* Add a random sentinel to close channel when terminates
* Replace spaces with tabs to be consistent
* Remove unnecessary escaped quotes and use include? instead of regex
- Powershell script was outdated.
Updated from https://www.exploit-db.com/exploits/39719
- Powershell script was buggy when current directory
was set to e.g. C:\ProgramData. (Get-Item Error)
Fixed.
- Stager was being dropped to current directory, but
it is not guaranteed that we always have permission
to write a file there. Use %TEMP% instead.
- Exploit only seems to work when executed under
a powershell of the same architecture as the
host. (Not WOW64)
This module now ensures that no matter the
architecture of the meterpreter, a powershell
of the same architecture as the host is being
run. (Using Sysnative directory when on WOW64)
- Stager was broken, now generating stager with Rex
and dropping stager as `.ps1` instead of `.txt`.
Ideally the exploit should be rewritten to
accept a shellcode payload directly or a smaller
stager powershell should be created so that it
fits in under 1024 bytes and can be fed directly
to CreateProcessWithLogonW without dropping to
disk.
MS16-032 ps1 moved to external file. This ps1 will now detect windir
to find cmd.exe. The module now also detects windir to find
powershell.exe. The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
is now standard. The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
cdelafuente-r7