Psexec via PSH related fixes

RageLtMan · RageLtMan · commit 1a3fe02db1ea · 2017-07-16T05:48:11.000-04:00
Implement removal of comspec and use of the noninteractive option in powershell payloads. This is the Msf side of #6 for rex-powershell. Testing: In-house testing on 2016 standard edition and win10, 201707 revs.
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
@@ -14,6 +14,8 @@ def initialize(info = {})
         OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
         OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
         OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
+        OptBool.new('Powershell::remove_comspec', [true, 'Produce script calling powershell directly', false]),
+        OptBool.new('Powershell::noninteractive', [true, 'Execute powershell without interaction', true]),
         OptBool.new('Powershell::encode_final_payload', [true, 'Encode final payload for -EncodedCommand', false]),
         OptBool.new('Powershell::encode_inner_payload', [true, 'Encode inner payload for -EncodedCommand', false]),
         OptBool.new('Powershell::use_single_quotes', [true, 'Wraps the -Command argument in single quotes', false]),
@@ -220,9 +222,8 @@ def run_hidden_psh(ps_code, payload_arch, encoded)
   #
   # @return [String] Powershell command line with payload
   def cmd_psh_payload(pay, payload_arch, opts = {})
-    options.validate(datastore)
-
-    %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload use_single_quotes no_equals method].map do |opt|
+    %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload
+    remove_comspec noninteractive use_single_quotes no_equals method].map do |opt|
       opts[opt] ||= datastore["Powershell::#{opt}"]
     end
 
