Land #11141, Ensure Byte XORi Encoder uses cacheflush()

modules/encoders/mipsbe/byte_xori.rb

@@ -18,8 +18,9 @@ class MetasploitModule < Msf::Encoder::Xor
       },
       'Author'           =>
         [
-          'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
-          'juan vazquez' # byte_xori encoder
+          'Julien Tinnes <julien[at]cr0.org>',  # original longxor encoder, which this one is based on
+          'juan vazquez',                       # byte_xori encoder
+          'Pedro Ribeiro <pedrib@gmail.com>',   # fix for Linux >= 2.6.11 (set up cacheflush() args properly)
         ],
       'Arch'             => ARCH_MIPSBE,
       'License'          => MSF_LICENSE,
@@ -44,6 +45,7 @@ class MetasploitModule < Msf::Encoder::Xor
 
     # 16-bits not (again, see also commented source)
     reg_14 = (number_of_passes+1)^0xFFFF
+    reg_5 = state.buf.length^0xFFFF
 
     decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:big), <<EOS).encoded.data
 main:
@@ -54,7 +56,7 @@ endm
 
   li      ($14, #{reg_14})               ; 0x240exxxx - store in $14 the number of passes (two's complement) - xxxx (number of passes)
   nor     $14, $14, $0                   ; 0x01c07027 - get in $14 the number of passes
-  li      ($11,-69)                      ; 0x240bffbb - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
+  li      ($11,-84)                      ; 0x240bffac - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
 
 ; acts as getpc
 next:
@@ -63,6 +65,7 @@ next:
 
   nor     $11, $11, $0                   ; 0x01605827 - get in $11 the offset to the end of the decoder (from the addu instr)
   addu    $25, $31, $11                  ; 0x03ebc821 - get in $25 a pointer to the end of the decoder stub
+  addu	  $16, $31, $11		             ; $16 too (used to set up the cacheflush() arg down below)
 
   slti    $23, $0, 0x#{slti_imm(state)}  ; 0x2817xxxx - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
   lb      $17, -1($25)                   ; 0x8f31fffc - Load xor key in $17 (stored on the last byte of the decoder stub)
@@ -83,6 +86,10 @@ loop:
   bne     $0, $30, loop                  ; 0x17c0fff9 - branch to loop if $30 != 0 (ranch while bytes to decode)
   addu    $25, $25, $15                  ; 0x032dc821 - next instruction to decode, executed because of the pipelining
 
+  addiu	$4, $16, -4                      ; cacheflush() addr parameter
+  li(      $10,#{reg_5})                 ; cacheflush() nbytes parameter
+  nor   $5, $10, $0                      ; same as above
+
   li      ($2, 4147)                     ; 0x24021033 - cacheflush sytem call
   syscall 0x52950                        ; 0x014a540c
   nop                                    ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop

modules/encoders/mipsle/byte_xori.rb

@@ -18,8 +18,9 @@ class MetasploitModule < Msf::Encoder::Xor
       },
       'Author'           =>
         [
-          'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
-          'juan vazquez' # byte_xori encoder
+          'Julien Tinnes <julien[at]cr0.org>',  # original longxor encoder, which this one is based on
+          'juan vazquez',                       # byte_xori encoder
+          'Pedro Ribeiro <pedrib@gmail.com>',   # fix for Linux >= 2.6.11 (set up cacheflush() args properly)
         ],
       'Arch'             => ARCH_MIPSLE,
       'License'          => MSF_LICENSE,
@@ -44,6 +45,7 @@ class MetasploitModule < Msf::Encoder::Xor
 
     # 16-bits not (again, see also commented source)
     reg_14 = (number_of_passes+1)^0xFFFF
+    reg_5 = state.buf.length^0xFFFF
 
     decoder = Metasm::Shellcode.assemble(Metasm::MIPS.new(:little), <<EOS).encoded.data
 main:
@@ -54,7 +56,7 @@ endm
 
   li      ($14, #{reg_14})               ; 0xXXXX0e24 - store in $14 the number of passes (two's complement) - xxxx (number of passes)
   nor     $14, $14, $0                   ; 0x2770c001 - get in $14 the number of passes
-  li      ($11,-69)                      ; 0xbbff0b24 - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
+  li      ($11,-84)                      ; 0xacff0b24 - store in $11 the offset to the end of the decoder (two's complement) (from the addu instr)
 
 ; acts as getpc
 next:
@@ -63,6 +65,7 @@ next:
 
   nor     $11, $11, $0                   ; 0x27586001 - get in $11 the offset to the end of the decoder (from the addu instr)
   addu    $25, $31, $11                  ; 0x21c8eb03 - get in $25 a pointer to the end of the decoder stub
+  addu	  $16, $31, $11		               ; $16 too (used to set up the cacheflush() arg down below)
 
   slti    $23, $0, 0x#{slti_imm(state)}  ; 0xXXXX1728 - Set $23 = 0 (Set $23 = 1 if $0 < imm; else $23 = 0) / xxxx: imm
   lb      $17, -1($25)                   ; 0xffff3183 - Load xor key in $17 (stored on the last byte of the decoder stub)
@@ -83,6 +86,10 @@ loop:
   bne     $0, $30, loop                  ; 0xfaffc017 - branch to loop if $30 != 0 (ranch while bytes to decode)
   addu    $25, $25, $15                  ; 0x21c82f03 - next instruction to decode, executed because of the pipelining
 
+  addiu	$4, $16, -4                      ; cacheflush() addr parameter
+  li(      $10,#{reg_5})                 ; cacheflush() nbytes parameter
+  nor   $5, $10, $0                      ; same as above
+
   li      ($2, 4147)                     ; 0x33100224 - cacheflush sytem call
   syscall 0x52950                        ; 0x0c544a01
   nop                                    ; encoded shellcoded must be here (xor key right here ;) after decoding will result in a nop