I have finally gotten around to adding version 2.2 of the Social-Engineer Toolkit (SET). After several months of working on it, it's finally here! This release includes the cool new attack vector by Matthew Graeber that leverages PowerShell to load shellcode directly into memory. I've added this attack to the Teensy HID attack vector within SET. I've also rewritten the Java Applet to automatically grab a Metasploit payload, put it in the right format, unicode it, base64 encode it, and then embed it in a parameter that gets pulled from the Java Applet.
This deploys the payload straight into memory through PowerShell and never touches the disk. Ever. I have to say that this is somewhat experimental; you can turn it on and test it through config/set_config. There's a new config option:
# THIS WILL ENABLE THE POWERSHELL SHELLCODE INJECTION TECHNIQUE WITH EACH JAVA APPLET. IT WILL BE
# USED AS A SECOND FORM IN CASE THE FIRST METHOD FAILS. PLEASE NOTE THAT THIS IS EXTREMELY EXPERIMENTAL AT
# THIS POINT. IT IS NOT 100 PERCENT WORKING YET.
POWERSHELL_INJECTION=OFF
I've noticed some potential instabilities that I'm working through, but I need the community to test it. The Java Applet first detects whether PowerShell is installed; if it is, the applet injects the payload straight into memory instead of deploying the normal Meterpreter-based executable. PowerShell is installed by default on Windows Vista and Windows 7.
Along with that change, I have decided not to release the legitimately signed Java Applet. The default unsigned applet is still included in SET. This release also makes the Java Applet much more stable with respect to the Java Repeater and the deployment of shellcodeexec.
For full details:
http://www.secmaniac.com/blog/2011/10/26/the-social-engineer-toolkit-v2-2-codename-son-of-flynn-has-been-released/