Land rapid7#5374, --smallest option in msfvenom

wchen-r7 · wchen-r7 · commit bdf30dd38387 · 2015-05-20T21:06:10.000-05:00
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
@@ -61,6 +61,9 @@ class PayloadGenerator
     # @!attribute  platform
     #   @return [String] The platform to build the payload for
     attr_accessor :platform
+    # @!attribute  smallest
+    #   @return [Boolean] Whether or not to find the smallest possible output
+    attr_accessor :smallest
     # @!attribute  space
     #   @return [Fixnum] The maximum size in bytes of the payload
     attr_accessor :space
@@ -95,6 +98,7 @@ class PayloadGenerator
     # @option opts [Hash] :datastore (see #datastore)
     # @option opts [Msf::Framework] :framework (see #framework)
     # @option opts [Boolean] :cli (see #cli)
+    # @option opts [Boolean] :smallest (see #smallest)
     # @raise [KeyError] if framework is not provided in the options hash
     def initialize(opts={})
       @add_code   = opts.fetch(:add_code, '')
@@ -113,12 +117,20 @@ def initialize(opts={})
       @stdin      = opts.fetch(:stdin, nil)
       @template   = opts.fetch(:template, '')
       @var_name   = opts.fetch(:var_name, 'buf')
+      @smallest   = opts.fetch(:smallest, false)
       @encoder_space = opts.fetch(:encoder_space, @space)
 
       @framework  = opts.fetch(:framework)
 
       raise ArgumentError, "Invalid Payload Selected" unless payload_is_valid?
       raise ArgumentError, "Invalid Format Selected" unless format_is_valid?
+
+      # In smallest mode, override the payload @space & @encoder_space settings
+      if @smallest
+        @space = 0
+        @encoder_space = 1.gigabyte
+      end
+
     end
 
     # This method takes the shellcode generated so far and adds shellcode from
@@ -199,24 +211,36 @@ def encode_payload(shellcode)
       encoder_list = get_encoders
       if encoder_list.empty?
         cli_print "No encoder or badchars specified, outputting raw payload"
-        shellcode
-      else
-        cli_print "Found #{encoder_list.count} compatible encoders"
-        encoder_list.each do |encoder_mod|
-          cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
-          begin
-            encoder_mod.available_space = @encoder_space
-            return run_encoder(encoder_mod, shellcode.dup)
-          rescue ::Msf::EncoderSpaceViolation => e
-            cli_print "#{encoder_mod.refname} failed with #{e.message}"
-            next
-          rescue ::Msf::EncodingError => e
-            cli_print "#{encoder_mod.refname} failed with #{e.message}"
-            next
-          end
+        return shellcode
+      end
+
+      results = {}
+
+      cli_print "Found #{encoder_list.count} compatible encoders"
+      encoder_list.each do |encoder_mod|
+        cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
+        begin
+          encoder_mod.available_space = @encoder_space unless @smallest
+          results[encoder_mod.refname] = run_encoder(encoder_mod, shellcode.dup)
+          break unless @smallest
+        rescue ::Msf::EncoderSpaceViolation => e
+          cli_print "#{encoder_mod.refname} failed with #{e.message}"
+          next
+        rescue ::Msf::EncodingError => e
+          cli_print "#{encoder_mod.refname} failed with #{e.message}"
+          next
         end
+      end
+
+      if results.keys.length == 0
         raise ::Msf::EncodingError, "No Encoder Succeeded"
       end
+
+      # Return the shortest encoding of the payload
+      chosen_encoder = results.keys.sort{|a,b| results[a].length <=> results[b].length}.first
+      cli_print "#{chosen_encoder} chosen with final size #{results[chosen_encoder].length}"
+
+      results[chosen_encoder]
     end
 
     # This returns a hash for the exe format generation of payloads
@@ -351,7 +375,7 @@ def get_encoders
           e.datastore.import_options_from_hash(datastore)
           encoders << e if e
         end
-        encoders.sort_by { |my_encoder| my_encoder.rank }.reverse
+        encoders.select{ |my_encoder| my_encoder.rank != ManualRanking }.sort_by { |my_encoder| my_encoder.rank }.reverse
       else
         encoders
       end
diff --git a/modules/encoders/cmd/echo.rb b/modules/encoders/cmd/echo.rb
@@ -34,12 +34,12 @@ def encode_block(state, buf)
     end
 
