CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/avoid_utf8_tolower.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
#

7
# NOTE: Read this if you plan on using this encoder:

8
#

9
# This encoder has some limitations that must be considered.  First, this

10
# encoder cannot be used with all of the payloads included in the framework.

11
# Most notably, this includes windows/shell_reverse_tcp.  The reason for this

12
# is that some payloads are of a size that leads to a bad character (uppercase

13
# character) being generated in the decoder stub header.

14
#

15
# A second thing to consider is that some IP addresses used in payloads are

16
# incompatible with this encoder depending on their alignment within the

17
# payload.  For example, the use of 127.0.0.1 may not work due to the fact

18
# that it's impossible to reach the bytes 127, 0, and 1 in a single add or sub

19
# due to the algorithm that this encoder uses.

20
#

21
# Here's a description of how it works:

22
#

23
# This encoder is pretty lame.  It has a huge size overhead.  Alas, it

24
# does produce tolower safe and UTF8 safe payloads.  The decoder itself is

25
# split into three distinct chunks.  The first chunk is the header, the second

26
# chunk is the inline-decoding, and the third chunk is where the decoded data

27
# is persisted.  Unlike most encoders, this encoder does not use any branch

28
# instructions and instead runs into the decoded data after it completes due

29
# to the fact that it is decoding inline.

30
#

31
# The basic approach taken to implement the encoder is this.  First, the

32
# decoder header assumes that a register (ecx) points to the first byte

33
# in the decoder stub.  It then proceeds to calculate the offset to the

34
# third chunk of the decoder (the persisted data) and updates the context

35
# register (ecx) to point to the first byte of the third chunk of the decoder

36
# stub.  Following that, the second chunk of the decoder begins executing

37
# which uses a series of add or subtract operations on the third chunk of the

38
# decoder to produce the actual opcodes of the encoded payload.  For each four

39
# bytes of encoded data, a sub or add instruction is used in combination with

40
# complementary information stored in the third chunk of the decoder.

41
#

42
# For example, in order to produce 0x01fdfeff one could do the following:

43
#

44
#   0x5e096f7c

45
# - 0x5c0b707d

46
# ------------

47
#   0x01fdfeff

48
#

49
# After all of the inline decoding operations complete, the payload should

50
# simply fall through into the now-decoded payload that was stored in the

51
# third chunk of the decoder.

52
#

53
# The following is an example encoding of:

54
#

55
# "\xcc\x41\xcc\x41\xcc\x41\xcc\x41\xff\xfe\xfd\x01\xff\x02\x82\x4c"

56
#

57
# 00000000  6A04              push byte +0x4

58
# 00000002  6B3C240B          imul edi,[esp],byte +0xb

59
# 00000006  60                pusha

60
# 00000007  030C24            add ecx,[esp]

61
# 0000000A  6A11              push byte +0x11

62
# 0000000C  030C24            add ecx,[esp]

63
# 0000000F  6A04              push byte +0x4

64
# 00000011  68640F5F31        push dword 0x315f0f64

65
# 00000016  5F                pop edi

66
# 00000017  0139              add [ecx],edi

67
# 00000019  030C24            add ecx,[esp]

68
# 0000001C  6870326B32        push dword 0x326b3270

69
# 00000021  5F                pop edi

70
# 00000022  0139              add [ecx],edi

71
# 00000024  030C24            add ecx,[esp]

72
# 00000027  687D700B5C        push dword 0x5c0b707d

73
# 0000002C  5F                pop edi

74
# 0000002D  2939              sub [ecx],edi

75
# 0000002F  030C24            add ecx,[esp]

76
# 00000032  6804317F32        push dword 0x327f3104

77
# 00000037  5F                pop edi

78
# 00000038  2939              sub [ecx],edi

79
# 0000003A  030C24            add ecx,[esp]

80
# 0000003D  68326D105C        push dword 0x5c106d32

81
# 00000042  0F610F            punpcklwd mm1,[edi]

82
# 00000045  7C6F              jl 0xb6

83
# 00000047  095E03            or [esi+0x3],ebx

84
# 0000004A  3401              xor al,0x1

85
# 0000004C  7F                db 0x7F

86
#

87
class MetasploitModule < Msf::Encoder

88


89
  # This encoder has a manual ranking because it should only be used in cases

90
  # where information has been explicitly supplied, like the BufferOffset.

