dstruct 0.0.1

data/lib/rex/proto/ntp.rb

@@ -0,0 +1,3 @@
+# -*- coding: binary -*-
+require 'rex/proto/ntp/constants'
+require 'rex/proto/ntp/modes'

data/lib/rex/proto/ntp/constants.rb

@@ -0,0 +1,12 @@
+# -*- coding: binary -*-
+module Rex
+module Proto
+module NTP
+VERSIONS = (0..7).to_a
+MODES = (0..7).to_a
+MODE_6_OPERATIONS = (0..31).to_a
+MODE_7_IMPLEMENTATIONS = (0..255).to_a
+MODE_7_REQUEST_CODES = (0..255).to_a
+end
+end
+end

data/lib/rex/proto/ntp/modes.rb

@@ -0,0 +1,130 @@
+# -*- coding: binary -*-
+
+require 'bit-struct'
+
+module Rex
+module Proto
+module NTP
+
+  # A very generic NTP message
+  #
+  # Uses the common/similar parts from versions 1-4 and considers everything
+  # after to be just one big field.  For the particulars on the different versions,
+  # see:
+  #   http://tools.ietf.org/html/rfc958#appendix-B
+  #   http://tools.ietf.org/html/rfc1059#appendix-B
+  #   pages 45/48 of http://tools.ietf.org/pdf/rfc1119.pdf
+  #   http://tools.ietf.org/html/rfc1305#appendix-D
+  #   http://tools.ietf.org/html/rfc5905#page-19
+  class NTPGeneric < BitStruct
+    #    0                   1                   2                   3
+    #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   |LI | VN  | mode|    Stratum    |      Poll     |   Precision   |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :li, 2,  default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 0
+    unsigned :stratum, 8,  default: 0
+    unsigned :poll, 8,  default: 0
+    unsigned :precision, 8,  default: 0
+    rest :payload
+  end
+
+  # An NTP control message.  Control messages are only specified for NTP
+  # versions 2-4, but this is a fuzzer so why not try them all...
+  class NTPControl < BitStruct
+    #  0                   1                   2                   3
+    #  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |00 | VN  |   6 |R E M|  op     |     Sequence                  |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |              status           |      association id           |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |              offset           |     count                     |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :reserved, 2, default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 6
+    unsigned :response, 1,  default: 0
+    unsigned :error, 1,  default: 0
+    unsigned :more, 1,  default: 0
+    unsigned :operation, 5,  default: 0
+    unsigned :sequence, 16,  default: 0
+    unsigned :status, 16,  default: 0
+    unsigned :association_id, 16,  default: 0
+    # TODO: there *must* be bugs in the handling of these next two fields!
+    unsigned :payload_offset, 16,  default: 0
+    unsigned :payload_size, 16,  default: 0
+    rest :payload
+  end
+
+  # An NTP "private" message.  Private messages are only specified for NTP
+  # versions 2-4, but this is a fuzzer so why not try them all...
+  class NTPPrivate < BitStruct
+    #  0                   1                   2                   3
+    #  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |R M| VN  |   7 |A|  Sequence   | Implementation| Req code      |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |  err  | Number of data items  |  MBZ   |   Size of data item  |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :response, 1, default: 0
+    unsigned :more, 1, default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 7
+    unsigned :auth, 1, default: 0
+    unsigned :sequence, 7, default: 0
+    unsigned :implementation, 8, default: 0
+    unsigned :request_code, 8, default: 0
+    unsigned :error, 4, default: 0
+    unsigned :record_count, 12, default: 0
+    unsigned :mbz, 4, default: 0
+    unsigned :record_size, 12, default: 0
+    rest :payload
+
+    def records
+      records = []
+      1.upto(record_count) do |record_num|
+        records << payload[record_size*(record_num-1), record_size]
+      end
+      records
+    end
+  end
+
+  def self.ntp_control(version, operation, payload = nil)
+    n = NTPControl.new
+    n.version = version
+    n.operation = operation
+    if payload
+      n.payload_offset = 0
+      n.payload_size = payload.size
+      n.payload = payload
+    end
+    n
+  end
+
+  def self.ntp_private(version, implementation, request_code, payload = nil)
+    n = NTPPrivate.new
+    n.version = version
+    n.implementation = implementation
+    n.request_code = request_code
+    n.payload = payload if payload
+    n
+  end
+
+  def self.ntp_generic(version, mode)
+    n = NTPGeneric.new
+    n.version = version
+    n.mode = mode
+    n
+  end
+
+  # Parses the given message and provides a description about the NTP message inside
+  def self.describe(message)
+    ntp = NTPGeneric.new(message)
+    "#{message.size}-byte version #{ntp.version} mode #{ntp.mode} reply"
+  end
+end
+end
+end

