From 742c52711a7fb1e2c3b5259835c870b5885094b1 Mon Sep 17 00:00:00 2001
From: corelanc0d3r
Date: Wed, 20 Nov 2013 22:36:17 +0100
Subject: [PATCH 1/4] added 2 new output types for msfencode: num and dword

---
 lib/msf/base/simple/buffer.rb | 12 +++++++--
 lib/rex/text.rb | 46 +++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb
index fe34bfbd08..95fba9d69f 100644
--- a/lib/msf/base/simple/buffer.rb
+++ b/lib/msf/base/simple/buffer.rb
@@ -16,11 +16,15 @@ module Buffer

 #
 # Serializes a buffer to a provided format. The formats supported are raw,
- # ruby, perl, bash, c, js_be, js_le, java and psh
+ # num, dword, ruby, python, perl, bash, c, js_be, js_le, java and psh
 #
 def self.transform(buf, fmt = "ruby")
 case fmt
 when 'raw'
+ when 'num'
+ buf = Rex::Text.to_num(buf)
+ when 'dword', 'dw'
+ buf = Rex::Text.to_dword(buf)
 when 'python', 'py'
 buf = Rex::Text.to_python(buf)
 when 'ruby', 'rb'
@@ -54,11 +58,13 @@ module Buffer

 #
 # Creates a comment using the supplied format. The formats supported are
- # raw, ruby, perl, bash, js_be, js_le, c, and java.
+ # raw, ruby, python, perl, bash, js_be, js_le, c, and java.
 #
 def self.comment(buf, fmt = "ruby")
 case fmt
 when 'raw'
+ when 'num', 'dword', 'dw'
+ buf = Rex::Text.to_num_comment(buf)
 when 'ruby', 'rb', 'python', 'py'
 buf = Rex::Text.to_ruby_comment(buf)
 when 'perl', 'pl'
@@ -85,6 +91,8 @@ module Buffer
 #
 def self.transform_formats
 ['raw',
+ 'num',
+ 'dword','dw',
 'ruby','rb',
 'perl','pl',
 'bash','sh',
diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index 144ef80a67..48936d5b32 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
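Review bot: `Rex::Text.to_num_comment`, called from the new `when 'num', 'dword', 'dw'` branch of `comment`, is not defined anywhere in this patch — the text.rb hunk adds only `to_num` and `to_dword` — so asking for a comment in either format would raise NoMethodError at runtime. Patch 2/4 of this series swaps the call for `to_js_comment`; squashing that one-liner into this commit would keep 1/4 self-consistent and bisectable. The first hunk's doc comment now advertises `num, dword` while the format list in `comment`'s doc comment still omits them; `# raw, num, dword, ruby, python, perl, bash, js_be, js_le, c, and java.` would keep the two in step. `self.transform` and `self.comment` both continue past their hunks.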
@@ -115,6 +115,52 @@ module Text
 return hexify(str, wrap, '"', '" +', "#{name} = \n", '"')
 end

+ #
+ # Creates a comma separated list of numbers
+ #
+ def self.to_num(str, wrap = DefaultWrap)
+ code = str.unpack('C*')
+ buff = ""
+ 0.upto(code.length-1) do |byte|
+ if(byte % 15 == 0) and (buff.length > 0)
+ buff << "\r\n"
+ end
+ buff << sprintf('0x%.2x, ', code[byte])
+ end
+ # strip , at the end
+ buff = buff.chomp(', ')
+ buff << "\r\n"
+ return buff
+ end
+
+ #
+ # Creates a comma separated list of dwords
+ #
+ def self.to_dword(str, wrap = DefaultWrap)
+ code = str
+ alignnr = str.length % 4
+ if (alignnr > 0)
+ code << "\x00" * (4 - alignnr)
+ end
+ codevalues = Array.new
+ code.split("").each_slice(4) do |chars4|
+ chars4 = chars4.join("")
+ dwordvalue = chars4.unpack('*V')
+ codevalues.push(dwordvalue[0])
+ end
+ buff = ""
+ 0.upto(codevalues.length-1) do |byte|
+ if(byte % 8 == 0) and (buff.length > 0)
+ buff << "\r\n"
+ end
+ buff << sprintf('0x%.8x, ', codevalues[byte])
+ end
+ # strip , at the end
+ buff = buff.chomp(', ')
+ buff << "\r\n"
+ return buff
+ end
+
 #
 # Creates a ruby-style comment
 #
From 0ea0dc168c5a81250fe091202af62b59c2eb8130 Mon Sep 17 00:00:00 2001
From: corelanc0d3r
Date: Wed, 20 Nov 2013 23:10:55 +0100
Subject: [PATCH 2/4] set _comment method to js for num and dword

---
 lib/msf/base/simple/buffer.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb
index 95fba9d69f..35b4682f71 100644
--- a/lib/msf/base/simple/buffer.rb
+++ b/lib/msf/base/simple/buffer.rb
@@ -64,7 +64,7 @@ module Buffer
 case fmt
 when 'raw'
 when 'num', 'dword', 'dw'
- buf = Rex::Text.to_num_comment(buf)
+ buf = Rex::Text.to_js_comment(buf)
 when 'ruby', 'rb', 'python', 'py'
 buf = Rex::Text.to_ruby_comment(buf)
 when 'perl', 'pl'
From 66edfe968d5b01a3bd8757b435a0b50ff74b0af9 Mon Sep 17 00:00:00 2001
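Review bot: `to_dword` pads the caller's buffer in place — `code = str` is an alias, not a copy, so `code << "\x00" * (4 - alignnr)` appends up to three NUL bytes to the very payload string that `transform` was handed, and anything that inspects that buffer afterwards sees a longer payload than was encoded. The word split also goes through `str.length` and `split("")`, which count characters rather than bytes if the string is not binary-encoded, and `unpack('*V')` is not a valid pack directive (it appears to work only because Ruby skips the stray `*`); `code.unpack('V*')` on a binary copy does the same job byte-wise in one call. Both new helpers accept `wrap` but never use it, and neither header comment says that the words are little-endian or that the tail is zero-padded — e.g. `# Creates a comma separated list of little-endian dwords; the buffer is zero-padded to a multiple of 4 bytes`. The fix below rewrites only the padding and unpacking part of `to_dword`.

```ruby
def self.to_dword(str, wrap = DefaultWrap)
  # Work on a binary copy: appending padding to str itself would grow the
  # caller's payload buffer as a side effect of formatting it.
  code = str.dup.force_encoding('ASCII-8BIT')
  pad = code.bytesize % 4
  code << ("\x00" * (4 - pad)) if pad > 0
  # 'V' = unsigned 32-bit little-endian; bytesize is now a multiple of 4.
  codevalues = code.unpack('V*')
  # … unchanged: 8-words-per-line formatting loop and trailing ', ' strip …
```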
From: corelanc0d3r
Date: Thu, 21 Nov 2013 00:57:08 +0100
Subject: [PATCH 3/4] Sorting output

---
 lib/msf/base/simple/buffer.rb | 2 +-
 lib/msf/util/exe.rb | 2 +-
 msfvenom | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb
index 35b4682f71..eae124d5aa 100644
--- a/lib/msf/base/simple/buffer.rb
+++ b/lib/msf/base/simple/buffer.rb
@@ -105,7 +105,7 @@ module Buffer
 'powershell','ps1',
 'vbscript',
 'vbapplication'
- ]
+ ].sort
 end

 end
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 3b0db149dd..091a40e2eb 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1731,7 +1731,7 @@ def self.to_vba(framework,code,opts={})
 [
 'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe',
 'vbs','loop-vbs','asp','aspx', 'aspx-exe','war','psh','psh-net', 'msi', 'msi-nouac'
- ]
+ ].sort
 end

 #
diff --git a/msfvenom b/msfvenom
index daa0d7d3ff..4d258fda18 100755
--- a/msfvenom
+++ b/msfvenom
@@ -147,9 +147,9 @@ class MsfVenom
 opt.on_tail('--help-formats', String, "List available formats") do
 init_framework(:module_types => [])
 msg = "Executable formats\n" +
- "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
+ "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.sort.join(", ") + "\n" +
 "Transform formats\n" +
- "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
+ "\t" + ::Msf::Simple::Buffer.transform_formats.sort.join(", ")

 raise UsageError, msg
 end
@@ -507,4 +507,4 @@ if __FILE__ == $0
 $stderr.puts e.message
 exit(-1)
 end
-end
\ No newline at end of file
+end
From 474a03475f49a612575bc1e0df7f5061e10f6c6c Mon Sep 17 00:00:00 2001
From: corelanc0d3r
Date: Mon, 2 Dec 2013 11:57:52 +0100
Subject: [PATCH 4/4] sorted out the sorts without .sort

---
 lib/msf/base/simple/buffer.rb | 39 +++++++++++++++++++++--------------
 lib/msf/util/exe.rb | 23 ++++++++++++++++++---
 msfvenom | 4 ++--
 3 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb
index eae124d5aa..a20ea9e0c0 100644
--- a/lib/msf/base/simple/buffer.rb
+++ b/lib/msf/base/simple/buffer.rb
@@ -90,22 +90,29 @@ module Buffer
 # Returns the list of supported formats
 #
 def self.transform_formats
- ['raw',
- 'num',
- 'dword','dw',
- 'ruby','rb',
- 'perl','pl',
- 'bash','sh',
- 'c',
- 'csharp',
- 'js_be',
- 'js_le',
- 'java',
- 'python','py',
- 'powershell','ps1',
- 'vbscript',
- 'vbapplication'
- ].sort
+ [
+ 'bash',
+ 'c',
+ 'csharp',
+ 'dw',
+ 'dword',
+ 'java',
+ 'js_be',
+ 'js_le',
+ 'num',
+ 'perl',
+ 'pl',
+ 'powershell',
+ 'ps1',
+ 'py',
+ 'python',
+ 'raw',
+ 'rb',
+ 'ruby',
+ 'sh',
+ 'vbapplication',
+ 'vbscript'
+ ]
 end

 end
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 091a40e2eb..776cedcb74 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1729,9 +1729,26 @@ def self.to_vba(framework,code,opts={})

 def self.to_executable_fmt_formats
 [
- 'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe',
- 'vbs','loop-vbs','asp','aspx', 'aspx-exe','war','psh','psh-net', 'msi', 'msi-nouac'
- ].sort
+ "asp",
+ "aspx",
+ "aspx-exe",
+ "dll",
+ "elf",
+ "exe",
+ "exe-only",
+ "exe-service",
+ "exe-small",
+ "loop-vbs",
+ "macho",
+ "msi",
+ "msi-nouac",
+ "psh",
+ "psh-net",
+ "vba",
+ "vba-exe",
+ "vbs",
+ "war"
+ ]
 end

 #
diff --git a/msfvenom b/msfvenom
index 4d258fda18..1fe9e13c18 100755
--- a/msfvenom
+++ b/msfvenom
@@ -147,9 +147,9 @@ class MsfVenom
 opt.on_tail('--help-formats', String, "List available formats") do
 init_framework(:module_types => [])
 msg = "Executable formats\n" +
- "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.sort.join(", ") + "\n" +
+ "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
 "Transform formats\n" +
- "\t" + ::Msf::Simple::Buffer.transform_formats.sort.join(", ")
+ "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")

 raise UsageError, msg
 end
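Review bot: The rewritten `to_executable_fmt_formats` literal switches every entry to double quotes (`"asp",` … `"war"`) while the lines it replaces and the `transform_formats` list hand-sorted in the same patch both use single quotes, so the two lists this commit brings into line no longer share a quoting style; `'asp',` throughout would match. With `.sort` dropped from both arrays and from `--help-formats`, the alphabetical order is now a maintenance contract rather than a computed property, and a format appended at the bottom later will print out of order; a one-line `# Keep alphabetically sorted: --help-formats prints this list as-is.` above each literal would tell the next contributor. `to_executable_fmt_formats` sits entirely inside the hunk.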