327 lines
9.3 KiB
Ruby
327 lines
9.3 KiB
Ruby
|
|
require 'rex/poly/machine'
|
|
|
|
module Rex
|
|
|
|
module Encoder
|
|
|
|
class BloXor < Msf::Encoder
|
|
|
|
def initialize( *args )
|
|
super
|
|
@machine = nil
|
|
@blocks_out = []
|
|
@block_size = 0
|
|
end
|
|
|
|
#
|
|
#
|
|
#
|
|
def decoder_stub( state )
|
|
|
|
if( not state.decoder_stub )
|
|
@blocks_out = []
|
|
@block_size = 0
|
|
|
|
# XXX: It would be ideal to use a random block size but unless we know the maximum size our final encoded
|
|
# blob can be we should instead start with the smallest block size and go up to avoid generating
|
|
# anything too big (if we knew the max size we could try something smaller if we generated a blob too big)
|
|
#block_sizes = (1..state.buf.length).to_a.shuffle
|
|
#block_sizes.each do | len |
|
|
|
|
1.upto( state.buf.length ) do | len |
|
|
|
|
# For now we ignore all odd sizes to help with performance (The rex poly machine
|
|
# doesnt have many load/store primitives that can handle byte sizes efficiently)
|
|
if( len % 2 != 0 )
|
|
next
|
|
end
|
|
|
|
blocks, size = compute_encoded( state, len )
|
|
if( blocks and size )
|
|
|
|
# We sanity check that the newly generated block ammount and the block size
|
|
# are not in the badchar list when converted into a hex form. Helps speed
|
|
# things up a great deal when generating a decoder stub later as these
|
|
# values may be used throughout.
|
|
|
|
if( not number_is_valid?( state, blocks.length - 1 ) or not number_is_valid?( state, ~( blocks.length - 1 ) ) )
|
|
next
|
|
end
|
|
|
|
if( not number_is_valid?( state, size ) or not number_is_valid?( state, ~size ) )
|
|
next
|
|
end
|
|
|
|
@blocks_out = blocks
|
|
@block_size = size
|
|
|
|
break
|
|
end
|
|
end
|
|
|
|
raise RuntimeError, "Unable to generate seed block." if( @blocks_out.empty? )
|
|
|
|
state.decoder_stub = compute_decoder( state )
|
|
end
|
|
|
|
state.decoder_stub
|
|
end
|
|
|
|
#
|
|
#
|
|
#
|
|
def encode_block( state, data )
|
|
|
|
buffer = ''
|
|
|
|
@blocks_out.each do | block |
|
|
buffer << block.pack( 'C*' )
|
|
end
|
|
|
|
buffer
|
|
end
|
|
|
|
protected
|
|
|
|
#
|
|
# Is a number in its byte form valid against the badchars?
|
|
#
|
|
def number_is_valid?( state, number )
|
|
size = 'C'
|
|
if( number > 0xFFFF )
|
|
size = 'V'
|
|
elsif( number > 0xFF )
|
|
size = 'v'
|
|
end
|
|
return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil?
|
|
end
|
|
|
|
#
|
|
# Calculate Shannon's entropy.
|
|
#
|
|
def entropy( data )
|
|
entropy = 0.to_f
|
|
(0..255).each do | byte |
|
|
freq = data.to_s.count( byte.chr ).to_f / data.to_s.length
|
|
if( freq > 0 )
|
|
entropy -= freq * Math.log2( freq )
|
|
end
|
|
end
|
|
return entropy / 8
|
|
end
|
|
|
|
#
|
|
# Compute the encoded blocks (and associated seed)
|
|
#
|
|
def compute_encoded( state, len )
|
|
|
|
blocks_in = ::Array.new
|
|
|
|
input = '' << state.buf
|
|
|
|
block_padding = ( input.length % len ) > 0 ? len - ( input.length % len ) : 0
|
|
|
|
if( block_padding > 0 )
|
|
0.upto( block_padding-1 ) do
|
|
input << [ rand( 255 ) ].pack( 'C' )
|
|
end
|
|
end
|
|
|
|
while( input.length > 0 )
|
|
blocks_in << input[0..len-1].unpack( 'C*' )
|
|
input = input[len..input.length]
|
|
end
|
|
|
|
seed = compute_seed( blocks_in, len, block_padding, state.badchars.unpack( 'C*' ) )
|
|
|
|
if( not seed )
|
|
return [ nil, nil ]
|
|
end
|
|
|
|
blocks_out = [ seed ]
|
|
|
|
blocks_in.each do | block |
|
|
blocks_out << compute_block( blocks_out.last, block )
|
|
end
|
|
|
|
return [ blocks_out, len ]
|
|
end
|
|
|
|
#
|
|
# Generate the decoder stub which is functionally equivalent to the following:
|
|
#
|
|
# source = &end;
|
|
# dest = source + BLOCK_SIZE;
|
|
# counter = BLOCK_COUNT * ( BLOCK_SIZE / chunk_size );
|
|
# do
|
|
# {
|
|
# encoded = *(CHUNK_SIZE *)dest;
|
|
# dest += chunk_size;
|
|
# decoded = *(CHUNK_SIZE *)source;
|
|
# *(CHUNK_SIZE *)source = decoded ^ encoded;
|
|
# source += chunk_size;
|
|
# } while( --counter );
|
|
#
|
|
# end:
|
|
#
|
|
def compute_decoder( state )
|
|
|
|
@machine.create_variable( 'source' )
|
|
@machine.create_variable( 'dest' )
|
|
@machine.create_variable( 'counter' )
|
|
@machine.create_variable( 'encoded' )
|
|
@machine.create_variable( 'decoded' )
|
|
|
|
chunk_size = Rex::Poly::Machine::BYTE
|
|
if( @machine.native_size() == Rex::Poly::Machine::QWORD )
|
|
if( @block_size % Rex::Poly::Machine::QWORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::QWORD
