CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/countdown.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Encoder::Xor

7


8
  def initialize

9
    super(

10
      'Name'             => 'Single-byte XOR Countdown Encoder',

11
      'Description'      => %q{

12
        This encoder uses the length of the payload as a position-dependent

13
        encoder key to produce a small decoder stub.

14
      },

15
      'Author'           => 'vlad902',

16
      'Arch'             => ARCH_X86,

17
      'License'          => MSF_LICENSE,

18
      'Decoder'          =>

19
        {

20
          'BlockSize' => 1,

21
        })

22
  end

23


24
  #

25
  # Returns the decoder stub that is adjusted for the size of the buffer

26
  # being encoded.

27
  #

28
  def decoder_stub(state)

29


30
    # Sanity check that saved_registers doesn't overlap with modified_registers

31
    if (modified_registers & saved_registers).length > 0

32
      raise BadGenerateError

33
    end

34
    begin

35
      decoder =

36
        Rex::Arch::X86.set(

37
          Rex::Arch::X86::ECX,

38
          state.buf.length - 1,

39
          state.badchars) +

40
        "\xe8\xff\xff\xff" +  # call $+4

41
        "\xff\xc1" +          # inc ecx

42
        "\x5e" +              # pop esi

43
        "\x30\x4c\x0e\x07" +  # xor_loop: xor [esi + ecx + 0x07], cl

44
        "\xe2\xfa"            # loop xor_loop

45


46
      # Initialize the state context to 1

47
      state.context = 1

48
    rescue RuntimeError => e

49
      raise BadcharError if e.message == "No valid set instruction could be created!"

50
    end

51
    return decoder

52
  end

53


54
  #

55
  # Encodes a one byte block with the current index of the length of the

56
  # payload.

57
  #

58
  def encode_block(state, block)

59
    state.context += 1

60


61
    [ block.unpack('C')[0] ^ (state.context - 1) ].pack('C')

62
  end

63


64
  # Indicate that this module can preserve some registers

65
  def can_preserve_registers?

66
    true

67
  end

68


69
  # A list of registers always touched by this encoder

70
  def modified_registers

71
    [ Rex::Arch::X86::ECX, Rex::Arch::X86::ESI ]

72
  end

73


74
  # Convert the SaveRegisters to an array of x86 register constants

75
  def saved_registers

76
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])

77
  end

78
end

79


80