good("Command execution completed:\n#{result}")
+  end
+
+end
+
+end
+end
+end
+end
+

metasploit-framework.gemspec

@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.1.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.1.3'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.4'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.