#!/usr/bin/env ruby # # $Id$ # $Revision$ # msfbase = __FILE__ while File.symlink?(msfbase) msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) end $:.unshift(File.join(File.dirname(msfbase), 'lib')) $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB'] require 'rex' require 'msf/ui' require 'msf/base' OutStatus = "[*] " OutError = "[-] " $args = Rex::Parser::Arguments.new( "-i" => [ true, "Encode the contents of the supplied file path" ], "-m" => [ true, "Specifies an additional module search path" ], "-a" => [ true, "The architecture to encode as" ], "-p" => [ true, "The platform to encode for" ], "-t" => [ true, "The format to display the encoded buffer with (c, dll, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho)" ], "-b" => [ true, "The list of characters to avoid: '\\x00\\xff'" ], "-s" => [ true, "The maximum size of the encoded data" ], "-e" => [ true, "The encoder to use" ], "-o" => [ true, "The output file" ], "-c" => [ true, "The number of times to encode the data" ], "-n" => [ false, "Dump encoder information" ], "-h" => [ false, "Help banner" ], "-x" => [ true, "Specify an alternate win32 executable template" ], "-k" => [ false, "Keep template working; run payload in new thread (use with -x)" ], "-l" => [ false, "List available encoders" ]) # # Dump the list of encoders # def dump_encoders(arch = nil) tbl = Rex::Ui::Text::Table.new( 'Indent' => 4, 'Header' => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""), 'Columns' => [ "Name", "Rank", "Description" ]) cnt = 0 $framework.encoders.each_module( 'Arch' => arch ? arch.split(',') : nil) { |name, mod| tbl << [ name, mod.rank_to_s, mod.new.name ] cnt += 1 } (cnt > 0) ? "\n" + tbl.to_s + "\n" : "\nNo compatible encoders found.\n\n" end # # Returns the list of encoders to try # def get_encoders(arch, encoder) encoders = [] if (encoder) encoders << $framework.encoders.create(encoder) else $framework.encoders.each_module_ranked( 'Arch' => arch ? arch.split(',') : nil) { |name, mod| encoders << mod.new } end encoders end # # Nuff said. # def usage $stderr.puts("\n" + " Usage: #{$0} \n" + $args.usage) exit end def write_encoded(buf) if (not $output) $stdout.write(buf) else File.open($output, "wb") do |fd| fd.write(buf) end end end # Defaults cmd = "encode" arch = nil badchars = '' space = nil encoder = nil fmt = nil input = $stdin options = '' delim = '_|_' output = nil ecount = 1 altexe = nil inject = false plat = nil # Parse the argument and rock that shit. $args.parse(ARGV) { |opt, idx, val| case opt when "-i" begin input = File.new(val) rescue $stderr.puts(OutError + "Failed to open file #{val}: #{$!}") exit end when "-m" $framework.modules.add_module_path(val) when "-l" cmd = "list" when "-n" cmd = "dump" when "-a" arch = val when "-c" ecount = val.to_i when "-b" badchars = Rex::Text.hex_to_raw(val) when "-p" plat = Msf::Module::PlatformList.transform(val) when "-s" space = val.to_i when "-t" if (val =~ /^(perl|ruby|rb|raw|c|js_le|js_be|java|dll|exe|exe-small|elf|vba|vbs|loop-vbs|asp|war|macho)$/) fmt = val else $stderr.puts(OutError + "Invalid format: #{val}") exit end when "-o" $output = val when "-e" encoder = val when "-x" altexe = val when "-k" inject = true when "-h" usage else if (val =~ /=/) options += ((options.length > 0) ? delim : "") + "#{val}" end end } if(not fmt and output) pre,ext = output.split('.') if(ext and not ext.empty?) fmt = ext end end if inject and not altexe $stderr.puts "[*] Error: the injection option must use a custom EXE template via -x, otherwise the injected payload will immediately exit when the main process dies." exit(1) end # Initialize the simplified framework instance. $framework = Msf::Simple::Framework.create( :module_types => [ Msf::MODULE_ENCODER, Msf::MODULE_NOP ] ) # Get the list of encoders to try encoders = get_encoders(arch, encoder) # Process the actual command case cmd when "list" $stderr.puts(dump_encoders(arch)) when "dump" enc = encoder ? $framework.encoders.create(encoder) : nil if (enc) $stderr.puts(Msf::Serializer::ReadableText.dump_module(enc)) else $stderr.puts(OutError + "Invalid encoder specified.") end when "encode" buf = input.read encoders.each { |enc| next if not enc begin # Imports options enc.datastore.import_options_from_s(options, delim) skip = false eout = buf.dup raw = nil 1.upto(ecount) do |iteration| # Encode it up raw = enc.encode(eout, badchars, nil, plat) # Is it too big? if (space and space > 0 and raw.length > space) $stderr.puts(OutError + "#{enc.refname} created buffer that is too big (#{raw.length})") skip = true break end # Print it out $stderr.puts(OutStatus + "#{enc.refname} succeeded with size #{raw.length} (iteration=#{iteration})\n\n") eout = raw end next if skip case fmt when 'dll' dll = nil dll = Msf::Util::EXE.to_win32pe_dll($framework, raw) write_encoded(dll) when 'exe' exe = nil if(not arch or (arch.index(ARCH_X86))) exe = Msf::Util::EXE.to_win32pe($framework, raw, {:insert => inject, :template => altexe}) end if(arch and (arch.index( ARCH_X86_64 ) or arch.index( ARCH_X64 ))) exe = Msf::Util::EXE.to_win64pe($framework, raw, {:insert => inject, :template => altexe}) end write_encoded(exe) when 'exe-small' exe = nil if(not arch or (arch.index(ARCH_X86))) exe = Msf::Util::EXE.to_win32pe_old($framework, raw) end write_encoded(exe) when 'elf' elf = Msf::Util::EXE.to_linux_x86_elf($framework, raw) write_encoded(elf) when 'macho' macho = Msf::Util::EXE.to_osx_x86_macho($framework, raw) write_encoded(macho) when 'vba' exe = Msf::Util::EXE.to_win32pe($framework, raw, {:insert => inject, :template => altexe}) vba = Msf::Util::EXE.to_exe_vba(exe) write_encoded(vba) when 'vbs' vbs = Msf::Util::EXE.to_win32pe_vbs($framework, raw, {:insert => inject, :persist => false, :template => altexe}) write_encoded(vbs) when 'loop-vbs' vbs = Msf::Util::EXE.to_win32pe_vbs($framework, raw, {:insert => inject, :persist => true, :template => altexe}) write_encoded(vbs) when 'asp' asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:insert => inject, :persist => false, :template => altexe}) write_encoded(asp) when 'war' tmp_plat = plat.platforms war = Msf::Util::EXE.to_jsp_war($framework, arch, tmp_plat, raw, {:persist => false, :template => altexe}) write_encoded(war) else fmt ||= "ruby" write_encoded(Msf::Simple::Buffer.transform(raw, fmt)) end exit rescue => e $stderr.puts(OutError + "#{enc.refname} failed: #{e} #{e.backtrace}") end } $stderr.puts(OutError + "No encoders succeeded.") end