librex 0.0.13 → 0.0.15

data/lib/rex/encoder/alpha2/generic.rb

@@ -1,114 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/text'
-
-module Rex
-module Encoder
-module Alpha2
-
-class Generic
-
-	def Generic.default_accepted_chars ; ('a' .. 'z').to_a + ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
-
-	def Generic.gen_decoder_prefix(reg, offset)
-		# Should never happen - have to pick a specifc
-		# encoding:
-		# alphamixed, alphaupper, unicodemixed, unicodeupper
-		''
-	end
-
-	def Generic.gen_decoder(reg, offset)
-		# same as above
-		return ''
-	end
-
-	def Generic.gen_base_set(ignored_max=0x0f)
-		# 0xf is max for XOR encodings - non-unicode
-		max = 0x0f
-		Rex::Text.shuffle_a(
-			[* ( (0..(max)).map { |i| i *= 0x10 } ) ]
-		)
-	end
-
-	def Generic.gen_second(block, base)
-		# XOR encoder for ascii - unicode uses additive
-		(block^base)
-	end
-
-	def Generic.encode_byte(block, badchars)
-		accepted_chars = default_accepted_chars.dup
-
-
-		# Remove bad chars from the accepted_chars list.  Sadly 'A' must be
-		# an accepted char or we'll certainly fail at this point.  This could
-		# be fixed later maybe with some recalculation of the encoder stubs...
-		# - Puss
-		(badchars || '').unpack('C*').map { |c| accepted_chars.delete([c].pack('C')) }
-
-		first    = 0
-		second   = 1
-		randbase = 0
-		found    = nil
-
-
-		gen_base_set(block).each do |randbase_|
-			second   = gen_second(block, randbase_)
-			next if second < 0
-			if accepted_chars.include?([second].pack('C'))
-				found    = second
-				randbase = randbase_
-				break
-			end
-		end
-
-		if not found
-			msg = "No valid base found for #{"0x%.2x" % block}"
-			if not accepted_chars.include?([second].pack('C'))
-				msg << ": BadChar to #{second}"
-			elsif second < 1
-				msg << ": Negative"
-			end
-			raise RuntimeError, msg
-		end
-
-		if (randbase > 0xa0)
-			# first num must be 4
-			first = (randbase/0x10) + 0x40
-		elsif (randbase == 0x00) || (randbase == 0x10)
-			# first num must be 5
-			first = (randbase/0x10) + 0x50
-		else
-			# pick one at "random"
-			first = (randbase/0x10)
-			if (first % 2) > 0
-				first += 0x40
-			else
-				first += 0x50
-			end
-		end
-
-		# now add our new bytes :)
-		[first.to_i, second].pack('CC')
-	end
-
-	def Generic.encode(buf, reg, offset, badchars = '')
-		encoded = gen_decoder(reg, offset)
-
-		buf.each_byte {
-			|block|
-
-			encoded += encode_byte(block, badchars)
-		}
-
-		encoded += add_terminator()
-
-		return encoded
-	end
-
-	# 'A' signifies the end of the encoded shellcode
-	def Generic.add_terminator()
-		'AA'
-	end
-
-end end end end
-

