Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::Xor
7

8
  def initialize
9
    super(
10
      'Name'             => 'Single-byte XOR Countdown Encoder',
11
      'Description'      => %q{
12
        This encoder uses the length of the payload as a position-dependent
13
        encoder key to produce a small decoder stub.
14
      },
15
      'Author'           => 'vlad902',
16
      'Arch'             => ARCH_X86,
17
      'License'          => MSF_LICENSE,
18
      'Decoder'          =>
19
        {
20
          'BlockSize' => 1,
21
        })
22
  end
23

24
  #
25
  # Returns the decoder stub that is adjusted for the size of the buffer
26
  # being encoded.
27
  #
28
  def decoder_stub(state)
29

30
    # Sanity check that saved_registers doesn't overlap with modified_registers
31
    if (modified_registers & saved_registers).length > 0
32
      raise BadGenerateError
33
    end
34
    begin
35
      decoder =
36
        Rex::Arch::X86.set(
37
          Rex::Arch::X86::ECX,
38
          state.buf.length - 1,
39
          state.badchars) +
40
        "\xe8\xff\xff\xff" +  # call $+4
41
        "\xff\xc1" +          # inc ecx
42
        "\x5e" +              # pop esi
43
        "\x30\x4c\x0e\x07" +  # xor_loop: xor [esi + ecx + 0x07], cl
44
        "\xe2\xfa"            # loop xor_loop
45

46
      # Initialize the state context to 1
47
      state.context = 1
48
    rescue RuntimeError => e
49
      raise BadcharError if e.message == "No valid set instruction could be created!"
50
    end
51
    return decoder
52
  end
53

54
  #
55
  # Encodes a one byte block with the current index of the length of the
56
  # payload.
57
  #
58
  def encode_block(state, block)
59
    state.context += 1
60

61
    [ block.unpack('C')[0] ^ (state.context - 1) ].pack('C')
62
  end
63

64
  # Indicate that this module can preserve some registers
65
  def can_preserve_registers?
66
    true
67
  end
68

69
  # A list of registers always touched by this encoder
70
  def modified_registers
71
    [ Rex::Arch::X86::ECX, Rex::Arch::X86::ESI ]
72
  end
73

74
  # Convert the SaveRegisters to an array of x86 register constants
75
  def saved_registers
76
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
77
  end
78
end
79

80