GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/encoders/generic/eicar.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder

  # Set to ManualRanking because actually using this encoder will
  # certainly destroy any possibility of a successful shell.
  #
  Rank = ManualRanking

  def initialize
    super(
      'Name' => 'The EICAR Encoder',
      'Description' => %q{
        This encoder merely replaces the given payload with the EICAR test string.
        Note, this is sure to ruin your payload.

        Any content-aware firewall, proxy, IDS, or IPS that follows anti-virus
        standards should alert and do what it would normally do when malware is
        transmitted across the wire.
      },
      'Author' => 'todb',
      'License' => MSF_LICENSE,
      'Arch' => ARCH_ALL,
      'EncoderType' => Msf::Encoder::Type::Unspecified)
  end

  # Avoid stating the string directly, don't want to get caught by local
  # antivirus!
  def eicar_test_string
    obfus_eicar = ['x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar', 'standard', 'antivirus', 'test', 'file!$h+h*']
    obfus_eicar.join('-').upcase
  end

  # TODO: add an option to merely prepend and not delete, using
  # prepend_buf. Now, technically, EICAR should be all by itself
  # and not part of a larger whole. Problem is, OptBool is
  # acting funny here as an encoder option.
  #
  def encode_block(_state, _buf)
    eicar_test_string
  end
end
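The TODO above notes that EICAR is meant to stand alone rather than sit inside a larger buffer, which matters when validating whether a firewall, proxy, IDS or IPS should have alerted on a given transfer. The following Ruby check is an added example, not part of the Metasploit module: it classifies a captured buffer as a stand-alone test file, an embedded copy, or absent. The name `classify_eicar`, the constants, and the stand-alone rule (string at offset 0, at most 128 bytes in total, only whitespace or Ctrl-Z after it) are assumptions drawn from the EICAR test-file convention, not from this page.

```ruby
# Assembled from parts, as the module does, so this file is not flagged
# by local antivirus.
def eicar_test_string
  ['x5o!p%@ap[4\\pzx54(p^)7cc)7}$eicar', 'standard', 'antivirus', 'test', 'file!$h+h*']
    .join('-').upcase
end

# Assumed limits from the EICAR test-file convention (not stated on this page).
EICAR_LEN = 68                                    # length of the test string
EICAR_MAX_FILE_LEN = 128                          # string plus trailing bytes
EICAR_TRAILING_OK = [0x20, 0x09, 0x0a, 0x0d, 0x1a].freeze # space, tab, LF, CR, Ctrl-Z

# Hypothetical helper: classify a captured payload or file body.
#   :conformant - stand-alone test file; a scanner is expected to alert
#   :embedded   - string present but inside a larger whole; a missing alert
#                 here is not by itself a sensor failure
#   :absent     - string not present
def classify_eicar(buf)
  data = buf.b                                    # compare as raw bytes
  idx = data.index(eicar_test_string.b)
  return :absent if idx.nil?

  tail = data.byteslice(EICAR_LEN, data.bytesize) || ''
  standalone = idx.zero? &&
               data.bytesize <= EICAR_MAX_FILE_LEN &&
               tail.bytes.all? { |b| EICAR_TRAILING_OK.include?(b) }
  standalone ? :conformant : :embedded
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample buffers, not captured traffic.
  samples = {
    'replaced payload (what encode_block returns)' => eicar_test_string,
    'with trailing CRLF' => eicar_test_string + "\r\n",
    'prepended to other bytes (the TODO case)' => eicar_test_string + 'AAAA',
    'unrelated payload' => 'hello'
  }
  samples.each { |label, buf| puts "#{label}: #{classify_eicar(buf)}" }
end
```
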