Import Powershell::exec_in_place

Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.

Author: RageLtMan

lib/msf/core/exploit/powershell.rb

@@ -13,6 +13,7 @@ def initialize(info = {})
         OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
         OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
         OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
+        OptBool.new('Powershell::exec_in_place', [true, 'Produce PSH without executable wrapper', false]),
         OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w(net reflection old msil)]),
       ], self.class)
   end
@@ -190,6 +191,7 @@ def cmd_psh_payload(pay, payload_arch, opts = {})
     opts[:persist] ||= datastore['Powershell::persist']
     opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']
     opts[:method] ||= datastore['Powershell::method']
+    opts[:exec_in_place] ||= datastore['Powershell::exec_in_place']
 
     unless opts.key? :shorten
       opts[:shorten] = (datastore['Powershell::method'] != 'old')

modules/exploits/multi/script/web_delivery.rb

@@ -71,7 +71,7 @@ def on_request_uri(cli, _request)
       data = cmd_psh_payload(payload.encoded,
                              payload_instance.arch.first,
                              remove_comspec: true,
-                             use_single_quotes: true
+                             exec_in_place: true
                            )
     else
       data = %Q(#{payload.encoded} )