1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Encoder::XorAdditiveFeedback
7

8
  # Uncomment when we get the poly stuff working again.
9
  # Rank = GreatRanking
10

11
  def initialize
12
    super(
13
      'Name' => 'Jump/Call XOR Additive Feedback Encoder',
14
      'Description' => 'Jump/Call XOR Additive Feedback',
15
      'Author' => 'skape',
16
      'Arch' => ARCH_X86,
17
      'License' => MSF_LICENSE,
18
      'Decoder' => {
19
        'Stub' =>
20
          "\xfc" +                  # cld
21
            "\xbbXORK" +            # mov ebx, key
22
            "\xeb\x0c" +            # jmp short 0x14
23
            "\x5e" +                # pop esi
24
            "\x56" +                # push esi
25
            "\x31\x1e" +            # xor [esi], ebx
26
            "\xad" +                # lodsd
27
            "\x01\xc3" +            # add ebx, eax
28
            "\x85\xc0" +            # test eax, eax
29
            "\x75\xf7" +            # jnz 0xa
30
            "\xc3" +                # ret
31
            "\xe8\xef\xff\xff\xff", # call 0x8
32
        'KeyOffset' => 2,
33
        'KeySize' => 4,
34
        'BlockSize' => 4
35
      })
36
  end
37

38
  #
39
  # Append the termination block.
40
  #
41
  def encode_end(state)
42
    state.encoded += [ state.key ].pack(state.decoder_key_pack)
43
  end
44
end
45

46