dstruct 0.0.1

data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb

@@ -0,0 +1,97 @@
+# -*- coding: binary -*-
+
+require 'ipaddr'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+
+###
+#
+# This class represents a connection (listening, connected)
+# on the remote machine.
+#
+###
+class Netstat
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Returns a netstat entry and initializes it to the supplied
+  # parameters.
+  #
+  def initialize(opts={})
+    self.local_addr   = IPAddr.new_ntoh(opts[:local_addr]).to_s
+    self.remote_addr  = IPAddr.new_ntoh(opts[:remote_addr]).to_s
+    self.local_port   = opts[:local_port]
+    self.remote_port  = opts[:remote_port]
+    self.protocol     = opts[:protocol]
+    self.state        = opts[:state]
+    self.uid          = opts[:uid] || 0
+    self.inode        = opts[:inode] || 0
+    self.pid_name     = opts[:pid_name]
+
+    self.local_addr_str  = sprintf("%s:%d",self.local_addr, self.local_port)
+    if self.remote_port == 0
+      port = "*"
+    else
+      port = self.remote_port.to_s
+    end
+    self.remote_addr_str = sprintf("%s:%s",self.remote_addr, port)
+  end
+
+
+  #
+  # The local address of the connection
+  #
+  attr_accessor :local_addr
+  #
+  # The remote address (peer) of the connection
+  #
+  attr_accessor :remote_addr
+  #
+  # The local port of the connection.
+  #
+  attr_accessor :local_port
+  #
+  # The remote port of the connection.
+  #
+  attr_accessor :remote_port
+  #
+  # The protocol type (tcp/tcp6/udp/udp6)
+  #
+  attr_accessor :protocol
+  #
+  # The state  of the connection (close, listening, syn_sent...)
+  #
+  attr_accessor :state
+  #
+  # The uid of the user who started the process to which the connection belongs to
+  #
+  attr_accessor :uid
+  #
+  # The socket inode
+  #
+  attr_accessor :inode
+  #
+  # The name of the process to which the connection belongs to
+  #
+  attr_accessor :pid_name
+  #
+  # The local address of the connection plus the port
+  #
+  attr_accessor :local_addr_str
+  #
+  # The remote address (peer) of the connection plus the port or *
+  #
+  attr_accessor :remote_addr_str
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb

@@ -0,0 +1,106 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+
+###
+#
+# This class provides DNS resolution from the perspective
+# of the remote host.
+#
+###
+class Resolve
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Initializes a Resolve instance that is used to resolve network addresses
+  # on the remote machine.
+  #
+  def initialize(client)
+    self.client = client
+  end
+
+  def resolve_host(hostname, family=AF_INET)
+    request = Packet.create_request('stdapi_net_resolve_host')
+    request.add_tlv(TLV_TYPE_HOST_NAME, hostname)
+    request.add_tlv(TLV_TYPE_ADDR_TYPE, family)
+
+    response = client.send_request(request)
+
+    type = response.get_tlv_value(TLV_TYPE_ADDR_TYPE)
+    raw = response.get_tlv_value(TLV_TYPE_IP)
+
+    return raw_to_host_ip_pair(hostname, raw, type)
+  end
+
+  def resolve_hosts(hostnames, family=AF_INET)
+    request = Packet.create_request('stdapi_net_resolve_hosts')
+    request.add_tlv(TLV_TYPE_ADDR_TYPE, family)
+
+    hostnames.each do |hostname|
+      request.add_tlv(TLV_TYPE_HOST_NAME, hostname)
+    end
+
+    response = client.send_request(request)
+
+    hosts = []
+    raws = []
+    types = []
+
+    response.each(TLV_TYPE_IP) do |raw|
+      raws << raw
+    end
+
+    response.each(TLV_TYPE_ADDR_TYPE) do |type|
+      types << type
+    end
+
+    0.upto(hostnames.length - 1) do |i|
+      raw = raws[i]
+      type = types[i]
+      host = hostnames[i]
+
+      hosts << raw_to_host_ip_pair(host, raw.value, type.value)
+    end
+
+    return hosts
+  end
+
+  def raw_to_host_ip_pair(host, raw, type)
+    if raw.nil? or host.nil?
+      return nil
+    end
+
+    if raw.empty?
+      ip = nil
+    else
+      if type == AF_INET
+        ip = Rex::Socket.addr_ntoa(raw[0..3])
+      else
+        ip = Rex::Socket.addr_ntoa(raw[0..16])
+      end
+    end
+
+    result = { :hostname => host, :ip => ip }
+
+    return result
+  end
+
+protected
+
+  attr_accessor :client # :nodoc:
+
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb

