r3set
/
MetaSploitFraemwork
mirror of https://github.com/rapid7/metasploit-framework


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
							#
# Simple script to test a group of encoders against every exploit in the framework,
# specifically for the exploits badchars, to see if a payload can be encoded. We ignore
# the target arch/platform of the exploit as we just want to pull out real world bad chars.
#

msfbase = __FILE__
while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))

require 'msfenv'

$msf = Msf::Simple::Framework.create

EXPLOITS = $msf.exploits

def print_line(message)
  $stdout.puts(message)
end

def format_badchars(badchars)
  str = ''
  if (badchars)
    badchars.each_byte do |b|
      str << "\\x%02X" % [ b ]
    end
  end
  str
end

def encoder_v_payload(encoder_name, payload, verbose = false)
  success = 0
  fail = 0
  EXPLOITS.each_module do |name, mod|
    exploit = mod.new
    print_line("\n#{encoder_name} v #{name} (#{format_badchars(exploit.payload_badchars)})") if verbose
    begin
      encoder = $msf.encoders.create(encoder_name)
      raw = encoder.encode(payload, exploit.payload_badchars, nil, nil)
      success += 1
    rescue
      print_line("    FAILED! badchars=#{format_badchars(exploit.payload_badchars)}\n") if verbose
      fail += 1
    end
  end
  return [ success, fail ]
end

def generate_payload(name)
  payload = $msf.payloads.create(name)

  # set options for a reverse_tcp payload
  payload.datastore['LHOST'] = '192.168.2.1'
  payload.datastore['RHOST'] = '192.168.2.254'
  payload.datastore['RPORT'] = '5432'
  payload.datastore['LPORT'] = '4444'
  # set options for an exec payload
  payload.datastore['CMD'] = 'calc'
  # set generic options
  payload.datastore['EXITFUNC'] = 'thread'

  return payload.generate
end

def run(encoders, payload_name, verbose = false)
  payload = generate_payload(payload_name)

  table = Rex::Text::Table.new(
    'Header' => 'Encoder v Payload Test - ' + ::Time.new.strftime("%d-%b-%Y %H:%M:%S"),
    'Indent' => 4,
    'Columns' => [ 'Encoder Name', 'Success', 'Fail' ]
  )

  encoders.each do |encoder_name|
    success, fail = encoder_v_payload(encoder_name, payload, verbose)

    table << [ encoder_name, success, fail ]
  end

  return table
end

if ($0 == __FILE__)

  print_line("[+] Starting.\n")

  encoders = [
    'x86/bloxor',
    'x86/shikata_ga_nai',
    'x86/jmp_call_additive',
    'x86/fnstenv_mov',
    'x86/countdown',
    'x86/call4_dword_xor'
  ]

  payload_name = 'windows/shell/reverse_tcp'

  verbose = false

  result_table = run(encoders, payload_name, verbose)

  print_line("\n\n#{result_table.to_s}\n\n")

  print_line("[+] Finished.\n")
end