dstruct 0.0.1

data/lib/rex/ole/stream.rb

@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class Stream < DirEntry
+
+  def initialize(stg)
+    super
+
+    # for reading/writing from this
+    @offset = 0
+    @_mse = STGTY_STREAM
+  end
+
+  def close
+    @mode = nil
+    @offset = nil
+  end
+
+  def seek(offset)
+    @offset = offset
+  end
+
+  def read(len)
+    return nil if (not @data)
+
+    ret = @data[@offset, len]
+    @offset += len
+    ret
+  end
+
+  def <<(expr)
+    if (not @data)
+      @data = expr.dup
+    else
+      @data << expr
+    end
+    @_ulSize = @data.length
+  end
+
+end
+
+end
+end

data/lib/rex/ole/substorage.rb

@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class SubStorage < DirEntry
+
+  def initialize(stg)
+    super
+
+    @_mse = STGTY_STORAGE
+  end
+
+
+  def close
+  end
+
+
+  # stream handling stuff
+  def create_stream(name, mode=STGM_WRITE)
+    @stg.create_stream(name, mode, self)
+  end
+
+  def open_stream(name, mode=STGM_READ)
+    @stg.open_stream(name, mode, self)
+  end
+
+
+  # storage handling stuff
+  def create_storage(name, mode=STGM_WRITE)
+    @stg.create_storage(name, mode, self)
+  end
+
+  def open_storage(name, mode=STGM_WRITE)
+    @stg.open_storage(name, mode, self)
+  end
+
+end
+
+end
+end

data/lib/rex/ole/util.rb

@@ -0,0 +1,154 @@
+# -*- coding: binary -*-
+
+##
+# Rex::OLE - an OLE implementation
+# written in 2010 by Joshua J. Drake <jduck [at] metasploit.com>
+##
+
+module Rex
+module OLE
+
+class Util
+
+  def self.Hexify32array(arr)
+    ret = ""
+    arr.each { |dw|
+      ret << " " if ret.length > 0
+      ret << "0x%08x" % dw
+    }
+    ret
+  end
+
+  def self.Printable(buf)
+    ret = ""
+    buf.unpack('C*').each { |byte|
+      ch = byte.chr
+      if (byte < 0x20 || byte > 0x7e)
+        ret << "\\x" + ch.unpack('H*')[0]
+      else
+        ret << ch
+      end
+    }
+    ret
+  end
+
+
+  def self.set_endian(endian)
+    @endian = endian
+  end
+
+  def self.get64(buf, offset)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      arr = buf[offset,8].unpack('VV')
+      return (arr[0] + (arr[1] << 32))
+    else
+      arr = buf[offset,8].unpack('NN')
+      return ((arr[0] << 32) + arr[1])
+    end
+  end
+
+  def self.pack64(value)
+    @endian = LITTLE_ENDIAN if not @endian
+    arr = []
+    arr << (value & 0xffffffff)
+    arr << (value >> 32)
+    if (@endian == LITTLE_ENDIAN)
+      arr.pack('VV')
+    else
+      arr.reverse.pack('NN')
+    end
+  end
+
+  def self.get32(buf, offset)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      buf[offset,4].unpack('V')[0]
+    else
+      buf[offset,4].unpack('N')[0]
+    end
+  end
+
+  def self.pack32(value)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      [value].pack('V')
+    else
+      [value].pack('N')
+    end
+  end
+
+  def self.get32array(buf)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      buf.unpack('V*')
+    else
+      buf.unpack('N*')
+    end
+  end
+
+  def self.pack32array(arr)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      arr.pack('V*')
+    else
+      arr.pack('N*')
+    end
+  end
+
+  def self.get16(buf, offset)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      buf[offset,2].unpack('v')[0]
+    else
+      buf[offset,2].unpack('n')[0]
+    end
+  end
+
+  def self.pack16(value)
+    @endian = LITTLE_ENDIAN if not @endian
+    if (@endian == LITTLE_ENDIAN)
+      [value].pack('v')
+    else
+      [value].pack('n')
+    end
+  end
+
+  def self.get8(buf, offset)
+    buf[offset,1].unpack('C')[0]
+  end
+
+  def self.pack8(value)
+    [value].pack('C')
+  end
+
+
+  def self.getUnicodeString(buf)
+    buf = buf.unpack('v*').pack('C*')
+    if (idx = buf.index(0x00.chr))
+      buf.slice!(idx, buf.length)
+    end
+    buf
+  end
+
+  def self.putUnicodeString(buf)
+    buf = buf.unpack('C*').pack('v*')
+    if (buf.length < 0x40)
+      buf << "\x00" * (0x40 - buf.length)
+    end
+    buf
+  end
+
+
+  def self.name_is_valid(name)
+    return nil if (name.length > 31)
+    (0..0x1f).to_a.each { |x|
+      return nil if (name.include?(x.chr))
+    }
+    return true
+  end
+
+end
+
+end
+end

