Powershell CMD Encoder #2964
Powershell CMD Encoder #2964
Conversation
|
Processing! |
|
|
||
| def encode_buf(buf) | ||
| base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}")) | ||
| cmd = "powershell -w hidden -nop -e #{base64}" |
There was a problem hiding this comment.
I'm not sure if it's a very good idea having into account which power shell isn't always available on Windows. I'd say make it with a low ranking, but since it's the only cmd encoder for windows, it would be selected anyway. Thoughts?
There was a problem hiding this comment.
Yeah not too worried about the scoring, theres not huge amounts of competition for this ;)
There was a problem hiding this comment.
heh, so that, let me see what are the feelings from other devs, since it's the only windows cmd encoder, a little worried about it depending on powershell.
There was a problem hiding this comment.
I vote ManualRanking because of the same concern. The printf_php_mq.rb encoding module has the same issue with printf not necessarily supported by all systems, so it's ManualRanking.
There was a problem hiding this comment.
Presumably if the command contains bad-chars then it probably wont work. So it has a better chance of working if powershell is available (most modern systems now).
There was a problem hiding this comment.
Powershell may exist on windows xp. A payload with badchars shouldnt work on XP ;)
There was a problem hiding this comment.
A payload with badchars probably doesn't work anywhere, but that depends on how bad it's mangled. You just gotta ask yourself one question...
There was a problem hiding this comment.
Someone should write a wscript encoder!
There was a problem hiding this comment.
@wchen-r7: How ManualRanking works with encoders? Maybe I forgot something, damn it!
@Meatballs1: A payload with badchars shouldnt work on XP ;) right, the problem is it encoding payloads which would work in raw mode.
I tried to address with #3024, so exploit modules can provide compatibility options for encoders (like with payloads). But maybe ManualRanking could solve :? ping @wchen-r7
There was a problem hiding this comment.
I think #3024 sounds like a better plan, if the module can attest to a specific level of encoders/commands?
|
Hopefully if #3024 is landed we'll be able to land it easily. Providing to exploits the capacity to provide Encoder Compat options! |
|
So @jvazquez-r7, @limhoff-r7 and I had a discussion about this, basically the concern is still the same, because it's possible this powershell encoder may kick in instead of the generic/none encoder (which we assume is the default one). And again, we need to worry about Windows targets that don't necessarily have powershell. Changing the ranking doesn't seem to make it any better either, because according to @jvazquez-r7 it still kicks in. In conclusion, I think we all agree that #3024 should probably be landed first. |
Showing Windows command injection some loving.