Land rapid7#5510, update x86/alpha* encoders to be SaveRegister aware

Author: Brent Cook

lib/rex/arch/x86.rb

@@ -421,8 +421,7 @@ def self.fpu_instructions
   # This method returns an array containing a geteip stub, a register, and an offset
   # This method will return nil if the getip generation fails
   #
-  def self.geteip_fpu(badchars)
-
+  def self.geteip_fpu(badchars, modified_registers = [])
     #
     # Default badchars to an empty string
     #
@@ -470,18 +469,29 @@ def self.geteip_fpu(badchars)
     #
     while(dsts.length > 0)
       buf = ''
+      mod_registers = [ESP]
       dst = dsts[ rand(dsts.length) ]
       dsts.delete(dst)
 
       # If the register is not ESP, copy ESP
       if (dst != ESP)
-        next if badchars.index( (0x70 + dst).chr )
+        mod_registers.push(dst)
+        if badchars.index( (0x70 + dst).chr )
+          mod_registers.pop(dst)
+          next
+        end
 
         if !(badchars.index("\x89") or badchars.index( (0xE0+dst).chr ))
           buf << "\x89" + (0xE0 + dst).chr
         else
-          next if badchars.index("\x54")
-          next if badchars.index( (0x58+dst).chr )
+          if badchars.index("\x54")
+            mod_registers.pop(dst)
+            next
+          end
+          if badchars.index( (0x58+dst).chr )
+            mod_registers.pop(dst)
+            next
+          end
           buf << "\x54" + (0x58 + dst).chr
         end
       end
@@ -506,15 +516,19 @@ def self.geteip_fpu(badchars)
         regs.delete(reg)
         next if reg == ESP
         next if badchars.index( (0x58 + reg).chr )
+        mod_registers.push(reg)
 
         # Pop the value back out
         0.upto(pad / 4) { |c| out << (0x58 + reg).chr }
 
         # Fix the value to point to self
         gap = out.length - buf.length
 
+        mod_registers.uniq!
+        modified_registers.concat(mod_registers)
         return [out, REG_NAMES32[reg].upcase, gap]
       end
+      mod_registers.pop(dst)
     end
 
     return nil

lib/rex/encoder/alpha2/alpha_mixed.rb

@@ -8,22 +8,49 @@ module Alpha2
 
 class AlphaMixed < Generic
 
-  def self.gen_decoder_prefix(reg, offset)
-    if (offset > 32)
-      raise "Critical: Offset is greater than 32"
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 32
+      raise 'Critical: Offset is greater than 32'
     end
 
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
     # use inc ebx as a nop here so we still pad correctly
-    if (offset <= 16)
+    if offset <= 16
       nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod = 'I' * (16 - offset) + nop + '7QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 16
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'J' * (17 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 16)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
       nop = 'C' * (16 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod << nop + '7QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'B' * (17 - (offset - 16))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
+
     regprefix = {
       'EAX'   => 'PY' + mod,                         # push eax, pop ecx
       'ECX'   => 'I' + mod,                          # dec ecx
@@ -36,15 +63,38 @@ def self.gen_decoder_prefix(reg, offset)
     }
 
     reg.upcase!
-    if (not regprefix.keys.include? reg)
-      raise ArgumentError.new("Invalid register name")
+
+    unless regprefix.keys.include?(reg)
+      raise ArgumentError.new('Invalid register name')
     end
+
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
     return regprefix[reg]
   end
 
-  def self.gen_decoder(reg, offset)
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
     decoder =
-       gen_decoder_prefix(reg, offset) +
+       gen_decoder_prefix(reg, offset, mod_registers) +
        "jA" +          # push 0x41
        "X" +           # pop eax
        "P" +           # push eax
@@ -62,7 +112,18 @@ def self.gen_decoder(reg, offset)
        "uJ" +          # jnz short -------------------------
        "I"             # first encoded char, fixes the above J
 
-    return decoder
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    decoder
   end
 
 end end end end

lib/rex/encoder/alpha2/alpha_upper.rb

@@ -9,21 +9,47 @@ module Alpha2
 class AlphaUpper < Generic
   def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
 
