2005-10-31 18:50:58 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
module Encoders
|
|
|
|
|
module X86
|
|
|
|
|
|
|
|
|
|
class Countdown < Msf::Encoder::Xor
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
2005-10-31 18:56:55 +00:00
|
|
|
'Name' => 'Single-byte Xor Countdown Encoder',
|
2005-10-31 18:50:58 +00:00
|
|
|
'Version' => '$Revision$',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This encoder uses the length of the payload as a position-dependent
|
|
|
|
|
encoder key to produce a small decoder stub.
|
|
|
|
|
},
|
|
|
|
|
'Author' => 'vlad902',
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
'Decoder' =>
|
|
|
|
|
{
|
|
|
|
|
'BlockSize' => 1,
|
|
|
|
|
})
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Returns the decoder stub that is adjusted for the size of the buffer
|
|
|
|
|
# being encoded.
|
|
|
|
|
#
|
|
|
|
|
def decoder_stub(state)
|
|
|
|
|
decoder =
|
2005-10-31 18:54:39 +00:00
|
|
|
Rex::Arch::X86.set(state.buf.length - 1,
|
2005-10-31 18:50:58 +00:00
|
|
|
Rex::Arch::X86::ECX,
|
|
|
|
|
state.badchars) +
|
|
|
|
|
"\xe8\xff\xff\xff" +
|
|
|
|
|
"\xff\xc1" +
|
|
|
|
|
"\x5e" +
|
|
|
|
|
"\x30\x4c\x0e\x07" +
|
|
|
|
|
"\xe2\xfa"
|
|
|
|
|
|
|
|
|
|
# Initialize the state context to 1
|
|
|
|
|
state.context = 1
|
|
|
|
|
|
|
|
|
|
return decoder
|
|
|
|
|
end
|
|
|
|
|
|
2005-10-31 19:15:21 +00:00
|
|
|
#
|
|
|
|
|
# Encodes a one byte block with the current index of the length of the
|
|
|
|
|
# payload.
|
|
|
|
|
#
|
2005-10-31 18:50:58 +00:00
|
|
|
def encode_block(state, block)
|
|
|
|
|
state.context += 1
|
|
|
|
|
|
|
|
|
|
[ block.unpack('C')[0] ^ (state.context - 1) ].pack('C')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end end end
|
