##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
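class MetasploitModule < Msf::Encoder
  Rank = GoodRanking

  # Every byte a strict base64 string can contain: the RFC 4648 alphabet plus
  # the '=' pad. The ranges must be inclusive (`..`); an exclusive `...` range
  # drops 'Z', 'z' and '9', and a badchar set containing one of those would then
  # pass the pre-check below while the emitted base64 text could still hold it.
  BASE64_BYTES = (
    ('A'.ord..'Z'.ord).to_a +
    ('a'.ord..'z'.ord).to_a +
    ('0'.ord..'9'.ord).to_a +
    '+/='.bytes
  ).freeze

  def initialize
    super(
      'Name' => 'Base64 Command Encoder',
      'Description' => %q{
        This encoder uses base64 encoding to avoid bad characters.
      },
      'Author' => 'Spencer McIntyre',
      'Arch' => ARCH_CMD,
      'Platform' => %w[bsd bsdi linux osx solaris unix],
      'EncoderType' => Msf::Encoder::Type::CmdPosixBase64)

    register_advanced_options(
      [
        OptString.new('Base64Decoder', [ false, 'The binary to use for base64 decoding', '', %w[base64 base64-long base64-short openssl] ])
      ]
    )
  end

  #
  # Encodes the payload
  #
  # All unnecessary spaces from your payload inside the () are removed to avoid
  # shell POSIX command language conflicts. The only things allowed after
  # compound commands are redirections, shell keywords, and the various command
  # separators such as (;, &, |, &&, ||).
  #
  # @param state [Msf::EncoderState] encoder state; only +badchars+ is read
  # @param buf [String] the raw command to encode
  # @return [String] +buf+ unchanged when it already avoids every bad character,
  #   otherwise a shell command that decodes and runs it
  # @raise [EncodingError] when the bad character set rules out every wrapper
  #
  def encode_block(state, buf)
    badchars = state.badchars.bytes
    return buf if (buf.bytes & badchars).empty?

    # The base64 alphabet and the '-' in every decoder's flags are unavoidable
    # in the output, so refuse early instead of emitting a forbidden byte.
    raise EncodingError if (badchars & BASE64_BYTES).any?
    raise EncodingError if state.badchars.include?('-')

    # Spaces are rewritten to ${IFS}, which in turn needs '$', '{' and '}'.
    ifs_encode_spaces = state.badchars.include?(' ')
    raise EncodingError if ifs_encode_spaces && (badchars & '${}'.bytes).any?

    base64_buf = Base64.strict_encode64(buf)
    decoder = base64_decoder_command(badchars)
    encoded = wrap_base64_decoder(badchars, base64_buf, decoder)

    encoded = encoded.gsub(/ +/, '${IFS}') if ifs_encode_spaces
    encoded
  end

  private

  # Picks the command that turns base64 text on stdin back into the payload,
  # honouring the Base64Decoder advanced option when it is set.
  #
  # @param badchars [Array<Integer>] bytes that must not appear in the output
  # @return [String] the decoder command
  # @raise [EncodingError] when the explicitly requested 'base64' wrapper needs
  #   '(', '|' or ')' and one of them is forbidden
  def base64_decoder_command(badchars)
    case datastore['Base64Decoder']
    when 'base64'
      raise EncodingError if (badchars & '(|)'.bytes).any?

      '(base64 --decode||base64 -d)'
    when 'base64-long'
      'base64 --decode'
    when 'base64-short'
      'base64 -d'
    when 'openssl'
      'openssl enc -base64 -d'
    else
      # No decoder requested: probe for one at runtime when the characters that
      # probe needs are allowed, otherwise fall back to a fixed command.
      if (badchars & '(|)>/&'.bytes).empty?
        '((command -v base64>/dev/null&&(base64 --decode||base64 -d))||(command -v openssl>/dev/null&&openssl enc -base64 -d))'
      elsif (badchars & '(|)'.bytes).empty?
        '(base64 --decode||base64 -d)'
      else
        'openssl enc -base64 -d'
      end
    end
  end

  # Feeds +base64_buf+ through +decoder+ and the result into sh, using whichever
  # plumbing the bad character set permits: pipes first, then process
  # substitution, then here-strings with backticks.
  #
  # @param badchars [Array<Integer>] bytes that must not appear in the output
  # @param base64_buf [String] the base64-encoded payload
  # @param decoder [String] the decoder command from #base64_decoder_command
  # @return [String] the complete command line
  # @raise [EncodingError] when none of the three forms can be written
  def wrap_base64_decoder(badchars, base64_buf, decoder)
    if (badchars & '|'.bytes).empty?
      "echo #{base64_buf}|#{decoder}|sh"
    elsif (badchars & '<()'.bytes).empty?
      "sh < <(#{decoder} < <(echo #{base64_buf}))"
    elsif (badchars & '<`\''.bytes).empty?
      "sh<<<`#{decoder}<<<'#{base64_buf}'`"
    else
      raise EncodingError
    end
  end
end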