@@ -0,0 +1,67 @@
+# -*- coding: binary -*-
+
+require 'ipaddr'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+
+###
+#
+# Represents a logical network route.
+#
+###
+class Route
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Initializes a route instance.
+  #
+  def initialize(subnet, netmask, gateway, interface='', metric=0)
+    self.subnet  = IPAddr.new_ntoh(subnet).to_s
+    self.netmask = IPAddr.new_ntoh(netmask).to_s
+    self.gateway = IPAddr.new_ntoh(gateway).to_s
+    self.interface = interface
+    self.metric = metric
+  end
+
+  #
+  # Provides a pretty version of the route.
+  #
+  def pretty
+    return sprintf("%16s %16s %16s %d %16s", subnet, netmask, gateway, metric, interface)
+  end
+
+  #
+  # The subnet mask associated with the route.
+  #
+  attr_accessor :subnet
+  #
+  # The netmask of the subnet route.
+  #
+  attr_accessor :netmask
+  #
+  # The gateway to take for the subnet route.
+  #
+  attr_accessor :gateway
+  #
+  # The interface to take for the subnet route.
+  #
+  attr_accessor :interface
+  #
+  # The metric of the route.
+  #
+  attr_accessor :metric
+
+
+end
+
+end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb

@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+
+require 'thread'
+require 'rex/socket'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel'
+require 'rex/logging'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+
+###
+#
+# This class provides an interface to interacting with sockets
+# on the remote machine.  It allows callers to open TCP, UDP,
+# and other arbitrary socket-based connections as channels that
+# can then be interacted with through the established
+# meterpreter connection.
+#
+###
+class Socket
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Initialize the socket subsystem and start monitoring sockets as they come
+  # in.
+  #
+  def initialize(client)
+    self.client = client
+
+    # register the inbound handler for the tcp server channel (allowing us to
+    # receive new client connections to a tcp server channel)
+    client.register_inbound_handler( Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel )
+
+  end
+
+  #
+  # Deregister the inbound handler for the tcp server channel
+  #
+  def shutdown
+    client.deregister_inbound_handler(  Rex::Post::Meterpreter::Extensions::Stdapi::Net::SocketSubsystem::TcpServerChannel )
+  end
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  #
+  # Creates an arbitrary client socket channel using the information supplied
+  # in the socket parameters instance.  The +params+ argument is expected to be
+  # of type Rex::Socket::Parameters.
+  #
+  def create( params )
+    res = nil
+
+    if( params.tcp? )
+      if( params.server? )
+        res = create_tcp_server_channel( params )
+      else
+        res = create_tcp_client_channel( params )
+      end
+    elsif( params.udp? )
+      res = create_udp_channel( params )
+    end
+
+    return res
+  end
+
+  #
+  # Create a TCP server channel.
+  #
+  def create_tcp_server_channel(params)
+    begin
+      return SocketSubsystem::TcpServerChannel.open(client, params)
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      case e.code
+      when 10000 .. 10100
+        raise ::Rex::ConnectionError.new
+      end
+      raise e
+    end
+  end
+
+  #
+  # Creates a TCP client channel.
+  #
+  def create_tcp_client_channel(params)
+    begin
+      channel = SocketSubsystem::TcpClientChannel.open(client, params)
+      if( channel != nil )
+        return channel.lsock
+      end
+      return nil
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      case e.code
+      when 10000 .. 10100
+        raise ::Rex::ConnectionError.new
+      end
+      raise e
+    end
+  end
+
+  #
+  # Creates a UDP channel.
+  #
+  def create_udp_channel(params)
+    begin
+      return SocketSubsystem::UdpChannel.open(client, params)
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      case e.code
+        when 10000 .. 10100
+        raise ::Rex::ConnectionError.new
+      end
+      raise e
+    end
+  end
+
+
+protected
+
+  attr_accessor :client # :nodoc:
+
+end
+
+end; end; end; end; end; end
+

