##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# SingleByte
# ----------
#
# This class implements a NOP generator for the SPARC platform
#
###
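class MetasploitModule < Msf::Nop

  # Instruction families the generator table draws from.
  InsSethi = 0
  InsArithmetic = 1
  InsBranch = 2

  # Generator table: [ family, family-specific parameters ].
  #
  # InsSethi takes no parameters.
  # InsArithmetic parameters are [ form, op3 ]: op3 is the 6-bit opcode field
  # placed at bit 19, form selects the operand encoding in #ins_arithmetic
  # (0 = immediate or two registers, 1 = immediate only, 2 = two registers
  # only, 3 = wry fixup, 4 = no source operand).
  # InsBranch takes the 4-bit condition code placed at bit 25.
  SPARC_Table = [
    [InsSethi, []], # sethi
    [InsArithmetic, [0, 0]], # add
    [InsArithmetic, [0, 1]], # and
    [InsArithmetic, [0, 2]], # or
    [InsArithmetic, [0, 3]], # xor
    [InsArithmetic, [0, 4]], # sub
    [InsArithmetic, [0, 5]], # andn
    [InsArithmetic, [0, 6]], # orn
    [InsArithmetic, [0, 7]], # xnor
    [InsArithmetic, [0, 8]], # addx
    [InsArithmetic, [0, 12]], # subx
    [InsArithmetic, [0, 16]], # addcc
    [InsArithmetic, [0, 17]], # andcc
    [InsArithmetic, [0, 18]], # orcc
    [InsArithmetic, [0, 19]], # xorcc
    [InsArithmetic, [0, 20]], # subcc
    [InsArithmetic, [0, 21]], # andncc
    [InsArithmetic, [0, 22]], # orncc
    [InsArithmetic, [0, 23]], # xnorcc
    [InsArithmetic, [0, 24]], # addxcc
    [InsArithmetic, [0, 28]], # subxcc
    [InsArithmetic, [0, 32]], # taddcc
    [InsArithmetic, [0, 33]], # tsubcc
    [InsArithmetic, [0, 36]], # mulscc
    [InsArithmetic, [2, 37]], # sll
    [InsArithmetic, [2, 38]], # srl
    [InsArithmetic, [2, 39]], # sra
    [InsArithmetic, [4, 40]], # rdy
    [InsArithmetic, [3, 48]], # wry
    [InsBranch, [0]], # bn[,a]
    [InsBranch, [1]], # be[,a]
    [InsBranch, [2]], # ble[,a]
    [InsBranch, [3]], # bl[,a]
    [InsBranch, [4]], # bleu[,a]
    [InsBranch, [5]], # bcs[,a]
    [InsBranch, [6]], # bneg[,a]
    [InsBranch, [7]], # bvs[,a]
    [InsBranch, [8]], # ba[,a]
    [InsBranch, [9]], # bne[,a]
    [InsBranch, [10]], # bg[,a]
    [InsBranch, [11]], # bge[,a]
    [InsBranch, [12]], # bgu[,a]
    [InsBranch, [13]], # bcc[,a]
    [InsBranch, [14]], # bpos[,a]
    [InsBranch, [15]] # bvc[,a]
  ].freeze

  def initialize
    super(
      'Name' => 'SPARC NOP Generator',
      'Alias' => 'sparc_simple',
      'Description' => 'SPARC NOP generator',
      'Author' => 'vlad902',
      'License' => MSF_LICENSE,
      'Arch' => ARCH_SPARC)

    register_advanced_options(
      [
        OptBool.new('RandomNops', [ false, 'Generate a random NOP sled', true ])
      ]
    )
  end

  # Nops are always random...
  #
  # Builds a sled of +length+ bytes from randomly chosen SPARC_Table entries,
  # discarding any instruction whose encoding contains a byte listed in
  # opts['BadChars'].
  #
  # @param length [Integer] requested sled length in bytes
  # @param opts [Hash] generator options; only 'BadChars' is read here
  # @return [String] the sled, as a binary (ASCII-8BIT) string
  # @raise [RuntimeError] on an unknown table entry, or when no instruction
  #   survives the BadChars filter
  def generate_sled(length, opts)
    # Compare raw byte values: the encodings are binary and BadChars may carry
    # bytes >= 0x80, where String#include? on Integer#chr can raise
    # Encoding::CompatibilityError depending on the BadChars encoding.
    badchars = (opts['BadChars'] || '').bytes
    buff = ''.b
    misses = 0

    while buff.length < length
      kind, ref = SPARC_Table.sample
      remaining = length - buff.length

      ins = case kind
            when InsSethi then ins_sethi(ref, remaining)
            when InsArithmetic then ins_arithmetic(ref, remaining)
            when InsBranch then ins_branch(ref, remaining)
            else
              print_status('Invalid opcode type')
              raise RuntimeError, 'Invalid opcode type'
            end

      unless ins.each_byte.any? { |b| badchars.include?(b) }
        buff << ins
        # Each accepted instruction buys the loop a large number of further
        # attempts before the fallback below kicks in.
        misses = -100
      end

      if misses > length + 1000
        # Repeating the first accepted instruction is better than nothing.
        return buff.slice(0, 4) * (length / 4) unless buff.empty?

        print_status('The SPARC nop generator could not create a usable sled')
        raise RuntimeError, 'The SPARC nop generator could not create a usable sled'
      end

      misses += 1
    end

    buff
  end

  # Random destination register, never %sp (14) or %fp (30).
  def get_dst_reg
    reg = rand(30)
    reg += 1 if reg >= 14 # skip %sp
    reg += 1 if reg >= 30 # skip %fp
    reg
  end

  # Any of the 32 integer registers may be used as a source.
  def get_src_reg
    rand(32)
  end

  # sethi: op = 0, op2 = 4, random destination, random 22-bit immediate.
  def ins_sethi(_ref, _len = 0)
    [(get_dst_reg << 25) | (4 << 22) | rand(1 << 22)].pack('N')
  end

  # Arithmetic/logical instruction (op = 2). ref is [ form, op3 ] as
  # described on SPARC_Table.
  def ins_arithmetic(ref, _len = 0)
    dst = get_dst_reg
    form, op3 = ref

    # WRY fixups: destination field fixed to 0, immediate form only.
    if form == 3
      dst = 0
      form = 1
    end

    # form 0: immediate or two registers, chosen at random.
    # form 1: immediate only.
    # rand(2) yields 0 or 1, and 0 is truthy in Ruby, so the result has to be
    # compared explicitly; using it directly as a boolean would never pick the
    # two-register form.
    if (form == 0 && rand(2) == 1) || form == 1
      # One src reg with a signed 13-bit immediate (non-0); bit 13 is the i flag.
      return [
        (2 << 30) |
        (dst << 25) |
        (op3 << 19) |
        (get_src_reg << 14) |
        (1 << 13) |
        (rand((1 << 13) - 1) + 1)
      ].pack('N')
    end

    # form 4 (rdy): no source operand. op3 could be a static value since this
    # only encodes one function, but it is done this way for consistency/clarity.
    return [(2 << 30) | (dst << 25) | (op3 << 19)].pack('N') if form == 4

    # form 2 (and anything else): two src regs.
    [
      (2 << 30) |
      (dst << 25) |
      (op3 << 19) |
      (get_src_reg << 14) |
      get_src_reg
    ].pack('N')
  end

  # Conditional branch (op = 0, op2 = 2) with a random displacement that
  # stays inside the remaining +len+ bytes of sled. ref is [ cond ].
  def ins_branch(ref, len)
    # We jump to 1 instruction before the payload so in cases where the delay slot is another branch instruction that is
    # not taken with the anull bit set the first bit of the payload is not anulled.
    len = (len / 4) - 1

    return '' if len == 0

    # Clamp to what the 22-bit displacement field can hold.
    len = 0x3fffff if len >= 0x400000

    annul = rand(2)
    cond = ref[0]
    # rand(0) returns a Float in [0, 1), so .floor is needed for len == 1.
    # NOTE(review): fewer than 4 remaining bytes gives a negative len here;
    # Kernel#rand then uses the absolute value and a 4-byte branch is still
    # emitted, so the sled can overshoot the requested length by up to 3
    # bytes — confirm the caller tolerates that.
    disp = rand(len - 1).floor

    [
      (annul << 29) |
      (cond << 25) |
      (2 << 22) |
      (disp + 1)
    ].pack('N')
  end
end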