Path: blob/master/modules/encoders/cmd/base64.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder6Rank = GoodRanking78BASE64_BYTES = [9'A'.ord...'Z'.ord,10'a'.ord...'z'.ord,11'0'.ord...'9'.ord12].map(&:to_a).flatten + '+/='.bytes1314def initialize15super(16'Name' => 'Base64 Command Encoder',17'Description' => %q{18This encoder uses base64 encoding to avoid bad characters.19},20'Author' => 'Spencer McIntyre',21'Arch' => ARCH_CMD,22'Platform' => %w[bsd bsdi linux osx solaris unix],23'EncoderType' => Msf::Encoder::Type::CmdPosixBase64)2425register_advanced_options(26[27OptString.new('Base64Decoder', [ false, 'The binary to use for base64 decoding', '', %w[base64 base64-long base64-short openssl] ])28]29)30end3132#33# Encodes the payload34# All unnecessary spaces from your payload inside the () are removed to avoid shell POSIX command lauguage conflicts35# The only things allowed after compound commands are redirections, shell keywords, and the various command separators36# such as (;, &, |, &&, ||)37#38def encode_block(state, buf)39return buf if (buf.bytes & state.badchars.bytes).empty?4041raise EncodingError if (state.badchars.bytes & BASE64_BYTES).any?42raise EncodingError if state.badchars.include?('-')4344ifs_encode_spaces = state.badchars.include?(' ')45raise EncodingError if ifs_encode_spaces && (state.badchars.bytes & '${}'.bytes).any?4647base64_buf = Base64.strict_encode64(buf)48case datastore['Base64Decoder']49when 'base64'50raise EncodingError if (state.badchars.bytes & '(|)'.bytes).any?5152base64_decoder = '(base64 --decode||base64 -d)'53when 'base64-long'54base64_decoder = 'base64 --decode'55when 'base64-short'56base64_decoder = 'base64 -d'57when 'openssl'58base64_decoder = 'openssl enc -base64 -d'59else60# find a decoder at runtime if we can use the necessary characters61if (state.badchars.bytes & '(|)>/&'.bytes).empty?62base64_decoder = '((command -v base64>/dev/null&&(base64 --decode||base64 -d))||(command -v openssl>/dev/null&&openssl enc -base64 -d))'63elsif (state.badchars.bytes & '(|)'.bytes).empty?64base64_decoder = '(base64 --decode||base64 -d)'65else66base64_decoder = 'openssl enc -base64 -d'67end68end6970if (state.badchars.bytes & '|'.bytes).empty?71buf = "echo #{base64_buf}|#{base64_decoder}|sh"72elsif (state.badchars.bytes & '<()'.bytes).empty?73buf = "sh < <(#{base64_decoder} < <(echo #{base64_buf}))"74elsif (state.badchars.bytes & '<`\''.bytes).empty?75buf = "sh<<<`#{base64_decoder}<<<'#{base64_buf}'`"76else77raise EncodingError78end7980buf = buf.gsub(/ +/, '${IFS}') if ifs_encode_spaces81buf82end83end848586