dstruct 0.0.1

data/lib/rex/exploitation/powershell.rb

@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/powershell/output'
+require 'rex/exploitation/powershell/parser'
+require 'rex/exploitation/powershell/obfu'
+require 'rex/exploitation/powershell/param'
+require 'rex/exploitation/powershell/function'
+require 'rex/exploitation/powershell/script'
+require 'rex/exploitation/powershell/psh_methods'
+
+module Rex
+  module Exploitation
+    module Powershell
+      #
+      # Reads script into a PowershellScript
+      #
+      # @param script_path [String] Path to the Script File
+      #
+      # @return [Script] Powershell Script object
+      def self.read_script(script_path)
+        Rex::Exploitation::Powershell::Script.new(script_path)
+      end
+
+      #
+      # Insert substitutions into the powershell script
+      # If script is a path to a file then read the file
+      # otherwise treat it as the contents of a file
+      #
+      # @param script [String] Script file or path to script
+      # @param subs [Array] Substitutions to insert
+      #
+      # @return [String] Modified script file
+      def self.make_subs(script, subs)
+        if ::File.file?(script)
+          script = ::File.read(script)
+        end
+
+        subs.each do |set|
+          script.gsub!(set[0], set[1])
+        end
+
+        script
+      end
+
+      #
+      # Return an array of substitutions for use in make_subs
+      #
+      # @param subs [String] A ; seperated list of substitutions
+      #
+      # @return [Array] An array of substitutions
+      def self.process_subs(subs)
+        return [] if subs.nil? or subs.empty?
+        new_subs = []
+        subs.split(';').each do |set|
+          new_subs << set.split(',', 2)
+        end
+
+        new_subs
+      end
+    end
+  end
+end

data/lib/rex/exploitation/powershell/function.rb

@@ -0,0 +1,63 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Function
+    FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+    PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
+    attr_accessor :code, :name, :params
+
+    include Output
+    include Parser
+    include Obfu
+
+    def initialize(name, code)
+      @name = name
+      @code = code
+      populate_params
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell function
+    def to_s
+      "function #{name} #{code}"
+    end
+
+    #
+    # Identify the parameters from the code and
+    # store as Param in @params
+    #
+    def populate_params
+      @params = []
+      start = code.index(PARAMETER_REGEX)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(', code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+
+      matches = pclause.scan(FUNCTION_REGEX)
+
+      # Ignore assignment, create params with class and variable names
+      matches.each do |param|
+        klass = nil
+        name = nil
+        param.each do |value|
+          if value
+            if klass
+              name = value
+              @params << Param.new(klass, name)
+              break
+            else
+              klass = value
+            end
+          end
+        end
+      end
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/obfu.rb

@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Obfu
+    MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+    SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+    WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+    UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+    WHITESPACE_REGEX = Regexp.new(/\s+/)
+    EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
+
+    #
+    # Remove comments
+    #
+    # @return [String] code without comments
+    def strip_comments
+      # Multi line
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
+      # Single line
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
+
+      code
+    end
+
+    #
+    # Remove empty lines
+    #
+    # @return [String] code without empty lines
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
+      # UNIX EOL
+      code.gsub!(UNIX_EOL_REGEX, "\n")
+
+      code
+    end
+
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    # @return [String] code with whitespace stripped
+    def strip_whitespace
+      code.gsub!(WHITESPACE_REGEX, ' ')
+
+      code
+    end
+
+    #
+    # Identify variables and replace them
+    #
+    # @return [String] code with variable names replaced with unique values
+    def sub_vars
+      # Get list of variables, remove reserved
+      get_var_names.each do |var, _sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
+      end
+
+      code
+    end
+
+    #
+    # Identify function names and replace them
+    #
+    # @return [String] code with function names replaced with unique
+    #   values
+    def sub_funcs
+      # Find out function names, make map
+      get_func_names.each do |var, _sub|
+        code.gsub!(var, @rig.init_var(var))
+      end
+
+      code
+    end
+
+    #
+    # Perform standard substitutions
+    #
+    # @return [String] code with standard substitution methods applied
+    def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        send(modifier)
+      end
+      code.gsub!(EMPTY_LINE_REGEX, '')
+
+      code
+    end
+  end # Obfu
+end
+end
+end

data/lib/rex/exploitation/powershell/output.rb

@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Output
+    #
+    # To String
+    #
+    # @return [String] Code
+    def to_s
+      code
+    end
+
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    # @return [String] Powershell code with line numbers
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line, idx|
+        numbered << "#{idx}: #{line}"
+      end
+
+      numbered
+    end
+
+    #
+    # Return a zlib compressed powershell code wrapped in decode stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+                                                  ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << '$s.ReadByte();'
+      psh_expression << '$s.ReadByte();'
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.DeflateStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Return Base64 encoded powershell code
+    #
+    # @return [String] Base64 encoded powershell code
+    def encode_code
+      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+    end
+
+    #
+    # Return a gzip compressed powershell code wrapped in decoder stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
+    def gzip_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.GzipStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip (default) or deflate
+    #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    #
+    # @return [String] Compressed code wrapped in decompression stub
+    def compress_code(eof = nil, gzip = true)
+      @code = gzip ? gzip_code(eof) : deflate_code(eof)
+    end
+
+    #
+    # Reverse the compression process
+    # Try gzip, inflate if that fails
+    #
+    # @return [String] Decompressed powershell code
+    def decompress_code
+      # Extract substring with payload
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      unencoded = Rex::Text.decode_base64(encoded_stream)
+      begin
+        @code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+      rescue Zlib::GzipFile::Error
+        begin
+          @code = Rex::Text.zlib_inflate(unencoded)
+        rescue Zlib::DataError => e
+          raise RuntimeError, 'Invalid compression'
+        end
+      end
+
+      @code
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/param.rb

