Class: Msf::PayloadGenerator

Inherits:

Object

• Object
• Msf::PayloadGenerator

Defined in:

lib/msf/core/payload_generator.rb

Instance Attribute Summary

• #add_code ⇒ String

  The path to a shellcode file to execute in a separate thread.

• #arch ⇒ String

  The CPU architecture to build the payload for.

• #badchars ⇒ String

  The bad characters that can’t be in the payload.

• #cli ⇒ Boolean

  Whether this is being run by a CLI script.

• #datastore ⇒ Hash

  The datastore to apply to the payload module.

• #encoder ⇒ String

  The encoder(s) you want applied to the payload.

• #encoder_space ⇒ Integer

  The maximum size in bytes of the encoded payload.

• #encryption_format ⇒ String

  The encryption format to use for the shellcode.

• #encryption_iv ⇒ String

  The initialization vector for the encryption (not all apply).

• #encryption_key ⇒ String

  The key to use for the encryption.

• #format ⇒ String

  The format you want the payload returned in.

• #framework ⇒ Msf::Framework

  The framework instance to use for generation.

• #iterations ⇒ Integer

  The number of iterations to run the encoder.

• #keep ⇒ Boolean

  Whether or not to preserve the original functionality of the template.

• #nops ⇒ Integer

  The size in bytes of NOP sled to prepend the payload with.

• #padnops ⇒ Boolean

  Whether to use @!attribute nops as the total payload size.

• #payload ⇒ String

  The refname of the payload to generate.

• #payload_module ⇒ Module

  The payload module object if applicable.

• #platform ⇒ String

  The platform to build the payload for.

• #secname ⇒ String

  The name of the new section within the generated Windows binary.

• #servicename ⇒ String

  The name of the service to be associated with the generated Windows binary.

• #smallest ⇒ Boolean

  Whether or not to find the smallest possible output.

• #space ⇒ Integer

  The maximum size in bytes of the payload.

• #stdin ⇒ String

  The raw bytes of a payload taken from STDIN.

• #sub_method ⇒ Boolean

  Whether or not this binary needs the x86 sub_method applied or not.

• #template ⇒ String

  The path to an executable template to use.

• #var_name ⇒ String

  The custom variable string for certain output formats.

Instance Method Summary

• #add_shellcode(shellcode) ⇒ String

  This method takes the shellcode generated so far and adds shellcode from a supplied file.

• #choose_arch(mod) ⇒ String, Nil

  This method takes a payload module and tries to reconcile a chosen arch with the arches supported by the module.

• #choose_platform(mod) ⇒ Msf::Module::PlatformList

  This method takes a payload module and tries to reconcile a chosen platform with the platforms supported by the module.

• #encode_payload(shellcode) ⇒ String

  This method takes the shellcode generated so far and iterates through the chosen or compatible encoders.

• #exe_options ⇒ Hash

  This returns a hash for the exe format generation of payloads.

• #format_payload(shellcode) ⇒ String

  This method takes the payload shellcode and formats it appropriately based on the selected output format.

• #generate_java_payload ⇒ String

  This method generates Java payloads which are a special case.

• #generate_payload ⇒ String

  This method is a wrapper around all of the other methods.

• #generate_raw_payload ⇒ String

  This method generates the raw form of the payload as generated by the payload module itself.

• #get_encoders(buf) ⇒ Array<Msf::Encoder>

  This method returns an array of encoders that either match the encoders selected by the user, or match the arch selected.

• #initialize(opts = {}) ⇒ PayloadGenerator constructor

  A new instance of PayloadGenerator.

• #multiple_encode_payload(shellcode) ⇒ Object
• #platform_list ⇒ Msf::Module::PlatformList

  Returns a PlatformList object based on the platform string given at creation.

• #prepend_nops(shellcode) ⇒ String

  This method takes an encoded payload and prepends a NOP Sled to it with a size based on the nops value given to the generator.

• #run_encoder(encoder_module, shellcode) ⇒ String

  This method runs a specified encoder, for a number of defined iterations against the shellcode.

Constructor Details

#initialize(opts = {}) ⇒ PayloadGenerator

Returns a new instance of PayloadGenerator.

