2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core'
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
module Msf
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# EncoderState
|
|
|
|
# ------------
|
|
|
|
#
|
|
|
|
# This class is used to track the state of a single encoding operation
|
|
|
|
# from start to finish.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class EncoderState
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Initializes a new encoder state, optionally with a key.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def initialize(key = nil)
|
|
|
|
reset(key)
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Reset the encoder state by initializing the encoded buffer to an empty
|
|
|
|
# string.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def reset(key = nil)
|
|
|
|
init_key(key)
|
|
|
|
|
|
|
|
self.encoded = ''
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
# Set the initial encoding key
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def init_key(key)
|
|
|
|
self.key = key
|
|
|
|
self.orig_key = key
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
attr_accessor :key # :nodoc:
|
|
|
|
attr_accessor :orig_key # :nodoc:
|
|
|
|
attr_accessor :encoded # :nodoc:
|
|
|
|
attr_accessor :context # :nodoc:
|
|
|
|
attr_accessor :badchars # :nodoc:
|
|
|
|
attr_accessor :buf # :nodoc:
|
2005-07-10 20:49:13 +00:00
|
|
|
|
|
|
|
# Decoder settings
|
2005-10-19 03:20:20 +00:00
|
|
|
attr_accessor :decoder_key_offset, :decoder_key_size, :decoder_key_pack # :nodoc:
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# Encoder
|
|
|
|
# -------
|
|
|
|
#
|
|
|
|
# This class is the base class that all encoders inherit from.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Encoder < Module
|
|
|
|
|
|
|
|
def initialize(info)
|
|
|
|
super(info)
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
#
|
|
|
|
# Encoder information accessors that can be overriden
|
|
|
|
# by derived classes
|
|
|
|
#
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-07-14 20:05:41 +00:00
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns MODULE_ENCODER to indicate that this is an encoder module.
|
|
|
|
#
|
2005-07-14 20:05:41 +00:00
|
|
|
def self.type
|
|
|
|
return MODULE_ENCODER
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns MODULE_ENCODER to indicate that this is an encoder module.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def type
|
|
|
|
return MODULE_ENCODER
|
|
|
|
end
|
|
|
|
|
2005-07-10 20:49:13 +00:00
|
|
|
#
|
2005-10-19 03:20:20 +00:00
|
|
|
# Returns the decoder stub to use based on the supplied length.
|
2005-07-10 20:49:13 +00:00
|
|
|
#
|
|
|
|
def decoder_stub(state)
|
|
|
|
return module_info['Decoder']['Stub']
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the offset to the key associated with the decoder stub.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def decoder_key_offset
|
2005-07-10 20:49:13 +00:00
|
|
|
return module_info['Decoder']['KeyOffset']
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the size of the key, in bytes.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def decoder_key_size
|
2005-07-10 20:49:13 +00:00
|
|
|
return module_info['Decoder']['KeySize']
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the size of each logical encoding block, in bytes. This
|
|
|
|
# is typically the same as decoder_key_size.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def decoder_block_size
|
2005-07-10 20:49:13 +00:00
|
|
|
return module_info['Decoder']['BlockSize']
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the byte-packing character that should be used to encode
|
|
|
|
# the key.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def decoder_key_pack
|
2005-07-10 20:49:13 +00:00
|
|
|
return module_info['Decoder']['KeyPack'] || 'V'
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
#
|
|
|
|
# Encoding
|
|
|
|
#
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# This method generates an encoded version of the supplied buffer in buf
|
|
|
|
# using the bad characters as guides. On success, an encoded and
|
|
|
|
# functional version of the supplied buffer will be returned. Otherwise,
|
|
|
|
# an exception will be thrown if an error is encountered during the
|
|
|
|
# encoding process.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def encode(buf, badchars, state = nil)
|
2005-07-10 19:35:46 +00:00
|
|
|
