librex 0.0.68 → 0.0.70

data/lib/rex/encoder/alpha2/unicode_upper.rb

@@ -1,4 +1,3 @@
-#!/usr/bin/env ruby
 # -*- coding: binary -*-
 
 require 'rex/encoder/alpha2/generic'
@@ -8,117 +7,117 @@ module Encoder
 module Alpha2
 
 class UnicodeUpper < Generic
-	def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
-	
-	def self.gen_second(block, base)
-		# unicode uses additive encoding
-		(block - base)
-	end
+  def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
 
-	def self.gen_decoder_prefix(reg, offset)
-		if (offset > 6)
-			raise "Critical: Offset is greater than 6"
-		end
+  def self.gen_second(block, base)
+    # unicode uses additive encoding
+    (block - base)
+  end
 
-		# offset untested for unicode :(
-		if (offset <= 4)
-			nop = 'CP' * offset
-			mod = 'IA' * (4 - offset) + nop    # dec ecx,,, push ecx, pop edx
-		else
-			mod = 'AA' * (offset - 4)          # inc ecx
-			nop = 'CP' * (4 - mod.length)
-			mod += nop
-		end
+  def self.gen_decoder_prefix(reg, offset)
+    if (offset > 6)
+      raise "Critical: Offset is greater than 6"
+    end
 
-		regprefix = {                      # nops ignored below
-			'EAX'   => 'PPYA' + mod,        # push eax, pop ecx
-			'ECX'   =>  mod + '4444',       # dec ecx
-			'EDX'   => 'RRYA' + mod,        # push edx, pop ecx
-			'EBX'   => 'SSYA' + mod,        # push ebx, pop ecx
-			'ESP'   => 'TUYA' + mod,        # push esp, pop ecx
-			'EBP'   => 'UUYA' + mod,        # push ebp, pop ecx
-			'ESI'   => 'VVYA' + mod,        # push esi, pop ecx
-			'EDI'   => 'WWYA' + mod,        # push edi, pop edi
-			'[ESP]' => 'YA' + mod + '44',   #
-			'[ESP+4]' => 'YUYA' + mod,      # 
-		}
+    # offset untested for unicode :(
+    if (offset <= 4)
+      nop = 'CP' * offset
+      mod = 'IA' * (4 - offset) + nop    # dec ecx,,, push ecx, pop edx
+    else
+      mod = 'AA' * (offset - 4)          # inc ecx
+      nop = 'CP' * (4 - mod.length)
+      mod += nop
+    end
 
-		return regprefix[reg]
-	end
+    regprefix = {                      # nops ignored below
+      'EAX'   => 'PPYA' + mod,        # push eax, pop ecx
+      'ECX'   =>  mod + '4444',       # dec ecx
+      'EDX'   => 'RRYA' + mod,        # push edx, pop ecx
+      'EBX'   => 'SSYA' + mod,        # push ebx, pop ecx
+      'ESP'   => 'TUYA' + mod,        # push esp, pop ecx
+      'EBP'   => 'UUYA' + mod,        # push ebp, pop ecx
+      'ESI'   => 'VVYA' + mod,        # push esi, pop ecx
+      'EDI'   => 'WWYA' + mod,        # push edi, pop edi
+      '[ESP]' => 'YA' + mod + '44',   #
+      '[ESP+4]' => 'YUYA' + mod,      #
+    }
 
