metasploit-framework/modules/encoders/cmd/perl.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class MetasploitModule < Msf::Encoder

  Rank = NormalRanking

  def initialize
    super(
      'Name'             => 'Perl Command Encoder',
      'Description'      => %q{
        This encoder uses perl to avoid commonly restricted characters.
      },
      'Author'           => 'hdm',
      'Arch'             => ARCH_CMD,
      'Platform'         => 'unix',
      'EncoderType'      => Msf::Encoder::Type::CmdUnixPerl)
  end


  #
  # Encodes the payload
  #
  def encode_block(state, buf)

    # Skip encoding for empty badchars
    if state.badchars.length == 0
      return buf
    end

    if state.badchars.include?("-")
      raise EncodingError
    else
      buf = encode_block_perl(state,buf)
    end

    return buf
  end

  #
  # Uses the perl command to hex encode the command string
  #
  def encode_block_perl(state, buf)

    hex = buf.unpack("H*").join
    cmd = 'perl -e '
    qot = ',-:.=+!@#$%^&'

    # Convert spaces to IFS...
    if state.badchars.include?(" ")
      if state.badchars.match(/[${IFS}]/n)
        raise EncodingError
      end
      cmd.gsub!(/\s/, '${IFS}')
    end

    # Can we use single quotes to enclose the command string?
    if state.badchars.include?("'")
      if (state.badchars.match(/[()\\]/))
        cmd << perl_e(state, qot, hex)
      else
        # Without quotes, we can use backslash to escape parens so the
        # shell doesn't try to interpreter them.
        cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"
      end
    else
      # Quotes are ok, but we still need parens or spaces
      if (state.badchars.match(/[()]/n))
        if state.badchars.include?(" ")
          cmd << perl_e(state, qot, hex)
        else
          cmd << "'system pack #{perl_qq(state, qot, hex)}'"
        end
      else
        cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"
      end
    end

    return cmd
  end

  def perl_e(state, qot, hex)
    # We don't have parens, quotes, or backslashes so we have to use
    # barewords on the commandline for the argument to the pack
    # function. As a consequence, we can't use things that the shell
    # would interpret, so $ and & become badchars.
    qot.delete("$")
    qot.delete("&")

    # Perl chains -e with newlines, but doesn't automatically add
    # semicolons, so the following will result in the interpreter
    # seeing a file like this:
    #    system
    #    pack
    #    qq^H*^,qq^whatever^
    # Since system and pack require arguments (rather than assuming
    # $_ when no args are given like many other perl functions),
    # this works out to do what we need.
    cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"
    if state.badchars.include?(" ")
      # We already tested above to make sure that these chars are ok
      # if space isn't.
      cmd.gsub!(" ", "${IFS}")
    end

    cmd
  end

  def perl_qq(state, qot, hex)

    # Find a quoting character to use
    state.badchars.unpack('C*') { |c| qot.delete(c.chr) }

    # Throw an error if we ran out of quotes
    raise EncodingError if qot.length == 0

    sep = qot[0].chr
    # Use an explicit length for the H specifier instead of just "H*"
    # in case * is a badchar for the module, and for the case where this
    # ends up unquoted so the shell doesn't try to expand a path.
    "qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"
  end

end
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`##`
fix invalid URI scheme, closes #4362 2014-12-11 22:34:10 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`


			`require 'msf/core'`


use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Encoder`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00
Favor echo encoder for back compatibility 2014-10-07 15:24:32 +00:00			`Rank = NormalRanking`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00
			`def initialize`
			`super(`
			`'Name' => 'Perl Command Encoder',`
			`'Description' => %q{`
			`This encoder uses perl to avoid commonly restricted characters.`
			`},`
			`'Author' => 'hdm',`
			`'Arch' => ARCH_CMD,`
			`'Platform' => 'unix',`
Delete RequiredCmd for unix cmd encoders, favor EncoderType 2014-10-06 23:42:21 +00:00			`'EncoderType' => Msf::Encoder::Type::CmdUnixPerl)`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`end`


