infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PPC and Sparc nop generators 

git-svn-id: file:///home/svn/incoming/trunk@3269 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-12-30 04:06:41 +00:00
parent 52858d1078
commit a96cfa6b78
2 changed files with 271 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
modules/nops/ppc/simple.rb Normal file
View File

@ -0,0 +1,64 @@
require 'msf/core'
module Msf
module Nops
module Ppc
###
#
# SingleByte
# ----------
#
# This class implements simple NOP generator for PowerPC
#
###
class Simple < Msf::Nop
def initialize
super(
'Name' => 'Simple',
'Alias' => 'ppc_simple',
'Version' => '$Revision$',
'Description' => 'Simple NOP generator',
'Author' => 'hdm',
'Arch' => ARCH_PPC)
register_advanced_options(
[
OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ])
], self.class)
end
def generate_sled(length, opts)
badchars = opts['BadChars'] || ''
random = opts['Random'] || datastore['RandomNops']
if( random and random.match(/^(t|y|1)/i) )
1.upto(1024) do |i|
regs_d = (rand(0x8000 - 0x0800) + 0x0800).to_i
regs_b = [regs_d].pack('n').unpack('B*')[0][1, 15]
flag_o = rand(2).to_i
flag_r = rand(2).to_i
pcword = ["011111#{regs_b}#{flag_o}100001010#{flag_r}"].pack("B*")
failed = false
pcword.each_byte do |c|
failed = true if badchars.include?(c.chr)
end
next if failed
return (pcword * (length / 4))[0, length]
end
end
return ("\x60" * length)[0, length]
end
end
end end end

