218 lines
7.7 KiB
Ruby
218 lines
7.7 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
#
|
|
# NOTE: this encoder currently has only be tested using bit 5 set to on.
|
|
#
|
|
# The decoder has been tested with all possible values, but the decoder stub
|
|
# is was not designed to bypass restrictions other than "bit 5 must be on"..
|
|
#
|
|
class Metasploit3 < Msf::Encoder
|
|
|
|
# This encoder has a manual ranking because it should only be used in cases
|
|
# where information has been explicitly supplied, specifically
|
|
# BitNumber and BitValue.
|
|
Rank = ManualRanking
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'Single Static Bit',
|
|
'Description' => 'Static value for specific bit',
|
|
'Author' => 'jduck',
|
|
'Arch' => ARCH_X86,
|
|
'License' => MSF_LICENSE,
|
|
'EncoderType' => Msf::Encoder::Type::SingleStaticBit
|
|
)
|
|
|
|
# this shouldn't be present in the decoder stub.
|
|
@key_marker = 0x1010
|
|
end
|
|
|
|
#
|
|
# Returns the decoder stub that is adjusted for the size of
|
|
# the buffer being encoded
|
|
#
|
|
def decoder_stub(state)
|
|
|
|
bit_num = (datastore['BitNumber'] || 5).to_i
|
|
bit_val = (datastore['BitValue'] || true)
|
|
|
|
# variables:
|
|
# bit to ignore (global - harcoded)
|
|
# buf len (can be deduced with a jmp/call/pop) (global - ebx)
|
|
# current source byte ptr (global - esi)
|
|
# current dest byte ptr (global - edi) ?
|
|
# current dest byte (global - ah) ?
|
|
# number of bits accumulated (global - ebp) ?
|
|
# current source byte (outer - al)
|
|
# bit index (for this byte) (inner - cl) ?
|
|
pre_init = ""
|
|
pre_init << "\x31\xed" # xor ebp, ebp - no bits accumulated
|
|
pre_init << "\x83\xe1\x01" # and ecx, $0x1 - init inner loop counter (set to 0/1)
|
|
pre_init << "\x83\xe3\x01" # and ebx, $0x1 - init buffer length
|
|
pre_init << "\x66\xbb" + [@key_marker].pack('v') # - load encrypted buffer length
|
|
pre_init << "\x66\x81\xf3" + [@key_marker].pack('v') # - xor decrypt buffer length
|
|
|
|
# we stored an entire byte, move to the next one
|
|
next_byte = ""
|
|
next_byte << "\x83\xef\xff" # sub edi, 0xffffffff - increment dst pointer
|
|
next_byte << "\x31\xed" # xor ebp, ebp - no bits accumulated
|
|
|
|
# inside the loop, we need to extract a bit, as
|
|
# specified by:
|
|
#
|
|
# ecx-1 - bit number to extract
|
|
# al - byte to extract it from
|
|
get_a_bit = ""
|
|
get_a_bit << "\x60" # pusha - save all registers
|
|
get_a_bit << "\x83\xe9\x01" # sub ecx, 1 - account for 1-based counting
|
|
get_a_bit << "\x74\x06" # jz +6 - skip dividing if bit zero
|
|
get_a_bit << "\xb3\x02" # mov bl, 2 - set divisor to 2
|
|
# divide_it:
|
|
get_a_bit << "\xf6\xf3" # div bl - do the division
|
|
get_a_bit << "\xe2" + [-1 * (2+2)].pack('C') # - divide again..
|
|
# store_bit:
|
|
get_a_bit << "\x83\xe0\x01" # and eax, 0x01 - we only want the lowest bit
|
|
get_a_bit << "\x6b\x2f\x02" # imul ebp, 2, [edi] - load [edi], shifted left by 1, to ebp
|
|
get_a_bit << "\x09\xe8" # or ebp, eax - set bit 0
|
|
get_a_bit << "\xaa" # stosb al, [edi] - store byte back
|
|
get_a_bit << "\x61" # popa - restore previous ebx/eax
|
|
get_a_bit << "\x83\xed\xff" # sub ebp, 0xffffffff - increment bits stored
|
|
|
|
inner_init = ""
|
|
inner_init << "\xb1\x08" # mov cl, $0x8 - init loop counter
|
|
|
|
inner_loop = ""
|
|
# process_bits:
|
|
inner_loop << "\x80\xf9" # cmp cl, <ignore_bit + 1> - is this the one to ignore?
|
|
inner_loop << [(bit_num+1)].pack('C')
|
|
len = get_a_bit.length + 3 + 2 + next_byte.length
|
|
inner_loop << "\x74" + [len].pack('C') # - je next_bit
|
|
inner_loop << get_a_bit
|
|
inner_loop << "\x83\xfd\x08" # cmp ebp, $0x8 - got 8 bits now?
|
|
inner_loop << "\x75" + [next_byte.length].pack('C') # - jne to next_bit
|
|
# next_dst_byte:
|
|
inner_loop << next_byte
|
|
# next_bit:
|
|
# I really wish this silly padding wasn't necessary, however removing the bad characters in the
|
|
# jump/call displacements has proven difficult otherwise.
|
|
inner_loop << "\x90" * 0x1a # nops - for padding (so relative jumps don't have badchars)
|
|
len = -1 * (inner_loop.length+2)
|
|
inner_loop << "\xe2" + [len].pack('C') # - loop process_bits
|
|
|
|
# prefixed by: # jmp data_beg_call
|
|
outer_init = ""
|
|
# get_data_beg:
|
|
outer_init << "\x5e" # pop esi - ptr to beginning of data
|
|
outer_init << pre_init
|
|
outer_init << "\x89\xf7" # mov edi, esi - decode in place, init dst ptr
|
|
|
|
outer_loop = ""
|
|
#outer_loop << "\x90" * (0xd+6)
|
|
outer_loop << "\x83\xe0\x7f" # and eax, 0x7f - we only want the low byte
|
|
outer_loop << "\xac" # lods al, [esi] - load src byte
|
|
outer_loop << inner_init << inner_loop
|
|
outer_loop << "\x83\xeb\x01" # sub ebx, 1 - 1 byte down!
|
|
outer_loop << "\x74\x07" # jz +(2+5) - jump to data!
|
|
len = -1 * (outer_loop.length+2)
|
|
# next_byte:
|
|
outer_loop << "\xeb" + [len].pack('C') # - jmp process_byte
|
|
# data_beg_call:
|
|
|
|
decoder = outer_init + outer_loop
|
|
jmp = "\xeb" + [decoder.length].pack('C')
|
|
call = "\xe8" + [-1 * (decoder.length+5)].pack('V')
|
|
decoder = jmp + decoder + call
|
|
|
|
# encoded sled
|
|
state.context = ''
|
|
|
|
return decoder
|
|
end
|
|
|
|
def encode_block(state, block)
|
|
bit_num = (datastore['BitNumber'] || 5).to_i
|
|
bit_num = (7-bit_num)
|
|
bit_val = (datastore['BitValue'] || true)
|
|
|
|
encoded = ''
|
|
new_byte = 0
|
|
nbits = 0
|
|
|
|
block.unpack('C*').each do |ch|
|
|
7.step(0,-1) do |x|
|
|
|
|
# is this the special bit?
|
|
if (nbits == bit_num)
|
|
new_byte <<= 1 if nbits > 0
|
|
new_byte |= 1 if bit_val
|
|
nbits += 1
|
|
|
|
# do we have a full byte?
|
|
if nbits == 8
|
|
encoded << new_byte.chr
|
|
new_byte = 0
|
|
nbits = 0
|
|
end
|
|
end
|
|
|
|
# we have space, add it in
|
|
new_byte <<= 1 if nbits > 0
|
|
new_byte += 1 if (((ch >> x) & 1) > 0)
|
|
nbits += 1
|
|
|
|
# do we have a full byte?
|
|
if nbits == 8
|
|
encoded << new_byte.chr
|
|
new_byte = 0
|
|
nbits = 0
|
|
end
|
|
end
|
|
end
|
|
|
|
# if we have bits left, pad out to a whole byte
|
|
if nbits > 0
|
|
while nbits < 8
|
|
new_byte <<= 1
|
|
new_byte |= 1 if (nbits == bit_num) and bit_val
|
|
nbits += 1
|
|
end
|
|
encoded << new_byte.chr
|
|
end
|
|
|
|
return encoded
|
|
end
|
|
|
|
#
|
|
# Appends the encoded context portion.
|
|
#
|
|
def encode_end(state)
|
|
state.encoded += state.context
|
|
|
|
xor_key = 0
|
|
xor_key_str = ''
|
|
enc_len_str = ''
|
|
loop do
|
|
xor_key = rand(0x10000)
|
|
xor_key_str = [xor_key].pack('v')
|
|
enc_len_str = [state.encoded.length ^ xor_key].pack('v')
|
|
next if has_badchars?(xor_key_str, state.badchars)
|
|
next if has_badchars?(enc_len_str, state.badchars)
|
|
break
|
|
end
|
|
|
|
marker_str = [@key_marker].pack('v')
|
|
|
|
state.encoded.sub!(marker_str, enc_len_str)
|
|
state.encoded.sub!(marker_str, xor_key_str)
|
|
end
|
|
|
|
end
|