Metasploit-framework: payload windows/powershell_reverse_tcp and windows/x64/powershell_reverse_tcp doesn't work
Steps to reproduce
How'd you do it?
Use exploit/multi/handler set your payload as windows/x64/powershell_reverse_tcp
and set all other relevant variablesGenerate an executable from payload/windows/x64/powershell_reverse_tcp
This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.
Expected behavior
This should return an Powershell interactive Session upon execution form the target machine.
Current behavior
The binary seems to fail to connect back to the listener and windows 10 remains still.
System stuff
Attacker machine
kali linux 2018.2 kernal 4.15.17
victim machine
win 10 v1709 and v1803
Metasploit version
4.16.56
I installed Metasploit with:
I installed with apt get method
OS
kali linux 2018.2
usama7628674
All 23 comments
Sounds like you have a networking problem?
[*] Powershell session session 1 opened (192.168.212.1:4444 -> 192.168.212.129:49686) at 2018-05-16 06:41:22 -0500
It works for me against Win10.
wvu-r7
on 16 May 2018
@wvu-r7 That's weird and my internet connection isn't a problem.You have to look here #9668.
usama7628674
on 16 May 2018
Yeah, I'm not talking about your internet connection. I was thinking firewall or something. Do you have a pcap to share?
wvu-r7
on 16 May 2018
@wvu-r7 I'll share it to you later but in windows 10 v1709 the executable crashes and in v1803 nothing happens.
usama7628674
on 16 May 2018
Okay, so you're specifically generating an executable from it, not executing it as raw PSH. Thanks for the link to the other issue. I'm reopening this.
wvu-r7
on 16 May 2018
@wvu-r7 The windows firewall was off during my testing
usama7628674
on 16 May 2018
Sorry, I thought "executable" might have been a typo.
wvu-r7
on 16 May 2018
@wvu-r7 It's ok and yes it wasn't a typo.
usama7628674
on 16 May 2018
I have an educated guess about what's happening. Looks like the exec stub isn't being prepended to the PSH command within the executable. So it's trying to execute PSH as shellcode, basically. Lol?
wvu-r7
on 16 May 2018
I suspect that super has changed since mixin-ification. Haven't verified this yet, but it wouldn't be the first time this has happened.
wvu-r7
on 16 May 2018
@wvu-r7 So what now?
usama7628674
on 16 May 2018
So now I fix it, presumably.
wvu-r7
on 16 May 2018
@wvu-r7 So the fix will be included in next verison after you push a commit to repo.
usama7628674
on 16 May 2018
@wvu-r7 Thanks for all of your support.
usama7628674
on 16 May 2018
regarding the 1803 everybody should look at that https://blog.cobaltstrike.com/2018/05/24/powershell-shellcode-injection-on-win-10-v1803/
fsacer
on 24 May 2018
@wvu-r7 @fsacer You might wanna look at this PR
https://github.com/EmpireProject/Empire/pull/1146
usama7628674
on 28 May 2018
The solution from EmpireProject/Empire#1146 works well on Windows 10 1803
chervaliery
on 21 Jun 2018
yeah that was the fix so it would be nice to merge it in faster
fsacer
on 21 Jun 2018
Merged, will bump the gem in a bit.
busterb
on 21 Jun 2018
Awesome, thank you!!
wvu-r7
on 21 Jun 2018
Merged, thanks a lot @chervaliery
busterb
on 21 Jun 2018
@busterb Still not working in win 10 v1803 and v1709.
Metasploit version 4.16.65
rex-powershell version 0.1.78
usama7628674
on 9 Jul 2018
10239
wvu-r7
on 16 Jul 2018
Related issues
adrianmihalko
路
3Comments
idetest41
路
3Comments
verapex
路
3Comments
fluit105
路
3Comments
Acidical
路
3Comments
Most helpful comment
Merged, thanks a lot @chervaliery