* Renamed Prepare-Payload to Out-EncodedCommand in order to conform to a
standard cmdlet verb.
* Fixed bug in PowerShell v2
* Defaults to full base-64 encoding unless it exceeds the cmd.exe
character limit. Otherwise, it will default to partial base-64 encoding
in an effort to save space. Thanks @Carlos_Perez for the idea!
* User will be prompted if the cmd.exe character limit is exceeded.
* Command-line output uses truncated arguments in order to save space.
Thanks @obscuresec!
* Some payloads were not decoding properly after being uncompressed.
This was due to a bug in how `Get-Content -Encoding ASCII` was
interpreting input. When reading a script from a file, Prepare-payload
no longer makes any assumptions about the script's encoding.
* Prepare-Payload will display a warning if the cmd.exe or base64 string
length maximums are exceeded.
Marshals data from an unmanaged block of memory in an arbitrary process
to a newly allocated managed object of the specified type. In other
words, it will parse and return a structure at a known memory address in
any process.
* The script now silently continues if the ps1xml file is not present.
* Removed compiler parameter code. This was a remnant of the first
version of Get-KernelModuleInfo when it compiled code.
* Improved the heuristics for determining when the last kernel module is
encountered.
Prepare-Payload compresses, Base-64 encodes, and generates command-line
output for a PowerShell payload script. This script was inspired by and
an improvement upon createcmd.ps1
(https://www.trustedsec.com/files/PowerShell_PoC.zip)
Updated Inject-Shellcode. If running a 32-bit Metasploit payload from
64-bit PowerShell, it will prompt the user to execute the payload from
32-bit PowerShell. This fix was in response to Chris Gate's feature
request:
http://carnal0wnage.attackresearch.com/2012/05/powershell-shellcode-metasploit-x64.html
Note, there are some side effects:
1) It takes about one minute to initialize and execute the payload in
the 32-bit process. This is because the execution essentially emulates
copying and pasting its contents into the child process.
2) You will see some output artifacts of the script running in the child
PowerShell process.
I couldn't think of a good way to rectify these problems without
dropping the contents of the script to disk, which would not be
desireable.
New Features/Changes:
- Dramatically simplified parameters. Removed redundancies and named
parameter sets more appropriately
- Added 'Shellcode' parameter. Now, you can optionally specify shellcode
as a byte array rather than having to copy and paste shellcode into the
$Shellcode32 and/or $Shellcode64 variables
- Added 'Payload' parameter. Naming is now consistant with Metasploit
payloads. Currently, only 'windows/meterpreter/reverse_http' and
'windows/meterpreter/reverse_https' payloads are supported.
- Inject-Shellcode will now prompt the user to continue the 'dangerous'
action unless the -Force switch is provided. Hopefully, this will
prevent some people from carrying out stupid/regrettable actions.
- Added the 'ListMetasploitPayloads' switch to display the Metasploit
payloads supported by Inject-Shellcode
Bug fixes/Miscellaneous:
- Added UserAgent parameter to help documentation
- Code is much more readable now
- Changed internal helper functions to 'local' scope
- Now using proper error handling versus Write-Warning statements
- Added a subtle warning to the built-in shellcode...
* All recon scripts not live in the 'Recon' directory
* Added Get-HttpStatus - An http[s] enumeration tool
* Added default dictionary for Get-HttpStatus - .\Dictionaries\admin.txt
* Moved Invoke-ReverseDnsLookup to 'Recon'
Get-PEHeader is a 32 and 64-bit in-memory and on-disk PE parsing
utility.
PETools is now a PowerShell module that can be loaded with
`Import-Module PETools`
bitform