Parameters:

• opts (Hash) (defaults to: {}) —

  The options hash

Options Hash (opts):

• :payload (String) — default: see #payload
• :format (String) — default: see #format
• :encoder (String) — default: see #encoder
• :secname (String) — default: see #secname
• :iterations (Integer) — default: see #iterations
• :arch (String) — default: see #arch
• :platform (String) — default: see #platform
• :badchars (String) — default: see #badchars
• :template (String) — default: see #template
• :space (Integer) — default: see #space
• :encoder_space (Integer) — default: see #encoder_space
• :nops (Integer) — default: see #nops
• :padnops (Boolean) — default: see #padnops
• :add_code (String) — default: see #add_code
• :keep (Boolean) — default: see #keep
• :datastore (Hash) — default: see #datastore
• :framework (Msf::Framework) — default: see #framework
• :cli (Boolean) — default: see #cli
• :smallest (Boolean) — default: see #smallest

Raises:

• (KeyError) —

  if framework is not provided in the options hash

# File 'lib/msf/core/payload_generator.rb', line 133

def initialize(opts={})
  @add_code   = opts.fetch(:add_code, '')
  @arch       = opts.fetch(:arch, '')
  @badchars   = opts.fetch(:badchars, '')
  @cli        = opts.fetch(:cli, false)
  @datastore  = opts.fetch(:datastore, {})
  @encoder    = opts.fetch(:encoder, '')
  @secname    = opts.fetch(:secname, '')
  @servicename = opts.fetch(:servicename, '')
  @sub_method = opts.fetch(:sub_method, false)
  @format     = opts.fetch(:format, 'raw')
  @iterations = opts.fetch(:iterations, 1)
  @keep       = opts.fetch(:keep, false)
  @nops       = opts.fetch(:nops, 0)
  @padnops    = opts.fetch(:padnops, false)
  @payload    = opts.fetch(:payload, '')
  @platform   = opts.fetch(:platform, '')
  @space      = opts.fetch(:space, 1.gigabyte)
  @stdin      = opts.fetch(:stdin, nil)
  @template   = opts.fetch(:template, '')
  @var_name   = opts.fetch(:var_name, 'buf')
  @smallest   = opts.fetch(:smallest, false)
  @encoder_space = opts.fetch(:encoder_space, @space)
  @encryption_format = opts.fetch(:encryption_format, nil)
  @encryption_key = opts.fetch(:encryption_key, nil)
  @encryption_iv = opts.fetch(:encryption_iv, nil)

  @framework  = opts.fetch(:framework)

  raise InvalidFormat, "invalid format: #{format}"  unless format_is_valid?
  raise ArgumentError, "invalid payload: #{payload}" unless payload_is_valid?

  # A side-effecto of running framework.payloads.create is that
  # framework.payloads.keys gets pruned of unloadable payloads. So, we do it
  # after checking payload_is_valid?, which refers to the cached keys.
  @payload_module = framework.payloads.create(@payload)
  raise ArgumentError, "unloadable payload: #{payload}" unless payload_module || @payload == 'stdin'

  # In smallest mode, override the payload @space & @encoder_space settings
  if @smallest
    @space = 0
    @encoder_space = 1.gigabyte
  end

end

Instance Attribute Details

#add_code ⇒ String

Returns The path to a shellcode file to execute in a separate thread.

Returns:

• (String) —

  The path to a shellcode file to execute in a separate thread

# File 'lib/msf/core/payload_generator.rb', line 31

def add_code
  @add_code
end

#arch ⇒ String

Returns The CPU architecture to build the payload for.

Returns:

• (String) —

  The CPU architecture to build the payload for

# File 'lib/msf/core/payload_generator.rb', line 34

def arch
  @arch
end

#badchars ⇒ String

Returns The bad characters that can’t be in the payload.

Returns:

• (String) —

  The bad characters that can't be in the payload

# File 'lib/msf/core/payload_generator.rb', line 37

def badchars
  @badchars
end

#cli ⇒ Boolean

Returns Whether this is being run by a CLI script.

Returns:

• (Boolean) —

  Whether this is being run by a CLI script

# File 'lib/msf/core/payload_generator.rb', line 40

def cli
  @cli
end

#datastore ⇒ Hash

Returns The datastore to apply to the payload module.

Returns:

• (Hash) —

  The datastore to apply to the payload module

# File 'lib/msf/core/payload_generator.rb', line 43

def datastore
  @datastore
end

#encoder ⇒ String

Returns The encoder(s) you want applied to the payload.

