metasploit-framework/modules/encoders/cmd/perl.rb

131 lines
3.4 KiB
Ruby
Raw Normal View History

##
2014-12-11 22:34:10 +00:00
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Encoder
Rank = NormalRanking
def initialize
super(
'Name' => 'Perl Command Encoder',
'Description' => %q{
This encoder uses perl to avoid commonly restricted characters.
},
'Author' => 'hdm',
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'EncoderType' => Msf::Encoder::Type::CmdUnixPerl)
end
#
# Encodes the payload
#
def encode_block(state, buf)
# Skip encoding for empty badchars
if state.badchars.length == 0
return buf
end
if state.badchars.include?("-")
2015-05-18 20:33:01 +00:00
raise EncodingError
else
buf = encode_block_perl(state,buf)
end
return buf
end
#
# Uses the perl command to hex encode the command string
#
def encode_block_perl(state, buf)
hex = buf.unpack("H*").join
cmd = 'perl -e '
qot = ',-:.=+!@#$%^&'
# Convert spaces to IFS...
if state.badchars.include?(" ")
if state.badchars.match(/[${IFS}]/n)
2015-05-18 20:33:01 +00:00
raise EncodingError
end
cmd.gsub!(/\s/, '${IFS}')
end
# Can we use single quotes to enclose the command string?
if state.badchars.include?("'")
if (state.badchars.match(/[()\\]/))
2014-10-07 15:21:30 +00:00
cmd << perl_e(state, qot, hex)
else
# Without quotes, we can use backslash to escape parens so the
# shell doesn't try to interpreter them.
cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"
end
else
# Quotes are ok, but we still need parens or spaces
if (state.badchars.match(/[()]/n))
if state.badchars.include?(" ")
2014-10-07 15:21:30 +00:00
cmd << perl_e(state, qot, hex)
else
cmd << "'system pack #{perl_qq(state, qot, hex)}'"
end
else
cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"
end
end
return cmd
end
2014-10-07 15:21:30 +00:00
def perl_e(state, qot, hex)
# We don't have parens, quotes, or backslashes so we have to use
# barewords on the commandline for the argument to the pack
# function. As a consequence, we can't use things that the shell
# would interpret, so $ and & become badchars.
qot.delete("$")
qot.delete("&")
# Perl chains -e with newlines, but doesn't automatically add
# semicolons, so the following will result in the interpreter
# seeing a file like this:
# system
# pack
# qq^H*^,qq^whatever^
# Since system and pack require arguments (rather than assuming
# $_ when no args are given like many other perl functions),
# this works out to do what we need.
cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"
if state.badchars.include?(" ")
# We already tested above to make sure that these chars are ok
# if space isn't.
cmd.gsub!(" ", "${IFS}")
end
cmd
end
def perl_qq(state, qot, hex)
# Find a quoting character to use
state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
# Throw an error if we ran out of quotes
2015-05-18 20:33:01 +00:00
raise EncodingError if qot.length == 0
sep = qot[0].chr
# Use an explicit length for the H specifier instead of just "H*"
# in case * is a badchar for the module, and for the case where this
# ends up unquoted so the shell doesn't try to expand a path.
"qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"
end
end