-	def self.gen_decoder(reg, offset)
-		decoder =
-			gen_decoder_prefix(reg, offset) +
-			"QA" +                  # push ecx, NOP
-			"TA" +                  # push esp, NOP
-			"XA" +                  # pop eax, NOP
-			"ZA" +                  # pop edx, NOP
-			"PU" +                  # push eax, NOP
-			"3" +                   # xor eax, [eax]
-			"QA" +                  # push ecx, NOP
-			"DA" +                  # inc esp, NOP
-			"ZA" +                  # pop edx, NOP
-			"BA" +                  # inc edx, NOP
-			"RA" +                  # push edx, NOP
-			"LA" +                  # dec esp, NOP
-			"YA" +                  # pop ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"QA" +                  # push ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"QA" +                  # push ecx, NOP
-			"PA" +                  # push eax, NOP
-			"5AAA" +                # xor eax, 41004100 - NOP
-			"PA" +                  # push eax, NOP
-			"Z" +                   # pop edx
-			"1A" +                  # add [ecx], dh - NOP
-			"I" +                   # dec ecx
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"J" +                   # dec edx
-			"1" +                   # add [ecx], dh
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"IA" +                  # dec ecx, NOP
-			"XA" +                  # pop eax, NOP
-			"58AA" +                # xor eax, 41003800 - NOP
-			"PA" +                  # push eax, NOP
-			"ZA" +                  # pop edx, NOP
-			"BA" +                  # inc edx, NOP
-			"B" +                   # inc edx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec ecx
-			"1A" +                  # add [ecx], dh - NOP
-			"I" +                   # dec ecx
-			"Q" +                   # add [ecx], dl
-			"IA" +                  # dec ecx, NOP
-			"I" +                   # dec ecx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec ecx
-			"1" +                   # add [ecx], dh
-			"1" +                   # add [ecx], dh
-			"1" +                   # add [ecx], dh
-			"1A" +                  # add [ecx], dh - NOP
-			"IA" +                  # dec ecx, NOP
-			"J" +                   # dec edx
-			"Q" +                   # add [ecx], dl
-			"I" +                   # dec edx
-			"1A" +                  # add [ecx], dh - NOP
-			"YA" +                  # pop ecx, NOP
-			"ZB" +                  # pop edx, NOP
-			"AB" +                  # inc ecx, NOP      <-------
-			"AB" +                  # inc ecx, NOP              |
-			"AB" +                  # inc ecx, NOP              |
-			"AB" +                  # inc ecx, NOP              |
-			"30" +                  # imul eax, [ecx], 10 *     |
-			"A" +                   # add al, [ecx+2] *         |
-			"P" +                   # mov [edx], al *           |
-			"B" +                   # inc edx                   |
-			"9" +                   # cmp [ecx], 41 *           |
-			"4" +                   # jnz   --------------------
-			"4JB"
+    return regprefix[reg]
+  end
 
-		return decoder
-	end
+  def self.gen_decoder(reg, offset)
+    decoder =
+      gen_decoder_prefix(reg, offset) +
+      "QA" +                  # push ecx, NOP
+      "TA" +                  # push esp, NOP
+      "XA" +                  # pop eax, NOP
+      "ZA" +                  # pop edx, NOP
+      "PU" +                  # push eax, NOP
+      "3" +                   # xor eax, [eax]
+      "QA" +                  # push ecx, NOP
+      "DA" +                  # inc esp, NOP
+      "ZA" +                  # pop edx, NOP
+      "BA" +                  # inc edx, NOP
+      "RA" +                  # push edx, NOP
+      "LA" +                  # dec esp, NOP
+      "YA" +                  # pop ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "QA" +                  # push ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "QA" +                  # push ecx, NOP
+      "PA" +                  # push eax, NOP
+      "5AAA" +                # xor eax, 41004100 - NOP
+      "PA" +                  # push eax, NOP
+      "Z" +                   # pop edx
+      "1A" +                  # add [ecx], dh - NOP
+      "I" +                   # dec ecx
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "J" +                   # dec edx
+      "1" +                   # add [ecx], dh
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "XA" +                  # pop eax, NOP
+      "58AA" +                # xor eax, 41003800 - NOP
+      "PA" +                  # push eax, NOP
+      "ZA" +                  # pop edx, NOP
+      "BA" +                  # inc edx, NOP
+      "B" +                   # inc edx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec ecx
+      "1A" +                  # add [ecx], dh - NOP
+      "I" +                   # dec ecx
+      "Q" +                   # add [ecx], dl
+      "IA" +                  # dec ecx, NOP
+      "I" +                   # dec ecx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec ecx
+      "1" +                   # add [ecx], dh
+      "1" +                   # add [ecx], dh
+      "1" +                   # add [ecx], dh
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "J" +                   # dec edx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec edx
+      "1A" +                  # add [ecx], dh - NOP
+      "YA" +                  # pop ecx, NOP
+      "ZB" +                  # pop edx, NOP
+      "AB" +                  # inc ecx, NOP      <-------
+      "AB" +                  # inc ecx, NOP              |
+      "AB" +                  # inc ecx, NOP              |
+      "AB" +                  # inc ecx, NOP              |
+      "30" +                  # imul eax, [ecx], 10 *     |
+      "A" +                   # add al, [ecx+2] *         |
+      "P" +                   # mov [edx], al *           |
+      "B" +                   # inc edx                   |
+      "9" +                   # cmp [ecx], 41 *           |
+      "4" +                   # jnz   --------------------
+      "4JB"
+
+    return decoder
+  end
 