Returns:

• (String) —

  The encoder(s) you want applied to the payload

# File 'lib/msf/core/payload_generator.rb', line 46

def encoder
  @encoder
end

#encoder_space ⇒ Integer

Returns The maximum size in bytes of the encoded payload.

Returns:

• (Integer) —

  The maximum size in bytes of the encoded payload

# File 'lib/msf/core/payload_generator.rb', line 91

def encoder_space
  @encoder_space
end

#encryption_format ⇒ String

Returns The encryption format to use for the shellcode.

Returns:

• (String) —

  The encryption format to use for the shellcode.

# File 'lib/msf/core/payload_generator.rb', line 103

def encryption_format
  @encryption_format
end

#encryption_iv ⇒ String

Returns The initialization vector for the encryption (not all apply).

Returns:

• (String) —

  The initialization vector for the encryption (not all apply)

# File 'lib/msf/core/payload_generator.rb', line 109

def encryption_iv
  @encryption_iv
end

#encryption_key ⇒ String

Returns The key to use for the encryption.

Returns:

• (String) —

  The key to use for the encryption

# File 'lib/msf/core/payload_generator.rb', line 106

def encryption_key
  @encryption_key
end

#format ⇒ String

Returns The format you want the payload returned in.

Returns:

• (String) —

  The format you want the payload returned in

# File 'lib/msf/core/payload_generator.rb', line 58

def format
  @format
end

#framework ⇒ Msf::Framework

Returns The framework instance to use for generation.

Returns:

• (Msf::Framework) —

  The framework instance to use for generation

# File 'lib/msf/core/payload_generator.rb', line 61

def framework
  @framework
end

#iterations ⇒ Integer

Returns The number of iterations to run the encoder.

Returns:

• (Integer) —

  The number of iterations to run the encoder

# File 'lib/msf/core/payload_generator.rb', line 64

def iterations
  @iterations
end

#keep ⇒ Boolean

Returns Whether or not to preserve the original functionality of the template.

Returns:

• (Boolean) —

  Whether or not to preserve the original functionality of the template

# File 'lib/msf/core/payload_generator.rb', line 67

def keep
  @keep
end

#nops ⇒ Integer

Returns The size in bytes of NOP sled to prepend the payload with.

Returns:

• (Integer) —

  The size in bytes of NOP sled to prepend the payload with

# File 'lib/msf/core/payload_generator.rb', line 70

def nops
  @nops
end

#padnops ⇒ Boolean

Returns Whether to use @!attribute nops as the total payload size.

Returns:

• (Boolean) —

  Whether to use @!attribute nops as the total payload size

# File 'lib/msf/core/payload_generator.rb', line 73

def padnops
  @padnops
end

#payload ⇒ String

Returns The refname of the payload to generate.

Returns:

• (String) —

  The refname of the payload to generate

# File 'lib/msf/core/payload_generator.rb', line 76

def payload
  @payload
end

#payload_module ⇒ Module

Returns The payload module object if applicable.

Returns:

• (Module) —

  The payload module object if applicable

# File 'lib/msf/core/payload_generator.rb', line 79

def payload_module
  @payload_module
end

#platform ⇒ String

Returns The platform to build the payload for.

Returns:

• (String) —

  The platform to build the payload for

# File 'lib/msf/core/payload_generator.rb', line 82

def platform
  @platform
end

#secname ⇒ String

Returns The name of the new section within the generated Windows binary.

Returns:

• (String) —

  The name of the new section within the generated Windows binary

# File 'lib/msf/core/payload_generator.rb', line 49

def secname
  @secname
end

#servicename ⇒ String

Returns The name of the service to be associated with the generated Windows binary.

Returns:

• (String) —

  The name of the service to be associated with the generated Windows binary

# File 'lib/msf/core/payload_generator.rb', line 52

def servicename
  @servicename
end

#smallest ⇒ Boolean

Returns Whether or not to find the smallest possible output.

Returns:

• (Boolean) —

  Whether or not to find the smallest possible output

# File 'lib/msf/core/payload_generator.rb', line 85

def smallest
  @smallest
end

#space ⇒ Integer

Returns The maximum size in bytes of the payload.

Returns:

• (Integer) —

  The maximum size in bytes of the payload

# File 'lib/msf/core/payload_generator.rb', line 88

def space
  @space
end

#stdin ⇒ String

Returns The raw bytes of a payload taken from STDIN.

Returns:

• (String) —

  The raw bytes of a payload taken from STDIN

# File 'lib/msf/core/payload_generator.rb', line 94

def stdin
  @stdin
end

#sub_method ⇒ Boolean

Returns Whether or not this binary needs the x86 sub_method applied or not.

Returns:

• (Boolean) —

  Whether or not this binary needs the x86 sub_method applied or not.

# File 'lib/msf/core/payload_generator.rb', line 55

def sub_method
  @sub_method
end

#template ⇒ String

Returns The path to an executable template to use.

Returns:

• (String) —

  The path to an executable template to use

# File 'lib/msf/core/payload_generator.rb', line 97

def template
  @template
end

#var_name ⇒ String

Returns The custom variable string for certain output formats.

Returns:

• (String) —

  The custom variable string for certain output formats

# File 'lib/msf/core/payload_generator.rb', line 100

def var_name
  @var_name
end

Instance Method Details

#add_shellcode(shellcode) ⇒ String

This method takes the shellcode generated so far and adds shellcode from a supplied file. The added shellcode is executed in a separate thread from the main payload.

Parameters:

• shellcode (String) —

  The shellcode to add to

Returns:

• (String) —

  the combined shellcode which executes the added code in a separate thread

# File 'lib/msf/core/payload_generator.rb', line 184

def add_shellcode(shellcode)
  if add_code.present? and platform_list.platforms.include? Msf::Module::Platform::Windows and arch == ARCH_X86
    cli_print "Adding shellcode from #{add_code} to the payload"
    shellcode_file = File.open(add_code)
    shellcode_file.binmode
    added_code = shellcode_file.read
    shellcode_file.close
    shellcode = ::Msf::Util::EXE.win32_rwx_exec_thread(shellcode,0,'end')
    shellcode << added_code
  else
    shellcode.dup
  end
end

#choose_arch(mod) ⇒ String, Nil

This method takes a payload module and tries to reconcile a chosen arch with the arches supported by the module.

Parameters:

• mod (Msf::Payload) —

  The module class to choose an arch for

Returns:

• (String) —

  String form of the arch if a valid arch found

• (Nil) —

  if no valid arch found

# File 'lib/msf/core/payload_generator.rb', line 203

def choose_arch(mod)
  if arch.blank?
    @arch = mod.arch.first
    cli_print "[-] No arch selected, selecting arch: #{arch} from the payload"
    datastore['ARCH'] = arch if mod.kind_of?(Msf::Payload::Generic)
    return mod.arch.first
  elsif mod.arch.include? arch
    datastore['ARCH'] = arch if mod.kind_of?(Msf::Payload::Generic)
    return arch
  else
    return nil
  end
end

#choose_platform(mod) ⇒ Msf::Module::PlatformList

This method takes a payload module and tries to reconcile a chosen platform with the platforms supported by the module.

Parameters:

• mod (Msf::Payload) —

  The module class to choose a platform for

Returns:

• (Msf::Module::PlatformList) —

  The selected platform list

# File 'lib/msf/core/payload_generator.rb', line 221

def choose_platform(mod)
  # By default, platform_list will at least return Msf::Module::Platform
  # if there is absolutely no pre-configured platform info at all
  chosen_platform = platform_list

  if chosen_platform.platforms.empty?
    chosen_platform = mod.platform
    cli_print "[-] No platform was selected, choosing #{chosen_platform.platforms.first} from the payload"
    @platform = mod.platform.platforms.first.to_s.split("::").last
  elsif (chosen_platform & mod.platform).empty?
    chosen_platform = Msf::Module::PlatformList.new
  end

  begin
    platform_object = Msf::Module::Platform.find_platform(platform)
  rescue ArgumentError
    platform_object = nil
  end

  if mod.kind_of?(Msf::Payload::Generic) && mod.send(:module_info)['Platform'].empty? && platform_object
    datastore['PLATFORM'] = platform
  end

  chosen_platform
end

#encode_payload(shellcode) ⇒ String

This method takes the shellcode generated so far and iterates through the chosen or compatible encoders. It attempts to encode the payload with each encoder until it finds one that works.

