2006-05-08 15:04:50 +00:00
|
|
|
#!/usr/bin/env ruby
|
2012-06-29 05:18:28 +00:00
|
|
|
# -*- coding: binary -*-
|
2006-05-08 15:04:50 +00:00
|
|
|
|
|
|
|
require 'rex/text'
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
module Encoder
|
|
|
|
|
|
|
|
class NonUpper
|
2013-03-08 00:16:57 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def NonUpper.gen_decoder()
|
|
|
|
decoder =
|
|
|
|
"\x66\xB9\xFF\xFF" +
|
|
|
|
"\xEB\x19" + # Jmp to table
|
|
|
|
"\x5E" + # pop esi
|
|
|
|
"\x8B\xFE" + # mov edi, esi - Get table addr
|
|
|
|
"\x83\xC7" + "A" + # add edi, tablelen - Get shellcode addr
|
|
|
|
"\x8B\xD7" + # mov edx, edi - Hold end of table ptr
|
|
|
|
"\x3B\xF2" + # cmp esi, edx
|
|
|
|
"\x7D\x0B" + # jle to end
|
|
|
|
"\xB0\x7B" + # mov eax, 0x7B - Set up eax with magic
|
|
|
|
"\xF2\xAE" + # repne scasb - Find magic!
|
|
|
|
"\xFF\xCF" + # dec edi - scasb purs us one ahead
|
|
|
|
"\xAC" + # lodsb
|
|
|
|
"\x28\x07" + # subb [edi], al
|
|
|
|
"\xEB\xF1" + # jmp BACK!
|
|
|
|
"\xEB" + "B" + # jmp [shellcode]
|
|
|
|
"\xE8\xE2\xFF\xFF\xFF"
|
|
|
|
end
|
2006-05-08 15:04:50 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def NonUpper.encode_byte(badchars, block, table, tablelen)
|
|
|
|
if (tablelen > 255) or (block == 0x40)
|
|
|
|
raise RuntimeError, "BadChar"
|
|
|
|
end
|
2013-03-08 00:16:57 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
if (block >= 0x41 and block <= 0x40) or (badchars =~ block)
|
|
|
|
# gen offset, return magic
|
|
|
|
offset = 0x40 - block;
|
|
|
|
table += offset.chr
|
|
|
|
tablelen = tablelen + 1
|
|
|
|
block = 0x40
|
|
|
|
end
|
2006-05-08 15:04:50 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
return [block.chr, table, tablelen]
|
|
|
|
end
|
2006-05-08 15:04:50 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
def NonUpper.encode(buf)
|
|
|
|
table = ""
|
|
|
|
tablelen = 0
|
|
|
|
nonascii = ""
|
|
|
|
encoded = gen_decoder()
|
|
|
|
buf.each_byte {
|
|
|
|
|block|
|
2006-05-08 15:04:50 +00:00
|
|
|
|
2013-08-30 21:28:33 +00:00
|
|
|
newchar, table, tablelen = encode_byte(block.unpack('C')[0], table, tablelen)
|
|
|
|
nonascii += newchar
|
|
|
|
}
|
|
|
|
encoded.gsub!(/A/, tablelen)
|
|
|
|
encoded.gsub!(/B/, tablelen+5)
|
|
|
|
encoded += table
|
|
|
|
encoded += nonascii
|
|
|
|
end
|
2006-05-08 15:04:50 +00:00
|
|
|
|
2009-09-28 05:23:23 +00:00
|
|
|
end end end
|