CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/cmd/echo.rb
Views: 11779
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Encoder

7
  Rank = GoodRanking

8


9
  def initialize

10
    super(

11
      'Name'             => 'Echo Command Encoder',

12
      'Description'      => %q{

13
        This encoder uses echo and backlash escapes to avoid commonly restricted characters.

14
      },

15
      'Author'           => 'hdm',

16
      'Arch'             => ARCH_CMD,

17
      'Platform'         => %w[ linux unix ],

18
      'EncoderType'      => Msf::Encoder::Type::CmdPosixEcho)

19
  end

20


21


22
  #

23
  # Encodes the payload

24
  #

25
  def encode_block(state, buf)

26
    # Skip encoding for empty badchars

27
    if state.badchars.length == 0

28
      return buf

29
    end

30


31
    if state.badchars.include?("-")

32
      raise EncodingError

33
    else

34
      # Without an escape character we can't escape anything, so echo

35
      # won't work.

36
      if state.badchars.include?("\\")

37
        raise EncodingError

38
      else

39
        buf = encode_block_bash_echo(state,buf)

40
      end

41
    end

42


43
    return buf

44
  end

45


46
  #

47
  # Uses bash's echo -ne command to hex encode the command string

48
  #

49
  def encode_block_bash_echo(state, buf)

50


51
    hex = ''

52


53
    # Can we use single quotes to enclose the echo arguments?

54
    if state.badchars.include?("'")

55
      hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join

56
    else

57
      hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'"

58
    end

59


60
    # Are pipe characters restricted?

61
    if state.badchars.include?("|")

62
      # How about backticks?

63
      if state.badchars.include?("`")

64
        # Last ditch effort, dollar paren

65
        if state.badchars.include?("$") or state.badchars.include?("(")

66
          raise EncodingError

67
        else

68
          buf = "$(/bin/echo -ne #{hex})"

69
        end

70
      else

71
        buf = "`/bin/echo -ne #{hex}`"

72
      end

73
    else

74
      buf = "/bin/echo -ne #{hex}|sh"

75
    end

76


77
    # Remove spaces from the command string

78
    if state.badchars.include?(" ")

79
      buf.gsub!(/\s/, '${IFS}')

80
    end

81


82
    return buf

83
  end

84
end

85


86