Land rapid7#4876, @hmoore-r7 give encoders and payloads space available

Brent Cook · Brent Cook · commit 603179176a00 · 2015-03-09T11:50:46.000-05:00
diff --git a/lib/msf/base/simple/payload.rb b/lib/msf/base/simple/payload.rb
@@ -51,12 +51,13 @@ def self.generate_simple(payload, opts, &block)
 
     # Generate the payload
     e = EncodedPayload.create(payload,
-        'BadChars' => opts['BadChars'],
-        'MinNops'  => opts['NopSledSize'],
-        'Encoder'  => opts['Encoder'],
+        'BadChars'    => opts['BadChars'],
+        'MinNops'     => opts['NopSledSize'],
+        'Encoder'     => opts['Encoder'],
         'Iterations'  => opts['Iterations'],
         'ForceEncode' => opts['ForceEncode'],
-        'Space'    => opts['MaxSize'])
+        'DisableNops' => opts['DisableNops'],
+        'Space'       => opts['MaxSize'])
 
     fmt = opts['Format'] || 'raw'
 
diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb
@@ -34,6 +34,7 @@ def initialize(framework, pinst, reqs)
     self.framework = framework
     self.pinst     = pinst
     self.reqs      = reqs
+    self.space     = reqs['Space']
   end
 
   #
@@ -64,6 +65,9 @@ def generate(raw = nil)
       # First, validate
       pinst.validate()
 
+      # Tell the payload how much space is available
+      pinst.available_space = self.space
+
       # Generate the raw version of the payload first
       generate_raw() if self.raw.nil?
 
@@ -191,6 +195,9 @@ def encode
           next
         end
 
+        # Tell the encoder how much space is available
+        self.encoder.available_space = self.space
+
         eout = self.raw.dup
 
         next_encoder = false
@@ -456,7 +463,10 @@ def arch
   # The number of encoding iterations used
   #
   attr_reader :iterations
-
+  #
+  # The maximum number of bytes acceptable for the encoded payload
+  #
+  attr_reader :space
 protected
 
   attr_writer :raw # :nodoc:
@@ -467,6 +477,7 @@ def arch
   attr_writer :encoder # :nodoc:
   attr_writer :nop # :nodoc:
   attr_writer :iterations # :nodoc:
+  attr_writer :space # :nodoc
 
   #
   # The payload instance used to generate the payload
diff --git a/lib/msf/core/encoder.rb b/lib/msf/core/encoder.rb
@@ -434,6 +434,12 @@ def preserves_stack?
     false
   end
 
+  #
+  # The amount of space available to the encoder, which may be nil,
+  # indicating that the smallest possible encoding should be used.
+  #
+  attr_accessor :available_space
+
 protected
 
   #
diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb
@@ -500,6 +500,12 @@ def on_session(session)
   #
   attr_accessor :assoc_exploit
 
+  #
+  # The amount of space available to the payload, which may be nil,
+  # indicating that the smallest possible payload should be used.
+  #
+  attr_accessor :available_space
+
 protected
 
   #
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
@@ -184,6 +184,7 @@ def encode_payload(shellcode)
         encoder_list.each do |encoder_mod|
           cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
           begin
+            encoder_mod.available_space = @space
             return run_encoder(encoder_mod, shellcode.dup)
           rescue ::Msf::EncoderSpaceViolation => e
             cli_print "#{encoder_mod.refname} failed with #{e.message}"
@@ -298,9 +299,11 @@ def generate_raw_payload
         end
 
         payload_module.generate_simple(
-            'Format'   => 'raw',
-            'Options'  => datastore,
-            'Encoder'  => nil
+            'Format'      => 'raw',
+            'Options'     => datastore,
+            'Encoder'     => nil,
+            'MaxSize'     => @space,
+            'DisableNops' => true
         )
       end
     end

Original file line number	Diff line number	Diff line change
`@@ -500,6 +500,12 @@ def on_session(session)`
`500`	`500`	`#`
`501`	`501`	`attr_accessor :assoc_exploit`
`502`	`502`
	`503`	`+ #`
	`504`	`+ # The amount of space available to the payload, which may be nil,`
	`505`	`+ # indicating that the smallest possible payload should be used.`
	`506`	`+ #`
	`507`	`+ attr_accessor :available_space`
	`508`	`+`
`503`	`509`	`protected`
`504`	`510`
`505`	`511`	`#`