 end end end end

data/lib/rex/encoder/bloxor/bloxor.rb

@@ -0,0 +1,326 @@
+
+require 'rex/poly/machine'
+
+module Rex
+
+module Encoder
+
+  class BloXor < Msf::Encoder
+
+    def initialize( *args )
+      super
+      @machine    = nil
+      @blocks_out = []
+      @block_size = 0
+    end
+
+    #
+    #
+    #
+    def decoder_stub( state )
+
+      if( not state.decoder_stub )
+        @blocks_out = []
+        @block_size = 0
+
+        # XXX: It would be ideal to use a random block size but unless we know the maximum size our final encoded
+        # blob can be we should instead start with the smallest block size and go up to avoid generating
+        # anything too big (if we knew the max size we could try something smaller if we generated a blob too big)
+        #block_sizes = (1..state.buf.length).to_a.shuffle
+        #block_sizes.each do | len |
+
+        1.upto( state.buf.length ) do | len |
+
+          # For now we ignore all odd sizes to help with performance (The rex poly machine
+          # doesnt have many load/store primitives that can handle byte sizes efficiently)
+          if( len % 2 != 0 )
+            next
+          end
+
+          blocks, size = compute_encoded( state, len )
+          if( blocks and size )
+
+            # We sanity check that the newly generated block ammount and the block size
+            # are not in the badchar list when converted into a hex form. Helps speed
+            # things up a great deal when generating a decoder stub later as these
+            # values may be used throughout.
+
+            if( not number_is_valid?( state, blocks.length - 1 ) or not number_is_valid?( state, ~( blocks.length - 1 ) ) )
+              next
+            end
+
+            if( not number_is_valid?( state, size ) or not number_is_valid?( state, ~size ) )
+              next
+            end
+
+            @blocks_out = blocks
+            @block_size = size
+
+            break
+          end
+        end
+
+        raise RuntimeError, "Unable to generate seed block." if( @blocks_out.empty? )
+
+        state.decoder_stub = compute_decoder( state )
+      end
+
+      state.decoder_stub
+    end
+
+    #
+    #
+    #
+    def encode_block( state, data )
+
+      buffer = ''
+
+      @blocks_out.each do | block |
+        buffer << block.pack( 'C*' )
+      end
+
+      buffer
+    end
+
+    protected
+
+    #
+    # Is a number in its byte form valid against the badchars?
+    #
+    def number_is_valid?( state, number )
+      size = 'C'
+      if( number > 0xFFFF )
+        size = 'V'
+      elsif( number > 0xFF )
+        size = 'v'
+      end
+      return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil?
+    end
+
+    #
+    # Calculate Shannon's entropy.
+    #
+    def entropy( data )
+      entropy = 0.to_f
+      (0..255).each do | byte |
+        freq = data.to_s.count( byte.chr ).to_f / data.to_s.length
+        if( freq > 0 )
+          entropy -= freq * Math.log2( freq )
+        end
+      end
+      return entropy / 8
+    end
+
+    #
+    # Compute the encoded blocks (and associated seed)
+    #
+    def compute_encoded( state, len )
+
+      blocks_in = ::Array.new
+
+      input = '' << state.buf
+
+      block_padding = ( input.length % len ) > 0 ? len - ( input.length % len ) : 0
+
+      if( block_padding > 0 )
+        0.upto( block_padding-1 ) do
+          input << [ rand( 255 ) ].pack( 'C' )
+        end
+      end
+
+      while( input.length > 0 )
+        blocks_in << input[0..len-1].unpack( 'C*' )
+        input = input[len..input.length]
+      end
+
+      seed = compute_seed( blocks_in, len, block_padding, state.badchars.unpack( 'C*' ) )
+
+      if( not seed )
+        return [ nil, nil ]
+      end
+
+      blocks_out = [ seed ]
+
+      blocks_in.each do | block |
+        blocks_out << compute_block( blocks_out.last, block )
+      end
+
+      return [ blocks_out, len ]
+    end
+
+    #
+    # Generate the decoder stub which is functionally equivalent to the following:
+    #
+    #	source  = &end;
+    #	dest    = source + BLOCK_SIZE;
+    #	counter = BLOCK_COUNT * ( BLOCK_SIZE / chunk_size );
+    #	do
+    #	{
+    #		encoded = *(CHUNK_SIZE *)dest;
+    #		dest += chunk_size;
+    #		decoded = *(CHUNK_SIZE *)source;
+    #		*(CHUNK_SIZE *)source = decoded ^ encoded;
+    #		source += chunk_size;
+    #	} while( --counter );
+    #
+    #	end:
+    #
+    def compute_decoder( state )
+
+      @machine.create_variable( 'source' )
+      @machine.create_variable( 'dest' )
+      @machine.create_variable( 'counter' )
+      @machine.create_variable( 'encoded' )
+      @machine.create_variable( 'decoded' )
+
+      chunk_size = Rex::Poly::Machine::BYTE
+      if( @machine.native_size() == Rex::Poly::Machine::QWORD )
+        if( @block_size % Rex::Poly::Machine::QWORD == 0 )
