improved unix cmd encoder
git-svn-id: file:///home/svn/framework3/trunk@6738 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
54b9c3e3f5
commit
01953f7c16
|
@ -33,9 +33,21 @@ class Metasploit3 < Msf::Encoder
|
||||||
#
|
#
|
||||||
def encode_block(state, buf)
|
def encode_block(state, buf)
|
||||||
|
|
||||||
# Remove spaces from the command string
|
if (state.badchars.include?("-"))
|
||||||
if (state.badchars.include?(" "))
|
# Then neither of the others will work. Get rid of spaces and hope
|
||||||
buf.gsub!(/\s/, '${IFS}')
|
# for the best. This obviously won't work if the command already
|
||||||
|
# has other badchars in it, in which case we're basically screwed.
|
||||||
|
if (state.badchars.include?(" "))
|
||||||
|
buf.gsub!(/\s/, '${IFS}')
|
||||||
|
end
|
||||||
|
else
|
||||||
|
# Without an escape character we can't escape anything, so echo
|
||||||
|
# won't work. Try perl.
|
||||||
|
if (state.badchars.include?("\\"))
|
||||||
|
buf = encode_block_perl(state,buf)
|
||||||
|
else
|
||||||
|
buf = encode_block_bash_echo(state,buf)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
return buf
|
return buf
|
||||||
|
@ -51,7 +63,7 @@ class Metasploit3 < Msf::Encoder
|
||||||
qot = ',-:.=+!@#$%^&'
|
qot = ',-:.=+!@#$%^&'
|
||||||
|
|
||||||
# Find a quoting character to use
|
# Find a quoting character to use
|
||||||
state.badchars.unpack('C*') { |c| quot.delete(c.chr) }
|
state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
|
||||||
|
|
||||||
# Throw an error if we ran out of quotes
|
# Throw an error if we ran out of quotes
|
||||||
raise RuntimeError if qot.length == 0
|
raise RuntimeError if qot.length == 0
|
||||||
|
@ -72,7 +84,7 @@ class Metasploit3 < Msf::Encoder
|
||||||
raise RuntimeError
|
raise RuntimeError
|
||||||
end
|
end
|
||||||
|
|
||||||
cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},#{hex}\\)\\)"
|
cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},qq#{sep}#{hex}#{sep}\\)\\)"
|
||||||
|
|
||||||
else
|
else
|
||||||
if (state.badchars.match(/\(|\)/))
|
if (state.badchars.match(/\(|\)/))
|
||||||
|
@ -81,9 +93,9 @@ class Metasploit3 < Msf::Encoder
|
||||||
raise RuntimeError
|
raise RuntimeError
|
||||||
end
|
end
|
||||||
|
|
||||||
cmd << "'system pack qq#{sep}H*#{sep},#{hex}'"
|
cmd << "'system pack qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}'"
|
||||||
else
|
else
|
||||||
cmd << "'system(pack(qq#{sep}H*#{sep},#{hex}))'"
|
cmd << "'system(pack(qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}))'"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -106,10 +118,14 @@ class Metasploit3 < Msf::Encoder
|
||||||
|
|
||||||
# Are pipe characters restricted?
|
# Are pipe characters restricted?
|
||||||
if (state.badchars.include?("|"))
|
if (state.badchars.include?("|"))
|
||||||
|
|
||||||
# How about backticks?
|
# How about backticks?
|
||||||
if (state.badchars.include?("`"))
|
if (state.badchars.include?("`"))
|
||||||
raise RuntimeError
|
# Last ditch effort, dollar paren
|
||||||
|
if (state.badchars.include?("$") or state.badchars.include?("("))
|
||||||
|
raise RuntimeError
|
||||||
|
else
|
||||||
|
buf = "$(echo -ne #{hex})"
|
||||||
|
end
|
||||||
else
|
else
|
||||||
buf = "`echo -ne #{hex}`"
|
buf = "`echo -ne #{hex}`"
|
||||||
end
|
end
|
||||||
|
@ -125,5 +141,4 @@ class Metasploit3 < Msf::Encoder
|
||||||
return buf
|
return buf
|
||||||
end
|
end
|
||||||
|
|
||||||
|
end
|
||||||
end
|
|
||||||
|
|
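Review bot: In the `-51,7 +63,7` hunk the renamed call `qot.delete(c.chr)` still never changes `qot`, because `String#delete` returns a new string and the block's value is discarded (and on older Rubies a block passed to `unpack` is simply ignored), so badchars are never removed from the quote candidates and the `raise RuntimeError if qot.length == 0` guard below cannot fire. Iterate the badchars directly and use the in-place form: `state.badchars.each_byte { |c| qot.delete!(c.chr) }`. The enclosing method starts and ends outside the hunk. In the `-106,10 +118,14` hunk the new `$(echo -ne ...)` fallback checks `$` and `(` but not `)`, so `state.badchars.include?(")")` should be part of that condition as well.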