Polyshell : A Bash/Batch/PowerShell Polyglot

PolyShell is a script that’s simultaneously valid in Bash, Windows Batch, and PowerShell. This makes PolyShell a useful template for penetration testing as it can be executed on most systems without the need for target-specific payloads.

It is also specifically designed to be deliverable via input injection using a USB Rubby Ducky, MalDuino, or similar device.

Also Read – SSF : Secure Socket Funneling Network Tool

How To Use It?

  • As a stand-alone script
  1. Copy/rename the script so it has the correct file extension (.sh, .bat, or .ps1).
  2. Run the script with a Unix shell, as a batch file, or with PowerShell.

  • Using input injection
  1. Open a terminal on the target machine.
  2. Run the payload.
  3. Press Ctrl-C, then run exit.

The input injection method will behave slightly differently than the script method. When run as a script, the payload will exit immediately once a language has been processed. When delivered via injection, the payload runs a read loop instead. Without it, the payload would close the terminal window but continue typing into an unknown window instead. The Ctrl-C breaks the script out of the read loop, allowing it run without unintended side-effects.

Additionally, pasting the script into a terminal might fail. Once the script reaches the read loop, some terminals will treat the remaining pasted text as the read loop’s input (good), but others may continue executing the script when the read loop exits (bad).

How It Works?

The main trick is to get each other language to “look away” when we want to run code specific to only one of them. This is accomplished by exploiting language quirks surrounding quoting, redirection, and comments.
Consider the following line:

echo \” <<‘BATCH_SCRIPT’ >/dev/null “>NUL “\” `” <#”

Each language sees the echo command, but will interpret the rest of the line differently.
For example, this is what each language will interpret as a string:

      echo \" <<'BATCH_SCRIPT' >/dev/null ">NUL "\" \`" <#"
Bash                                      [-----]     [---]
Batch       [-----------------------------]     [-]   [---]
PS          [-----------------------------]     [-]

After executing the line, the bash script will be in a here document, PowerShell script will be in a multiline-comment, and the batch script will continue executing normally. After each language is done executing, we terminate it. This prevents us from needing to work around its quirks later in the script.

Quirks

Obviously, the tricks required to make this polyglot doesn’t follow normal coding conventions.
There are quite a few quirks that were leveraged or had to be worked around:

  • All three languages have different escape characters:
    • Bash: backslash (\)
    • Batch: caret (^)
    • PowerShell: backtick (`)
  • Escape characters work inside Bash and PowerShell strings, but not batch strings.
  • Redirects (i.e. < and >) have special meaning in all three languages unless quoted.
  • Redirects don’t have to be at the end of a command.
    • This is valid Bash/Batch/PowerShell: echo >output.txt "Hello World"
  • Batch is the only language without multi-line strings or comments.
  • Batch treats > as a redirect even when it directly touches a string, but PowerShell doesn’t.
  • Batch script GOTO statements only work when run as a script, not when run interactively.
  • PowerShell’s multi-line comment (<#) must be immediately preceded by whitespace.
  • Bash’s here documents may begin anywhere so long as it’s unquoted and not a comment.
R K

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

14 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

14 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

14 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

14 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

15 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

17 hours ago