data/lib/rex/proto/pjl.rb

@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+# https://en.wikipedia.org/wiki/Printer_Job_Language
+# See external links for PJL spec
+
+module Rex::Proto::PJL
+
+  require "rex/proto/pjl/client"
+
+  DEFAULT_PORT = 9100
+  DEFAULT_TIMEOUT = 5
+
+  COUNT_MAX = 2_147_483_647
+  SIZE_MAX = 2_147_483_647
+
+  UEL = "\e%-12345X" # Universal Exit Language
+  PREFIX = "@PJL"
+
+  module Info
+    ID = "#{PREFIX} INFO ID"
+    STATUS = "#{PREFIX} INFO STATUS"
+    VARIABLES = "#{PREFIX} INFO VARIABLES"
+    FILESYS = "#{PREFIX} INFO FILESYS"
+  end
+
+  RDYMSG = "#{PREFIX} RDYMSG"
+
+  FSINIT = "#{PREFIX} FSINIT"
+  FSDIRLIST = "#{PREFIX} FSDIRLIST"
+  FSUPLOAD = "#{PREFIX} FSUPLOAD"
+
+end

data/lib/rex/proto/pjl/client.rb

@@ -0,0 +1,163 @@
+# -*- coding: binary -*-
+# https://en.wikipedia.org/wiki/Printer_Job_Language
+# See external links for PJL spec
+
+module Rex::Proto::PJL
+class Client
+
+  attr_reader :sock
+
+  def initialize(sock)
+    @sock = sock
+  end
+
+  # Begin a PJL job
+  #
+  # @return [void]
+  def begin_job
+    @sock.put("#{UEL}#{PREFIX}\n")
+  end
+
+  # End a PJL job
+  #
+  # @return [void]
+  def end_job
+    @sock.put(UEL)
+  end
+
+  # Send an INFO request and read the response
+  #
+  # @param category [String] INFO category
+  # @return [String] INFO response
+  def info(category)
+    categories = {
+      :id => Info::ID,
+      :status => Info::STATUS,
+      :variables => Info::VARIABLES,
+      :filesys => Info::FILESYS
+    }
+
+    unless categories.has_key?(category)
+      raise ArgumentError, "Unknown INFO category"
+    end
+
+    @sock.put("#{categories[category]}\n")
+    @sock.get(DEFAULT_TIMEOUT)
+  end
+
+  # Get version information
+  #
+  # @return [String] Version information
+  def info_id
+    id = nil
+
+    if info(:id) =~ /"(.*?)"/m
+      id = $1
+    end
+
+    id
+  end
+
+  # Get environment variables
+  #
+  # @return [String] Environment variables
+  def info_variables
+    env_vars = nil
+
+    if info(:variables) =~ /#{Info::VARIABLES}\r?\n(.*?)\f/m
+      env_vars = $1
+    end
+
+    env_vars
+  end
+
+  # List volumes
+  #
+  # @return [String] Volume listing
+  def info_filesys
+    filesys = nil
+
+    if info(:filesys) =~ /\[\d+ TABLE\]\r?\n(.*?)\f/m
+      filesys = $1
+    end
+
+    filesys
+  end
+
+  # Get the ready message
+  #
+  # @return [String] Ready message
+  def get_rdymsg
+    rdymsg = nil
+
+    if info(:status) =~ /DISPLAY="(.*?)"/m
+      rdymsg = $1
+    end
+
+    rdymsg
+  end
+
+  # Set the ready message
+  #
+  # @param message [String] Ready message
+  # @return [void]
+  def set_rdymsg(message)
+    @sock.put(%Q{#{RDYMSG} DISPLAY = "#{message}"\n})
+  end
+
+  # Initialize a volume
+  #
+  # @param volume [String] Volume
+  # @return [void]
+  def fsinit(volume)
+    if volume !~ /^[0-2]:$/
+      raise ArgumentError, "Volume must be 0:, 1:, or 2:"
+    end
+
+    @sock.put(%Q{#{FSINIT} VOLUME = "#{volume}"\n})
+  end
+
+  # List a directory
+  #
+  # @param pathname [String] Pathname
+  # @param count [Fixnum] Number of entries to list
+  # @return [String] Directory listing
+  def fsdirlist(pathname, count = COUNT_MAX)
+    if pathname !~ /^[0-2]:/
+      raise ArgumentError, "Pathname must begin with 0:, 1:, or 2:"
+    end
+
+    listing = nil
+
+    @sock.put(%Q{#{FSDIRLIST} NAME = "#{pathname}" ENTRY=1 COUNT=#{count}\n})
+
+    if @sock.get(DEFAULT_TIMEOUT) =~ /ENTRY=1\r?\n(.*?)\f/m
+      listing = $1
+    end
+
+    listing
+  end
+
+  # Download a file
+  #
+  # @param pathname [String] Pathname
+  # @param size [Fixnum] Size of file
+  # @return [String] File as a string
+  def fsupload(pathname, size = SIZE_MAX)
+    if pathname !~ /^[0-2]:/
+      raise ArgumentError, "Pathname must begin with 0:, 1:, or 2:"
+    end
+
+    file = nil
+
+    @sock.put(%Q{#{FSUPLOAD} NAME = "#{pathname}" OFFSET=0 SIZE=#{size}\n})
+
+    if @sock.get(DEFAULT_TIMEOUT) =~ /SIZE=\d+\r?\n(.*)\f/m
+      file = $1
+    end
+
+    file
+  end
+
+end
+end

