From baadd1d927873c118c0d8656d2e34e76d21a1bf7 Mon Sep 17 00:00:00 2001 From: zawz Date: Fri, 26 Mar 2021 15:45:00 +0100 Subject: [PATCH] debashify $RANDOM + _lxsh_random extension --- shellcode/random.sh | 3 ++ src/debashify.cpp | 122 ++++++++++++++++++++++++-------------------- src/shellcode.cpp | 1 + 3 files changed, 70 insertions(+), 56 deletions(-) create mode 100644 shellcode/random.sh diff --git a/shellcode/random.sh b/shellcode/random.sh new file mode 100644 index 0000000..c9fac71 --- /dev/null +++ b/shellcode/random.sh @@ -0,0 +1,3 @@ +_lxsh_random() { + printf %d "0x$(head -c"${1-2}" manip != nullptr) + throw std::runtime_error("Cannot debashify manipulations on ${VAR[]}"); + + std::string varname = in->varname; + arg* index = in->index; + in->index=nullptr; + + if(index->string() == "*") + { + delete index; + index = new arg("\\*"); + } + + cmd* c; + if(params->arrays[varname]) + { + c = make_cmd_varindex("_lxsh_map_get", varname, index); + params->require_fct("_lxsh_map_get"); + } + else + { + c = make_cmd_varindex("_lxsh_array_get", varname, index); + params->require_fct("_lxsh_array_get"); + } + + return new subshell(c); +} + +subshell* do_debashify_random(variable* in, debashify_params* params) +{ + if(in->manip != nullptr) + throw std::runtime_error("Cannot debashify manipulations on ${RANDOM}"); + cmd* c = make_cmd("_lxsh_random"); + params->require_fct("_lxsh_random"); + return new subshell(c); +} + +// does multiple debashifies: +// - array +// - RANDOM subshell_arithmetic* do_debashify_arithmetic(arithmetic* in, debashify_params* params) { subshell_arithmetic* ret = nullptr; if(in->type == _obj::arithmetic_variable) { variable_arithmetic* t = dynamic_cast(in); - if(t->var != nullptr && t->var->index != nullptr) + if(t->var != nullptr && t->var->varname == "RANDOM") { - if(t->var->manip != nullptr) - throw std::runtime_error("Cannot debashify manipulations on ${VAR[]}"); - - std::string varname = t->var->varname; - arg* index = t->var->index; - t->var->index=nullptr; - - cmd* c; - if(params->arrays[varname]) - { - c = make_cmd_varindex("_lxsh_map_get", varname, index); - params->require_fct("_lxsh_map_get"); - } - else - { - c = make_cmd_varindex("_lxsh_array_get", varname, index); - params->require_fct("_lxsh_array_get"); - } - - ret = new subshell_arithmetic(new subshell(c)); + ret = new subshell_arithmetic(do_debashify_random(t->var, params)); + } + else if(t->var != nullptr && t->var->index != nullptr) + { + ret = new subshell_arithmetic(do_debashify_array_var_get(t->var, params)); } } return ret; } -bool debashify_array_arithmetic(_obj* o, debashify_params* params) +bool debashify_arithmetic_replace(_obj* o, debashify_params* params) { bool ret=false; switch(o->type) @@ -402,49 +429,32 @@ bool debashify_array_arithmetic(_obj* o, debashify_params* params) return ret; } -bool debashify_array_get(arg* in, debashify_params* params) +bool debashify_subarg_replace(arg* in, debashify_params* params) { bool has_replaced=false; for(auto it=in->sa.begin() ; it!=in->sa.end() ; it++) { + subarg* replacer=nullptr; + bool quoted=(*it)->quoted; if((*it)->type == _obj::subarg_variable) { variable_subarg* t = dynamic_cast(*it); - bool quoted=t->quoted; + if(t->var != nullptr && t->var->varname == "RANDOM") + { + replacer = new subshell_subarg(do_debashify_random(t->var, params)); + } if(t->var != nullptr && t->var->is_manip && t->var->index != nullptr) { - if(t->var->manip != nullptr) - throw std::runtime_error("Cannot debashify manipulations on ${VAR[]}"); - - std::string varname = t->var->varname; - arg* index = t->var->index; - t->var->index=nullptr; - - if(index->string() == "*") - { - delete index; - index = new arg("\\*"); - } - - cmd* c; - if(params->arrays[varname]) - { - c = make_cmd_varindex("_lxsh_map_get", varname, index); - params->require_fct("_lxsh_map_get"); - } - else - { - c = make_cmd_varindex("_lxsh_array_get", varname, index); - params->require_fct("_lxsh_array_get"); - } - - subshell_subarg* sb = new subshell_subarg(new subshell(c)); - sb->quoted=quoted; - delete *it; - *it = sb; - has_replaced=true; + replacer = new subshell_subarg(do_debashify_array_var_get(t->var, params)); } } + if(replacer != nullptr) + { + replacer->quoted=quoted; + delete *it; + *it = replacer; + has_replaced=true; + } } return has_replaced; } @@ -761,7 +771,7 @@ bool debashify_var(variable* in, debashify_params* params) bool r_debashify(_obj* o, debashify_params* params) { // global debashifies - debashify_array_arithmetic(o, params); + debashify_arithmetic_replace(o, params); switch(o->type) { case _obj::_variable: { @@ -770,7 +780,7 @@ bool r_debashify(_obj* o, debashify_params* params) } break; case _obj::_arg: { arg* t = dynamic_cast(o); - debashify_array_get(t, params); + debashify_subarg_replace(t, params); } break; case _obj::_list: { list* t = dynamic_cast(o); diff --git a/src/shellcode.cpp b/src/shellcode.cpp index a71bce7..0d5a563 100644 --- a/src/shellcode.cpp +++ b/src/shellcode.cpp @@ -5,6 +5,7 @@ #include "struc_helper.hpp" const std::map lxsh_extend_fcts = { + { "_lxsh_random", { "[K]", "Generate a random number between 0 and 2^(k*8). Default 2", RANDOM_SH} }, { "_lxsh_random_string", { "[N]", "Generate a random alphanumeric string of length N. Default 20", RANDOM_STRING_SH} }, { "_lxsh_random_tmpfile", { "[N]", "Get a random TMP filepath, with N random chars. Default 20", RANDOM_TMPFILE_SH, {"_lxsh_random_string"} } } };