##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/encoder/alpha2/alpha_upper'
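class MetasploitModule < Msf::Encoder::Alphanum
  Rank = LowRanking

  def initialize
    super(
      'Name' => "Alpha2 Alphanumeric Uppercase Encoder",
      'Description' => %q{
        Encodes payloads as alphanumeric uppercase text. This encoder uses
        SkyLined's Alpha2 encoding suite.
        A pure alpha encoder is impossible without having a register that points at or near the shellcode.
        In a default configuration the first few bytes at the beginning are an fnstenv getpc stub (the same as used in shikata_ga_nai) and thus are not alphanumeric.
        You can set BufferRegister for full alpha (see Encoder options for details).
      },
      'Author' => [ 'pusscat', 'skylined' ],
      'Arch' => ARCH_X86,
      'License' => BSD_LICENSE,
      'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
      'Decoder' =>
        {
          'BlockSize' => 1,
        })
  end

  #
  # Returns the decoder stub that is adjusted for the size of the buffer
  # being encoded.
  #
  # The stub is driven by three datastore options:
  #   BufferRegister - register that already points at (or near) the encoded
  #                    payload. When unset, a GetPC stub is prepended so the
  #                    decoder can locate itself; per the module description
  #                    those leading bytes are not alphanumeric.
  #   BufferOffset   - byte offset from BufferRegister to the payload
  #                    (defaults to 0).
  #   AllowWin32SEH  - when set to t/y/1 and BufferRegister is unset, a fixed,
  #                    fully alphanumeric pre-built stub is used instead of the
  #                    FPU GetPC stub. It leaves the buffer pointer in ECX with
  #                    offset 0 and marks ESP, EDI, ESI and EAX as clobbered.
  #                    NOTE(review): the option name suggests this stub relies
  #                    on Win32 SEH; confirm against the Rex implementation.
  #
  # Raises EncodingError when no GetPC stub can be generated within the
  # badchar set, and BadGenerateError when the stub clobbers a register the
  # user asked to keep via SaveRegisters (see saved_registers).
  #
  def decoder_stub(state)
    modified_registers = []
    reg = datastore['BufferRegister']
    off = (datastore['BufferOffset'] || 0).to_i
    buf = ''

    if reg
      # Upcase a copy: the original mutated the datastore-owned string in
      # place, which would also raise if that value is ever frozen.
      reg = reg.upcase
    elsif datastore['AllowWin32SEH'].to_s =~ /\A(t|y|1)/i
      # Fixed pre-built GetPC stub (alphanumeric, unlike the FPU variant).
      # Anchored with \A rather than ^ so only the start of the value counts.
      buf = 'VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816'
      reg = 'ECX'
      off = 0
      modified_registers.concat(
        [
          Rex::Arch::X86::ESP,
          Rex::Arch::X86::EDI,
          Rex::Arch::X86::ESI,
          Rex::Arch::X86::EAX
        ]
      )
    else
      # We need to create a GetEIP stub for the exploit. geteip_fpu is handed
      # modified_registers so it can record what the stub clobbers (presumably
      # by appending to it; the overlap check below relies on that).
      res = Rex::Arch::X86.geteip_fpu(state.badchars, modified_registers)
      raise EncodingError, "Unable to generate geteip code" unless res

      buf, reg, off = res
    end

    stub = buf + Rex::Encoder::Alpha2::AlphaUpper.gen_decoder(reg, off, modified_registers)

    # Sanity check that saved_registers doesn't overlap with modified_registers:
    # silently trashing a register the user asked to preserve would break the
    # caller's assumptions about post-decoder state, so fail loudly instead.
    modified_registers.uniq!
    raise BadGenerateError unless (modified_registers & saved_registers).empty?

    stub
  end

  #
  # Encodes a one byte block with the current index of the length of the
  # payload.
  #
  # @param state [Object] encoder state; only its badchars are consulted
  # @param block [String] a single-byte block (BlockSize is 1)
  # @return [String] the alphanumeric encoding of that byte
  #
  def encode_block(state, block)
    Rex::Encoder::Alpha2::AlphaUpper.encode_byte(block.unpack('C').first, state.badchars)
  end

  #
  # Tack on our terminator: appends the Alpha2 terminator sequence to the
  # encoded buffer held in state.
  #
  def encode_end(state)
    state.encoded += Rex::Encoder::Alpha2::AlphaUpper.add_terminator
  end

  # Indicate that this module can preserve some registers (honoured via the
  # SaveRegisters option and enforced in decoder_stub).
  def can_preserve_registers?
    true
  end

  # Convert the SaveRegisters to an array of x86 register constants, so they
  # can be compared directly against the registers the decoder stub modifies.
  def saved_registers
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
  end
end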