trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

Meterpreter Session URI unescape is obsolete #141

Closed fs0c1ety-sec closed 4 years ago

fs0c1ety-sec commented 4 years ago

Hi,

I'm having problems with unicor... I'm getting a URI unescape warning after the Meterpreter session opened and can only "exit -y" to stop it.

Unicorn version used: Newest. Just did a git clone a few hours ago.

Payload: windows/meterpreter/reverse_http Lhost: 192.168.178.26 Lport: 11111

First, I'm getting a problem even when I try to execute the obfuscated PowerShell payload on my Windows 10 x64 Pro machine. It's not executing correctly. I have to turn off Windows Defender and execute the payload, otherwise I won't get a session back. But Windows Defender is not picking up the payload; it's not detecting the PowerShell injection.

[screenshot ps_before_execute] Running PowerShell before executing the payload.
[screenshot ps_code] Executing the payload in PowerShell.
[screenshot image] Started handler and waiting for connections.
[screenshot ps_multiple] After turning off Windows Defender the payload gets executed... but it opens multiple PowerShell instances.
[screenshot image2] Getting Meterpreter session opened with URI unescape warning...

Thank You in advance for any help!

HackingDave commented 4 years ago

What version of Metasploit are you using?

fs0c1ety-sec commented 4 years ago

My Metasploit version is 5.0.86

HackingDave commented 4 years ago

Tested on the latest version of Metasploit and Unicorn, it is working. Thanks for the report!