data/lib/rex/parser/acunetix_nokogiri.rb

@@ -0,0 +1,406 @@
+# -*- coding: binary -*-
+require "rex/parser/nokogiri_doc_mixin"
+require 'rex'
+require 'uri'
+
+module Rex
+  module Parser
+
+    # If Nokogiri is available, define the Acunetix document class.
+    load_nokogiri && class AcunetixDocument < Nokogiri::XML::SAX::Document
+
+    include NokogiriDocMixin
+
+    # The resolver prefers your local /etc/hosts (or windows equiv), but will
+    # fall back to regular DNS. It retains a cache for the import to avoid
+    # spamming your network with DNS requests.
+    attr_reader :resolv_cache
+
+    # If name resolution of the host fails out completely, you will not be
+    # able to import that Scan task. Other scan tasks in the same report
+    # should be unaffected.
+    attr_reader :parse_warnings
+
+    def start_document
+      @parse_warnings = []
+      @resolv_cache = {}
+    end
+
+    def start_element(name=nil,attrs=[])
+      attrs = normalize_attrs(attrs)
+      block = @block
+      @state[:current_tag][name] = true
+      case name
+      when "Scan" # Start of the thing.
+      when "Name", "StartURL", "Banner", "Os"
+        @state[:has_text] = true
+      when "LoginSequence" # Skipping for now
+      when "Crawler"
+        record_crawler(attrs)
+      when "FullURL"
+        @state[:has_text] = true
+      when "Variable"
+        record_variable(attrs)
+      when "Request", "Response"
+        @state[:has_text] = true
+      end
+    end
+
+    def end_element(name=nil)
+      block = @block
+      case name
+      when "Scan"
+        # Clears most of the @state out, we're done with this web site.
+        @state.delete_if {|k| k != :current_tag}
+      when "Name"
+        @state[:has_text] = false
+        collect_scan_name
+        collect_report_item_name
+        @text = nil
+      when "StartURL" # Populates @state[:starturl_uri], we use this a lot
+        @state[:has_text] = false
+        collect_host
+        collect_service
+        @text = nil
+        handle_parse_warnings &block
+        host_object = report_host &block
+        if host_object
+          report_starturl_service(host_object,&block)
+          db.report_import_note(@args[:wspace],host_object)
+        end
+      when "Banner"
+        @state[:has_text] = false
+        collect_and_report_banner
+      when "Os"
+        @state[:has_text] = false
+        report_os_fingerprint
+      when "LoginSequence" # This comes up later in the report anyway
+      when "Crawler"
+        report_starturl_web_site(&block)
+      when "FullURL"
+        @state[:has_text] = false
+        report_web_site(@text,&block)
+        @text = nil
+      when "Inputs"
+        report_web_form(&block)
+      when "Request"
+        @state[:has_text] = false
+        collect_page_request
+        @text = nil
+      when "Response"
+        @state[:has_text] = false
+        collect_page_response
+        @text = nil
+        report_web_page(&block)
+      end
+      @state[:current_tag].delete name
+    end
+
+    def collect_page_response
+      return unless in_tag("TechnicalDetails")
+      return unless in_tag("ReportItem")
+      return unless @text
+      return if @text.to_s.empty?
+      @state[:page_response] = @text
+    end
+
+    def collect_page_request
+      return unless in_tag("TechnicalDetails")
+      return unless in_tag("ReportItem")
+      return unless @text
+      return if @text.to_s.empty?
+      @state[:page_request] = @text
+    end
+
+    def collect_scan_name
+      return unless in_tag("Scan")
+      return if in_tag("ReportItems")
+      return if in_tag("Crawler")
+      return unless @text
+      return if @text.strip.empty?
+      @state[:scan_name] = @text.strip
+    end
+
+    def collect_host
+      return unless in_tag("Scan")
+      return unless @text
+      return if @text.strip.empty?
+      uri = URI.parse(@text) rescue nil
+      return unless uri
+      address = resolve_scan_starturl_address(uri)
+      @report_data[:host] = address
+      @report_data[:state] = Msf::HostState::Alive
+    end
+
+    def collect_service
+      return unless @report_data[:host]
+      return unless in_tag("Scan")
+      return unless @text
+      return if @text.strip.empty?
+      uri = URI.parse(@text) rescue nil
+      return unless uri
+      @state[:starturl_uri] = uri
+      @report_data[:ports] ||= []
+      @report_data[:ports] << @state[:starturl_port]
