TLV traffic obfuscation with 4-non-null-byte XOR #6480
Conversation
| raw = super | ||
| xor_key = rand(254) + 1 | ||
| xor_key |= (rand(254) + 1) << 8 | ||
| xor_key |= (rand(255) + 1) << 16 |
There was a problem hiding this comment.
Shouldn't this be 254, like the above?
| expect(parser.send(:raw)).to eq "" | ||
| expect(parser.send(:hdr_length_left)).to eq 8 | ||
| expect(parser.send(:payload_length_left)).to eq 0 | ||
| parser.send(:raw).to eq "" |
There was a problem hiding this comment.
We will need to keep the expects here.
There was a problem hiding this comment.
Looks like a bad merge. Thanks for picking this up!
|
OK, this should be good to go now! We've got all the payloads wired up. Thanks to all who helped! @sempervictus @bcook-r7 @timwr @zeroSteiner |
|
Pretty please can I get a bump on this? Working off the branch on gigs is annoying :D Thank you and much ❤️ |
|
ok, let's do it |
|
done and done - thanks ever so much @OJ and crew! |
|
Woohoo! Thanks Brent!
|
| # the serialized TLV content, and then returns the key plus the | ||
| # scrambled data as the payload. | ||
| # | ||
| def to_r |
There was a problem hiding this comment.
Mainly a style nitpick, but this could be cleaner:
xor_key = rand(0x100000000)
There was a problem hiding this comment.
That doesn't guarantee non-null bytes in all 4 positions.
There was a problem hiding this comment.
Would something like xor_key = rand(0xffffffff) +1 be better?
There was a problem hiding this comment.
There was a problem hiding this comment.
Is avoiding any single byte good or bad for heuristic detection? Would the chance of the first byte never being an 'R' be more of a tell than it being an 'R' in rare cases?
There was a problem hiding this comment.
I think that as long as not all of the bytes are 0, nothing else really makes a difference.
There was a problem hiding this comment.
I may just be overly paranoid, but I felt like it was a good thing to guarantee that every byte changed. That's really the only reasoning.
This is the MSF side of the Meterpreter PR that can be found here: rapid7/metasploit-payloads#64
Details of the PR and its intent can be found in the Payloads repo. May I request that we discuss the bulk of it on the payloads side, and only discuss the MSF-side of the PR here.
Thanks!