From 2ab10d82aa5e30495078ca8c53b56d43d277d49d Mon Sep 17 00:00:00 2001
From: Kevin Robertson
Date: Sun, 22 Jan 2017 18:36:08 -0500
Subject: WMI fix for 0x1C01000B error
Fix to prevent certain command lengths from triggering WMI error code 0x1C01000B. Thanks to @vysec for reporting the issue and testing.
---
 Invoke-WMIExec.ps1 | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/Invoke-WMIExec.ps1 b/Invoke-WMIExec.ps1
index ec14080..43943a8 100644
--- a/Invoke-WMIExec.ps1
+++ b/Invoke-WMIExec.ps1
@@ -1239,10 +1239,26 @@ if($WMI_client_init.Connected)
 $command_length2 = $command_length2[0,1]
 [Byte[]]$command_bytes = [System.Text.Encoding]::UTF8.GetBytes($Command)
- if([Bool]!($Command.Length % 2))
+
+ # thanks to @vysec for finding a bug with certain command lengths
+ [String]$command_padding_check = $Command.Length / 4
+
+ if($command_padding_check -like "*.75")
 {
 $command_bytes += 0x00
 }
+ elseif($command_padding_check -like "*.5")
+ {
+ $command_bytes += 0x00,0x00
+ }
+ elseif($command_padding_check -like "*.25")
+ {
+ $command_bytes += 0x00,0x00,0x00
+ }
+ else
+ {
+ $command_bytes += 0x00,0x00,0x00,0x00
+ }
 $stub_data = 0x05,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +
 $causality_ID_bytes +
@@ -1361,8 +1377,8 @@ if($WMI_client_init.Connected)
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x00
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x02,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00
 }
-- 
cgit v1.2.3
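Review bot: The new padding branches derive the alignment from `$Command.Length`, which is a character count, while the array they pad is `$command_bytes`, the UTF-8 encoding produced on the line just above; for any command containing non-ASCII characters the two lengths differ and the padding computed here is wrong. Converting the quotient to a string and testing its fractional part with `-like` is also an indirect way of writing `length mod 4`: the whole if/elseif chain reduces to `$command_bytes += [Byte[]](,0x00 * (4 - ($command_bytes.Length % 4)))`, which appends 1–4 null bytes exactly as the four branches do. If the length fields assembled above this hunk are also derived from `$Command.Length`, they would presumably need the same byte-based treatment, and the byte-offset adjustment in the second hunk may assume the current character-based behaviour, so both are worth confirming together. The enclosing block starts and ends outside the hunk.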
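Review bot: The one-position shift of `0x04,0x00,0x02` and the dropped trailing `0x00` in this byte literal carry no comment tying them to the padding change earlier in the patch, so a later reader of the blob cannot tell why the layout moved; presumably the shift compensates for the command padding now being emitted differently, but nothing in the hunk states that. A short comment above the literal, such as `# offset shifted to match the null-terminated, 4-byte-aligned command padding applied above`, would record the dependency between the two hunks. The byte array and the enclosing block begin and end outside the hunk.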