+    end
+
+    def collect_and_report_banner
+      return unless (svc = @state[:starturl_service_object]) # Yes i want assignment
+      return unless @text
+      return if @text.strip.empty?
+      return unless in_tag("Scan")
+      svc_info = {
+        :host => svc.host,
+        :port => svc.port,
+        :proto => svc.proto,
+        :info => @text.strip
+      }
+      db_report(:service, svc_info)
+      @text = nil
+    end
+
+    def collect_report_item_name
+      return unless in_tag("ReportItem")
+      return unless @text
+      return if @text.strip.empty?
+      @state[:report_item] = @text
+    end
+
+    # @state[:fullurl] is set by report_web_site
+    def record_variable(attrs)
+      return unless in_tag("Inputs")
+      return unless @state[:fullurl].kind_of? URI
+      method = attr_hash(attrs)["Type"]
+      return unless method
+      return if method.strip.empty?
+      @state[:form_variables] ||= []
+      @state[:form_variables] << [attr_hash(attrs)["Name"],method]
+    end
+
+    def record_crawler(attrs)
+      return unless in_tag("Scan")
+      return unless @state[:starturl_service_object]
+      starturl = attr_hash(attrs)["StartUrl"]
+      return unless starturl
+      @state[:crawler_starturl] = starturl
+    end
+
+    def report_web_form(&block)
+      return unless in_tag("SiteFiles")
+      return unless @state[:web_site]
+      return unless @state[:fullurl].kind_of? URI
+      return unless @state[:form_variables].kind_of? Array
+      return if @state[:form_variables].empty?
+      method = parse_method(@state[:form_variables].first[1])
+      vars = @state[:form_variables].map {|x| x[0]}
+      form_info = {}
+      form_info[:web_site] = @state[:web_site]
+      form_info[:path] = @state[:fullurl].path
+      form_info[:query] = @state[:fullurl].query
+      form_info[:method] = method
+      form_info[:params] = vars
+      url = @state[:fullurl].to_s
+      db.emit(:web_form,url,&block) if block
+      db_report(:web_form,form_info)
+      @state[:fullurl] = nil
+      @state[:form_variables] = nil
+    end
+
+    def report_web_page(&block)
+      return if should_skip_this_page
+      return unless @state[:web_site]
+      return unless @state[:page_request]
+      return if @state[:page_request].strip.empty?
+      return unless @state[:page_response]
+      return if @state[:page_response].strip.empty?
+      path,query_string = parse_request(@state[:page_request])
+      return unless path
+      parsed_response = parse_response(@state[:page_response])
+      return unless parsed_response
+      web_page_info = {}
+      web_page_info[:web_site] = @state[:web_site]
+      web_page_info[:path] = path
+      web_page_info[:code] = parsed_response[:code].to_i
+      web_page_info[:headers] = parsed_response[:headers]
+      web_page_info[:body] = parsed_response[:body]
+      web_page_info[:query] = query_string || ""
+      url = ""
+      url << @state[:web_site].service.name.to_s << "://"
+      url << @state[:web_site].vhost.to_s << ":"
+      url << path
+      uri = URI.parse(url) rescue nil
+      return unless uri # Sanity checker
+      db.emit(:web_page, url, &block) if block
+      web_page_object = db_report(:web_page,web_page_info)
+      @state[:page_request] = @state[:page_response] = nil
+      @state[:web_page] = web_page_object
+    end
+
+    # Reasons why we shouldn't collect a particular web page.
+    def should_skip_this_page
+      if @state[:report_item] =~ /Unrestricted File Upload/
+        # This means that the page being collected is something the
+        # auditor put there, so it's not useful to report on.
+        return true
+      end
+      return false
+    end
+
+    # XXX Rex::Proto::Http::Packet seems broken for
+    # actually parsing requests and responses, but all I
+    # need are the headers anyway
+    def parse_request(request)
+      headers = Rex::Proto::Http::Packet::Header.new
+      headers.from_s request.dup # It's destructive.
+      return unless headers.cmd_string
+      verb,req = headers.cmd_string.split(/\s+/)
+      return unless verb
+      return unless req
+      path,query_string = req.split(/\?/)[0,2]
+    end
+
+    def parse_response(response)
+      headers = Rex::Proto::Http::Packet::Header.new
+      headers.from_s response.dup # It's destructive.
+      return unless headers.cmd_string
+      http,code,msg = headers.cmd_string.split(/\s+/)