data/lib/rex/encoder/alpha2/unicode_mixed.rb

@@ -1,117 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/encoder/alpha2/generic'
-
-module Rex
-module Encoder
-module Alpha2
-
-class UnicodeMixed < Generic
-
-	def self.gen_base_set(max)
-		Rex::Text.shuffle_a(
-			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
-		)
-	end
-	
-	def self.gen_second(block, base)
-		# unicode uses additive encoding
-		(block - base)
-	end
-	
-	def self.gen_decoder_prefix(reg, offset)
-		if (offset > 28)
-			 raise "Critical: Offset is greater than 28"
-		end
-
-		# offset untested for unicode :(
-		if (offset <= 14)
-			nop = 'CP' * offset
-			mod = 'IA' * (14 - offset) + nop    # dec ecx,,, push ecx, pop edx
-		else
-			mod = 'AA' * (offset - 14)			# inc ecx
-			nop = 'CP' * (14 - mod.length)
-			mod += nop
-		end	
-		regprefix = {                       # nops ignored below
-			'EAX'   => 'PPYA' + mod,         # push eax, pop ecx
-			'ECX'   =>  mod + "4444",        # dec ecx
-			'EDX'   => 'RRYA' + mod,         # push edx, pop ecx
-			'EBX'   => 'SSYA' + mod,         # push ebx, pop ecx
-			'ESP'   => 'TUYA' + mod,         # push esp, pop ecx
-			'EBP'   => 'UUYA' + mod,         # push ebp, pop ecx
-			'ESI'   => 'VVYA' + mod,         # push esi, pop ecx
-			'EDI'   => 'WWYA' + mod,         # push edi, pop edi
-		}
-
-		return regprefix[reg]	
-	end
-
-	def self.gen_decoder(reg, offset)
-		decoder =
-			gen_decoder_prefix(reg, offset) +
-			"j" +               # push 0
-			"XA" +              # pop eax, NOP
-			"QA" +              # push ecx, NOP
-			"DA" +              # inc esp, NOP
-			"ZA" +              # pop edx, NOP
-			"BA" +              # inc edx, NOP
-			"RA" +              # push edx, NOP
-			"LA" +              # dec esp, NOP
-			"YA" +              # pop ecx, NOP
-			"IA" +              # dec ecx, NOP
-			"QA" +              # push ecx, NOP
-			"IA" +              # dec ecx, NOP
-			"QA" +              # push ecx, NOP
-			"IA" +              # dec ecx, NOP
-			"hAAA" +            # push 00410041, NOP
-			"Z" +               # pop edx
-			"1A" +              # add [ecx], dh NOP
-			"IA" +              # dec ecx, NOP
-			"IA" +              # dec ecx, NOP
-			"J" +               # dec edx
-			"1" +               # add [ecx], dh
-			"1A" +              # add [ecx], dh NOP
-			"IA" +              # dec ecx, NOP
-			"IA" +              # dec ecx, NOP
-			"BA" +              # inc edx, NOP
-			"BA" +              # inc edx, NOP
-			"B" +               # inc edx
-			"Q" +               # add [ecx], dl
-			"I" +               # dec ecx
-			"1A" +              # add [ecx], dh NOP
-			"I" +               # dec ecx
-			"Q" +               # add [ecx], dl
-			"IA" +              # dec ecx, NOP
-			"I" +               # dec ecx
-			"Q" +               # add [ecx], dh
-			"I" +               # dec ecx
-			"1" +               # add [ecx], dh
-			"1" +               # add [ecx], dh
-			"1A" +              # add [ecx], dh NOP
-			"IA" +              # dec ecx, NOP
-			"J" +               # dec edx
-			"Q" +               # add [ecx], dl 
-			"YA" +              # pop ecx, NOP
-			"Z" +               # pop edx
-			"B" +               # add [edx], al
-			"A" +               # inc ecx       <-------
-			"B" +               # add [edx], al         |
-			"A" +               # inc ecx               |
-			"B" +               # add [edx], al         |
-			"A" +               # inc ecx               |
-			"B" +               # add [edx], al         |
-			"A" +               # inc ecx               |
-			"B" +               # add [edx], al         |
-			"kM" +              # imul eax, [eax], 10 * |
-			"A" +               # add [edx], al         |
-			"G" +               # inc edi               | 
-			"B" +               # add [edx], al         |
-			"9" +               # cmp [eax], eax        |
-			"u" +               # jnz ------------------      
-			"4JB"
-
-		return decoder
-	end
-
-end end end end

