dstruct 0.0.1

data/lib/rex/post/meterpreter/channel_container.rb

@@ -0,0 +1,54 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+
+###
+#
+# This interface is meant to be included by things that are meant to contain
+# zero or more channel instances in the form of a hash.
+#
+###
+module ChannelContainer
+
+  #
+  # Initializes the channel association hash
+  #
+  def initialize_channels
+    self.channels = {}
+  end
+
+  #
+  # Adds a channel to the container that is indexed by its channel identifier
+  #
+  def add_channel(channel)
+    self.channels[channel.cid] = channel
+  end
+
+  #
+  # Looks up a channel instance based on its channel identifier
+  #
+  def find_channel(cid)
+    return self.channels[cid]
+  end
+
+  #
+  # Removes a channel based on its channel identifier
+  #
+  def remove_channel(cid)
+    return self.channels.delete(cid)
+  end
+
+  #
+  # The hash of channels.
+  #
+  attr_reader :channels
+
+protected
+
+  attr_writer :channels # :nodoc:
+
+end
+
+end; end; end

data/lib/rex/post/meterpreter/channels/pool.rb

@@ -0,0 +1,160 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/channel'
+
+module Rex
+module Post
+module Meterpreter
+module Channels
+
+###
+#
+# This class acts as a base class for all channels that are classified
+# as 'pools'.  This means that only one side of the channel, typically
+# the client half, acts on the other half of the channel.  Examples
+# of pools come in the form of files where the remote side never sends
+# any unrequested data.
+#
+# Another key distinction of Pools is that they, in general, support
+# the DIO mode 'seek' which allows for changing the position, or offset,
+# into the channel.
+#
+###
+class Pool < Rex::Post::Meterpreter::Channel
+
+  class << self
+    def cls
+      return CHANNEL_CLASS_POOL
+    end
+  end
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Passes the initialization information up to the base class
+  #
+  def initialize(client, cid, type, flags)
+    super(client, cid, type, flags)
+  end
+
+  ##
+  #
+  # Channel interaction
+  #
+  ##
+
+  #
+  # Checks to see if the EOF flag has been set on the pool.
+  #
+  def eof
+    request = Packet.create_request('core_channel_eof')
+
+    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
+
+    begin
+      response = self.client.send_request(request)
+    rescue
+      return true
+    end
+
+    if (response.has_tlv?(TLV_TYPE_BOOL))
+      return response.get_tlv_value(TLV_TYPE_BOOL)
+    end
+
+    return false
+  end
+
+  #
+  # Reads data from the remote side of the pool and raises EOFError if the
+  # pool has been reached EOF.
+  #
+  def read(length = nil)
+    begin
+      data = super(length)
+    rescue
+      data = nil
+    end
+
+    if (((data == nil) || (data.length == 0)) &&
+        (self.eof))
+      raise EOFError
+    end
+
+    return data
+  end
+
+  #
+  # This method seeks to an offset within the remote side of the pool using
+  # the standard seek whence clauses.
+  #
+  def seek(offset, whence = SEEK_SET)
+    sane = 0
+
+    # Just in case...
+    case whence
+      when ::IO::SEEK_SET
+        sane = 0
+      when ::IO::SEEK_CUR
+        sane = 1
+      when ::IO::SEEK_END
+        sane = 2
+      else
+        raise RuntimeError, "Invalid seek whence #{whence}.", caller
+    end
+
+    request = Packet.create_request('core_channel_seek')
+
+    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
+    request.add_tlv(TLV_TYPE_SEEK_OFFSET, offset)
+    request.add_tlv(TLV_TYPE_SEEK_WHENCE, sane)
+
+    begin
+      response = self.client.send_request(request)
+    rescue
+      return -1
+    end
+
+    return tell
+  end
+
+  #
+  # Synonym for tell.
+  #
+  def pos
+    return tell
+  end
+
+  #
+  # This method returns the current file pointer position to the caller.
+  #
+  def tell
+    request = Packet.create_request('core_channel_tell')
+    pos     = -1
+
+    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
+
+    begin
+      response = self.client.send_request(request)
+    rescue
+      return pos
+    end
+
+    # Set the return value to the position that we're at
+    if (response.has_tlv?(TLV_TYPE_SEEK_POS))
+      pos = response.get_tlv_value(TLV_TYPE_SEEK_POS)
+    end
+
+    return pos
+  end
+
+protected
+  attr_accessor :_eof # :nodoc:
+
+end
+
+end; end; end; end
+

