Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/alpha_mixed.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'rex/encoder/alpha2/alpha_mixed'

7


8
class MetasploitModule < Msf::Encoder::Alphanum

9
  Rank = LowRanking

10


11
  def initialize

12
    super(

13
      'Name' => 'Alpha2 Alphanumeric Mixedcase Encoder',

14
      'Description' => %q{

15
        Encodes payloads as alphanumeric mixedcase text.  This encoder uses

16
        SkyLined's Alpha2 encoding suite.

17
        A pure alpha encoder is impossible without having a register that points at or near the shellcode.

18
        In a default configuration the first few bytes at the beginning are an fnstenv getpc stub (the same as used in shikata_ga_nai) and thus are not alphanumeric.

19
        You can set BufferRegister for full alpha (see Encoder options for details).

20
      },

21
      'Author' => [ 'pusscat', 'skylined' ],

22
      'Arch' => ARCH_X86,

23
      'License' => BSD_LICENSE,

24
      'EncoderType' => Msf::Encoder::Type::AlphanumMixed,

25
      'Decoder' => {

26
        'BlockSize' => 1

27
      })

28
  end

29


30
  #

31
  # Returns the decoder stub that is adjusted for the size of the buffer

32
  # being encoded.

33
  #

34
  def decoder_stub(state)

35
    modified_registers = []

36
    reg = datastore['BufferRegister']

37
    off = (datastore['BufferOffset'] || 0).to_i

38
    buf = ''

39


40
    # We need to create a GetEIP stub for the exploit

41
    if !reg

42
      if datastore['AllowWin32SEH'] && datastore['AllowWin32SEH'].to_s =~ (/^(t|y|1)/i)

43
        buf = 'VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089'

44
        reg = 'ECX'

45
        off = 0

46
        modified_registers.concat(

47
          [

48
            Rex::Arch::X86::ESP,

49
            Rex::Arch::X86::EDI,

50
            Rex::Arch::X86::ESI,

51
            Rex::Arch::X86::EBP,

52
            Rex::Arch::X86::EBX,

53
            Rex::Arch::X86::EDX,

54
            Rex::Arch::X86::ECX,

55
            Rex::Arch::X86::EAX

56
          ]

57
        )

58
      else

59
        res = Rex::Arch::X86.geteip_fpu(state.badchars, modified_registers)

60
        if !res

61
          raise EncodingError, 'Unable to generate geteip code'

62
        end

63


64
        buf, reg, off = res

65
      end

66
    else

67
      reg.upcase!

68
    end

69


70
    stub = buf + Rex::Encoder::Alpha2::AlphaMixed.gen_decoder(reg, off, modified_registers)

71


72
    # Sanity check that saved_registers doesn't overlap with modified_registers

73
    modified_registers.uniq!

74
    if !(modified_registers & saved_registers).empty?

75
      raise BadGenerateError

76
    end

77


78
    stub

79
  end

80


81
  #

82
  # Encodes a one byte block with the current index of the length of the

83
  # payload.

84
  #

85
  def encode_block(state, block)

86
    Rex::Encoder::Alpha2::AlphaMixed.encode_byte(block.unpack('C')[0], state.badchars)

87
  end

88


89
  #

90
  # Tack on our terminator

91
  #

92
  def encode_end(state)

93
    state.encoded += Rex::Encoder::Alpha2::AlphaMixed.add_terminator

94
  end

95


96
  # Indicate that this module can preserve some registers

97
  def can_preserve_registers?

98
    true

99
  end

100


101
  # Convert the SaveRegisters to an array of x86 register constants

102
  def saved_registers

103
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])

104
  end

105
end

106


107