     if state.badchars.include?("-")
-      raise RuntimeError
+      raise EncodingError
     else
       # Without an escape character we can't escape anything, so echo
       # won't work.
       if state.badchars.include?("\\")
-        raise RuntimeError
+        raise EncodingError
       else
         buf = encode_block_bash_echo(state,buf)
       end
@@ -68,7 +68,7 @@ def encode_block_bash_echo(state, buf)
       if state.badchars.include?("`")
         # Last ditch effort, dollar paren
         if state.badchars.include?("$") or state.badchars.include?("(")
-          raise RuntimeError
+          raise EncodingError
         else
           buf = "$(/bin/echo -ne #{hex})"
         end
diff --git a/modules/encoders/cmd/generic_sh.rb b/modules/encoders/cmd/generic_sh.rb
@@ -68,7 +68,7 @@ def encode_block_perl(state, buf)
     state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
 
     # Throw an error if we ran out of quotes
-    raise RuntimeError if qot.length == 0
+    raise EncodingError if qot.length == 0
 
     sep = qot[0].chr
 
@@ -83,7 +83,7 @@ def encode_block_perl(state, buf)
       if (state.badchars.match(/\(|\)/))
 
         # No paranthesis...
-        raise RuntimeError
+        raise EncodingError
       end
 
       cmd << "system\\(pack\\(qq#{sep}H\\*#{sep},qq#{sep}#{hex}#{sep}\\)\\)"
@@ -92,7 +92,7 @@ def encode_block_perl(state, buf)
       if (state.badchars.match(/\(|\)/))
         if (state.badchars.include?(" "))
           # No spaces allowed, no paranthesis, give up...
-          raise RuntimeError
+          raise EncodingError
         end
 
         cmd << "'system pack qq#{sep}H*#{sep},qq#{sep}#{hex}#{sep}'"
@@ -124,7 +124,7 @@ def encode_block_bash_echo(state, buf)
       if (state.badchars.include?("`"))
         # Last ditch effort, dollar paren
         if (state.badchars.include?("$") or state.badchars.include?("("))
-          raise RuntimeError
+          raise EncodingError
         else
           buf = "$(/bin/echo -ne #{hex})"
         end
diff --git a/modules/encoders/cmd/perl.rb b/modules/encoders/cmd/perl.rb
@@ -35,7 +35,7 @@ def encode_block(state, buf)
     end
 
     if state.badchars.include?("-")
-      raise RuntimeError
+      raise EncodingError
     else
       buf = encode_block_perl(state,buf)
     end
@@ -55,7 +55,7 @@ def encode_block_perl(state, buf)
     # Convert spaces to IFS...
     if state.badchars.include?(" ")
       if state.badchars.match(/[${IFS}]/n)
-        raise RuntimeError
+        raise EncodingError
       end
       cmd.gsub!(/\s/, '${IFS}')
     end
@@ -118,7 +118,7 @@ def perl_qq(state, qot, hex)
     state.badchars.unpack('C*') { |c| qot.delete(c.chr) }
 
     # Throw an error if we ran out of quotes
-    raise RuntimeError if qot.length == 0
+    raise EncodingError if qot.length == 0
 
     sep = qot[0].chr
     # Use an explicit length for the H specifier instead of just "H*"
diff --git a/modules/encoders/cmd/printf_php_mq.rb b/modules/encoders/cmd/printf_php_mq.rb
@@ -50,7 +50,7 @@ def encode_block(state, buf)
       (state.badchars.include?("|")) or
       # We must have at least ONE of these two..
       (state.badchars.include?("x") and state.badchars.include?("0"))
-      raise RuntimeError
+      raise EncodingError
     end
 
     # Now we build a string of the original payload with bad characters
diff --git a/modules/encoders/mipsbe/byte_xori.rb b/modules/encoders/mipsbe/byte_xori.rb
@@ -44,7 +44,7 @@ def decoder_stub(state)
     # add 4 number of passes  for the space reserved for the key, at the end of the decoder stub
     # (see commented source)
     number_of_passes=state.buf.length+4
-    raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
+    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
 
     # 16-bits not (again, see also commented source)
     reg_14 = (number_of_passes+1)^0xFFFF
diff --git a/modules/encoders/mipsbe/longxor.rb b/modules/encoders/mipsbe/longxor.rb
@@ -35,8 +35,8 @@ def decoder_stub(state)
 
     # add one xor operation for the key (see comment below)
     number_of_passes=state.buf.length/4+1
-    raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
-    raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
+    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
+    raise EncodingError.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
 
