Land rapid7#3561 - unix cmd generic_sh encoder

Author: wchen-r7

lib/msf/core/encoder.rb

@@ -127,6 +127,18 @@ module Type
     # Special printf(1) via PHP magic_quotes Command Encoder
     #
     PrintfPHPMagicQuotes = "printf_php_mq"
+    #
+    # perl encoding.
+    #
+    CmdUnixPerl = 'perl'
+    #
+    # Bourne shell echo encoding.
+    #
+    CmdUnixEcho = 'echo'
+    #
+    # Bourne shell IFS encoding.
+    #
+    CmdUnixIfs = 'ifs'
   end
 
   #
@@ -273,6 +285,10 @@ def encode(buf, badchars = nil, state = nil, platform = nil)
     # Call encoded_end to do any encoder specific post-processing
     encode_end(state)
 
+    if arch?(ARCH_CMD)
+      dlog("#{self.name} result: #{state.encoded}")
+    end
+
     # Return the encoded buffer to the caller
     return state.encoded
   end

lib/msf/core/payload_generator.rb

@@ -312,7 +312,7 @@ def get_encoders
         end
         encoders.sort_by { |my_encoder| my_encoder.rank }.reverse
       elsif badchars.present?
-        framework.encoders.each_module_ranked('Arch' => [arch]) do |name, mod|
+        framework.encoders.each_module_ranked('Arch' => [arch], 'Platform' => platform_list) do |name, mod|
           encoders << framework.encoders.create(name)
         end
         encoders.sort_by { |my_encoder| my_encoder.rank }.reverse

modules/encoders/cmd/echo.rb

@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Encoder
+
+  Rank = GoodRanking
+
+  def initialize
+    super(
+      'Name'             => 'Echo Command Encoder',
+      'Description'      => %q{
+        This encoder uses echo and backlash escapes to avoid commonly restricted characters.
+      },
+      'Author'           => 'hdm',
+      'Arch'             => ARCH_CMD,
+      'Platform'         => 'unix',
+      'EncoderType'      => Msf::Encoder::Type::CmdUnixEcho)
+  end
+
+
+  #
+  # Encodes the payload
+  #
+  def encode_block(state, buf)
+    # Skip encoding for empty badchars
+    if state.badchars.length == 0
+      return buf
+    end
+
+    if state.badchars.include?("-")
+      raise RuntimeError
+    else
+      # Without an escape character we can't escape anything, so echo
+      # won't work.
+      if state.badchars.include?("\\")
+        raise RuntimeError
+      else
+        buf = encode_block_bash_echo(state,buf)
+      end
+    end
+
+    return buf
+  end
+
+  #
+  # Uses bash's echo -ne command to hex encode the command string
+  #
+  def encode_block_bash_echo(state, buf)
+
+    hex = ''
+
+    # Can we use single quotes to enclose the echo arguments?
+    if state.badchars.include?("'")
+      hex = buf.unpack('C*').collect { |c| "\\\\\\x%.2x" % c }.join
+    else
+      hex = "'" + buf.unpack('C*').collect { |c| "\\x%.2x" % c }.join + "'"
+    end
+
+    # Are pipe characters restricted?
+    if state.badchars.include?("|")
+      # How about backticks?
+      if state.badchars.include?("`")
+        # Last ditch effort, dollar paren
+        if state.badchars.include?("$") or state.badchars.include?("(")
+          raise RuntimeError
+        else
+          buf = "$(/bin/echo -ne #{hex})"
+        end
+      else
+        buf = "`/bin/echo -ne #{hex}`"
+      end
+    else
+      buf = "/bin/echo -ne #{hex}|sh"
+    end
+
+    # Remove spaces from the command string
+    if state.badchars.include?(" ")
+      buf.gsub!(/\s/, '${IFS}')
+    end
+
+    return buf
+  end
+
+end

modules/encoders/cmd/generic_sh.rb

@@ -10,7 +10,7 @@
 class Metasploit3 < Msf::Encoder
 
   # Has some issues, but overall it's pretty good
-  Rank = GoodRanking
+  Rank = ManualRanking
 
   def initialize
     super(

modules/encoders/cmd/ifs.rb

@@ -22,14 +22,25 @@ def initialize
       },
       'Author'           => 'egypt',
       'Arch'             => ARCH_CMD,
-      'Platform'         => 'unix')
+      'Platform'         => 'unix',
+      'EncoderType'      => Msf::Encoder::Type::CmdUnixIfs)
   end
 