@@ -0,0 +1,23 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass, name)
+      @klass = klass.strip
+      @name = name.strip.gsub(/\s|,/, '')
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell param
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/parser.rb

@@ -0,0 +1,183 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Exploitation
+    module Powershell
+      module Parser
+        # Reserved special variables
+        # Acquired with: Get-Variable | Format-Table name, value -auto
+        RESERVED_VARIABLE_NAMES = [
+          '$$',
+          '$?',
+          '$^',
+          '$_',
+          '$args',
+          '$ConfirmPreference',
+          '$ConsoleFileName',
+          '$DebugPreference',
+          '$Env',
+          '$Error',
+          '$ErrorActionPreference',
+          '$ErrorView',
+          '$ExecutionContext',
+          '$false',
+          '$FormatEnumerationLimit',
+          '$HOME',
+          '$Host',
+          '$input',
+          '$LASTEXITCODE',
+          '$MaximumAliasCount',
+          '$MaximumDriveCount',
+          '$MaximumErrorCount',
+          '$MaximumFunctionCount',
+          '$MaximumHistoryCount',
+          '$MaximumVariableCount',
+          '$MyInvocation',
+          '$NestedPromptLevel',
+          '$null',
+          '$OutputEncoding',
+          '$PID',
+          '$PROFILE',
+          '$ProgressPreference',
+          '$PSBoundParameters',
+          '$PSCulture',
+          '$PSEmailServer',
+          '$PSHOME',
+          '$PSSessionApplicationName',
+          '$PSSessionConfigurationName',
+          '$PSSessionOption',
+          '$PSUICulture',
+          '$PSVersionTable',
+          '$PWD',
+          '$ReportErrorShowExceptionClass',
+          '$ReportErrorShowInnerException',
+          '$ReportErrorShowSource',
+          '$ReportErrorShowStackTrace',
+          '$ShellId',
+          '$StackTrace',
+          '$true',
+          '$VerbosePreference',
+          '$WarningPreference',
+          '$WhatIfPreference'
+        ].map(&:downcase).freeze
+
+        #
+        # Get variable names from code, removes reserved names from return
+        #
+        # @return [Array] variable names
+        def get_var_names
+          our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+          our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
+        end
+
+        #
+        # Get function names from code
+        #
+        # @return [Array] function names
+        def get_func_names
+          code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+        end
+
+        #
+        # Attempt to find string literals in PSH expression
+        #
+        # @return [Array] string literals
+        def get_string_literals
+          code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+        end
+
+        #
+        # Scan code and return matches with index
+        #
+        # @param str [String] string to match in code
+        # @param source [String] source code to match, defaults to @code
+        #
+        # @return [Array[String,Integer]] matched items with index
+        def scan_with_index(str, source = code)
+          ::Enumerator.new do |y|
+            source.scan(str) do
+              y << ::Regexp.last_match
+            end
+          end.map { |m| [m.to_s, m.offset(0)[0]] }
+        end
+
+        #
+        # Return matching bracket type
+        #
+        # @param char [String] opening bracket character
+        #
+        # @return [String] matching closing bracket
+        def match_start(char)
+          case char
+          when '{'
+            '}'
+          when '('
+            ')'
+          when '['
+            ']'
+          when '<'
+            '>'
+          else
+            fail ArgumentError, 'Unknown starting bracket'
+          end
+        end
+
+        #
+        # Extract block of code inside brackets/parenthesis
+        #
+        # Attempts to match the bracket at idx, handling nesting manually
+        # Once the balanced matching bracket is found, all script content
+        # between idx and the index of the matching bracket is returned
+        #
+        # @param idx [Integer] index of opening bracket
+        #
+        # @return [String] content between matching brackets
+        def block_extract(idx)
+          fail ArgumentError unless idx
+
+          if idx < 0 || idx >= code.length
+            fail ArgumentError, 'Invalid index'
+          end
+
+          start = code[idx]
+          stop = match_start(start)
+          delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+          delims.map { |x| x[1] = x[1] + idx + 1 }
+          c = 1
+          sidx = nil
+          # Go through delims till we balance, get idx
+          while (c != 0) && (x = delims.shift)
+            sidx = x[1]
+            x[0] == stop ? c -= 1 : c += 1
+          end
+
+          code[idx..sidx]
+        end
+
+        #
+        # Extract a block of function code
+        #
+        # @param func_name [String] function name
+        # @param delete [Boolean] delete the function from the code
+        #
+        # @return [String] function block
+        def get_func(func_name, delete = false)
+          start = code.index(func_name)
+
+          return nil unless start
+
+          idx = code[start..-1].index('{') + start
+          func_txt = block_extract(idx)
+
+          if delete
+            delete_code = code[0..idx]
+            delete_code << code[(idx + func_txt.length)..-1]
+            @code = delete_code
+          end
+
+          Function.new(func_name, func_txt)
+        end
+      end # Parser
+    end
+  end
+end