     # 16-bits not (again, see below)
     reg_14 = (number_of_passes+1)^0xFFFF
diff --git a/modules/encoders/mipsle/byte_xori.rb b/modules/encoders/mipsle/byte_xori.rb
@@ -44,7 +44,7 @@ def decoder_stub(state)
     # add 4 number of passes  for the space reserved for the key, at the end of the decoder stub
     # (see commented source)
     number_of_passes=state.buf.length+4
-    raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
+    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 32766
 
     # 16-bits not (again, see also commented source)
     reg_14 = (number_of_passes+1)^0xFFFF
diff --git a/modules/encoders/mipsle/longxor.rb b/modules/encoders/mipsle/longxor.rb
@@ -35,8 +35,8 @@ def decoder_stub(state)
 
     # add one xor operation for the key (see comment below)
     number_of_passes=state.buf.length/4+1
-    raise InvalidPayloadSizeException.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
-    raise InvalidPayloadSizeException.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
+    raise EncodingError.new("The payload being encoded is too long (#{state.buf.length} bytes)") if number_of_passes > 10240
+    raise EncodingError.new("The payload is not padded to 4-bytes (#{state.buf.length} bytes)") if state.buf.length%4 != 0
 
     # 16-bits not (again, see below)
     reg_14 = (number_of_passes+1)^0xFFFF
diff --git a/modules/encoders/php/base64.rb b/modules/encoders/php/base64.rb
@@ -27,7 +27,7 @@ def encode_block(state, buf)
     # Have to have these for the decoder stub, so if they're not available,
     # there's nothing we can do here.
     ["(",")",".","_","c","h","r","e","v","a","l","b","s","6","4","d","o"].each do |c|
-      raise EncodeError if state.badchars.include?(c)
+      raise BadcharError if state.badchars.include?(c)
     end
 
     # PHP escapes quotes by default with magic_quotes_gpc, so we use some
diff --git a/modules/encoders/x86/add_sub.rb b/modules/encoders/x86/add_sub.rb
@@ -99,7 +99,7 @@ def decoder_stub(state)
     @inst = {}
     @set = add_or_sub(@avchars)
     if @set == 0 then
-      raise RuntimeError, "Bad character list includes essential characters."
+      raise EncodingError, "Bad character list includes essential characters."
       exit
     elsif @set == 1 then #add
       @inst["opcode"] = 0x05
@@ -112,7 +112,7 @@ def decoder_stub(state)
     @inst["push_esp"] = 0x54
     @inst["pop_esp"] = 0x5c
     if state.buf.size%4 != 0 then
-      raise RuntimeError, "Shellcode size must be divisible by 4, try nop padding."
+      raise EncodingError, "Shellcode size must be divisible by 4, try nop padding."
       exit
     end
     #init
diff --git a/modules/encoders/x86/alpha_mixed.rb b/modules/encoders/x86/alpha_mixed.rb
@@ -44,7 +44,7 @@ def decoder_stub(state)
       else
         res = Rex::Arch::X86.geteip_fpu(state.badchars)
         if (not res)
-          raise RuntimeError, "Unable to generate geteip code"
+          raise EncodingError, "Unable to generate geteip code"
         end
       buf, reg, off = res
       end
diff --git a/modules/encoders/x86/alpha_upper.rb b/modules/encoders/x86/alpha_upper.rb
@@ -47,7 +47,7 @@ def decoder_stub(state)
       else
         res = Rex::Arch::X86.geteip_fpu(state.badchars)
         if (not res)
-          raise RuntimeError, "Unable to generate geteip code"
+          raise EncodingError, "Unable to generate geteip code"
         end
       buf, reg, off = res
       end
diff --git a/modules/encoders/x86/avoid_utf8_tolower.rb b/modules/encoders/x86/avoid_utf8_tolower.rb
@@ -90,20 +90,6 @@
 #
 class Metasploit3 < Msf::Encoder
 
-  #
-  # In some cases, payloads can be an invalid size that is incompatible with
-  # this encoder
-  #
-  class InvalidPayloadSizeException < ::Exception
-    def initialize(msg)
-      @msg = msg
-    end
-
-    def to_s
-      @msg
-    end
-  end
-
   # This encoder has a manual ranking because it should only be used in cases
   # where information has been explicitly supplied, like the BufferOffset.
   Rank = ManualRanking
@@ -136,7 +122,7 @@ def decoder_stub(state)
 
