PolyShell is a script that’s simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot).
[Wayback/Archive] llamasoft/polyshell: A Bash/Batch/PowerShell polyglot!
Need to check this out, as often I have scripts that have to go from one language to the other or vice versa.
Maybe it enables one language to bootstrap functionality in the other?
The quest
The above polyglot started with a quest to see if I can could include some PowerShell statements in a batch file with two goals:
- if the batch file started from the PowerShell command prompt, then execute the PowerShell code
- if the batch file started from the
cmd.execommand prompt, then have it start PowerShell with the same command-line arguments
The reasoning is simple:
- PowerShell scripts will start from the PATH only when PowerShell is already running
- Batch files start from the path when either
cmd.exeor PowerShell are running
Lots of users still live in the cmd.exe world, but PowerShell scripts are way more powerful, and since PowerShell is integrated in Windows since version 7, so having a batch file bootstrap PowerShell still makes sense.
Since my guess was about quoting parameters the right way, my initial search for the link below was [Wayback/Archive] powershell execute statement from batch file quoting – Google Search.
I have dug not yet into this, so there are still…
Many links to read
These should give me a good idea how to implement a polyglot batch file/PowerShell script.
- [Wayback/Archive] powershell execute statement from batch file quoting – Google Search
- [Wayback/Archive] How to execute PowerShell commands from a batch file? – Stack Overflow was a step up into getting to the right queries and got me to:
- [Wayback/Archive] PowerShell script in a .bat file | Dmitry’s Blog: Cloud, PowerShell and beyond has convoluted solutions (encoding as base64 or into a single string), but are intriguing as these means are often used to disguise code during attacks (be it from red teams or bad guys).
- [Wayback/Archive] How to execute PowerShell commands from a batch file? – Stack Overflow was a step up into getting to the right queries and got me to:
- [Wayback/Archive] hybrid powershell batch file – Google Search
- [Wayback/Archive] How to run a PowerShell script within a Windows batch file – Stack Overflow has a first answer that does not support parameters, but does show that quoting enables the use of scripts that have spaces in their filenames (always a pain, but still important to support):
-
This one only passes the right lines to PowerShell:
dosps2.cmd:@findstr/v "^@f.*&" "%~f0"|powershell -&goto:eof Write-Output "Hello World" Write-Output "Hello some@com & again"The regular expression excludes the lines starting with@fand including an&and passes everything else to PowerShell.C:\tmp>dosps2 Hello World Hello some@com & again
but the second answer got me in the below polyglot search query
-
It sounds like you’re looking for what is sometimes called a “polyglot script”. For CMD -> PowerShell,
@@:: This prolog allows a PowerShell script to be embedded in a .CMD file. @@:: Any non-PowerShell content must be preceeded by "@@" @@setlocal @@set POWERSHELL_BAT_ARGS=%* @@if defined POWERSHELL_BAT_ARGS set POWERSHELL_BAT_ARGS=%POWERSHELL_BAT_ARGS:"=\"% @@PowerShell -Command Invoke-Expression $('$args=@(^&{$args} %POWERSHELL_BAT_ARGS%);'+[String]::Join([char]10,$((Get-Content '%~f0') -notmatch '^^@@'))) & goto :EOFIf you don’t need to support quoted arguments, you can even make it a one-liner:@PowerShell -Command Invoke-Expression $('$args=@(^&{$args} %*);'+[String]::Join([char]10,(Get-Content '%~f0') -notmatch '^^@PowerShell.*EOF$')) & goto :EOFTaken from http://blogs.msdn.com/jaybaz_ms/archive/2007/04/26/powershell-polyglot.aspx. That was PowerShell v1; it may be simpler in v2, but I haven’t looked.
