##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# x86 encoder module whose decoder stub locates the encoded data with the
# jmp/call idiom and decodes it 4 bytes at a time with an XOR key that is
# updated by adding each decoded dword to it (additive feedback).
#
# Notes for analysts and detection engineers, read from the stub below:
# * Apart from the 4-byte key at offset 2, every stub byte is constant, so the
#   bytes on either side of the key form a stable static signature.
#   NOTE(review): the commented-out Rank line suggests the polymorphic variant
#   is not active here -- confirm against the parent class.
# * The stub XORs the bytes that follow it in place and then returns into
#   them, so it only works from memory that is both writable and executable;
#   W^X / DEP enforcement on the hosting region stops it.
class MetasploitModule < Msf::Encoder::XorAdditiveFeedback

  # Uncomment when we get the poly stuff working again.
  #Rank = GreatRanking

  # Registers the encoder's metadata and its fixed 25-byte decoder stub with
  # the parent encoder class.
  def initialize
    # "XORK" sits at stub offset 2 and is 4 bytes long, matching the
    # 'KeyOffset' / 'KeySize' values below; presumably the framework
    # overwrites it with the real key -- confirm in the parent class.
    decoder_stub =
      "\xfc"                 + # cld
      "\xbbXORK"             + # mov ebx, key
      "\xeb\x0c"             + # jmp short 0x14
      "\x5e"                 + # pop esi
      "\x56"                 + # push esi
      "\x31\x1e"             + # xor [esi], ebx
      "\xad"                 + # lodsd
      "\x01\xc3"             + # add ebx, eax
      "\x85\xc0"             + # test eax, eax
      "\x75\xf7"             + # jnz 0xa
      "\xc3"                 + # ret
      "\xe8\xef\xff\xff\xff"   # call 0x8

    decoder_info = {
      'Stub'      => decoder_stub,
      'KeyOffset' => 2,
      'KeySize'   => 4,
      'BlockSize' => 4,
    }

    super(
      'Name'        => 'Jump/Call XOR Additive Feedback Encoder',
      'Description' => 'Jump/Call XOR Additive Feedback',
      'Author'      => 'skape',
      'Arch'        => ARCH_X86,
      'License'     => MSF_LICENSE,
      'Decoder'     => decoder_info)
  end

  #
  # Append the termination block.
  #
  # The block is the key itself, packed with the state's key pack format.
  # The stub stops looping when a decoded dword is zero (test eax, eax / jnz),
  # and a dword XORed with an identical key decodes to zero.
  # NOTE(review): this assumes state.key holds the running feedback key once
  # encoding has finished -- confirm in the parent class.
  #
  def encode_end(state)
    state.encoded = state.encoded + [state.key].pack(state.decoder_key_pack)
  end
end