Add printf CmdStager #2412
Conversation
w00t! Portability!
Hi @mwulftange, mwulftange#1 tries to clean up and fix this pull request. The stager wasn't working in my tests when calling execute_cmdstager with a small linemax. For example:
I hope this fix to the slice_up_payload method makes sense to you and that I haven't broken something else. Please feel free to check, review, test, discuss, etc., and land it once you feel comfortable with it :). Once done, I guess it's ready to be landed. I've used exploits/multi/ssh/sshexec to test this cmd stager:
@mwulftange you are going to quickly become @jlee-r7's best friend if you're not careful with this ;)
Clean up of the CmdStagerPrintf as discussed in #1
```ruby
  #
  def generate_cmds(opts)
    @cmd_start = "printf '"
    @cmd_end = "'>>#{@tempdir}#{@var_elf}"
```
Should we omit the single quotes surrounding the printf argument here? I mean, it would be one character less to worry about (may not be allowed in certain situations) but would double the number of backspaces.
So what do you think of the single quotes around the
@mwulftange, about the single quote thing, I think space is a very important requirement when writing cmd stagers. So my opinion is to use the quotes by default, and maybe allow the stager to work without quotes if an option is specified. This option can be exposed just to module developers, through the opts hash when calling execute_cmdstager. Or it can also be exposed to the user, through a datastore option registered by the mixin. In my opinion it's an option for module developers, and allowing the user to decide whether single quotes are used could make an exploit not work properly. Thoughts?
@mwulftange I'm going to land this pull request since I think it is good enough to go :) If you're still interested in allowing an option to disable the single quotes, another pull request is welcome :)
@jvazquez-r7 The quote-less variant requires even less space (one additional backspace in exchange for two single quotes). #2489
This CmdStager uses printf's support for octal escapes to drop an ELF payload. Since support for octal escapes is part of POSIX printf, this CmdStager should work in all POSIX-compliant shells. The idea of a printf CmdStager was originally discussed in #2371, as the required options -e and -n for the proposed echo CmdStager are not implemented in all shells, e.g., csh's echo has neither -e nor -n. However, csh does have a POSIX-compliant printf.
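To make the technique in the description and the quoting trade-off from the review thread concrete, here is an added Ruby example. It is not the Metasploit CmdStager code from this pull request: it encodes a payload as POSIX printf octal escapes, packs the escapes into commands no longer than a given linemax (rejecting a linemax too small to hold even one byte, the failure mode mentioned in the discussion), and emulates the shell's quote handling plus printf's decoding so the result can be verified without running anything. The names TEMPDIR, VAR_ELF, octal_escape, printf_cmds and simulate, the fixed file name and the sample payload are all assumptions made for this example; the real stager picks a random file name.

```ruby
# Added example, not the Metasploit project's CmdStager code. TEMPDIR, VAR_ELF,
# octal_escape, printf_cmds and simulate are names chosen for this example;
# the real stager generates a random temporary file name.
TEMPDIR = '/tmp/'.freeze
VAR_ELF = 'XyZ'.freeze

# One byte as a three-digit octal escape for the printf format string.
# Quoted:   printf '\177'  -> printf receives \177 unchanged, because the
#           shell does not touch single-quoted text.
# Unquoted: printf \\177   -> the shell collapses \\ to \, so every byte
#           costs one more character (the trade-off discussed above).
def octal_escape(byte, quoted:)
  esc = format('\\%03o', byte)
  quoted ? esc : '\\' + esc
end

# Split payload into printf commands of at most linemax characters, each
# appending to the same temporary file. Escaping every byte, not only the
# non-printable ones, keeps '%', '\' and quote characters out of the format
# string, so nothing in the payload can change printf's or the shell's parsing.
def printf_cmds(payload, linemax:, quoted: true)
  start  = quoted ? "printf '" : 'printf '
  ending = (quoted ? "'" : '') + ">>#{TEMPDIR}#{VAR_ELF}"
  per_byte = quoted ? 4 : 5
  room = linemax - start.length - ending.length
  # A linemax that cannot hold the wrapper plus one escaped byte would otherwise
  # yield empty commands or never make progress.
  raise ArgumentError, "linemax #{linemax} leaves no room for payload bytes" if room < per_byte

  payload.bytes.each_slice(room / per_byte).map do |chunk|
    start + chunk.map { |b| octal_escape(b, quoted: quoted) }.join + ending
  end
end

# Offline check: emulate the shell's quote removal and printf's octal decoding
# and return the bytes that would end up in the file.
def simulate(cmds, quoted:)
  out = ''.b
  cmds.each do |cmd|
    arg = cmd.delete_prefix(quoted ? "printf '" : 'printf ').sub(/'?>>.*\z/, '')
    arg = arg.gsub('\\\\') { '\\' } unless quoted # shell step: \\ -> \
    # printf step: each \ooo becomes the byte with that octal value
    out << arg.gsub(/\\([0-7]{3})/) { Regexp.last_match(1).to_i(8).chr }
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample payload: the ELF magic followed by every byte value.
  elf = "\x7fELF".b + (0..255).to_a.pack('C*')
  [true, false].each do |quoted|
    cmds = printf_cmds(elf, linemax: 40, quoted: quoted)
    ok = simulate(cmds, quoted: quoted) == elf
    puts "quoted=#{quoted}: #{cmds.length} commands, round trip #{ok ? 'ok' : 'FAILED'}"
    puts cmds.first
  end
end
```

With a linemax of 40 the quoted form fits five bytes per command and the unquoted form four, so for this sample the quoted variant needs fewer commands; the two characters saved per line by dropping the quotes are outweighed by the extra backslash per byte once a line carries more than two bytes. A real stager should also randomize the file name and keep every generated line at or below the target's command length limit, which is exactly what the linemax check guards.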