+      return unless code
+      return unless code.to_i.to_s == code
+      parsed = {}
+      parsed[:code] = code
+      parsed[:headers] = {}
+      headers.each do |k,v|
+        parsed[:headers][k.to_s.downcase] = []
+        parsed[:headers][k.to_s.downcase] << v
+      end
+      parsed[:body] = "" # We never seem to get this from Acunetix
+      parsed
+    end
+
+    # Don't cause the web report to die just because we can't tell
+    # what method was used -- default to GET. Sometimes it's just "POST," and
+    # sometimes it's "URL encoded POST," and sometimes it might be something
+    # else.
+    def parse_method(meth)
+      verbs = "(GET|POST|PATH)"
+      real_method = meth.match(/^\s*#{verbs}/)
+      real_method ||= meth.match(/\s*#{verbs}\s*$/)
+      ( real_method && real_method[1] ) ? real_method[1] : "GET"
+    end
+
+    def report_host(&block)
+      return unless @report_data[:host]
+      return unless in_tag("Scan")
+      if host_is_okay
+        db.emit(:address,@report_data[:host],&block) if block
+        host_info = @report_data.merge(:workspace => @args[:wspace])
+        db_report(:host,host_info)
+      end
+    end
+
+    # The service is super important, so we hang on to it for the
+    # rest of the scan.
+    def report_starturl_service(host_object,&block)
+      return unless host_object
+      return unless @state[:starturl_uri]
+      name = @state[:starturl_uri].scheme
+      port = @state[:starturl_uri].port
+      addr = host_object.address
+      svc = {
+        :host => host_object,
+        :port => port,
+        :name => name.dup,
+        :proto => "tcp"
+      }
+      if name and port
+        db.emit(:service,[addr,port].join(":"),&block) if block
+        @state[:starturl_service_object] = db_report(:service,svc)
+      end
+    end
+
+    def report_web_site(url,&block)
+      return unless in_tag("Crawler")
+      return unless url
+      return if url.strip.empty?
+      uri = URI.parse(url) rescue nil
+      return unless uri
+      host = uri.host
+      port = uri.port
+      scheme = uri.scheme
+      return unless scheme[/^https?/]
+      return unless (host && port && scheme)
+      address = resolve_address(host)
+      return unless address
+      service_info = [ @args[:wspace], address, "tcp", port ]
+      service_object = db.get_service(*service_info)
+      service_object = db_report(:service,service_info) unless service_object
+      web_site_info = {
+        :workspace => @args[:wspace],
+        :service => service_object,
+        :vhost => host,
+        :ssl => (scheme == "https")
+      }
+      @state[:web_site] = db_report(:web_site,web_site_info)
+      @state[:fullurl] = uri
+    end
+
+    def report_starturl_web_site(&block)
+      return unless @state[:crawler_starturl]
+      starturl = @state[:crawler_starturl].dup
+      report_web_site(starturl,&block)
+    end
+
+    def report_os_fingerprint
+      return unless @state[:starturl_service_object]
+      return unless @text
+      return if @text.strip.empty?
+      return unless in_tag("Scan")
+      host = @state[:starturl_service_object].host
+      fp_note = {
+        :workspace => host.workspace,
+        :host => host,
+        :type => 'host.os.acunetix_fingerprint',
+        :data => {:os => @text}
+      }
+      db_report(:note, fp_note)
+      @text = nil
+    end
+
+    def resolve_port(uri)
+      @state[:port] = uri.port
+      unless @state[:port]
+        @parse_warnings << "Could not determine a port for '#{@state[:scan_name]}'"
+      end
+      @state[:port] = uri.port
+    end
+
+    def resolve_address(host)
+      return @resolv_cache[host] if @resolv_cache[host]
+      address = Rex::Socket.resolv_to_dotted(host) rescue nil
+      @resolv_cache[host] = address
+      return address
+    end
+
+    def resolve_scan_starturl_address(uri)
+      if uri.host
+        address = resolve_address(uri.host)
+        unless address
+          @parse_warnings << "Could not resolve address for '#{uri.host}', skipping '#{@state[:scan_name]}'"
+        end
+      else
+        @parse_warnings << "Could not determine a host for '#{@state[:scan_name]}'"
+      end
+      address
+    end
+
+    def handle_parse_warnings(&block)
+      return if @parse_warnings.empty?
+      @parse_warnings.each do |pwarn|
+        db.emit(:warning, pwarn, &block) if block
+      end
+    end
+
+  end
+  end
+end
+