librex 0.0.1

data/lib/rex/encoder/alpha2/generic.rb

@@ -0,0 +1,113 @@
+#!/usr/bin/env ruby
+
+require 'rex/text'
+
+module Rex
+module Encoder
+module Alpha2
+
+class Generic
+
+	def Generic.default_accepted_chars ; ('a' .. 'z').to_a + ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
+
+	def Generic.gen_decoder_prefix(reg, offset)
+		# Should never happen - have to pick a specifc
+		# encoding:
+		# alphamixed, alphaupper, unicodemixed, unicodeupper
+		''
+	end
+
+	def Generic.gen_decoder(reg, offset)
+		# same as above
+		return ''
+	end
+
+	def Generic.gen_base_set(ignored_max=0x0f)
+		# 0xf is max for XOR encodings - non-unicode
+		max = 0x0f
+		Rex::Text.shuffle_a(
+			[* ( (0..(max)).map { |i| i *= 0x10 } ) ]
+		)
+	end
+
+	def Generic.gen_second(block, base)
+		# XOR encoder for ascii - unicode uses additive
+		(block^base)
+	end
+
+	def Generic.encode_byte(block, badchars)
+		accepted_chars = default_accepted_chars.dup
+
+
+		# Remove bad chars from the accepted_chars list.  Sadly 'A' must be
+		# an accepted char or we'll certainly fail at this point.  This could
+		# be fixed later maybe with some recalculation of the encoder stubs...
+		# - Puss
+		(badchars || '').unpack('C*').map { |c| accepted_chars.delete([c].pack('C')) }
+
+		first    = 0
+		second   = 1
+		randbase = 0
+		found    = nil
+
+
+		gen_base_set(block).each do |randbase_|
+			second   = gen_second(block, randbase_)
+			next if second < 0
+			if(accepted_chars.include?([second].pack('C')))
+				found    = second
+				randbase = randbase_
+				break
+			end
+		end
+
+		if(not found)
+			raise RuntimeError, "No valid base found for #{"0x%.2x" % block}"
+		end
+
+		raise RuntimeError, "Negative" if second < 0
+		if !(accepted_chars.include?([second].pack('C')))
+			raise RuntimeError, "BadChar; #{block} to #{second}"
+		end
+
+		if (randbase > 0xa0)
+			# first num must be 4
+			first = (randbase/0x10) + 0x40
+		elsif (randbase == 0x00) || (randbase == 0x10)
+			# first num must be 5
+			first = (randbase/0x10) + 0x50
+		else
+			# pick one at "random"
+			first = (randbase/0x10)
+			if (first % 2)
+				first += 0x40
+			else
+				randbase += 0x50
+			end
+		end
+
+		# now add our new bytes :)
+		[first.to_i, second].pack('CC')
+	end
+
+	def Generic.encode(buf, reg, offset, badchars = '')
+		encoded = gen_decoder(reg, offset)
+
+		buf.each_byte {
+			|block|
+
+			encoded += encode_byte(block, badchars)
+		}
+
+		encoded += add_terminator()
+
+		return encoded
+	end
+
+	# 'A' signifies the end of the encoded shellcode
+	def Generic.add_terminator()
+		'AA'
+	end
+
+end end end end
+

