rex-encoder 0.1.0

data/lib/rex/encoder/alpha2/generic.rb

@@ -0,0 +1,90 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Encoder
+module Alpha2
+
+class Generic
+
+  # Note: 'A' is presumed to be accepted, but excluded from the accepted characters, because it serves as the terminator
+  def Generic.default_accepted_chars ; ('a' .. 'z').to_a + ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
+
+  def Generic.gen_decoder_prefix(reg, offset)
+    # Should never happen - have to pick a specifc
+    # encoding:
+    # alphamixed, alphaupper, unicodemixed, unicodeupper
+    ''
+  end
+
+  def Generic.gen_decoder(reg, offset)
+    # same as above
+    return ''
+  end
+
+  def Generic.gen_second(block, base)
+    # XOR encoder for ascii - unicode uses additive
+    (block^base)
+  end
+
+  def Generic.encode_byte(block, badchars)
+    accepted_chars = default_accepted_chars.dup
+
+    badchars.each_char {|c| accepted_chars.delete(c) } if badchars
+
+    # No, not nipple.
+    nibble_chars = Array.new(0x10) {[]}
+    accepted_chars.each {|c| nibble_chars[c.unpack('C')[0] & 0x0F].push(c) }
+
+    poss_encodings = []
+
+    block_low_nibble = block & 0x0F
+    block_high_nibble = block >> 4
+
+    # Get list of chars suitable for expressing lower part of byte
+    first_chars = nibble_chars[block_low_nibble]
+
+    # Build a list of possible encodings
+    first_chars.each do |first_char|
+      first_high_nibble = first_char.unpack('C')[0] >> 4
+
+      # In the decoding process, the low nibble of the second char gets combined
+      # (either ADDed or XORed depending on the encoder) with the high nibble of the first char,
+      # and we want the high nibble of our input byte to result
+      second_low_nibble = gen_second(block_high_nibble, first_high_nibble) & 0x0F
+
+      # Find valid second chars for this first char and add each combination to our possible encodings
+      second_chars = nibble_chars[second_low_nibble]
+      second_chars.each {|second_char| poss_encodings.push(second_char + first_char) }
+    end
+
+    if poss_encodings.empty?
+      raise RuntimeError, "No encoding of #{"0x%.2X" % block} possible with limited character set"
+    end
+
+    # Return a random encoding
+    poss_encodings[rand(poss_encodings.length)]
+  end
+
+  def Generic.encode(buf, reg, offset, badchars = '')
+    encoded = gen_decoder(reg, offset)
+
+    buf.each_byte {
+      |block|
+
+      encoded << encode_byte(block, badchars)
+    }
+
+    encoded << add_terminator()
+
+    return encoded
+  end
+
+  # 'A' signifies the end of the encoded shellcode
+  def Generic.add_terminator()
+    'AA'
+  end
+
+end end end end
+

data/lib/rex/encoder/alpha2/unicode_mixed.rb

@@ -0,0 +1,116 @@
+# -*- coding: binary -*-
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class UnicodeMixed < Generic
+
+  def self.gen_second(block, base)
+    # unicode uses additive encoding
+    (block - base)
+  end
+
+  def self.gen_decoder_prefix(reg, offset)
+    if (offset > 21)
+       raise "Critical: Offset is greater than 21"
+    end
+
+    # offset untested for unicode :(
+    if (offset <= 14)
+      nop = 'CP' * offset
+      mod = 'IA' * (14 - offset) + nop    # dec ecx,,, push ecx, pop edx
+    else
+      mod = 'AA' * (offset - 14)			# inc ecx
+      nop = 'CP' * (14 - mod.length)
+      mod += nop
+    end
+    regprefix = {                       # nops ignored below
+      'EAX'   => 'PPYA' + mod,         # push eax, pop ecx
+      'ECX'   =>  mod + "4444",        # dec ecx
+      'EDX'   => 'RRYA' + mod,         # push edx, pop ecx
+      'EBX'   => 'SSYA' + mod,         # push ebx, pop ecx
+      'ESP'   => 'TUYA' + mod,         # push esp, pop ecx
+      'EBP'   => 'UUYA' + mod,         # push ebp, pop ecx
+      'ESI'   => 'VVYA' + mod,         # push esi, pop ecx
+      'EDI'   => 'WWYA' + mod,         # push edi, pop edi
+    }
+
+    prefix = regprefix[reg.upcase]
+    if prefix.nil?