|
|
elsif( @block_size % Rex::Poly::Machine::DWORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::DWORD
|
|
elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::WORD
|
|
end
|
|
elsif( @machine.native_size() == Rex::Poly::Machine::DWORD )
|
|
if( @block_size % Rex::Poly::Machine::DWORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::DWORD
|
|
elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::WORD
|
|
end
|
|
elsif( @machine.native_size() == Rex::Poly::Machine::WORD )
|
|
if( @block_size % Rex::Poly::Machine::WORD == 0 )
|
|
chunk_size = Rex::Poly::Machine::WORD
|
|
end
|
|
end
|
|
|
|
# Block 1 - Set the source variable to the address of the start block
|
|
@machine.create_block_primitive( 'block1', 'set', 'source', 'location' )
|
|
|
|
# Block 2 - Set the source variable to the address of the 1st encoded block
|
|
@machine.create_block_primitive( 'block2', 'add', 'source', 'end' )
|
|
|
|
# Block 3 - Set the destingation variable to the value of the source variable
|
|
@machine.create_block_primitive( 'block3', 'set', 'dest', 'source' )
|
|
|
|
# Block 4 - Set the destingation variable to the address of the 2nd encoded block
|
|
@machine.create_block_primitive( 'block4', 'add', 'dest', @block_size )
|
|
|
|
# Block 5 - Sets the loop counter to the number of blocks to process
|
|
@machine.create_block_primitive( 'block5', 'set', 'counter', ( ( @block_size / chunk_size ) * (@blocks_out.length - 1) ) )
|
|
|
|
# Block 6 - Set the encoded variable to the byte pointed to by the dest variable
|
|
@machine.create_block_primitive( 'block6', 'load', 'encoded', 'dest', chunk_size )
|
|
|
|
# Block 7 - Increment the destination variable by one
|
|
@machine.create_block_primitive( 'block7', 'add', 'dest', chunk_size )
|
|
|
|
# Block 8 - Set the decoded variable to the byte pointed to by the source variable
|
|
@machine.create_block_primitive( 'block8', 'load', 'decoded', 'source', chunk_size )
|
|
|
|
# Block 9 - Xor the decoded variable with the encoded variable
|
|
@machine.create_block_primitive( 'block9', 'xor', 'decoded', 'encoded' )
|
|
|
|
# Block 10 - store the newly decoded byte
|
|
@machine.create_block_primitive( 'block10', 'store', 'source', 'decoded', chunk_size )
|
|
|
|
# Block 11 - Increment the source variable by one
|
|
@machine.create_block_primitive( 'block11', 'add', 'source', chunk_size )
|
|
|
|
# Block 12 - Jump back up to the outer_loop block while the counter variable > 0
|
|
@machine.create_block_primitive( 'block12', 'loop', 'counter', 'block6' )
|
|
|
|
# Try to generate the decoder stub...
|
|
decoder = @machine.generate
|
|
|
|
if( not decoder )
|
|
raise RuntimeError, "Unable to generate decoder stub."
|
|
end
|
|
|
|
decoder
|
|
end
|
|
|
|
#
|
|
# Compute the seed block which will successfully decode all proceeding encoded
|
|
# blocks while ensuring the encoded blocks do not contain any badchars.
|
|
#
|
|
def compute_seed( blocks_in, block_size, block_padding, badchars )
|
|
seed = []
|
|
redo_bytes = []
|
|
|
|
0.upto( block_size-1 ) do | index |
|
|
|
|
seed_bytes = (0..255).sort_by do
|
|
rand()
|
|
end
|
|
|
|
seed_bytes.each do | seed_byte |
|
|
|
|
next if( badchars.include?( seed_byte ) )
|
|
|
|
success = true
|
|
|
|
previous_byte = seed_byte
|
|
|
|
if( redo_bytes.length < 256 )
|
|
redo_bytes = (0..255).sort_by do
|
|
rand()
|
|
end
|
|
end
|
|
|
|
blocks_in.each do | block |
|
|
|
|
decoded_byte = block[ index ]
|
|
|
|
encoded_byte = previous_byte ^ decoded_byte
|
|
|
|
if( badchars.include?( encoded_byte ) )
|
|
# the padding bytes we added earlier can be changed if they are causing us to fail.
|
|
if( block == blocks_in.last and index >= (block_size-block_padding) )
|
|
if( redo_bytes.empty? )
|
|
success = false
|
|
break
|
|
end
|
|
block[ index ] = redo_bytes.shift
|
|
redo
|
|
end
|
|
|
|
success = false
|
|
break
|
|
end
|
|
|
|
previous_byte = encoded_byte
|
|
end
|
|
|
|
if( success )
|
|
seed << seed_byte
|
|
break
|
|
end
|
|
end
|
|
|
|
end
|
|
|
|
if( seed.length == block_size )
|
|
return seed
|
|
end
|
|
|
|
return nil
|
|
end
|
|
|
|
#
|
|
# Compute the next encoded block by xoring the previous
|
|
# encoded block with the next decoded block.
|
|
#
|
|
def compute_block( encoded, decoded )
|
|
block = []
|
|
0.upto( encoded.length-1 ) do | index |
|
|
block << ( encoded[ index ] ^ decoded[ index ] )
|
|
end
|
|
return block
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|