dstruct 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +15 -0
- data/README.markdown +23 -0
- data/examples/smb_example.rb +35 -0
- data/lib/rex.rb +108 -0
- data/lib/rex/LICENSE +29 -0
- data/lib/rex/arch.rb +104 -0
- data/lib/rex/arch/sparc.rb +75 -0
- data/lib/rex/arch/x86.rb +524 -0
- data/lib/rex/assembly/nasm.rb +104 -0
- data/lib/rex/codepage.map +104 -0
- data/lib/rex/compat.rb +389 -0
- data/lib/rex/constants.rb +124 -0
- data/lib/rex/elfparsey.rb +9 -0
- data/lib/rex/elfparsey/elf.rb +121 -0
- data/lib/rex/elfparsey/elfbase.rb +256 -0
- data/lib/rex/elfparsey/exceptions.rb +25 -0
- data/lib/rex/elfscan.rb +10 -0
- data/lib/rex/elfscan/scanner.rb +226 -0
- data/lib/rex/elfscan/search.rb +44 -0
- data/lib/rex/encoder/alpha2.rb +31 -0
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +68 -0
- data/lib/rex/encoder/alpha2/alpha_upper.rb +79 -0
- data/lib/rex/encoder/alpha2/generic.rb +90 -0
- data/lib/rex/encoder/alpha2/unicode_mixed.rb +116 -0
- data/lib/rex/encoder/alpha2/unicode_upper.rb +123 -0
- data/lib/rex/encoder/bloxor/bloxor.rb +327 -0
- data/lib/rex/encoder/ndr.rb +90 -0
- data/lib/rex/encoder/nonalpha.rb +61 -0
- data/lib/rex/encoder/nonupper.rb +64 -0
- data/lib/rex/encoder/xdr.rb +107 -0
- data/lib/rex/encoder/xor.rb +69 -0
- data/lib/rex/encoder/xor/dword.rb +13 -0
- data/lib/rex/encoder/xor/dword_additive.rb +13 -0
- data/lib/rex/encoders/xor_dword.rb +35 -0
- data/lib/rex/encoders/xor_dword_additive.rb +53 -0
- data/lib/rex/encoding/xor.rb +20 -0
- data/lib/rex/encoding/xor/byte.rb +15 -0
- data/lib/rex/encoding/xor/dword.rb +21 -0
- data/lib/rex/encoding/xor/dword_additive.rb +92 -0
- data/lib/rex/encoding/xor/exceptions.rb +17 -0
- data/lib/rex/encoding/xor/generic.rb +146 -0
- data/lib/rex/encoding/xor/qword.rb +15 -0
- data/lib/rex/encoding/xor/word.rb +21 -0
- data/lib/rex/exceptions.rb +275 -0
- data/lib/rex/exploitation/cmdstager.rb +10 -0
- data/lib/rex/exploitation/cmdstager/base.rb +190 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +105 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +140 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +134 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +164 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +122 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +71 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +126 -0
- data/lib/rex/exploitation/egghunter.rb +425 -0
- data/lib/rex/exploitation/encryptjs.rb +78 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +69 -0
- data/lib/rex/exploitation/js/memory.rb +81 -0
- data/lib/rex/exploitation/js/network.rb +84 -0
- data/lib/rex/exploitation/js/utils.rb +33 -0
- data/lib/rex/exploitation/jsobfu.rb +513 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/powershell.rb +62 -0
- data/lib/rex/exploitation/powershell/function.rb +63 -0
- data/lib/rex/exploitation/powershell/obfu.rb +98 -0
- data/lib/rex/exploitation/powershell/output.rb +151 -0
- data/lib/rex/exploitation/powershell/param.rb +23 -0
- data/lib/rex/exploitation/powershell/parser.rb +183 -0
- data/lib/rex/exploitation/powershell/psh_methods.rb +70 -0
- data/lib/rex/exploitation/powershell/script.rb +99 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/file.rb +160 -0
- data/lib/rex/image_source.rb +10 -0
- data/lib/rex/image_source/disk.rb +58 -0
- data/lib/rex/image_source/image_source.rb +44 -0
- data/lib/rex/image_source/memory.rb +35 -0
- data/lib/rex/io/bidirectional_pipe.rb +161 -0
- data/lib/rex/io/datagram_abstraction.rb +35 -0
- data/lib/rex/io/ring_buffer.rb +369 -0
