metasploit-framework/modules/encoders/mipsbe/longxor.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'
require 'metasm'


class Metasploit3 < Msf::Encoder::Xor

  def initialize
    super(
      'Name'             => 'XOR Encoder',
      'Description'      => %q{
        Mips Web server exploit friendly xor encoder
      },
      'Author'           => 'Julien Tinnes <julien[at]cr0.org>',
      'Arch'             => ARCH_MIPSBE,
      'License'          => MSF_LICENSE,
      'Decoder'          =>
        {
          'KeySize'   => 4,
          'BlockSize' => 4,
          'KeyPack'   => 'N',
        })
  end

  #
  # Returns the decoder stub that is adjusted for the size of the buffer
  # being encoded.
  #
  def decoder_stub(state)

    # add one xor operation for the key (see comment below)
    number_of_passes=state.buf.length/4+1
    raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
    raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0

    # 16-bits not (again, see below)
    reg_14 = (number_of_passes+1)^0xFFFF
    decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
;
; MIPS nul-free xor decoder
;
; (C) 2006 Julien TINNES
; <julien at cr0.org>
;
; The first four bytes in encoded shellcode must be the xor key
; This means that you have to put the xor key right after
; this xor decoder
; This key will be considered part of the encoded shellcode
; by this decoder and will be xored, thus becoming 4NULs, meaning nop
;
; This is Linux-only because I use the cacheflush system call
;
; You can use shellforge to assemble this, but be sure to discard all
; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)
;
; change 2 bytes in the first instruction's opcode with the number of passes
; the number of passes is the number of xor operations to apply, which should be
; 1 (for the key) + the number of 4-bytes words you have in your shellcode
; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)


;.text
;.align	2
;.globl	main
;.ent	main
;.type		 main,@function

main:

li macro reg, imm
;	lui reg, ((imm) >> 16) & 0ffffh
;	ori reg, reg, (imm) & 0ffffh
  addiu reg, $0, imm		; sufficient if imm.abs <= 0x7fff
endm

  li(	$14, #{reg_14})		; 4 passes
  nor	$14, $14, $0		; put number of passes in $14

  li(	$11,-73)		; addend to calculated PC is 73
;.set noreorder
next:
  bltzal  $8, next
;.set reorder
  slti    $8, $0, 0x8282
  nor     $11, $11, $0		; addend in $9
  addu	$25, $31, $11		; $25 points to encoded shellcode +4
;	addu	$16, $31, $11		; $16 too (enable if you want to pass correct parameters to cacheflush

;	lui	$2, 0xDDDD     		; first part of the xor (old method)
  slti	$23, $0, 0x8282 	; store 0 in $23 (our counter)
;	ori	$17, $2, 0xDDDD 	; second part of the xor (old method)
  lw	$17, -4($25)		; load xor key in $17


  li(	$13, -5)
  nor	$13, $13, $0		; 4 in $13

  addi	$15, $13, -3		; 1 in $15
loop:
  lw	$8, -4($25)

  addu	$23, $23, $15		; increment counter
  xor	$3, $8, $17
  sltu	$30, $23, $14		; enough loops?
  sw	$3, -4($25)
  addi	$6, $13, -1		; 3 in $6 (for cacheflush)
  bne	$0, $30, loop
  addu	$25, $25, $13		; next instruction to decode :)


;	addiu	$4, $16, -4	       	; not checked by Linux
;	li      $5,40                  	; not checked by Linux
;	li      $6,3                   	; $6 is set above

;	.set    noreorder
  li(     $2, 4147)               ; cacheflush
  ;.ascii "\\x01JT\\x0c"		; nul-free syscall
  syscall 0x52950
;	.set    reorder


          ; write last decoder opcode and decoded shellcode
;	li      $4,1            	; stdout
;	addi	$5, $16, -8
;	li      $6,40           	; how much to write
;	.set    noreorder
;	li      $2, 4004                ; write
;	syscall
;	.set    reorder


  nop				; encoded shellcoded must be here (xor key right here ;)
; $t9 (aka $25) points here

EOS
    # put the key at the end of the decoder
    state.decoder_key_offset = decoder.length - 4

    return decoder
  end

end
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`##`


			`require 'msf/core'`
			`require 'metasm'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Encoder::Xor`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize`
			`super(`
			`'Name' => 'XOR Encoder',`
			`'Description' => %q{`
			`Mips Web server exploit friendly xor encoder`
			`},`
Fix email format 2014-07-11 17:45:23 +00:00			`'Author' => 'Julien Tinnes <julien[at]cr0.org>',`
Retab modules 2013-08-30 21:28:54 +00:00			`'Arch' => ARCH_MIPSBE,`
			`'License' => MSF_LICENSE,`
			`'Decoder' =>`
			`{`
			`'KeySize' => 4,`
			`'BlockSize' => 4,`
			`'KeyPack' => 'N',`
			`})`
			`end`

