Path: blob/master/modules/encoders/cmd/generic_sh.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Command (ARCH_CMD) encoder for Bourne-style shells.
#
# Every strategy below reads only `state.badchars` and rewrites the command
# string `buf`; nothing else on `state` is touched. Three sub-strategies are
# selected in encode_block based on which characters are restricted.
class MetasploitModule < Msf::Encoder

  # Has some issues, but overall it's pretty good
  Rank = ManualRanking

  def initialize
    super(
      'Name' => 'Generic Shell Variable Substitution Command Encoder',
      'Description' => %q{
        This encoder uses standard Bourne shell variable substitution
        tricks to avoid commonly restricted characters.
      },
      'Author' => 'hdm',
      'Arch' => ARCH_CMD,
      'Platform' => 'unix')
  end


  #
  # Encodes the payload
  #
  # @param state [Object] encoder state; only `state.badchars` (a String of
  #   characters that must not appear in the output) is read here
  # @param buf [String] the command string to encode
  # @return [String] the encoded command, or `buf` itself when there are no
  #   badchars or when the only transformation applied was the in-place
  #   whitespace substitution below
  # @raise [EncodingError] propagated from the helpers when no variant fits
  #   the badchar set
  def encode_block(state, buf)

    # Skip encoding for empty badchars
    if(state.badchars.length == 0)
      return buf
    end

    if (state.badchars.include?("-"))
      # Then neither of the others will work. Get rid of spaces and hope
      # for the best. This obviously won't work if the command already
      # has other badchars in it, in which case we're basically screwed.
      if (state.badchars.include?(" "))
        # NOTE: gsub! mutates the caller's `buf` in place, and /\s/ matches
        # any whitespace (tabs, newlines), not just the space character.
        buf.gsub!(/\s/, '${IFS}')
      end
    else
      # Without an escape character we can't escape anything, so echo
      # won't work. Try perl.
      if (state.badchars.include?("\\"))
        buf = encode_block_perl(state,buf)
      else
        buf = encode_block_bash_echo(state,buf)
      end
    end

    return buf
  end

  #
  # Uses the perl command to hex encode the command string
  #
  # @param state [Object] encoder state; only `state.badchars` is read
  # @param buf [String] the command string to encode
  # @return [String] a `perl -e ...` invocation that unpacks the hex string
  # @raise [EncodingError] when every candidate quoting character is
  #   restricted, or when parentheses are restricted in a combination the
  #   branches below cannot express
  def encode_block_perl(state, buf)

    # NOTE(review): String#unpack returns an Array, so `hex` is an Array
    # here; the interpolations below rely on Array#to_s, whose output
    # format depends on the Ruby version -- verify against the target Ruby.
    hex = buf.unpack("H*")
    cmd = 'perl -e '
    qot = ',-:.=+!@#$%^&'

    # Find a quoting character to use
    # NOTE(review): String#delete is non-destructive and its result is
    # discarded, so `qot` is never actually narrowed by this line; the
    # `length == 0` check below cannot fire as written.
    state.badchars.unpack('C*') { |c| qot.delete(c.chr) }

    # Throw an error if we ran out of quotes
    raise EncodingError if qot.length == 0

    # First surviving candidate becomes the qq// delimiter for perl.
    sep = qot[0].chr

    # Convert spaces to IFS...
    # (operates on the 'perl -e ' prefix only; the payload is appended later)
    if (state.badchars.include?(" "))
      cmd.gsub!(/\s/, '${IFS}')
    end

    # Can we use single quotes to enclose the command string?
    if (state.badchars.include?("'"))

      if (state.badchars.match(/\(|\)/))

        # No parenthesis...
        raise EncodingError
      end

      # Unquoted form: shell metacharacters are backslash-escaped instead.
      cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},qq#{sep}#{hex}#{sep}\\)\\)"

    else
      if (state.badchars.match(/\(|\)/))
        if (state.badchars.include?(" "))
          # No spaces allowed, no parenthesis, give up...
          raise EncodingError
        end

        # Single-quoted, parenthesis-free perl (relies on perl's optional
        # call parentheses).
        cmd << "'system pack qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}'"
      else
        cmd << "'system(pack(qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}))'"
      end
    end

    return cmd
  end

  #
  # Uses bash's echo -ne command to hex encode the command string
  #
  # @param state [Object] encoder state; only `state.badchars` is read
  # @param buf [String] the command string to encode
  # @return [String] an `/bin/echo -ne` construct that reproduces `buf`,
  #   wrapped in a pipe, backticks or `$( )` depending on the badchars
  # @raise [EncodingError] when `|`, backtick, and `$`/`(` are all restricted
  def encode_block_bash_echo(state, buf)

    hex = ''

    # Can we use single quotes to enclose the echo arguments?
    if (state.badchars.include?("'"))
      # No quotes available: each byte becomes \\\xNN so the shell leaves
      # a literal \xNN for echo -e to interpret.
      hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join
    else
      # Quoted form: each byte becomes \xNN inside single quotes.
      hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'"
    end

    # Are pipe characters restricted?
    if (state.badchars.include?("|"))
      # How about backticks?
      if (state.badchars.include?("`"))
        # Last ditch effort, dollar paren
        if (state.badchars.include?("$") or state.badchars.include?("("))
          raise EncodingError
        else
          buf = "$(/bin/echo -ne #{hex})"
        end
      else
        buf = "`/bin/echo -ne #{hex}`"
      end
    else
      buf = "/bin/echo -ne #{hex}|sh"
    end

    # Remove spaces from the command string
    # NOTE: `buf` was reassigned above, so this gsub! no longer touches the
    # caller's string; /\s/ matches any whitespace, not only spaces.
    if (state.badchars.include?(" "))
      buf.gsub!(/\s/, '${IFS}')
    end

    return buf
  end
end