
Thread: Creating a new encoding schema for msf

  1. #1 ShadowMaster (Senior Member, Join Date Jul 2011, Location /root, Posts 189)

    Creating a new encoding schema for msf

    Hi, guys. In my travels and adventures into the exciting world of pentesting, I've come across something I feel is cool. So here's the deal.
    I've looked through the encoding tools in the msframework, those that were described in Metasploit: The Penetration Tester's Guide, and those that were described in Grey Hat Hacking...
    What I've noticed is that they pretty much all follow the same standard: XOR against a key, with the final exploit looking like this:
    encrypted shellcode->decryption loop->decrypted shellcode
    The program decrypts itself then jumps to the new shellcode and runs.
    All very nice and pretty. But...
    This won't bypass systems using advanced IPS/IDS to monitor packets, and it also won't pass validation on a printable charset only lookup.
    So, Hacking: A Guide to Exploitation gives a solution that I have yet to see implemented. Namely, self-building shellcode. Meaning, the shellcode builds itself using only printable chars.
    Something like this: Since PUSH EAX, SUB EAX, and a few others all correspond to printable ASCII chars, we can zero out EAX, then subtract by way of rollover to get EAX to the instruction set we want, then push it to the stack. This usually only takes 3 SUBs for each 4 bytes to push to stack. By subtracting to the last four bytes of SC (shellcode) then pushing to stack, and moving on to the next four, until all is pushed to stack, we can bypass all those mentioned protection systems.
    The next step would either be to SUB to 4 NOP's and PUSH EAX until the SC overwrites itself and slides down to the payload, or just to JMP to the actual payload immediately.
    To set the actual subtraction to the correct only printable bytes usually doesn't take more than three instructions since the ascii charset can be used to subtract, obviously. Looking something like this:
    SUB EAX,0x41434547 (f - D C B A or something very similar; I hexdumped this from SUB EAX,0x41424344 compiled with NASM)
    SUB EAX,0x...
    SUB EAX,0x...
    PUSH EAX (the last four bytes)

    SUB EAX,0x...
    SUB EAX,0x...
    SUB EAX,0x...
    PUSH EAX (the next four bytes)
    until all the SC is written. All this being contained within a printable string.
    What I want to do is write a metasploit module to take a given payload, and make it self-building.
    What I want from the community is :
    1) Advice.
    I've never written a metasploit module, programmed in ruby, or done anything like this really. I want to know if it's a good idea, if it's implementable, and if people are interested.
    2) Help
    I'm willing to put in work, but I don't know enough to do this on my own. Please help, people.
    3) Practical concerns
    Will this work? What is the best way to implement it?
    4) General suggestions and improvements
    Self-explanatory

    I understand that this may only be practical on non-exe (i.e. only standard network) exploits, but if it helps the success of even those, why not do it.
    Let me know.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
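Added example (not code from the thread, Metasploit, or the books cited): a small Python walker that emulates the AND/SUB/PUSH sequence described in the post from an analyst's side and rebuilds the bytes such a printable stream would leave on the stack. The opcode bytes are the standard x86 encodings (0x25 AND EAX,imm32; 0x2D SUB EAX,imm32; 0x50 PUSH EAX); the sample stream is constructed for the demonstration and builds no real payload.

```python
import struct

MASK = 0xFFFFFFFF


def is_printable(buf: bytes) -> bool:
    """True if every byte is printable ASCII (0x21-0x7E), i.e. passes a charset filter."""
    return all(0x21 <= b <= 0x7E for b in buf)


def emulate_sub_push(code: bytes, eax: int = 0):
    """Walk AND/SUB/PUSH instructions; return (pushed dwords, rebuilt stack bytes).

    The last PUSH lands at the lowest address, so the rebuilt stack image is the
    pushed dwords concatenated in reverse order, each little-endian.
    """
    pushed, i = [], 0
    while i < len(code):
        op = code[i]
        if op in (0x25, 0x2D) and i + 5 <= len(code):
            imm = struct.unpack_from("<I", code, i + 1)[0]
            # 0x25 ('%') is AND EAX,imm32; 0x2D ('-') is SUB EAX,imm32 wrapping mod 2**32
            eax = (eax & imm) if op == 0x25 else ((eax - imm) & MASK)
            i += 5
        elif op == 0x50:  # 0x50 ('P') is PUSH EAX
            pushed.append(eax)
            i += 1
        else:
            break  # not part of the self-building prologue; stop the walk
    rebuilt = b"".join(struct.pack("<I", d) for d in reversed(pushed))
    return pushed, rebuilt


def dword(value: int) -> bytes:
    return struct.pack("<I", value)


# Constructed sample (not real shellcode): two ANDs with complementary printable
# masks zero EAX (0x41414141 & 0x3E3E3E3E == 0), then two rounds of three SUBs
# plus a PUSH. Every byte of the stream is a printable ASCII character.
SAMPLE = (
    b"%" + dword(0x41414141) + b"%" + dword(0x3E3E3E3E)
    + b"-" + dword(0x41414141) + b"-" + dword(0x42424242) + b"-" + dword(0x43434343) + b"P"
    + b"-" + dword(0x41414141) + b"-" + dword(0x2D2D2D2D) + b"-" + dword(0x41414141) + b"P"
)

if __name__ == "__main__":
    print(is_printable(SAMPLE))  # True: the stream itself passes a printable-only filter
    dwords, image = emulate_sub_push(SAMPLE, eax=0xDEADBEEF)
    print([hex(d) for d in dwords], image)  # the bytes it builds are not printable at all
```

The walk shows why a printable-charset check on the wire is not a meaningful defence against this scheme: only emulation (or detection of the `%`/`-`/`P` prologue pattern) reveals what is actually built.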

  2. #2 ShadowMaster (Senior Member, Join Date Jul 2011, Location /root, Posts 189)

    Re: Creating a new encoding schema for msf

    Yeah, to AND EAX x2 for each four bytes is a little stupid. So I actually don't want to do that. Since when EAX is originally zeroed out, and then SUB'ed to the proper value then pushed, we already know its value, it's only a matter of figuring out which values to sub from the new EAX to get to the next four bytes. You should only have to zero it out once.
    As for the tutorial, that technique is similar, but I want this more like a POC for non-SEH, ASLR etc. protected things. When this POC works, then we would take it to the next level and make it work as a standard module with all the other goodies.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  3. #3 ShadowMaster (Senior Member, Join Date Jul 2011, Location /root, Posts 189)

    Re: Creating a new encoding schema for msf

    While I would love to get started and post updates, several problems remain. 1) I have not magically gained ruby programming knowledge in the last 72 hours. 2) I have not gained through any means, arcane or otherwise, a design for the module. 3) Sorcerous familiars have not been conjured to offer help with the design, implementation, and coding of the module. 4) I have not been granted any epiphanies in regards to the most practical way to do any of this. 5) Nobody has offered the help of his/her coven of hackers to assist me in this endeavor. I refer you back to my first post. I need help with this. So if people are willing to collaborate with me, then I would love to continue. Until then, we must wait with bated breath for willing volunteers.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  4. #4 (Just burned his ISO, Join Date Nov 2011, Posts 3)

    Re: Creating a new encoding schema for msf

    Which language are you suggesting?

    I'm up for Python.

  5. #5 ShadowMaster (Senior Member, Join Date Jul 2011, Location /root, Posts 189)

    Re: Creating a new encoding schema for msf

    We can start with a POC Python module, but the end game is to port it directly into the MSF. For that it needs to be in Ruby...
    If people are interested, I'll use this thread to continue posting, and upload a script that'll figure out what to SUB from EAX based on EAX(current) to EAX(desired).

    EDIT: Due to apparent lack of interest, I've scrapped this project and moved on to a more useful one.
    Last edited by ShadowMaster; 11-27-2011 at 03:05 AM. Reason: Lack of interest.
    World Domination is such an ugly phrase. I prefer the term World Optimization.
