Unable to run Powershell interactively

[OJ]

For some reason the interaction with Powershell through Meterpreter doesn't work interactively:

meterpreter > execute -f C:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -c -H -i
Process 2356 created.
Channel 2 created.
meterpreter > shell
Process 1704 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\oj\Desktop>powershell
powershell
Windows PowerShell 
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

exit
exit
^C
Terminate channel 3? [y/N]  y
meterpreter >

😞

It looks like it might have something to do with the way that the std handles are managed. This isn't great. We should try to figure out what's going on here so that people can run interactive powershell prompts through Meterpreter. At the time time, it'd be nice to have a powershell command that behaves like shell, but gives a powershell prompt instead of a command prompt.

[Meatballs1]

#13

[OJ]

Yeah I remember that dude. I'm actually thinking of baking in some kind of PS functionality directly into Meterpreter instead of trying to shim it in/out through the the usual means. Hence the new issue.

Thoughts?

[Meatballs1]

Definitely would be . Trying to grab the stdout handles from powershell is just painful. Could wrap scripts to redirect output to clipboard/files/or some other handle but could break depending on script.

Better solution could be to implement https://github.com/silentbreaksec/UnmanagedPowerShell as a reflective DLL/meterpreter plugin. This would bypass software restriction policies on powershell.exe etc. Metasploit side may have to track the functions within the Powershell (regex ftw) or the user may have to specify the function to run after the Powershell script is injected?

[Meatballs1]

N.b. powershell -C/E command will generally work OK. But obviously limited to the command line length of 8192 which is easily reached when encoding larger scripts.

[OJ]

One challenge with the RDI approach (which I'd much prefer than shimming text across process boundaries) is that we could be running this inside a process that already has the CLR running. This is an issue I'm keen to solve in general which could allow us to push and load .NET extensions.

I'll try to get some time to look into this at some point soon.

[bcook-r7]

the result of echo "echo hello" | powershell vs echo "echo hello" | cmd may be a clue - powershell doesn't seem to read from its stdin pipe.

In fact, if you just do: execute -f powershell -i, you can go interact with the blank window that pops up.

[OJ]

Yup, exactly. PS does some horrible shit with handles. I think automating it via an extension is the way to go. Investigation added to the ever-growing list of things to do.

[MacysGitHub]

Try dropping it directly into powershell before a normal shell. It could be blocking the powershell from executing since you are already in a less privileged shell.

[larssb]

Was this ever solved? Having kind of the same issue, just with NW, if you could spare me 5, please see: nwjs/nw.js#4409

[OJ]

Not yet. It is being actively discussed. We are pondering solutions at the moment.

[larssb]

I was able to get this to work in the NWjs project. Maybe you can get inspired by the way NodeJS does this with their child_process option: https://nodejs.org/api/child_process.html

Have a great day.

[OJ]

You didn't just invoke node on me did you? ;) I'm afraid the way node operates is completely different to how meterpreter operates. The implementations will be very different. Cheers!

[GhostNaix]

Is it me or is the powershell in meterpreter broken ?

meterpreter > powershell_shell PS > Get-SmbServerConfiguration ERROR: Get-SmbServerConfiguration : The term 'Get-SmbServerConfiguration' is not recognized as the name of a cmdlet, function, ERROR: script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is c ERROR: orrect and try again. ERROR: ERROR: At line:1 char:27 ERROR: + Get-SmbServerConfiguration <<<< ERROR: + CategoryInfo : ObjectNotFound: (Get-SmbServerConfiguration:String) [], CommandNotFoundException ERROR: + FullyQualifiedErrorId : CommandNotFoundException ERROR: PS >

[busterb]

It's not broken, and is not the right place for this comment @5p3c7r3.

Try get-module -list to see what modules and cmdlets are loaded. Get-SmbServerConfiguration isn't loaded by default. If you would like to have the smbshare module loaded too, file a new issue, or even submit a PR.