91
  Rank = ManualRanking

92


93
  def initialize

94
    super(

95
      'Name'             => 'Avoid UTF8/tolower',

96
      'Description'      => 'UTF8 Safe, tolower Safe Encoder',

97
      'Author'           => 'skape',

98
      'Arch'             => ARCH_X86,

99
      'License'          => MSF_LICENSE,

100
      'EncoderType'      => Msf::Encoder::Type::NonUpperUtf8Safe,

101
      'Decoder'          =>

102
        {

103
          'KeySize'    => 4,

104
          'BlockSize'  => 4,

105
        })

106
  end

107


108
  #

109
  # Returns the decoder stub that is adjusted for the size of

110
  # the buffer being encoded

111
  #

112
  def decoder_stub(state)

113
    len = ((state.buf.length + 3) & (~0x3)) / 4

114


115
    # Grab the number of additional bytes that we need to adjust by in order

116
    # to get the context register to point immediately after the stub header

117
    off = (datastore['BufferOffset'] || 0).to_i

118


119
    # Check to make sure that the length is a valid size

120
    if is_badchar(state, len)

121
      raise EncodingError.new("The payload being encoded is of an incompatible size (#{len} bytes)")

122
    end

123


124
    decoder =

125
      "\x6a" + [len].pack('C')      +  # push len

126
      "\x6b\x3c\x24\x0b"            +  # imul 0xb

127
      "\x60"                        +  # pusha

128
      "\x03\x0c\x24"                +  # add ecx, [esp]

129
      "\x6a" + [0x11+off].pack('C') +  # push byte 0x11 + off

130
      "\x03\x0c\x24"                +  # add ecx, [esp]

131
      "\x6a\x04"                       # push byte 0x4

132


133
    # encoded sled

134
    state.context = ''

135


136
    return decoder

137
  end

138


139
  def encode_block(state, block)

140
    buf = try_add(state, block)

141


142
    if (buf.nil?)

143
      buf = try_sub(state, block)

144
    end

145


146
    if (buf.nil?)

147
      raise BadcharError.new(state.encoded, 0, 0, 0)

148
    end

149


150
    buf

151
  end

152


153
  #

154
  # Appends the encoded context portion.

155
  #

156
  def encode_end(state)

157
    state.encoded += state.context

158
  end

159


160
  #

161
  # Generate the instructions that will be used to produce a valid

162
  # block after decoding using the sub instruction in conjunction with

163
  # two UTF8/tolower safe values.

164
  #

165
  def try_sub(state, block)

166
    buf   = "\x68";

167
    vbuf  = ''

168
    ctx   = ''

169
    carry = 0

170


171
    block.each_byte { |b|

172
      # It's impossible to reach 0x7f, 0x80, 0x81 with two subs

173
      # of a value that is < 0x80 without NULLs.

174
      return nil if (b == 0x80 or b == 0x81 or b == 0x7f)

175


176
      x          = 0

177
      y          = 0

178
      attempts   = 0

179
      prev_carry = carry

180


181
      begin

182
        carry = prev_carry

183


184
        if (b > 0x80)

185
          diff  = 0x100 - b

186
          y     = rand(0x80 - diff - 1).to_i + 1

187
          x     = (0x100 - (b - y + carry))

188
          carry = 1

189
        else

190
          diff  = 0x7f - b

191
          x     = rand(diff - 1) + 1

192
          y     = (b + x + carry) & 0xff

193
          carry = 0

194
        end

195


196
        attempts += 1

197


198
        # Lame.

199
        return nil if (attempts > 512)

200


201
      end while (is_badchar(state, x) or is_badchar(state, y))

202


203
      vbuf += [x].pack('C')

204
      ctx  += [y].pack('C')

205
    }

206


207
    buf += vbuf + "\x5f\x29\x39\x03\x0c\x24"

208


209
    state.context += ctx

210


211
    return buf

212


213
  end

214


215
  #

216
  # Generate instructions that will be used to produce a valid block after

217
  # decoding using the add instruction in conjunction with two UTF8/tolower

218
  # safe values.

219
  #

220
  def try_add(state, block)

221
    buf  = "\x68"

222
    vbuf = ''

223
    ctx  = ''

224


225
    block.each_byte { |b|

226
      # It's impossible to produce 0xff and 0x01 using two non-NULL,

227
      # tolower safe, and UTF8 safe values.

228
      return nil if (b == 0xff or b == 0x01 or b == 0x00)

229


230
      attempts = 0

231


232
      begin

233
        xv = rand(b - 1) + 1

234


235
        attempts += 1

236


237
        # Lame.

238
        return nil if (attempts > 512)

239


240
      end while (is_badchar(state, xv) or is_badchar(state, b - xv))

241


242
      vbuf += [xv].pack('C')

243
      ctx  += [b - xv].pack('C')

244
    }

245


246
    buf += vbuf + "\x5f\x01\x39\x03\x0c\x24"

247


248
    state.context += ctx

249


250
    return buf

251
  end

252


253
  def is_badchar(state, val)

254
    ((val >= 0x41 and val <= 0x5a) or val >= 0x80) or Rex::Text.badchar_index([val].pack('C'), state.badchars)

255
  end

256
end

257


258