
I am trying to execute a meterpreter shellcode on a Windows machine. In order to bypass the AV, I try to load the shellcode into memory using the DelegateType reflection technique. Below are the first lines of the PowerShell commands:

$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') })
$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')
$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress')
$kernel32 = $GetModuleHandle.Invoke($null, @("kernel32.dll"))

At this point the commands work without errors, but when I try to resolve my function with GetProcAddress, the method returns nothing:

$kernel32 = $GetModuleHandle.Invoke($null, @("kernel32.dll"))
$GetProcAddress.Invoke($null, @($kernel32, "CreateThread"))

I tried with MessageBoxA from the user32.dll library too and got the same result.

The path of System.dll: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089

The version of Windows 10:

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      14393  0       

The version of PowerShell:

Name                           Value                                           
----                           -----                                           
PSVersion                      5.1.14393.2273                                  
PSEdition                      Desktop                                         
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                         
BuildVersion                   10.0.14393.2273                                 
CLRVersion                     4.0.30319.42000                                 
WSManStackVersion              3.0                                             
PSRemotingProtocolVersion      2.3                                             
SerializationVersion           1.1.0.1   
– salt
  • What is the value of $kernel32 after the GetModuleHandle call? What is the result of Marshal.GetLastWin32Error()? – Polynomial Sep 23 '21 at 01:36
  • $kernel32 contains the address of kernel32.dll in memory: 140710415695872, and for Marshal.GetLastWin32Error(), I execute the command in my PowerShell prompt and it returns nothing. – salt Sep 23 '21 at 16:04
  • If you're not getting a number back from Marshal.GetLastWin32Error() then you've got a problem with your command syntax or some other part of the interface, which you'll have to troubleshoot yourself before continuing. – Polynomial Sep 23 '21 at 17:25
  • $GetProcAddress, $GetModuleHandle and $kernel32 return the good value, so I don't think I have any syntax problem with the first commands. And for $GetProcAddress.Invoke($null, @($kernel32, "CreateThread")), where is my syntax error? I used the good parameter values, didn't I? – salt Sep 23 '21 at 20:42
  • It's not about whether the syntax is correct elsewhere, it's about whether the right values are being returned in a way that you can see them in this interactive context. The Marshal.GetLastWin32Error() function always returns a value, so if you're calling that and you're not seeing a response, there's something going wrong that is causing the return value not to be displayed to you. That's not a Powershell / .NET issue, that's a specific issue with your interactive shell environment. – Polynomial Sep 23 '21 at 20:50
  • Normally, I'm supposed to be able to redirect the output to a file, aren't I? Because I tried with Marshal.GetLastWin32Error() 3>&1 2>&1 > my.log but the my.log file is not created. – salt Sep 23 '21 at 20:56
  • I don't know. This is a meterpreter support question, you'd be better off asking them directly. – Polynomial Sep 23 '21 at 20:57
  • It is a powershell reverse shell. I can get the shell through netcat. I don't need msfconsole. – salt Sep 23 '21 at 20:58
  • So [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() is giving you nothing? And if that's not what you were running, you should've gotten errors that told you what was wrong with the command you tried. – Polynomial Sep 23 '21 at 21:01
  • [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() returns 203!!!! – salt Sep 24 '21 at 01:55
  • Right. So the problem is almost certainly that you're using the wrong syntax in the rest of the stuff you're trying to do, and errors aren't coming back to tell you that. So I recommend exploring why that is, and reading up on some more Powershell stuff to get familiar with how it works. Unfortunately interactive support isn't something we do here. – Polynomial Sep 24 '21 at 15:07
  • But the error 203 means a problem with an environment variable, doesn't it? – salt Sep 24 '21 at 15:23
  • That's just the last Win32 error that occurred on the process, which means any API call that occurred between you executing the last command and this command could've set it. Could mean anything in this context since you're not running it immediately after the API call (i.e. in one single command, before control flow comes back to the Powershell host). Environment variables definitely don't affect GetProcAddress or GetModuleHandle calls. – Polynomial Sep 24 '21 at 15:34
  • But, as I said, this isn't something we can help with here. It primarily seems like you're trying to do Powershell exploitation before really learning Powershell. So I'd recommend starting there first, then figuring out why the Powershell errors aren't coming back in your shell (redirect thing? powershell option? impossible to know from here), then trying the actual exploitation side. – Polynomial Sep 24 '21 at 15:37
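Editor's note, from the defender's side: the reflection chain in the question (GAC lookup of System.dll, Microsoft.Win32.UnsafeNativeMethods, GetMethod('GetModuleHandle') / GetMethod('GetProcAddress'), then a delegate type for the resolved pointer) is exactly what PowerShell script block logging (event 4104) records verbatim, whether it arrives as one script or typed line by line. The example below is added here and is not code from the question or its comments; it scores constructed 4104-style events for those indicators, and handles the two cases a rule that looks at single events gets wrong: an interactive session where each line is its own script block, and a long block that logging splits into fragments, so that a class name cut at the fragment boundary is only visible after reassembly. Event field names mirror the 4104 fields, the sample script blocks are the question's own lines, and the weights and threshold are assumptions to tune against a baseline of legitimate admin scripts.

```python
"""Score PowerShell script block log events for reflective Win32 export resolution."""
import re
from collections import defaultdict

# Indicator patterns and weights (weights are assumptions for this example).
INDICATORS = [
    ("gac_system_dll", re.compile(r"GlobalAssemblyCache.{0,200}System\.dll", re.I | re.S), 1),
    ("unsafe_native_methods", re.compile(r"Microsoft\.Win32\.UnsafeNativeMethods", re.I), 2),
    ("reflect_getmodulehandle", re.compile(r"GetMethod\(\s*['\"]GetModuleHandle['\"]", re.I), 1),
    ("reflect_getprocaddress", re.compile(r"GetMethod\(\s*['\"]GetProcAddress['\"]", re.I), 2),
    ("delegate_type", re.compile(r"GetDelegateForFunctionPointer|DefineDynamicAssembly", re.I), 2),
]

# Constructed 4104-style events: one benign admin command, one interactive session
# typing the question's lines one at a time, and one script block split in two
# fragments (listed out of order, as they may arrive at a collector).
SAMPLE_EVENTS = [
    {"User": "LAB\\alice", "ScriptBlockId": "a-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"Get-ChildItem C:\Windows\System32 | Where-Object { $_.Length -gt 1MB }"},
    {"User": "LAB\\bob", "ScriptBlockId": "b-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"$systemdll = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') })"},
    {"User": "LAB\\bob", "ScriptBlockId": "b-2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"$unsafeObj = $systemdll.GetType('Microsoft.Win32.UnsafeNativeMethods')"},
    {"User": "LAB\\bob", "ScriptBlockId": "b-3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"$GetModuleHandle = $unsafeObj.GetMethod('GetModuleHandle')"},
    {"User": "LAB\\bob", "ScriptBlockId": "b-4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": r"$GetProcAddress = $unsafeObj.GetMethod('GetProcAddress')"},
    {"User": "LAB\\carol", "ScriptBlockId": "c-1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "tiveMethods')\n$gpa = $u.GetMethod('GetProcAddress')\n"},
    {"User": "LAB\\carol", "ScriptBlockId": "c-1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": r"$u = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNa"},
]


def score_text(text):
    """Return (score, [indicator names]) for one piece of script text."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def assemble_blocks(events):
    """Join fragments sharing a ScriptBlockId, ordered by MessageNumber.

    Returns {ScriptBlockId: (user, full_text)}.
    """
    frags = defaultdict(dict)
    owner = {}
    for ev in events:
        frags[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        owner[ev["ScriptBlockId"]] = ev["User"]
    return {sbid: (owner[sbid], "".join(parts[n] for n in sorted(parts)))
            for sbid, parts in frags.items()}


def detect(events, threshold=4):
    """Roll indicator hits up per user across all of their script blocks.

    Each distinct indicator counts once per user, so an interactive session that
    emits one script block per typed line accumulates the same score as a single
    script containing the same lines.
    """
    per_user = defaultdict(lambda: {"hits": set(), "blocks": []})
    for sbid, (user, text) in assemble_blocks(events).items():
        _, hits = score_text(text)
        if hits:
            per_user[user]["hits"].update(hits)
            per_user[user]["blocks"].append(sbid)
    findings = {}
    for user, agg in per_user.items():
        score = sum(w for name, _, w in INDICATORS if name in agg["hits"])
        if score >= threshold:
            findings[user] = {"score": score, "hits": sorted(agg["hits"]),
                              "blocks": sorted(agg["blocks"])}
    return findings


if __name__ == "__main__":
    for user, finding in detect(SAMPLE_EVENTS).items():
        print(f"{user}: score={finding['score']} hits={finding['hits']} blocks={finding['blocks']}")
```

Scoring carol's two fragments separately gives 1 and 2, both under the threshold, and the UnsafeNativeMethods pattern never matches because the class name straddles the boundary; after reassembly the block scores 5. Bob's four one-line blocks score 6 together although no single one reaches 4.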

0 Answers