			`#`
			`# Encodes the payload`
			`#`
			`def encode_block(state, buf)`

			`# Skip encoding for empty badchars`
			`if state.badchars.length == 0`
			`return buf`
			`end`

			`if state.badchars.include?("-")`
Switch RuntimeError -> EncodingError 2015-05-18 20:33:01 +00:00			`raise EncodingError`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`else`
			`buf = encode_block_perl(state,buf)`
			`end`

			`return buf`
			`end`

			`#`
			`# Uses the perl command to hex encode the command string`
			`#`
			`def encode_block_perl(state, buf)`

Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`hex = buf.unpack("H*").join`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`cmd = 'perl -e '`
			`qot = ',-:.=+!@#$%^&'`

			`# Convert spaces to IFS...`
			`if state.badchars.include?(" ")`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`if state.badchars.match(/[${IFS}]/n)`
Switch RuntimeError -> EncodingError 2015-05-18 20:33:01 +00:00			`raise EncodingError`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`end`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`cmd.gsub!(/\s/, '${IFS}')`
			`end`

			`# Can we use single quotes to enclose the command string?`
			`if state.badchars.include?("'")`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`if (state.badchars.match(/[()\\]/))`
Fix ARCH_CMD perl encoding 2014-10-07 15:21:30 +00:00			`cmd << perl_e(state, qot, hex)`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`else`
			`# Without quotes, we can use backslash to escape parens so the`
			`# shell doesn't try to interpreter them.`
			`cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`end`
			`else`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`# Quotes are ok, but we still need parens or spaces`
			`if (state.badchars.match(/[()]/n))`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`if state.badchars.include?(" ")`
Fix ARCH_CMD perl encoding 2014-10-07 15:21:30 +00:00			`cmd << perl_e(state, qot, hex)`
			`else`
			`cmd << "'system pack #{perl_qq(state, qot, hex)}'"`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`end`
			`else`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"`
Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`end`
			`end`

			`return cmd`
			`end`

Fix ARCH_CMD perl encoding 2014-10-07 15:21:30 +00:00			`def perl_e(state, qot, hex)`
			`# We don't have parens, quotes, or backslashes so we have to use`
			`# barewords on the commandline for the argument to the pack`
			`# function. As a consequence, we can't use things that the shell`
			`# would interpret, so $ and & become badchars.`
			`qot.delete("$")`
			`qot.delete("&")`

			`# Perl chains -e with newlines, but doesn't automatically add`
			`# semicolons, so the following will result in the interpreter`
			`# seeing a file like this:`
			`# system`
			`# pack`
			`# qq^H*^,qq^whatever^`
			`# Since system and pack require arguments (rather than assuming`
			`# $_ when no args are given like many other perl functions),`
			`# this works out to do what we need.`
			`cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"`
			`if state.badchars.include?(" ")`
			`# We already tested above to make sure that these chars are ok`
			`# if space isn't.`
			`cmd.gsub!(" ", "${IFS}")`
			`end`

			`cmd`
			`end`

Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00			`def perl_qq(state, qot, hex)`

			`# Find a quoting character to use`
			`state.badchars.unpack('C*') { \|c\| qot.delete(c.chr) }`

			`# Throw an error if we ran out of quotes`
Switch RuntimeError -> EncodingError 2015-05-18 20:33:01 +00:00			`raise EncodingError if qot.length == 0`
Add @jlee-r7's changes to perl encoding 2014-10-07 05:16:16 +00:00
			`sep = qot[0].chr`
			`# Use an explicit length for the H specifier instead of just "H*"`
			`# in case * is a badchar for the module, and for the case where this`
			`# ends up unquoted so the shell doesn't try to expand a path.`
			`"qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"`
			`end`

Split generic_sh in echo, perl and ifs encoders 2014-07-22 15:27:45 +00:00			`end`