Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/single_static_bit.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
#

7
# NOTE: this encoder currently has only be tested using bit 5 set to on.

8
#

9
# The decoder has been tested with all possible values, but the decoder stub

10
# is was not designed to bypass restrictions other than "bit 5 must be on"..

11
#

12
class MetasploitModule < Msf::Encoder

13


14
  # This encoder has a manual ranking because it should only be used in cases

15
  # where information has been explicitly supplied, specifically

16
  # BitNumber and BitValue.

17
  Rank = ManualRanking

18


19
  def initialize

20
    super(

21
      'Name' => 'Single Static Bit',

22
      'Description' => 'Static value for specific bit',

23
      'Author' => 'jduck',

24
      'Arch' => ARCH_X86,

25
      'License' => MSF_LICENSE,

26
      'EncoderType' => Msf::Encoder::Type::SingleStaticBit

27
      )

28


29
    # this shouldn't be present in the decoder stub.

30
    @key_marker = 0x1010

31
  end

32


33
  #

34
  # Returns the decoder stub that is adjusted for the size of

35
  # the buffer being encoded

36
  #

37
  def decoder_stub(state)

38
    bit_num = (datastore['BitNumber'] || 5).to_i

39
    datastore['BitValue'] || true

40


41
    # variables:

42
    # bit to ignore                                  (global - hardcoded)

43
    # buf len (can be deduced with a jmp/call/pop)   (global - ebx)

44
    # current source byte ptr                        (global - esi)

45
    # current dest byte ptr                          (global - edi) ?

46
    # current dest byte                              (global - ah)  ?

47
    # number of bits accumulated                     (global - ebp) ?

48
    # current source byte                            (outer  - al)

49
    # bit index (for this byte)                      (inner  - cl)  ?

50
    pre_init = ''

51
    pre_init << "\x31\xed"        # xor ebp, ebp               - no bits accumulated

52
    pre_init << "\x83\xe1\x01"    # and ecx, $0x1              - init inner loop counter (set to 0/1)

53
    pre_init << "\x83\xe3\x01"    # and ebx, $0x1              - init buffer length

54
    pre_init << "\x66\xbb" + [@key_marker].pack('v')         # - load encrypted buffer length

55
    pre_init << "\x66\x81\xf3" + [@key_marker].pack('v')     # - xor decrypt buffer length

56


57
    # we stored an entire byte, move to the next one

58
    next_byte = ''

59
    next_byte << "\x83\xef\xff"  # sub edi, 0xffffffff         - increment dst pointer

60
    next_byte << "\x31\xed"      # xor ebp, ebp                - no bits accumulated

61


62
    # inside the loop, we need to extract a bit, as

63
    # specified by:

64
    #

65
    # ecx-1  - bit number to extract

66
    # al     - byte to extract it from

67
    get_a_bit = ''

68
    get_a_bit << "\x60"          # pusha                       - save all registers

69
    get_a_bit << "\x83\xe9\x01"  # sub ecx, 1                  - account for 1-based counting

70
    get_a_bit << "\x74\x06"      # jz +6                       - skip dividing if bit zero

71
    get_a_bit << "\xb3\x02"      # mov bl, 2                   - set divisor to 2

72
    # divide_it:

73
    get_a_bit << "\xf6\xf3" # div bl                      - do the division

74
    get_a_bit << "\xe2" + [-1 * (2 + 2)].pack('C') # - divide again..

75
    # store_bit:

76
    get_a_bit << "\x83\xe0\x01"  # and eax, 0x01               - we only want the lowest bit

77
    get_a_bit << "\x6b\x2f\x02"  # imul ebp, 2, [edi]          - load [edi], shifted left by 1, to ebp

78
    get_a_bit << "\x09\xe8"      # or ebp, eax                 - set bit 0

79
    get_a_bit << "\xaa"          # stosb al, [edi]             - store byte back

80
    get_a_bit << "\x61"          # popa                        - restore previous ebx/eax

81
    get_a_bit << "\x83\xed\xff"  # sub ebp, 0xffffffff         - increment bits stored

82


83
    inner_init = ''

84
    inner_init << "\xb1\x08" # mov cl, $0x8               - init loop counter

85


86
    inner_loop = ''

87
    # process_bits:

88
    inner_loop << "\x80\xf9" # cmp cl, <ignore_bit + 1>   - is this the one to ignore?

