From e02eb0d2ebbc64ef1ec6200fa8657d4d3ca73b08 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Tue, 17 Jan 2006 04:09:40 +0000 Subject: [PATCH] Fixed to NOP vs Nop, Encoder vs ENCODER, setting the preferred NOP Fixed multiple CPU spinning bugs in the alpha2 encoders Fixed SiteReference to expose site type and value git-svn-id: file:///home/svn/incoming/trunk@3401 4d416f70-5f16-0410-b530-b9f4589650da --- lib/msf/base/simple/exploit.rb | 2 +- lib/msf/core/encoded_payload.rb | 4 +-- lib/msf/core/exploit.rb | 4 +-- lib/msf/core/module/reference.rb | 39 ++++++++++++++----------- lib/rex/encoder/alpha2/generic.rb | 26 ++++++++++------- lib/rex/encoder/alpha2/unicode_mixed.rb | 9 +++--- lib/rex/encoder/alpha2/unicode_upper.rb | 11 +++---- lib/rex/text.rb | 25 ++++++++++++++++ 8 files changed, 79 insertions(+), 41 deletions(-) diff --git a/lib/msf/base/simple/exploit.rb b/lib/msf/base/simple/exploit.rb index 274e5ff05e..419bf9627f 100644 --- a/lib/msf/base/simple/exploit.rb +++ b/lib/msf/base/simple/exploit.rb @@ -79,7 +79,7 @@ module Exploit # Use the supplied encoder, if any. If one was not specified, then # nil will be assigned causing the exploit to default to picking the # best encoder. - exploit.datastore['Encoder'] = opts['Encoder'] + exploit.datastore['ENCODER'] = opts['Encoder'] # Force the payload to share the exploit's datastore driver.payload.share_datastore(driver.exploit.datastore) diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb index 79b7e4c394..a8f7324c0f 100644 --- a/lib/msf/core/encoded_payload.rb +++ b/lib/msf/core/encoded_payload.rb 
@@ -200,8 +200,8 @@ class EncodedPayload # If the caller had a preferred nop, try to find it and prefix it if ((reqs['Nop']) and - (preferred = framework.encoders[reqs['Nop']])) - encoders.unshift([reqs['Nop'], preferred ]) + (preferred = framework.nops[reqs['Nop']])) + nops.unshift([reqs['Nop'], preferred ]) elsif (reqs['Nop']) wlog("#{pinst.refname}: Failed to find preferred nop #{reqs['Nop']}") end diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb index 792ac56e0a..ac986a83f7 100644 --- a/lib/msf/core/exploit.rb +++ b/lib/msf/core/exploit.rb @@ -367,8 +367,8 @@ class Exploit < Msf::Module reqs['Append'] = payload_append reqs['MaxNops'] = payload_max_nops reqs['MinNops'] = payload_min_nops - reqs['Encoder'] = datastore['Encoder'] - reqs['Nop'] = datastore['Nop'] + reqs['Encoder'] = datastore['ENCODER'] + reqs['Nop'] = datastore['NOP'] reqs['EncoderType'] = payload_encoder_type reqs['EncoderOptions'] = payload_encoder_options diff --git a/lib/msf/core/module/reference.rb b/lib/msf/core/module/reference.rb index d3bb2158a3..5610302c4b 100644 --- a/lib/msf/core/module/reference.rb +++ b/lib/msf/core/module/reference.rb 
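Review bot: `nops.unshift([reqs['Nop'], preferred])` puts the preferred NOP at the head of the candidate list without checking whether the same module is already in it, so on a failure the same generator is presumably attempted twice before the real fallbacks run. Since `nops` is a list of `[refname, module]` pairs, drop any existing entry first with `nops.reject! { |name, _| name == reqs['Nop'] }` immediately before the `unshift`, or skip the `unshift` when `nops.assoc(reqs['Nop'])` is non-nil. How `nops` is populated is outside this hunk, so whether it can already contain the preferred entry cannot be confirmed here; the enclosing method also continues past the hunk.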
@@ -87,24 +87,25 @@ class Msf::Module::SiteReference < Msf::Module::Reference # # Initialize the site reference. # - def initialize(in_site = nil, in_ctx_id = nil) - self.ctx_id = in_ctx_id + def initialize(in_ctx_id = 'Unknown', in_ctx_val = '') + self.ctx_id = in_ctx_id + self.ctx_val = in_ctx_val - if (in_site == 'OSVDB') - self.site = 'http://www.osvdb.org/' + in_ctx_id.to_s - elsif (in_site == 'CVE') - self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_id.to_s - elsif (in_site == 'BID') - self.site = 'http://www.securityfocus.com/bid/' + in_ctx_id.to_s - elsif (in_site == 'MSB') - self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_id.to_s + '.mspx' - elsif (in_site == 'MIL') - self.site = 'http://milw0rm.com/metasploit.php?id=' + in_ctx_id.to_s - elsif (in_site == 'URL') - self.site = in_ctx_id.to_s + if (in_ctx_id == 'OSVDB') + self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s + elsif (in_ctx_id == 'CVE') + self.site = 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=' + in_ctx_val.to_s + elsif (in_ctx_id == 'BID') + self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s + elsif (in_ctx_id == 'MSB') + self.site = 'http://www.microsoft.com/technet/security/bulletin/' + in_ctx_val.to_s + '.mspx' + elsif (in_ctx_id == 'MIL') + self.site = 'http://milw0rm.com/metasploit.php?id=' + in_ctx_val.to_s + elsif (in_ctx_id == 'URL') + self.site = in_ctx_val.to_s else - self.site = in_site - self.site += " (#{in_ctx_id.to_s})" if (in_ctx_id) + self.site = in_ctx_id + self.site += " (#{in_ctx_val.to_s})" if (in_ctx_val) end end @@ -136,10 +137,14 @@ class Msf::Module::SiteReference < Msf::Module::Reference # The context identifier of the site, such as OSVDB. # attr_reader :ctx_id + # + # The context value of the reference, such as MS02-039 + # + attr_reader :ctx_val protected - attr_writer :site, :ctx_id + attr_writer :site, :ctx_id, :ctx_val end 
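Review bot: In the fallthrough `else` branch of the new `initialize`, `self.site += " (#{in_ctx_val.to_s})" if (in_ctx_val)` is always taken for the new default `in_ctx_val = ''`, because an empty string is truthy in Ruby, so a reference built with only a site name renders as `Foo ()`; change the guard to `if (in_ctx_val and not in_ctx_val.to_s.empty?)`. The OSVDB/CVE/BID/MSB/MIL branches also concatenate `in_ctx_val` straight into a URL with no escaping; these values come from module metadata rather than from the network, but a stray space or `&` still yields a broken link, so consider escaping the value (or restricting it to the id's expected character set) if these URLs are ever rendered in a UI. The chain of `elsif (in_ctx_id == ...)` comparisons would read more naturally as `case in_ctx_id ... when 'OSVDB'`. The method's signature is inside the hunk but the class continues outside it.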
diff --git a/lib/rex/encoder/alpha2/generic.rb b/lib/rex/encoder/alpha2/generic.rb index 9ddd564425..dc9f20918e 100644 --- a/lib/rex/encoder/alpha2/generic.rb +++ b/lib/rex/encoder/alpha2/generic.rb @@ -21,11 +21,12 @@ class Generic return '' end - def Generic.gen_base(max) + def Generic.gen_base_set(ignored_max=0x0f) # 0xf is max for XOR encodings - non-unicode - max = 0xf - - (rand(max) * 0x10) + max = 0x0f + Rex::Text.shuffle_a( + [* ( (0..(max-1)).map { |i| i *= 0x10 } ) ] + ) end def Generic.gen_second(block, base) @@ -34,13 +35,18 @@ class Generic end def Generic.encode_byte(block) - first = 0 - second = 1 - - while ( !(@@accepted_chars.include?(second.chr)) ) - randbase = gen_base(block) - second = gen_second(block, randbase) + first = 0 + second = 1 + randbase = 0 + + gen_base_set(block).each do |randbase| + second = gen_second(block, randbase) + next if second < 0 + break if @@accepted_chars.include?(second.chr) end + + raise RuntimeError, "Negative" if second < 0 + raise RuntimeError, "BadChar" if not @@accepted_chars.include?(second.chr) if (randbase > 0xa0) # first num must be 4 diff --git a/lib/rex/encoder/alpha2/unicode_mixed.rb b/lib/rex/encoder/alpha2/unicode_mixed.rb index 8298f1bc78..824a6f95c0 100644 --- a/lib/rex/encoder/alpha2/unicode_mixed.rb +++ b/lib/rex/encoder/alpha2/unicode_mixed.rb @@ -8,11 +8,12 @@ module Alpha2 class UnicodeMixed < Generic - def self.gen_base(max) - max = max >> 4 - (rand(max) * 0x10) + def self.gen_base_set(max) + Rex::Text.shuffle_a( + [* ( (0..(max-1)).map { |i| i *= 0x10 } ) ] + ) end - + def self.gen_second(block, base) # unicode uses additive encoding (block - base) diff --git a/lib/rex/encoder/alpha2/unicode_upper.rb b/lib/rex/encoder/alpha2/unicode_upper.rb index acad552ac6..5583e02222 100644 --- a/lib/rex/encoder/alpha2/unicode_upper.rb +++ b/lib/rex/encoder/alpha2/unicode_upper.rb 
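Review bot: `Generic.gen_base_set(ignored_max=0x0f)` accepts a parameter that the next statement discards (`max = 0x0f`), while the `UnicodeMixed`/`UnicodeUpper` overrides honor theirs, so the same call `gen_base_set(block)` has a different meaning per class and a reader of the base class cannot tell why. If the argument must stay for signature compatibility, say so at the point it is dropped: `# max is ignored: XOR encoding needs base + second < 0x100, so 0x0f is the only valid bound here`. The `[* ( ... ) ]` splat wrapper around a `map` result is a no-op, since `map` already returns an array.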
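Review bot: `encode_byte` initializes `randbase = 0` and then iterates with `gen_base_set(block).each do |randbase|`, relying on the block parameter writing through to the outer local so that the following `if (randbase > 0xa0)` sees the accepted base; that holds under Ruby 1.8 block-parameter semantics, but in 1.9+ a same-named block parameter is block-local, the outer `randbase` stays 0 and the wrong `first` nibble is chosen silently. Use a distinct block variable and assign explicitly: `gen_base_set(block).each do |candidate|`, `randbase = candidate`, then the existing `second = gen_second(block, randbase)`. The two `raise` lines after the loop also report `"Negative"` whenever the last candidate happened to underflow even if earlier candidates were merely bad chars, although both cases mean the same thing — no base produced an accepted character for this byte — so one `raise RuntimeError, "BadChar"` unless the accepted check passed is both simpler and less misleading. The method body continues past the end of the hunk.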
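Review bot: The new `gen_base_set(max)` drops the `max >> 4` scaling that the removed `gen_base` applied, so `(0..(max-1)).map { |i| i *= 0x10 }` enumerates `max` candidates reaching up to `(max-1) * 0x10` — for a byte near 0xff that is about 255 bases, most of them larger than the byte itself and able only to produce a negative difference that the caller must skip. Because this encoder is additive (`block - base`, per the comment on `gen_second` below) and every accepted character is at least 0x30, a base at or above the byte's high nibble can never succeed, so `(0..((max >> 4) - 1)).map { |i| i * 0x10 }` restores a set of at most 15 useful bases while keeping the bounded-iteration fix; `i *= 0x10` also needlessly reassigns the block variable where `i * 0x10` is meant. Whether the caller tolerates out-of-range bases depends on `encode_byte` in generic.rb, which is outside this hunk.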
@@ -8,12 +8,13 @@ module Alpha2 class UnicodeUpper < Generic @@accepted_chars = ('B' .. 'Z').to_a + ('0' .. '9').to_a - - def self.gen_base(max) - max = max >> 4 - (rand(max) * 0x10) - end + def self.gen_base_set(max) + Rex::Text.shuffle_a( + [* ( (0..(max-1)).map { |i| i *= 0x10 } ) ] + ) + end + def self.gen_second(block, base) # unicode uses additive encoding (block - base) diff --git a/lib/rex/text.rb b/lib/rex/text.rb index b53a2c7c57..db88d8b4f6 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -398,6 +398,31 @@ module Text [*(0..255)].pack('C*').delete(keepers) end + # + # Shuffles a byte stream + # + def self.shuffle_s(str) + shuffle_a(str.unpack("C*")).pack("C*") + end + + # + # Performs a Fisher-Yates shuffle on an array + # + def self.shuffle_a(arr) + len = arr.length + max = len - 1 + cyc = [* (0..max) ] + for d in cyc + e = rand(d+1) + next if e == d + f = arr[d]; + g = arr[e]; + arr[d] = g; + arr[e] = f; + end + return arr + end + protected def self.converge_sets(sets, idx, offsets, length) # :nodoc:
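Review bot: This `gen_base_set(max)` is byte-for-byte the body now in `UnicodeMixed.gen_base_set`, and like it drops the `max >> 4` bound of the removed `gen_base`, so the candidate list grows to `max` entries ranging up to `(max-1) * 0x10` rather than at most 15 bases below the byte's high nibble. Rather than a third copy, a single shared helper in `Generic`, e.g. `def self.additive_base_set(max) Rex::Text.shuffle_a((0..((max >> 4) - 1)).map { |i| i * 0x10 }) end`, called from both unicode overrides would remove the duplication and the pointless `i *= 0x10` assignment inside `map`. Only `gen_base_set` is fully inside this hunk; `gen_second` continues past it.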
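Review bot: `shuffle_a` reorders `arr` in place and then returns the very same object, but its comment only says it performs a Fisher-Yates shuffle, so a caller passing a shared or constant array will find it silently permuted; either state it — `# Shuffles +arr+ in place (Fisher-Yates) and returns it; pass arr.dup to keep the original` — or start with `arr = arr.dup` so the method is pure. The swap through `f`/`g` with trailing semicolons is idiomatically `arr[d], arr[e] = arr[e], arr[d]`, and `for d in cyc` over a materialized `[* (0..max) ]` allocates an index array that `arr.each_index do |d|` avoids. The loop itself (`e = rand(d+1)` then swap) is the forward Fisher-Yates variant and is unbiased; note that `Kernel#rand` is a non-cryptographic PRNG, which is fine for shellcode padding but must not be relied on where unpredictability matters. `shuffle_s` unpacking with `"C*"` reorders bytes, not characters, which is presumably intended for byte streams.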