Parameters:

• shellcode (String) —

  The shellcode to encode

Returns:

• (String) —

  The encoded shellcode

# File 'lib/msf/core/payload_generator.rb', line 269

def encode_payload(shellcode)
  shellcode = shellcode.dup
  encoder_list = get_encoders(shellcode)
  if encoder_list.empty?
    cli_print "No encoder specified, outputting raw payload"
    return shellcode
  end

  results = {}

  cli_print "Found #{encoder_list.count} compatible encoders"
  encoder_list.each do |encoder_mod|
    cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
    begin
      encoder_mod.available_space = @encoder_space unless @smallest
      results[encoder_mod.refname] = run_encoder(encoder_mod, shellcode.dup)
      break unless @smallest
    rescue ::Msf::EncoderSpaceViolation => e
      cli_print "#{encoder_mod.refname} failed with #{e.message}"
      next
    rescue ::Msf::EncodingError => e
      cli_print "#{encoder_mod.refname} failed with #{e.message}"
      next
    end
  end

  if results.keys.length == 0
    raise ::Msf::EncodingError, "No Encoder Succeeded"
  end

  # Return the shortest encoding of the payload
  chosen_encoder = results.keys.sort{|a,b| results[a].length <=> results[b].length}.first
  cli_print "#{chosen_encoder} chosen with final size #{results[chosen_encoder].length}"

  results[chosen_encoder]
end

#exe_options ⇒ Hash

This returns a hash for the exe format generation of payloads

Returns:

• (Hash) —

  The hash needed for generating an executable format

# File 'lib/msf/core/payload_generator.rb', line 308

def exe_options
  opts = { inject: keep }
  unless template.blank?
    opts[:template_path] = File.dirname(template)
    opts[:template]      = File.basename(template)
  end
  unless secname.blank?
    opts[:secname]       = secname
  end
  unless servicename.blank?
    opts[:servicename] = servicename
  end
  if sub_method.nil?
    opts[:sub_method] = false
  else
    opts[:sub_method] = sub_method
  end
  opts
end

#format_payload(shellcode) ⇒ String

This method takes the payload shellcode and formats it appropriately based on the selected output format.

Parameters:

• shellcode (String) —

  the processed shellcode to be formatted

Returns:

• (String) —

  The final formatted form of the payload

# File 'lib/msf/core/payload_generator.rb', line 332

def format_payload(shellcode)
  encryption_opts = {}
  encryption_opts[:format] = encryption_format if encryption_format
  encryption_opts[:iv] = encryption_iv if encryption_iv
  encryption_opts[:key] = encryption_key if encryption_key

  if Msf::Util::EXE.elf?(shellcode) && format.downcase != 'elf'
    # TODO: force generation from stager/stage if available
    raise InvalidFormat, 'selected payload can only generate ELF files'
  end
  if Msf::Util::EXE.macho?(shellcode) && format.downcase != 'macho'
    # TODO: force generation from stager/stage if available
    raise InvalidFormat, 'selected payload can only generate MACHO files'
  end

  case format.downcase
    when "js_be"
      if Rex::Arch.endian(arch) != ENDIAN_BIG
        raise IncompatibleEndianess, "Big endian format selected for a non big endian payload"
      else
        ::Msf::Simple::Buffer.transform(shellcode, format, @var_name, encryption_opts)
      end
    when *::Msf::Simple::Buffer.transform_formats
      ::Msf::Simple::Buffer.transform(shellcode, format, @var_name, encryption_opts)
    when *::Msf::Util::EXE.to_executable_fmt_formats
      ::Msf::Util::EXE.to_executable_fmt(framework, arch, platform_list, shellcode, format, exe_options)
    else
      raise InvalidFormat, "you have selected an invalid payload format"
  end
end

#generate_java_payload ⇒ String

This method generates Java payloads which are a special case. They can be generated in raw or war formats, which respectively produce a JAR or WAR file for the java payload.

Returns:

• (String) —

  Java payload as a JAR or WAR file

Raises:

• (PayloadGeneratorError)

# File 'lib/msf/core/payload_generator.rb', line 367

def generate_java_payload
  raise PayloadGeneratorError, "A payload module was not selected" if payload_module.nil?
  payload_module.datastore.import_options_from_hash(datastore)
  case format
  when "raw", "jar"
    if payload_module.respond_to? :generate_jar
      payload_module.generate_jar.pack
    else
      payload_module.generate
    end
  when "war"
    if payload_module.respond_to? :generate_war
      payload_module.generate_war.pack
    else
      raise InvalidFormat, "#{payload} is not a Java payload"
    end
  when "axis2"
    if payload_module.respond_to? :generate_axis2
      payload_module.generate_axis2.pack
    else
      raise InvalidFormat, "#{payload} is not a Java payload"
    end
  else
    raise InvalidFormat, "#{format} is not a valid format for Java payloads"
  end
end

#generate_payload ⇒ String

This method is a wrapper around all of the other methods. It calls the correct methods in order based on the supplied options and returns the finished payload.

