Escape braces after all in cmd/brace encoder #18032
Previously escaped only commas.
@@ -27,7 +27,7 @@ def encode_block(state, buf) | |||
return buf if state.badchars !~ /\s/ | |||
|
|||
# Perform brace expansion encoding | |||
"{#{buf.gsub(',', '\\,').gsub(/\s+/, ',')}}" | |||
"{#{buf.gsub(/([{,}])/, '\\\\\1').gsub(/\s+/, ',')}}" |
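Review bot: the replacement string '\\\\\1' on the added line is hard to verify by eye. Inside single quotes it is the four characters \\\1, which gsub then reads as one literal backslash followed by capture group 1, so two layers of escaping have to be unwound to confirm the result. The block form buf.gsub(/[{,}]/) { |c| "\\#{c}" } yields the same output with a single layer and needs no capture group. If the current form stays, the "# Perform brace expansion encoding" comment above it should say that each {, comma and } is prefixed with one backslash before whitespace runs are turned into commas.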
This is terrible.
But it works 👍
so many backslashes i don't even know what's real anymore
I wonder how many hits this PR will generate on searches by owners of reclassified firearms... I think that expression might bear an explanatory comment, or SomeGPT will have a lot of 'splainin to do 😉
Before:
Updated version showing that braces are now properly encoded as well:
Release Notes
A bug has been fixed in the
Previously escaped only commas.
Test:
echo -n "echo hello, {world}" | ./msfvenom -a cmd --platform unix -e cmd/brace -b " "
Updates #10516.