# Initialize an empty set of bad characters
|
|
|
|
badchars = '' if (!badchars)
|
|
|
|
|
2005-05-21 17:57:00 +00:00
|
|
|
# Initialize the encoding state and key as necessary
|
|
|
|
if (state == nil)
|
|
|
|
state = EncoderState.new
|
|
|
|
end
|
|
|
|
|
|
|
|
# Prepend data to the buffer as necessary
|
|
|
|
buf = prepend_buf + buf
|
|
|
|
|
|
|
|
# If this encoder is key-based and we don't already have a key, find one
|
|
|
|
if ((decoder_key_size) and
|
|
|
|
(state.key == nil))
|
|
|
|
# Find a key that doesn't contain and wont generate any bad
|
|
|
|
# characters
|
|
|
|
state.init_key(find_key(buf, badchars))
|
|
|
|
|
|
|
|
if (state.key == nil)
|
2005-07-10 19:35:46 +00:00
|
|
|
raise NoKeyError, "A key could not be found for the #{self.name} encoder.", caller
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-07-13 21:09:07 +00:00
|
|
|
init_state(state)
|
2005-07-10 20:49:13 +00:00
|
|
|
|
|
|
|
# Save the buffer in the encoding state
|
|
|
|
state.badchars = badchars
|
|
|
|
state.buf = buf
|
|
|
|
|
2005-05-21 17:57:00 +00:00
|
|
|
# Call encode_begin to do any encoder specific pre-processing
|
|
|
|
encode_begin(state)
|
|
|
|
|
|
|
|
# Perform the actual encoding operation with the determined state
|
|
|
|
do_encode(buf, badchars, state)
|
|
|
|
|
|
|
|
# Call encoded_end to do any encoder specific post-processing
|
|
|
|
encode_end(state)
|
|
|
|
|
|
|
|
# Return the encoded buffer to the caller
|
|
|
|
return state.encoded
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Performs the actual encoding operation after the encoder state has been
|
|
|
|
# initialized and is ready to go.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def do_encode(buf, badchars, state)
|
|
|
|
# Copy the decoder stub since we may need to modify it
|
2005-07-10 20:49:13 +00:00
|
|
|
stub = decoder_stub(state).dup
|
2005-05-21 17:57:00 +00:00
|
|
|
|
|
|
|
if (state.key != nil)
|
|
|
|
# Substitute the decoder key in the copy of the decoder stub with the
|
|
|
|
# one that we found
|
2005-07-10 20:49:13 +00:00
|
|
|
stub[state.decoder_key_offset,state.decoder_key_size] = [ state.key.to_i ].pack(state.decoder_key_pack)
|
2005-05-21 17:57:00 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Walk the buffer encoding each block along the way
|
|
|
|
offset = 0
|
|
|
|
|
|
|
|
while (offset < buf.length)
|
|
|
|
block = buf[offset, decoder_block_size]
|
|
|
|
|
|
|
|
state.encoded += encode_block(state,
|
|
|
|
block + ("\x00" * (decoder_block_size - block.length)))
|
|
|
|
|
|
|
|
offset += decoder_block_size
|
|
|
|
end
|
|
|
|
|
|
|
|
# Prefix the decoder stub to the encoded buffer
|
|
|
|
state.encoded = stub + state.encoded
|
|
|
|
|
|
|
|
# Last but not least, do one last badchar pass to see if the stub +
|
|
|
|
# encoded payload leads to any bad char issues...
|
|
|
|
if ((badchar_idx = has_badchars?(state.encoded, badchars)) != nil)
|
2005-09-23 05:51:09 +00:00
|
|
|
raise BadcharError.new(state.encoded, badchar_idx, stub.length, state.encoded[badchar_idx]),
|
2005-05-21 17:57:00 +00:00
|
|
|
"The #{self.name} encoder failed to encode without bad characters.",
|
|
|
|
caller
|
|
|
|
end
|
|
|
|
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
#
|
|
|
|
# Buffer management
|
|
|
|
#
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns a string that should be prepended to the encoded version of the
|
|
|
|
# buffer before returning it to callers.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def prepend_buf
|
|
|
|
return ''
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
#
|
|
|
|
# Pre-processing, post-processing, and block encoding stubs
|
|
|
|
#
|
2005-10-19 03:20:20 +00:00
|
|
|
##
|
2005-05-21 17:57:00 +00:00
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Called when encoding is about to start immediately after the encoding
|
|
|
|
# state has been initialized.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def encode_begin(state)
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Called after encoding has completed.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def encode_end(state)
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Called once for each block being encoded based on the attributes of the
|
|
|
|
# decoder.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def encode_block(state, block)
|
|
|
|
return block
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Initializes the encoding state supplied as an argument to the attributes
