2006-01-06 00:57:14 +00:00
|
|
|
#!/usr/bin/env ruby
|
|
|
|
|
|
|
|
|
|
require 'rex/text'
|
|
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
|
module Encoder
|
|
|
|
|
module Alpha2
|
|
|
|
|
|
|
|
|
|
class Generic
|
2006-12-28 05:19:31 +00:00
|
|
|
|
|
|
|
|
@@default_accepted_chars = ('a' .. 'z').to_a + ('B' .. 'Z').to_a + ('0' .. '9').to_a
|
2006-01-27 05:33:08 +00:00
|
|
|
|
2006-01-06 00:57:14 +00:00
|
|
|
def Generic.gen_decoder_prefix(reg, offset)
|
|
|
|
|
# Should never happen - have to pick a specifc
|
|
|
|
|
# encoding:
|
|
|
|
|
# alphamixed, alphaupper, unicodemixed, unicodeupper
|
|
|
|
|
''
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def Generic.gen_decoder(reg, offset)
|
|
|
|
|
# same as above
|
|
|
|
|
return ''
|
|
|
|
|
end
|
|
|
|
|
|
2006-01-17 04:09:40 +00:00
|
|
|
def Generic.gen_base_set(ignored_max=0x0f)
|
2006-01-06 00:57:14 +00:00
|
|
|
# 0xf is max for XOR encodings - non-unicode
|
2006-01-17 04:09:40 +00:00
|
|
|
max = 0x0f
|
|
|
|
|
Rex::Text.shuffle_a(
|
|
|
|
|
[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
|
|
|
|
|
)
|
2006-01-06 00:57:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def Generic.gen_second(block, base)
|
|
|
|
|
# XOR encoder for ascii - unicode uses additive
|
|
|
|
|
(block^base)
|
|
|
|
|
end
|
|
|
|
|
|
2006-01-18 15:21:41 +00:00
|
|
|
def Generic.encode_byte(block, badchars)
|
2006-12-28 05:19:31 +00:00
|
|
|
accepted_chars = @@default_accepted_chars.dup
|
2006-01-17 04:09:40 +00:00
|
|
|
|
2006-01-18 15:21:41 +00:00
|
|
|
# Remove bad chars from the accepted_chars list. Sadly 'A' must be
|
|
|
|
|
# an accepted char or we'll certainly fail at this point. This could
|
|
|
|
|
# be fixed later maybe with some recalculation of the encoder stubs...
|
|
|
|
|
# - Puss
|
2006-12-28 05:19:31 +00:00
|
|
|
(badchars || '').split('').each { |c| accepted_chars.delete(c) }
|
|
|
|
|
|
|
|
|
|
first = 0
|
|
|
|
|
second = 1
|
|
|
|
|
randbase = 0
|
2006-01-18 15:21:41 +00:00
|
|
|
|
2006-01-17 04:09:40 +00:00
|
|
|
gen_base_set(block).each do |randbase|
|
2006-01-19 16:55:09 +00:00
|
|
|
second = gen_second(block, randbase)
|
2006-01-17 04:09:40 +00:00
|
|
|
next if second < 0
|
2006-12-28 05:19:31 +00:00
|
|
|
break if accepted_chars.include?(second.chr)
|
2006-01-06 00:57:14 +00:00
|
|
|
end
|
2006-01-17 04:09:40 +00:00
|
|
|
|
|
|
|
|
raise RuntimeError, "Negative" if second < 0
|
2006-12-28 05:19:31 +00:00
|
|
|
raise RuntimeError, "BadChar; #{block} to #{second}" if not accepted_chars.include?(second.chr)
|
2006-01-06 00:57:14 +00:00
|
|
|
|
|
|
|
|
if (randbase > 0xa0)
|
|
|
|
|
# first num must be 4
|
|
|
|
|
first = (randbase/0x10) + 0x40
|
2006-04-27 16:23:02 +00:00
|
|
|
elsif (randbase == 0x00) || (randbase == 0x10)
|
2006-01-06 00:57:14 +00:00
|
|
|
# first num must be 5
|
|
|
|
|
first = (randbase/0x10) + 0x50
|
|
|
|
|
else
|
|
|
|
|
# pick one at "random"
|
2006-01-06 02:26:22 +00:00
|
|
|
first = (randbase/0x10)
|
2006-01-06 00:57:14 +00:00
|
|
|
if (first % 2)
|
|
|
|
|
first += 0x40
|
|
|
|
|
else
|
|
|
|
|
randbase += 0x50
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# now add our new bytes :)
|
2006-01-06 02:26:22 +00:00
|
|
|
first.to_i.chr + second.chr
|
2006-01-06 00:57:14 +00:00
|
|
|
end
|
|
|
|
|
|
2006-12-28 05:19:31 +00:00
|
|
|
def Generic.encode(buf, reg, offset, badchars = '')
|
2006-01-06 00:57:14 +00:00
|
|
|
encoded = gen_decoder(reg, offset)
|
|
|
|
|
|
|
|
|
|
buf.each_byte {
|
|
|
|
|
|block|
|
|
|
|
|
|
2006-12-28 05:19:31 +00:00
|
|
|
encoded += encode_byte(block, badchars)
|
2006-01-06 00:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
encoded += add_terminator()
|
|
|
|
|
|
|
|
|
|
return encoded
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# 'A' signifies the end of the encoded shellcode
|
|
|
|
|
def Generic.add_terminator()
|
|
|
|
|
'AA'
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end end end end
|