data/lib/rex/proto/proxy/socks4a.rb

@@ -0,0 +1,441 @@
+# -*- coding: binary -*-
+#
+# sf - Sept 2010
+#
+require 'thread'
+require 'rex/logging'
+require 'rex/socket'
+
+module Rex
+module Proto
+module Proxy
+
+#
+# A Socks4a proxy server.
+#
+class Socks4a
+
+  #
+  # A client connected to the Socks4a server.
+  #
+  class Client
+
+    REQUEST_VERSION                 = 4
+    REPLY_VERSION                   = 0
+
+    COMMAND_CONNECT                 = 1
+    COMMAND_BIND                    = 2
+
+    REQUEST_GRANTED                 = 90
+    REQUEST_REJECT_FAILED           = 91
+    REQUEST_REJECT_CONNECT          = 92
+    REQUEST_REJECT_USERID           = 93
+
+    HOST                            = 1
+    PORT                            = 2
+
+    #
+    # A Socks4a packet.
+    #
+    class Packet
+
+      def initialize
+        @version   = REQUEST_VERSION
+        @command   = 0
+        @dest_port = 0
+        @dest_ip   = '0.0.0.0'
+        @userid    = ''
+      end
+
+      #
+      # A helper function to recv in a Socks4a packet byte by byte.
+      #
+      # sf: we could just call raw = sock.get_once but some clients
+      #     seem to need reading this byte by byte instead.
+      #
+      def Packet.recv( sock, timeout=30 )
+        raw = ''
+        # read in the 8 byte header
+        while( raw.length < 8 )
+          raw << sock.read( 1 )
+        end
+        # if its a request there will be more data
+        if( raw[0..0].unpack( 'C' ).first == REQUEST_VERSION )
+          # read in the userid
+          while( raw[8..raw.length].index( "\x00" ) == nil )
+            raw << sock.read( 1 )
+          end
+          # if a hostname is going to be present, read it in
+          ip = raw[4..7].unpack( 'N' ).first
+          if( ( ip & 0xFFFFFF00 ) == 0x00000000 and ( ip & 0x000000FF ) != 0x00 )
+            hostname = ''
+            while( hostname.index( "\x00" ) == nil )
+              hostname += sock.read( 1 )
+            end
+            raw << hostname
+          end
+        end
+        # create a packet from this raw data...
+        packet = Packet.new
+        packet.from_r( raw ) ? packet : nil
+      end
+
+      #
+      # Pack a packet into raw bytes for transmitting on the wire.
+      #
+      def to_r
+        raw = [ @version, @command, @dest_port, Rex::Socket.addr_atoi( @dest_ip ) ].pack( 'CCnN' )
+        return raw if( @userid.empty? )
+        return raw + [ @userid ].pack( 'Z*' )
+      end
+
+      #
+      # Unpack a raw packet into its components.
+      #
+      def from_r( raw )
+        return false if( raw.length < 8 )
+        @version   = raw[0..0].unpack( 'C' ).first
+        return false if( @version != REQUEST_VERSION and @version != REPLY_VERSION )
+        @command   = raw[1..1].unpack( 'C' ).first
+        @dest_port = raw[2..3].unpack( 'n' ).first
+        @dest_ip   = Rex::Socket.addr_itoa( raw[4..7].unpack( 'N' ).first )
+        if( raw.length > 8 )
+          @userid = raw[8..raw.length].unpack( 'Z*' ).first
+          # if this is a socks4a request we can resolve the provided hostname
+          if( self.is_hostname? )
+            hostname = raw[(8+@userid.length+1)..raw.length].unpack( 'Z*' ).first
+            @dest_ip = self.resolve( hostname )
+            # fail if we couldnt resolve the hostname
+            return false if( not @dest_ip )
+          end
+        else
+          @userid  = ''
+        end
+        return true
+      end
+
+      def is_connect?
+        @command == COMMAND_CONNECT ? true : false
+      end
+
+      def is_bind?
+        @command == COMMAND_BIND ? true : false
+      end
+
+      attr_accessor :version, :command, :dest_port, :dest_ip, :userid
+
+      protected
+
+      #
+      # Resolve the given hostname into a dotted IP address.
+      #
+      def resolve( hostname )
+        if( not hostname.empty? )
+          begin
+            return Rex::Socket.addr_itoa( Rex::Socket.gethostbyname( hostname )[3].unpack( 'N' ).first )
+          rescue ::SocketError
+            return nil
+          end
+        end
+        return nil
+      end
+
+      #
+      # As per the Socks4a spec, check to see if the provided dest_ip is 0.0.0.XX
+      # which indicates after the @userid field contains a hostname to resolve.
+      #
+      def is_hostname?
+        ip = Rex::Socket.addr_atoi( @dest_ip )
+        if( ip & 0xFFFFFF00 == 0x00000000 )
