actually fix expand_path

2025-02-22 03:19:04 +01:00 · 2019-06-01 06:39:36 +08:00 · 2019-06-01 06:39:36 +08:00 · ebac0d33a9
commit ebac0d33a9
parent ae7d26c258
1 changed files with 34 additions and 11 deletions
--- a/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_fs_file_expand_path.java
+++ b/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_fs_file_expand_path.java
@ -1,6 +1,8 @@
 package com.metasploit.meterpreter.stdapi;

 import java.io.File;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 import com.metasploit.meterpreter.Meterpreter;
 import com.metasploit.meterpreter.TLVPacket;
@ -10,6 +12,37 @@ import com.metasploit.meterpreter.command.NotYetImplementedCommand;

 public class stdapi_fs_file_expand_path implements Command {

+    /**
+     * Pattern for capturing variables. Either $xyz, ${xyz} or ${a.b} but not $a.b, while ignoring "$$"
+      */
+    private static final Pattern VARIABLE = Pattern.compile("\\$([A-Za-z0-9_]+|\\{[A-Za-z0-9_.]+\\}|\\%[A-Za-z0-9_.]+\\%|\\$)");
+
+    private static String expandPath(String s) {
+        int idx=0;
+        while (true) {
+            Matcher m = VARIABLE.matcher(s);
+            if (!m.find(idx)) {
+                return s;
+            }
+
+            String key = m.group().substring(1);
+            String value;
+            if (key.charAt(0) == '$') {
+                value = "$";
+            } else {
+                if (key.charAt(0) == '{' || key.charAt(0) == '%')  key = key.substring(1,key.length()-1);
+                value = System.getenv(key);
+            }
+
+            if (value == null) {
+                value = "";
+            }
+
+            s = s.substring(0, m.start()) + value + s.substring(m.end());
+            idx = m.start() + value.length();
+        }
+    }
+
    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
        String path = request.getStringValue(TLVType.TLV_TYPE_FILE_PATH);
        if (path.equals("%COMSPEC%")) {
@ -19,17 +52,7 @@ public class stdapi_fs_file_expand_path implements Command {
            response.add(TLVType.TLV_TYPE_FILE_PATH, System.getenv("TEMP"));
            return ERROR_SUCCESS;
        } else {
-            if (path.startsWith("$") || path.startsWith("%")) {
-                path = path.substring(1);
-            }
-            if (path.endsWith("$") || path.endsWith("%")) {
-                path = path.substring(0, path.length() - 1);
-            }
-            String value = System.getenv(path);
-            if (value == null) {
-                return ERROR_FAILURE;
-            }
-            response.add(TLVType.TLV_TYPE_FILE_PATH, value);
+            response.add(TLVType.TLV_TYPE_FILE_PATH, expandPath(path));
            return ERROR_SUCCESS;
        }
    }