data/lib/rex/post/meterpreter/channels/pools/file.rb

@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/channels/pool'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Channels
+module Pools
+
+###
+#
+# File
+# ----
+#
+# This class represents a channel that is associated with a file
+# on the remote half of the meterpreter connection.
+#
+###
+class File < Rex::Post::Meterpreter::Channels::Pool
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  #
+  # This method returns an instance of a file pool channel that can be read
+  # from, written to, seeked on, and other interacted with.
+  #
+  def File.open(client, name, mode = "r", perm = 0)
+    return Channel.create(client, 'stdapi_fs_file',
+        self, CHANNEL_FLAG_SYNCHRONOUS,
+        [
+          {
+            'type'  => Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_FILE_PATH,
+            'value' => client.unicode_filter_decode( name )
+          },
+          {
+            'type'  => Rex::Post::Meterpreter::Extensions::Stdapi::TLV_TYPE_FILE_MODE,
+            'value' => mode + "b"
+          },
+        ])
+  end
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  # Initializes the file channel instance
+  def initialize(client, cid, type, flags)
+    super(client, cid, type, flags)
+  end
+
+end
+
+end; end; end; end; end
+

data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb

@@ -0,0 +1,103 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/channels/pool'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Channels
+module Pools
+
+###
+#
+# StreamPool
+# ----------
+#
+# This class represents a channel that is associated with a
+# streaming pool that has no definite end-point.  While this
+# may seem a paradox given the stream class of channels, it's
+# in fact dinstinct because streams automatically forward
+# traffic between the two ends of the channel whereas
+# stream pools are always requested data in a single direction.
+#
+###
+class StreamPool < Rex::Post::Meterpreter::Channels::Pool
+
+  include Rex::IO::StreamAbstraction
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  # Initializes the file channel instance
+  def initialize(client, cid, type, flags)
+    super(client, cid, type, flags)
+
+    initialize_abstraction
+  end
+
+  ##
+  #
+  # Streaming pools don't support tell, seek, or eof.
+  #
+  ##
+
+  #
+  # This method returns the current offset into the pool.
+  #
+  def tell
+    raise NotImplementedError
+  end
+
+  #
+  # This method seeks to an offset in the pool.
+  #
+  def seek
+    raise NotImplementedError
+  end
+
+  #
+  # This method returns whether or not eof has been returned.
+  #
+  def eof
+    return false
+  end
+
+  #
+  # Transfers data to the local half of the pool for reading.
+  #
+  def dio_write_handler(packet, data)
+    rv = Rex::ThreadSafe.select(nil, [rsock], nil, 0.01)
+    if(rv)
+      rsock.write(data)
+      return true
+    else
+      return false
+    end
+  end
+
+  #
+  # Closes the local half of the pool stream.
+  #
+  def dio_close_handler(packet)
+    rsock.close
+
+    return super(packet)
+  end
+
+  #
+  # Cleans up resources used by the channel.
+  #
+  def cleanup
+    super
+
+    cleanup_abstraction
+  end
+
+end
+
+end; end; end; end; end
+

data/lib/rex/post/meterpreter/channels/stream.rb

@@ -0,0 +1,87 @@
+# -*- coding: binary -*-
+
+require 'rex/io/stream_abstraction'
+require 'rex/post/meterpreter/channel'
+
+module Rex
+module Post
+module Meterpreter
+
+###
+#
+# Stream
+# ------
+#
+# This class represents a channel that is streaming.  This means
+# that sequential data is flowing in either one or both directions.
+#
+###
+class Stream < Rex::Post::Meterpreter::Channel
+
+  include Rex::IO::StreamAbstraction
+
+  class << self
+    def cls
+      return CHANNEL_CLASS_STREAM
+    end
+  end
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Passes the initialization information up to the base class
+  #
+  def initialize(client, cid, type, flags)
+    # sf: initialize_abstraction() before super() as we can get a scenario where dio_write_handler() is called
+    # with data to write to the rsock but rsock has not yet been initialized. This happens if the channel
+    # is registered (client.add_channel(self) in Channel.initialize) to a session and a 'core_channel_write'
+    # request comes in before we have called self.initialize_abstraction()
+    initialize_abstraction
+    super(client, cid, type, flags)
+  end
+
+  ##
+  #
+  # Remote I/O handlers
+  #
+  ##
+
+  #
+  # Performs a write operation on the right side of the local stream.
+  #
+  def dio_write_handler(packet, data)
+    rv = Rex::ThreadSafe.select(nil, [rsock], nil, 0.01)
+    if(rv)
+      rsock.write(data)
+      return true
+    else
+      return false
+    end
+  end
+
+  #
+  # Performs a close operation on the right side of the local stream.
+  #
+  def dio_close_handler(packet)
+    rsock.close
+
+    return super(packet)
+  end
+
+  #
+  # Cleans up the stream abstraction.
+  #
+  def cleanup
+    super
+
+    cleanup_abstraction
+  end
+
+end
+
+end; end; end
+