Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
require 'rex/post/meterpreter/extensions/powershell/tlv'
4
require 'rex/post/meterpreter/extensions/powershell/command_ids'
5

6
module Rex
7
module Post
8
module Meterpreter
9
module Extensions
10
module Powershell
11

12
###
13
#
14
# This meterpreter extensions a privilege escalation interface that is capable
15
# of doing things like dumping password hashes and performing local
16
# exploitation.
17
#
18
###
19
class Powershell < Extension
20

21
  def self.extension_id
22
    EXTENSION_ID_POWERSHELL
23
  end
24

25
  def initialize(client)
26
    super(client, 'powershell')
27

28
    client.register_extension_aliases(
29
      [
30
        {
31
          'name' => 'powershell',
32
          'ext'  => self
33
        },
34
      ])
35
  end
36

37

38
  def import_file(opts={})
39
    return nil unless opts[:file]
40

41
    # if it's a script, then we'll just use execute_string
42
    if opts[:file].end_with?('.ps1')
43
      opts[:code] = ::File.read(opts[:file])
44
      return execute_string(opts)
45
    end
46

47
    # if it's a dll (hopefully a .NET 2.0 one) then do something different
48
    if opts[:file].end_with?('.dll')
49
      # TODO: perhaps do some kind of check to see if the DLL is a .NET assembly?
50
      binary = ::File.read(opts[:file])
51

52
      request = Packet.create_request(COMMAND_ID_POWERSHELL_ASSEMBLY_LOAD)
53
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length)
54
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
55
      client.send_request(request)
56
      return true
57
    end
58

59
    return false
60
  end
61

62
  def session_remove(opts={})
63
    return false unless opts[:session_id]
64
    request = Packet.create_request(COMMAND_ID_POWERSHELL_SESSION_REMOVE)
65
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
66
    client.send_request(request)
67
    return true
68
  end
69

70
  def execute_string(opts={})
71
    return nil unless opts[:code]
72

73
    request = Packet.create_request(COMMAND_ID_POWERSHELL_EXECUTE)
74
    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, opts[:code])
75
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
76

77
    response = client.send_request(request)
78
    return response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
79
  end
80

81
  def shell(opts={})
82
    request = Packet.create_request(COMMAND_ID_POWERSHELL_SHELL)
83
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
84

85
    response = client.send_request(request)
86
    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
87
    if channel_id.nil?
88
      raise Exception, "We did not get a channel back!"
89
    end
90
    Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response)
91
  end
92

93
end
94

95
end; end; end; end; end
96

97