2005-12-29 04:42:44 +00:00
module Rex
module Poly
# This class encapsulates a LogicalBlock permutation. Block permutations can
# take the form of a static string or a procedure. This makes it possible to
# have simple blocks and more complicated ones that take into account other
# variables, such as dynamic registers. The to_s method will return the
# string version of the permutation, regardless of whether or not the
# underlying permutation is a string or a procedure.
class Permutation
# Initializes the permutation and its associated block.
def initialize(perm, block)
@perm = perm
@block = block
# Returns the length of the string returned by to_s.
def length
# Returns the string representation of the permutation. If the underlying
# permutation is a procedure, the procedure is called. Otherwise, the
# string representation of the permutation is returned.
def to_s
if (@perm.kind_of?(Proc))
2006-01-18 15:32:49 +00:00
attr_reader :perm
2005-12-29 04:42:44 +00:00
# This class represents a logical block which is defined as a concise portion
# of code that may have one or more functionally equivalent implementations.
# A logical block should serve a very specific purpose, and any permutations
# beyond the first should result in exactly the same functionality without any
# adverse side effects to other blocks.
# Like blocks of code, LogicalBlock's can depend on one another in terms of
# ordering and precedence. By marking blocks as dependent on another, a
# hierarchy begins to form. This is a block dependency graph.
# To add permutations to a LogicalBlock, they can either be passed in as a
# list of arguments to the constructor following the blocks name or can be
# added on the fly by calling the add_perm method. To get a random
# permutation, the rand_perm method can be called.
# To mark one block as depending on another, the depends_on method can be
# called with zero or more LogicalBlock instances as parameters.
class LogicalBlock
# Initializes the logical block's name along with zero or more specific
# blocks.
def initialize(name, *perms)
@name = name
# Resets the block back to its starting point.
def reset
2006-01-08 01:10:45 +00:00
@perms = []
@depends = []
@next_blocks = []
@clobbers = []
@offset = nil
@state = nil
@once = false
@references = 0
@used_references = 0
@generated = false
2006-01-07 23:38:55 +00:00
# Returns the block's name.
def name
2005-12-29 04:42:44 +00:00
2006-01-08 01:10:45 +00:00
# Flags whether or not the block should only be generated once. This can
# be used to mark a blog as being depended upon by multiple blocks, but
# making it such that it is only generated once.
def once=(tf)
@once = tf
# Returns true if this block is a 'once' block. That is, this block is
# dependend upon by multiple blocks but should only be generated once.
def once
# Increments the number of blocks that depend on this block.
def ref
@references += 1
# Increments the number of blocks that have completed their dependency
# pass on this block. This number should never become higher than the
# @references attribute.
def deref
@used_references += 1
# Returns true if there is only one block reference remaining.
def last_reference?
(@references - @used_references <= 0)
2005-12-29 04:42:44 +00:00
# Adds zero or more specific permutations that may be represented either as
# strings or as Proc's to be called at evaluation time.
def add_perm(*perms)
# Returns a random permutation that is encapsulated in a Permutation class
# instance.
def rand_perm
2006-01-18 15:32:49 +00:00
perm = nil
if (@state.badchars)
perm = rand_perm_badchars
perm = Permutation.new(@perms[rand(@perms.length)], self)
if (perm.nil?)
raise RuntimeError, "Failed to locate a valid permutation."
# Returns a random permutation that passes any necessary bad character
# checks.
def rand_perm_badchars
idx = rand(@perms.length)
off = 0
while (off < @perms.length)
p = @perms[(idx + off) % @perms.length]
if (p.kind_of?(Proc) or
@state.badchars.nil? or
Rex::Text.badchar_index(p, @state.badchars).nil?)
return Permutation.new(p, self)
off += 1
2005-12-29 04:42:44 +00:00
# Sets the blocks that this block instance depends on.
def depends_on(*depends)
@depends = depends.dup
2006-01-08 01:10:45 +00:00
# Increment dependent references
@depends.each { |b| b.ref }
2005-12-29 04:42:44 +00:00
2006-01-07 23:38:55 +00:00
# Defines the next blocks, but not in a dependency fashion but rather in a
# linking of separate block contexts.
def next_blocks(*blocks)
@next_blocks = blocks.dup
2005-12-29 04:42:44 +00:00
# Defines the list of zero or more LogicalRegister's that this block
# clobbers.
def clobbers(*registers)
@clobbers = registers
# Enumerates each register instance that is clobbered by this block.
def each_clobbers(&block)
# Generates the polymorphic buffer that results from this block and any of
# the blocks that it either directly or indirectly depends on. A list of
# register numbers to be saved can be passed in as an argument.
# This method is not thread safe. To call this method on a single block
# instance from within multiple threads, be sure to encapsulate the calls
# inside a locked context.
2006-01-18 15:32:49 +00:00
def generate(save_registers = nil, state = nil, badchars = nil)
2005-12-29 04:42:44 +00:00
# Create a localized state instance if one was not supplied.
state = Rex::Poly::State.new if (state == nil)
2006-01-18 15:32:49 +00:00
buf = nil
cnt = 0
# This is a lame way of doing this. We just try to generate at most 128
# times until we don't have badchars. The reason we have to do it this
# way is because of the fact that badchars can be introduced through
# block offsetting and register number selection which can't be readily
# predicted or detected during the generation phase. In the future we
# can make this better, but for now this will have to do.
buf = do_generate(save_registers, state, badchars)
if (buf and
(badchars.nil? or Rex::Text.badchar_index(buf, badchars).nil?))
