This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting
Two posts got me started looking at PowerShell and its ability to execute shellcode
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
and
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!
![]()
The second post talks about doing something more than calc.exe...getting shell whooo hooooo
You can review the code but it only shows a x86/32bit shellcode. This will fail miserably on x64.
![]()
I was initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...
![]()
CG was a sad panda.
![]()
This left me with two options:
Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome i am during pentests
or
Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)
So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution i used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
You will need to set the execution policy for v1.0 powershell, or possibly try a bypass technique.
I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if its not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.
now it works
![]()
Remember that you have to migrate out of the PowerShell process.
Much like the office macro and shellcode exec, if user closes office, or you close exit powershell process shell goes bye-bye.
References:
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
![]()
Two posts got me started looking at PowerShell and its ability to execute shellcode
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
and
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!
The second post talks about doing something more than calc.exe...getting shell whooo hooooo
You can review the code but it only shows a x86/32bit shellcode. This will fail miserably on x64.
I was initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...
CG was a sad panda.
Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome i am during pentests
or
Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)
So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution i used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
You will need to set the execution policy for v1.0 powershell, or possibly try a bypass technique.
I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if its not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.
[Byte[]]$sc = $sc32
if ($env:Processor_Architecture -ne "x86")
{
write-warning "WTF! This is 64x, switching to 32x and continuing script."
&"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass
exit
}now it works
Remember that you have to migrate out of the PowerShell process.
Much like the office macro and shellcode exec, if user closes office, or you close exit powershell process shell goes bye-bye.
References:
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
