100755 301 lines (253 sloc) 7.114 kB
#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# $Id$
# $Revision$
#

# Resolve symlinks (including chained symlinks) so the lib directory is
# located relative to the real script, not the link.
msfbase = __FILE__
while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'fastlib'
require 'msfenv'

$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']

require 'rex'
require 'msf/ui'
require 'msf/base'

OutStatus = "[*] "
OutError  = "[-] "

# Load supported formats
supported_formats = Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats

$args = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help banner" ],
  "-l" => [ false, "List available encoders" ],
  "-v" => [ false, "Increase verbosity" ],
  # input/output
  "-i" => [ true,  "Encode the contents of the supplied file path" ],
  "-m" => [ true,  "Specifies an additional module search path" ],
  "-o" => [ true,  "The output file" ],
  # architecture/platform
  "-a" => [ true,  "The architecture to encode as" ],
  "-p" => [ true,  "The platform to encode for" ],
  # format options
  "-t" => [ true,  "The output format: #{supported_formats.join(',')}" ],
  # encoder options
  "-e" => [ true,  "The encoder to use" ],
  "-n" => [ false, "Dump encoder information" ],
  "-b" => [ true,  "The list of characters to avoid: '\\x00\\xff'" ],
  "-s" => [ true,  "The maximum size of the encoded data" ],
  "-c" => [ true,  "The number of times to encode the data" ],
  # EXE generation options
  "-d" => [ true,  "Specify the directory in which to look for EXE templates" ],
  "-x" => [ true,  "Specify an alternate executable template" ],
  "-k" => [ false, "Keep template working; run payload in new thread (use with -x)" ]
)

#
# Dump the list of encoders
#
def dump_encoders(arch = nil)
  tbl = Rex::Ui::Text::Table.new(
    'Indent'  => 4,
    'Header'  => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""),
    'Columns' =>
      [
        "Name",
        "Rank",
        "Description"
      ])
  cnt = 0

  $framework.encoders.each_module(
    'Arch' => arch ? arch.split(',') : nil) { |name, mod|
    tbl << [ name, mod.rank_to_s, mod.new.name ]
    cnt += 1
  }

  (cnt > 0) ? "\n" + tbl.to_s + "\n" : "\nNo compatible encoders found.\n\n"
end

#
# Returns the list of encoders to try
#
def get_encoders(arch, encoder)
  encoders = []

  if (encoder)
    encoders << $framework.encoders.create(encoder)
  else
    $framework.encoders.each_module_ranked(
      'Arch' => arch ? arch.split(',') : nil) { |name, mod|
      encoders << mod.new
    }
  end

  encoders
end

#
# Nuff said.
#
def usage
  $stderr.puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
  exit
end

# Write the encoded buffer to the -o file if one was given, otherwise to stdout
def write_encoded(buf)
  if (not $output)
    $stdout.write(buf)
  else
    File.open($output, "wb") do |fd|
      fd.write(buf)
    end
  end
end

# Defaults
verbose      = 0
cmd          = "encode"
arch         = nil
badchars     = ''
space        = nil
encoder      = nil
fmt          = nil
input        = $stdin
options      = ''
delim        = '_|_'
output       = nil
ecount       = 1
plat         = nil
altexe       = nil
inject       = false
exedir       = nil # use default
module_paths = [] # extra -m search paths, added once the framework exists

# Parse the arguments and rock that shit.
$args.parse(ARGV) { |opt, idx, val|
  case opt
  when "-i"
    begin
      input = File.open(val, 'rb')
    rescue
      $stderr.puts(OutError + "Failed to open file #{val}: #{$!}")
      exit
    end
  when "-m"
    # $framework is not created until after parsing (so -h is fast), so
    # remember the path here and register it after the framework exists.
    module_paths << val
  when "-l"
    cmd = "list"
  when "-n"
    cmd = "dump"
  when "-a"
    arch = val
  when "-c"
    ecount = val.to_i
  when "-b"
    badchars = Rex::Text.hex_to_raw(val)
  when "-p"
    plat = Msf::Module::PlatformList.transform(val)
  when "-s"
    space = val.to_i
  when "-t"
    if supported_formats.include?(val)
      fmt = val
    else
      $stderr.puts(OutError + "Invalid format: #{val}")
      exit
    end
  when "-o"
    $output = val
  when "-e"
    encoder = val

