Merge pull request #20180 from smashery/powershell-impersonate-warning

Warn user if they are using PowerShell with impersonation

Author: smcintyre-r7

lib/rex/post/meterpreter/extensions/powershell/powershell.rb

@@ -53,10 +53,10 @@ def import_file(opts={})
       request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length)
       request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
       client.send_request(request)
-      return true
+      return { loaded: true }
     end
 
-    return false
+    return { loaded: false }
   end
 
   def session_remove(opts={})
@@ -75,7 +75,14 @@ def execute_string(opts={})
     request.add_tlv(TLV_TYPE_POWERSHELL_SESSIONID, opts[:session_id]) if opts[:session_id]
 
     response = client.send_request(request)
-    return response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
+    result = {}
+    handle = client.sys.config.get_token_handle()
+    if handle != 0
+      result[:warning] = 'Impersonation will not apply to PowerShell.'
+    end
+
+    result[:output] = response.get_tlv_value(TLV_TYPE_POWERSHELL_RESULT)
+    return result
   end
 
   def shell(opts={})
@@ -87,7 +94,16 @@ def shell(opts={})
     if channel_id.nil?
       raise Exception, "We did not get a channel back!"
     end
-    Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response)
+
+    result = {}
+    handle = client.sys.config.get_token_handle()
+    if handle != 0
+      result[:warning] = 'Impersonation will not apply to PowerShell.'
+    end
+
+    result[:channel] = Rex::Post::Meterpreter::Channels::Pools::StreamPool.new(client, channel_id, 'powershell_psh', CHANNEL_FLAG_SYNCHRONOUS, response)
+
+    result
   end
 
 end

lib/rex/post/meterpreter/extensions/stdapi/command_ids.rb

@@ -130,6 +130,7 @@ module Stdapi
 COMMAND_ID_STDAPI_SYS_PROCESS_SET_TERM_SIZE          = EXTENSION_ID_STDAPI + 118
 COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_SEARCH          = EXTENSION_ID_STDAPI + 119
 COMMAND_ID_STDAPI_SYS_CONFIG_UPDATE_TOKEN            = EXTENSION_ID_STDAPI + 120
+COMMAND_ID_STDAPI_SYS_CONFIG_GET_TOKEN_HANDLE        = EXTENSION_ID_STDAPI + 121
 
 
 end; end; end; end; end

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -176,6 +176,15 @@ def update_token(token_handle)
   end
 
   #
+  # Gets the current impersonation token
+  #
+  def get_token_handle()
+    req = Packet.create_request(COMMAND_ID_STDAPI_SYS_CONFIG_GET_TOKEN_HANDLE)
+    res = client.send_request(req)
+    res.get_tlv_value(TLV_TYPE_HANDLE)
+  end
+
+#
   # Enables all possible privileges
   #
   def getprivs

lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb

@@ -98,7 +98,14 @@ def cmd_powershell_shell(*args)
       end
     }
 
-    channel = client.powershell.shell(opts)
+    result = client.powershell.shell(opts)
+
+    channel = result[:channel]
+
+    if result[:warning].present?
+      print_warning(result[:warning])
+    end
+
     shell.interact_with_channel(channel)
   end
 
@@ -144,12 +151,17 @@ def cmd_powershell_import(*args)
     }
 
     result = client.powershell.import_file(opts)
-    if result.nil? || result == false
+
+    if result[:warning].present?
+      print_warning(result[:warning])
+    end
+
+    if result[:loaded] == false
       print_error('File failed to load. The file must end in ".ps1" or ".dll".')
-    elsif result == true || result.empty?
+    elsif result[:loaded] == true || result[:output].empty?
       print_good("File successfully imported. No result was returned.")
     else
-      print_good("File successfully imported. Result:\n#{result}")
+      print_good("File successfully imported. Result:\n#{result[:output]}")
     end
   end
 
@@ -186,7 +198,10 @@ def cmd_powershell_execute(*args)
     }
 
     result = client.powershell.execute_string(opts)
-    print_good("Command execution completed:\n#{result}")
+    if result[:warning].present?
+      print_warning(result[:warning])
+    end
+    print_good("Command execution completed:\n#{result[:output]}")
   end
 
 end