PoSHMagiC0de
Posted February 13, 2019 (edited)

One-liners got you down? Trying to type out all that text, including escapes, getting confusing, and then modifying it later on is even more frustrating? Well, let's try having our one-liner be a multi-liner in the beginning and encode it, all from bash. Complete with all the bash variables you want to pass and the PowerShell variables you want to be unharmed.

The original premise is from @elkentaro's post about PowerRun, which he wrote using iconv. This can convert files to whatever encoding you want. Well, we are not converting files here, we will be converting echoed text... or an echoed variable.

Let's do the example as a payload, since most of you may not run Linux, or if you do, do not run PowerShell 6 on it to test seamlessly. This is a hacky way of doing it but it works.

LED SETUP

MYTEXT="Charles"
MYSCRIPT="
\$name = \"$MYTEXT\";
cls;
Start-Sleep -s 2;
Write-Host \"Hello there, \$(\$name).\";
"

# quote $MYSCRIPT so bash does not word-split or glob-expand the script text
ENCODED=$(echo "$MYSCRIPT" | iconv -t utf-16le | base64 -w 0)

ATTACKMODE HID
Q DELAY 5000
LED ATTACK
Q GUI r
Q STRING "cmd"
Q DELAY 500
Q ENTER
Q DELAY 2000
Q STRING "powershell -E \"$ENCODED\""
Q DELAY 700
Q ENTER
LED FINISH

So, you still have to escape (") when inside quotes, or use single quotes instead, but isn't that much easier to follow? You also still need to escape ($) where you want them passed to PowerShell rather than having bash replace them with its own value. Also, since bash concatenates each line, you will have to add a semicolon to each line except where a loop or statement begins, like below.

MYTEXT="
while \$true {
Start-Sleep -s 1;
Write-Host \"Running loop\";
}
"

#or

MYTEXT="
if(\$i -eq 4) {
Write-Host \"Item is 4.\";
}
"

Now, if you do not need to pass any values from bash, then you can have all your PowerShell in a file, all neat and formatted without all the escapes and stuff, and then use the PowerRun method to encode. This is a lost gem I decided to resurrect and show a spin on.
Edited February 23, 2019 by PoSHMagiC0de
Missing a ";" in code.
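As an added example, not part of the original post, here is the same encode step wrapped in shell functions, plus a decoder so the payload can be checked on the bash side before it is ever typed into a host. The function names and the python3 fallback for hosts without iconv are my own assumptions; the script body and the Charles value are the post's.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build the "powershell -E" payload
# from a multi-line script with bash values substituted, and decode it back so
# the operator can confirm exactly what PowerShell will receive.

# UTF-16LE conversion; python3 fallback (assumed available) for hosts without iconv.
to_utf16le() {
    if command -v iconv >/dev/null 2>&1; then iconv -f utf-8 -t utf-16le
    else python3 -c 'import sys; sys.stdout.buffer.write(sys.stdin.read().encode("utf-16le"))'
    fi
}
from_utf16le() {
    if command -v iconv >/dev/null 2>&1; then iconv -f utf-16le -t utf-8
    else python3 -c 'import sys; sys.stdout.write(sys.stdin.buffer.read().decode("utf-16le"))'
    fi
}

# Encode exactly as -E expects: UTF-16LE text, base64 on a single line
# (tr replaces "base64 -w 0" so the same line works on non-GNU base64).
ps_encode() { printf '%s' "$1" | to_utf16le | base64 | tr -d '\n'; }

# Reverse of ps_encode; run it on the payload before relying on it.
ps_decode() { printf '%s' "$1" | base64 -d | from_utf16le; }

# Build the script: $mytext is expanded by bash, \$name and \" survive for PowerShell.
build_script() {
    local mytext="$1"
    printf '%s' "
\$name = \"$mytext\";
cls;
Start-Sleep -s 2;
Write-Host \"Hello there, \$(\$name).\";
"
}

# The full command line the HID STRING would type.
build_command() {
    printf 'powershell -E "%s"' "$(ps_encode "$(build_script "$1")")"
}

# Stand-alone run: print the command, then show what PowerShell will decode it to.
cmd=$(build_command "Charles")
echo "$cmd"
enc=${cmd#powershell -E \"}; enc=${enc%\"}
ps_decode "$enc"
```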