
fix #15804, fix powershell read_file on Windows Server 2012 #15808

Merged: 15 commits, Dec 7, 2021

Conversation

@timwr (Contributor) commented Oct 29, 2021

Fix #15804 by using the old style powershell syntax (New-Object).

Verification

  • Get a cmd/windows/powershell_reverse_tcp session on Windows Server 2012 and Windows 7
  • Verify the file tests:
        loadpath test/modules
        use post/test/file
        set SESSION -1
        set VERBOSE true
  • Get a cmd/windows/powershell_reverse_tcp_ssl session on Windows 10
  • Verify the file tests:
        loadpath test/modules
        use post/test/file
        set SESSION -1
        set VERBOSE true

@timwr timwr added the powershell Issues and PRs related to powershell sessions and payloads label Oct 29, 2021
@@ -1,5 +1,3 @@
# Powerfun - Written by Ben Turner & Dave Hardy
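Review bot: the hunk header `@@ -1,5 +1,3 @@` shows two lines dropped from the top of the file, and the only line visible here is the attribution `# Powerfun - Written by Ben Turner & Dave Hardy`. If that attribution is among the removed lines it should be kept somewhere, for example in the module documentation or as a comment further down the script, since it credits third-party code and the comment on this hunk gives no reason for losing the credit itself.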
@timwr (Contributor, Author) commented on this hunk:

Removing this seems to bypass windows defender on Windows 10

# Read the username and hostname from the initial banner
initial_output = shell_read(-1, 0.01)
initial_output = shell_read(-1, 2)
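Review bot: raising the timeout in `shell_read(-1, 0.01)` to `shell_read(-1, 2)` fixes the banner read, but it is still a fixed timeout: a slow host can still miss the banner and a fast one waits for nothing. A comment stating why 2 seconds was chosen would help future readers, and reading until the prompt (or another known terminator) appears, with the 2 seconds as an upper bound, would be more robust than the timeout alone.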
@timwr (Contributor, Author) commented on this hunk:

This fixes the session info

@cdelafuente-r7 cdelafuente-r7 self-assigned this Oct 29, 2021
@cdelafuente-r7 (Contributor) left a review comment:

Thanks for fixing this @timwr ! I just left a comment about other payloads that seem to be affected by this change and might need to be fixed too.

@bwatters-r7 (Contributor) commented:

We had to deal with older TLS in baseline builder. See https://github.com/rapid7/metasploit-baseline-builder/blob/master/scripts/installs/chocolatey.ps1

@timwr (Contributor, Author) commented Nov 9, 2021

Sorry for the delay on this! I really couldn't figure out how to get the SSL connection working on Windows 7. However I was able to fix it for Windows Server 2012: 970e7cb
Because of this I guess we still need both the ssl and non-ssl payloads, so I've fixed up the pr with those changes (for both the cmd and exe payloads).

@cdelafuente-r7 (Contributor) commented:

Thanks for updating this @timwr ! I verified it works with all payloads against Windows Server 2012. On Windows 7, the cmd Powershell payloads only work without SSL, as you said. I checked with both post/test/file and the post/multi/manage/fileshare module. I'll go ahead and land it.

Note that post/test/file has an issue with Powershell when it checks for file existence. It uses the %WINDIR% environment variable, which doesn't work with Powershell (the syntax is $Env:windir). Not a big deal, I checked and the file? method works fine with a full path like C:\....

Example output:
msf6 payload(cmd/windows/powershell_reverse_tcp_ssl) > previous
msf6 post(test/file) > set session -1
session => -1
msf6 post(test/file) > set verbose true
verbose => true
msf6 post(test/file) > run

[*] Setup: changing working directory to %TEMP%
[!] SESSION may not be compatible with this module:
[!]  * incompatible session type: powershell
[*] Running against session -1
[*] Session type is powershell and platform is windows
[+] should test for file existence
[+] should test for directory existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[*] Writing 31264 bytes
[*] Finished in 0.029119
[+] should write binary data
[*] Read 31264 bytes
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Testing complete in 4.08216
[*] Passed: 11; Failed: 0
[*] Cleanup: changing working directory back to C:\Users\Administrator\Desktop
[*] Post module execution completed
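As an added example (not code from this PR, nor from lib/msf/core/post/file.rb), the two compatibility points raised in the PR description and in the comment above, written in PowerShell: cmd-style `%WINDIR%` is not expanded by PowerShell, so the test module's existence check fails there while `$Env:windir` works, and the `[Type]::new()` constructor syntax needs PowerShell 5.0, whereas `New-Object` is accepted by the 2.0 and 3.0 versions that ship with Windows 7 and Windows Server 2012. The function names and the sample path are my own choices.

```powershell
# Added example; not code from the metasploit-framework PR.
# Works on PowerShell 2.0/3.0 (Windows 7 / Server 2012) as well as 5.x.

function Test-PathCompat {
    # post/test/file checks a cmd-style path such as '%WINDIR%'. PowerShell
    # does not expand %VAR%, so Test-Path '%WINDIR%' is false even though the
    # directory exists; the PowerShell form is $Env:windir. .NET expands the
    # cmd-style form on every PowerShell version, so translate it first.
    param([Parameter(Mandatory = $true)][string]$Path)

    $expanded = [System.Environment]::ExpandEnvironmentVariables($Path)
    return (Test-Path -LiteralPath $expanded)
}

function Read-FileCompat {
    # Returns the file contents base64-encoded, which survives a text-only
    # shell session transport unchanged.
    param([Parameter(Mandatory = $true)][string]$Path)

    # "New style" constructor syntax, PowerShell 5.0+ only; on 2.0/3.0 it
    # fails with "[FileStream] does not contain a method named 'new'":
    #   $fs = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Open)
    # "Old style" New-Object is understood by every PowerShell version:
    $fs = New-Object System.IO.FileStream(
        $Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    try {
        $buf = New-Object byte[] ([int]$fs.Length)
        # Stream.Read may return fewer bytes than requested; loop until full.
        $total = 0
        while ($total -lt $buf.Length) {
            $n = $fs.Read($buf, $total, $buf.Length - $total)
            if ($n -le 0) { break }
            $total += $n
        }
    } finally {
        $fs.Close()
    }
    return [System.Convert]::ToBase64String($buf)
}

# Usage: run on the PowerShell version being checked (the session's host).
$summary = @{
    PSVersion        = $PSVersionTable.PSVersion.ToString()
    CmdStyleTestPath = (Test-Path '%WINDIR%')
    CompatTestPath   = (Test-PathCompat '%WINDIR%')
    WinIniBase64Len  = (Read-FileCompat (Join-Path $Env:windir 'win.ini')).Length
}
$summary
```

`$PSVersionTable` exists from PowerShell 2.0 onward, so the summary itself runs on the older hosts; comparing `CmdStyleTestPath` and `CompatTestPath` on the same host shows the difference the comment above describes, and `Read-FileCompat` is the shape a version-independent read should take when a session may land on a pre-5.0 PowerShell.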

@cdelafuente-r7 cdelafuente-r7 merged commit 389fd55 into rapid7:master Dec 7, 2021
@cdelafuente-r7 (Contributor) commented:

Release Notes

This fixes a compatibility issue with Powershell read_file on Windows Server 2012 by using the old style Powershell syntax (New-Object).

@cdelafuente-r7 cdelafuente-r7 added the rn-fix release notes fix label Dec 7, 2021
Labels
bug powershell Issues and PRs related to powershell sessions and payloads rn-fix release notes fix
Successfully merging this pull request may close these issues.

Powershell script in lib/msf/core/post/file.rb compatibility issue
3 participants