
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/post/meterpreter/extensions/powershell/powershell.rb
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/powershell/tlv'
require 'rex/post/meterpreter/extensions/powershell/command_ids'
module Rex
module Post
module Meterpreter
module Extensions
module Powershell
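###
#
# Client-side interface to the Meterpreter "powershell" extension.
#
# It lets the framework load a .NET assembly into the remote PowerShell
# environment, execute PowerShell code (optionally inside a named session),
# remove such a session, and open an interactive PowerShell channel.
# Everything here runs on the framework side; file paths passed in are read
# from the local filesystem and their contents are sent to the remote side.
#
###
class Powershell < Extension

  # Numeric identifier of this extension in the TLV protocol.
  def self.extension_id
    EXTENSION_ID_POWERSHELL
  end

  # Binds the extension to a Meterpreter client and registers it under the
  # 'powershell' alias.
  #
  # @param client [Object] the Meterpreter client this extension belongs to
  def initialize(client)
    super(client, 'powershell')

    client.register_extension_aliases(
      [
        {
          'name' => 'powershell',
          'ext' => self
        },
      ])
  end

  # Imports a local file into the remote PowerShell environment.
  #
  # A `.ps1` script is read as text and handed to {#execute_string}; a `.dll`
  # is read as raw bytes and shipped with COMMAND_ID_POWERSHELL_ASSEMBLY_LOAD.
  # Any other extension is rejected. The check is a plain suffix match, so the
  # extension is case-sensitive.
  #
  # @param opts [Hash]
  # @option opts [String] :file local path of the file to import (required)
  # @option opts [String] :session_id forwarded to {#execute_string} for scripts
  # @return [nil] when :file is missing
  # @return [Object] the value of TLV_TYPE_POWERSHELL_RESULT for a `.ps1` file
  # @return [Boolean] true after a `.dll` was sent, false for any other suffix
  def import_file(opts={})
    return nil unless opts[:file]

    # if it's a script, then we'll just use execute_string
    if opts[:file].end_with?('.ps1')
      # merge rather than assign so the caller's hash is not mutated
      return execute_string(opts.merge(code: ::File.read(opts[:file])))
    end

    # if it's a dll (hopefully a .NET 2.0 one) then do something different
    if opts[:file].end_with?('.dll')
      # TODO: perhaps do some kind of check to see if the DLL is a .NET assembly?
      #
      # Read as raw bytes: File.read tags the content with the default external
      # encoding (and translates newlines on Windows), and String#length would
      # then count characters rather than bytes, so the size advertised in
      # TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE could disagree with the payload sent.
      binary = ::File.binread(opts[:file])

      request = Packet.create_request(COMMAND_ID_POWERSHELL_ASSEMBLY_LOAD)
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.bytesize)
      request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
      client.send_request(request)
      return true
    end

    false
  end

  # Asks the remote side to discard a named PowerShell session.
  #
  # @param opts [Hash]
  # @option opts [String] :session_id the session to remove (required)
  # @return [Boolean] false when :session_id is missing, true once the
  #   request has been sent
  def session_remove(opts={})
    return false unless opts[:session_id]

    request = Packet.create_request(COMMAND_ID_POWERSHELL_SESSION_REMOVE)
    # the guard above already ensures the session id is present
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id])
    client.send_request(request)
    true
  end

  # Executes a string of PowerShell code on the remote side.
  #
  # @param opts [Hash]
  # @option opts [String] :code the PowerShell code to run (required)
  # @option opts [String] :session_id optional session to run the code in
  # @return [nil] when :code is missing
  # @return [Object] the value of TLV_TYPE_POWERSHELL_RESULT from the response
  def execute_string(opts={})
    return nil unless opts[:code]

    request = Packet.create_request(COMMAND_ID_POWERSHELL_EXECUTE)
    request.add_tlv(TLV_TYPE_POWERSHELL_CODE, opts[:code])
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]

    response = client.send_request(request)
    response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
  end

  # Opens an interactive PowerShell channel on the remote side.
  #
  # @param opts [Hash]
  # @option opts [String] :session_id optional session to attach the shell to
  # @return [Rex::Post::Meterpreter::Channels::Pools::StreamPool] the
  #   synchronous stream channel wrapping the remote shell
  # @raise [RuntimeError] when the response carries no channel id
  def shell(opts={})
    request = Packet.create_request(COMMAND_ID_POWERSHELL_SHELL)
    request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]

    response = client.send_request(request)
    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
    # RuntimeError (a StandardError) rather than bare Exception, so a plain
    # `rescue` in callers can handle it; `rescue Exception` still catches it.
    raise RuntimeError, "We did not get a channel back!" if channel_id.nil?

    Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response)
  end

end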
end; end; end; end; end