
Land #11141, Ensure Byte XORi Encoder uses cacheflush()

bcoles committed Dec 29, 2018
2 parents 005b266 + 1e88ce9 commit 59573151675cc21ce020e7284ecd6f4532ae6eef
Showing with 20 additions and 6 deletions.
  1. +10 −3 modules/encoders/mipsbe/byte_xori.rb
  2. +10 −3 modules/encoders/mipsle/byte_xori.rb
@@ -18,8 +18,9 @@ def initialize
},
'Author' =>
[
'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez' # byte_xori encoder
'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez', # byte_xori encoder
'Pedro Ribeiro <pedrib@gmail.com>', # fix for Linux >= 2.6.11 (set up cacheflush() args properly)
],
'Arch' => ARCH_MIPSBE,
'License' => MSF_LICENSE,
@@ -44,6 +45,7 @@ def decoder_stub(state)

# 16-bits not (again, see also commented source)
reg_14 = (number_of_passes+1)^0xFFFF
reg_5 = state.buf.length^0xFFFF

decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
main:
@@ -54,7 +56,7 @@ def decoder_stub(state)

li ($14, #{reg_14}) ; 0x240exxxx - store in $14 the number of passes (two's complement) - xxxx (number of passes)
nor $14, $14, $0 ; 0x01c07027 - get in $14 the number of passes
li ($11,-69) ; 0x240bffbb - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
li ($11,-84) ; 0x240bffac - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
; acts as getpc
next:
@@ -63,6 +65,7 @@ def decoder_stub(state)
nor $11, $11, $0 ; 0x01605827 - get in $11 the offset to the end of the decoder (from the addu instr)
addu $25, $31, $11 ; 0x03ebc821 - get in $25 a pointer to the end of the decoder stub
addu $16, $31, $11 ; $16 too (used to set up the cacheflush() arg down below)
slti $23, $0, 0x#{slti_imm(state)} ; 0x2817xxxx - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
lb $17, -1($25) ; 0x8f31fffc - Load xor key in $17 (stored on the last byte of the decoder stub)
@@ -83,6 +86,10 @@ def decoder_stub(state)
bne $0, $30, loop ; 0x17c0fff9 - branch to loop if $30 != 0 (ranch while bytes to decode)
addu $25, $25, $15 ; 0x032dc821 - next instruction to decode, executed because of the pipelining
addiu $4, $16, -4 ; cacheflush() addr parameter
li( $10,#{reg_5}) ; cacheflush() nbytes parameter
nor $5, $10, $0 ; same as above
li ($2, 4147) ; 0x24021033 - cacheflush sytem call
syscall 0x52950 ; 0x014a540c
nop ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop
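Review bot: The new `nor $5, $10, $0` line carries only `; same as above`, which does not tell a reader that $5 ends up holding the buffer length — the 16-bit complement loaded into $10 is undone by the nor, the same trick the stub already uses for $14 a few lines earlier; suggest `nor $5, $10, $0 ; $5 = ~(len ^ 0xFFFF) = state.buf.length - cacheflush() nbytes parameter`. That trick, like the new `reg_5 = state.buf.length^0xFFFF` assignment in the earlier hunk, only holds while the length fits in 16 bits, so a short comment at that assignment stating the limit would help; whether the module caps the length elsewhere is outside the hunks. Minor style: `li( $10,#{reg_5})` is spaced unlike every other `li (` in the stub, and `sytem call` should read `system call`. The same points apply to the mipsle/byte_xori.rb section below; decoder_stub begins and ends outside the hunks.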
@@ -18,8 +18,9 @@ def initialize
},
'Author' =>
[
'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez' # byte_xori encoder
'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
'juan vazquez', # byte_xori encoder
'Pedro Ribeiro <pedrib@gmail.com>', # fix for Linux >= 2.6.11 (set up cacheflush() args properly)
],
'Arch' => ARCH_MIPSLE,
'License' => MSF_LICENSE,
@@ -44,6 +45,7 @@ def decoder_stub(state)

# 16-bits not (again, see also commented source)
reg_14 = (number_of_passes+1)^0xFFFF
reg_5 = state.buf.length^0xFFFF

decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), <<EOS).encoded.data
main:
@@ -54,7 +56,7 @@ def decoder_stub(state)

li ($14, #{reg_14}) ; 0xXXXX0e24 - store in $14 the number of passes (two's complement) - xxxx (number of passes)
nor $14, $14, $0 ; 0x2770c001 - get in $14 the number of passes
li ($11,-69) ; 0xbbff0b24 - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
li ($11,-84) ; 0xacff0b24 - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
; acts as getpc
next:
@@ -63,6 +65,7 @@ def decoder_stub(state)
nor $11, $11, $0 ; 0x27586001 - get in $11 the offset to the end of the decoder (from the addu instr)
addu $25, $31, $11 ; 0x21c8eb03 - get in $25 a pointer to the end of the decoder stub
addu $16, $31, $11 ; $16 too (used to set up the cacheflush() arg down below)
slti $23, $0, 0x#{slti_imm(state)} ; 0xXXXX1728 - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
lb $17, -1($25) ; 0xffff3183 - Load xor key in $17 (stored on the last byte of the decoder stub)
@@ -83,6 +86,10 @@ def decoder_stub(state)
bne $0, $30, loop ; 0xfaffc017 - branch to loop if $30 != 0 (ranch while bytes to decode)
addu $25, $25, $15 ; 0x21c82f03 - next instruction to decode, executed because of the pipelining
addiu $4, $16, -4 ; cacheflush() addr parameter
li( $10,#{reg_5}) ; cacheflush() nbytes parameter
nor $5, $10, $0 ; same as above
li ($2, 4147) ; 0x33100224 - cacheflush sytem call
syscall 0x52950 ; 0x0c544a01
nop ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop
