##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# SingleByte
# ----------
#
# This class implements a NOP generator for the SPARC platform
#
###
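class MetasploitModule < Msf::Nop

  # Nop types: the first element of each SPARC_Table row selects the encoder.
  InsSethi = 0
  InsArithmetic = 1
  InsBranch = 2

  # Generator table: [ type, encoder arguments ].
  # For InsArithmetic the arguments are [ form, op3 ] (see ins_arithmetic for
  # the meaning of form); for InsBranch the single argument is the cond field.
  SPARC_Table = [
    [ InsSethi, [ ], ], # sethi
    [ InsArithmetic, [ 0, 0 ], ], # add
    [ InsArithmetic, [ 0, 1 ], ], # and
    [ InsArithmetic, [ 0, 2 ], ], # or
    [ InsArithmetic, [ 0, 3 ], ], # xor
    [ InsArithmetic, [ 0, 4 ], ], # sub
    [ InsArithmetic, [ 0, 5 ], ], # andn
    [ InsArithmetic, [ 0, 6 ], ], # orn
    [ InsArithmetic, [ 0, 7 ], ], # xnor
    [ InsArithmetic, [ 0, 8 ], ], # addx
    [ InsArithmetic, [ 0, 12 ], ], # subx
    [ InsArithmetic, [ 0, 16 ], ], # addcc
    [ InsArithmetic, [ 0, 17 ], ], # andcc
    [ InsArithmetic, [ 0, 18 ], ], # orcc
    [ InsArithmetic, [ 0, 19 ], ], # xorcc
    [ InsArithmetic, [ 0, 20 ], ], # subcc
    [ InsArithmetic, [ 0, 21 ], ], # andncc
    [ InsArithmetic, [ 0, 22 ], ], # orncc
    [ InsArithmetic, [ 0, 23 ], ], # xnorcc
    [ InsArithmetic, [ 0, 24 ], ], # addxcc
    [ InsArithmetic, [ 0, 28 ], ], # subxcc
    [ InsArithmetic, [ 0, 32 ], ], # taddcc
    [ InsArithmetic, [ 0, 33 ], ], # tsubcc
    [ InsArithmetic, [ 0, 36 ], ], # mulscc
    [ InsArithmetic, [ 2, 37 ], ], # sll
    [ InsArithmetic, [ 2, 38 ], ], # srl
    [ InsArithmetic, [ 2, 39 ], ], # sra
    [ InsArithmetic, [ 4, 40 ], ], # rdy
    [ InsArithmetic, [ 3, 48 ], ], # wry
    [ InsBranch, [ 0 ] ], # bn[,a]
    [ InsBranch, [ 1 ] ], # be[,a]
    [ InsBranch, [ 2 ] ], # ble[,a]
    [ InsBranch, [ 3 ] ], # bl[,a]
    [ InsBranch, [ 4 ] ], # bleu[,a]
    [ InsBranch, [ 5 ] ], # bcs[,a]
    [ InsBranch, [ 6 ] ], # bneg[,a]
    [ InsBranch, [ 7 ] ], # bvs[,a]
    [ InsBranch, [ 8 ] ], # ba[,a]
    [ InsBranch, [ 9 ] ], # bne[,a]
    [ InsBranch, [ 10 ] ], # bg[,a]
    [ InsBranch, [ 11 ] ], # bge[,a]
    [ InsBranch, [ 12 ] ], # bgu[,a]
    [ InsBranch, [ 13 ] ], # bcc[,a]
    [ InsBranch, [ 14 ] ], # bpos[,a]
    [ InsBranch, [ 15 ] ], # bvc[,a]
  ].freeze

  def initialize
    super(
      'Name' => 'SPARC NOP Generator',
      'Alias' => 'sparc_simple',
      'Description' => 'SPARC NOP generator',
      'Author' => 'vlad902',
      'License' => MSF_LICENSE,
      'Arch' => ARCH_SPARC)

    register_advanced_options(
      [
        OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ])
      ])
  end

  # Nops are always random...
  #
  # Builds a sled of `length` bytes from randomly chosen SPARC_Table entries,
  # dropping any instruction whose encoding contains a byte listed in
  # opts['BadChars']. opts['Random'] and the 'RandomNops' option are accepted
  # but have no effect: every sled is random.
  #
  # @param length [Integer] requested sled size in bytes
  # @param opts [Hash] generator options; only 'BadChars' is consulted
  # @return [String] binary (ASCII-8BIT) sled. Every instruction is 4 bytes,
  #   so the result can exceed `length` by up to 3 bytes when `length` is not
  #   a multiple of 4.
  # @raise [RuntimeError] when no instruction survives the bad-character
  #   filter within a bounded number of attempts and nothing can be repeated
  def generate_sled(length, opts)
    # Compare raw bytes: String#include? against a single-byte String can raise
    # Encoding::CompatibilityError when BadChars is not a binary string.
    badchars = (opts['BadChars'] || '').bytes
    sled = ''.b

    # Attempts since the last accepted instruction. Starts at -100 so the very
    # first instruction gets the same head start the original code gave it.
    misses = -100

    while sled.length < length
      remaining = length - sled.length
      kind, ref = SPARC_Table[rand(SPARC_Table.length)]

      ins = case kind
            when InsSethi      then ins_sethi(ref, remaining)
            when InsArithmetic then ins_arithmetic(ref, remaining)
            when InsBranch     then ins_branch(ref, remaining)
            else
              print_status("Invalid opcode type")
              raise RuntimeError, 'Invalid opcode type'
            end

      # ins_branch returns '' when too little room is left. That is not
      # progress, so it must not reset the miss counter; otherwise a BadChars
      # set that rejects every sethi/arithmetic encoding would spin without
      # bound on the last word of the sled.
      if !ins.empty? && ins.bytes.none? { |b| badchars.include?(b) }
        sled << ins
        misses = -100
      end

      if misses > length + 1000
        # Bail out by repeating one already-accepted (hence bad-char free)
        # instruction. Only a non-branch word is safe to repeat: a branch
        # carries a displacement computed for its original position.
        word = repeatable_word(sled)
        return word * (length / 4) if word

        print_status("The SPARC nop generator could not create a usable sled")
        raise RuntimeError, 'The SPARC nop generator could not create a usable sled'
      end

      misses += 1
    end

    sled
  end

  # Picks a random destination register, skipping %sp (r14) and %fp (r30) so
  # the sled never clobbers the stack or frame pointer. %g0 (r0) can be chosen;
  # writes to it are discarded by the hardware.
  #
  # @return [Integer] register number in 0..31, never 14 or 30
  def get_dst_reg
    reg = rand(30)
    reg += 1 if reg >= 14 # skip %sp
    reg += 1 if reg >= 30 # skip %fp
    reg
  end

  # Picks a random source register; reading any of the 32 registers is harmless.
  #
  # @return [Integer] register number in 0..31
  def get_src_reg
    rand(32)
  end

  # Encodes `sethi imm22, rd` (op = 0, op2 = 4) with a random immediate and a
  # random destination register.
  #
  # @param ref [Array] unused; accepted for a uniform encoder signature
  # @param len [Integer] unused; accepted for a uniform encoder signature
  # @return [String] 4-byte big-endian instruction
  def ins_sethi(ref, len=0)
    [(get_dst_reg << 25) | (4 << 22) | rand(1 << 22)].pack('N')
  end

  # Encodes one format-3 (op = 2) arithmetic/logic instruction; `ref` is
  # [ form, op3 ]. The form selects the operand encoding:
  #
  #   0: immediate or two-register operands, chosen at random
  #   1: one source register plus a non-zero signed 13-bit immediate
  #   2: two source registers only (shifts)
  #   3: wry — rd forced to 0 (%y), immediate operand
  #   4: rdy — rs1, i and rs2 all zero
  #
  # @param ref [Array<Integer>] [ form, op3 ]
  # @param len [Integer] unused; accepted for a uniform encoder signature
  # @return [String] 4-byte big-endian instruction
  def ins_arithmetic(ref, len=0)
    form, op3 = ref
    dst = get_dst_reg

    # WRY fixups: rd = 0 selects %y, and the value is rs1 + simm13.
    if form == 3
      dst = 0
      form = 1
    end

    base = (2 << 30) | (dst << 25) | (op3 << 19)

    # rdy: op3 alone identifies the instruction; the source fields stay zero.
    return [base].pack('N') if form == 4

    # The original tested `rand(2)` for truthiness, which is always true in
    # Ruby (0 is truthy), so form 0 never produced the two-register variant.
    # Compare explicitly so it really is a coin flip.
    if form == 1 || (form == 0 && rand(2) == 1)
      imm = rand((1 << 13) - 1) + 1 # 1..0x1fff, never 0
      return [base | (get_src_reg << 14) | (1 << 13) | imm].pack('N')
    end

    [base | (get_src_reg << 14) | get_src_reg].pack('N')
  end

  # Encodes a conditional branch (op = 0, op2 = 2) with a random annul bit and
  # a random forward displacement that stays inside the remaining sled.
  #
  # @param ref [Array<Integer>] [ cond ]
  # @param len [Integer] bytes of sled still to be filled, counted from this
  #   instruction
  # @return [String] 4-byte big-endian instruction, or '' when fewer than two
  #   instruction slots remain (a branch needs somewhere to land)
  def ins_branch(ref, len)
    # We jump to 1 instruction before the payload so that, in cases where the
    # delay slot is another branch that is not taken with the annul bit set,
    # the first instruction of the payload is not annulled.
    slots = (len / 4) - 1
    return '' if slots <= 0

    # disp22 is a signed word displacement, so the largest forward target is
    # 0x1fffff words away; clamping at 0x3fffff (as before) let bit 21 be set
    # and turned the displacement negative.
    slots = 0x200000 if slots > 0x200000

    annul = rand(2)
    cond = ref[0]
    # 1..slots-1; when only one slot remains the displacement is always 1.
    disp = slots > 1 ? rand(slots - 1) + 1 : 1

    [(annul << 29) | (cond << 25) | (2 << 22) | disp].pack('N')
  end

  private

  # Returns the first 4-byte word of `sled` that is not a branch
  # (op = 0, op2 = 2), packed big-endian, or nil if every word is a branch.
  # sethi and arithmetic words are position independent and may be repeated
  # verbatim by the bail-out path in generate_sled.
  #
  # @param sled [String] binary sled built so far
  # @return [String, nil]
  def repeatable_word(sled)
    word = sled.unpack('N*').find do |w|
      !((w >> 30).zero? && ((w >> 22) & 7) == 2)
    end
    word && [word].pack('N')
  end
end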