89
    inner_loop << [(bit_num + 1)].pack('C')

90
    len = get_a_bit.length + 3 + 2 + next_byte.length

91
    inner_loop << "\x74" + [len].pack('C') # - je next_bit

92
    inner_loop << get_a_bit

93
    inner_loop << "\x83\xfd\x08" # cmp ebp, $0x8              - got 8 bits now?

94
    inner_loop << "\x75" + [next_byte.length].pack('C') # - jne to next_bit

95
    # next_dst_byte:

96
    inner_loop << next_byte

97
    # next_bit:

98
    # I really wish this silly padding wasn't necessary, however removing the bad characters in the

99
    # jump/call displacements has proven difficult otherwise.

100
    inner_loop << "\x90" * 0x1a # nops                       - for padding (so relative jumps don't have badchars)

101
    len = -1 * (inner_loop.length + 2)

102
    inner_loop << "\xe2" + [len].pack('C') # - loop process_bits

103


104
    # prefixed by:                # jmp data_beg_call

105
    outer_init = ''

106
    # get_data_beg:

107
    outer_init << "\x5e"          # pop esi                    - ptr to beginning of data

108
    outer_init << pre_init

109
    outer_init << "\x89\xf7"      # mov edi, esi               - decode in place, init dst ptr

110


111
    outer_loop = ''

112
    # outer_loop << "\x90" * (0xd+6)

113
    outer_loop << "\x83\xe0\x7f"  # and eax, 0x7f              - we only want the low byte

114
    outer_loop << "\xac"          # lods   al, [esi]           - load src byte

115
    outer_loop << inner_init << inner_loop

116
    outer_loop << "\x83\xeb\x01"  # sub ebx, 1                 - 1 byte down!

117
    outer_loop << "\x74\x07"      # jz +(2+5)                  - jump to data!

118
    len = -1 * (outer_loop.length + 2)

119
    # next_byte:

120
    outer_loop << "\xeb" + [len].pack('C') # - jmp process_byte

121
    # data_beg_call:

122


123
    decoder = outer_init + outer_loop

124
    jmp = "\xeb" + [decoder.length].pack('C')

125
    call = "\xe8" + [-1 * (decoder.length + 5)].pack('V')

126
    decoder = jmp + decoder + call

127


128
    # encoded sled

129
    state.context = ''

130


131
    return decoder

132
  end

133


134
  def encode_block(_state, block)

135
    bit_num = (datastore['BitNumber'] || 5).to_i

136
    bit_num = (7 - bit_num)

137
    bit_val = datastore['BitValue'] || true

138


139
    encoded = ''

140
    new_byte = 0

141
    nbits = 0

142


143
    block.unpack('C*').each do |ch|

144
      7.step(0, -1) do |x|

145
        # is this the special bit?

146
        if (nbits == bit_num)

147
          new_byte <<= 1 if nbits > 0

148
          new_byte |= 1 if bit_val

149
          nbits += 1

150


151
          # do we have a full byte?

152
          if nbits == 8

153
            encoded << new_byte.chr

154
            new_byte = 0

155
            nbits = 0

156
          end

157
        end

158


159
        # we have space, add it in

160
        new_byte <<= 1 if nbits > 0

161
        new_byte += 1 if (((ch >> x) & 1) > 0)

162
        nbits += 1

163


164
        # do we have a full byte?

165
        if nbits == 8

166
          encoded << new_byte.chr

167
          new_byte = 0

168
          nbits = 0

169
        end

170
      end

171
    end

172


173
    # if we have bits left, pad out to a whole byte

174
    if nbits > 0

175
      while nbits < 8

176
        new_byte <<= 1

177
        new_byte |= 1 if (nbits == bit_num) && bit_val

178
        nbits += 1

179
      end

180
      encoded << new_byte.chr

181
    end

182


183
    return encoded

184
  end

185


186
  #

187
  # Appends the encoded context portion.

188
  #

189
  def encode_end(state)

190
    state.encoded += state.context

191


192
    xor_key = 0

193
    xor_key_str = ''

194
    enc_len_str = ''

195
    loop do

196
      xor_key = rand(0x10000)

197
      xor_key_str = [xor_key].pack('v')

198
      enc_len_str = [state.encoded.length ^ xor_key].pack('v')

199
      next if has_badchars?(xor_key_str, state.badchars)

200
      next if has_badchars?(enc_len_str, state.badchars)

201


202
      break

203
    end

204


205
    marker_str = [@key_marker].pack('v')

206


207
    state.encoded.sub!(marker_str, enc_len_str)

208
    state.encoded.sub!(marker_str, xor_key_str)

209
  end

210
end

211


212