librex 0.0.41 → 0.0.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. data/README.markdown +1 -1
  2. data/lib/rex/exploitation/egghunter.rb +54 -24
  3. metadata +3 -3
data/README.markdown CHANGED
@@ -3,7 +3,7 @@
3
3
  A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
4
4
 
5
5
  Currently based on:
6
- SVN Revision: 13139
6
+ SVN Revision: 13159
7
7
 
8
8
  # Credits
9
9
  The Metasploit development team <http://www.metasploit.com>
data/lib/rex/exploitation/egghunter.rb CHANGED
@@ -69,6 +69,11 @@ class Egghunter
69
69
 
70
70
  freeregs = [ "esi", "ebp", "ecx", "ebx" ]
71
71
 
72
+ reginfo = {
73
+ "ebx"=>["bx","bl","bh"],
74
+ "ecx"=>["cx","cl","ch"]
75
+ }
76
+
72
77
  if opts[:depmethod]
73
78
 
74
79
  if freeregs.index(apireg) == nil
@@ -102,29 +107,54 @@ class Egghunter
102
107
  end
103
108
  end
104
109
 
105
-
106
- blockcnt = 0
107
- vpsize = 0
108
- blocksize = depsize
109
- while blocksize >= 127
110
- blocksize = blocksize / 2
111
- blockcnt += 1
112
- end
113
- if blockcnt > 0
114
- getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
115
- vpsize = blocksize
116
- depblockcnt = 0
117
- while depblockcnt < blockcnt
118
- getsize << "add #{sizereg},#{sizereg}\n\t"
119
- vpsize += vpsize
120
- depblockcnt += 1
110
+ if depsize <= 127
111
+ getsize << "push 0x%02x\n\t" % depsize
112
+ else
113
+ sizebytes = "%04x" % depsize
114
+ low = sizebytes[2,4]
115
+ high = sizebytes[0,2]
116
+ if sizereg == "ecx" || sizereg == "ebx"
117
+ regvars = reginfo[sizereg]
118
+ getsize << "xor #{sizereg},#{sizereg}\n\t"
119
+ if low != "00" and high != "00"
120
+ getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
121
+ elsif low != "00"
122
+ getsize << "mov #{regvars[1]},0x%s\n\t" % low
123
+ elsif high != "00"
124
+ getsize << "mov #{regvars[2]},0x%s\n\t" % high
125
+ end
126
+ getsize << "push #{sizereg}\n\t"
127
+ end
128
+ if sizereg == "ebp"
129
+ if low != "00" and high != "00"
130
+ getsize << "xor #{sizereg},#{sizereg}\n\t"
131
+ getsize << "mov bp,0x%s\n\t" % sizebytes
132
+ getsize << "push #{sizereg}\n\t"
133
+ end
121
134
  end
122
- delta = depsize - vpsize
123
- if delta > 0
124
- getsize << "add #{sizereg},0x%02x\n\t" % delta
135
+ # last resort
136
+ if getsize == ''
137
+ blockcnt = 0
138
+ vpsize = 0
139
+ blocksize = depsize
140
+ while blocksize > 127
141
+ blocksize = blocksize / 2
142
+ blockcnt += 1
143
+ end
144
+ getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
145
+ vpsize = blocksize
146
+ depblockcnt = 0
147
+ while depblockcnt < blockcnt
148
+ getsize << "add #{sizereg},#{sizereg}\n\t"
149
+ vpsize += vpsize
150
+ depblockcnt += 1
151
+ end
152
+ delta = depsize - vpsize
153
+ if delta > 0
154
+ getsize << "add #{sizereg},0x%02x\n\t" % delta
155
+ end
156
+ getsize << "push #{sizereg}\n\t"
125
157
  end
126
- else
127
- getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % depsize
128
158
  end
129
159
 
130
160
 
@@ -132,21 +162,21 @@ class Egghunter
132
162
  when "virtualprotect"
133
163
  jmppayload = "push esp\n\tpush 0x40\n\t"
134
164
  jmppayload << getsize
135
- jmppayload << "push #{sizereg}\n\tpush edi\n\tpush edi\n\tpush #{apireg}\n\tret"
165
+ jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
136
166
  when "copy"
137
167
  jmppayload = getpc
138
168
  jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
139
169
  when "copy_size"
140
170
  jmppayload = getpc
141
171
  jmppayload << getsize
142
- jmppayload << "push #{sizereg}\n\tpush edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
172
+ jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
143
173
  end
144
174
  end
145
175
 
146
176
  jmppayload << "\n" if jmppayload.length > 0
147
177
 
148
178
  assembly = <<EOS
149
- #{getpointer}
179
+ #{getpointer}
150
180
  #{startstub}
151
181
  check_readable:
152
182
  or dx,0xfff
metadata CHANGED
@@ -2,7 +2,7 @@
2
2
  name: librex
3
3
  version: !ruby/object:Gem::Version
4
4
  prerelease:
5
- version: 0.0.41
5
+ version: 0.0.42
6
6
  platform: ruby
7
7
  authors:
8
8
  - Metasploit Development Team
@@ -11,11 +11,11 @@ autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
13
 
14
- date: 2011-07-09 00:00:00 -05:00
14
+ date: 2011-07-12 00:00:00 -05:00
15
15
  default_executable:
16
16
  dependencies: []
17
17
 
18
- description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13139
18
+ description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13159
19
19
  email:
20
20
  - hdm@metasploit.com
21
21
  - jacob.hammack@hammackj.com