Class: Rex::Exploitation::CmdStagerBase

Inherits:

Object

• Object
• Rex::Exploitation::CmdStagerBase

Defined in:

lib/rex/exploitation/cmdstager/base.rb

Overview

This class provides an interface to generating cmdstagers.

Direct Known Subclasses

CmdStagerDebugAsm, CmdStagerDebugWrite, CmdStagerTFTP, CmdStagerVBS

Instance Method Summary

• #cmd_concat_operator ⇒ Object

  Can be overriden.

• #compress_commands(cmds, opts) ⇒ Object

  Compress commands into as few lines as possible.

• #encode_payload(opts) ⇒ Object

  This method is intended to be override by the child class.

• #generate(opts = {}) ⇒ Object

  Generates the cmd payload including the h2bv2 decoder and encoded payload.

• #generate_cmds(opts) ⇒ Object

  This does the work of actually building an array of commands that when executed will create and run an executable payload.

• #generate_cmds_decoder(opts) ⇒ Object

  Generate the commands that will decode the file we just created.

• #generate_cmds_payload(opts) ⇒ Object

  Generate the commands to create an encoded version of the payload file.

• #initialize(exe) ⇒ CmdStagerBase constructor

  A new instance of CmdStagerBase.

• #parts_to_commands(parts, opts) ⇒ Object

  Combine the parts of the encoded file with the stuff that goes before / after it – example “echo ” and “ >>file”.

• #slice_up_payload(encoded, opts) ⇒ Object

  We take a string of data and turn it into an array of parts.

Constructor Details

#initialize(exe) ⇒ CmdStagerBase

Returns a new instance of CmdStagerBase.

# File 'lib/rex/exploitation/cmdstager/base.rb', line 16

def initialize(exe)
	@linemax     = 2047 # covers most likely cases
	@exe         = exe
end

Instance Method Details

#cmd_concat_operator ⇒ Object

Can be overriden. For exmaple, use for unix use “;” instead

# File 'lib/rex/exploitation/cmdstager/base.rb', line 169

def cmd_concat_operator
	nil
end

#compress_commands(cmds, opts) ⇒ Object

Compress commands into as few lines as possible. Minimizes the number of commands to execute while maximizing the number of commands per execution.

# File 'lib/rex/exploitation/cmdstager/base.rb', line 126

def compress_commands(cmds, opts)
	new_cmds = []
	line = ''
	concat = cmd_concat_operator

	# We cannot compress commands if there is no way to combine commands on
	# a single line.
	return cmds if not concat

	cmds.each { |cmd|

		# If this command will fit, concat it and move on.
		if ((line.length + cmd.length + concat.length) < opts[:linemax])
			line << concat if line.length > 0
			line << cmd
			next
		end

		# The command wont fit concat'd to this line, if we have something,
		# we have to add it to the array now.
		if (line.length > 0)
			new_cmds << line
			line = ''
		end

		# If it won't fit even after emptying the current line, error out..
		if (cmd.length > opts[:linemax])
			raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
		end

		# It will indeed fit by itself, lets add it.
		line << cmd

	}
	new_cmds << line if (line.length > 0)

	# Return the final array.
	new_cmds
end

#encode_payload(opts) ⇒ Object

This method is intended to be override by the child class

# File 'lib/rex/exploitation/cmdstager/base.rb', line 77

def encode_payload(opts)
	# Defaults to nothing
	""
end

#generate(opts = {}) ⇒ Object

Generates the cmd payload including the h2bv2 decoder and encoded payload. The resulting commands also perform cleanup, removing any left over files

# File 'lib/rex/exploitation/cmdstager/base.rb', line 25

def generate(opts = {})
	# Allow temporary directory override
	@tempdir = opts[:temp]
	@tempdir ||= "%TEMP%\\"
	if (@tempdir == '.')
		@tempdir = ''
	end

	opts[:linemax] ||= @linemax

	generate_cmds(opts)
end

#generate_cmds(opts) ⇒ Object

This does the work of actually building an array of commands that when executed will create and run an executable payload.

# File 'lib/rex/exploitation/cmdstager/base.rb', line 43

def generate_cmds(opts)

	# Initialize an arry of commands to execute
	cmds = []

	# Add the exe building commands
	cmds += generate_cmds_payload(opts)

	# Add the decoder script building commands
	cmds += generate_cmds_decoder(opts)

	compress_commands(cmds, opts)
end

#generate_cmds_decoder(opts) ⇒ Object

Generate the commands that will decode the file we just created

# File 'lib/rex/exploitation/cmdstager/base.rb', line 115

def generate_cmds_decoder(opts)
	# Defaults to no commands.
	[]
end

#generate_cmds_payload(opts) ⇒ Object

Generate the commands to create an encoded version of the payload file

# File 'lib/rex/exploitation/cmdstager/base.rb', line 62

def generate_cmds_payload(opts)

	# First encode the payload
	encoded = encode_payload(opts)

	# Now split it up into usable pieces
	parts = slice_up_payload(encoded, opts)

	# Turn each part into a valid command
	parts_to_commands(parts, opts)
end

#parts_to_commands(parts, opts) ⇒ Object

Combine the parts of the encoded file with the stuff that goes before / after it – example “echo ” and “ >>file”

# File 'lib/rex/exploitation/cmdstager/base.rb', line 105

def parts_to_commands(parts, opts)
	# Return as-is
	parts
end

#slice_up_payload(encoded, opts) ⇒ Object

We take a string of data and turn it into an array of parts.

We save opts bytes out of every opts for the parts appended and prepended to the resulting elements.

# File 'lib/rex/exploitation/cmdstager/base.rb', line 88

def slice_up_payload(encoded, opts)
	tmp = encoded.dup

	parts = []
	xtra_len = opts[:extra]
	xtra_len ||= 0
	while (tmp.length > 0)
		parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
	end

	parts
end