infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/lib/rex/encoder/bloxor/bloxor.rb

328 lines
9.3 KiB
Ruby
Raw Blame History

# -*- coding: binary -*-
require 'rex/poly/machine'
module Rex
module Encoder
class BloXor < Msf::Encoder
def initialize( *args )
super
@machine = nil
@blocks_out = []
@block_size = 0
end
#
#
#
def decoder_stub( state )
if( not state.decoder_stub )
@blocks_out = []
@block_size = 0
# XXX: It would be ideal to use a random block size but unless we know the maximum size our final encoded
# blob can be we should instead start with the smallest block size and go up to avoid generating
# anything too big (if we knew the max size we could try something smaller if we generated a blob too big)
#block_sizes = (1..state.buf.length).to_a.shuffle
#block_sizes.each do | len |
1.upto( state.buf.length ) do | len |
# For now we ignore all odd sizes to help with performance (The rex poly machine
# doesnt have many load/store primitives that can handle byte sizes efficiently)
if( len % 2 != 0 )
next
end
blocks, size = compute_encoded( state, len )
if( blocks and size )
# We sanity check that the newly generated block ammount and the block size
# are not in the badchar list when converted into a hex form. Helps speed
# things up a great deal when generating a decoder stub later as these
# values may be used throughout.
if( not number_is_valid?( state, blocks.length - 1 ) or not number_is_valid?( state, ~( blocks.length - 1 ) ) )
next
end
if( not number_is_valid?( state, size ) or not number_is_valid?( state, ~size ) )
next
end
@blocks_out = blocks
@block_size = size
break
end
end
raise RuntimeError, "Unable to generate seed block." if( @blocks_out.empty? )
state.decoder_stub = compute_decoder( state )
end
state.decoder_stub
end
#
#
#
def encode_block( state, data )
buffer = ''
@blocks_out.each do | block |
buffer << block.pack( 'C*' )
end
buffer
end
protected
#
# Is a number in its byte form valid against the badchars?
#
def number_is_valid?( state, number )
size = 'C'
if( number > 0xFFFF )
size = 'V'
elsif( number > 0xFF )
size = 'v'
end
return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil?
end
#
# Calculate Shannon's entropy.
#
def entropy( data )
entropy = 0.to_f
(0..255).each do | byte |
freq = data.to_s.count( byte.chr ).to_f / data.to_s.length
if( freq > 0 )
entropy -= freq * Math.log2( freq )
end
end
return entropy / 8
end
#
# Compute the encoded blocks (and associated seed)
#
def compute_encoded( state, len )
blocks_in = ::Array.new
input = '' << state.buf
block_padding = ( input.length % len ) > 0 ? len - ( input.length % len ) : 0
if( block_padding > 0 )
0.upto( block_padding-1 ) do
input << [ rand( 255 ) ].pack( 'C' )
end
end
while( input.length > 0 )
blocks_in << input[0..len-1].unpack( 'C*' )
input = input[len..input.length]
end
seed = compute_seed( blocks_in, len, block_padding, state.badchars.unpack( 'C*' ) )
if( not seed )
return [ nil, nil ]
end
blocks_out = [ seed ]
blocks_in.each do | block |
blocks_out << compute_block( blocks_out.last, block )
end
return [ blocks_out, len ]
end
#
# Generate the decoder stub which is functionally equivalent to the following:
#
# source = &end;
# dest = source + BLOCK_SIZE;
# counter = BLOCK_COUNT * ( BLOCK_SIZE / chunk_size );
# do
# {
# encoded = *(CHUNK_SIZE *)dest;
# dest += chunk_size;
# decoded = *(CHUNK_SIZE *)source;
# *(CHUNK_SIZE *)source = decoded ^ encoded;
# source += chunk_size;
# } while( --counter );
#
# end:
#
def compute_decoder( state )
@machine.create_variable( 'source' )
@machine.create_variable( 'dest' )
@machine.create_variable( 'counter' )
@machine.create_variable( 'encoded' )
@machine.create_variable( 'decoded' )
chunk_size = Rex::Poly::Machine::BYTE
if( @machine.native_size() == Rex::Poly::Machine::QWORD )
if( @block_size % Rex::Poly::Machine::QWORD == 0 )
chunk_size = Rex::Poly::Machine::QWORD
elsif( @block_size % Rex::Poly::Machine::DWORD == 0 )