data/lib/rex/encoder/alpha2/unicode_upper.rb

@@ -1,129 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/encoder/alpha2/generic'
-
-module Rex
-module Encoder
-module Alpha2
-
-class UnicodeUpper < Generic
-	def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
-
-	def self.gen_base_set(max)
-		Rex::Text.shuffle_a(
-			[* ( (0..(max-1)).map { |i| i *= 0x10 } ) ]
-		)
-	end
-	
-	def self.gen_second(block, base)
-		# unicode uses additive encoding
-		(block - base)
-	end
-
-	def self.gen_decoder_prefix(reg, offset)
-		if (offset > 8)
-			raise "Critical: Offset is greater than 8"
-		end
-
-		# offset untested for unicode :(
-		if (offset <= 4)
-			nop = 'CP' * offset
-			mod = 'IA' * (4 - offset) + nop    # dec ecx,,, push ecx, pop edx
-		else
-			mod = 'AA' * (offset - 4)          # inc ecx
-			nop = 'CP' * (4 - mod.length)
-			mod += nop
-		end
-
-		regprefix = {                      # nops ignored below
-			'EAX'   => 'PPYA' + mod,        # push eax, pop ecx
-			'ECX'   =>  mod + '4444',       # dec ecx
-			'EDX'   => 'RRYA' + mod,        # push edx, pop ecx
-			'EBX'   => 'SSYA' + mod,        # push ebx, pop ecx
-			'ESP'   => 'TUYA' + mod,        # push esp, pop ecx
-			'EBP'   => 'UUYA' + mod,        # push ebp, pop ecx
-			'ESI'   => 'VVYA' + mod,        # push esi, pop ecx
-			'EDI'   => 'WWYA' + mod,        # push edi, pop edi
-			'[ESP]' => 'YA' + mod + '44',   #
-			'[ESP+4]' => 'YUYA' + mod,      # 
-		}
-
-		return regprefix[reg]
-	end
-
-	def self.gen_decoder(reg, offset)
-		decoder =
-			gen_decoder_prefix(reg, offset) +
-			"QA" +                  # push ecx, NOP
-			"TA" +                  # push esp, NOP
-			"XA" +                  # pop eax, NOP
-			"ZA" +                  # pop edx, NOP
-			"PU" +                  # push eax, NOP
-			"3" +                   # xor eax, [eax]
-			"QA" +                  # push ecx, NOP
-			"DA" +                  # inc esp, NOP
-			"ZA" +                  # pop edx, NOP
-			"BA" +                  # inc edx, NOP
-			"RA" +                  # push edx, NOP
-			"LA" +                  # dec esp, NOP
-			"YA" +                  # pop ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"QA" +                  # push ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"QA" +                  # push ecx, NOP
-			"PA" +                  # push eax, NOP
-			"5AAA" +                # xor eax, 41004100 - NOP
-			"PA" +                  # push eax, NOP
-			"Z" +                   # pop edx
-			"1A" +                  # add [ecx], dh - NOP
-			"I" +                   # dec ecx
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"J" +                   # dec edx
-			"1" +                   # add [ecx], dh
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"XA" +                  # pop eax, NOP
-			"58AA" +                # xor eax, 41003800 - NOP
-			"PA" +                  # push eax, NOP
-			"ZA" +                  # pop edx, NOP
-			"BA" +                  # inc edx, NOP
-			"B" +                   # inc edx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec ecx
-			"1A" +                  # add [ecx], dh - NOP
-			"I" +                   # dec ecx
-			"Q" +                   # add [ecx], dl
-			"IA" +                  # dec ecx, NOP
-			"I" +                   # dec ecx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec ecx
-			"1" +                   # add [ecx], dh
-			"1" +                   # add [ecx], dh
-			"1" +                   # add [ecx], dh
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"J" +                   # dec edx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec edx
-			"1A" +                  # add [ecx], dh - NOP
-			"YA" +                  # pop ecx, NOP
-			"ZB" +                  # pop edx, NOP
-			"AB" +                  # inc ecx, NOP      <-------
-			"AB" +                  # inc ecx, NOP              |
-			"AB" +                  # inc ecx, NOP              |
-			"AB" +                  # inc ecx, NOP              |
-			"30" +                  # imul eax, [ecx], 10 *     |
-			"A" +                   # add al, [ecx+2] *         |
-			"P" +                   # mov [edx], al *           |
-			"B" +                   # inc edx                   |
-			"9" +                   # cmp [ecx], 41 *           |
-			"4" +                   # jnz   --------------------
-			"4JB"
-
-		return decoder
-	end
-
-end end end end

data/lib/rex/encoder/ndr.rb

@@ -1,89 +0,0 @@
-require "rex/text"
-
-module Rex
-module Encoder
-module NDR
-
-	# Provide padding to align the string to the 32bit boundary
-	def NDR.align(string)
-		return "\x00" * ((4 - (string.length & 3)) & 3)
-	end
-
-	# Encode a 4 byte long
-	# use to encode:
-	#       long element_1;
-	def NDR.long(string)
-		return [string].pack('V')
-	end
-
-	# Encode a 2 byte short
-	# use to encode:
-	#       short element_1;
-	def NDR.short(string)
-		return [string].pack('v')
-	end
-
-	# Encode a single byte
-	# use to encode:
-	#       byte element_1;
-	def NDR.byte(string)
-		return [string].pack('c')
-	end
-
-	# Encode a byte array
-	# use to encode:
-	#       char  element_1
-	def NDR.UniConformantArray(string)
-		return long(string.length) + string + align(string)
-	end
-
-	# Encode a string
-	# use to encode:
-	#       char *element_1;
-	def NDR.string(string)
-		string << "\x00" # null pad
-		return long(string.length) + long(0) + long(string.length) + string + align(string)
-	end
-
-	# Encode a string
-	# use to encode:
-	#       w_char *element_1;
-	def NDR.wstring(string)
-		string  = string + "\x00" # null pad
-		return long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
-	end
-
-	# Encode a string and make it unique
-	# use to encode:
-	#       [unique] w_char *element_1;
-	def NDR.uwstring(string)
-		string  = string + "\x00" # null pad
-		return long(rand(0xffffffff))+long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
-	end
-
-	# Encode a string that is already unicode encoded
-	# use to encode:
-	#       w_char *element_1;
-	def NDR.wstring_prebuilt(string)
-		# if the string len is odd, thats bad!
-		if string.length % 2 > 0
-			string = string + "\x00"
-		end
-		len = string.length / 2;
-		return long(len) + long(0) + long(len) + string + align(string)
-	end
-
-	# alias to wstring, going away soon
-	def NDR.UnicodeConformantVaryingString(string)
-		NDR.wstring(string)
-	end
-
-	# alias to wstring_prebuilt, going away soon
-	def NDR.UnicodeConformantVaryingStringPreBuilt(string)
-		NDR.wstring_prebuilt(string)
-	end
-
-end
-end
-end
-