|
|
|
|
# that have been defined for this decoder stub, such as key offset, size,
|
|
|
|
# and pack.
|
|
|
|
#
|
2005-07-13 21:09:07 +00:00
|
|
|
def init_state(state)
|
|
|
|
# Update the state with default decoder information
|
|
|
|
state.decoder_key_offset = decoder_key_offset
|
|
|
|
state.decoder_key_size = decoder_key_size
|
|
|
|
state.decoder_key_pack = decoder_key_pack
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# This method finds a compatible key for the supplied buffer based also on
|
|
|
|
# the supplied bad characters list. This is meant to make encoders more
|
|
|
|
# reliable and less prone to bad character failure by doing a fairly
|
|
|
|
# complete key search before giving up on an encoder.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def find_key(buf, badchars)
|
|
|
|
key_bytes = [ ]
|
|
|
|
cur_key = [ ]
|
|
|
|
bad_keys = find_bad_keys(buf, badchars)
|
|
|
|
found = false
|
|
|
|
|
|
|
|
# Keep chugging until we find something...right
|
|
|
|
while (!found)
|
|
|
|
# Scan each byte position
|
|
|
|
0.upto(decoder_key_size - 1) { |index|
|
|
|
|
cur_key[index] = rand(255)
|
|
|
|
|
|
|
|
# Scan all 255 bytes (wrapping around as necessary)
|
|
|
|
for cur_char in (cur_key[index] .. (cur_key[index] + 255))
|
|
|
|
cur_char = (cur_char % 255) + 1
|
|
|
|
|
|
|
|
# If this is a known bad character at this location in the
|
|
|
|
# key or it doesn't pass the bad character check...
|
|
|
|
if (((bad_keys != nil) and
|
|
|
|
(bad_keys[index][cur_char] == true)) or
|
|
|
|
(badchars.index(cur_char) != nil))
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
key_bytes[index] = cur_char
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
# Assume that we're going to rock this shit...
|
|
|
|
found = true
|
|
|
|
|
|
|
|
# Scan each byte and see what we've got going on to make sure
|
|
|
|
# no funny business is happening
|
|
|
|
key_bytes.each { |byte|
|
|
|
|
if (badchars.index(byte) != nil)
|
|
|
|
found = false
|
|
|
|
end
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
# Do we have all the key bytes accounted for?
|
|
|
|
if (key_bytes.length != decoder_key_size)
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
|
|
|
return key_bytes_to_integer(key_bytes)
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the list of bad keys associated with this encoder.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def find_bad_keys
|
|
|
|
return [ {}, {}, {}, {} ]
|
|
|
|
end
|
|
|
|
|
2005-10-19 03:20:20 +00:00
|
|
|
#
|
|
|
|
# Returns the index of any bad characters found in the supplied buffer.
|
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def has_badchars?(buf, badchars)
|
|
|
|
badchars.each_byte { |badchar|
|
|
|
|
idx = buf.index(badchar)
|
|
|
|
|
|
|
|
if (idx != nil)
|
|
|
|
return idx
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
# Convert individual key bytes into a single integer based on the
|
|
|
|
# decoder's key size and packing requirements
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def key_bytes_to_integer(key_bytes)
|
|
|
|
return key_bytes.pack('C' + decoder_key_size.to_s).unpack(decoder_key_pack)[0]
|
|
|
|
end
|
|
|
|
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
# Convert an integer into the individual key bytes based on the
|
|
|
|
# decoder's key size and packing requirements
|
2005-07-12 14:32:44 +00:00
|
|
|
#
|
2005-05-21 17:57:00 +00:00
|
|
|
def integer_to_key_bytes(integer)
|
|
|
|
return [ integer.to_i ].pack(decoder_key_pack).unpack('C' + decoder_key_size.to_s)
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2005-07-09 21:18:49 +00:00
|
|
|
require 'msf/core/encoder/xor'
|
|
|
|
require 'msf/core/encoder/xor_additive_feedback'
|