chunk_size = Rex::Poly::Machine::DWORD
elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
chunk_size = Rex::Poly::Machine::WORD
end
elsif( @machine.native_size() == Rex::Poly::Machine::DWORD )
if( @block_size % Rex::Poly::Machine::DWORD == 0 )
chunk_size = Rex::Poly::Machine::DWORD
elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
chunk_size = Rex::Poly::Machine::WORD
end
elsif( @machine.native_size() == Rex::Poly::Machine::WORD )
if( @block_size % Rex::Poly::Machine::WORD == 0 )
chunk_size = Rex::Poly::Machine::WORD
end
end
# Block 1 - Set the source variable to the address of the start block
@machine.create_block_primitive( 'block1', 'set', 'source', 'location' )
# Block 2 - Set the source variable to the address of the 1st encoded block
@machine.create_block_primitive( 'block2', 'add', 'source', 'end' )
# Block 3 - Set the destingation variable to the value of the source variable
@machine.create_block_primitive( 'block3', 'set', 'dest', 'source' )
# Block 4 - Set the destingation variable to the address of the 2nd encoded block
@machine.create_block_primitive( 'block4', 'add', 'dest', @block_size )
# Block 5 - Sets the loop counter to the number of blocks to process
@machine.create_block_primitive( 'block5', 'set', 'counter', ( ( @block_size / chunk_size ) * (@blocks_out.length - 1) ) )
# Block 6 - Set the encoded variable to the byte pointed to by the dest variable
@machine.create_block_primitive( 'block6', 'load', 'encoded', 'dest', chunk_size )
# Block 7 - Increment the destination variable by one
@machine.create_block_primitive( 'block7', 'add', 'dest', chunk_size )
# Block 8 - Set the decoded variable to the byte pointed to by the source variable
@machine.create_block_primitive( 'block8', 'load', 'decoded', 'source', chunk_size )
# Block 9 - Xor the decoded variable with the encoded variable
@machine.create_block_primitive( 'block9', 'xor', 'decoded', 'encoded' )
# Block 10 - store the newly decoded byte
@machine.create_block_primitive( 'block10', 'store', 'source', 'decoded', chunk_size )
# Block 11 - Increment the source variable by one
@machine.create_block_primitive( 'block11', 'add', 'source', chunk_size )
# Block 12 - Jump back up to the outer_loop block while the counter variable > 0
@machine.create_block_primitive( 'block12', 'loop', 'counter', 'block6' )
# Try to generate the decoder stub...
decoder = @machine.generate
if( not decoder )
raise RuntimeError, "Unable to generate decoder stub."
end
decoder
end
#
# Compute the seed block which will successfully decode all proceeding encoded
# blocks while ensuring the encoded blocks do not contain any badchars.
#
def compute_seed( blocks_in, block_size, block_padding, badchars )
seed = []
redo_bytes = []
0.upto( block_size-1 ) do | index |
seed_bytes = (0..255).sort_by do
rand()
end
seed_bytes.each do | seed_byte |
next if( badchars.include?( seed_byte ) )
success = true
previous_byte = seed_byte
if( redo_bytes.length < 256 )
redo_bytes = (0..255).sort_by do
rand()
end
end
blocks_in.each do | block |
decoded_byte = block[ index ]
encoded_byte = previous_byte ^ decoded_byte
if( badchars.include?( encoded_byte ) )
# the padding bytes we added earlier can be changed if they are causing us to fail.
if( block == blocks_in.last and index >= (block_size-block_padding) )
if( redo_bytes.empty? )
success = false
break
end
block[ index ] = redo_bytes.shift
redo
end
success = false
break
end
previous_byte = encoded_byte
end
if( success )
seed << seed_byte
break
end
end
end
if( seed.length == block_size )
return seed
end
return nil
end
#
# Compute the next encoded block by xoring the previous
# encoded block with the next decoded block.
#
def compute_block( encoded, decoded )
block = []
0.upto( encoded.length-1 ) do | index |
block << ( encoded[ index ] ^ decoded[ index ] )
end
return block
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink