rex-encoder 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a1449e0625dd065a353bae94c84d45fd1203d8c2
+  data.tar.gz: 23ee448ad20fcf27e45b7afaf7ff290390ebc7b6
+SHA512:
+  metadata.gz: aafa688f874e573dfddd9419bf5d2da7bbfdcef327ce4cb26365027a99337f92b44a5405359f364b167596329c0e7d48c23392cd2de27b56822a70d21b0c7fe5
+  data.tar.gz: 075779953f26c537005a89e409164278a0d19097fde40c853182a8359a9a0d057843debeeb998d67d2222a99b5a1c5ce9bc46bbbba1118843e24a5e8c18ccb98

checksums.yaml.gz.sig

@@ -0,0 +1 @@
+c �`a��������u䡆 .�z �!@�o)'�0�N�Q��������{ٝ���)ķ��[���5�o$+�=�ō�C:Z���E��Q�>W7���#!ȩ���

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.12.5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,49 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at DMaloney@rapid7.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rex-encoder.gemspec
+gemspec

data/README.md

@@ -0,0 +1,32 @@
+# Rex::Encoder
+
+This library provides the basis for all of the polymorphic encoders that Metasploit uses for payload encoding.
+Encoders are used to try and create a version of a payload that is free of bad characters as defined by the exploit.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rex-encoder'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rex-encoder
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/rex-encoder. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rex/encoder"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rex/encoder.rb

@@ -0,0 +1,15 @@
+require "rex/encoder/version"
+require 'rex/arch'
+require 'rex/poly'
+require 'rex/encoding/xor'
+require 'rex/encoder/alpha2'
+require 'rex/encoder/xor'
+require 'rex/encoder/ndr'
+require 'rex/encoder/nonalpha'
+require 'rex/encoder/nonupper'
+require 'rex/encoder/xdr'
+module Rex
+  module Encoder
+    # Your code goes here...
+  end
+end

data/lib/rex/encoder/alpha2.rb

@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+#
+# ________________________________________________________________________________
+#
+#     ,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance. (build 07)
+#    SS"  Y$P"  SY"  ,SY
+#   iS'   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
+#   YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
+#   `"YSS'"S' 'SSSSSSSP   <skylined@edup.tudelft.nl>
+# ________________________________________________________________________________
+#
+
+#
+# make sure the namespace is created
+#
+
+module Rex
+module Encoder
+module Alpha2
+end end end
+
+#
+# include the Alpha2 encodings
+#
+
+require 'rex/encoder/alpha2/generic'
+require 'rex/encoder/alpha2/alpha_mixed'
+require 'rex/encoder/alpha2/alpha_upper'
+require 'rex/encoder/alpha2/unicode_mixed'
+require 'rex/encoder/alpha2/unicode_upper'

data/lib/rex/encoder/alpha2/alpha_mixed.rb

@@ -0,0 +1,129 @@
+# -*- coding: binary -*-
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class AlphaMixed < Generic
+
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 32
+      raise 'Critical: Offset is greater than 32'
+    end
+
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
+    # use inc ebx as a nop here so we still pad correctly
+    if offset <= 16
+      nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
+      mod = 'I' * (16 - offset) + nop + '7QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 16
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
+      edxmod = 'J' * (17 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
+    else
+      mod = 'A' * (offset - 16)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
+      nop = 'C' * (16 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
+      mod << nop + '7QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
+      edxmod = 'B' * (17 - (offset - 16))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
+    end
+
+    regprefix = {
+      'EAX'   => 'PY' + mod,                         # push eax, pop ecx
+      'ECX'   => 'I' + mod,                          # dec ecx
+      'EDX'   =>  edxmod + nop + '7RY',			   # dec edx,,, push edx, pop ecx
+      'EBX'   => 'SY' + mod,                         # push ebx, pop ecx
+      'ESP'   => 'TY' + mod,                         # push esp, pop ecx
+      'EBP'   => 'UY' + mod,                         # push ebp, pop ecx
+      'ESI'   => 'VY' + mod,                         # push esi, pop ecx
+      'EDI'   => 'WY' + mod,                         # push edi, pop ecx
+    }
+
+    reg.upcase!
+
+    unless regprefix.keys.include?(reg)
+      raise ArgumentError.new('Invalid register name')
+    end
+
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return regprefix[reg]
+  end
+
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
+    decoder =
+       gen_decoder_prefix(reg, offset, mod_registers) +
+       "jA" +          # push 0x41
+       "X" +           # pop eax
+       "P" +           # push eax
+       "0A0" +         # xor byte [ecx+30], al
+       "A" +           # inc ecx                        <---
+       "kAAQ" +        # imul eax, [ecx+42], 51 -> 10       |
+       "2AB" +         # xor al, [ecx + 42]                 |
+       "2BB" +         # xor al, [edx + 42]                 |
+       "0BB" +         # xor [edx + 42], al                 |
+       "A" +           # inc ecx                            |
+       "B" +           # inc edx                            |
+       "X" +           # pop eax                            |
+       "P" +           # push eax                           |
+       "8AB" +         # cmp [ecx + 42], al                 |
+       "uJ" +          # jnz short -------------------------
+       "I"             # first encoded char, fixes the above J
+
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    decoder
+  end
+
+end end end end