 
   #
   # Encodes the payload
   #
   def encode_block(state, buf)
+    # Skip encoding for empty badchars
+    if state.badchars.length == 0
+      return buf
+    end
+
+    # Skip encoding unless space is a badchar
+    unless state.badchars.include?(" ")
+      return buf
+    end
+
     buf.gsub!(/\s/, '${IFS}')
     return buf
   end

modules/encoders/cmd/perl.rb

@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Encoder
+
+  Rank = NormalRanking
+
+  def initialize
+    super(
+      'Name'             => 'Perl Command Encoder',
+      'Description'      => %q{
+        This encoder uses perl to avoid commonly restricted characters.
+      },
+      'Author'           => 'hdm',
+      'Arch'             => ARCH_CMD,
+      'Platform'         => 'unix',
+      'EncoderType'      => Msf::Encoder::Type::CmdUnixPerl)
+  end
+
+
+  #
+  # Encodes the payload
+  #
+  def encode_block(state, buf)
+
+    # Skip encoding for empty badchars
+    if state.badchars.length == 0
+      return buf
+    end
+
+    if state.badchars.include?("-")
+      raise RuntimeError
+    else
+      buf = encode_block_perl(state,buf)
+    end
+
+    return buf
+  end
+
+  #
+  # Uses the perl command to hex encode the command string
+  #
+  def encode_block_perl(state, buf)
+
+    hex = buf.unpack("H*").join
+    cmd = 'perl -e '
+    qot = ',-:.=+!@#$%^&'
+
+    # Convert spaces to IFS...
+    if state.badchars.include?(" ")
+      if state.badchars.match(/[${IFS}]/n)
+        raise RuntimeError
+      end
+      cmd.gsub!(/\s/, '${IFS}')
+    end
+
+    # Can we use single quotes to enclose the command string?
+    if state.badchars.include?("'")
+      if (state.badchars.match(/[()\\]/))
+        cmd << perl_e(state, qot, hex)
+      else
+        # Without quotes, we can use backslash to escape parens so the
+        # shell doesn't try to interpreter them.
+        cmd << "system\\(pack\\(#{perl_qq(state, qot, hex)}\\)\\)"
+      end
+    else
+      # Quotes are ok, but we still need parens or spaces
+      if (state.badchars.match(/[()]/n))
+        if state.badchars.include?(" ")
+          cmd << perl_e(state, qot, hex)
+        else
+          cmd << "'system pack #{perl_qq(state, qot, hex)}'"
+        end
+      else
+        cmd << "'system(pack(#{perl_qq(state, qot, hex)}))'"
+      end
+    end
+
+    return cmd
+  end
+
+  def perl_e(state, qot, hex)
+    # We don't have parens, quotes, or backslashes so we have to use
+    # barewords on the commandline for the argument to the pack
+    # function. As a consequence, we can't use things that the shell
+    # would interpret, so $ and & become badchars.
+    qot.delete("$")
+    qot.delete("&")
+
+    # Perl chains -e with newlines, but doesn't automatically add
+    # semicolons, so the following will result in the interpreter
+    # seeing a file like this:
+    #    system
+    #    pack
+    #    qq^H*^,qq^whatever^
+    # Since system and pack require arguments (rather than assuming
+    # $_ when no args are given like many other perl functions),
+    # this works out to do what we need.
+    cmd = "system -e pack -e #{perl_qq(state, qot, hex)}"
+    if state.badchars.include?(" ")
+      # We already tested above to make sure that these chars are ok
+      # if space isn't.
+      cmd.gsub!(" ", "${IFS}")
+    end
+
+    cmd
+  end
+
+  def perl_qq(state, qot, hex)
+
+    # Find a quoting character to use
+    state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
+
+    # Throw an error if we ran out of quotes
+    raise RuntimeError if qot.length == 0
+
+    sep = qot[0].chr
+    # Use an explicit length for the H specifier instead of just "H*"
+    # in case * is a badchar for the module, and for the case where this
+    # ends up unquoted so the shell doesn't try to expand a path.
+    "qq#{sep}H#{hex.length}#{sep},qq#{sep}#{hex}#{sep}"
+  end
+
+end

modules/exploits/linux/http/nginx_chunked_size.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
       'Privileged'     => false,
       'Payload'        =>
         {
-          'BadChars' => "\x0d\x0a",
+          'BadChars'    => "\x0d\x0a"
         },
       'Arch' => ARCH_CMD,
       'Platform' => 'unix',