Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/cmd/printf_php_mq.rb
21537 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Encoder

7


8
  # Has some issues, but overall it's pretty good

9
  # - printf(1) may not be available

10
  # - requires: "\x7c\x73\x68\x5c\x78"

11
  # - doesn't work on windows

12
  # - min size increase: 4x + 9

13
  # - max size increase: 4x + 14

14
  # However, because it intentionally leaves backslashes unescaped (assuming

15
  # that PHP's magic_quotes_gpc will take care of escaping them) it is

16
  # unsuitable for most exploits.

17
  Rank = ManualRanking

18


19
  def initialize

20
    super(

21
      'Name' => 'printf(1) via PHP magic_quotes Utility Command Encoder',

22
      'Description' => %q{

23
          This encoder uses the printf(1) utility to avoid restricted

24
        characters. Some shell variable substitution may also be used

25
        if needed symbols are blacklisted. Some characters are intentionally

26
        left unescaped since it is assumed that PHP with magic_quotes_gpc

27
        enabled will escape them during request handling.

28
      },

29
      'Author' => 'jduck',

30
      'Arch' => ARCH_CMD,

31
      'Platform' => 'unix',

32
      'EncoderType' => Msf::Encoder::Type::PrintfPHPMagicQuotes)

33
  end

34


35
  #

36
  # Encodes the payload

37
  #

38
  def encode_block(state, buf)

39
    # Skip encoding for empty badchars

40
    if state.badchars.empty?

41
      return buf

42
    end

43


44
    # If backslash is bad, we are screwed.

45
    if state.badchars.include?('\\') ||

46
       state.badchars.include?('|') ||

47
       # We must have at least ONE of these two..

48
       (state.badchars.include?('x') && state.badchars.include?('0'))

49
      raise EncodingError

50
    end

51


52
    # Now we build a string of the original payload with bad characters

53
    # into \0<NNN> or \x<HH>

54
    if state.badchars.include?('x')

55
      hex = buf.unpack('C*').collect { |c| '\\0%o' % c }.join

56
    else

57
      hex = buf.unpack('C*').collect { |c| '\\x%x' % c }.join

58
    end

59


60
    # Build the final output

61
    ret = 'printf'

62


63
    # Special case: <SPACE>, try to use ${IFS}

64
    if state.badchars.include?(' ')

65
      ret << '${IFS}'

66
    else

67
      ret << ' '

68
    end

69


70
    ret << hex << '|sh'

71


72
    return ret

73
  end

74
end

75


76