drb-rb 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 94ccd527e185405e65cf075096b2855ea5c7556211faec5a099aab457b4d5cdd
+  data.tar.gz: e84ea85c93567f30e83d63b2d15e81a7048f960abda1a857d6964c72e6587a00
+SHA512:
+  metadata.gz: 873997dbb694b0f74c868603d8b65c642e466d97f3cd13021cddcee190aca7ebfc004e24b5f707166aaec7daacc3fbc7bdd31d5e804bc6004fdd0530ec193640
+  data.tar.gz: 2d86ef34a996de4b9cb7d3167422364a4f5d85dd3eb4352ed3a16baa26a610106ab298077d5994b5218bcf883887d2004186a218ecada2bc93a1021c350ed25c

data/lib/drb-rb.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+require 'timeout'
+require 'parshal'
+require_relative './drb-rb/stable'
+
+module DRbRb
+  # block must accept 4 arguments: [obj_id, obj_id_raw], [method, method_raw], [args, args_raw], and [block, block_raw]
+  # block must return 2-3 arguments: success, result, close?
+  def self.start_server(sock, &block)
+    loop do
+      req = begin
+        drb_read_request(sock)
+      rescue => e
+        if 'recvfrom yielded no data' == e.message
+          break
+        end
+        puts "Exception raised in DRbRb handler1: #{e.inspect}\n#{e.backtrace.join("\n")}"
+        break
+      end
+      rep = begin
+        block.call(*req)
+      rescue => e
+        puts "Exception raised in DRbRb handler: #{e.inspect}\n#{e.backtrace.join("\n")}"
+        next
+      end
+
+      begin
+        if not drb_write_reply(sock, *rep)
+          break
+        end
+      rescue => e
+        puts "Exception raised in DRbRb handler3: #{e.inspect}\n#{e.backtrace.join("\n")}"
+        break
+      end
+    end
+  end
+
+  def self.send_request(sock, obj_id, method, args, block, include_raw: false)
+    drb_write_request(sock, obj_id, method, args, block)
+    drb_read_reply(sock, include_raw: include_raw)
+  end
+
+  def self.drb_read_request(sock)
+    id = drb_read_msg_piece(sock, include_raw: true)
+    method = drb_read_msg_piece(sock, include_raw: true)
+    args_len = drb_read_msg_piece(sock, include_raw: true)
+    args = []
+    if args_len[0] != nil && args_len[0].instance_of?(Integer) && args_len[0] > 0
+      for _ in 0...args_len[0]
+        args.push(drb_read_msg_piece(sock, include_raw: true))
+      end
+    end
+    block = drb_read_msg_piece(sock, include_raw: true)
+    [id, method, args, block]
+  end
+
+  def self.drb_read_reply(sock, include_raw: false)
+    [drb_read_msg_piece(sock), # success
+     drb_read_msg_piece(sock, include_raw: include_raw)] # result
+  end
+
+  def self.drb_write_request(sock, obj_id, method, args, block)
+    sock.send(make_request(obj_id, method, args, block), 0)
+  end
+
+  def self.drb_write_reply(sock, success, result, close=false)
+    sock.send(make_reply(success, result), 0)
+    if close
+      sock.close
+    end
+    !close
+  end
+
+  def self.drb_read_msg_piece(sock, include_raw: false)
+    len = drb_read_msg_piece_length sock
+
+    piece = nil
+    begin
+      Timeout::timeout(4) {
+        piece = sock.recvfrom(len)[0]
+        piece << sock.recvfrom(len - piece.size)[0] while piece.size < len
+      }
+    rescue Timeout::Error
+      raise "recvfrom timed out"
+    end
+
+    obj = Parshal.unmarshal(piece)
+
+    if include_raw
+      [obj, piece]
+    else
+      obj
+    end
+  end
+
+  def self.drb_read_msg_piece_length(sock)
+    len = 0
+    begin
+      Timeout::timeout(2) {
+        len = sock.recvfrom(4)[0]
+      }
+    rescue Timeout::Error
+      raise "recvfrom timed out"
+    end
+
+    if len.empty?
+      raise 'recvfrom yielded no data'
+    end
+
+    while len.size < 4
+      chunk = nil
+      begin
+        Timeout::timeout(2) {
+          chunk = sock.recvfrom(4 - len.size)
+        }
+      rescue Timeout::Error
+        raise "recvfrom timed out"
+      end
+
+      if chunk[0].empty?
+        raise 'recvfrom yielded no data after partial read'
+      end
+      len << chunk[0]
+    end
+
+    len.unpack1('N')
+  end
+
+  def self.make_request(obj_id, method, args, block)
+    request = make_msg_piece(obj_id)
+    request << make_msg_piece(method)
+    request << make_msg_piece(args.size)
+    args.each { |arg| request << make_msg_piece(arg) }
+    request << make_msg_piece(block)
+    request
+  end
+
+  def self.make_reply(success, result, raw=[false,false])
+    reply = make_msg_piece(success, raw: raw[0])
+    reply << make_msg_piece(result, raw: raw[1])
+    reply
+  end
+
+  def self.make_msg_piece(obj, prepend_size: true, raw: false)
+    #piece = Parshal.marshal(obj)
+    piece = if raw
+      obj
+    else
+      Marshal.dump(obj)
+    end
+
+    piece = [piece.size].pack('N') + piece if prepend_size
+    piece
+  end
+end