+      raise "Critical: Invalid register"
+    end
+
+    return prefix
+  end
+
+  def self.gen_decoder(reg, offset)
+    decoder =
+      gen_decoder_prefix(reg, offset) +
+      "j" +               # push 0
+      "XA" +              # pop eax, NOP
+      "QA" +              # push ecx, NOP
+      "DA" +              # inc esp, NOP
+      "ZA" +              # pop edx, NOP
+      "BA" +              # inc edx, NOP
+      "RA" +              # push edx, NOP
+      "LA" +              # dec esp, NOP
+      "YA" +              # pop ecx, NOP
+      "IA" +              # dec ecx, NOP
+      "QA" +              # push ecx, NOP
+      "IA" +              # dec ecx, NOP
+      "QA" +              # push ecx, NOP
+      "IA" +              # dec ecx, NOP
+      "hAAA" +            # push 00410041, NOP
+      "Z" +               # pop edx
+      "1A" +              # add [ecx], dh NOP
+      "IA" +              # dec ecx, NOP
+      "IA" +              # dec ecx, NOP
+      "J" +               # dec edx
+      "1" +               # add [ecx], dh
+      "1A" +              # add [ecx], dh NOP
+      "IA" +              # dec ecx, NOP
+      "IA" +              # dec ecx, NOP
+      "BA" +              # inc edx, NOP
+      "BA" +              # inc edx, NOP
+      "B" +               # inc edx
+      "Q" +               # add [ecx], dl
+      "I" +               # dec ecx
+      "1A" +              # add [ecx], dh NOP
+      "I" +               # dec ecx
+      "Q" +               # add [ecx], dl
+      "IA" +              # dec ecx, NOP
+      "I" +               # dec ecx
+      "Q" +               # add [ecx], dh
+      "I" +               # dec ecx
+      "1" +               # add [ecx], dh
+      "1" +               # add [ecx], dh
+      "1A" +              # add [ecx], dh NOP
+      "IA" +              # dec ecx, NOP
+      "J" +               # dec edx
+      "Q" +               # add [ecx], dl
+      "YA" +              # pop ecx, NOP
+      "Z" +               # pop edx
+      "B" +               # add [edx], al
+      "A" +               # inc ecx       <-------
+      "B" +               # add [edx], al         |
+      "A" +               # inc ecx               |
+      "B" +               # add [edx], al         |
+      "A" +               # inc ecx               |
+      "B" +               # add [edx], al         |
+      "A" +               # inc ecx               |
+      "B" +               # add [edx], al         |
+      "kM" +              # imul eax, [eax], 10 * |
+      "A" +               # add [edx], al         |
+      "G" +               # inc edi               |
+      "B" +               # add [edx], al         |
+      "9" +               # cmp [eax], eax        |
+      "u" +               # jnz ------------------
+      "4JB"
+
+    return decoder
+  end
+
+end end end end

data/lib/rex/encoder/alpha2/unicode_upper.rb

@@ -0,0 +1,123 @@
+# -*- coding: binary -*-
+
+require 'rex/encoder/alpha2/generic'
+
+module Rex
+module Encoder
+module Alpha2
+
+class UnicodeUpper < Generic
+  def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
+
+  def self.gen_second(block, base)
+    # unicode uses additive encoding
+    (block - base)
+  end
+
+  def self.gen_decoder_prefix(reg, offset)
+    if (offset > 6)
+      raise "Critical: Offset is greater than 6"
+    end
+
+    # offset untested for unicode :(
+    if (offset <= 4)
+      nop = 'CP' * offset
+      mod = 'IA' * (4 - offset) + nop    # dec ecx,,, push ecx, pop edx
+    else
+      mod = 'AA' * (offset - 4)          # inc ecx
+      nop = 'CP' * (4 - mod.length)
+      mod += nop
+    end
+
+    regprefix = {                      # nops ignored below
+      'EAX'   => 'PPYA' + mod,        # push eax, pop ecx
+      'ECX'   =>  mod + '4444',       # dec ecx
+      'EDX'   => 'RRYA' + mod,        # push edx, pop ecx
+      'EBX'   => 'SSYA' + mod,        # push ebx, pop ecx
+      'ESP'   => 'TUYA' + mod,        # push esp, pop ecx
+      'EBP'   => 'UUYA' + mod,        # push ebp, pop ecx
+      'ESI'   => 'VVYA' + mod,        # push esi, pop ecx
+      'EDI'   => 'WWYA' + mod,        # push edi, pop edi
+      '[ESP]' => 'YA' + mod + '44',   #
+      '[ESP+4]' => 'YUYA' + mod,      #
+    }
+
+    return regprefix[reg]
+  end
+
+  def self.gen_decoder(reg, offset)
+    decoder =
+      gen_decoder_prefix(reg, offset) +
+      "QA" +                  # push ecx, NOP
+      "TA" +                  # push esp, NOP
+      "XA" +                  # pop eax, NOP
