Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/mipsbe/longxor.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasm'

7


8
class MetasploitModule < Msf::Encoder::Xor

9


10
  def initialize

11
    super(

12
      'Name' => 'XOR Encoder',

13
      'Description' => %q{

14
        Mips Web server exploit friendly xor encoder.

15
      },

16
      'Author' => [

17
        'Julien Tinnes <julien[at]cr0.org>',  # original shellcode

18
        'Pedro Ribeiro <[email protected]>',   # fix Linux >= 2.6.11 and toupper() compat

19
      ],

20
      'Arch' => ARCH_MIPSBE,

21
      'License' => MSF_LICENSE,

22
      'Decoder' => {

23
        'KeySize' => 4,

24
        'BlockSize' => 4,

25
        'KeyPack' => 'N'

26
      })

27
  end

28


29
  #

30
  # Returns the decoder stub that is adjusted for the size of the buffer

31
  # being encoded.

32
  #

33
  def decoder_stub(state)

34
    # add one xor operation for the key (see comment below)

35
    number_of_passes = state.buf.length / 4 + 1

36
    raise EncodingError, "The payload being encoded is too long (#{state.buf.length} bytes)" if number_of_passes > 10240

37
    raise EncodingError, "The payload is not padded to 4-bytes (#{state.buf.length} bytes)" if state.buf.length % 4 != 0

38


39
    # 16-bits not (again, see below)

40
    reg_10 = (number_of_passes + 1) ^ 0xFFFF

41
    reg_5 = state.buf.length ^ 0xFFFF

42
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<~EOS).encoded.data

43
      ;

44
      ; MIPS nul-free xor decoder

45
      ;

46
      ; (C) 2006 Julien TINNES

47
      ; <julien at cr0.org>

48
      ;

49
      ; The first four bytes in encoded shellcode must be the xor key

50
      ; This means that you have to put the xor key right after

51
      ; this xor decoder

52
      ; This key will be considered part of the encoded shellcode

53
      ; by this decoder and will be xored, thus becoming 4NULs, meaning nop

54
      ;

55
      ; This is Linux-only because I use the cacheflush system call

56
      ;

57
      ; You can use shellforge to assemble this, but be sure to discard all

58
      ; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)

59
      ;

60
      ; change 2 bytes in the first instruction's opcode with the number of passes

61
      ; the number of passes is the number of xor operations to apply, which should be

62
      ; 1 (for the key) + the number of 4-bytes words you have in your shellcode

63
      ; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)

64


65


66
      ;.text

67
      ;.align	2

68
      ;.globl	main

69
      ;.ent	main

70
      ;.type		 main,@function

71


72
      main:

73


74
      li macro reg, imm

75
      ;	lui reg, ((imm) >> 16) & 0ffffh

76
      ;	ori reg, reg, (imm) & 0ffffh

77
        addiu reg, $0, imm		    ; sufficient if imm.abs <= 0x7fff

78
      endm

79


80
        li(	$10, #{reg_10})		    ; load number of passes ^ 0xffff

81
        nor	$10, $10, $0		      ; put number of passes in $10

82


83
        li(	$11,-89)		          ; addend to calculated PC is 73

84
      ;.set noreorder

85
      next:

86
        bltzal  $8, next

87
      ;.set reorder

88
        slti    $8, $0, 0x8282

89
        nor     $11, $11, $0	    ; addend in $9

90
        addu	$25, $31, $11		    ; $25 points to encoded shellcode +4

91
        addu	$16, $31, $11		    ; $16 too (used to set up the cacheflush() arg down below)

92


93
      ;	lui	$2, 0xDDDD     		    ; first part of the xor (old method)

94
        slti	$23, $0, 0x8282     ; store 0 in $23 (our counter)

95
      ;	ori	$17, $2, 0xDDDD 	    ; second part of the xor (old method)

96
        lw	$17, -4($25)		      ; load xor key in $17

97


98


99
        li(	$9, -5)

100
        nor	$9, $9, $0		        ; 4 in $9

101


102
        addi	$15, $9, -3		      ; 1 in $15

103
      loop:

104
        lw	$8, -4($25)

105


106
        addu	$23, $23, $15		    ; increment counter

107
        xor	$3, $8, $17

108
        sltu	$30, $23, $10		    ; enough loops?

109
        sw	$3, -4($25)

110
        addi	$6, $9, -1		      ; 3 in $6 (for cacheflush)

111
        bne	$0, $30, loop

112
        addu	$25, $25, $9		    ; next instruction to decode :)

113


114


115
        addiu	$4, $16, -4         ; cacheflush() addr parameter

116
        li(      $10,#{reg_5})    ; cacheflush() nbytes parameter

117
        nor   $5, $10, $0         ; same as above

118
      ;   li      $6,3            ; $6 is set above, 3rd arg for cacheflush()

119


120
      ;	.set    noreorder

121
        li(     $2, 4147)         ; cacheflush

122
      ;   .ascii "\\x01JT\\x0c"   ; nul-free syscall

123
        syscall 0x52950

124
      ;	.set    reorder

125


126


127
      ; write last decoder opcode and decoded shellcode

128
      ;	li      $4,1              ; stdout

129
      ;	addi	$5, $16, -8

130
      ;	li      $6,40             ; how much to write

131
      ;	.set    noreorder

132
      ;	li      $2, 4004          ; write

133
      ;	syscall

134
      ;	.set    reorder

135


136


137
        nop				                ; encoded shellcoded must be here (xor key right here ;)

138
      ; $t9 (aka $25) points here

139


140
    EOS

141
    # put the key at the end of the decoder

142
    state.decoder_key_offset = decoder.length - 4

143


144
    return decoder

145
  end

146
end

147


148