Land #18021, Fix #cd for Powershell Sessions

lib/msf/core/exploit/remote/smb/client/psexec.rb

@@ -241,7 +241,7 @@ def execute_command_payload(smbshare)
 
   def execute_command(text, bat, cmd)
     # Try and execute the provided command
-    cmd = cmd.gsub('&', '^&')
+    cmd = Msf::Post::Windows.escape_cmd_literal(cmd, spaces: false)
     execute = "%COMSPEC% /C echo #{cmd} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
     vprint_status("Executing the command: #{execute}")
     begin

lib/msf/core/post/file.rb

@@ -49,7 +49,7 @@ def cd(path)
     if session.type == 'meterpreter'
       session.fs.dir.chdir(e_path)
     elsif session.type == 'powershell'
-      cmd_exec("Set-Location -Path \"#{e_path}\"")
+      cmd_exec("Set-Location -Path \"#{e_path}\";[System.IO.Directory]::SetCurrentDirectory($(Get-Location))")
     else
       session.shell_command_token("cd \"#{e_path}\"")
     end

lib/msf/core/post/windows.rb

@@ -1,4 +1,18 @@
 # -*- coding: binary -*-
 
 module Msf::Post::Windows
+  # Escape a string literal value to be included as an argument to cmd.exe. The escaped value *should not* be placed
+  # within double quotes as this will alter now it is evaluated (e.g. `echo "^"((^&test) Foo^""` is different than
+  # `echo ^"((^&test) Foo^"`.
+  #
+  # @param [String] string The string to escape for use with cmd.exe.
+  # @param [Boolean] spaces Whether or not to escape spaces. If the string is being passed to echo, set this to false
+  #   otherwise if it's an argument, set it to true.
+  # @return [String] The escaped string.
+  def self.escape_cmd_literal(string, spaces:)
+    string = string.dup
+    %w[ ^ & < > | " ].each { |char| string.gsub!(char, "^#{char}") }
+    string.gsub!(' ', '" "') if spaces
+    string
+  end
 end