207
modules/nops/sparc/vlad902.rb Normal file
View File

@ -0,0 +1,207 @@
require 'msf/core'
module Msf
module Nops
module Sparc
###
#
# SingleByte
# ----------
#
# This class implements NOP generator for the SPARC platform
#
###
class Vlad902 < Msf::Nop
# Nop types
InsSethi = 0
InsArithmetic = 1
InsBranch = 2
# Generator table
SPARC_Table = [
[ InsSethi, [ ], ], # sethi
[ InsArithmetic, [ 0, 0 ], ], # add
[ InsArithmetic, [ 0, 1 ], ], # and
[ InsArithmetic, [ 0, 2 ], ], # or
[ InsArithmetic, [ 0, 3 ], ], # xor
[ InsArithmetic, [ 0, 4 ], ], # sub
[ InsArithmetic, [ 0, 5 ], ], # andn
[ InsArithmetic, [ 0, 6 ], ], # orn
[ InsArithmetic, [ 0, 7 ], ], # xnor
[ InsArithmetic, [ 0, 8 ], ], # addx
[ InsArithmetic, [ 0, 12 ], ], # subx
[ InsArithmetic, [ 0, 16 ], ], # addcc
[ InsArithmetic, [ 0, 17 ], ], # andcc
[ InsArithmetic, [ 0, 18 ], ], # orcc
[ InsArithmetic, [ 0, 19 ], ], # xorcc
[ InsArithmetic, [ 0, 20 ], ], # subcc
[ InsArithmetic, [ 0, 21 ], ], # andncc
[ InsArithmetic, [ 0, 22 ], ], # orncc
[ InsArithmetic, [ 0, 23 ], ], # xnorcc
[ InsArithmetic, [ 0, 24 ], ], # addxcc
[ InsArithmetic, [ 0, 28 ], ], # subxcc
[ InsArithmetic, [ 0, 32 ], ], # taddcc
[ InsArithmetic, [ 0, 33 ], ], # tsubcc
[ InsArithmetic, [ 0, 36 ], ], # mulscc
[ InsArithmetic, [ 2, 37 ], ], # sll
[ InsArithmetic, [ 2, 38 ], ], # srl
[ InsArithmetic, [ 2, 39 ], ], # sra
[ InsArithmetic, [ 4, 40 ], ], # rdy
[ InsArithmetic, [ 3, 48 ], ], # wry
[ InsBranch, [ 0 ] ], # bn[,a]
[ InsBranch, [ 1 ] ], # be[,a]
[ InsBranch, [ 2 ] ], # ble[,a]
[ InsBranch, [ 3 ] ], # bl[,a]
[ InsBranch, [ 4 ] ], # bleu[,a]
[ InsBranch, [ 5 ] ], # bcs[,a]
[ InsBranch, [ 6 ] ], # bneg[,a]
[ InsBranch, [ 7 ] ], # bvs[,a]
[ InsBranch, [ 8 ] ], # ba[,a]
[ InsBranch, [ 9 ] ], # bne[,a]
[ InsBranch, [ 10 ] ], # bg[,a]
[ InsBranch, [ 11 ] ], # bge[,a]
[ InsBranch, [ 12 ] ], # bgu[,a]
[ InsBranch, [ 13 ] ], # bcc[,a]
[ InsBranch, [ 14 ] ], # bpos[,a]
[ InsBranch, [ 15 ] ], # bvc[,a]
]
def initialize
super(
'Name' => 'Vlad902 SPARC',
'Alias' => 'ppc_simple',
'Version' => '$Revision$',
'Description' => 'SPARC NOP generator',
'Author' => 'vlad902',
'Arch' => ARCH_SPARC)
register_advanced_options(
[
OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ])
], self.class)
end
# Nops are always random...
def generate_sled(length, opts)
badchars = opts['BadChars'] || ''
random = opts['Random'] || datastore['RandomNops']
blen = length
buff = ''
count = 0
while (buff.length < blen)
r = SPARC_Table[ rand(SPARC_Table.length) ]
t = ''
case r[0]
when InsSethi
t = ins_sethi(r[1], blen - buff.length)
when InsArithmetic
t = ins_arithmetic(r[1], blen - buff.length)
when InsBranch
t = ins_branch(r[1], blen - buff.length)
else
print_status("Invalid opcode type")
raise RuntimeError
end
failed = false
t.each_byte do |c|
failed = true if badchars.include?(c.chr)
end
if (not failed)
buff << t
count = 0
end
if (count > length + 1000)
print_status("The SPARC nop generator could not create a usable sled")
raise RuntimeError
end
count += 1
end
return buff
end
def get_dst_reg
reg = rand(30)
reg += 1 if (reg >= 14)
reg += 1 if (reg >= 30)
return reg.to_i
end
def get_src_reg
return rand(30).to_i
end
def ins_sethi(ref, len=0)
[(get_dst_reg() << 25) | (4 << 22) | rand(1 << 22)].pack('N')
end
def ins_arithmetic(ref, len=0)
dst = get_dst_reg()
ver = ref[0]
# WRY fixups
if (ver == 3)
dst = 0
ver = 1
end
# 0, ~1, !2, ~3, !4
# Use one src reg with a signed 13-bit immediate (non-0)
if((ver == 0 && rand(2)) || ver == 1)
return [
(2 << 30) |
(dst << 25) |
(ref[1] << 19) |
(get_src_reg() << 14) |
(1 << 13) |
(rand((1 << 13) - 1) + 1)
].pack('N')
end
# ref[1] could be replaced with a static value since this only encodes for one function but it's done this way for consistancy.
if (ver == 4)
return [(2 << 30) | (dst << 25) | (ref[1] << 19)].pack('N')
end
# Use two src regs
return [
(2 << 30) |
(dst << 25) |
(ref[1] << 19) |
(get_src_reg() << 14) |
get_src_reg()
].pack('N')
end
def ins_branch(ref, len)
# We jump to 1 instruction before the payload so in cases where the delay slot of a branch with the the anull bit set that is not taken the first instruction of the
# payload is not anulled.
len = (len / 4) - 1
return '' if len == 0
len = 0x3fffff if (len >= 0x400000)
return [
(rand(2) << 29) |
(ref[0] << 25) |
(2 << 22) |
rand(len - 1) + 1
].pack('N')
end
end
end end end