+      "ZA" +                  # pop edx, NOP
+      "PU" +                  # push eax, NOP
+      "3" +                   # xor eax, [eax]
+      "QA" +                  # push ecx, NOP
+      "DA" +                  # inc esp, NOP
+      "ZA" +                  # pop edx, NOP
+      "BA" +                  # inc edx, NOP
+      "RA" +                  # push edx, NOP
+      "LA" +                  # dec esp, NOP
+      "YA" +                  # pop ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "QA" +                  # push ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "QA" +                  # push ecx, NOP
+      "PA" +                  # push eax, NOP
+      "5AAA" +                # xor eax, 41004100 - NOP
+      "PA" +                  # push eax, NOP
+      "Z" +                   # pop edx
+      "1A" +                  # add [ecx], dh - NOP
+      "I" +                   # dec ecx
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "J" +                   # dec edx
+      "1" +                   # add [ecx], dh
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "IA" +                  # dec ecx, NOP
+      "XA" +                  # pop eax, NOP
+      "58AA" +                # xor eax, 41003800 - NOP
+      "PA" +                  # push eax, NOP
+      "ZA" +                  # pop edx, NOP
+      "BA" +                  # inc edx, NOP
+      "B" +                   # inc edx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec ecx
+      "1A" +                  # add [ecx], dh - NOP
+      "I" +                   # dec ecx
+      "Q" +                   # add [ecx], dl
+      "IA" +                  # dec ecx, NOP
+      "I" +                   # dec ecx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec ecx
+      "1" +                   # add [ecx], dh
+      "1" +                   # add [ecx], dh
+      "1" +                   # add [ecx], dh
+      "1A" +                  # add [ecx], dh - NOP
+      "IA" +                  # dec ecx, NOP
+      "J" +                   # dec edx
+      "Q" +                   # add [ecx], dl
+      "I" +                   # dec edx
+      "1A" +                  # add [ecx], dh - NOP
+      "YA" +                  # pop ecx, NOP
+      "ZB" +                  # pop edx, NOP
+      "AB" +                  # inc ecx, NOP      <-------
+      "AB" +                  # inc ecx, NOP              |
+      "AB" +                  # inc ecx, NOP              |
+      "AB" +                  # inc ecx, NOP              |
+      "30" +                  # imul eax, [ecx], 10 *     |
+      "A" +                   # add al, [ecx+2] *         |
+      "P" +                   # mov [edx], al *           |
+      "B" +                   # inc edx                   |
+      "9" +                   # cmp [ecx], 41 *           |
+      "4" +                   # jnz   --------------------
+      "4JB"
+
+    return decoder
+  end
+
+end end end end

data/lib/rex/encoder/bloxor/bloxor.rb

@@ -0,0 +1,327 @@
+# -*- coding: binary -*-
+
+require 'rex/poly/machine'
+
+module Rex
+
+module Encoder
+
+  class BloXor < Msf::Encoder
+
+    def initialize( *args )
+      super
+      @machine    = nil
+      @blocks_out = []
+      @block_size = 0
+    end
+
+    #
+    #
+    #
+    def decoder_stub( state )
+
+      if( not state.decoder_stub )
+        @blocks_out = []
+        @block_size = 0
+
+        # XXX: It would be ideal to use a random block size but unless we know the maximum size our final encoded
+        # blob can be we should instead start with the smallest block size and go up to avoid generating
+        # anything too big (if we knew the max size we could try something smaller if we generated a blob too big)
+        #block_sizes = (1..state.buf.length).to_a.shuffle
+        #block_sizes.each do | len |
+
+        1.upto( state.buf.length ) do | len |
+
+          # For now we ignore all odd sizes to help with performance (The rex poly machine
+          # doesnt have many load/store primitives that can handle byte sizes efficiently)
+          if( len % 2 != 0 )
+            next
+          end
+
+          blocks, size = compute_encoded( state, len )
+          if( blocks and size )
+
+            # We sanity check that the newly generated block ammount and the block size
+            # are not in the badchar list when converted into a hex form. Helps speed
+            # things up a great deal when generating a decoder stub later as these
+            # values may be used throughout.
