Add 'Payload' section with 'Size' to psexec_psh

OJ · OJ · commit a93565b5d180 · 2015-05-19T22:11:29.000+10:00
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.

This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
@@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
-      'Description'    => %q{
+      'Name'             => 'Microsoft Windows Authenticated Powershell Command Execution',
+      'Description'      => %q{
           This module uses a valid administrator username and password to execute a powershell
         payload using a similar technique to the "psexec" utility provided by SysInternals. The
         payload is encoded in base64 and executed from the commandline using the -encodedcommand
@@ -31,25 +31,30 @@ def initialize(info = {})
         the window entirely.
       },
 
-      'Author'         => [
+      'Author'           => [
         'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
         'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
       ],
-      'License'        => MSF_LICENSE,
-      'Privileged'     => true,
-      'DefaultOptions' =>
+      'License'          => MSF_LICENSE,
+      'Privileged'       => true,
+      'DefaultOptions'   =>
         {
           'WfsDelay'     => 10,
-          'EXITFUNC' => 'thread'
+          'EXITFUNC'     => 'thread'
         },
-      'Platform'       => 'win',
-      'Targets'        =>
+      'Payload'          =>
+        {
+          'Space'        => 2048,
+          'DisableNops'  => true
+        },
+      'Platform'         => 'win',
+      'Targets'          =>
         [
           [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
         ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Jan 01 1999',
-      'References'     => [
+      'DefaultTarget'    => 0,
+      'DisclosureDate'   => 'Jan 01 1999',
+      'References'       => [
         [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
         [ 'OSVDB', '3106'],
         [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
