diff --git a/README.md b/README.md index c08c3e72..7ad82cf3 100644 --- a/README.md +++ b/README.md @@ -208,6 +208,7 @@ $ ronin-payloads encoders js/hex_encode js/node/base64_encode php/base64_encode + php/hex_encode powershell/hex_encode python/base64_encode python/hex_encode diff --git a/lib/ronin/payloads/encoders/builtin/php/hex_encode.rb b/lib/ronin/payloads/encoders/builtin/php/hex_encode.rb new file mode 100644 index 00000000..faf707ff --- /dev/null +++ b/lib/ronin/payloads/encoders/builtin/php/hex_encode.rb @@ -0,0 +1,70 @@ +# frozen_string_literal: true +# +# ronin-payloads - A Ruby micro-framework for writing and running exploit +# payloads. +# +# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com) +# +# ronin-payloads is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published +# by the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# ronin-payloads is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with ronin-payloads. If not, see . +# + +require 'ronin/payloads/encoders/php_encoder' +require 'ronin/support/encoding/hex' + +module Ronin + module Payloads + module Encoders + module PHP + # + # A php encoder that encodes the given PHP code as an hex string, then + # decodes it using `hex2bin()`, and then evaluates the decoded PHP code + # using `eval()`. + # + # echo 'PWNED'; -> eval(hex2bin("6563686f202750574e4544273b")) + # + # @since 0.3.0 + # + class HexEncode < PHPEncoder + + register 'php/hex_encode' + + summary 'Encodes PHP as a hex string' + + description <<~DESC + Encodes the given PHP code as an hex string, then decodes it using + `hex2bin()`, and then evaluates the decoded PHP code using `eval()`. + + echo 'PWNED'; -> eval(hex2bin("6563686f202750574e4544273b")) + + DESC + + # + # Encodes the given PHP code. + # + # @param [String] php + # The PHP code to encode. + # + # @return [String] + # + def encode(php) + hex = Support::Encoding::Hex.encode(php) + + %{eval(hex2bin("#{hex}"))} + end + + end + end + end + end +end diff --git a/spec/encoders/builtin/php/hex_encode_spec.rb b/spec/encoders/builtin/php/hex_encode_spec.rb new file mode 100644 index 00000000..c4fc7e5e --- /dev/null +++ b/spec/encoders/builtin/php/hex_encode_spec.rb @@ -0,0 +1,17 @@ +require 'spec_helper' +require 'ronin/payloads/encoders/builtin/php/hex_encode' + +describe Ronin::Payloads::Encoders::PHP::HexEncode do + it "must inherit from Ronin::Payloads::Encoders::PHPEncoder" do + expect(described_class).to be < Ronin::Payloads::Encoders::PHPEncoder + end + + describe "#encode" do + let(:php) { "echo 'PWNED';" } + let(:encoded) { %{eval(hex2bin("6563686f202750574e4544273b"))} } + + it "must encode the given PHP code as a hex string and embed it into the 'eval(hex2bin(\"...\"))' string" do + expect(subject.encode(php)).to eq(encoded) + end + end +end