rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/nops/mipsbe/better.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# MixedNop
# ----------
#
# This class implements a mixed NOP generator for MIPS (big endian)
#
###
class MetasploitModule < Msf::Nop
  # Every 32-bit word this class emits is one of seven fixed MIPS instruction
  # templates (bne, or, sll, sra, srl, xori, ori). Only the register fields
  # vary, plus the 16-bit immediate in the bne case, and each word is packed
  # big-endian. The output therefore has no single repeating byte pattern;
  # recognising it means matching on the opcode/funct fields of each word.

  # Registers the module metadata (name, alias, author, licence, target
  # architecture) and one advanced boolean option.
  #
  # NOTE(review): 'RandomNops' is registered here, but no method in this
  # class reads it; generate_sled always chooses its instructions at random.
  def initialize
    super(
      'Name' => 'Better',
      'Alias' => 'mipsbe_better',
      'Description' => 'Better NOP generator',
      'Author' => 'jm',
      'License' => MSF_LICENSE,
      'Arch' => ARCH_MIPSBE
    )

    random_nops = OptBool.new('RandomNops', [ false, 'Generate a random NOP sled', true ])
    register_advanced_options([random_nops])
  end

  # Picks a general-purpose register number uniformly from 1..27.
  #
  # Register 0 and registers 28..31 are never returned (presumably to leave
  # $zero and the conventional $gp/$sp/$fp/$ra alone; the code does not say).
  #
  # @return [Integer] register number in 1..27
  def get_register
    rand(1..27)
  end

  # Encodes `bne r, r, offset` (opcode 0x05 in bits 31..26).
  #
  # The same register is placed in both the rs (bits 25..21) and rt
  # (bits 20..16) fields, so the comparison is always equal and the branch is
  # never taken; the 16-bit offset is random filler.
  #
  # @param _reg [Integer] ignored; the method draws its own register
  # @return [Integer] 32-bit instruction word
  def make_bne(_reg)
    same_reg = get_register
    branch_offset = rand(65536)

    0x14000000 | (same_reg << 21) | (same_reg << 16) | branch_offset
  end

  # Encodes `or reg, reg, $zero` (SPECIAL opcode, funct 0x25): rs and rd are
  # both `reg`, rt is left as 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_or(reg)
    0x00000025 | (reg << 21) | (reg << 11)
  end

  # Encodes `sll reg, reg, 0` (SPECIAL opcode, funct 0x00): rt and rd are
  # both `reg`, the shift amount field stays 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_sll(reg)
    0x00000000 | (reg << 16) | (reg << 11)
  end

  # Encodes `sra reg, reg, 0` (SPECIAL opcode, funct 0x03): rt and rd are
  # both `reg`, the shift amount field stays 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_sra(reg)
    0x00000003 | (reg << 16) | (reg << 11)
  end

  # Encodes `srl reg, reg, 0` (SPECIAL opcode, funct 0x02): rt and rd are
  # both `reg`, the shift amount field stays 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_srl(reg)
    0x00000002 | (reg << 16) | (reg << 11)
  end

  # Encodes `xori reg, reg, 0` (opcode 0x0e): rs and rt are both `reg`, the
  # immediate is left as 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_xori(reg)
    0x38000000 | (reg << 21) | (reg << 16)
  end

  # Encodes `ori reg, reg, 0` (opcode 0x0d): rs and rt are both `reg`, the
  # immediate is left as 0.
  #
  # @param reg [Integer] register number
  # @return [Integer] 32-bit instruction word
  def make_ori(reg)
    0x34000000 | (reg << 21) | (reg << 16)
  end

  # Builds the sled as `length / 4` randomly chosen instruction words, each
  # packed as a 32-bit big-endian value.
  #
  # The result is shorter than `length` when `length` is not a multiple of 4,
  # because the division truncates and no padding is appended.
  #
  # @param length [Integer] requested sled size in bytes
  # @param opts [Hash] not read by this method
  # @return [String] the packed instruction words
  def generate_sled(length, opts)
    builders = %i[make_bne make_or make_sll make_sra make_srl make_xori make_ori]

    (1..length / 4).each_with_object('') do |_, sled|
      # The builder is sampled before the register is drawn, so the order of
      # random-number calls matches a plain loop over the same two steps.
      builder = builders.sample
      sled << [send(builder, get_register)].pack('N*')
    end
  end
end