data/lib/drb-rb/stable.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+module DRbRb
+  module Stable
+    # Methods not handled:
+    # - run_cli(argv)
+    # - parse_args(args)
+    # - connect_pwn(targets)
+    # - listen_pwn(targets)
+
+    # Builds a DRb request from pieces.
+    #
+    # == Parameters:
+    # [obj]     The id of the object to call the method on. By default, the object_id of nil is passed as it is constant across invocations of the interpreter and always present. Nil can be passed to specify that the method should be called on the default (front) object of the DRb server.
+    # [method]  The method to call. This is #instance_eval by default. Should be a String.
+    # [args]    An array of arguments passed to the method. Pass an empty array if there are no objects.
+    # [block]   The block to pass to the method. Nil by default, which specifies there is no block.
+    #
+    # == Returns:
+    # A array of bytes that can be written to a socket connected to a DRb server.  The array includes all parts necessary for a complete request message.
+    def self.make_drb_request(obj = nil,
+                              method = 'instance_eval',
+                              args = ["IO.read('|touch \"/tmp/drb-pwn_#{Time.now}\"')"],
+                              block = nil)
+      raise "make_drb_request doesn't support specifying obj" unless obj.nil?
+      raise "make_drb_request doesn't support specifying a block" unless block.nil?
+
+      DRbRb.make_request(obj.object_id,
+                         method,
+                         args,
+                         block).unpack('c*')
+    end
+
+    # Prepares a piece of a DRb message by attempting to marshal the object and prepending it's length and version number
+    #
+    # == Parameters:
+    # [obj]   The object to serialize in this piece.
+    #
+    # == Returns:
+    # A byte array of the marshalled object with all necessary headers for it to be a part of a valid DRb message.
+    def self.drb_msg_piece(obj)
+      DRbRb.make_msg_piece(obj).unpack('c*')
+    end
+
+    # A high-level marshal method that takes an object and tries to marshal the object into a byte array.
+    #
+    # == Parameters:
+    # [obj]   The object to serialize
+    #
+    # == Returns:
+    # A byte array of the marshalled object.
+    def self.marshal(obj, prepend_version = true)
+      Parshal.marshal(obj, prepend_version: prepend_version).unpack('c*')
+    end
+
+    # A low-level marshal dump that dumps "raw" types. Intended primarily for #marshal to use but may be useful in other contexts. Main differences are that Integer doesn't include its prefix (as it's used raw in many contexts) and String doesn't turn into an IVAR, it's just the "raw String" representation that's inside the normal IVAR.
+    #
+    # == Parameters:
+    # [obj]   The object to be serialized.
+    #
+    # == Returns:
+    # The raw form of the serialized object.
+    def self.marshal_raw(obj)
+      Parshal.marshal_raw(obj)
+    end
+
+    # Gets a reply for a DRb request. This includes a success value indicating whether the call was successful and a result that is the return value from the call. This function will exit with an error code if the success value is invalid (not true or false).
+    #
+    # == Parameters:
+    # [sock]    The socket the request was sent over.
+    #
+    # == Returns:
+    # [succ]    A boolean, indicating whether the request succeeded or failed.
+    # [result]  The string containing the marshaled value returned as a result of the request. If the call was successful, this will contain the return value from the call. If the call failed, this will contain the stacktrace. This value could contain many types of objects depending on the call made so no attempt at decoding is made. Instead the raw value is returned for further parsing if necessary.
+    def self.get_drb_reply(sock)
+      success, result = DRbRb.drb_read_reply(sock)
+
+      throw "Invalid success code in reply: #{success.inspect}" unless [true, false].include? success
+
+      [success, result]
+    end
+
+    # Gets a single piece in a response to a DRb request. First recvs the length of the piece, decodes it to know how many bytes to read, and the recvs the whole piece.
+    #
+    # == Parameters:
+    # [sock]    The socket the request was sent over.
+    #
+    # == Returns:
+    # A string containing the raw response. This value has been stripped of it's length header and Marshal version header and contains only the raw value.
+    def self.get_drb_reply_piece(sock)
+      len = DRbRb.drb_read_msg_piece_length(sock)
+
+      reply = sock.recvfrom(len)[0]
+      reply += sock.recvfrom(len - reply.size)[0] while reply.size < len
+      reply
+    end
+
+    # Inspects and removes the first two bytes of a marshal blob to determine the version of marshal used by the encoder. The only version supported by this script is 4.8. If the version doesn't match exactly, a warning is printed to STDERR and the function returns normally.
+    #
+    # == Parameters:
+    # [reply]   The string containing the response from a DRb server
+    #
+    # == Returns:
+    # The string without the initial two byte version number.
+    def self.strip_version(reply)
+      Parshal.remove_version_prefix(reply)
+    end
+
+    def self.unmarshal(raw_obj, strip = true)
+      Parshal.unmarshal(raw_obj, remove_version: strip)
+    end
+
+    def self.unmarshal_raw(obj)
+      Parshal.unmarshal_raw(obj)
+    end
+
+    def self.unmarshal_raw_bool(obj)
+      Parshal.unmarshal_raw_bool(obj)
+    end
+
+    def self.unmarshal_raw_string_symbol(obj)
+      Parshal.unmarshal_raw_string_symbol(obj)
+    end
+
+    def self.unmarshal_raw_integer(obj)
+      Parshal.unmarshal_raw_integer(obj)
+    end
+
+    def is_nil(obj)
+      strip_version(obj) == '0'
+    end
+  end
+end

metadata

@@ -0,0 +1,44 @@
+--- !ruby/object:Gem::Specification
+name: drb-rb
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Addison Amiri
+- Jeff Dileo
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-05-20 00:00:00.000000000 Z
+dependencies: []
+description:
+email: jeff.dileo@nccgroup.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/drb-rb.rb
+- lib/drb-rb/stable.rb
+homepage: https://github.com/nccgroup/drb-rb
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: A safer, minimal, partial implementation of DRb
+test_files: []