Land rapid7#19377, Add compressinon to php/base64

jheysel-r7 · jheysel-r7 · commit 49d382692a7d · 2024-08-27T10:27:45.000-04:00
This enables users to set a datastore option in enocoders/php/base64
which will compress the payload using zlib, greatly reducing its size
diff --git a/modules/encoders/php/base64.rb b/modules/encoders/php/base64.rb
@@ -17,6 +17,11 @@ def initialize
       'Author' => 'egypt',
       'License' => BSD_LICENSE,
       'Arch' => ARCH_PHP)
+    register_options(
+      [
+        OptBool.new('Compress', [ true, 'Compress the payload with zlib', false ]) # Disabled by default as it relies on having php compiled with zlib, which might not be available on come exotic setups.
+      ],
+      self.class)
   end
 
   def encode_block(state, buf)
@@ -26,6 +31,12 @@ def encode_block(state, buf)
       raise BadcharError if state.badchars.include?(c)
     end
 
+    if datastore['Compress']
+      %w[g z u n c o m p r e s s].uniq.each do |c|
+        raise BadcharError if state.badchars.include?(c)
+      end
+    end
+
     # Modern versions of PHP choke on unquoted literal strings.
     quote = "'"
     if state.badchars.include?("'")
@@ -34,6 +45,10 @@ def encode_block(state, buf)
       quote = '"'
     end
 
+    if datastore['Compress']
+      buf = Zlib::Deflate.deflate(buf)
+    end
+
     # PHP escapes quotes by default with magic_quotes_gpc, so we use some
     # tricks to get around using them.
     #
@@ -98,6 +113,10 @@ def encode_block(state, buf)
     # cause a syntax error.  Remove any trailing dots.
     b64.chomp!('.')
 
-    return 'eval(base64_decode(' + quote + b64 + quote + '));'
+    if datastore['Compress']
+      return 'eval(gzuncompress(base64_decode(' + quote + b64 + quote + ')));'
+    else
+      return 'eval(base64_decode(' + quote + b64 + quote + '));'
+    end
   end
 end
