diff --git a/lib/ronin/payloads/encoders/builtin/shell/hex_escape.rb b/lib/ronin/payloads/encoders/builtin/shell/hex_escape.rb
index 06bef460..038cd6dd 100644
--- a/lib/ronin/payloads/encoders/builtin/shell/hex_escape.rb
+++ b/lib/ronin/payloads/encoders/builtin/shell/hex_escape.rb
@@ -47,7 +47,7 @@ class HexEscape < ShellCommandEncoder
Encodes the arguments of a given command String as hex escaped shell strings then executes it as a command in a sub-shell.
- ls -la -> $'\\x6c\\x73' $'\\x2d\\x6c\\x61'
+ ls -la -> bash -c "$'\\x6c\\x73' $'\\x2d\\x6c\\x61'"
Note: supports bash, zsh, mksh, but *not* the dash shell which is the default system shell on Ubuntu and Debian.
@@ -61,9 +61,11 @@ class HexEscape < ShellCommandEncoder
# @return [String]
#
def encode(command)
- Shellwords.shellsplit(command).map { |arg|
+ escaped_command = Shellwords.shellsplit(command).map { |arg|
"$'#{Support::Encoding::Shell.encode(arg)}'"
}.join(' ')
+
+ %{bash -c "#{escaped_command}"}
end
end
diff --git a/spec/encoders/builtin/shell/hex_escape_spec.rb b/spec/encoders/builtin/shell/hex_escape_spec.rb
index 59c44b51..d1576ba9 100644
--- a/spec/encoders/builtin/shell/hex_escape_spec.rb
+++ b/spec/encoders/builtin/shell/hex_escape_spec.rb
@@ -16,14 +16,14 @@ describe "#encode" do
let(:command) { "echo PWNED" }
- let(:encoded) { "$'\\x65\\x63\\x68\\x6f' $'\\x50\\x57\\x4e\\x45\\x44'" }
+ let(:encoded) { %{bash -c "$'\\x65\\x63\\x68\\x6f' $'\\x50\\x57\\x4e\\x45\\x44'"} }
it "must encode each argument in the given command string into a hex strings" do
expect(subject.encode(command)).to eq(encoded)
end
it "must return a valid shell command", :integration do
- expect(`bash -c "#{subject.encode(command)}"`).to eq("PWNED#{$/}")
+ expect(`#{subject.encode(command)}`).to eq("PWNED#{$/}")
end
end
end
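Review bot: The `Note:` paragraph kept as context under the changed example no longer matches what the encoder emits. It lists bash, zsh and mksh as supported, but the new output always invokes `bash -c`, so bash itself has to be installed and on the PATH wherever the command runs, while the invoking shell no longer needs `$'...'` support of its own. I would reword it along the lines of `Note: requires bash to be installed; the invoking shell itself does not need $'...' support.` The description block starts above this hunk, so the rest of its wording is not visible here.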
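Review bot: The interpolation in `%{bash -c "#{escaped_command}"}` is only safe while `Support::Encoding::Shell.encode` emits nothing that is special inside double quotes (a double quote, a backtick, a dollar sign or a doubled backslash). That method is not visible in this diff, so the assumption should be recorded next to the wrapper, for example `# relies on Shell.encode emitting only \xNN escapes, which are inert inside double quotes`. The YARD comment above `encode` starts outside the hunk; its `@return` should now say that the result is a complete `bash -c "..."` invocation rather than a bare list of `$'...'` words, because a caller that still adds its own `bash -c` will wrap the command twice.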
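Review bot: The only input these examples exercise is `echo PWNED`, which contains nothing that interacts with the new double-quoted `bash -c` wrapper, so both examples would still pass if quoting inside the wrapper were wrong. I would add an `:integration` example whose argument carries a double quote, a dollar sign and a backslash (constructed sample: `let(:command) { %q{echo 'a "b" $c'} }`) and assert that the output round-trips unchanged. The enclosing top-level `describe` opens outside this hunk, so an existing example of that kind may simply not be visible here. The example title "into a hex strings" could also be corrected to "into hex strings" while the block is being touched.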