+          chunk_size = Rex::Poly::Machine::QWORD
+        elsif( @block_size % Rex::Poly::Machine::DWORD == 0 )
+          chunk_size = Rex::Poly::Machine::DWORD
+        elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      elsif( @machine.native_size() == Rex::Poly::Machine::DWORD )
+        if( @block_size % Rex::Poly::Machine::DWORD == 0 )
+          chunk_size = Rex::Poly::Machine::DWORD
+        elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      elsif( @machine.native_size() == Rex::Poly::Machine::WORD )
+        if( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      end
+
+      # Block 1 - Set the source variable to the address of the start block
+      @machine.create_block_primitive( 'block1', 'set', 'source', 'location' )
+
+      # Block 2 - Set the source variable to the address of the 1st encoded block
+      @machine.create_block_primitive( 'block2', 'add', 'source', 'end' )
+
+      # Block 3 - Set the destingation variable to the value of the source variable
+      @machine.create_block_primitive( 'block3', 'set', 'dest', 'source' )
+
+      # Block 4 - Set the destingation variable to the address of the 2nd encoded block
+      @machine.create_block_primitive( 'block4', 'add', 'dest', @block_size )
+
+      # Block 5 - Sets the loop counter to the number of blocks to process
+      @machine.create_block_primitive( 'block5', 'set', 'counter', ( ( @block_size / chunk_size ) * (@blocks_out.length - 1) ) )
+
+      # Block 6 - Set the encoded variable to the byte pointed to by the dest variable
+      @machine.create_block_primitive( 'block6', 'load', 'encoded', 'dest', chunk_size )
+
+      # Block 7 - Increment the destination variable by one
+      @machine.create_block_primitive( 'block7', 'add', 'dest', chunk_size )
+
+      # Block 8 - Set the decoded variable to the byte pointed to by the source variable
+      @machine.create_block_primitive( 'block8', 'load', 'decoded', 'source', chunk_size )
+
+      # Block 9 - Xor the decoded variable with the encoded variable
+      @machine.create_block_primitive( 'block9', 'xor', 'decoded', 'encoded' )
+
+      # Block 10 - store the newly decoded byte
+      @machine.create_block_primitive( 'block10', 'store', 'source', 'decoded', chunk_size )
+
+      # Block 11 - Increment the source variable by one
+      @machine.create_block_primitive( 'block11', 'add', 'source', chunk_size )
+
+      # Block 12 - Jump back up to the outer_loop block while the counter variable > 0
+      @machine.create_block_primitive( 'block12', 'loop', 'counter', 'block6' )
+
+      # Try to generate the decoder stub...
+      decoder = @machine.generate
+
+      if( not decoder )
+        raise RuntimeError, "Unable to generate decoder stub."
+      end
+
+      decoder
+    end
+
+    #
+    # Compute the seed block which will successfully decode all proceeding encoded
+    # blocks while ensuring the encoded blocks do not contain any badchars.
+    #
+    def compute_seed( blocks_in, block_size, block_padding, badchars )
+      seed       = []
+      redo_bytes = []
+
+      0.upto( block_size-1 ) do | index |
+
+        seed_bytes = (0..255).sort_by do
+          rand()
+        end
+
+        seed_bytes.each do | seed_byte |
+
+          next if( badchars.include?( seed_byte ) )
+
+          success = true
+
+          previous_byte = seed_byte
+
+          if( redo_bytes.length < 256 )
+            redo_bytes = (0..255).sort_by do
+              rand()
+            end
+          end
+
+          blocks_in.each do | block |
+
+            decoded_byte = block[ index ]
+
+            encoded_byte = previous_byte ^ decoded_byte
+
+            if( badchars.include?( encoded_byte ) )
+              # the padding bytes we added earlier can be changed if they are causing us to fail.
+              if( block == blocks_in.last and index >= (block_size-block_padding) )
+                if( redo_bytes.empty? )
+                  success = false
+                  break
+                end
+                block[ index ] = redo_bytes.shift
+                redo
+              end
+
+              success = false
+              break
+            end
+
+            previous_byte = encoded_byte
+          end
+
+          if( success )
+            seed << seed_byte
+            break
+          end
+        end
+
+      end
+
+      if( seed.length == block_size )
+        return seed
+      end
+
+      return nil
+    end
+
+    #
+    # Compute the next encoded block by xoring the previous
+    # encoded block with the next decoded block.
+    #
+    def compute_block( encoded, decoded )
+      block = []
+      0.upto( encoded.length-1 ) do | index |
+        block << ( encoded[ index ] ^ decoded[ index ] )
+      end
+      return block
+    end
+
+  end
+
+end
+
+end