			`#`
			`# Returns the decoder stub that is adjusted for the size of the buffer`
			`# being encoded.`
			`#`
			`def decoder_stub(state)`

			`# add one xor operation for the key (see comment below)`
			`number_of_passes=state.buf.length/4+1`
			`raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240`
			`raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0`

			`# 16-bits not (again, see below)`
			`reg_14 = (number_of_passes+1)^0xFFFF`
			`decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`;`
			`; MIPS nul-free xor decoder`
			`;`
			`; (C) 2006 Julien TINNES`
			`; <julien at cr0.org>`
			`;`
			`; The first four bytes in encoded shellcode must be the xor key`
			`; This means that you have to put the xor key right after`
			`; this xor decoder`
			`; This key will be considered part of the encoded shellcode`
			`; by this decoder and will be xored, thus becoming 4NULs, meaning nop`
			`;`
			`; This is Linux-only because I use the cacheflush system call`
			`;`
			`; You can use shellforge to assemble this, but be sure to discard all`
			`; the nul bytes at the end (everything after x01\\x4a\\x54\\x0c)`
			`;`
			`; change 2 bytes in the first instruction's opcode with the number of passes`
			`; the number of passes is the number of xor operations to apply, which should be`
			`; 1 (for the key) + the number of 4-bytes words you have in your shellcode`
			`; you must encode ~(number_of_passes + 1) (to ensure that you're nul-free)`


			`;.text`
			`;.align 2`
			`;.globl main`
			`;.ent main`
			`;.type main,@function`

			`main:`

			`li macro reg, imm`
			`; lui reg, ((imm) >> 16) & 0ffffh`
			`; ori reg, reg, (imm) & 0ffffh`
Retab modules 2013-08-30 21:28:54 +00:00			`addiu reg, $0, imm ; sufficient if imm.abs <= 0x7fff`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`endm`

Retab modules 2013-08-30 21:28:54 +00:00			`li( $14, #{reg_14}) ; 4 passes`
			`nor $14, $14, $0 ; put number of passes in $14`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`li( $11,-73) ; addend to calculated PC is 73`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`;.set noreorder`
			`next:`
Retab modules 2013-08-30 21:28:54 +00:00			`bltzal $8, next`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`;.set reorder`
Retab modules 2013-08-30 21:28:54 +00:00			`slti $8, $0, 0x8282`
			`nor $11, $11, $0 ; addend in $9`
			`addu $25, $31, $11 ; $25 points to encoded shellcode +4`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; addu $16, $31, $11 ; $16 too (enable if you want to pass correct parameters to cacheflush`

			`; lui $2, 0xDDDD ; first part of the xor (old method)`
Retab modules 2013-08-30 21:28:54 +00:00			`slti $23, $0, 0x8282 ; store 0 in $23 (our counter)`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; ori $17, $2, 0xDDDD ; second part of the xor (old method)`
Retab modules 2013-08-30 21:28:54 +00:00			`lw $17, -4($25) ; load xor key in $17`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00

Retab modules 2013-08-30 21:28:54 +00:00			`li( $13, -5)`
			`nor $13, $13, $0 ; 4 in $13`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`addi $15, $13, -3 ; 1 in $15`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`loop:`
Retab modules 2013-08-30 21:28:54 +00:00			`lw $8, -4($25)`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`addu $23, $23, $15 ; increment counter`
			`xor $3, $8, $17`
			`sltu $30, $23, $14 ; enough loops?`
			`sw $3, -4($25)`
			`addi $6, $13, -1 ; 3 in $6 (for cacheflush)`
			`bne $0, $30, loop`
			`addu $25, $25, $13 ; next instruction to decode :)`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00

			`; addiu $4, $16, -4 ; not checked by Linux`
			`; li $5,40 ; not checked by Linux`
			`; li $6,3 ; $6 is set above`

			`; .set noreorder`
Retab modules 2013-08-30 21:28:54 +00:00			`li( $2, 4147) ; cacheflush`
			`;.ascii "\\x01JT\\x0c" ; nul-free syscall`
			`syscall 0x52950`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; .set reorder`


Retab modules 2013-08-30 21:28:54 +00:00			`; write last decoder opcode and decoded shellcode`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; li $4,1 ; stdout`
			`; addi $5, $16, -8`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`; li $6,40 ; how much to write`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; .set noreorder`
			`; li $2, 4004 ; write`
			`; syscall`
			`; .set reorder`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`nop ; encoded shellcoded must be here (xor key right here ;)`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00			`; $t9 (aka $25) points here`

			`EOS`
Retab modules 2013-08-30 21:28:54 +00:00			`# put the key at the end of the decoder`
			`state.decoder_key_offset = decoder.length - 4`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`return decoder`
			`end`
Merge patch from Julien TINNES for MIPS support (LE/BE) git-svn-id: file:///home/svn/framework3/trunk@5658 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-15 18:50:34 +00:00
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`end`