2009-08-23 23:47:33 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2009-08-23 23:47:33 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Encoder::Xor
|
2009-08-23 23:47:33 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'XOR Encoder',
|
|
|
|
'Description' => 'An x64 XOR encoder. Uses an 8 byte key and takes advantage of x64 relative addressing.',
|
|
|
|
'Author' => [ 'sf' ],
|
|
|
|
'Arch' => ARCH_X86_64,
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Decoder' =>
|
|
|
|
{
|
|
|
|
'KeySize' => 8,
|
|
|
|
'KeyPack' => 'Q',
|
|
|
|
'BlockSize' => 8,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def decoder_stub( state )
|
|
|
|
|
|
|
|
# calculate the (negative) block count . We should check this against state.badchars.
|
|
|
|
block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( "V" )
|
|
|
|
|
|
|
|
decoder = "\x48\x31\xC9" + # xor rcx, rcx
|
|
|
|
"\x48\x81\xE9" + block_count + # sub ecx, block_count
|
|
|
|
"\x48\x8D\x05\xEF\xFF\xFF\xFF" + # lea rax, [rel 0x0]
|
|
|
|
"\x48\xBBXXXXXXXX" + # mov rbx, 0x????????????????
|
|
|
|
"\x48\x31\x58\x27" + # xor [rax+0x27], rbx
|
|
|
|
"\x48\x2D\xF8\xFF\xFF\xFF" + # sub rax, -8
|
|
|
|
"\xE2\xF4" # loop 0x1B
|
|
|
|
|
|
|
|
state.decoder_key_offset = decoder.index( 'XXXXXXXX' )
|
|
|
|
|
|
|
|
return decoder
|
|
|
|
end
|
2009-08-23 23:47:33 +00:00
|
|
|
|
2009-09-27 21:30:45 +00:00
|
|
|
end
|