authorKevin Robertson <robertsonk@gmail.com>2017-01-22 18:36:08 -0500
committerKevin Robertson <robertsonk@gmail.com>2017-01-22 18:36:08 -0500
commit2ab10d82aa5e30495078ca8c53b56d43d277d49d (patch)
treefaf84b8451f2afada3e2b2c76cbf6969d40309c7
parent2318def4dbf419c31a088cf4a222d0ac9851b5d9 (diff)
WMI fix for 0x1C01000B error
Fix to prevent certain command lengths from triggering WMI error code 0x1C01000B. Thanks to @vysec for reporting the issue and testing.
-rw-r--r--Invoke-WMIExec.ps122
1 files changed, 19 insertions, 3 deletions
diff --git a/Invoke-WMIExec.ps1 b/Invoke-WMIExec.ps1
index ec14080..43943a8 100644
--- a/Invoke-WMIExec.ps1
+++ b/Invoke-WMIExec.ps1
@@ -1239,10 +1239,26 @@ if($WMI_client_init.Connected)
$command_length2 = $command_length2[0,1]
[Byte[]]$command_bytes = [System.Text.Encoding]::UTF8.GetBytes($Command)
- if([Bool]!($Command.Length % 2))
+
+ # thanks to @vysec for finding a bug with certain command lengths
+ [String]$command_padding_check = $Command.Length / 4
+
+ if($command_padding_check -like "*.75")
{
$command_bytes += 0x00
}
+ elseif($command_padding_check -like "*.5")
+ {
+ $command_bytes += 0x00,0x00
+ }
+ elseif($command_padding_check -like "*.25")
+ {
+ $command_bytes += 0x00,0x00,0x00
+ }
+ else
+ {
+ $command_bytes += 0x00,0x00,0x00,0x00
+ }
$stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
$causality_ID_bytes +
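Review bot: The padding chosen in the new if/elseif chain is derived from `$Command.Length`, the character count, while the array being padded is the UTF-8 encoding produced two lines earlier, so any non-ASCII character in the command makes the byte count differ from the character count and the array no longer ends on a 4-byte boundary. Taking the remainder from the array itself also removes the string-suffix matching on "*.75"/"*.5"/"*.25": `$command_bytes += [Byte[]](,0x00 * (4 - ($command_bytes.Length % 4)))` yields the same one to four null bytes as the four branches for ASCII input. If `$command_length2` on the hunk's first context line is likewise computed from the character count it would need the same treatment, but that computation is outside the hunk, as is the enclosing `if($WMI_client_init.Connected)` block.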
@@ -1361,8 +1377,8 @@ if($WMI_client_init.Connected)
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00
}