2014-07-22 15:27:45 +00:00
|
|
|
##
|
2014-12-11 22:34:10 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-07-22 15:27:45 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Encoder
|
|
|
|
|
2014-10-07 15:24:32 +00:00
|
|
|
Rank = NormalRanking
|
2014-07-22 15:27:45 +00:00
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Perl Command Encoder',
|
|
|
|
'Description' => %q{
|
|
|
|
This encoder uses perl to avoid commonly restricted characters.
|
|
|
|
},
|
|
|
|
'Author' => 'hdm',
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'Platform' => 'unix',
|
2014-10-06 23:42:21 +00:00
|
|
|
'EncoderType' => Msf::Encoder::Type::CmdUnixPerl)
|
2014-07-22 15:27:45 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Encodes the payload
|
|
|
|
#
|
|
|
|
def encode_block(state, buf)
|
|
|
|
|
|
|
|
# Skip encoding for empty badchars
|
|
|
|
if state.badchars.length == 0
|
|
|
|
return buf
|
|
|
|
end
|
|
|
|
|
|
|
|
if state.badchars.include?("-")
|
2015-05-18 20:33:01 +00:00
|
|
|
raise EncodingError
|
2014-07-22 15:27:45 +00:00
|
|
|
else
|
|
|
|
buf = encode_block_perl(state,buf)
|
|
|
|
end
|
|
|
|
|
|
|
|
return buf
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Uses the perl command to hex encode the command string
|
|
|
|
#
|
|
|
|
def encode_block_perl(state, buf)
|
|
|
|
|
2014-10-07 05:16:16 +00:00
|
|
|
hex = buf.unpack("H*").join
|
2014-07-22 15:27:45 +00:00
|
|
|
cmd = 'perl -e '
|
|
|
|
qot = ',-:.=+!@#$%^&'
|
|
|
|
|
|
|
|
# Convert spaces to IFS...
|
|
|
|
if state.badchars.include?(" ")
|
2014-10-07 05:16:16 +00:00
|
|
|
if state.badchars.match(/[${IFS}]/n)
|
2015-05-18 20:33:01 +00:00
|
|
|
raise EncodingError
|
2014-10-07 05:16:16 +00:00
|
|
|
end
|
2014-07-22 15:27:45 +00:00
|
|
|
cmd.gsub!(/\s/, '${IFS}')
|
|
|
|
end
|
|
|
|
|
|
|
|
# Can we use single quotes to enclose the command string?
|
|
|
|
if state.badchars.include?("'")
|
2014-10-07 05:16:16 +00:00
|
|
|
if (state.badchars.match(/[()\\]/))
|
2014-10-07 15:21:30 +00:00
|
|
|
cmd << perl_e(state, qot, hex)
|
2014-10-07 05:16:16 +00:00
|
|
|
else
|
|
|
|
# Without quotes, we can use backslash to escape parens so the
|
|
|
|
# shell doesn't try to interpreter them.
|
|
|
|
cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"
|
2014-07-22 15:27:45 +00:00
|
|
|
end
|
|
|
|
else
|
2014-10-07 05:16:16 +00:00
|
|
|
# Quotes are ok, but we still need parens or spaces
|
|
|
|
if (state.badchars.match(/[()]/n))
|
2014-07-22 15:27:45 +00:00
|
|
|
if state.badchars.include?(" ")
|
2014-10-07 15:21:30 +00:00
|
|
|
cmd << perl_e(state, qot, hex)
|
|
|
|
else
|
|
|
|
cmd << "'system pack #{perl_qq(state, qot, hex)}'"
|
2014-07-22 15:27:45 +00:00
|
|
|
end
|
|
|
|
else
|
2014-10-07 05:16:16 +00:00
|
|
|
cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"
|
2014-07-22 15:27:45 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return cmd
|
|
|
|
end
|
|
|
|
|
2014-10-07 15:21:30 +00:00
|
|
|
def perl_e(state, qot, hex)
|
|
|
|
# We don't have parens, quotes, or backslashes so we have to use
|
|
|
|
# barewords on the commandline for the argument to the pack
|
|
|
|
# function. As a consequence, we can't use things that the shell
|
|
|
|
# would interpret, so $ and & become badchars.
|
|
|
|
qot.delete("$")
|
|
|
|
qot.delete("&")
|
|
|
|
|
|
|
|
# Perl chains -e with newlines, but doesn't automatically add
|
|
|
|
# semicolons, so the following will result in the interpreter
|
|
|
|
# seeing a file like this:
|
|
|
|
# system
|
|
|
|
# pack
|
|
|
|
# qq^H*^,qq^whatever^
|
|
|
|
# Since system and pack require arguments (rather than assuming
|
|
|
|
# $_ when no args are given like many other perl functions),
|
|
|
|
# this works out to do what we need.
|
|
|
|
cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"
|
|
|
|
if state.badchars.include?(" ")
|
|
|
|
# We already tested above to make sure that these chars are ok
|
|
|
|
# if space isn't.
|
|
|
|
cmd.gsub!(" ", "${IFS}")
|
|
|
|
end
|
|
|
|
|
|
|
|
cmd
|
|
|
|
end
|
|
|
|
|
2014-10-07 05:16:16 +00:00
|
|
|
def perl_qq(state, qot, hex)
|
|
|
|
|
|
|
|
# Find a quoting character to use
|
|
|
|
state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
|
|
|
|
|
|
|
|
# Throw an error if we ran out of quotes
|
2015-05-18 20:33:01 +00:00
|
|
|
raise EncodingError if qot.length == 0
|
2014-10-07 05:16:16 +00:00
|
|
|
|
|
|
|
sep = qot[0].chr
|
|
|
|
# Use an explicit length for the H specifier instead of just "H*"
|
|
|
|
# in case * is a badchar for the module, and for the case where this
|
|
|
|
# ends up unquoted so the shell doesn't try to expand a path.
|
|
|
|
"qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"
|
|
|
|
end
|
|
|
|
|
2014-07-22 15:27:45 +00:00
|
|
|
end
|