-  def self.gen_decoder_prefix(reg, offset)
-    if (offset > 20)
-      raise "Critical: Offset is greater than 20"
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 20
+      raise 'Critical: Offset is greater than 20'
     end
 
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
     # use inc ebx as a nop here so we still pad correctly
     if (offset <= 10)
       nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod = 'I' * (10 - offset) + nop + 'QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 10
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'J' * (11 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 10)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
       nop = 'C' * (10 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod << nop + 'QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'B' * (11 - (offset - 10))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
     regprefix = {
       'EAX'   => 'PY' + mod,                        # push eax, pop ecx
@@ -33,20 +59,41 @@ def self.gen_decoder_prefix(reg, offset)
       'ESP'   => 'TY' + mod,                        # push esp, pop ecx
       'EBP'   => 'UY' + mod,                        # push ebp, pop ecx
       'ESI'   => 'VY' + mod,                        # push esi, pop ecx
-      'EDI'   => 'WY' + mod,                        # push edi, pop edi
+      'EDI'   => 'WY' + mod,                        # push edi, pop ecx
     }
 
     reg.upcase!
-    if (not regprefix.keys.include? reg)
+    unless regprefix.keys.include?(reg)
       raise ArgumentError.new("Invalid register name")
     end
-    return regprefix[reg]
 
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return regprefix[reg]
   end
 
-  def self.gen_decoder(reg, offset)
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
     decoder =
-      gen_decoder_prefix(reg, offset) +
+      gen_decoder_prefix(reg, offset, mod_registers) +
       "V" +           # push esi
       "T" +           # push esp
       "X" +           # pop eax
@@ -73,6 +120,18 @@ def self.gen_decoder(reg, offset)
       "JJ" +          # jnz * --------------------
       "I"             # first encoded char, fixes the above J
 
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ESI,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
     return decoder
   end
 

modules/encoders/x86/alpha_mixed.rb

@@ -31,6 +31,7 @@ def initialize
   # being encoded.
   #
   def decoder_stub(state)
+    modified_registers = []
     reg = datastore['BufferRegister']
     off = (datastore['BufferOffset'] || 0).to_i
     buf = ''
@@ -41,8 +42,19 @@ def decoder_stub(state)
         buf = 'VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089'
         reg = 'ECX'
         off = 0
+        modified_registers.concat (
+          [
+            Rex::Arch::X86::ESP,
+            Rex::Arch::X86::EDI,
+            Rex::Arch::X86::ESI,
+            Rex::Arch::X86::EBP,
+            Rex::Arch::X86::EBX,
+            Rex::Arch::X86::EDX,
+            Rex::Arch::X86::ECX,
+            Rex::Arch::X86::EAX
+          ])
       else
-        res = Rex::Arch::X86.geteip_fpu(state.badchars)
+        res = Rex::Arch::X86.geteip_fpu(state.badchars, modified_registers)
         if (not res)
           raise EncodingError, "Unable to generate geteip code"
         end
@@ -52,7 +64,15 @@ def decoder_stub(state)
       reg.upcase!
     end
 
-    buf + Rex::Encoder::Alpha2::AlphaMixed::gen_decoder(reg, off)
+    stub = buf + Rex::Encoder::Alpha2::AlphaMixed::gen_decoder(reg, off, modified_registers)
+
+    # Sanity check that saved_registers doesn't overlap with modified_registers
+    modified_registers.uniq!
+    if (modified_registers & saved_registers).length > 0
+      raise BadGenerateError
+    end
+
+    stub
   end
 
   #
@@ -69,4 +89,14 @@ def encode_block(state, block)
   def encode_end(state)
     state.encoded += Rex::Encoder::Alpha2::AlphaMixed::add_terminator()
   end
+
+  # Indicate that this module can preserve some registers
+  def can_preserve_registers?
+    true
+  end
+
+  # Convert the SaveRegisters to an array of x86 register constants
+  def saved_registers
+    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
+  end
 end