Returns:

• (String) —

  A string containing the bytes of the payload in the format selected

# File 'lib/msf/core/payload_generator.rb', line 397

def generate_payload
  if payload.include?("pingback") and framework.db.active == false
    cli_print "[-] WARNING: UUID cannot be saved because database is inactive."
  end

  if platform == "java" or arch == "java" or payload.start_with? "java/"
    raw_payload = generate_java_payload
    encoded_payload = raw_payload
    gen_payload = raw_payload
  elsif payload.start_with? "android/" and not template.blank?
    if payload.start_with? "android/meterpreter_"
      raise PayloadGeneratorError, "Stageless Android payloads (e.g #{payload}) are not compatible with injection (-x)"
    end
    cli_print "Using APK template: #{template}"
    apk_backdoor = ::Msf::Payload::Apk.new
    raw_payload = apk_backdoor.backdoor_apk(template, generate_raw_payload)
    gen_payload = raw_payload
  else
    if payload_module.is_a?(Msf::Payload::Windows::PayloadDBConf)
      payload_module.datastore.import_options_from_hash(datastore)
      ds_opt = payload_module.datastore
      cli_print("[!] Database is not active! Payload key and nonce must be manually set when creating handler") unless framework.db.active
      cli_print("[-] Please ensure payload key and nonce match when setting up handler: #{ds_opt['ChachaKey']} - #{ds_opt['ChachaNonce']}")
    end

    raw_payload = generate_raw_payload
    raw_payload = add_shellcode(raw_payload)

    if encoder != nil and encoder.start_with?("@")
      raw_payload = multiple_encode_payload(raw_payload)
    else
      raw_payload = encode_payload(raw_payload)
    end
    if padnops
      @nops = nops - raw_payload.length
    end
    raw_payload = prepend_nops(raw_payload)
    gen_payload = format_payload(raw_payload)
  end

  cli_print "Payload size: #{raw_payload.length} bytes"

  if gen_payload.nil?
    raise PayloadGeneratorError, 'The payload could not be generated, check options'
  elsif raw_payload.length > @space and not @smallest
    raise PayloadSpaceViolation, 'The payload exceeds the specified space'
  else
    if format.to_s != 'raw'
      cli_print "Final size of #{format} file: #{gen_payload.length} bytes"
    end

    gen_payload
  end
end

#generate_raw_payload ⇒ String

This method generates the raw form of the payload as generated by the payload module itself.

Returns:

• (String) —

  the raw bytes of the payload to be generated

Raises:

• (Msf::IncompatiblePlatform) —

  if no platform was selected for a stdin payload

• (Msf::IncompatibleArch) —

  if no arch was selected for a stdin payload

• (Msf::IncompatiblePlatform) —

  if the platform is incompatible with the payload

• (Msf::IncompatibleArch) —

  if the arch is incompatible with the payload

# File 'lib/msf/core/payload_generator.rb', line 458

def generate_raw_payload
  if payload == 'stdin'
    if arch.blank?
      raise IncompatibleArch, "You must select an arch for a custom payload"
    elsif platform.blank?
      raise IncompatiblePlatform, "You must select a platform for a custom payload"
    end
    stdin
  else
    raise PayloadGeneratorError, "A payload module was not selected" if payload_module.nil?
    chosen_platform = choose_platform(payload_module)
    if chosen_platform.platforms.empty?
      raise IncompatiblePlatform, "The selected platform is incompatible with the payload"
    end

    chosen_arch = choose_arch(payload_module)
    unless chosen_arch
      raise IncompatibleArch, "The selected arch is incompatible with the payload"
    end

    payload_module.generate_simple(
        'Format'      => 'raw',
        'Options'     => datastore,
        'Encoder'     => nil,
        'MaxSize'     => @space,
        'DisableNops' => true
    )
  end
end

#get_encoders(buf) ⇒ Array<Msf::Encoder>

This method returns an array of encoders that either match the encoders selected by the user, or match the arch selected.

