2013-01-10 17:39:40 +00:00
|
|
|
#
|
|
|
|
# Simple script to test a group of encoders against every exploit in the framework,
|
|
|
|
# specifically for the exploits badchars, to see if a payload can be encoded. We ignore
|
|
|
|
# the target arch/platform of the exploit as we just want to pull out real world bad chars.
|
|
|
|
#
|
|
|
|
|
|
|
|
msfbase = __FILE__
|
|
|
|
while File.symlink?(msfbase)
|
2013-09-30 18:47:53 +00:00
|
|
|
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
|
|
|
|
|
|
|
|
require 'msfenv'
|
|
|
|
require 'msf/base'
|
|
|
|
|
|
|
|
$msf = Msf::Simple::Framework.create
|
|
|
|
|
|
|
|
EXPLOITS = $msf.exploits
|
|
|
|
|
|
|
|
def print_line( message )
|
2013-09-30 18:47:53 +00:00
|
|
|
$stdout.puts( message )
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def format_badchars( badchars )
|
2013-09-30 18:47:53 +00:00
|
|
|
str = ''
|
|
|
|
if( badchars )
|
|
|
|
badchars.each_byte do | b |
|
|
|
|
str << "\\x%02X" % [ b ]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
str
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def encoder_v_payload( encoder_name, payload, verbose=false )
|
2013-09-30 18:47:53 +00:00
|
|
|
success = 0
|
|
|
|
fail = 0
|
|
|
|
EXPLOITS.each_module do | name, mod |
|
|
|
|
|
|
|
|
exploit = mod.new
|
|
|
|
print_line( "\n#{encoder_name} v #{name} (#{ format_badchars( exploit.payload_badchars ) })" ) if verbose
|
|
|
|
begin
|
|
|
|
encoder = $msf.encoders.create( encoder_name )
|
|
|
|
raw = encoder.encode( payload, exploit.payload_badchars, nil, nil )
|
|
|
|
success += 1
|
|
|
|
rescue
|
|
|
|
print_line( " FAILED! badchars=#{ format_badchars( exploit.payload_badchars ) }\n" ) if verbose
|
|
|
|
fail += 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return [ success, fail ]
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def generate_payload( name )
|
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
payload = $msf.payloads.create( name )
|
|
|
|
|
|
|
|
# set options for a reverse_tcp payload
|
|
|
|
payload.datastore['LHOST'] = '192.168.2.1'
|
|
|
|
payload.datastore['RHOST'] = '192.168.2.254'
|
|
|
|
payload.datastore['RPORT'] = '5432'
|
|
|
|
payload.datastore['LPORT'] = '4444'
|
|
|
|
# set options for an exec payload
|
|
|
|
payload.datastore['CMD'] = 'calc'
|
|
|
|
# set generic options
|
|
|
|
payload.datastore['EXITFUNC'] = 'thread'
|
|
|
|
|
|
|
|
return payload.generate
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run( encoders, payload_name, verbose=false )
|
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
payload = generate_payload( payload_name )
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
table = Rex::Ui::Text::Table.new(
|
|
|
|
'Header' => 'Encoder v Payload Test - ' + ::Time.new.strftime( "%d-%b-%Y %H:%M:%S" ),
|
|
|
|
'Indent' => 4,
|
|
|
|
'Columns' => [ 'Encoder Name', 'Success', 'Fail' ]
|
|
|
|
)
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
encoders.each do | encoder_name |
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
success, fail = encoder_v_payload( encoder_name, payload, verbose )
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
table << [ encoder_name, success, fail ]
|
|
|
|
|
|
|
|
end
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
return table
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if( $0 == __FILE__ )
|
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
print_line( "[+] Starting.\n" )
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
encoders = [
|
|
|
|
'x86/bloxor',
|
|
|
|
'x86/shikata_ga_nai',
|
|
|
|
'x86/jmp_call_additive',
|
|
|
|
'x86/fnstenv_mov',
|
|
|
|
'x86/countdown',
|
|
|
|
'x86/call4_dword_xor'
|
|
|
|
]
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
payload_name = 'windows/shell/reverse_tcp'
|
|
|
|
|
|
|
|
verbose = false
|
|
|
|
|
|
|
|
result_table = run( encoders, payload_name, verbose )
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
print_line( "\n\n#{result_table.to_s}\n\n" )
|
2013-01-10 17:39:40 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
print_line( "[+] Finished.\n" )
|
2013-01-10 17:39:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
|