     # Check to make sure that the length is a valid size
     if is_badchar(state, len)
-      raise InvalidPayloadSizeException.new("The payload being encoded is of an incompatible size (#{len} bytes)")
+      raise EncodingError.new("The payload being encoded is of an incompatible size (#{len} bytes)")
     end
 
     decoder =
diff --git a/modules/encoders/x86/opt_sub.rb b/modules/encoders/x86/opt_sub.rb
@@ -161,11 +161,11 @@ def decoder_stub(state)
 
     # determine if we have any invalid characters that we rely on.
     unless all_bytes_valid
-      raise RuntimeError, "Bad character set contains characters that are required for this encoder to function."
+      raise EncodingError, "Bad character set contains characters that are required for this encoder to function."
     end
 
     unless @asm['PUSH'][@base_reg]
-      raise RuntimeError, "Invalid base register"
+      raise EncodingError, "Invalid base register"
     end
 
     # get the offset from the specified base register, or default to zero if not specifed
@@ -176,7 +176,7 @@ def decoder_stub(state)
 
     # if we can't then we bomb, because we know we need to clear out EAX at least once
     unless @clear1
-      raise RuntimeError, "Unable to find AND-able chars resulting 0 in the valid character set."
+      raise EncodingError, "Unable to find AND-able chars resulting 0 in the valid character set."
     end
 
     protect_payload = (datastore['OverwriteProtect'] || "").downcase == "true"
@@ -288,7 +288,7 @@ def encode_payload(buf, reg_offset, protect_payload)
     # Write out a stubbed placeholder for the offset instruction based on
     # the base register, we'll update this later on when we know how big our payload is.
     encoded, _ = sub_3(0, 0)
-    raise RuntimeError, "Couldn't offset base register." if encoded.nil?
+    raise EncodingError, "Couldn't offset base register." if encoded.nil?
     data << create_sub(encoded)
 
     # finally push the value of EAX back into ESP
@@ -312,7 +312,7 @@ def encode_payload(buf, reg_offset, protect_payload)
       end
 
       # if we're still nil here, then we have an issue
-      raise RuntimeError, "Couldn't encode payload" if encoded.nil?
+      raise EncodingError, "Couldn't encode payload" if encoded.nil?
 
       data << create_sub(encoded)
     end
@@ -324,7 +324,7 @@ def encode_payload(buf, reg_offset, protect_payload)
     encoded, _ = sub_3(total_offset, 0)
 
     # if we're still nil here, then we have an issue
-    raise RuntimeError, "Couldn't encode protection" if encoded.nil?
+    raise EncodingError, "Couldn't encode protection" if encoded.nil?
     patch = create_sub(encoded)
 
     # patch in the correct offset back at the start of our payload
diff --git a/modules/encoders/x86/shikata_ga_nai.rb b/modules/encoders/x86/shikata_ga_nai.rb
@@ -281,7 +281,7 @@ def generate_shikata_block(state, length, cutoff)
     begin
       # Generate a permutation saving the ECX, ESP, and user defined registers
       loop_inst.generate(block_generator_register_blacklist, nil, state.badchars)
-    rescue RuntimeError => e
+    rescue EncodingError => e
       raise EncodingError
     end
   end
diff --git a/modules/encoders/x86/unicode_mixed.rb b/modules/encoders/x86/unicode_mixed.rb
@@ -37,7 +37,7 @@ def decoder_stub(state)
     reg    = datastore['BufferRegister']
     offset = datastore['BufferOffset'].to_i || 0
     if (not reg)
-      raise RuntimeError, "Need BufferRegister"
+      raise EncodingError, "Need BufferRegister"
     end
     Rex::Encoder::Alpha2::UnicodeMixed::gen_decoder(reg, offset)
   end
diff --git a/modules/encoders/x86/unicode_upper.rb b/modules/encoders/x86/unicode_upper.rb
@@ -37,7 +37,7 @@ def decoder_stub(state)
     reg    = datastore['BufferRegister']
     offset = datastore['BufferOffset'].to_i || 0
     if (not reg)
-      raise RuntimeError, "Need BufferRegister"
+      raise EncodingError, "Need BufferRegister"
     end
     Rex::Encoder::Alpha2::UnicodeUpper::gen_decoder(reg, offset)
   end
diff --git a/msfvenom b/msfvenom
@@ -143,6 +143,10 @@ require 'msf/core/payload_generator'
       opts[:var_name] = x
     end
 
+    opt.on('--smallest', 'Generate the smallest possible payload') do
+      opts[:smallest] = true
+    end
+
     opt.on_tail('-h', '--help', 'Show this message') do
       raise UsageError, "#{opt}"
     end
