Add support for stage encoding to alpha_upper

Author: jvazquez-r7

lib/rex/encoder/alpha2/alpha_mixed.rb

@@ -27,28 +27,28 @@ def self.gen_decoder_prefix(reg, offset, modified_registers = [])
     # use inc ebx as a nop here so we still pad correctly
     if offset <= 16
       nop = 'C' * offset
-      nop_regs.push(Rex::Arch::X86::EBX)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
 
       mod = 'I' * (16 - offset) + nop + '7QZ'    # dec ecx,,, push ecx, pop edx
-      mod_regs.concat([
-        Rex::Arch::X86::ECX,
-        Rex::Arch::X86::EDX
-      ])
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 16
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
 
       edxmod = 'J' * (17 - offset)
-      edx_regs.push(Rex::Arch::X86::EDX)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 16)
-      mod_regs.push(Rex::Arch::X86::ECX)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
 
       nop = 'C' * (16 - mod.length)
-      nop_regs.push(Rex::Arch::X86::EBX)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
 
       mod << nop + '7QZ'
+      mod_regs.concat(nop_regs)
       mod_regs.push(Rex::Arch::X86::EDX)
 
       edxmod = 'B' * (17 - (offset - 16))
-      edx_regs.push(Rex::Arch::X86::EDX)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
 
     regprefix = {

lib/rex/encoder/alpha2/alpha_upper.rb

@@ -9,21 +9,47 @@ module Alpha2
 class AlphaUpper < Generic
   def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
 
-  def self.gen_decoder_prefix(reg, offset)
-    if (offset > 20)
-      raise "Critical: Offset is greater than 20"
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 20
+      raise 'Critical: Offset is greater than 20'
     end
 
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
     # use inc ebx as a nop here so we still pad correctly
     if (offset <= 10)
       nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod = 'I' * (10 - offset) + nop + 'QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 10
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'J' * (11 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 10)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
       nop = 'C' * (10 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod << nop + 'QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'B' * (11 - (offset - 10))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
     regprefix = {
       'EAX'   => 'PY' + mod,                        # push eax, pop ecx
@@ -33,20 +59,41 @@ def self.gen_decoder_prefix(reg, offset)
       'ESP'   => 'TY' + mod,                        # push esp, pop ecx
       'EBP'   => 'UY' + mod,                        # push ebp, pop ecx
       'ESI'   => 'VY' + mod,                        # push esi, pop ecx
-      'EDI'   => 'WY' + mod,                        # push edi, pop edi
+      'EDI'   => 'WY' + mod,                        # push edi, pop ecx
     }
 
     reg.upcase!
-    if (not regprefix.keys.include? reg)
+    unless regprefix.keys.include?(reg)
       raise ArgumentError.new("Invalid register name")
     end
-    return regprefix[reg]
 
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return regprefix[reg]
   end
 
-  def self.gen_decoder(reg, offset)
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
     decoder =
-      gen_decoder_prefix(reg, offset) +
+      gen_decoder_prefix(reg, offset, mod_registers) +
       "V" +           # push esi
       "T" +           # push esp
       "X" +           # pop eax
@@ -73,6 +120,18 @@ def self.gen_decoder(reg, offset)
       "JJ" +          # jnz * --------------------
       "I"             # first encoded char, fixes the above J
 
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ESI,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
     return decoder
   end
 

modules/encoders/x86/alpha_upper.rb

@@ -34,6 +34,7 @@ def initialize
   # being encoded.
   #
   def decoder_stub(state)
+    modified_registers = []
     reg = datastore['BufferRegister']
     off = (datastore['BufferOffset'] || 0).to_i
     buf = ''
@@ -44,8 +45,15 @@ def decoder_stub(state)
         buf = 'VTX630WTX638VXH49HHHPVX5AAQQPVX5YYYYP5YYYD5KKYAPTTX638TDDNVDDX4Z4A63861816'
         reg = 'ECX'
         off = 0
+        modified_registers.concat (
+          [
+            Rex::Arch::X86::ESP,
+            Rex::Arch::X86::EDI,
+            Rex::Arch::X86::ESI,
+            Rex::Arch::X86::EAX
+          ])
       else
-        res = Rex::Arch::X86.geteip_fpu(state.badchars)
+        res = Rex::Arch::X86.geteip_fpu(state.badchars, modified_registers)
         if (not res)
           raise EncodingError, "Unable to generate geteip code"
         end
@@ -55,7 +63,15 @@ def decoder_stub(state)
       reg.upcase!
     end
 
-    buf + Rex::Encoder::Alpha2::AlphaUpper::gen_decoder(reg, off)
+    stub = buf + Rex::Encoder::Alpha2::AlphaUpper::gen_decoder(reg, off, modified_registers)
+
+    # Sanity check that saved_registers doesn't overlap with modified_registers
+    modified_registers.uniq!
+    if (modified_registers & saved_registers).length > 0
+      raise BadGenerateError
+    end
+
+    stub
   end
 
   #
@@ -72,4 +88,14 @@ def encode_block(state, block)
   def encode_end(state)
     state.encoded += Rex::Encoder::Alpha2::AlphaUpper::add_terminator()
   end
+
+  # Indicate that this module can preserve some registers
+  def can_preserve_registers?
+    true
+  end
+
+  # Convert the SaveRegisters to an array of x86 register constants
+  def saved_registers
+    Rex::Arch::X86.register_names_to_ids(datastore['SaveRegisters'])
+  end
 end