Path: blob/master/modules/encoders/generic/eicar.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Encoder that discards whatever payload it is handed and emits the EICAR
# anti-virus test string in its place. The output is a detection test
# marker, never a working payload, which makes the module a way to check
# that content-aware inspection (firewall, proxy, IDS, IPS, AV) on the path
# actually raises an alert.
class MetasploitModule < Msf::Encoder

  # Ranked ManualRanking on purpose: the encoded result is always the EICAR
  # string, so using this encoder certainly destroys any possibility of a
  # successful shell.
  Rank = ManualRanking

  # Registers the module metadata (name, description, author, license,
  # architecture and encoder type) with the parent encoder class.
  def initialize
    super(
      'Name' => 'The EICAR Encoder',
      'Description' => %q{
        This encoder merely replaces the given payload with the EICAR test string.
        Note, this is sure to ruin your payload.

        Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
        standards should alert and do what it would normally do when malware is
        transmitted across the wire.
      },
      'Author' => 'todb',
      'License' => MSF_LICENSE,
      'Arch' => ARCH_ALL,
      'EncoderType' => Msf::Encoder::Type::Unspecified
    )
  end

  # Assembles the EICAR test string at call time.
  #
  # The string is deliberately not written out verbatim: it is stored as
  # lower-case fragments and only upper-cased and joined here, so that local
  # antivirus does not flag this source file itself.
  #
  # @return [String] the fragments upper-cased and joined with '-'
  def eicar_test_string
    fragments = [
      'x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar',
      'standard',
      'antivirus',
      'test',
      'file!$h+h*'
    ]
    fragments.map(&:upcase).join('-')
  end

  # TODO: add an option to merely prepend and not delete, using
  # prepend_buf. Now, technically, EICAR should be all by itself
  # and not part of a larger whole. Problem is, OptBool is
  # acting funny here as an encoder option.
  #
  # Returns the EICAR test string for every block. Both arguments are
  # ignored, so nothing of the original buffer survives encoding.
  #
  # @param _state unused
  # @param _buf unused; the incoming payload bytes are dropped
  # @return [String] the EICAR test string
  def encode_block(_state, _buf)
    eicar_test_string
  end
end