data/lib/rex/encoder/alpha2/unicode_mixed.rb

@@ -0,0 +1,117 @@
+#!/usr/bin/env ruby
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class UnicodeMixed < Generic
+
+	def self.gen_base_set(max)
+		Rex::Text.shuffle_a(
+			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
+		)
+	end
+	
+	def self.gen_second(block, base)
+		# unicode uses additive encoding
+		(block - base)
+	end
+	
+	def self.gen_decoder_prefix(reg, offset)
+		if (offset > 28)
+			 raise "Critical: Offset is greater than 28"
+		end
+
+		# offset untested for unicode :(
+		if (offset <= 14)
+			nop = 'CP' * offset
+			mod = 'IA' * (14 - offset) + nop    # dec ecx,,, push ecx, pop edx
+		else
+			mod = 'AA' * (offset - 14)			# inc ecx
+			nop = 'CP' * (14 - mod.length)
+			mod += nop
+		end	
+		regprefix = {                       # nops ignored below
+			'EAX'   => 'PPYA' + mod,         # push eax, pop ecx
+			'ECX'   =>  mod + "4444",        # dec ecx
+			'EDX'   => 'RRYA' + mod,         # push edx, pop ecx
+			'EBX'   => 'SSYA' + mod,         # push ebx, pop ecx
+			'ESP'   => 'TUYA' + mod,         # push esp, pop ecx
+			'EBP'   => 'UUYA' + mod,         # push ebp, pop ecx
+			'ESI'   => 'VVYA' + mod,         # push esi, pop ecx
+			'EDI'   => 'WWYA' + mod,         # push edi, pop edi
+		}
+
+		return regprefix[reg]	
+	end
+
+	def self.gen_decoder(reg, offset)
+		decoder =
+			gen_decoder_prefix(reg, offset) +
+			"j" +               # push 0
+			"XA" +              # pop eax, NOP
+			"QA" +              # push ecx, NOP
+			"DA" +              # inc esp, NOP
+			"ZA" +              # pop edx, NOP
+			"BA" +              # inc edx, NOP
+			"RA" +              # push edx, NOP
+			"LA" +              # dec esp, NOP
+			"YA" +              # pop ecx, NOP
+			"IA" +              # dec ecx, NOP
+			"QA" +              # push ecx, NOP
+			"IA" +              # dec ecx, NOP
+			"QA" +              # push ecx, NOP
+			"IA" +              # dec ecx, NOP
+			"hAAA" +            # push 00410041, NOP
+			"Z" +               # pop edx
+			"1A" +              # add [ecx], dh NOP
+			"IA" +              # dec ecx, NOP
+			"IA" +              # dec ecx, NOP
+			"J" +               # dec edx
+			"1" +               # add [ecx], dh
+			"1A" +              # add [ecx], dh NOP
+			"IA" +              # dec ecx, NOP
+			"IA" +              # dec ecx, NOP
+			"BA" +              # inc edx, NOP
+			"BA" +              # inc edx, NOP
+			"B" +               # inc edx
+			"Q" +               # add [ecx], dl
+			"I" +               # dec ecx
+			"1A" +              # add [ecx], dh NOP
+			"I" +               # dec ecx
+			"Q" +               # add [ecx], dl
+			"IA" +              # dec ecx, NOP
+			"I" +               # dec ecx
+			"Q" +               # add [ecx], dh
+			"I" +               # dec ecx
+			"1" +               # add [ecx], dh
+			"1" +               # add [ecx], dh
+			"1A" +              # add [ecx], dh NOP
+			"IA" +              # dec ecx, NOP
+			"J" +               # dec edx
+			"Q" +               # add [ecx], dl 
+			"YA" +              # pop ecx, NOP
+			"Z" +               # pop edx
+			"B" +               # add [edx], al
+			"A" +               # inc ecx       <-------
+			"B" +               # add [edx], al         |
+			"A" +               # inc ecx               |
+			"B" +               # add [edx], al         |
+			"A" +               # inc ecx               |
+			"B" +               # add [edx], al         |
+			"A" +               # inc ecx               |
+			"B" +               # add [edx], al         |
+			"kM" +              # imul eax, [eax], 10 * |
+			"A" +               # add [edx], al         |
+			"G" +               # inc edi               | 
+			"B" +               # add [edx], al         |
+			"9" +               # cmp [eax], eax        |
+			"u" +               # jnz ------------------      
+			"4JB"
+
+		return decoder
+	end
+
+end end end end

