GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/encoders/cmd/echo.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder
  Rank = GoodRanking

  def initialize
    super(
      'Name' => 'Echo Command Encoder',
      'Description' => %q{
        This encoder uses echo and backslash escapes to avoid commonly restricted characters.
      },
      'Author' => 'hdm',
      'Arch' => ARCH_CMD,
      'Platform' => %w[ linux unix ],
      'EncoderType' => Msf::Encoder::Type::CmdPosixEcho)
  end

  #
  # Encodes the payload
  #
  def encode_block(state, buf)
    # Skip encoding for empty badchars
    if state.badchars.length == 0
      return buf
    end

    # The "-ne" option to echo needs a literal dash.
    if state.badchars.include?("-")
      raise EncodingError
    else
      # Without an escape character we can't escape anything, so echo
      # won't work.
      if state.badchars.include?("\\")
        raise EncodingError
      else
        buf = encode_block_bash_echo(state, buf)
      end
    end

    return buf
  end

  #
  # Uses bash's echo -ne command to hex encode the command string
  #
  def encode_block_bash_echo(state, buf)
    hex = ''

    # Can we use single quotes to enclose the echo arguments?
    if state.badchars.include?("'")
      # No quotes available: add backslashes so the escape survives shell parsing
      hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join
    else
      hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'"
    end

    # Are pipe characters restricted?
    if state.badchars.include?("|")
      # How about backticks?
      if state.badchars.include?("`")
        # Last ditch effort, dollar paren
        if state.badchars.include?("$") || state.badchars.include?("(")
          raise EncodingError
        else
          buf = "$(/bin/echo -ne #{hex})"
        end
      else
        buf = "`/bin/echo -ne #{hex}`"
      end
    else
      buf = "/bin/echo -ne #{hex}|sh"
    end

    # Remove spaces from the command string
    if state.badchars.include?(" ")
      buf.gsub!(/\s/, '${IFS}')
    end

    return buf
  end
end