data/lib/rex/encoder/alpha2/alpha_upper.rb

@@ -0,0 +1,138 @@
+# -*- coding: binary -*-
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class AlphaUpper < Generic
+  def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
+
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 20
+      raise 'Critical: Offset is greater than 20'
+    end
+
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
+    # use inc ebx as a nop here so we still pad correctly
+    if (offset <= 10)
+      nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
+      mod = 'I' * (10 - offset) + nop + 'QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 10
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
+      edxmod = 'J' * (11 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
+    else
+      mod = 'A' * (offset - 10)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
+      nop = 'C' * (10 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
+      mod << nop + 'QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
+      edxmod = 'B' * (11 - (offset - 10))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
+    end
+    regprefix = {
+      'EAX'   => 'PY' + mod,                        # push eax, pop ecx
+      'ECX'   => 'I' + mod,                         # dec ecx
+      'EDX'   =>  edxmod + nop + 'RY',  			  # mod edx,,, push edx, pop ecx
+      'EBX'   => 'SY' + mod,                        # push ebx, pop ecx
+      'ESP'   => 'TY' + mod,                        # push esp, pop ecx
+      'EBP'   => 'UY' + mod,                        # push ebp, pop ecx
+      'ESI'   => 'VY' + mod,                        # push esi, pop ecx
+      'EDI'   => 'WY' + mod,                        # push edi, pop ecx
+    }
+
+    reg.upcase!
+    unless regprefix.keys.include?(reg)
+      raise ArgumentError.new("Invalid register name")
+    end
+
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return regprefix[reg]
+  end
+
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
+    decoder =
+      gen_decoder_prefix(reg, offset, mod_registers) +
+      "V" +           # push esi
+      "T" +           # push esp
+      "X" +           # pop eax
+      "30" +          # xor esi, [eax]
+      "V" +           # push esi
+      "X" +           # pop eax
+      "4A" +          # xor al, 41
+      "P" +           # push eax
+      "0A3" +         # xor [ecx+33], al
+      "H" +           # dec eax
+      "H" +           # dec eax
+      "0A0" +         # xor [ecx+30], al
+      "0AB" +         # xor [ecx+42], al
+      "A" +           # inc ecx   <---------------
+      "A" +           # inc ecx                   |
+      "B" +           # inc edx                   |
+      "TAAQ" +        # imul eax, [ecx+41], 10 *  |
+      "2AB" +         # xor al [ecx+42]           |
+      "2BB" +         # xor al, [edx+42]          |
+      "0BB" +         # xor [edx+42], al          |
+      "X" +           # pop eax                   |
+      "P" +           # push eax                  |
+      "8AC" +         # cmp [ecx+43], al          |
+      "JJ" +          # jnz * --------------------
+      "I"             # first encoded char, fixes the above J
+
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ESI,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return decoder
+  end
+
+end end end end