end while ((cnt += 1) < 128)
# Returns the offset of a block. If the active state for this instance is
# operating in the first phase, then zero is always returned. Otherwise,
# the correct offset for the supplied block is returned.
def offset_of(lblock)
if (@state.first_phase)
if (lblock.kind_of?(SymbolicBlock::End))
# Returns the register number associated with the supplied LogicalRegister
# instance. If the active state for this instance is operating in the
# first phase, then zero is always returned. Otherwise, the correct
# register number is returned based on what is currently assigned to the
# supplied LogicalRegister instance, if anything.
def regnum_of(reg)
(@state.first_phase) ? 0 : reg.regnum
# This attributes contains the currently assigned offset of the permutation
# associated with this block into the polymorphic buffer that is being
# generated.
attr_accessor :offset
2005-12-29 04:42:44 +00:00
2006-01-18 15:32:49 +00:00
# Whether or not this block has currently been generated for a given
# iteration.
attr_accessor :generated
# Performs the actual polymorphic buffer generation. Called from generate
def do_generate(save_registers, state, badchars)
2005-12-29 04:42:44 +00:00
# Reset the state in case it was passed in.
2006-01-18 15:32:49 +00:00
# Set the bad character list
state.badchars = badchars if (badchars)
2005-12-29 04:42:44 +00:00
# Consume any registers that should be saved.
save_registers.each { |reg|
} if (save_registers)
# Build the linear list of blocks that will be processed. This
# list is built in a dynamic fashion based on block dependencies.
# The list that is returned is an Array of which each element is a two
# member array, the first element being the LogicalBlock instance that
# the permutation came from and the second being an instance of the
# Permutation class associated with the selected permutation.
block_list = generate_block_list(state)
# Transition into the second phase which enables offset_of and regnum_of
# calls to return real values.
state.first_phase = false
# Now that every block has been assigned an offset, generate the
# buffer block by block, assigning registers as necessary.
block_list.each { |b|
# Generate the next permutation and append it to the buffer.
state.buffer += b[1].to_s
# If an invalid register exception is raised, try to consume a random
# register from the register's associated architecture register
# number set.
rescue InvalidRegisterError => e
e.reg.regnum = state.consume_regnum_from_set(e.reg.class.regnum_set)
# Remove any of the registers that have been clobbered by this block
# from the list of consumed register numbers so that they can be used
# in the future.
b[0].each_clobbers { |reg|
reg.regnum = nil
rescue InvalidRegisterError
# Finally, return the buffer that has been created.
# Generates the linear of list of block permutation which is stored in the
# supplied state instance. This is done prior to assigning blocks offsets
def generate_block_list(state)
# Generate dependencies first in a random order
depend_idx = rand(@depends.length)
@depends.length.times { |x|
2006-01-08 01:10:45 +00:00
cidx = (depend_idx + x) % @depends.length
# Decrement the used reference count
# If this dependent block is a once block and the magic 8 ball turns
# up zero, skip it and let a later block pick it up. We only do this
# if we are not the last block to have a dependency on this block.
if ((@depends[cidx].once) and
(rand(2).to_i == 0) and
(@depends[cidx].last_reference? == false))
# Otherwise, if this is a once block that has already been generated,
# skip it.
elsif ((@depends[cidx].once) and
2005-12-29 04:42:44 +00:00
# Generate this block
2006-01-08 01:10:45 +00:00
2005-12-29 04:42:44 +00:00
# Assign the instance local state for the duration of this generation
@state = state
# Select a random permutation
perm = rand_perm
# Set our block offset to the current state offset
self.offset = state.curr_offset
2006-01-08 01:10:45 +00:00
# Flag ourselves as having been generated for this iteration.
self.generated = true
2005-12-29 04:42:44 +00:00
# Adjust the current offset based on the permutations length
state.curr_offset += perm.length
# Add it to the linear list of blocks
state.block_list << [ self, perm ]
2006-01-07 23:38:55 +00:00
# Generate all the blocks that follow this one.
@next_blocks.each { |b|
# Return the state's block list
2005-12-29 04:42:44 +00:00
# Symbolic blocks are used as special-case LogicalBlock's that have meaning
# a more general meaning. For instance, SymbolicBlock::End can be used to
# symbolize the end of a polymorphic buffer.
module SymbolicBlock
# The symbolic end of a polymorphic buffer.
class End < LogicalBlock
def initialize