lib/msf/base/sessions/powershell.rb

# -*- coding: binary -*-
require 'msf/base/sessions/command_shell'

class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
  #
  # Execute any specified auto-run scripts for this session
  #
  def process_autoruns(datastore)

    # Read the username and hostname from the initial banner
    initial_output = shell_read(-1, 0.01)
    if initial_output =~ /running as user ([^\s]+) on ([^\s]+)/
      username = $1
      hostname = $2
      self.info = "#{username} @ #{hostname}"
    else
      self.info = initial_output.gsub(/[\r\n]/, ' ')
    end

    # Call our parent class's autoruns processing method
    super
  end
  #
  # Returns the type of session.
  #
  def self.type
    "powershell"
  end

  #
  # Returns the session platform.
  #
  def platform
    "win"
  end

  #
  # Returns the session description.
  #
  def desc
    "Powershell session"
  end

  #
  # Takes over the shell_command of the parent
  #
  def shell_command(cmd, timeout = 1800)
    # insert random marker
    strm = Rex::Text.rand_text_alpha(15)
    endm = Rex::Text.rand_text_alpha(15)

    # Send the shell channel's stdin.
    shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n")

    etime = ::Time.now.to_f + timeout

    buff = ""
    # Keep reading data until the marker has been received or the 30 minture timeout has occured
    while (::Time.now.to_f < etime)
      res = shell_read(-1, timeout)
      break unless res
      timeout = etime - ::Time.now.to_f

      buff << res
      if buff.include?(endm)
        # if you see the end marker, read the buffer from the start marker to the end and then display back to screen
        buff = buff.split(/#{strm}\r\n/)[-1]
        buff = buff.split(endm)[0]
        buff.gsub!(/(?<=\r\n)PS [^>]*>/, '')
        return buff
      end
    end
    buff
  end
end
new session type 2015-04-23 23:12:02 +01:00			`# -- coding: binary --`
Inserted ARCH_X86 payloads, removed interactive_powershell and updated base powershell session 2015-04-26 18:50:42 +01:00			`require 'msf/base/sessions/command_shell'`
new session type 2015-04-23 23:12:02 +01:00
Inserted ARCH_X86 payloads, removed interactive_powershell and updated base powershell session 2015-04-26 18:50:42 +01:00			`class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell`
session info 2015-04-26 20:13:18 +01:00			`#`
			`# Execute any specified auto-run scripts for this session`
			`#`
			`def process_autoruns(datastore)`
Fallback if the regex fails for some reason 2015-04-26 15:59:36 -05:00
			`# Read the username and hostname from the initial banner`
session info 2015-04-26 20:13:18 +01:00			`initial_output = shell_read(-1, 0.01)`
Update session to display username and hostname 2015-04-26 21:47:49 +01:00			`if initial_output =~ /running as user ([^\s]+) on ([^\s]+)/`
			`username = $1`
			`hostname = $2`
Fallback if the regex fails for some reason 2015-04-26 15:59:36 -05:00			`self.info = "#{username} @ #{hostname}"`
			`else`
			`self.info = initial_output.gsub(/[\r\n]/, ' ')`
Update session to display username and hostname 2015-04-26 21:47:49 +01:00			`end`
Fallback if the regex fails for some reason 2015-04-26 15:59:36 -05:00
session info 2015-04-26 20:13:18 +01:00			`# Call our parent class's autoruns processing method`
			`super`
			`end`
new session type 2015-04-23 23:12:02 +01:00			`#`
			`# Returns the type of session.`
			`#`
			`def self.type`
			`"powershell"`
			`end`

support upgrading a powershell session to meterpreter 2015-09-08 15:37:42 +02:00			`#`
			`# Returns the session platform.`
			`#`
			`def platform`
			`"win"`
			`end`

new session type 2015-04-23 23:12:02 +01:00			`#`
			`# Returns the session description.`
			`#`
			`def desc`
			`"Powershell session"`
			`end`
Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00
			`#`
Spaces 2015-05-04 22:17:08 +01:00			`# Takes over the shell_command of the parent`
Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00			`#`
Do changes to have into account powershell sesions are not cmd sessions 2015-10-02 15:26:42 -05:00			`def shell_command(cmd, timeout = 1800)`
Start and End Markers 2015-05-07 19:06:36 +01:00			`# insert random marker`
Markers 2015-05-07 22:50:09 +01:00			`strm = Rex::Text.rand_text_alpha(15)`
			`endm = Rex::Text.rand_text_alpha(15)`
New shell_command markers 2015-05-05 19:20:03 +01:00
			`# Send the shell channel's stdin.`
Markers 2015-05-07 22:50:09 +01:00			`shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n")`
Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00
New shell_command markers 2015-05-05 19:20:03 +01:00			`etime = ::Time.now.to_f + timeout`
Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00
New shell_command markers 2015-05-05 19:20:03 +01:00			`buff = ""`
			`# Keep reading data until the marker has been received or the 30 minture timeout has occured`
			`while (::Time.now.to_f < etime)`
			`res = shell_read(-1, timeout)`
			`break unless res`
			`timeout = etime - ::Time.now.to_f`
Start and End Markers 2015-05-07 19:06:36 +01:00
New shell_command markers 2015-05-05 19:20:03 +01:00			`buff << res`
We don't need no stinking regexes.... 2019-10-23 13:47:46 -05:00			`if buff.include?(endm)`
Start and End Markers 2015-05-07 19:06:36 +01:00			`# if you see the end marker, read the buffer from the start marker to the end and then display back to screen`
Edit spaces within the powershell session command 2015-05-25 20:10:29 +01:00			`buff = buff.split(/#{strm}\r\n/)[-1]`
We don't need no stinking regexes.... 2019-10-23 13:47:46 -05:00			`buff = buff.split(endm)[0]`
Fix delimiter selection on commands 2019-10-16 20:06:50 -05:00			`buff.gsub!(/(?<=\r\n)PS [^>]*>/, '')`
Clearly, I fail at ruby implicit returns 2019-10-22 11:51:00 -05:00			`return buff`
New shell_command markers 2015-05-05 19:20:03 +01:00			`end`
Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00			`end`
			`buff`
			`end`
new session type 2015-04-23 23:12:02 +01:00			`end`