Comments on Carnal0wnage Blog: PowerShell, Shellcode, metasploit, x64

Matt Graeber (2012-05-15 11:22 -04:00):
For the scripts on exploit-monday, any 32/64-bit Windows shellcode should work as long as you specify 'thread' as the exit method, since the technique I use calls CreateThread. The same goes for shellcode generated for PowerSyringe.

Glad you're enjoying the evil applications of PowerShell! ;D

~Matt

CG (2012-05-15 11:33 -04:00):
Yes, but the point I was making is that there is no x64 HTTP/HTTPS shellcode for msf.

You are still going to need x64 shellcode to run on x64 unless you specifically call the x86 PowerShell and pass it the x86 shellcode, correct?

Matt Graeber (2012-05-15 12:11 -04:00):
No. You're right about the lack of 64-bit HTTP payloads.

I was just making the point that the script you referenced will execute more than just calc.

As a note, you can also test if you're in 32 vs 64-bit PowerShell via `[IntPtr]::Size`.

Matt Graeber (2012-05-16 07:52 -04:00):
Hey Chris,

So my question to you is...

Would you rather see pure 64-bit reverse HTTP shellcode, or would you be interested in a PowerShell reverse-HTTP stage 1 that just pulled down and executed stage 2? I could implement either one or both given enough demand.

PsYcH (2013-03-21 22:44 -04:00):
Hi CG,

I'm sorta in a situation where everything in a Citrix environment is blocked by Group Policy/AppLocker, but I can run macros under Office. The problem, though, is there is a proxy for outbound http/https and there are no x64 metasploit reverse http/https payloads! I've tested the other x64 payloads and they seem to work, but I can't get to run cmd.exe etc. to use PowerShell, as Group Policy/AppLocker blocks it. Any way outta this??

~PsYcH

CG (2013-03-22 08:27 -04:00):
The post goes through showing you how to invoke the 32-bit PowerShell so you can do http/https.

Unknown (2015-03-29 14:49 -04:00):
Mine doesn't work in Win7... I got to the part where it detects it is x64, however PowerShell crashes when executing the PowerShell file...
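The two mechanics the thread turns on, Matt's `[IntPtr]::Size` bitness check and CG's point that on x64 you have to call the x86 PowerShell host if you want to hand it x86 shellcode, are shown together below. This is an added example, not code from the original post or from any of the commenters; it uses only built-in environment variables and the standard PowerShell install paths, and the only assumption is that it is saved and run as a script file (so `$MyInvocation.MyCommand.Path` resolves to its own path).

```powershell
# Added example (not from the original post or comments): detect the
# bitness of the current PowerShell host and, when running as a 64-bit
# process on a 64-bit OS, re-invoke this same script under the 32-bit
# host so that x86 shellcode can be used there.

function Get-PowerShellBitness {
    # [IntPtr]::Size is 4 in a 32-bit process and 8 in a 64-bit one.
    # It works on PowerShell 2.0, where [Environment]::Is64BitProcess
    # may not be available.
    if ([IntPtr]::Size -eq 8) { return 64 } else { return 32 }
}

function Test-Is64BitOS {
    # A native 64-bit process sees PROCESSOR_ARCHITECTURE=AMD64; a 32-bit
    # (WOW64) process on a 64-bit OS sees PROCESSOR_ARCHITEW6432=AMD64.
    return ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or
           ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
}

function Get-32BitPowerShellPath {
    # From a 64-bit process the 32-bit host lives under SysWOW64.
    # From a 32-bit process, System32 is already redirected to SysWOW64
    # by WOW64, so the plain System32 path is the 32-bit host.
    if ((Get-PowerShellBitness) -eq 64) {
        return Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    }
    return Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'
}

function Invoke-Under32BitPowerShell {
    param([Parameter(Mandatory = $true)][string]$ScriptPath)
    $ps32 = Get-32BitPowerShellPath
    if (-not (Test-Path $ps32)) {
        throw "32-bit PowerShell host not found at $ps32"
    }
    # -NoProfile keeps the child environment minimal; -ExecutionPolicy
    # Bypass stops a Restricted policy from refusing the script file.
    & $ps32 -NoProfile -ExecutionPolicy Bypass -File $ScriptPath
}

# Usage: the path of this script itself, so the child run lands in the
# else-branch below and reports 32-bit.
$ScriptPath = $MyInvocation.MyCommand.Path

if ((Get-PowerShellBitness) -eq 64 -and (Test-Is64BitOS)) {
    Write-Host "64-bit host detected; re-launching under 32-bit PowerShell"
    Invoke-Under32BitPowerShell -ScriptPath $ScriptPath
} else {
    Write-Host ("Running in {0}-bit PowerShell" -f (Get-PowerShellBitness))
}
```

Whatever the 32-bit child goes on to run has to match its own bitness: x86 shellcode in the 32-bit host, x64 shellcode in the 64-bit one. Per Matt's first comment, shellcode destined for the CreateThread-based loaders should also be generated with 'thread' as the exit method.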