From a42e97395b7066e1255efdd24bde4da0fe90c8a4 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Sat, 8 Feb 2014 19:09:57 +0000
Subject: [PATCH] Powershell cmd encoder
---
modules/encoders/cmd/powershell_base64.rb | 54 +++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 modules/encoders/cmd/powershell_base64.rb
diff --git a/modules/encoders/cmd/powershell_base64.rb b/modules/encoders/cmd/powershell_base64.rb
new file mode 100644
index 0000000000..e32019ba23
--- /dev/null
+++ b/modules/encoders/cmd/powershell_base64.rb
@@ -0,0 +1,54 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Encoder
+ Rank = ExcellentRanking
+
+ def initialize
+ super(
+ 'Name' => 'Powershell Base64 Command Encoder',
+ 'Description' => %q{
+ This encodes the command as a base64 encoded command for powershell.
+ },
+ 'Author' => 'Ben Campbell',
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'win')
+ end
+
+
+ #
+ # Encodes the payload
+ #
+ def encode_block(state, buf)
+
+ # Skip encoding for empty badchars
+ if state.badchars.length == 0
+ return buf
+ end
+
+ if state.badchars.include? '-'
+ return buf
+ end
+
+ cmd = encode_buf(buf)
+
+ if state.badchars.include? '='
+ while cmd.include? '='
+ buf << " "
+ cmd = encode_buf(buf)
+ end
+ end
+
+ cmd
+ end
+
+ def encode_buf(buf)
+ base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c \"#{buf}\""))
+ cmd = "powershell -nop -e #{base64}"
+ end
+
+end
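Review bot: In `encode_block` the padding loop calls `buf << " "`, which appends to the caller's string in place, so the buffer passed in is changed as a side effect whenever `=` is in the badchars; working on a copy (`padded = buf.dup` before the loop, then `padded << " "` and `cmd = encode_buf(padded)`) avoids that. `encode_buf` ends on `cmd = "powershell -nop -e #{base64}"`, an assignment to a local that is never read, so the bare string expression is enough. The comment above `encode_block` should also say that the buffer is returned unchanged when the badchars are empty or contain `-`, and that only `-` and `=` are checked against the generated wrapper. For readers on the defensive side, the Description could state that the output always has the fixed form `powershell -nop -e` followed by the Base64 of the `Rex::Text.to_unicode` conversion of the wrapped command, which is the string process command-line logging will record.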