rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Output and command improvements for Win10 #6

Closed sempervictus closed 7 years ago

sempervictus commented 7 years ago

Newer versions of Windows implement script filtering approaches to block and log PowerShell execution which appears suspicious. The Rex::Powershell::Output decompressors utilize invoke-expression as "IEX", which makes these defenses unhappy. Convert the gzip decompressor mechanism to stop using inline vars, drop the IEX invocation, and replace it with &(scriptblock), where the scriptblock is generated from the existing stream processors, which have been reformatted for inline delivery of content from the compressed payload into the scriptblock as text.

Rex::Powershell::Command did not properly address the single quotes option when generating arguments for command execution. When use_single_quotes is not true, double-quote wrap the argument to -Command and prevent escaping of single quotes.
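The two changes described in this PR, as an added example in Ruby (the library's language) that is not rex-powershell's own code: a gzip+base64 stage emitted in the old IEX form beside the &([scriptblock]::Create(...)) form with no intermediate variables, a lint that checks a generated stage for IEX/Invoke-Expression outside the base64 blob, and a -Command argument builder that double-quote wraps when single-quote mode is off and leaves embedded single quotes alone. The module and method names are hypothetical, and the backslash escaping of embedded double quotes in the double-quoted branch is an assumption about the command-line parser, not something this PR states.

```ruby
# Added example, not rex-powershell's own code. Module and method names
# are hypothetical; the PowerShell stage text follows the shapes the PR
# discusses (IEX-based vs. &([scriptblock]::Create(...))-based).
require 'zlib'
require 'base64'
require 'stringio'

module StageDemo
  # Gzip + base64 a script so it can be carried inline in a one-liner.
  # mtime is pinned to 0 so the same input always yields the same blob.
  def self.compress_script(script)
    io = StringIO.new
    gz = Zlib::GzipWriter.new(io)
    gz.mtime = 0
    gz.write(script)
    gz.finish
    Base64.strict_encode64(io.string)
  end

  # Inline stream processor: MemoryStream -> GzipStream -> StreamReader,
  # with no intermediate $variables, yielding the decompressed text.
  def self.inline_reader(b64)
    "(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream(" \
    "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{b64}')))," \
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
  end

  # Legacy form: the decompressed text is handed to IEX, the token that
  # script filtering keys on.
  def self.iex_stage(script)
    "IEX #{inline_reader(compress_script(script))}"
  end

  # Proposed form: the decompressed text becomes a scriptblock which is
  # invoked with the call operator; no IEX anywhere in the stage.
  def self.scriptblock_stage(script)
    "&([scriptblock]::Create(#{inline_reader(compress_script(script))}))"
  end

  # Lint for generated stages: strip the base64 blob first so a chance
  # "IEX" substring inside the encoded payload cannot produce a false hit.
  def self.uses_iex?(stage)
    stripped = stage.sub(/FromBase64String\('[^']*'\)/, '')
    stripped.match?(/\bIEX\b|Invoke-Expression/i)
  end

  # Round trip without PowerShell: pull the blob back out of a stage and
  # gunzip it to confirm the carried script survived intact.
  def self.recover_script(stage)
    b64 = stage[/FromBase64String\('([A-Za-z0-9+\/=]+)'\)/, 1]
    Zlib::GzipReader.new(StringIO.new(Base64.strict_decode64(b64))).read
  end

  # -Command argument quoting. Single-quote mode doubles embedded single
  # quotes (PowerShell's own escape); otherwise the argument is wrapped in
  # double quotes and embedded single quotes are left untouched. Escaping
  # embedded double quotes as \" is an assumption about the host parser.
  def self.command_arg(ps, use_single_quotes: false)
    if use_single_quotes
      "'" + ps.gsub("'", "''") + "'"
    else
      '"' + ps.gsub('"', '\\"') + '"'
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  script = "Write-Output 'hello'"  # constructed sample payload
  puts StageDemo.scriptblock_stage(script)
  puts "uses IEX: #{StageDemo.uses_iex?(StageDemo.scriptblock_stage(script))}"
  puts StageDemo.command_arg(StageDemo.scriptblock_stage(script))
end
```

The scriptblock form keeps the whole stream pipeline inside the argument to [scriptblock]::Create, so there is no $s variable and no IEX token for a pattern filter to match on; the linter exists because the base64 blob itself can legitimately contain "IEX" as a substring, which is why it is removed before the check.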

sempervictus commented 7 years ago

ping @dmaloney-r7 @busterb: could you guys take a peek at this? Authenticated RCE is sort of useful. Psexec itself will probably need to improve a bit in Msf as I'm seeing that members of the local administrators group can't psexec while the actual administrator can, but these fixes seem to address the AV script hooks and filters they've tossed in.

We need to test large script staging and a few other things, and I'll replace all viable invoke-expression call sites in a separate PR once we can actually ensure that the &(scriptblock) bit works as intended.