@idavis
Last active Aug 29, 2015
Stealing Private Data
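# Builds an in-memory dynamic module named "monkey". The credential is captured
# once, when the script block runs, and kept in the module's own scope; only
# Get-Files is exported.
#
# NOTE(security): not exporting $credentials hides it from ordinary name lookup,
# but it is not an access-control boundary. Code in the same session can run a
# script block inside the module's scope and read the variable, and
# GetNetworkCredential() then yields the plaintext password. Treat a credential
# held in module scope as readable by everything loaded in that session, and
# keep it there no longer than needed.
$module = New-Module -Name "monkey" -ScriptBlock {
    # Prompts interactively at module creation time.
    $credentials = Get-Credential

    # Returns the names of all items under $source (recursive, -Force), reached
    # through a temporary PSDrive mapped with the stored credential.
    function Get-Files($source) {
        # Fix: the original used "$target" as the drive root, a variable that is
        # never assigned in this module, so the $source argument was ignored.
        New-PSDrive -Name target -PSProvider FileSystem -Credential $credentials -Root "$source" | Out-Null
        try {
            $results = Get-ChildItem -Path target:\ -Recurse -Force | ForEach-Object { $_.Name }
        }
        finally {
            # Always unmap the drive so the credentialed mapping does not
            # outlive the call when enumeration throws.
            Remove-PSDrive target
        }
        return $results
    }

    Export-ModuleMember Get-Files
}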
# Demonstration that a module's non-exported state is reachable from outside
# the module. Relies on $module, which is built earlier in this script.
try {
    Import-Module $module -Global -Force

    # we could use $module here, but this is showing that we can pull loaded modules.
    $loadedModule = Get-Module monkey

    # Dot-invoking a script block against a module object evaluates the block in
    # that module's scope, which is why the non-exported variable resolves here.
    $stolenCredentials = . $loadedModule { $credentials }

    # or load the data into the parent scope
    #$stolenCredentials = $null
    #. $loadedModule {
    # Set-Variable -Name stolenCredentials -Scope 1 -Value $credentials
    #}

    if ($null -ne $stolenCredentials.UserName) {
        Write-Output "I've got the golden ticket."

        # NOTE(review): this writes the plaintext password to the output stream,
        # so anything that records session output also records the password.
        $plainText = $stolenCredentials.GetNetworkCredential().Password
        Write-Output "Nice password: $plainText"
    }

    # We could invoke this, but the code was just for show
    #Get-Files "C:\some\path" | Out-Null
}
finally {
    # The [m] wildcard form is presumably used so that no error is raised when
    # the module is not loaded; confirm against the PowerShell version in use.
    Remove-Module [m]onkey
}
@{
    # Script or binary module file that this manifest loads.
    RootModule        = 'Monkey.psm1'

    # Module version.
    ModuleVersion     = '1.0'

    # Unique identifier for this module.
    GUID              = '4d4390dc-a8ad-4bce-8d69-f53ccf8e4163'

    # Module author.
    Author            = 'Ian Davis'

    # Copyright statement.
    Copyright         = '(c) 2015 Ian Davis. All rights reserved.'

    # Functions made available to importers.
    FunctionsToExport = @('Update-Credentials', 'Get-Files')

    # No variables are listed for export.
    # NOTE(security): the export lists control which names importers see; they
    # are not a confidentiality control. Script-scope variables in the root
    # module remain readable by other code running in the same session.
    VariablesToExport = $null
}
# Stores the credential the module uses for later calls.
#   $cred - credential to store; when omitted or falsy the user is prompted
#           through Get-Credential instead.
# The value is kept in the script (module) scope variable $credentials.
# NOTE(security): script scope hides the variable from importers by name only;
# other code in the same session can still read it.
function Update-Credentials($cred) {
    if (-not $cred) {
        # Nothing supplied: fall back to the interactive prompt.
        $script:credentials = Get-Credential
        return
    }

    $script:credentials = $cred
}
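# Returns the names of all items under $source (recursive, -Force), reached
# through a temporary PSDrive mapped with the module's stored credential.
#   $source - root path to map and enumerate.
# Reads $credentials from the enclosing scope; presumably Update-Credentials
# must have been called first, otherwise -Credential receives no value.
function Get-Files($source) {
    # Fix: the original used "$target" as the drive root, a variable that is
    # never assigned in this file, so the $source argument was ignored.
    New-PSDrive -Name target -PSProvider FileSystem -Credential $credentials -Root "$source" | Out-Null
    try {
        $results = Get-ChildItem -Path target:\ -Recurse -Force | ForEach-Object { $_.Name }
    }
    finally {
        # Always unmap the drive so the credentialed mapping does not outlive
        # the call when enumeration throws.
        Remove-PSDrive target
    }
    return $results
}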
# Pester test showing that the credential stored by Update-Credentials in the
# module's private scope can be read back, in plaintext, by code outside the
# module. A passing test means module scope gives no confidentiality against
# other code in the same session.
Describe "Update-Credentials" {
    Context "Funtion Sets private credentials" {
        # Load the module through its manifest, located next to this test file.
        Import-Module (Join-Path $PSScriptRoot Monkey.psd1)

        # Constructed fixture credential; "secret" is a test value only.
        $username = "domain01\admin01"
        $password = ConvertTo-SecureString "secret" -asplaintext -force
        $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
        Update-Credentials $cred

        $module = $null
        # Fetch the loaded module object before each test.
        BeforeEach { $module = Get-Module "Monkey" }
        # NOTE(review): the module is imported once above but removed after
        # every test, so a second It block would find it unloaded.
        AfterEach { Remove-Module [m]onkey }

        It "Should be possible to steal the data" {
            # Evaluate a script block in the module's scope to reach the
            # non-exported $credentials variable.
            $stolenCredentials = (. $module { $credentials } )
            # NOTE(review): `Should Be` without a dash is the older Pester
            # assertion syntax; confirm the Pester version in use.
            $($stolenCredentials.GetNetworkCredential().Password) | Should Be "secret"
        }
    }
}