Land rapid7#8369, add PSH decompressor & decoder convenience methods

Brent Cook · Brent Cook · commit cc7285084772 · 2017-05-14T21:28:02.000-05:00
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
@@ -18,22 +18,23 @@ def initialize(info = {})
         OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
         OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]),
         OptBool.new('Powershell::no_equals', [true, 'Pad base64 until no "=" remains', false]),
-        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w(net reflection old msil)]),
-      ], self.class)
+        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w[net reflection old msil]])
+      ]
+    )
   end
 
   #
   # Return a script from path or string
   #
   def read_script(script_path)
-    return Rex::Powershell::Script.new(script_path)
+    Rex::Powershell::Script.new(script_path)
   end
 
   #
   # Return an array of substitutions for use in make_subs
   #
   def process_subs(subs)
-    return [] if subs.nil? or subs.empty?
+    return [] if subs.nil? || subs.empty?
     new_subs = []
     subs.split(';').each do |set|
       new_subs << set.split(',', 2)
@@ -49,11 +50,12 @@ def process_subs(subs)
   #
   def make_subs(script, subs)
     subs.each do |set|
-      script.gsub!(set[0],set[1])
+      script.gsub!(set[0], set[1])
     end
 
     script
   end
+
   #
   # Return an encoded powershell script
   # Will invoke PSH modifiers as enabled
@@ -71,6 +73,20 @@ def encode_script(script_in, eof = nil)
     Rex::Powershell::Command.encode_script(script_in, eof, opts)
   end
 
+  #
+  # Return an decoded powershell script
+  #
+  # @param script_in [String] Encoded contents
+  #
+  # @return [String] Decoded script
+  def decode_script(script_in)
+    return script_in unless
+      script_in.to_s.match(%r{[A-Za-z0-9+/]+={0,3}})[0] == script_in.to_s &&
+      (script_in.to_s.length % 4).zero?
+
+    Rex::Powershell::Command.decode_script(script_in)
+  end
+
   #
   # Return a gzip compressed powershell script
   # Will invoke PSH modifiers as enabled
@@ -79,7 +95,7 @@ def encode_script(script_in, eof = nil)
   # @param eof [String] Marker to indicate the end of file appended to script
   #
   # @return [String] Compressed script with decompression stub
-  def compress_script(script_in, eof=nil)
+  def compress_script(script_in, eof = nil)
     opts = {}
     datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ && v }.keys.map do |k|
       mod_method = k.split('::').last.intern
@@ -89,6 +105,18 @@ def compress_script(script_in, eof=nil)
     Rex::Powershell::Command.compress_script(script_in, eof, opts)
   end
 
+  #
+  # Return a decompressed powershell sript
+  #
+  # @param script_in [String] Compressed contents with decompression stub
+  #
+  # @return [String] Decompressed script
+  def decompress_script(script_in)
+    return script_in unless script_in.match?(/FromBase64String/)
+
+    Rex::Powershell::Command.decompress_script(script_in)
+  end
+
   #
   # Generate a powershell command line, options are passed on to
   # generate_psh_args
@@ -155,8 +183,8 @@ def generate_psh_args(opts)
   # @return [String] Wrapped powershell code
   def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
-        noprofile: true,
-        windowstyle: 'hidden',
+      noprofile: true,
+      windowstyle: 'hidden'
     }
 
     # Old technique fails if powershell exits..
@@ -194,26 +222,21 @@ def run_hidden_psh(ps_code, payload_arch, encoded)
   def cmd_psh_payload(pay, payload_arch, opts = {})
     options.validate(datastore)
 
-    [ :persist, :prepend_sleep, :exec_in_place, :encode_final_payload,
-      :encode_inner_payload, :use_single_quotes, :no_equals, :method ].map { |opt|
+    %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt|
       opts[opt] ||= datastore["Powershell::#{opt}"]
-    }
+    end
 
     unless opts.key? :shorten
       opts[:shorten] = (datastore['Powershell::method'] != 'old')
     end
-    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
 
-    command = Rex::Powershell::Command.cmd_psh_payload(pay,
-                                                                     payload_arch,
-                                                                     template_path,
-                                                                     opts)
+    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
+    command = Rex::Powershell::Command.cmd_psh_payload(pay, payload_arch, template_path, opts)
     vprint_status("Powershell command length: #{command.length}")
 
     command
   end
 
-
   #
   # Useful method cache
   #