-
- [Wayback/Archive] PowerShell polyglot | Microsoft Docs
- [Wayback/Archive] How to run a PowerShell script within a Windows batch file – Stack Overflow has a first answer that does not support parameters, but does show that quoting enables the use of scripts that have spaces in their filenames (always a pain, but still important to support):
- [Wayback/Archive] powershell polyglot – Google Search
- [Wayback/Archive] Command Line Interpreters: POSIX Shell, Cmd.exe, PowerShell – Hyperpolyglot (a great table with differences between the various command-line interpreters / scripting engines)
- [Wayback/Archive] PowerShell embedded in a batch script, AKA Polyglot script – Microsoft Tech Community (this solution looks very unreadable to me, but that might be because the listing in it is neither indented, nor syntax highlighted)
- [Wayback/Archive] PolyShell: a Bash/Batch/PowerShell polyglot template for input injection : programming
- [Wayback/Archive] Polyshell : A Bash/Batch/PowerShell Polyglot 2020 gave much insight, especially on the how:
…
There are quite a few quirks that were leveraged or had to be worked around:- All three languages have different escape characters:
- Bash: backslash (
\) - Batch: caret (
^) - PowerShell: backtick (
`)
- Bash: backslash (
- Escape characters work inside Bash and PowerShell strings, but not batch strings.
- Redirects (i.e.
<and>) have special meaning in all three languages unless quoted. - Redirects don’t have to be at the end of a command.
- This is valid Bash/Batch/PowerShell:
echo >output.txt "Hello World"
- This is valid Bash/Batch/PowerShell:
- Batch is the only language without multi-line strings or comments.
- Batch treats
>as a redirect even when it directly touches a string, but PowerShell doesn’t. - Batch script
GOTOstatements only work when run as a script, not when run interactively. - PowerShell’s multi-line comment (
<#) must be immediately preceded by whitespace. - Bash’s here documents may begin anywhere so long as it’s unquoted and not a comment.
…
It also pointed me to the above repository on GitHub, so lets include it here as well:
- All three languages have different escape characters:
- [Wayback/Archive] Polyshell : A Bash/Batch/PowerShell Polyglot 2020 gave much insight, especially on the how:
- [Wayback/Archive] koma-private/Polyglots: PowerShell scripts encapsulated into batch files
I had a short play around with it from a
cmd.exeprompt, and it hides that prompt after finishing. Need to figure out why, and if it can be prevented or undone.The culprit is the below call in [Wayback/Archive] Polyglots/PSWrapper.cmd at master · koma-private/Polyglots · GitHub:hideWindow $script:cmdPid # Prevent user from closing command prompt - [Wayback/Archive] windows – Strange redirect in Batch/Powershell polyglot – Stack Overflow basically asks all the questions I have (how does a polyglot actually work?)
- [Wayback/Archive] Powerglot – encodes offensive powershell scripts using polyglots
- [Wayback/Archive] mindcrypt/powerglot: Powerglot encodes offensive powershell scripts using polyglots . Offensive security tool useful for stego-malware, privilege escalation, lateral movement, reverse shell, etc.
Powerglot encodes several kind of scripts using polyglots, for example, offensive powershell scripts. It is not needed a loader to run the payload.
It basically is a Python script that allows you to generate a polyglot from multiple separate scripts.
- [Wayback/Archive] mindcrypt/powerglot: Powerglot encodes offensive powershell scripts using polyglots . Offensive security tool useful for stego-malware, privilege escalation, lateral movement, reverse shell, etc.
- [Wayback/Archive] Powerglot – encodes offensive powershell scripts using polyglots
- [Wayback/Archive] powershell batch polyglot – Google Search (still need to check out the results there if I bump into issues creating one myself)
- [Wayback/Archive] powershell batch hybrid – Google Search
- [Wayback/Archive] powershell batch hybrid iex – Google Search (to see if some part of the script could be automatically downloaded by
iex, aka [Wayback/Archive] Invoke-Expression (Microsoft.PowerShell.Utility) – PowerShell | Microsoft Docs) - [Wayback/Archive] How to enable execution of PowerShell scripts? – Super User
- [Wayback/Archive] command line – Set up PowerShell Script for Automatic Execution – Stack Overflow
- [Wayback/Archive] PowerShell polyglot – jaybaz [MS] WebLog – Site Home – MSDN Blogs, which does not exist any more, but this does:
- [Wayback/Archive] Wrapping some other scripting language inside a batch file – The Old New Thing showing how to do polyglot with Batch Files and either Perl or JavaScript.
- [Wayback/Archive] PowerShell polyglot – jaybaz [MS] WebLog – Site Home – MSDN Blogs, which does not exist any more, but this does:
- [Wayback/Archive] command line – Set up PowerShell Script for Automatic Execution – Stack Overflow
–jeroen
The Wiert Corner - irregular stream of stuff 