Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/alpha_upper.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'rex/encoder/alpha2/alpha_upper'

7


8
class MetasploitModule < Msf::Encoder::Alphanum

9
  Rank = LowRanking

10


11
  def initialize

12
    super(

13
      'Name' => 'Alpha2 Alphanumeric Uppercase Encoder',

14
      'Description' => %q{

15
        Encodes payloads as alphanumeric uppercase text.  This encoder uses

16
        SkyLined's Alpha2 encoding suite.

17
        A pure alpha encoder is impossible without having a register that points at or near the shellcode.

18
        In a default configuration the first few bytes at the beginning are an fnstenv getpc stub (the same as used in shikata_ga_nai) and thus are not alphanumeric.

19
        You can set BufferRegister for full alpha (see Encoder options for details).

20
      },

21
      'Author' => [ 'pusscat', 'skylined' ],

22
      'Arch' => ARCH_X86,

23
      'License' => BSD_LICENSE,

24
      'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

25
      'Decoder' => {

26
        'BlockSize' => 1

27
      })

28
  end

29


30
  #

31
  # Returns the decoder stub that is adjusted for the size of the buffer

32
  # being encoded.

33
  #

34
  def decoder_stub(state)

35
    modified_registers = []

36
    reg = datastore['BufferRegister']

37
    off = (datastore['BufferOffset'] || 0).to_i

38
    buf = ''

39


40
    # We need to create a GetEIP stub for the exploit

41
    if !reg

42
      if datastore['AllowWin32SEH'] && datastore['AllowWin32SEH'].to_s =~ (/^(t|y|1)/i)

43
        buf = 'VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816'

44
        reg = 'ECX'

45
        off = 0

46
        modified_registers.concat(

47
          [

48
            Rex::Arch::X86::ESP,

49
            Rex::Arch::X86::EDI,

50
            Rex::Arch::X86::ESI,

51
            Rex::Arch::X86::EAX

52
          ]

53
        )

54
      else

55
        res = Rex::Arch::X86.geteip_fpu(state.badchars, modified_registers)

56
        if !res

57
          raise EncodingError, 'Unable to generate geteip code'

58
        end

59


60
        buf, reg, off = res

61
      end

62
    else

63
      reg.upcase!

64
    end

65


66
    stub = buf + Rex::Encoder::Alpha2::AlphaUpper.gen_decoder(reg, off, modified_registers)

67


68
    # Sanity check that saved_registers doesn't overlap with modified_registers

69
    modified_registers.uniq!

70
    if !(modified_registers & saved_registers).empty?

71
      raise BadGenerateError

72
    end

73


74
    stub

75
  end

76


77
  #

78
  # Encodes a one byte block with the current index of the length of the

79
  # payload.

80
  #

81
  def encode_block(state, block)

82
    return Rex::Encoder::Alpha2::AlphaUpper.encode_byte(block.unpack('C')[0], state.badchars)

83
  end

84


85
  #

86
  # Tack on our terminator

87
  #

88
  def encode_end(state)

89
    state.encoded += Rex::Encoder::Alpha2::AlphaUpper.add_terminator

90
  end

91


92
  # Indicate that this module can preserve some registers

93
  def can_preserve_registers?

94
    true

95
  end

96


97
  # Convert the SaveRegisters to an array of x86 register constants

98
  def saved_registers

99
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])

100
  end

101
end

102


103