Commit Graph

114 Commits (648c034d17007a2e94ccd187a1a7c9f5eb2c360e)

Author SHA1 Message Date
HD Moore cea8605365 Fix #5596 by catching RuntimeError from Rex::Poly 2015-06-24 15:17:33 -05:00
HD Moore b0a8c77127 Switch RuntimeError -> EncodingError 2015-05-18 15:33:01 -05:00
HD Moore 7989a29203 Switch to the stock EncodingError exception 2015-05-18 15:27:31 -05:00
sinn3r a543d957d4 Fix #4717 - Change AllowWin32SEH's default to false
This is patch to change AllowWin32SEH to false.

Root cause:

The truely intended behavior is that if the user doesn't set a
BufferRegister and the encoder is for Windows, the AllowWin32SEH
code should kick in.

The problem here is that msfencode and msfvenom handle the platform
information differently, so we get different results.

With msfencode, the platform information isn't passed when alpha_mixed
is used, so even if you're using the encoder for Win32, the encoder
doesn't actually know about this. But everything works out just fine
anyway because people don't actually rely on AllowWin32SEH.

With msfvenom, the platform information is passed, so the encoder
actually knows it's for Windows. The two conditions are met (regster
and platform), so AllowWin32SEH kicks in. However, the AllowWin32SEH
technique enforces the BufferRegister to ECX, and that there's no
GetPC, so by default this isn't going to work.

The solution:

We are actually better off with setting AllowWin32SEH to false, mainly
because the SEH technique is pretty much dead (congrats MSFT!). And we
want the GetPC routine by default.

If people want to use AllowWin32SEH routine, they can simply set
AllowWin32SEH to true to bring it right back. For example:

e = framework.encoders.create('x86/alpha_mixed')
e.datastore.import_options_from_hash({'AllowWin32SEH'=>true})
buf = e.encode("AAAA", nil, nil, ::Msf::Module::PlatformList.win32)

Or in msfvenom:

msfvenom -p windows/meterpreter/bind_tcp -e x86/alpha_mixed
AllowWin32SEH=true -f raw

Fix #4717
2015-02-06 12:38:04 -06:00
HD Moore f67a32ef9c
Add missing commits from #3770, lands #4393 2014-12-13 17:36:26 -06:00
Tod Beardsley 0199e4d658
Land #3770, resolve random stager bugs 2014-11-03 14:15:14 -06:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
James Lee e9f341fd6c
Rename to more intention-revealing name 2014-10-06 16:33:21 -05:00
HD Moore b8a1010ba4 Switch to Array#union and rename preserved_registers 2014-09-13 22:48:14 -05:00
HD Moore 71228b48a0 Update 3 more encoders to be StageEncoder compatible
This could probably use some DRY love via a mixin
2014-09-10 20:21:35 -05:00
HD Moore 815e007f48 Fix two cosmetic typos 2014-09-10 19:07:40 -05:00
HD Moore 6c0dae953d Stage encoding is now SaveRegister aware 2014-09-09 14:21:51 -05:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
sinn3r a50b4e88be Fix msftidy warning: Suspect capitalization in module title: 'encoder' 2014-02-24 11:25:46 -06:00
OJ b2d09ed0d1 Add the NULL byte to the list of valid chars
While rare, I guess it is a possibility that the NULL byte can be
used.
2014-02-17 16:40:56 +10:00
OJ e134ec4691 Remove '*' from valid file system chars 2014-02-16 23:57:54 +10:00
OJ a808053c37 Add first pass of optimised sub encoder
Full details of the encoder are in the detailed description in the
source itself. But this is effectively an "optimised" SUB encoder
which is similar to the add_sub encoder except it doesn't bother to
use the ADD instructions at all, and it doesn't zero out EAX for
each 4-byte block unless absolutely necessary. This results in
payloads being MUCH smaller (in some cases 30% or more is saved).
2014-02-16 20:12:14 +10:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
sinn3r d679946b7f Landing #1713 - add_sub encoder for x86 payloads 2013-05-31 18:49:08 -05:00
sinn3r 2ac0d25413 Fixes e-mail format, also a whitespace 2013-05-31 18:47:46 -05:00
Tod Beardsley 05916c079e Inline unit tests are so last decade
Aside from codebase-wide changes, nearly all of these tests haven't been
touched since before 2010, and there is no effort to maintain this style
of testing. We've moved on to (correctly) seperating out our tests from
our codebase.
2013-05-23 12:41:14 -05:00
Melih SARICA e48cea432c added add_sub encoder for x86 payloads 2013-04-08 20:51:39 +03:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
sinn3r 4085fa73c5 Merge branch 'stephenfewer-master' 2013-02-27 11:13:10 -06:00
James Lee b3b68c1b90 Make stage encoding possible
* Fixes a bug in shikata where input greater than 0xffff length would
  still use 16-bit counter
* Short circuits finding bad xor keys if there are no bad characters to
  avoid
* Fixes huge performance issue with large inputs to xor-based encoders
  due to the use of String#+ instead of String#<< in a loop. It now
  takes ~3 seconds on modern hardware to encode a 750kB buffer with
  shikata where it used to take more than 10 minutes. The decoding side
  takes a similar amount of time and will increase the wait between
  sending the second stage and opening a usable session by several
  seconds.

