Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
# This class implements a simple NOP generator for RISC-V 64-bit (Little Endian)
7
class MetasploitModule < Msf::Nop
8

9
  def initialize
10
    super(
11
      'Name' => 'Simple',
12
      'Alias' => 'riscv64le_simple',
13
      'Description' => 'Simple NOP generator',
14
      'License' => MSF_LICENSE,
15
      'Author' => ['bcoles'],
16
      'Arch' => ARCH_RISCV64LE)
17
    register_advanced_options([
18
      OptBool.new('RandomNops', [false, 'Generate a random NOP sled', true]),
19
    ])
20
  end
21

22
  def generate_sled(length, opts)
23
    badchars = opts['BadChars'] || ''
24
    random = opts['Random'] || datastore['RandomNops']
25

26
    nops = [
27
      # Safe NULL-free nops using temporary registers (t0 - t6)
28
      [0x400282b3].pack('V'),    # sub t0, t0, 0
29
      [0x40030333].pack('V'),    # sub t1, t1, 0
30
      [0x400383b3].pack('V'),    # sub t2, t2, 0
31
      [0x400e0e33].pack('V'),    # sub t3, t3, 0
32
      [0x400e8eb3].pack('V'),    # sub t4, t4, 0
33
      [0x400f0f33].pack('V'),    # sub t5, t5, 0
34
      [0x400f8fb3].pack('V'),    # sub t6, t6, 0
35

36
      # Safe NULL-free nops using zero register (x0)
37
      [0x01102013].pack('V'),    # slti x0, x0, 0x11
38
      [0x7ff02013].pack('V'),    # slti x0, x0, 0x7ff
39

40
      [0x01103013].pack('V'),    # sltiu x0, x0, 0x11
41
      [0x7ff03013].pack('V'),    # sltiu x0, x0, 0x7ff
42

43
      [0x01105013].pack('V'),    # srli x0, x0, 0x11
44
      [0x03f05013].pack('V'),    # srli x0, x0, 0x3f
45

46
      [0x01101013].pack('V'),    # slli x0, x0, 0x11
47
      [0x03f01013].pack('V'),    # slli x0, x0, 0x3f
48

49
      [0x41105013].pack('V'),    # srai x0, x0, 0x11
50
      [0x43f05013].pack('V'),    # srai x0, x0, 0x3f
51

52
      [0x01106013].pack('V'),    # ori x0, x0, 0x11
53
      [0x7ff06013].pack('V'),    # ori x0, x0, 0x7ff
54

55
      [0x01104013].pack('V'),    # xori x0, x0, 0x11
56
      [0x7ff04013].pack('V'),    # xori x0, x0, 0x7ff
57

58
      [0x01107013].pack('V'),    # andi x0, x0, 0x11
59
      [0x7ff07013].pack('V'),    # andi x0, x0, 0x7ff
60

61
      [0x10101037].pack('V'),    # lui x0, 0x10101
62
      [0xfffff037].pack('V'),    # lui x0, 0xfffff
63

64
      # Safe NULL-free numeric nops using zero register (x0)
65
      # lui x0, 0x????3037
66
      "\x37\x30" + Rex::Text.rand_text_numeric(2, badchars),
67

68
      # Safe NULL-free alphanumeric nops using zero register (x0)
69
      # lui x0, 0x????[357]037
70
      "\x37\x30" + Rex::Text.rand_text_alphanumeric(2, badchars),
71
      "\x37\x50" + Rex::Text.rand_text_alphanumeric(2, badchars),
72
      "\x37\x70" + Rex::Text.rand_text_alphanumeric(2, badchars),
73

74
      # Safe NULL-free english nops using zero register (x0)
75
      # lui x0, 0x????[34567]037
76
      "\x37\x30" + Rex::Text.rand_text_english(2, badchars),
77
      "\x37\x40" + Rex::Text.rand_text_english(2, badchars),
78
      "\x37\x50" + Rex::Text.rand_text_english(2, badchars),
79
      "\x37\x60" + Rex::Text.rand_text_english(2, badchars),
80
      "\x37\x70" + Rex::Text.rand_text_english(2, badchars),
81
    ]
82

83
    # Remove nops containing BadChars
84
    nops.delete_if do |nop|
85
      nop.bytes.any? { |byte| badchars.force_encoding('BINARY').include?(byte.chr) }
86
    end
87

88
    # Give up if no safe nops are available
89
    return if nops.empty?
90

91
    # Use random instructions for all NOPs
92
    if random
93
      sled = ''
94
      (length / 4).times do
95
        sled << nops.sample
96
      end
97
      return sled
98
    end
99

100
    # Use a single instruction for all NOPs
101
    return (nops.sample * (length / 4))
102
  end
103
end
104

105