Powershell CMD Encoder #2964
Conversation
```ruby
# Encoder body under review: wraps the command in cmd.exe, converts it to
# UTF-16LE (what powershell -e expects) and Base64-encodes the result.
def encode_buf(buf)
  base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}"))
  cmd = "powershell -w hidden -nop -e #{base64}"
end
```
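An added example (not code from the PR or from Metasploit) showing the defender's counterpart of the encoder above: a decoder that recovers the plaintext command from a `powershell -e <base64>` command line, which is what a detection rule or triage script needs when a command is delivered this way. It uses only the Ruby standard library in place of `Rex::Text`; the method names `decode_encoded_command`, `triage_powershell_line` and `sample_encoded_line` are this example's own, and the sample command line is constructed here.

```ruby
require 'base64'

# Switch forms PowerShell accepts for -EncodedCommand that appear in the wild;
# the argument is Base64 over the UTF-16LE bytes of the script.
ENCODED_SWITCH = /(?:\A|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+\/=]+)/i

# Decode the -e argument back to the plaintext command.
# Returns a UTF-8 String, or nil when the line has no -e switch or the
# argument is not valid Base64/UTF-16LE (e.g. a false positive on "-e").
def decode_encoded_command(cmdline)
  m = ENCODED_SWITCH.match(cmdline)
  return nil unless m
  raw = Base64.strict_decode64(m[1])
  # An odd byte count cannot be UTF-16; bail out rather than raise.
  return nil if raw.bytesize.odd?
  raw.force_encoding('UTF-16LE').encode('UTF-8')
rescue ArgumentError, Encoding::InvalidByteSequenceError, Encoding::UndefinedConversionError
  nil
end

# Summarise the flags the encoder sets (-w hidden, -nop) together with the
# decoded payload, in a shape a detection rule or triage note can consume.
def triage_powershell_line(cmdline)
  decoded = decode_encoded_command(cmdline)
  return nil unless decoded
  {
    decoded: decoded,
    hidden_window: cmdline.match?(/\s-w(?:indowstyle)?\s+hidden\b/i),
    no_profile: cmdline.match?(/\s-nop(?:rofile)?\b/i)
  }
end

# Constructed sample input: the same transform the encoder applies, written
# with the standard library (Base64 over UTF-16LE) so the example runs offline.
def sample_encoded_line(buf = 'notepad.exe')
  b64 = Base64.strict_encode64("cmd.exe /c start #{buf}".encode('UTF-16LE'))
  "powershell -w hidden -nop -e #{b64}"
end

if __FILE__ == $0
  line = sample_encoded_line
  puts line
  p triage_powershell_line(line)
end
```

Because `decode_encoded_command` only accepts the switch when it is followed by whitespace and a Base64 run, `-ep bypass` or `-ExecutionPolicy` do not trigger a decode attempt, and any token that is not valid Base64/UTF-16LE yields nil instead of an exception, so the function is safe to run over arbitrary process-creation logs.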
I'm not sure if it's a very good idea, taking into account that PowerShell isn't always available on Windows. I'd say make it with a low ranking, but since it's the only cmd encoder for Windows, it would be selected anyway. Thoughts?
Yeah, not too worried about the scoring, there's not a huge amount of competition for this ;)
Heh, so let me see what the feelings from other devs are; since it's the only Windows cmd encoder, I'm a little worried about it depending on PowerShell.
I vote ManualRanking because of the same concern. The printf_php_mq.rb encoding module has the same issue, with printf not necessarily being supported by all systems, so it's ManualRanking.
Presumably if the command contains bad-chars then it probably won't work. So it has a better chance of working if PowerShell is available (most modern systems now).
PowerShell may exist on Windows XP. A payload with badchars shouldn't work on XP ;)
Someone should write a wscript encoder!
@wchen-r7: How does ManualRanking work with encoders? Maybe I forgot something, damn it!

> @Meatballs1: A payload with badchars shouldn't work on XP ;)

Right, the problem is it encoding payloads which would work in raw mode. I tried to address it with #3024, so exploit modules can provide compatibility options for encoders (like with payloads). But maybe ManualRanking could solve it :? ping @wchen-r7
I think #3024 sounds like a better plan, if the module can attest to a specific level of encoders/commands?
Hopefully, once #3024 is landed, we'll be able to land this easily. Providing exploits the capacity to provide Encoder Compat options!
So @jvazquez-r7, @limhoff-r7 and I had a discussion about this. Basically the concern is still the same, because it's possible this PowerShell encoder may kick in instead of the generic/none encoder (which we assume is the default one). And again, we need to worry about Windows targets that don't necessarily have PowerShell. Changing the ranking doesn't seem to make it any better either, because according to @jvazquez-r7 it still kicks in. In conclusion, I think we all agree that #3024 should probably be landed first.
Showing Windows command injection some loving.