I believe this addresses the intent of pull request 905

[See #905]
2013-01-13 21:07:39 -06:00
Stephen Fewer 8e6e1bc164 open up the bloxor encoder. 2013-01-10 17:39:40 +00:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
HD Moore 93a69ea62e Fix instances of invalid lower-case datastore use 2012-11-29 00:05:36 -06:00
Michael Schierl e9f7873afc Version cleanup
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
jvazquez-r7 cc90a60a1b Correct the use of the platform argument
The platform argument is meant to be a PlatformList object, not as an array:
http://dev.metasploit.com/redmine/issues/6826
This commit undoes the last change to init_platform() in alpha_mixed and modifies msfvenom to use it as intended.
2012-06-26 17:32:55 +02:00
jvazquez-r7 1d121071f3 Prepend nops to raw payload in encoder if needed 2012-06-15 09:59:10 +02:00
jvazquez-r7 091b3bbbd9 Added module plus encoder for CVE-2012-2329 2012-06-15 00:29:52 +02:00
Silviu-Mihai Popescu 605e1929e4 Fixed msfvenom NoMethodError with alpha_mixed encoder.
The issue was reported on Github[1] and Redmine[2].

The error consisted of trying to use the supports?() method
on an Array instead of a PlatformList.

[1] https://github.com/rapid7/metasploit-framework/issues/357
[2] http://dev.metasploit.com/redmine/issues/6826

Reported by: Brandon Perry
Signed off by: Silviu Popescu <silviupopescu1990@gmail.com>
2012-05-03 17:47:25 +03:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
James Lee 3a33434867 Fix a couple of typos that throw off module authors 2012-03-05 13:28:46 -07:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
James Lee 6f5961db52 don't dump a stack trace when it's a normal encoding failure.
git-svn-id: file:///home/svn/framework3/trunk@13532 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-11 21:29:53 +00:00
James Lee d2670d52ec add BufferRegister and BufferOffset support for shikata_ga_nai. see #3563. tested this pretty extensively. /me crosses fingers
git-svn-id: file:///home/svn/framework3/trunk@11646 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-26 04:24:41 +00:00
Mario Ceballos bd7f6eec10 Typo.
git-svn-id: file:///home/svn/framework3/trunk@11045 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-14 23:39:29 +00:00
Joshua Drake 4590844871 tons of indentation fixes, some other style tweaks
git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 08:06:27 +00:00
Joshua Drake d8609b85e3 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@9460 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-09 18:41:58 +00:00
HD Moore 74a68138fc Add new context-keyed encoders from Dimitris Glynos ( http://census-labs.com/news/2010/06/04/athcon-2010-update/ )
git-svn-id: file:///home/svn/framework3/trunk@9457 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-09 16:43:46 +00:00
Joshua Drake 0e72894e58 more cleanups
git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-03 17:13:09 +00:00
Joshua Drake 0ea6eca4bc big module whitespace/formatting cleanup pass
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-30 08:40:19 +00:00
Joshua Drake 4ccfc076f9 ruby 1.8 compat fix
git-svn-id: file:///home/svn/framework3/trunk@8014 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-28 22:53:39 +00:00
Joshua Drake a247de77ec add the SingleStaticBit for the CVE-2008-4193 exploit - comments welcome
git-svn-id: file:///home/svn/framework3/trunk@8011 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-28 20:39:43 +00:00