Polymorphic XOR Additive Feedback Encoder - Metasploit

This page contains detailed information about how to use the encoder/x86/shikata_ga_nai metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Module Overview

---

Name: Polymorphic XOR Additive Feedback Encoder
Module: encoder/x86/shikata_ga_nai
Source code: modules/encoders/x86/shikata_ga_nai.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): x86
Supported platform(s): All
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.

Module Ranking and Traits

---

Module Ranking:

• excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

---

msf > use encoder/x86/shikata_ga_nai
msf encoder(shikata_ga_nai) > show targets
    ... a list of targets ...
msf encoder(shikata_ga_nai) > set TARGET target-id
msf encoder(shikata_ga_nai) > show options
    ... show and set options ...
msf encoder(shikata_ga_nai) > exploit

Go back to menu.

Msfconsole Usage

---

Here is how the encoder/x86/shikata_ga_nai module looks in the msfconsole:

msf6 > use encoder/x86/shikata_ga_nai

msf6 encoder(x86/shikata_ga_nai) > show info

       Name: Polymorphic XOR Additive Feedback Encoder
     Module: encoder/x86/shikata_ga_nai
   Platform: All
       Arch: x86
       Rank: Excellent

Provided by:
  spoonm <spoonm@no$email.com>

Description:
  This encoder implements a polymorphic XOR additive feedback encoder. 
  The decoder stub is generated based on dynamic instruction 
  substitution and dynamic block ordering. Registers are also selected 
  dynamically.

Module Options

---

This is a complete list of options available in the encoder/x86/shikata_ga_nai module:

msf6 encoder(x86/shikata_ga_nai) > show options

Module options (encoder/x86/shikata_ga_nai):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Advanced Options

---

Here is a complete list of advanced options supported by the encoder/x86/shikata_ga_nai module:

msf6 encoder(x86/shikata_ga_nai) > show advanced

Module advanced options (encoder/x86/shikata_ga_nai):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Go back to menu.

Error Messages

---

This module may fail with the following error messages:

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Can't generate NULL-free decoder with a BufferOffset bigger than one byte

---

Here is a relevant code snippet related to the "Can't generate NULL-free decoder with a BufferOffset bigger than one byte" error message:

177:	    if (datastore["BufferRegister"])
178:	
179:	      buff_reg = Rex::Poly::LogicalRegister::X86.new('buff', datastore["BufferRegister"])
180:	      offset = (datastore["BufferOffset"] ? datastore["BufferOffset"].to_i : 0)
181:	      if ((offset < -255 or offset > 255) and state.badchars.include? "\x00")
182:	        raise EncodingError.new("Can't generate NULL-free decoder with a BufferOffset bigger than one byte")
183:	      end
184:	      mov = Proc.new { |b|
185:	        # mov <buff_reg>, <addr_reg>
186:	        "\x89" + (0xc0 + b.regnum_of(addr_reg) + (8 * b.regnum_of(buff_reg))).chr
187:	      }

Go back to menu.

Related Pull Requests

---

• #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
• #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
• #6655 Merged Pull Request: use MetasploitModule as a class name
• #6648 Merged Pull Request: Change metasploit class names
• #5374 Merged Pull Request: Implements msfvenom --smallest
• #4393 Merged Pull Request: Missing patch for Stage Encoding
• #3770 Merged Pull Request: Stage encoding is now SaveRegister aware
• #2525 Merged Pull Request: Change module boilerplate
• #1316 Merged Pull Request: Re-enable stage encoding
• #1241 Merged Pull Request: Removed all $Id$ and $Revision$ occurences

Go back to menu.

See Also

---

Check also the following modules related to this module:

• encoder/x86/add_sub
• encoder/x86/alpha_mixed
• encoder/x86/alpha_upper
• encoder/x86/avoid_underscore_tolower
• encoder/x86/avoid_utf8_tolower
• encoder/x86/bloxor
• encoder/x86/bmp_polyglot
• encoder/x86/call4_dword_xor
• encoder/x86/context_cpuid
• encoder/x86/context_stat
• encoder/x86/context_time
• encoder/x86/countdown
• encoder/x86/fnstenv_mov
• encoder/x86/jmp_call_additive
• encoder/x86/nonalpha
• encoder/x86/nonupper
• encoder/x86/opt_sub
• encoder/x86/service
• encoder/x86/single_static_bit
• encoder/x86/unicode_mixed
• encoder/x86/unicode_upper
• encoder/x86/xor_dynamic

Authors

---

spoonm

Version

---

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.