#!/usr/bin/env ruby module Rex module Arch # # everything here is mostly stole from vlad's perl x86 stuff # module X86 # # Register number constants # EAX = AL = AX = ES = 0 ECX = CL = CX = CS = 1 EDX = DL = DX = SS = 2 EBX = BL = BX = DS = 3 ESP = AH = SP = FS = 4 EBP = CH = BP = GS = 5 ESI = DH = SI = 6 EDI = BH = DI = 7 REG_NAMES32 = [ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi' ] # :nodoc: # Jump tp a specific register def self.jmp_reg(str) reg = reg_number(str) _check_reg(reg) "\xFF" + [224 + reg].pack('C') end # This method returns the opcodes that compose a jump instruction to the # supplied relative offset. def self.jmp(addr) "\xe9" + pack_dword(rel_number(addr)) end # # This method adds/subs a packed long integer # def self.dword_adjust(dword, amount=0) pack_dword(dword.unpack('V')[0] + amount) end # # This method returns the opcodes that compose a tag-based search routine # def self.searcher(tag) "\xbe" + dword_adjust(tag,-1)+ # mov esi, Tag - 1 "\x46" + # inc esi "\x47" + # inc edi (end_search:) "\x39\x37" + # cmp [edi],esi "\x75\xfb" + # jnz 0xa (end_search) "\x46" + # inc esi "\x4f" + # dec edi (start_search:) "\x39\x77\xfc" + # cmp [edi-0x4],esi "\x75\xfa" + # jnz 0x10 (start_search) jmp_reg('edi') # jmp edi end # # Generates a buffer that will copy memory immediately following the stub # that is generated to be copied to the stack # def self.copy_to_stack(len) # four byte align len = (len + 3) & ~0x3 stub = "\xeb\x0f"+ # jmp _end push_dword(len)+ # push n "\x59"+ # pop ecx "\x5e"+ # pop esi "\x29\xcc"+ # sub esp, ecx "\x89\xe7"+ # mov edi, esp "\xf3\xa4"+ # rep movsb "\xff\xe4"+ # jmp esp "\xe8\xec\xff\xff\xff" # call _start stub end # # This method returns the opcodes that compose a short jump instruction to # the supplied relative offset. # def self.jmp_short(addr) "\xeb" + pack_lsb(rel_number(addr, -2)) end # # This method returns the opcodes that compose a relative call instruction # to the address specified. # def self.call(addr) "\xe8" + pack_dword(rel_number(addr, -5)) end # # This method returns a number offset to the supplied string. # def self.rel_number(num, delta = 0) s = num.to_s case s[0, 2] when '$+' num = s[2 .. -1].to_i when '$-' num = -1 * s[2 .. -1].to_i when '0x' num = s.hex else delta = 0 end return num + delta end # # This method returns the number associated with a named register. # def self.reg_number(str) return self.const_get(str.upcase) end # # This method returns the register named associated with a given register # number. # def self.reg_name32(num) _check_reg(num) return REG_NAMES32[num].dup end # # This method generates the encoded effective value for a register. # def self.encode_effective(shift, dst) return (0xc0 | (shift << 3) | dst) end # # This method generates the mod r/m character for a source and destination # register. # def self.encode_modrm(dst, src) _check_reg(dst, src) return (0xc0 | src | dst << 3).chr end # # This method generates a push byte instruction. # def self.push_byte(byte) # push byte will sign extend... if byte < 128 && byte >= -128 return "\x6a" + (byte & 0xff).chr end raise ::ArgumentError, "Can only take signed byte values!", caller() end # # This method generates a push word instruction. # def self.push_word(val) return "\x66\x68" + pack_word(val) end # # This method generates a push dword instruction. # def self.push_dword(val) return "\x68" + pack_dword(val) end # # This method generates a pop dword instruction into a register. # def self.pop_dword(dst) _check_reg(dst) return (0x58 | dst).chr end # # This method generates an instruction that clears the supplied register in # a manner that attempts to avoid bad characters, if supplied. # def self.clear(reg, badchars = '') _check_reg(reg) return set(reg, 0, badchars) end # # This method generates the opcodes that set the low byte of a given # register to the supplied value. # def self.mov_byte(reg, val) _check_reg(reg) # chr will raise RangeError if val not between 0 .. 255 return (0xb0 | reg).chr + val.chr end # # This method generates the opcodes that set the low word of a given # register to the supplied value. # def self.mov_word(reg, val) _check_reg(reg) if val < 0 || val > 0xffff raise RangeError, "Can only take unsigned word values!", caller() end return "\x66" + (0xb8 | reg).chr + pack_word(val) end # # This method generates the opcodes that set the a register to the # supplied value. # def self.mov_dword(reg, val) _check_reg(reg) return (0xb8 | reg).chr + pack_dword(val) end # # This method is a general way of setting a register to a value. Depending # on the value supplied, different sets of instructions may be used. # # TODO: Make this moderatly intelligent so it chain instructions by itself # (ie. xor eax, eax + mov al, 4 + xchg ah, al) def self.set(dst, val, badchars = '') _check_reg(dst) # If the value is 0 try xor/sub dst, dst (2 bytes) if(val == 0) opcodes = Rex::Text.remove_badchars("\x29\x2b\x31\x33", badchars) if !opcodes.empty? return opcodes[rand(opcodes.length)].chr + encode_modrm(dst, dst) end # TODO: SHL/SHR # TODO: AND end # try push BYTE val; pop dst (3 bytes) begin return _check_badchars(push_byte(val) + pop_dword(dst), badchars) rescue ::ArgumentError, ::RuntimeError, ::RangeError end # try clear dst, mov BYTE dst (4 bytes) begin # break if val == 0 return _check_badchars(clear(dst, badchars) + mov_byte(dst, val), badchars) rescue ::ArgumentError, ::RuntimeError, ::RangeError end # try mov DWORD dst (5 bytes) begin return _check_badchars(mov_dword(dst, val), badchars) rescue ::ArgumentError, ::RuntimeError, ::RangeError end # try push DWORD, pop dst (6 bytes) begin return _check_badchars(push_dword(val) + pop_dword(dst), badchars) rescue ::ArgumentError, ::RuntimeError, ::RangeError end # try clear dst, mov WORD dst (6 bytes) begin # break if val == 0 return _check_badchars(clear(dst, badchars) + mov_word(dst, val), badchars) rescue ::ArgumentError, ::RuntimeError, ::RangeError end raise RuntimeError, "No valid set instruction could be created!", caller() end # # Builds a subtraction instruction using the supplied operand # and register. # def self.sub(val, reg, badchars = '', add = false, adjust = false, bits = 0) opcodes = [] shift = (add == true) ? 0 : 5 if (bits <= 8 and val >= -0x7f and val <= 0x7f) opcodes << ((adjust) ? '' : clear(reg, badchars)) + "\x83" + [ encode_effective(shift, reg) ].pack('C') + [ val.to_i ].pack('C') end if (bits <= 16 and val >= -0xffff and val <= 0) opcodes << ((adjust) ? '' : clear(reg, badchars)) + "\x66\x81" + [ encode_effective(shift, reg) ].pack('C') + [ val.to_i ].pack('v') end opcodes << ((adjust) ? '' : clear(reg, badchars)) + "\x81" + [ encode_effective(shift, reg) ].pack('C') + [ val.to_i ].pack('V') # Search for a compatible opcode opcodes.each { |op| begin _check_badchars(op, badchars) rescue next end return op } if opcodes.empty? raise RuntimeError, "Could not find a usable opcode", caller() end end # # This method generates the opcodes equivalent to subtracting with a # negative value from a given register. # def self.add(val, reg, badchars = '', adjust = false, bits = 0) sub(val, reg, badchars, true, adjust, bits) end # # This method wrappers packing a short integer as a little-endian buffer. # def self.pack_word(num) [num].pack('v') end # # This method wrappers packing an integer as a little-endian buffer. # def self.pack_dword(num) [num].pack('V') end # # This method returns the least significant byte of a packed dword. # def self.pack_lsb(num) pack_dword(num)[0,1] end # # This method adjusts the value of the ESP register by a given amount. # def self.adjust_reg(reg, adjustment) if (adjustment > 0) sub(adjustment, reg, '', false, false, 32) else add(adjustment, reg, '', true, 32) end end def self._check_reg(*regs) # :nodoc: regs.each { |reg| if reg > 7 || reg < 0 raise ArgumentError, "Invalid register #{reg}", caller() end } return nil end def self._check_badchars(data, badchars) # :nodoc: idx = Rex::Text.badchar_index(data, badchars) if idx raise RuntimeError, "Bad character at #{idx}", caller() end return data end # # This method returns an array of 'safe' FPU instructions # def self.fpu_instructions fpus = [] 0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr } 0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr } fpus << "\xd9\xd0" fpus << "\xd9\xe1" fpus << "\xd9\xf6" fpus << "\xd9\xf7" fpus << "\xd9\xe5" # This FPU instruction seems to fail consistently on Linux #fpus << "\xdb\xe1" fpus end # # This method returns an array containing a geteip stub, a register, and an offset # This method will return nil if the getip generation fails # def self.geteip_fpu(badchars) # # Default badchars to an empty string # badchars ||= '' # # Bail out early if D9 is restricted # return nil if badchars.index("\xd9") # # Create a list of FPU instructions # fpus = *self.fpu_instructions bads = [] badchars.each_byte do |c| fpus.each do |str| bads << str if (str.index(c.chr)) end end bads.each { |str| fpus.delete(str) } return nil if fpus.length == 0 # # Create a list of registers to use for fnstenv # dsts = [] 0.upto(7) do |c| dsts << c if (not badchars.index( (0x70+c).chr )) end if (dsts.include?(ESP) and badchars.index("\x24")) dsts.delete(ESP) end return nil if dsts.length == 0 # # Grab a random FPU instruction # fpu = fpus[ rand(fpus.length) ] # # Grab a random register from dst # while(dsts.length > 0) buf = '' dst = dsts[ rand(dsts.length) ] dsts.delete(dst) # If the register is not ESP, copy ESP if (dst != ESP) next if badchars.index( (0x70 + dst).chr ) if !(badchars.index("\x89") or badchars.index( (0xE0+dst).chr )) buf << "\x89" + (0xE0 + dst).chr else next if badchars.index("\x54") next if badchars.index( (0x58+dst).chr ) buf << "\x54" + (0x58 + dst).chr end end pad = 0 while (pad < (128-12) and badchars.index( (256-12-pad).chr)) pad += 4 end # Give up on finding a value to use here if (pad == (128-12)) return nil end out = buf + fpu + "\xd9" + (0x70 + dst).chr out << "\x24" if dst == ESP out << (256-12-pad).chr regs = [*(0..7)] while (regs.length > 0) reg = regs[ rand(regs.length) ] regs.delete(reg) next if reg == ESP next if badchars.index( (0x58 + reg).chr ) # Pop the value back out 0.upto(pad / 4) { |c| out << (0x58 + reg).chr } # Fix the value to point to self gap = out.length - buf.length return [out, REG_NAMES32[reg].upcase, gap] end end return nil end end end end