+          return true if( ip & 0x000000FF != 0x00 )
+        end
+        return false
+      end
+
+    end
+
+    #
+    # A mixin for a socket to perform a relay to another socket.
+    #
+    module Relay
+
+      #
+      # Relay data coming in from relay_sock to this socket.
+      #
+      def relay( relay_client, relay_sock )
+        @relay_client = relay_client
+        @relay_sock   = relay_sock
+        # start the relay thread (modified from Rex::IO::StreamAbstraction)
+        @relay_thread = Rex::ThreadFactory.spawn("SOCKS4AProxyServerRelay", false) do
+          loop do
+            closed = false
+            buf    = nil
+
+            begin
+              s = Rex::ThreadSafe.select( [ @relay_sock ], nil, nil, 0.2 )
+              if( s == nil || s[0] == nil )
+                next
+              end
+            rescue
+              closed = true
+            end
+
+            if( closed == false )
+              begin
+                buf = @relay_sock.sysread( 32768 )
+                closed = true if( buf == nil )
+              rescue
+                closed = true
+              end
+            end
+
+            if( closed == false )
+              total_sent   = 0
+              total_length = buf.length
+              while( total_sent < total_length )
+                begin
+                  data = buf[total_sent, buf.length]
+                  sent = self.write( data )
+                  if( sent > 0 )
+                    total_sent += sent
+                  end
+                rescue
+                  closed = true
+                  break
+                end
+              end
+            end
+
+            if( closed )
+              @relay_client.stop
+              ::Thread.exit
+            end
+          end
+        end
+
+      end
+
+    end
+
+    #
+    # Create a new client connected to the server.
+    #
+    def initialize( server, sock )
+      @server        = server
+      @lsock         = sock
+      @rsock         = nil
+      @client_thread = nil
+      @mutex         = ::Mutex.new
+    end
+
+    #
+    # Start handling the client connection.
+    #
+    def start
+      # create a thread to handle this client request so as to not block the socks4a server
+      @client_thread = Rex::ThreadFactory.spawn("SOCKS4AProxyClient", false) do
+        begin
+          @server.add_client( self )
+          # get the initial client request packet
+          request = Packet.recv( @lsock )
+          raise "Invalid Socks4 request packet received." if not request
+          # handle the request
+          begin
+            # handle socks4a conenct requests
+            if( request.is_connect? )
+              # perform the connection request
+              params = {
+                'PeerHost' => request.dest_ip,
+                'PeerPort' => request.dest_port,
+              }
+              params['Context'] = @server.opts['Context'] if @server.opts.has_key?('Context')
+
+              @rsock = Rex::Socket::Tcp.create( params )
+              # and send back success to the client
+              response         = Packet.new
+              response.version = REPLY_VERSION
+              response.command = REQUEST_GRANTED
+              @lsock.put( response.to_r )
+            # handle socks4a bind requests
+            elsif( request.is_bind? )
+              # create a server socket for this request
+              params = {
+                'LocalHost' => '0.0.0.0',
+                'LocalPort' => 0,
+              }
+              params['Context'] = @server.opts['Context'] if @server.opts.has_key?('Context')
+              bsock = Rex::Socket::TcpServer.create( params )
+              # send back the bind success to the client
+              response           = Packet.new
+              response.version   = REPLY_VERSION
+              response.command   = REQUEST_GRANTED
+              response.dest_ip   = '0.0.0.0'
+              response.dest_port = bsock.getlocalname()[PORT]
+              @lsock.put( response.to_r )
+              # accept a client connection (2 minute timeout as per spec)
+              begin
+                ::Timeout.timeout( 120 ) do
+                  @rsock = bsock.accept
+                end
+              rescue ::Timeout::Error
+                raise "Timeout reached on accept request."
+              end
+              # close the listening socket
+              bsock.close
