POSH URI 2: The Command!

In my last post I talked about using a URI to invoke a Powershell script. I didn’t want to get into the details immediately because I didn’t want people to follow too closely and get themselves into a position where they could fall into a clever trap. Before posting any details I wanted to be sure that what I did post was going to be resistant to code injection, since a URI crafted to exploit any bug in the handler could be placed on any web page on Earth.

Today I’m talking specifically about what command is to be associated with any “PoSH” URIs. One thing that was a big limiter here is that powershell.exe doesn’t have any way to explicitly separate code from data. Using Powershell I had to find a way to place the data (i.e. the URI) into the code so that the data is either never parsed or, if it is parsed, never executed. The way I accomplished that is to place a return statement at the end of the command, followed by a hash mark (#), followed by the URI.

powershell.exe -command "Invoke-PoshUri ([Environment]::CommandLine -replace '^.*?#{3}(.*)#{3}.*?$' , '$1'); return ###%1###"

That command makes it so that in 99.9999% of cases the URI is not even parsed by powershell. Powershell thinks that the URI is a comment. In the other 0.0001% of cases the URI may be malformed in a way that inserts a new line character into the command (yes, I managed to do that) and powershell would then begin parsing the rest of the data. However, we are still safe since powershell.exe will exit as soon as it reaches the return statement.
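To see what the regex in that command actually yields for both a clean URI and one containing a line break, here is an added example (mine, not code from the post and not the author’s Invoke-PoshUri): a function that applies the same pattern to a command line, refuses a non-match instead of passing the whole command line through, and rejects control characters, embedded marker sequences and any scheme other than the assumed ‘posh’ scheme. The function name, the ‘posh’ scheme and the sample command lines are assumptions.

```powershell
# Hypothetical helper: extract and validate the URI embedded after the "###" markers.
function Get-PoshUriFromCommandLine {
    param(
        [Parameter(Mandatory = $true)] [string] $CommandLine,
        # Scheme this handler is registered for; 'posh' is an assumption.
        [string] $Scheme = 'posh'
    )

    # Same pattern as the registry command. Without the Singleline option '.'
    # does not match a newline, so a line break inside the URI makes the whole
    # pattern fail; -replace would then return the entire command line unchanged.
    $pattern = '^.*?#{3}(.*)#{3}.*?$'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) {
        throw 'URI markers not found in command line'
    }
    $uri = $m.Groups[1].Value

    # Reject anything that cannot be a single well-formed URI.
    if ($uri -match '[\x00-\x1f\x7f]') { throw 'control character in URI' }
    if ($uri -match '#{3}')            { throw 'marker sequence inside URI' }

    $parsed = $null
    if (-not [System.Uri]::TryCreate($uri, [System.UriKind]::Absolute, [ref] $parsed)) {
        throw 'not an absolute URI'
    }
    if ($parsed.Scheme -ne $Scheme) { throw "unexpected scheme '$($parsed.Scheme)'" }
    return $parsed
}

# Constructed command lines, shaped like what [Environment]::CommandLine would hold.
$clean  = 'powershell.exe -command "Invoke-PoshUri (...); return ###posh:run/hello###"'
$broken = "powershell.exe -command `"Invoke-PoshUri (...); return ###posh:a`nb###`""

Get-PoshUriFromCommandLine $clean                         # returns a [System.Uri]
try { Get-PoshUriFromCommandLine $broken } catch { "rejected: $_" }
```

The second call is rejected at the match step, which is the case where a bare -replace would have handed the entire command line to the handler as if it were the URI.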

When it comes to the Invoke-PoshUri function, you’re on your own. I have not even finished my own yet. But if you do decide to place the above command into the appropriate locations in your system registry, be careful of the behavior of the associated function. I don’t want to hear about someone’s computer going haywire because they navigated to a page that had a malformed URI hidden in a javascript file.

As an additional note: I have considered making a powershell host that doesn’t treat its command line as code. It would be a simple host that would read its command line and hand it over to some preconfigured script. That would simplify the above problem and may also have other applications. If anyone has any reasonable doubts about the security of the command shown above, or would be interested in having a powershell host like the one I just suggested, then just speak up.


~ by lunaticexperimentalist on October 8, 2008.

One Response to “POSH URI 2: The Command!”

  1. Interesting, but I think I’ll pass until we have version 2 restricted runspaces. :)
