Metasploit mailing list archives

Forcing a specific encoder


From: alok.menghrajani at ilionsecurity.ch (Alok Menghrajani)
Date: Tue, 17 Oct 2006 10:36:14 +0200

Hi all,

I would like to force a specific encoder. Currently the framework is
always choosing encoder/x86/shikata_ga_nai, but I have the feeling there
is a bug in this encoder (or probably in my code, that's why I want to
play around with different encoders before I start blaming other
people's code for my bugs :).

I read the mailing list archive, and it seems ver 2.0 did not let an
exploit specify the encoder on its own. But when I looked at the source
code of the ver 3.0, it seems there is some kind of way to specify a
preferred encoder...

So I added some debug stuff to the encode method in the file
/lib/msf/core/encoded_payload.rb (L106-L112):

        # If the caller had a preferred encoder, try to find it and
        # prefix it
        print "HERE1"
        if ((reqs['Encoder']) and
            (preferred = framework.encoders[reqs['Encoder']]))
                print "HERE2"           
                encoders.unshift([reqs['Encoder'], preferred ])
        elsif (reqs['Encoder'])
                print "HERE3"
                wlog("#{pinst.refname}: Failed to find preferred encoder #{reqs['Encoder']}")
        end

And it seems, no matter what I do, I can't get to fill reqs['Encoder']
(HERE2 and HERE3 never get displayed).

Could someone please explain why in /lib/msf/core/exploit.rb (L468), the
reqs['Encoder'] is not assigned a value the same way as the other
parameters (such as BadChars)?

I tried adding 'Encoder' => '/x86/countdown' and 'Payload' => {
'Encoder' => '/x86/countdown' } to my exploit, but the reqs['Encoder']
never seems to get assigned.

Thanks,
Alok.


