Fixed to NOP vs Nop, Encoder vs ENCODER, setting the preferred NOP

Fixed multiple CPU spinning bugs in the alpha2 encoders Fixed SiteReference to expose site type and value git-svn-id: file:///home/svn/incoming/trunk@3401 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-17 04:09:40 +00:00
parent dc83e49db2
commit e02eb0d2eb
8 changed files with 79 additions and 41 deletions
@@ -79,7 +79,7 @@ module Exploit
 		# Use the supplied encoder, if any.  If one was not specified, then
 		# nil will be assigned causing the exploit to default to picking the
 		# best encoder.
-		exploit.datastore['Encoder'] = opts['Encoder']
+		exploit.datastore['ENCODER'] = opts['Encoder']

 		# Force the payload to share the exploit's datastore
 		driver.payload.share_datastore(driver.exploit.datastore)
@@ -200,8 +200,8 @@ class EncodedPayload

 			# If the caller had a preferred nop, try to find it and prefix it
 			if ((reqs['Nop']) and
-			    (preferred = framework.encoders[reqs['Nop']]))
-				encoders.unshift([reqs['Nop'], preferred ])
+			    (preferred = framework.nops[reqs['Nop']]))
+				nops.unshift([reqs['Nop'], preferred ])
 			elsif (reqs['Nop'])
 				wlog("#{pinst.refname}: Failed to find preferred nop #{reqs['Nop']}")
 			end
@@ -367,8 +367,8 @@ class Exploit < Msf::Module
 		reqs['Append']         = payload_append
 		reqs['MaxNops']        = payload_max_nops
 		reqs['MinNops']        = payload_min_nops
-		reqs['Encoder']        = datastore['Encoder']
-		reqs['Nop']            = datastore['Nop']
+		reqs['Encoder']        = datastore['ENCODER']
+		reqs['Nop']            = datastore['NOP']
 		reqs['EncoderType']    = payload_encoder_type
 		reqs['EncoderOptions'] = payload_encoder_options

@@ -87,24 +87,25 @@ class Msf::Module::SiteReference < Msf::Module::Reference
 	#
 	# Initialize the site reference.
 	#
-	def initialize(in_site = nil, in_ctx_id = nil)
-		self.ctx_id = in_ctx_id
+	def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
+		self.ctx_id  = in_ctx_id
+		self.ctx_val = in_ctx_val

-		if (in_site == 'OSVDB')
-			self.site = 'http://www.osvdb.org/' + in_ctx_id.to_s
-		elsif (in_site == 'CVE')
-			self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_id.to_s
-		elsif (in_site == 'BID')
-			self.site = 'http://www.securityfocus.com/bid/' + in_ctx_id.to_s
-		elsif (in_site == 'MSB')
-			self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_id.to_s + '.mspx'
-		elsif (in_site == 'MIL')
-			self.site = 'http://milw0rm.com/metasploit.php?id=' + in_ctx_id.to_s
-		elsif (in_site == 'URL')
-			self.site = in_ctx_id.to_s
+		if (in_ctx_id == 'OSVDB')
+			self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
+		elsif (in_ctx_id == 'CVE')
+			self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_val.to_s
+		elsif (in_ctx_id == 'BID')
+			self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
+		elsif (in_ctx_id == 'MSB')
+			self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_val.to_s + '.mspx'
+		elsif (in_ctx_id == 'MIL')
+			self.site = 'http://milw0rm.com/metasploit.php?id=' + in_ctx_val.to_s
+		elsif (in_ctx_id == 'URL')
+			self.site = in_ctx_val.to_s
 		else
-			self.site  = in_site
-			self.site += " (#{in_ctx_id.to_s})" if (in_ctx_id)
+			self.site  = in_ctx_id
+			self.site += " (#{in_ctx_val.to_s})" if (in_ctx_val)
 		end
 	end

@@ -136,10 +137,14 @@ class Msf::Module::SiteReference < Msf::Module::Reference
 	# The context identifier of the site, such as OSVDB.
 	#
 	attr_reader :ctx_id
+	#
+	# The context value of the reference, such as MS02-039
+	#
+	attr_reader :ctx_val

 protected

-	attr_writer :site, :ctx_id
+	attr_writer :site, :ctx_id, :ctx_val

 end

@@ -21,11 +21,12 @@ class Generic
 		return ''
 	end

-	def Generic.gen_base(max)
+	def Generic.gen_base_set(ignored_max=0x0f)
 		# 0xf is max for XOR encodings - non-unicode
-		max = 0xf
-
-		(rand(max) * 0x10)
+		max = 0x0f
+		Rex::Text.shuffle_a(
+			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
+		)
 	end

 	def Generic.gen_second(block, base)
@@ -34,13 +35,18 @@ class Generic
 	end

 	def Generic.encode_byte(block)
-		first   = 0
-		second  = 1
-
-		while ( !(@@accepted_chars.include?(second.chr)) )
-			randbase = gen_base(block)
-			second = gen_second(block, randbase)
+		first    = 0
+		second   = 1
+		randbase = 0
+		
+		gen_base_set(block).each do |randbase|
+			second   = gen_second(block, randbase)
+			next  if second < 0
+			break if @@accepted_chars.include?(second.chr)
 		end
+		
+		raise RuntimeError, "Negative" if second < 0
+		raise RuntimeError, "BadChar"  if not @@accepted_chars.include?(second.chr)

 		if (randbase > 0xa0)
 			# first num must be 4
@@ -8,11 +8,12 @@ module Alpha2

 class UnicodeMixed < Generic

-	def self.gen_base(max)
-		max = max >> 4
-		(rand(max) * 0x10)
+	def self.gen_base_set(max)
+		Rex::Text.shuffle_a(
+			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
+		)
 	end
-
+	
 	def self.gen_second(block, base)
 		# unicode uses additive encoding
 		(block - base)
@@ -8,12 +8,13 @@ module Alpha2

 class UnicodeUpper < Generic
 	@@accepted_chars = ('B' .. 'Z').to_a + ('0' .. '9').to_a
-   
-	def self.gen_base(max)
-		max = max >> 4
-		(rand(max) * 0x10)
-	end

+	def self.gen_base_set(max)
+		Rex::Text.shuffle_a(
+			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
+		)
+	end
+	
 	def self.gen_second(block, base)
 		# unicode uses additive encoding
 		(block - base)
@@ -398,6 +398,31 @@ module Text
 		[*(0..255)].pack('C*').delete(keepers)
 	end

+	#
+	#  Shuffles a byte stream
+	#
+	def self.shuffle_s(str)
+		shuffle_a(str.unpack("C*")).pack("C*")
+	end
+
+	#
+	# Performs a Fisher-Yates shuffle on an array
+	#
+	def self.shuffle_a(arr)
+		len = arr.length
+		max = len - 1
+		cyc = [* (0..max) ]
+		for d in cyc
+			e = rand(d+1)
+			next if e == d
+			f = arr[d];
+			g = arr[e];
+			arr[d] = g;
+			arr[e] = f;
+		end
+		return arr
+	end
+
 protected

 	def self.converge_sets(sets, idx, offsets, length) # :nodoc: