Module: Msf::Post::Windows

Defined in:
lib/msf/core/post/windows.rb,
lib/msf/core/post/windows/lsa.rb,
lib/msf/core/post/windows/kiwi.rb,
lib/msf/core/post/windows/ldap.rb,
lib/msf/core/post/windows/wmic.rb,
lib/msf/core/post/windows/mssql.rb,
lib/msf/core/post/windows/extapi.rb,
lib/msf/core/post/windows/system.rb,
lib/msf/core/post/windows/net_api.rb,
lib/msf/core/post/windows/packrat.rb,
lib/msf/core/post/windows/process.rb,
lib/msf/core/post/windows/accounts.rb,
lib/msf/core/post/windows/eventlog.rb,
lib/msf/core/post/windows/registry.rb,
lib/msf/core/post/windows/services.rb,
lib/msf/core/post/windows/cli_parse.rb,
lib/msf/core/post/windows/file_info.rb,
lib/msf/core/post/windows/powershell.rb,
lib/msf/core/post/windows/file_system.rb,
lib/msf/core/post/windows/shadow_copy.rb,
lib/msf/core/post/windows/user_profiles.rb,
lib/msf/core/post/windows/task_scheduler.rb

Defined Under Namespace

Modules: Accounts, CliParse, Dotnet, Error, Eventlog, ExtAPI, FileInfo, FileSystem, Kiwi, LDAP, Lsa, MSSQL, NetAPI, Packrat, Powershell, Priv, Process, ReflectiveDLLInjection, Registry, Runas, Services, ShadowCopy, System, TaskScheduler, UserProfiles, Version, WMIC, WindowsServices

Class Method Summary

Class Method Details

.escape_cmd_literal(string, spaces:) ⇒ String

Escape a string literal value to be included as an argument to cmd.exe. The escaped value *should not* be placed within double quotes, as this will alter how it is evaluated (e.g. `echo "^"((^&test) Foo^""` is different than `echo ^"((^&test) Foo^"`).

Parameters:

  • string (String)

    The string to escape for use with cmd.exe.

  • spaces (Boolean)

    Whether or not to escape spaces. If the string is being passed to echo, set this to false otherwise if it's an argument, set it to true.

Returns:

  • (String)

    The escaped string.



# File 'lib/msf/core/post/windows.rb', line 12

def self.escape_cmd_literal(string, spaces:)
  string = string.dup
  %w[ ^ & < > | " ].each { |char| string.gsub!(char, "^#{char}") }
  string.gsub!(' ', '" "') if spaces
  string
end

.escape_powershell_literal(string) ⇒ String

Escape a string literal value to be included as an argument to powershell.exe. The escaped value *should be* placed within single quotes, which is a PowerShell verbatim string. See: learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules?view=powershell-7.4#single-quoted-strings

This will help in cases where one might need to use & as in PowerShell this is a reserved character whereas in cmd.exe this is used to indicate the start of an additional command to execute.

Example (without this escaping):

powershell -Command "cmd /c echo hello & echo world" <- This will result in errors, as & is a reserved character.

powershell -Command "cmd.exe /c 'echo hello & echo world'" <- This will succeed, as & is interpreted as part of a string by PowerShell.

In our case we use PowerShell quoting as described at learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules?view=powershell-7.3, which states that to use a single quote inside of a single-quoted string, use a second consecutive single quote. Therefore this is valid in PowerShell: 'don''t', which in turn becomes the string "don't" (sans double quotes) inside PowerShell.

Parameters:

  • string (String)

    The string to escape for use with powershell.exe.

Returns:

  • (String)

    The escaped string.



# File 'lib/msf/core/post/windows.rb', line 38

def self.escape_powershell_literal(string)
  string = string.dup
  string.gsub!("'", "''")
  string
end
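Added example, not part of this page or the Metasploit source: standalone copies of the two helpers above, plus two constructed wrapper functions (cmd_echo and powershell_write, names assumed) that show how an untrusted value is placed into a cmd.exe echo and into a PowerShell single-quoted string so that &, <, > and quotes stay literal.

```ruby
# Standalone re-statement of the two escaping helpers documented above,
# so this runs without Metasploit loaded. Sample inputs are constructed.
module CmdEscapeDemo
  module_function

  # Same logic as Msf::Post::Windows.escape_cmd_literal. ^ is escaped first so
  # the ^ prefixes inserted for the other characters are not doubled later.
  # Note: % is not in the set, so %VAR% references are still expanded by cmd.exe.
  def escape_cmd_literal(string, spaces:)
    string = string.dup
    %w[ ^ & < > | " ].each { |char| string.gsub!(char, "^#{char}") }
    string.gsub!(' ', '" "') if spaces
    string
  end

  # Same logic as Msf::Post::Windows.escape_powershell_literal: inside a
  # PowerShell single-quoted string only ' itself needs escaping, as ''.
  def escape_powershell_literal(string)
    string.dup.gsub("'", "''")
  end

  # Hypothetical wrapper: echo receives the value unquoted, so spaces: false.
  def cmd_echo(value)
    "cmd.exe /c echo #{escape_cmd_literal(value, spaces: false)}"
  end

  # Hypothetical wrapper: the value goes inside single quotes, so & and " are
  # ordinary characters to PowerShell's parser.
  def powershell_write(value)
    "Write-Output '#{escape_powershell_literal(value)}'"
  end
end

if $PROGRAM_NAME == __FILE__
  value = "hello & echo world \"x\" <y> don't" # constructed untrusted input
  puts CmdEscapeDemo.cmd_echo(value)
  puts CmdEscapeDemo.powershell_write(value)
  puts CmdEscapeDemo.escape_cmd_literal('a b', spaces: true)
end
```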