Polymorphic XOR Additive Feedback Encoder - Metasploit
This page contains detailed information about how to use the encoder/x86/shikata_ga_nai metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Polymorphic XOR Additive Feedback Encoder
Module: encoder/x86/shikata_ga_nai
Source code: modules/encoders/x86/shikata_ga_nai.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): x86
Supported platform(s): All
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
msf > use encoder/x86/shikata_ga_nai
msf encoder(shikata_ga_nai) > show targets
... a list of targets ...
msf encoder(shikata_ga_nai) > set TARGET target-id
msf encoder(shikata_ga_nai) > show options
... show and set options ...
msf encoder(shikata_ga_nai) > exploit
Go back to menu.
Msfconsole Usage
Here is how the encoder/x86/shikata_ga_nai module looks in the msfconsole:
msf6 > use encoder/x86/shikata_ga_nai
msf6 encoder(x86/shikata_ga_nai) > show info
Name: Polymorphic XOR Additive Feedback Encoder
Module: encoder/x86/shikata_ga_nai
Platform: All
Arch: x86
Rank: Excellent
Provided by:
spoonm <spoonm@no$email.com>
Description:
This encoder implements a polymorphic XOR additive feedback encoder.
The decoder stub is generated based on dynamic instruction
substitution and dynamic block ordering. Registers are also selected
dynamically.
Module Options
This is a complete list of options available in the encoder/x86/shikata_ga_nai module:
msf6 encoder(x86/shikata_ga_nai) > show options
Module options (encoder/x86/shikata_ga_nai):
Name Current Setting Required Description
---- --------------- -------- -----------
Advanced Options
Here is a complete list of advanced options supported by the encoder/x86/shikata_ga_nai module:
msf6 encoder(x86/shikata_ga_nai) > show advanced
Module advanced options (encoder/x86/shikata_ga_nai):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Can't generate NULL-free decoder with a BufferOffset bigger than one byte
Here is a relevant code snippet related to the "Can't generate NULL-free decoder with a BufferOffset bigger than one byte" error message:
177: if (datastore["BufferRegister"])
178:
179: buff_reg = Rex::Poly::LogicalRegister::X86.new('buff', datastore["BufferRegister"])
180: offset = (datastore["BufferOffset"] ? datastore["BufferOffset"].to_i : 0)
181: if ((offset < -255 or offset > 255) and state.badchars.include? "\x00")
182: raise EncodingError.new("Can't generate NULL-free decoder with a BufferOffset bigger than one byte")
183: end
184: mov = Proc.new { |b|
185: # mov <buff_reg>, <addr_reg>
186: "\x89" + (0xc0 + b.regnum_of(addr_reg) + (8 * b.regnum_of(buff_reg))).chr
187: }
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5374 Merged Pull Request: Implements msfvenom --smallest
- #4393 Merged Pull Request: Missing patch for Stage Encoding
- #3770 Merged Pull Request: Stage encoding is now SaveRegister aware
- #2525 Merged Pull Request: Change module boilerplate
- #1316 Merged Pull Request: Re-enable stage encoding
- #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences
Go back to menu.
See Also
Check also the following modules related to this module:
- encoder/x86/add_sub
- encoder/x86/alpha_mixed
- encoder/x86/alpha_upper
- encoder/x86/avoid_underscore_tolower
- encoder/x86/avoid_utf8_tolower
- encoder/x86/bloxor
- encoder/x86/bmp_polyglot
- encoder/x86/call4_dword_xor
- encoder/x86/context_cpuid
- encoder/x86/context_stat
- encoder/x86/context_time
- encoder/x86/countdown
- encoder/x86/fnstenv_mov
- encoder/x86/jmp_call_additive
- encoder/x86/nonalpha
- encoder/x86/nonupper
- encoder/x86/opt_sub
- encoder/x86/service
- encoder/x86/single_static_bit
- encoder/x86/unicode_mixed
- encoder/x86/unicode_upper
- encoder/x86/xor_dynamic
Authors
spoonm
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.