Path: blob/master/modules/encoders/x86/add_sub.rb
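##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# x86 add/sub encoder.
#
# Every output byte is drawn from the set of characters that are not
# listed as bad characters. Each 4-byte block of the payload is rebuilt
# in EAX from three immediates (ADD or SUB, whichever opcode set the
# allowed characters permit, see add_or_sub) and then pushed. Because
# pushes grow the stack downwards, decoder_stub first reverses the
# payload dword by dword so that the pushes recreate it in order.
class MetasploitModule < Msf::Encoder
  Rank = ManualRanking

  def initialize
    super(
      'Name'        => 'Add/Sub Encoder',
      'Description' => %q{
        Encodes payload with add or sub instructions. This idea came
        from (offensive-security) muts' hp nnm 7.5.1 exploit.
      },
      'Author'      => 'Melih Sarica <ms[at]sevure.com>',
      'Arch'        => ARCH_X86,
      'License'     => MSF_LICENSE,
      'Decoder'     =>
        {
          'BlockSize' => 4
        })
  end

  # Picks which accumulate instruction the stub can be built from.
  #
  # Both variants need 0x50, 0x58, 0x25, 0x54 and 0x5C (the push/pop/and
  # bytes decoder_stub stores in @inst); they differ only in the opcode
  # byte used to accumulate the value, 0x05 (add) or 0x2D (sub).
  #
  # @param avchars [String] every byte value allowed in the output
  # @return [Integer] 1 for add, 2 for sub, 0 if neither set is usable
  def add_or_sub(avchars)
    common = [0x50, 0x58, 0x25, 0x54, 0x5C]
    [[1, 0x05], [2, 0x2D]].each do |set, opcode|
      return set if ([opcode] + common).all? { |op| avchars.include?(op.chr) }
    end
    0
  end

  # Appends one opcode byte and, when mcode is non-zero, its 32-bit
  # immediate in little-endian byte order to @data.
  #
  # Bytes are appended as one-byte strings (Integer#chr) rather than as
  # Integer codepoints, so the result does not depend on the encoding
  # of the @data string (String#<<(Integer) may widen values above 0x7F
  # to a multi-byte sequence on non-binary strings).
  #
  # @param inst  [Integer] the opcode byte
  # @param mcode [Integer] immediate operand; 0 means "no operand"
  def write_inst(inst, mcode)
    @data << inst.chr
    return if mcode == 0
    4.times do
      @data << (mcode & 0xFF).chr
      mcode >>= 8
    end
  end

  # Builds a random 32-bit value whose four bytes are all allowed.
  #
  # @return [Integer]
  def rand_with_av_chars
    value = 0
    4.times do
      value = (value << 8) + @avchars[rand(@avchars.size)].ord
    end
    value
  end

  # Reports whether any byte of a 32-bit value is NOT an allowed character.
  #
  # @param target [Integer] the dword to inspect
  # @return [Boolean] true if at least one byte is a bad character
  def check_non_av_chars(target)
    4.times do
      return true unless @avchars.include?((target & 0xFF).chr)
      target >>= 8
    end
    false
  end

  # Emits three accumulate instructions whose immediates combine to target.
  #
  # a and b are random allowed dwords; c is the remainder, wrapped to
  # 32 bits (for the sub set the sign is flipped so that subtracting all
  # three still yields +target). The loop retries until c is free of bad
  # characters; the number of retries is unbounded and grows as the set
  # of allowed bytes shrinks.
  #
  # @param target [Integer] dword value to accumulate into EAX
  def encode_inst(target)
    begin
      a = rand_with_av_chars
      b = rand_with_av_chars
      c = ((@set == 1 ? target : -target) - a - b) % (0xFFFFFFFF + 1)
    end while check_non_av_chars(c)
    [a, b, c].each { |imm| write_inst(@inst["opcode"], imm) }
  end

  # Emits the sequence for one dword: AND with the two complementary
  # masks z1/z2 (clears EAX, since z1 & z2 == 0), the accumulate triple
  # for target, then the push.
  #
  # @param target [Integer] dword to rebuild
  # @param z1     [Integer] first zeroing mask
  # @param z2     [Integer] second zeroing mask
  def encode_shellcode(target, z1, z2)
    write_inst(@inst["and"], z1)
    write_inst(@inst["and"], z2)
    encode_inst(target)
    write_inst(@inst["push"], 0)
  end

  # Builds the decoder prologue and prepares the per-block state.
  #
  # Side effects: reverses state.buf in 4-byte chunks (so the pushes
  # emitted by encode_block recreate it in order), fills @avchars with
  # every byte not in state.badchars, selects @set/@inst and picks the
  # two zeroing masks @z1/@z2 shared by every encoded block.
  #
  # @param state [Msf::EncoderState]
  # @return [String] the prologue bytes
  # @raise [EncodingError] if the essential opcode bytes are all bad
  #   characters, or if the shellcode length is not a multiple of 4
  def decoder_stub(state)
    # Validate before mutating state.buf so a failed encode leaves it intact.
    if state.buf.size % 4 != 0
      raise EncodingError, "Shellcode size must be divisible by 4, try nop padding."
    end

    chunks = state.buf.split(//)
    reversed = ""
    reversed << chunks.pop(4).join until chunks.empty?
    state.buf = reversed

    @data = ""
    @avchars = ""
    (0..255).each do |b|
      ch = b.chr.to_s
      @avchars << ch unless state.badchars.include?(ch)
    end

    offset = (datastore['BufferOffset'] || 0).to_i
    @set = add_or_sub(@avchars)
    raise EncodingError, "Bad character list includes essential characters." if @set == 0

    @inst = {
      "opcode"   => (@set == 1 ? 0x05 : 0x2d),
      "push"     => 0x50,
      "pop"      => 0x58,
      "and"      => 0x25,
      "push_esp" => 0x54,
      "pop_esp"  => 0x5c
    }

    # Prologue: push esp / pop eax, adjust EAX by BufferOffset with the
    # accumulate triple, push eax / pop esp -- i.e. ESP += BufferOffset.
    write_inst(@inst["push_esp"], 0)
    write_inst(@inst["pop"], 0)
    encode_inst(offset)
    write_inst(@inst["push"], 0)
    write_inst(@inst["pop_esp"], 0)

    # Two random allowed dwords with no bit in common: AND-ing EAX with
    # both clears it before each block is rebuilt.
    begin
      @z1 = rand_with_av_chars
      @z2 = rand_with_av_chars
    end while (@z1 & @z2) != 0

    @data
  end

  # Encodes one 4-byte block: reads it as a little-endian dword and
  # emits the clear/accumulate/push sequence for it.
  #
  # @param state [Msf::EncoderState] unused here; the masks come from @z1/@z2
  # @param block [String] the block to encode
  # @return [String, nil] the encoded bytes, or nil for a block shorter than 4
  def encode_block(state, block)
    @data = ""
    bytes = block.split(//)
    return if bytes.size < 4
    dword = 0
    # Bytes 3,2,1,0 folded in MSB-first give the little-endian value.
    bytes[0, 4].reverse.each { |ch| dword = (dword << 8) + ch[0].ord }
    encode_shellcode(dword, @z1, @z2)
    @data
  end
end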