data/lib/rex/encoder/alpha2/unicode_upper.rb

@@ -0,0 +1,129 @@
+#!/usr/bin/env ruby
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class UnicodeUpper < Generic
+	def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
+
+	def self.gen_base_set(max)
+		Rex::Text.shuffle_a(
+			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
+		)
+	end
+	
+	def self.gen_second(block, base)
+		# unicode uses additive encoding
+		(block - base)
+	end
+
+	def self.gen_decoder_prefix(reg, offset)
+		if (offset > 8)
+			raise "Critical: Offset is greater than 8"
+		end
+
+		# offset untested for unicode :(
+		if (offset <= 4)
+			nop = 'CP' * offset
+			mod = 'IA' * (4 - offset) + nop    # dec ecx,,, push ecx, pop edx
+		else
+			mod = 'AA' * (offset - 4)          # inc ecx
+			nop = 'CP' * (4 - mod.length)
+			mod += nop
+		end
+
+		regprefix = {                      # nops ignored below
+			'EAX'   => 'PPYA' + mod,        # push eax, pop ecx
+			'ECX'   =>  mod + '4444',       # dec ecx
+			'EDX'   => 'RRYA' + mod,        # push edx, pop ecx
+			'EBX'   => 'SSYA' + mod,        # push ebx, pop ecx
+			'ESP'   => 'TUYA' + mod,        # push esp, pop ecx
+			'EBP'   => 'UUYA' + mod,        # push ebp, pop ecx
+			'ESI'   => 'VVYA' + mod,        # push esi, pop ecx
+			'EDI'   => 'WWYA' + mod,        # push edi, pop edi
+			'[ESP]' => 'YA' + mod + '44',   #
+			'[ESP+4]' => 'YUYA' + mod,      # 
+		}
+
+		return regprefix[reg]
+	end
+
+	def self.gen_decoder(reg, offset)
+		decoder =
+			gen_decoder_prefix(reg, offset) +
+			"QA" +                  # push ecx, NOP
+			"TA" +                  # push esp, NOP
+			"XA" +                  # pop eax, NOP
+			"ZA" +                  # pop edx, NOP
+			"PU" +                  # push eax, NOP
+			"3" +                   # xor eax, [eax]
+			"QA" +                  # push ecx, NOP
+			"DA" +                  # inc esp, NOP
+			"ZA" +                  # pop edx, NOP
+			"BA" +                  # inc edx, NOP
+			"RA" +                  # push edx, NOP
+			"LA" +                  # dec esp, NOP
+			"YA" +                  # pop ecx, NOP
+			"IA" +                  # dec ecx, NOP
+			"QA" +                  # push ecx, NOP
+			"IA" +                  # dec ecx, NOP
+			"QA" +                  # push ecx, NOP
+			"PA" +                  # push eax, NOP
+			"5AAA" +                # xor eax, 41004100 - NOP
+			"PA" +                  # push eax, NOP
+			"Z" +                   # pop edx
+			"1A" +                  # add [ecx], dh - NOP
+			"I" +                   # dec ecx
+			"1A" +                  # add [ecx], dh - NOP
+			"IA" +                  # dec ecx, NOP
+			"IA" +                  # dec ecx, NOP
+			"J" +                   # dec edx
+			"1" +                   # add [ecx], dh
+			"1A" +                  # add [ecx], dh - NOP
+			"IA" +                  # dec ecx, NOP
+			"IA" +                  # dec ecx, NOP
+			"XA" +                  # pop eax, NOP
+			"58AA" +                # xor eax, 41003800 - NOP
+			"PA" +                  # push eax, NOP
+			"ZA" +                  # pop edx, NOP
+			"BA" +                  # inc edx, NOP
+			"B" +                   # inc edx
+			"Q" +                   # add [ecx], dl
+			"I" +                   # dec ecx
+			"1A" +                  # add [ecx], dh - NOP
+			"I" +                   # dec ecx
+			"Q" +                   # add [ecx], dl
+			"IA" +                  # dec ecx, NOP
+			"I" +                   # dec ecx
+			"Q" +                   # add [ecx], dl
+			"I" +                   # dec ecx
+			"1" +                   # add [ecx], dh
+			"1" +                   # add [ecx], dh
+			"1" +                   # add [ecx], dh
+			"1A" +                  # add [ecx], dh - NOP
+			"IA" +                  # dec ecx, NOP
+			"J" +                   # dec edx
+			"Q" +                   # add [ecx], dl
+			"I" +                   # dec edx
+			"1A" +                  # add [ecx], dh - NOP
+			"YA" +                  # pop ecx, NOP
+			"ZB" +                  # pop edx, NOP
+			"AB" +                  # inc ecx, NOP      <-------
+			"AB" +                  # inc ecx, NOP              |
+			"AB" +                  # inc ecx, NOP              |
+			"AB" +                  # inc ecx, NOP              |
+			"30" +                  # imul eax, [ecx], 10 *     |
+			"A" +                   # add al, [ecx+2] *         |
+			"P" +                   # mov [edx], al *           |
+			"B" +                   # inc edx                   |
+			"9" +                   # cmp [ecx], 41 *           |
+			"4" +                   # jnz   --------------------
+			"4JB"
+
+		return decoder
+	end
+
+end end end end

data/lib/rex/encoder/ndr.rb

@@ -0,0 +1,89 @@
+require "rex/text"
+
+module Rex
+module Encoder
+module NDR
+
+	# Provide padding to align the string to the 32bit boundary
+	def NDR.align(string)
+		return "\x00" * ((4 - (string.length & 3)) & 3)
+	end
+
+	# Encode a 4 byte long
+	# use to encode:
+	#       long element_1;
+	def NDR.long(string)
+		return [string].pack('V')
+	end
+
+	# Encode a 2 byte short
+	# use to encode:
+	#       short element_1;
+	def NDR.short(string)
+		return [string].pack('v')
+	end
+
+	# Encode a single byte
+	# use to encode:
+	#       byte element_1;
+	def NDR.byte(string)
+		return [string].pack('c')
+	end
+
+	# Encode a byte array
+	# use to encode:
+	#       char  element_1
+	def NDR.UniConformantArray(string)
+		return long(string.length) + string + align(string)
+	end
+
+	# Encode a string
+	# use to encode:
+	#       char *element_1;
+	def NDR.string(string)
+		string << "\x00" # null pad
+		return long(string.length) + long(0) + long(string.length) + string + align(string)
+	end
+
+	# Encode a string
+	# use to encode:
+	#       w_char *element_1;
+	def NDR.wstring(string)
+		string  = string + "\x00" # null pad
+		return long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
+	end
+
+	# Encode a string and make it unique
+	# use to encode:
+	#       [unique] w_char *element_1;
+	def NDR.uwstring(string)
+		string  = string + "\x00" # null pad
+		return long(rand(0xffffffff))+long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
+	end
+
+	# Encode a string that is already unicode encoded
+	# use to encode:
+	#       w_char *element_1;
+	def NDR.wstring_prebuilt(string)
+		# if the string len is odd, thats bad!
+		if string.length % 2 > 0
+			string = string + "\x00"
+		end
+		len = string.length / 2;
+		return long(len) + long(0) + long(len) + string + align(string)
+	end
+
+	# alias to wstring, going away soon
+	def NDR.UnicodeConformantVaryingString(string)
+		NDR.wstring(string)
+	end
+
+	# alias to wstring_prebuilt, going away soon
+	def NDR.UnicodeConformantVaryingStringPreBuilt(string)
+		NDR.wstring_prebuilt(string)
+	end
+
+end
+end
+end
+