CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/encoders/cmd/perl.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder6Rank = NormalRanking78def initialize9super(10'Name' => 'Perl Command Encoder',11'Description' => %q{12This encoder uses perl to avoid commonly restricted characters.13},14'Author' => 'hdm',15'Arch' => ARCH_CMD,16'Platform' => %w[ linux unix ],17'EncoderType' => Msf::Encoder::Type::CmdPosixPerl)18end192021#22# Encodes the payload23#24def encode_block(state, buf)2526# Skip encoding for empty badchars27if state.badchars.length == 028return buf29end3031if state.badchars.include?("-")32raise EncodingError33else34buf = encode_block_perl(state,buf)35end3637return buf38end3940#41# Uses the perl command to hex encode the command string42#43def encode_block_perl(state, buf)4445hex = buf.unpack("H*").join46cmd = 'perl -e '47qot = ',-:.=+!@#$%^&'4849# Convert spaces to IFS...50if state.badchars.include?(" ")51if state.badchars.match(/[${IFS}]/n)52raise EncodingError53end54cmd.gsub!(/\s/, '${IFS}')55end5657# Can we use single quotes to enclose the command string?58if state.badchars.include?("'")59if (state.badchars.match(/[()\\]/))60cmd << perl_e(state, qot, hex)61else62# Without quotes, we can use backslash to escape parens so the63# shell doesn't try to interpreter them.64cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"65end66else67# Quotes are ok, but we still need parens or spaces68if (state.badchars.match(/[()]/n))69if state.badchars.include?(" ")70cmd << perl_e(state, qot, hex)71else72cmd << "'system pack #{perl_qq(state, qot, hex)}'"73end74else75cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"76end77end7879return cmd80end8182def perl_e(state, qot, hex)83# We don't have parens, quotes, or backslashes so we have to use84# barewords on the commandline for the argument to the pack85# function. As a consequence, we can't use things that the shell86# would interpret, so $ and & become badchars.87qot.delete("$")88qot.delete("&")8990# Perl chains -e with newlines, but doesn't automatically add91# semicolons, so the following will result in the interpreter92# seeing a file like this:93# system94# pack95# qq^H*^,qq^whatever^96# Since system and pack require arguments (rather than assuming97# $_ when no args are given like many other perl functions),98# this works out to do what we need.99cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"100if state.badchars.include?(" ")101# We already tested above to make sure that these chars are ok102# if space isn't.103cmd.gsub!(" ", "${IFS}")104end105106cmd107end108109def perl_qq(state, qot, hex)110111# Find a quoting character to use112state.badchars.unpack('C*') { |c| qot.delete(c.chr) }113114# Throw an error if we ran out of quotes115raise EncodingError if qot.length == 0116117sep = qot[0].chr118# Use an explicit length for the H specifier instead of just "H*"119# in case * is a badchar for the module, and for the case where this120# ends up unquoted so the shell doesn't try to expand a path.121"qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"122end123end124125126