+
+            if( not number_is_valid?( state, blocks.length - 1 ) or not number_is_valid?( state, ~( blocks.length - 1 ) ) )
+              next
+            end
+
+            if( not number_is_valid?( state, size ) or not number_is_valid?( state, ~size ) )
+              next
+            end
+
+            @blocks_out = blocks
+            @block_size = size
+
+            break
+          end
+        end
+
+        raise RuntimeError, "Unable to generate seed block." if( @blocks_out.empty? )
+
+        state.decoder_stub = compute_decoder( state )
+      end
+
+      state.decoder_stub
+    end
+
+    #
+    #
+    #
+    def encode_block( state, data )
+
+      buffer = ''
+
+      @blocks_out.each do | block |
+        buffer << block.pack( 'C*' )
+      end
+
+      buffer
+    end
+
+    protected
+
+    #
+    # Is a number in its byte form valid against the badchars?
+    #
+    def number_is_valid?( state, number )
+      size = 'C'
+      if( number > 0xFFFF )
+        size = 'V'
+      elsif( number > 0xFF )
+        size = 'v'
+      end
+      return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil?
+    end
+
+    #
+    # Calculate Shannon's entropy.
+    #
+    def entropy( data )
+      entropy = 0.to_f
+      (0..255).each do | byte |
+        freq = data.to_s.count( byte.chr ).to_f / data.to_s.length
+        if( freq > 0 )
+          entropy -= freq * Math.log2( freq )
+        end
+      end
+      return entropy / 8
+    end
+
+    #
+    # Compute the encoded blocks (and associated seed)
+    #
+    def compute_encoded( state, len )
+
+      blocks_in = ::Array.new
+
+      input = '' << state.buf
+
+      block_padding = ( input.length % len ) > 0 ? len - ( input.length % len ) : 0
+
+      if( block_padding > 0 )
+        0.upto( block_padding-1 ) do
+          input << [ rand( 255 ) ].pack( 'C' )
+        end
+      end
+
+      while( input.length > 0 )
+        blocks_in << input[0..len-1].unpack( 'C*' )
+        input = input[len..input.length]
+      end
+
+      seed = compute_seed( blocks_in, len, block_padding, state.badchars.unpack( 'C*' ) )
+
+      if( not seed )
+        return [ nil, nil ]
+      end
+
+      blocks_out = [ seed ]
+
+      blocks_in.each do | block |
+        blocks_out << compute_block( blocks_out.last, block )
+      end
+
+      return [ blocks_out, len ]
+    end
+
+    #
+    # Generate the decoder stub which is functionally equivalent to the following:
+    #
+    #	source  = &end;
+    #	dest    = source + BLOCK_SIZE;
+    #	counter = BLOCK_COUNT * ( BLOCK_SIZE / chunk_size );
+    #	do
+    #	{
+    #		encoded = *(CHUNK_SIZE *)dest;
+    #		dest += chunk_size;
+    #		decoded = *(CHUNK_SIZE *)source;
+    #		*(CHUNK_SIZE *)source = decoded ^ encoded;
+    #		source += chunk_size;
+    #	} while( --counter );
+    #
+    #	end:
+    #
+    def compute_decoder( state )
+
+      @machine.create_variable( 'source' )
+      @machine.create_variable( 'dest' )
+      @machine.create_variable( 'counter' )
+      @machine.create_variable( 'encoded' )
+      @machine.create_variable( 'decoded' )
+
+      chunk_size = Rex::Poly::Machine::BYTE
+      if( @machine.native_size() == Rex::Poly::Machine::QWORD )
+        if( @block_size % Rex::Poly::Machine::QWORD == 0 )
+          chunk_size = Rex::Poly::Machine::QWORD
+        elsif( @block_size % Rex::Poly::Machine::DWORD == 0 )
+          chunk_size = Rex::Poly::Machine::DWORD
+        elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      elsif( @machine.native_size() == Rex::Poly::Machine::DWORD )
+        if( @block_size % Rex::Poly::Machine::DWORD == 0 )
+          chunk_size = Rex::Poly::Machine::DWORD
+        elsif( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      elsif( @machine.native_size() == Rex::Poly::Machine::WORD )
+        if( @block_size % Rex::Poly::Machine::WORD == 0 )
+          chunk_size = Rex::Poly::Machine::WORD
+        end
+      end
+
+      # Block 1 - Set the source variable to the address of the start block
+      @machine.create_block_primitive( 'block1', 'set', 'source', 'location' )