+              # verify the connection is from the dest_ip origionally specified by the client
+              rpeer = @rsock.getpeername
+              raise "Got connection from an invalid peer." if( rpeer[HOST] != request.dest_ip )
+              # send back the client connect success to the client
+              #
+              # sf: according to the spec we send this response back to the client, however
+              #     I have seen some clients who bawk if they get this second response.
+              #
+              response           = Packet.new
+              response.version   = REPLY_VERSION
+              response.command   = REQUEST_GRANTED
+              response.dest_ip   = rpeer[HOST]
+              response.dest_port = rpeer[PORT]
+              @lsock.put( response.to_r )
+            else
+              raise "Unknown request command received #{request.command} received."
+            end
+          rescue
+            # send back failure to the client
+            response         = Packet.new
+            response.version = REPLY_VERSION
+            response.command = REQUEST_REJECT_FAILED
+            @lsock.put( response.to_r )
+            # raise an exception to close this client connection
+            raise "Failed to handle the clients request."
+          end
+          # setup the two way relay for full duplex io
+          @lsock.extend( Relay )
+          @rsock.extend( Relay )
+          # start the socket relays...
+          @lsock.relay( self, @rsock )
+          @rsock.relay( self, @lsock )
+        rescue
+          wlog( "Client.start - #{$!}" )
+          self.stop
+        end
+      end
+    end
+
+    #
+    # Stop handling the client connection.
+    #
+    def stop
+      @mutex.synchronize do
+        if( not @closed )
+
+          begin
+            @lsock.close if @lsock
+          rescue
+          end
+
+          begin
+            @rsock.close if @rsock
+          rescue
+          end
+
+          @client_thread.kill if( @client_thread and @client_thread.alive? )
+
+          @server.remove_client( self )
+
+          @closed = true
+        end
+      end
+    end
+
+  end
+
+  #
+  # Create a new Socks4a server.
+  #
+  def initialize( opts={} )
+    @opts          = { 'ServerHost' => '0.0.0.0', 'ServerPort' => 1080 }
+    @opts          = @opts.merge( opts )
+    @server        = nil
+    @clients       = ::Array.new
+    @running       = false
+    @server_thread = nil
+  end
+
+  #
+  # Check if the server is running.
+  #
+  def is_running?
+    return @running
+  end
+
+  #
+  # Start the Socks4a server.
+  #
+  def start
+      begin
+        # create the servers main socket (ignore the context here because we don't want a remote bind)
+        @server = Rex::Socket::TcpServer.create( 'LocalHost' => @opts['ServerHost'], 'LocalPort' => @opts['ServerPort'] )
+        # signal we are now running
+        @running = true
+        # start the servers main thread to pick up new clients
+        @server_thread = Rex::ThreadFactory.spawn("SOCKS4AProxyServer", false) do
+          while( @running ) do
+            begin
+              # accept the client connection
+              sock = @server.accept
+              # and fire off a new client instance to handle it
+              Client.new( self, sock ).start
+            rescue
+              wlog( "Socks4a.start - server_thread - #{$!}" )
+            end
+          end
+        end
+      rescue
+        wlog( "Socks4a.start - #{$!}" )
+        return false
+      end
+      return true
+  end
+
+  #
+  # Block while the server is running.
+  #
+  def join
+    @server_thread.join if @server_thread
+  end
+
+  #
+  # Stop the Socks4a server.
+  #
+  def stop
+    if( @running )
+      # signal we are no longer running
+      @running = false
+      # stop any clients we have (create a new client array as client.stop will delete from @clients)
+      clients = []
+      clients.concat( @clients )
+      clients.each do | client |
+        client.stop
+      end
+      # close the server socket
+      @server.close if @server
+      # if the server thread did not terminate gracefully, kill it.
+      @server_thread.kill if( @server_thread and @server_thread.alive? )
+    end
+    return !@running
+  end
+
+  def add_client( client )
+    @clients << client
+  end
+
+  def remove_client( client )
+    @clients.delete( client )
+  end
+
+  attr_reader :opts
+
+end
+
+end; end; end
+