GitHub Repository: rapid7/metasploit-framework
Path: blob/master/test/tests/test_encoders.rb
#
# Simple script to test a group of encoders against every exploit in the framework,
# specifically against each exploit's badchars, to see if a payload can be encoded. We ignore
# the target arch/platform of the exploit as we just want to pull out real-world bad chars.
#
# Follow symlinks until the real script file is reached, so the framework's
# lib directory is located relative to the actual file rather than the link.
# NOTE(review): a symlink cycle would keep this loop spinning; File.realpath
# raises Errno::ELOOP in that situation and may be a safer fit - confirm
# before changing.
msfbase = __FILE__
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) while File.symlink?(msfbase)

# Prepend <script dir>/../../lib to the load path. This directory is searched
# before every other entry, so whatever it contains is the code that
# `require 'msfenv'` loads: run the script from a trusted working tree.
$LOAD_PATH.unshift(File.expand_path(File.join('..', '..', 'lib'), File.dirname(msfbase)))

require 'msfenv'

# Framework instance shared with the helper methods below through the $msf global.
$msf = Msf::Simple::Framework.create

# Exploit module set that encoder_v_payload iterates over.
EXPLOITS = $msf.exploits
# Writes one line of output to the current $stdout.
#
# $stdout is used rather than the STDOUT constant, so output follows any
# redirection of the global stream.
#
# @param message [String] text to print; puts appends a newline unless the text already ends with one
def print_line(message)
  $stdout.puts message
end
# Renders a bad-character string as printable \xNN escapes (upper-case hex),
# e.g. the two bytes 0x00 0x0A become the text \x00\x0A.
#
# @param badchars [String, nil] raw bytes that must not appear in an encoded payload
# @return [String] one \xNN escape per byte, or an empty string when badchars is nil/false
def format_badchars(badchars)
  return '' unless badchars

  badchars.each_byte.each_with_object('') do |byte, escaped|
    escaped << format("\\x%02X", byte)
  end
end
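# Tries to encode +payload+ with the named encoder once per exploit module,
# using the bad characters that exploit declares, and tallies the outcomes.
#
# Exploit modules are instantiated only to read payload_badchars; this method
# does not call anything else on them.
#
# @param encoder_name [String] encoder name passed to $msf.encoders.create
# @param payload [String] raw payload bytes to encode
# @param verbose [Boolean] when true, print one line per exploit and the cause of every failure
# @return [Array] two-element array: [number of successes, number of failures]
def encoder_v_payload(encoder_name, payload, verbose = false)
  passed = 0
  # Not named `fail`: a local with that name hides Kernel#fail inside this method.
  failed = 0

  EXPLOITS.each_module do |name, mod|
    exploit = mod.new
    badchars = exploit.payload_badchars # read once instead of on every use
    print_line("\n#{encoder_name} v #{name} (#{format_badchars(badchars)})") if verbose

    begin
      # A fresh encoder per exploit, as before, so nothing carries over between attempts.
      # The encoded bytes themselves are not needed; only success or failure is recorded.
      $msf.encoders.create(encoder_name).encode(payload, badchars, nil, nil)
      passed += 1
    rescue StandardError => e
      # Every error is still counted as a failure, but the class and message are
      # reported so a harness problem (for example a NoMethodError, which is what
      # a misspelled encoder name presumably produces - TODO confirm) can be told
      # apart from a genuine bad-character encoding failure.
      print_line(" FAILED! badchars=#{format_badchars(badchars)} (#{e.class}: #{e.message})\n") if verbose
      failed += 1
    end
  end

  [passed, failed]
end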
# Builds the raw bytes of the named payload using a fixed set of test options.
#
# The option values are constant fixtures (the addresses are in the private
# 192.168.0.0/16 range); they exist only so that the payload can be generated.
#
# @param name [String] payload name passed to $msf.payloads.create
# @return [Object] whatever the payload's generate method returns
def generate_payload(name)
  fixture_options = {
    # options for a reverse_tcp payload
    'LHOST' => '192.168.2.1',
    'RHOST' => '192.168.2.254',
    'RPORT' => '5432',
    'LPORT' => '4444',
    # options for an exec payload
    'CMD' => 'calc',
    # generic options
    'EXITFUNC' => 'thread'
  }

  instance = $msf.payloads.create(name)
  # Hash iteration follows insertion order, so options are applied in the order listed above.
  fixture_options.each { |option, value| instance.datastore[option] = value }
  instance.generate
end
# Generates the payload once, tests every encoder in +encoders+ against it,
# and collects the per-encoder success/failure counts in a results table.
#
# @param encoders [Array<String>] encoder names to test
# @param payload_name [String] payload to generate and encode
# @param verbose [Boolean] forwarded to encoder_v_payload
# @return [Rex::Text::Table] one row per encoder: name, successes, failures
def run(encoders, payload_name, verbose = false)
  raw_payload = generate_payload(payload_name)

  # The header carries the time at which the table was created.
  started_at = ::Time.new.strftime("%d-%b-%Y %H:%M:%S")
  results = Rex::Text::Table.new(
    'Header' => 'Encoder v Payload Test - ' + started_at,
    'Indent' => 4,
    'Columns' => [ 'Encoder Name', 'Success', 'Fail' ]
  )

  encoders.each do |encoder_name|
    passed, failed = encoder_v_payload(encoder_name, raw_payload, verbose)
    results << [ encoder_name, passed, failed ]
  end

  results
end
# Entry point: runs only when this file is executed directly, not when it is
# loaded by other code. It only generates and encodes bytes and prints the
# resulting table.
if $PROGRAM_NAME == __FILE__
  print_line("[+] Starting.\n")

  # x86 encoders under test.
  encoder_names = %w[
    x86/bloxor
    x86/shikata_ga_nai
    x86/jmp_call_additive
    x86/fnstenv_mov
    x86/countdown
    x86/call4_dword_xor
  ]

  # Set to true to print one line per encoder/exploit pair.
  verbose = false

  report = run(encoder_names, 'windows/shell/reverse_tcp', verbose)

  print_line("\n\n#{report}\n\n")
  print_line("[+] Finished.\n")
end