Returns:

• (Array<Msf::Encoder>) —

  An array of potential encoders to use

# File 'lib/msf/core/payload_generator.rb', line 491

def get_encoders(buf)
  encoders = []
  if encoder.present?
    # Allow comma separated list of encoders so users can choose several
    encoder.split(',').each do |chosen_encoder|
      e = framework.encoders.create(chosen_encoder)
      if e.nil?
        cli_print "[-] Skipping invalid encoder #{chosen_encoder}"
        next
      end
      e.datastore.import_options_from_hash(datastore)
      encoders << e if e
    end
    if encoders.empty?
      cli_print "[!] Couldn't find encoder to use"
      return encoders
    end
    encoders.sort_by { |my_encoder| my_encoder.rank }.reverse
  elsif !badchars.empty? && !badchars.nil?
    badchars_present = false
    badchars.each_byte do |bad|
      badchars_present = true if buf.index(bad.chr(::Encoding::ASCII_8BIT))
    end

    unless badchars_present
      cli_print "No badchars present in payload, skipping automatic encoding"
      return []
    end

    framework.encoders.each_module_ranked('Arch' => [arch], 'Platform' => platform_list) do |name, mod|
      e = framework.encoders.create(name)
      e.datastore.import_options_from_hash(datastore)
      encoders << e if e
    end
    encoders.select{ |my_encoder| my_encoder.rank != ManualRanking }.sort_by { |my_encoder| my_encoder.rank }.reverse
  else
    encoders
  end
end

#multiple_encode_payload(shellcode) ⇒ Object

# File 'lib/msf/core/payload_generator.rb', line 247

def multiple_encode_payload(shellcode)
  encoder_str = encoder[1..-1]
  encoder_str.scan(/([^:, ]+):?([^,]+)?/).map do |encoder_opt|
    @iterations = (encoder_opt[1] || 1).to_i
    @iterations = 1 if iterations < 1

    encoder_mod = framework.encoders.create(encoder_opt[0])
    unless encoder_mod
      cli_print "#{encoder_opt[0]} not found continuing..."
      next
    end
    encoder_mod.datastore.import_options_from_hash(datastore)
    shellcode = run_encoder(encoder_mod, shellcode)
  end
  shellcode
end

#platform_list ⇒ Msf::Module::PlatformList

Returns a PlatformList object based on the platform string given at creation.

Returns:

• (Msf::Module::PlatformList) —

  It will be empty if no valid platforms found

# File 'lib/msf/core/payload_generator.rb', line 533

def platform_list
  if platform.blank?
    list = Msf::Module::PlatformList.new
  else
    begin
      list = ::Msf::Module::PlatformList.transform(platform)
    rescue
      list = Msf::Module::PlatformList.new
    end
  end
  list
end

#prepend_nops(shellcode) ⇒ String

This method takes an encoded payload and prepends a NOP Sled to it with a size based on the nops value given to the generator.

Parameters:

• shellcode (String) —

  The shellcode to prepend the NOPs to

Returns:

• (String) —

  the shellcode with the appropriate nopsled affixed

# File 'lib/msf/core/payload_generator.rb', line 550

def prepend_nops(shellcode)
  return shellcode unless nops > 0

  framework.nops.each_module_ranked('Arch' => [arch]) do |name, mod|
    nop = framework.nops.create(name)
    raw = nop.generate_sled(nops, {'BadChars' => badchars, 'SaveRegisters' => [ 'esp', 'ebp', 'esi', 'edi' ] })
    if raw
      cli_print "Successfully added NOP sled of size #{raw.length} from #{name}"
      return raw + shellcode
    end
  end

  shellcode
end

#run_encoder(encoder_module, shellcode) ⇒ String

This method runs a specified encoder, for a number of defined iterations against the shellcode.

Parameters:

• encoder_module (Msf::Encoder) —

  The Encoder to run against the shellcode

• shellcode (String) —

  The shellcode to be encoded

Returns:

• (String) —

  The encoded shellcode

Raises:

• (Msf::EncoderSpaceViolation) —

  If the Encoder makes the shellcode larger than the supplied space limit

# File 'lib/msf/core/payload_generator.rb', line 570

def run_encoder(encoder_module, shellcode)
  iterations.times do |x|
    shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
    cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
    if shellcode.length > encoder_space
      raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
    end
  end
  shellcode
end