Land rapid7#1840, fix exe-small modifying payload

Calls to `EXE.to_win32pe_old` would modify the payload in place,
potentially causing trouble if it is used after being turned into an
executable (which doesn't usually happen in exploits, which is probably
why no one noticed til now).

Author: egypt

lib/msf/util/exe.rb

@@ -402,6 +402,7 @@ def self.to_win32pe_only(framework, code, opts={})
 
 	def self.to_win32pe_old(framework, code, opts={})
 
+		payload = code.dup
 		# Allow the user to specify their own EXE template
 		set_template_default(opts, "template_x86_windows_old.exe")
 
@@ -410,17 +411,17 @@ def self.to_win32pe_old(framework, code, opts={})
 			pe = fd.read(fd.stat.size)
 		}
 
-		if(code.length < 2048)
-			code << Rex::Text.rand_text(2048-code.length)
+		if(payload.length < 2048)
+			payload << Rex::Text.rand_text(2048-payload.length)
 		end
 
-		if(code.length > 2048)
+		if(payload.length > 2048)
 			raise RuntimeError, "The EXE generator now has a max size of 2048 bytes, please fix the calling module"
 		end
 
 		bo = pe.index('PAYLOAD:')
 		raise RuntimeError, "Invalid Win32 PE OLD EXE template: missing \"PAYLOAD:\" tag" if not bo
-		pe[bo, code.length] = code
+		pe[bo, payload.length] = payload
 
 		pe[136, 4] = [rand(0x100000000)].pack('V')
 

msfvenom

@@ -376,7 +376,6 @@ if opts[:encode]
 			if not opts[:iterations]
 				opts[:iterations] = 1
 			end
-			#puts opts[:badchars].inspect
 
 			1.upto(opts[:iterations].to_i) do |iteration|
 					begin
@@ -400,7 +399,7 @@ if opts[:encode]
 					end
 			end
 			next if skip
-			exe = Msf::Util::EXE.to_executable_fmt($framework, opts[:arch], opts[:platform], payload_raw, opts[:format], exeopts)
+
 		rescue ::Errno::ENOENT, ::Errno::EINVAL
 			print_error("#{enc.refname} failed: #{$!}")
 			break