[framework] Forcing a specific encoder
mmiller at hick.org
Tue Oct 17 07:58:55 CDT 2006
On Tue, Oct 17, 2006 at 10:36:14AM +0200, Alok Menghrajani wrote:
> And it seems, no matter what I do, I can't get to fill reqs['Encoder']
> (HERE2 and HERE3 never get displayed).
>
> Could someone please explain why in /lib/msf/core/exploit.rb (L468), the
> reqs['Encoder'] is not assigned a value the same way as the other
> parameters (such as BadChars) ?
>
> I tried adding 'Encoder' => '/x86/countdown' and 'Payload' => {
> 'Encoder' => '/x86/countdown' } to my exploit, but the reqs['Encoder']
> never seems to get assigned.

While not directly related to your question (which Pranay Kanwar
answered), there is another way that you can indirectly control which
encoder is selected. Technically, we would prefer that exploits stay
away from specifying a static encoder in their meta information. Non-static
encoders make them less static and more likely to be able to grow if we add or
improve existing encoders. However, in some cases, it is necessary for
exploits to restrict the type of encoder that is used to one that will meet a
certain set of character requirements. For example, the following 'types' of
encoders can be specified in an exploit to limit the set of possible encoders
that the framework will attempt to use when building a payload for the exploit:

    module Type
      # 'A' - 'Z', '0' - '9'
      AlphanumUpper = "alpha_upper"
      # 'a' - 'z', 'A' - 'Z', '0' - '9'
      AlphanumMixed = "alpha_mixed"
      # Unicode-safe 'A' - 'Z', '0' - '9'
      AlphanumUnicodeUpper = "alpha_unicode_upper"
      # Unicode-safe 'a' - 'z', 'A' - 'Z', '0' - '9'
      AlphanumUnicodeMixed = "alpha_unicode_mixed"
      # toupper/tolower safe ascii - not 'a' - 'z', 'A' - 'Z'
      NonAlpha = "non_alpha"
      # tolower safe ascii - not 'A' - 'Z' (more flexible than nonalpha)
      NonUpper = "non_upper"
      # tolower safe ascii UTF8-safe (<= 0x7f only)
      NonUpperUtf8Safe = "non_upper_utf8_safe"
      # All characters
      Raw = "raw"
    end

This probably isn't applicable to your exploit, but I'm mainly posting it
for future reference. To see an example of specifying an encoder type,
check out the following exploit:

    exploits/windows/browser/mcafee_mcsubmgr_vsprintf.rb
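
Added example (not part of the original post and not framework code): a Ruby checker that turns the character ranges in the listing's comments into byte predicates and reports which of the named types a buffer conforms to, and at which offsets it does not. The module name `EncoderTypeCheck` and its methods are hypothetical, the samples are constructed, and `non_alpha`/`non_upper` are assumed to allow bytes above 0x7f because only the UTF8-safe variant states the `<= 0x7f` limit; the two Unicode-safe types are omitted since the listing gives them the same ranges as their non-Unicode counterparts.

```ruby
# Hypothetical helper, written from the comments in the Type listing above.
module EncoderTypeCheck
  upper = ->(b) { b.between?(0x41, 0x5a) }  # 'A' - 'Z'
  lower = ->(b) { b.between?(0x61, 0x7a) }  # 'a' - 'z'
  digit = ->(b) { b.between?(0x30, 0x39) }  # '0' - '9'

  # Type name (as in the post) => predicate over a single byte value.
  RULES = {
    "alpha_upper"         => ->(b) { upper.(b) || digit.(b) },
    "alpha_mixed"         => ->(b) { upper.(b) || lower.(b) || digit.(b) },
    # Assumption: any non-letter byte is allowed, including bytes > 0x7f.
    "non_alpha"           => ->(b) { !upper.(b) && !lower.(b) },
    "non_upper"           => ->(b) { !upper.(b) },
    "non_upper_utf8_safe" => ->(b) { b <= 0x7f && !upper.(b) },
    "raw"                 => ->(_b) { true },
  }.freeze

  # Returns [offset, byte] pairs for every byte outside the named class.
  def self.violations(type, data)
    rule = RULES.fetch(type) { raise ArgumentError, "unknown encoder type: #{type}" }
    data.bytes.each_with_index.reject { |b, _i| rule.(b) }.map { |b, i| [i, b] }
  end

  # Returns the type names whose character class the whole buffer satisfies.
  def self.compatible_types(data)
    RULES.keys.select { |type| violations(type, data).empty? }
  end
end

if __FILE__ == $0
  # Constructed sample buffers, not taken from any real payload.
  ["PYIIII0123", "abc123", "\x90\x90%41".b].each do |sample|
    puts "#{sample.inspect}: #{EncoderTypeCheck.compatible_types(sample).join(', ')}"
  end
  bad = EncoderTypeCheck.violations("alpha_upper", "AB-c")
  bad.each { |off, byte| puts format("offset %d: 0x%02x not in alpha_upper", off, byte) }
end
```

A buffer that conforms to `non_upper` is exactly one that an ASCII `tolower` pass leaves unchanged, which is the property the "tolower safe" comment describes.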