PolyShell is a script that’s simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot).
This makes PolyShell a useful template for penetration testing, as it can be executed on most systems without the need for target-specific payloads. PolyShell is also specifically designed to be deliverable via input injection using a USB Rubber Ducky, MalDuino, or similar device.
How To Use It
As a stand-alone script
(.sh, .bat, or .ps1).
Using input injection
exit.
How It Works
The main trick is to get each other language to “look away” when we want to run code specific to only one of them. This is accomplished by exploiting language quirks surrounding quoting, redirection, and comments.
Consider the following line:
echo \" <<'BATCH_SCRIPT' >/dev/null ">NUL "\" \`" <#"
Each language sees the echo command, but will interpret the rest of the line differently.
For example, this is what each language will interpret as a string:
      echo \" <<'BATCH_SCRIPT' >/dev/null ">NUL "\" \`" <#"
Bash                                      [-----]     [---]
Batch       [-----------------------------]     [-]   [---]
PS          [-----------------------------]     [-]
After executing the line, the Bash script will be inside a here document, the PowerShell script will be inside a multiline comment, and the Batch script will continue executing normally. After each language is done executing, we terminate it. This prevents us from needing to work around its quirks later in the script.
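As an added illustration (not code from the PolyShell project), the following Python scanner models only the double-quote and escape rules the text relies on for each language and regenerates the bracket diagram from that line; the names LINE, string_spans, LANGUAGES and diagram are chosen here.

```python
# Added example, not part of PolyShell: a simplified per-language scanner for the
# first polyglot line. It models only the double-quote and escape rules the text
# relies on (single quotes, the here-document and full grammars are not modelled).

# The polyglot line discussed on the page, as a Python string literal.
LINE = 'echo \\" <<\'BATCH_SCRIPT\' >/dev/null ">NUL "\\" \\`" <#"'

def string_spans(line, escape_outside=None, escape_inside=None, comment_open=None):
    """[(start, end)] index pairs of the double-quoted strings one language sees.
    escape_outside/escape_inside: character making the next one literal outside/inside
    a string (None if the language has none there); comment_open: token that, after
    whitespace and outside a string, comments out the rest of the line (PowerShell <#)."""
    spans, start, i = [], None, 0
    while i < len(line):
        ch = line[i]
        inside = start is not None
        escape = escape_inside if inside else escape_outside
        if escape and ch == escape:
            i += 2  # the escaped character is literal: skip it
            continue
        if (not inside and comment_open and line.startswith(comment_open, i)
                and i > 0 and line[i - 1].isspace()):
            break  # the rest of the line is a comment for this language
        if ch == '"':
            if inside:
                spans.append((start, i))
                start = None
            else:
                start = i
        i += 1
    return spans

# Escape rules per language: Bash uses \ everywhere, Batch uses ^ only outside
# quotes, PowerShell uses ` everywhere and opens a block comment with <#.
LANGUAGES = {
    "Bash": dict(escape_outside="\\", escape_inside="\\"),
    "Batch": dict(escape_outside="^"),
    "PowerShell": dict(escape_outside="`", escape_inside="`", comment_open="<#"),
}

def diagram(line=LINE):
    """Redraw the bracket diagram under the line, one row per language."""
    rows = [" " * 11 + line]
    for name, rules in LANGUAGES.items():
        row = [" "] * len(line)
        for s, e in string_spans(line, **rules):
            row[s:e + 1] = "[" + "-" * (e - s - 1) + "]"
        rows.append(f"{name:<11}" + "".join(row))
    return "\n".join(rows)
```

Printing diagram() gives the same three rows as the diagram above, with Bash seeing only the two short strings while Batch and PowerShell swallow the heredoc marker and redirection into one long string.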
Quirks
Obviously, the tricks required to make this polyglot don’t follow normal coding conventions.
There are quite a few quirks that were leveraged or had to be worked around:
- Backslash (\) and caret (^) are escape characters (in Bash and Batch respectively), and the redirection operators (< and >) have special meaning in all three languages unless quoted.
- echo >output.txt "Hello World": Batch interprets > as a redirect even when it directly touches a string, but PowerShell doesn’t.
- GOTO statements only work when run as a script, not when run interactively.
- PowerShell multiline comments (<#) must be immediately preceded by whitespace.