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb

@@ -0,0 +1,180 @@
+# -*- coding: binary -*-
+
+require 'thread'
+require 'rex/post/meterpreter/channel'
+require 'rex/post/meterpreter/channels/stream'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+module SocketSubsystem
+
+###
+#
+# This class represents a logical TCP client connection
+# that is established from the remote machine and tunnelled
+# through the established meterpreter connection, similar to an
+# SSH port forward.
+#
+###
+class TcpClientChannel < Rex::Post::Meterpreter::Stream
+
+  class << self
+    def cls
+      return CHANNEL_CLASS_STREAM
+    end
+  end
+
+  module SocketInterface
+    def type?
+      'tcp'
+    end
+
+    def getsockname
+      return super if not channel
+      # Find the first host in our chain (our address)
+      hops = 0
+      csock = channel.client.sock
+      while(csock.respond_to?('channel'))
+        csock = csock.channel.client.sock
+        hops += 1
+      end
+      tmp,caddr,cport = csock.getsockname
+      tmp,raddr,rport = csock.getpeername
+      maddr,mport = [ channel.params.localhost, channel.params.localport ]
+      [ tmp, "#{caddr}#{(hops > 0) ? "-_#{hops}_" : ""}-#{raddr}", "#{mport}" ]
+    end
+
+    def getpeername
+      return super if not channel
+      tmp,caddr,cport = channel.client.sock.getpeername
+      maddr,mport = [ channel.params.peerhost, channel.params.peerport ]
+      [ tmp, "#{maddr}", "#{mport}" ]
+    end
+
+    attr_accessor :channel
+  end
+
+  #
+  # Simple mixin for lsock in order to help avoid a ruby interpreter issue with ::Socket.pair
+  # Instead of writing to the lsock, reading from the rsock and then writing to the channel,
+  # we use this mixin to directly write to the channel.
+  #
+  # Note: This does not work with OpenSSL as OpenSSL is implemented natively and requires a real
+  # socket to write to and we cant intercept the sockets syswrite at a native level.
+  #
+  # Note: The deadlock only seems to effect the Ruby build for cygwin.
+  #
+  module DirectChannelWrite
+
+    def syswrite( buf )
+      channel._write( buf )
+    end
+
+    attr_accessor :channel
+  end
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  #
+  # Opens a TCP client channel using the supplied parameters.
+  #
+  def TcpClientChannel.open(client, params)
+    c = Channel.create(client, 'stdapi_net_tcp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
+      [
+        {
+          'type'  => TLV_TYPE_PEER_HOST,
+          'value' => params.peerhost
+        },
+        {
+          'type'  => TLV_TYPE_PEER_PORT,
+          'value' => params.peerport
+        },
+        {
+          'type'  => TLV_TYPE_LOCAL_HOST,
+          'value' => params.localhost
+        },
+        {
+          'type'  => TLV_TYPE_LOCAL_PORT,
+          'value' => params.localport
+        },
+        {
+          'type'  => TLV_TYPE_CONNECT_RETRIES,
+          'value' => params.retries
+        }
+      ])
+    c.params = params
+    c
+  end
+
+  ##
+  #
+  # Constructor
+  #
+  ##
+
+  #
+  # Passes the channel initialization information up to the base class.
+  #
+  def initialize( client, cid, type, flags )
+    super( client, cid, type, flags )
+
+    lsock.extend( SocketInterface )
+    lsock.extend( DirectChannelWrite )
+    lsock.channel = self
+
+    rsock.extend( SocketInterface )
+    rsock.channel = self
+
+  end
+
+  #
+  # Closes the write half of the connection.
+  #
+  def close_write
+    return shutdown(1)
+  end
+
+  #
+  # Shutdown the connection
+  #
+  # 0 -> future reads
+  # 1 -> future sends
+  # 2 -> both
+  #
+  def shutdown(how = 1)
+    request = Packet.create_request('stdapi_net_socket_tcp_shutdown')
+
+    request.add_tlv(TLV_TYPE_SHUTDOWN_HOW, how)
+    request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
+
+    response = client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Wrap the _write() call in order to catch some common, but harmless Windows exceptions
+  #
+  def _write(*args)
+    begin
+      super(*args)
+    rescue ::Rex::Post::Meterpreter::RequestError => e
+      case e.code
+      when 10000 .. 10100
+        raise ::Rex::ConnectionError.new
+      end
+    end
+  end
+end
+
+end; end; end; end; end; end; end
+