  when "-d"
    exedir = val
  when "-x"
    altexe = val
  when "-k"
    inject = true

  when "-h"
    usage

  when "-v"
    verbose += 1

  else
    # Anything of the form KEY=VALUE is a datastore option for the encoder;
    # the options are joined with an unusual delimiter so values containing
    # spaces survive the round trip.
    if (val =~ /=/)
      options += ((options.length > 0) ? delim : "") + "#{val}"
    end
  end
}

# No explicit -t: infer the output format from the -o file extension.
# (-o stores the path in $output, so that is what must be inspected here.)
if (not fmt and $output)
  pre, ext = $output.split('.')
  if (ext and not ext.empty?)
    fmt = ext
  end
end

if inject and not altexe
  $stderr.puts "[*] Error: the injection option must use a custom EXE template via -x, otherwise the injected payload will immediately exit when the main process dies."
  exit(1)
end

exeopts = {
  :inject        => inject,
  :template      => altexe,
  :template_path => exedir
}

# Initialize the simplified framework instance.
$framework = Msf::Simple::Framework.create(
  :module_types => [ Msf::MODULE_ENCODER, Msf::MODULE_NOP ],
  'DisableDatabase' => true
)

# Register any additional module search paths given with -m
module_paths.each { |path| $framework.modules.add_module_path(path) }

# Get the list of encoders to try
encoders = get_encoders(arch, encoder)

# Process the actual command
case cmd
when "list"
  $stderr.puts(dump_encoders(arch))
when "dump"
  enc = encoder ? $framework.encoders.create(encoder) : nil

  if (enc)
    $stderr.puts(Msf::Serializer::ReadableText.dump_module(enc))
  else
    $stderr.puts(OutError + "Invalid encoder specified.")
  end
when "encode"
  input.binmode # ensure it's in binary mode
  buf = input.read

  encoders.each { |enc|
    next if not enc
    begin
      # Import options
      enc.datastore.import_options_from_s(options, delim)

      skip = false
      eout = buf.dup
      raw  = nil

      1.upto(ecount) do |iteration|

        # Encode it up
        raw = enc.encode(eout, badchars, nil, plat)

        # Is it too big?
        if (space and space > 0 and raw.length > space)
          $stderr.puts(OutError + "#{enc.refname} created buffer that is too big (#{raw.length})")
          skip = true
          break
        end

        # Print it out
        $stderr.puts(OutStatus + "#{enc.refname} succeeded with size #{raw.length} (iteration=#{iteration})\n\n")
        eout = raw
      end

      next if skip

      output = Msf::Util::EXE.to_executable_fmt($framework, arch, plat, raw, fmt, exeopts)

      if not output
        fmt ||= "ruby"
        output = Msf::Simple::Buffer.transform(raw, fmt)
      end

      if exeopts[:fellback]
        $stderr.puts(OutError + "Warning: Falling back to default template: #{exeopts[:fellback]}")
      end

      write_encoded(output)

      exit

    #
    # These exception codes are fatal; we shouldn't expect them to succeed on the next
    # iteration, nor with the next encoder.
    #
    rescue ::Errno::ENOENT, ::Errno::EINVAL
      $stderr.puts(OutError + "#{enc.refname} failed: #{$!}")
      break

    rescue => e
      $stderr.puts(OutError + "#{enc.refname} failed: #{e}")
      if verbose > 0
        e.backtrace.each { |el|
          $stderr.puts(OutError + el.to_s)
        }
      end
    end
  }

  $stderr.puts(OutError + "No encoders succeeded.")
end