Land rapid7#4403, msfvenom configurable variable name

wvu · wvu · commit c78685269f06 · 2014-12-16T10:10:54.000-06:00
diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb
@@ -18,37 +18,39 @@ module Buffer
   # Serializes a buffer to a provided format.  The formats supported are raw,
   # num, dword, ruby, python, perl, bash, c, js_be, js_le, java and psh
   #
-  def self.transform(buf, fmt = "ruby")
+  def self.transform(buf, fmt = "ruby", var_name = 'buf')
+    default_wrap = 60
+
     case fmt
       when 'raw'
       when 'num'
         buf = Rex::Text.to_num(buf)
       when 'dword', 'dw'
         buf = Rex::Text.to_dword(buf)
       when 'python', 'py'
-        buf = Rex::Text.to_python(buf)
+        buf = Rex::Text.to_python(buf, default_wrap, var_name)
       when 'ruby', 'rb'
-        buf = Rex::Text.to_ruby(buf)
+        buf = Rex::Text.to_ruby(buf, default_wrap, var_name)
       when 'perl', 'pl'
-        buf = Rex::Text.to_perl(buf)
+        buf = Rex::Text.to_perl(buf, default_wrap, var_name)
       when 'bash', 'sh'
-        buf = Rex::Text.to_bash(buf)
+        buf = Rex::Text.to_bash(buf, default_wrap, var_name)
       when 'c'
-        buf = Rex::Text.to_c(buf)
+        buf = Rex::Text.to_c(buf, default_wrap, var_name)
       when 'csharp'
-        buf = Rex::Text.to_csharp(buf)
+        buf = Rex::Text.to_csharp(buf, default_wrap, var_name)
       when 'js_be'
         buf = Rex::Text.to_unescape(buf, ENDIAN_BIG)
       when 'js_le'
         buf = Rex::Text.to_unescape(buf, ENDIAN_LITTLE)
       when 'java'
-        buf = Rex::Text.to_java(buf)
+        buf = Rex::Text.to_java(buf, var_name)
       when 'powershell', 'ps1'
-        buf = Rex::Text.to_powershell(buf)
+        buf = Rex::Text.to_powershell(buf, var_name)
       when 'vbscript'
-        buf = Rex::Text.to_vbscript(buf)
+        buf = Rex::Text.to_vbscript(buf, var_name)
       when 'vbapplication'
-        buf = Rex::Text.to_vbapplication(buf)
+        buf = Rex::Text.to_vbapplication(buf, var_name)
       else
         raise ArgumentError, "Unsupported buffer format: #{fmt}", caller
     end
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
@@ -70,6 +70,9 @@ class PayloadGenerator
     # @!attribute  template
     #   @return [String] The path to an executable template to use
     attr_accessor :template
+    # @!attribute  var_name
+    #   @return [String] The custom variable string for certain output formats
+    attr_accessor :var_name
 
 
     # @param opts [Hash] The options hash
@@ -105,6 +108,7 @@ def initialize(opts={})
       @space      = opts.fetch(:space, 1.gigabyte)
       @stdin      = opts.fetch(:stdin, nil)
       @template   = opts.fetch(:template, '')
+      @var_name   = opts.fetch(:var_name, 'buf')
 
       @framework  = opts.fetch(:framework)
 
@@ -213,10 +217,10 @@ def format_payload(shellcode)
           if Rex::Arch.endian(arch) != ENDIAN_BIG
             raise IncompatibleEndianess, "Big endian format selected for a non big endian payload"
           else
-            ::Msf::Simple::Buffer.transform(shellcode, format)
+            ::Msf::Simple::Buffer.transform(shellcode, format, @var_name)
           end
         when *::Msf::Simple::Buffer.transform_formats
-          ::Msf::Simple::Buffer.transform(shellcode, format)
+          ::Msf::Simple::Buffer.transform(shellcode, format, @var_name)
         when *::Msf::Util::EXE.to_executable_fmt_formats
           ::Msf::Util::EXE.to_executable_fmt(framework, arch, platform_list, shellcode, format, exe_options)
         else
diff --git a/msfvenom b/msfvenom
@@ -121,6 +121,10 @@ require 'msf/core/payload_generator'
       opts[:list_options] = true
     end
 
+    opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x|
+      opts[:var_name] = x
+    end
+
     opt.on_tail('-h', '--help', 'Show this message') do
       raise UsageError, "#{opt}"
     end
diff --git a/spec/lib/msf/core/payload_generator_spec.rb b/spec/lib/msf/core/payload_generator_spec.rb
@@ -62,6 +62,7 @@
         reference_name: 'x86/shikata_ga_nai'
     )
   }
+  let(:var_name) { 'buf' }
 
   subject(:payload_generator) {
     described_class.new(generator_opts)
@@ -482,7 +483,7 @@
       let(:format) { 'c' }
 
       it 'applies the appropriate transform format' do
-        ::Msf::Simple::Buffer.should_receive(:transform).with(shellcode, format)
+        ::Msf::Simple::Buffer.should_receive(:transform).with(shellcode, format, var_name)
         payload_generator.format_payload(shellcode)
       end
     end

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@`
`62`	`62`	`reference_name: 'x86/shikata_ga_nai'`
`63`	`63`	`)`
`64`	`64`	`}`
	`65`	`+ let(:var_name) { 'buf' }`
`65`	`66`
`66`	`67`	`subject(:payload_generator) {`
`67`	`68`	`described_class.new(generator_opts)`
`@@ -482,7 +483,7 @@`
`482`	`483`	`let(:format) { 'c' }`
`483`	`484`
`484`	`485`	`it 'applies the appropriate transform format' do`
`485`		`- ::Msf::Simple::Buffer.should_receive(:transform).with(shellcode, format)`
	`486`	`+ ::Msf::Simple::Buffer.should_receive(:transform).with(shellcode, format, var_name)`
`486`	`487`	`payload_generator.format_payload(shellcode)`
`487`	`488`	`end`
`488`	`489`	`end`