+
+      # Block 2 - Set the source variable to the address of the 1st encoded block
+      @machine.create_block_primitive( 'block2', 'add', 'source', 'end' )
+
+      # Block 3 - Set the destingation variable to the value of the source variable
+      @machine.create_block_primitive( 'block3', 'set', 'dest', 'source' )
+
+      # Block 4 - Set the destingation variable to the address of the 2nd encoded block
+      @machine.create_block_primitive( 'block4', 'add', 'dest', @block_size )
+
+      # Block 5 - Sets the loop counter to the number of blocks to process
+      @machine.create_block_primitive( 'block5', 'set', 'counter', ( ( @block_size / chunk_size ) * (@blocks_out.length - 1) ) )
+
+      # Block 6 - Set the encoded variable to the byte pointed to by the dest variable
+      @machine.create_block_primitive( 'block6', 'load', 'encoded', 'dest', chunk_size )
+
+      # Block 7 - Increment the destination variable by one
+      @machine.create_block_primitive( 'block7', 'add', 'dest', chunk_size )
+
+      # Block 8 - Set the decoded variable to the byte pointed to by the source variable
+      @machine.create_block_primitive( 'block8', 'load', 'decoded', 'source', chunk_size )
+
+      # Block 9 - Xor the decoded variable with the encoded variable
+      @machine.create_block_primitive( 'block9', 'xor', 'decoded', 'encoded' )
+
+      # Block 10 - store the newly decoded byte
+      @machine.create_block_primitive( 'block10', 'store', 'source', 'decoded', chunk_size )
+
+      # Block 11 - Increment the source variable by one
+      @machine.create_block_primitive( 'block11', 'add', 'source', chunk_size )
+
+      # Block 12 - Jump back up to the outer_loop block while the counter variable > 0
+      @machine.create_block_primitive( 'block12', 'loop', 'counter', 'block6' )
+
+      # Try to generate the decoder stub...
+      decoder = @machine.generate
+
+      if( not decoder )
+        raise RuntimeError, "Unable to generate decoder stub."
+      end
+
+      decoder
+    end
+
+    #
+    # Compute the seed block which will successfully decode all proceeding encoded
+    # blocks while ensuring the encoded blocks do not contain any badchars.
+    #
+    def compute_seed( blocks_in, block_size, block_padding, badchars )
+      seed       = []
+      redo_bytes = []
+
+      0.upto( block_size-1 ) do | index |
+
+        seed_bytes = (0..255).sort_by do
+          rand()
+        end
+
+        seed_bytes.each do | seed_byte |
+
+          next if( badchars.include?( seed_byte ) )
+
+          success = true
+
+          previous_byte = seed_byte
+
+          if( redo_bytes.length < 256 )
+            redo_bytes = (0..255).sort_by do
+              rand()
+            end
+          end
+
+          blocks_in.each do | block |
+
+            decoded_byte = block[ index ]
+
+            encoded_byte = previous_byte ^ decoded_byte
+
+            if( badchars.include?( encoded_byte ) )
+              # the padding bytes we added earlier can be changed if they are causing us to fail.
+              if( block == blocks_in.last and index >= (block_size-block_padding) )
+                if( redo_bytes.empty? )
+                  success = false
+                  break
+                end
+                block[ index ] = redo_bytes.shift
+                redo
+              end
+
+              success = false
+              break
+            end
+
+            previous_byte = encoded_byte
+          end
+
+          if( success )
+            seed << seed_byte
+            break
+          end
+        end
+
+      end
+
+      if( seed.length == block_size )
+        return seed
+      end
+
+      return nil
+    end
+
+    #
+    # Compute the next encoded block by xoring the previous
+    # encoded block with the next decoded block.
+    #
+    def compute_block( encoded, decoded )
+      block = []
+      0.upto( encoded.length-1 ) do | index |
+        block << ( encoded[ index ] ^ decoded[ index ] )
+      end
+      return block
+    end
+
+  end
+
+end
+
+end