- data/lib/rex/io/stream.rb +312 -0
- data/lib/rex/io/stream_abstraction.rb +209 -0
- data/lib/rex/io/stream_server.rb +221 -0
- data/lib/rex/job_container.rb +200 -0
- data/lib/rex/logging.rb +4 -0
- data/lib/rex/logging/log_dispatcher.rb +180 -0
- data/lib/rex/logging/log_sink.rb +43 -0
- data/lib/rex/logging/sinks/flatfile.rb +56 -0
- data/lib/rex/logging/sinks/stderr.rb +44 -0
- data/lib/rex/mac_oui.rb +16581 -0
- data/lib/rex/machparsey.rb +9 -0
- data/lib/rex/machparsey/exceptions.rb +34 -0
- data/lib/rex/machparsey/mach.rb +209 -0
- data/lib/rex/machparsey/machbase.rb +408 -0
- data/lib/rex/machscan.rb +9 -0
- data/lib/rex/machscan/scanner.rb +217 -0
- data/lib/rex/mime.rb +10 -0
- data/lib/rex/mime/encoding.rb +17 -0
- data/lib/rex/mime/header.rb +78 -0
- data/lib/rex/mime/message.rb +150 -0
- data/lib/rex/mime/part.rb +50 -0
- data/lib/rex/nop/opty2.rb +109 -0
- data/lib/rex/nop/opty2_tables.rb +301 -0
- data/lib/rex/ole.rb +202 -0
- data/lib/rex/ole/clsid.rb +44 -0
- data/lib/rex/ole/difat.rb +138 -0
- data/lib/rex/ole/directory.rb +228 -0
- data/lib/rex/ole/direntry.rb +237 -0
- data/lib/rex/ole/docs/dependencies.txt +8 -0
- data/lib/rex/ole/docs/references.txt +1 -0
- data/lib/rex/ole/fat.rb +96 -0
- data/lib/rex/ole/header.rb +201 -0
- data/lib/rex/ole/minifat.rb +74 -0
- data/lib/rex/ole/propset.rb +141 -0
- data/lib/rex/ole/samples/create_ole.rb +27 -0
- data/lib/rex/ole/samples/dir.rb +35 -0
- data/lib/rex/ole/samples/dump_stream.rb +34 -0
- data/lib/rex/ole/samples/ole_info.rb +23 -0
- data/lib/rex/ole/storage.rb +392 -0
- data/lib/rex/ole/stream.rb +50 -0
- data/lib/rex/ole/substorage.rb +46 -0
- data/lib/rex/ole/util.rb +154 -0
- data/lib/rex/parser/acunetix_nokogiri.rb +406 -0
- data/lib/rex/parser/apple_backup_manifestdb.rb +132 -0
- data/lib/rex/parser/appscan_nokogiri.rb +367 -0
- data/lib/rex/parser/arguments.rb +108 -0
- data/lib/rex/parser/burp_session_nokogiri.rb +291 -0
- data/lib/rex/parser/ci_nokogiri.rb +193 -0
- data/lib/rex/parser/foundstone_nokogiri.rb +342 -0
- data/lib/rex/parser/fusionvm_nokogiri.rb +109 -0
- data/lib/rex/parser/group_policy_preferences.rb +185 -0
- data/lib/rex/parser/ini.rb +186 -0
- data/lib/rex/parser/ip360_aspl_xml.rb +103 -0
- data/lib/rex/parser/ip360_xml.rb +98 -0
- data/lib/rex/parser/mbsa_nokogiri.rb +256 -0
- data/lib/rex/parser/nessus_xml.rb +121 -0
- data/lib/rex/parser/netsparker_xml.rb +109 -0
- data/lib/rex/parser/nexpose_raw_nokogiri.rb +686 -0
- data/lib/rex/parser/nexpose_simple_nokogiri.rb +330 -0
- data/lib/rex/parser/nexpose_xml.rb +172 -0
- data/lib/rex/parser/nmap_nokogiri.rb +394 -0
- data/lib/rex/parser/nmap_xml.rb +166 -0
- data/lib/rex/parser/nokogiri_doc_mixin.rb +233 -0
- data/lib/rex/parser/openvas_nokogiri.rb +172 -0
- data/lib/rex/parser/outpost24_nokogiri.rb +240 -0
- data/lib/rex/parser/retina_xml.rb +110 -0
- data/lib/rex/parser/unattend.rb +171 -0
- data/lib/rex/parser/wapiti_nokogiri.rb +105 -0
- data/lib/rex/payloads.rb +2 -0
- data/lib/rex/payloads/win32.rb +3 -0
- data/lib/rex/payloads/win32/common.rb +27 -0
- data/lib/rex/payloads/win32/kernel.rb +54 -0
- data/lib/rex/payloads/win32/kernel/common.rb +55 -0
- data/lib/rex/payloads/win32/kernel/migration.rb +13 -0
- data/lib/rex/payloads/win32/kernel/recovery.rb +51 -0
- data/lib/rex/payloads/win32/kernel/stager.rb +195 -0
- data/lib/rex/peparsey.rb +10 -0
- data/lib/rex/peparsey/exceptions.rb +30 -0
- data/lib/rex/peparsey/pe.rb +210 -0
- data/lib/rex/peparsey/pe_memdump.rb +61 -0
- data/lib/rex/peparsey/pebase.rb +1662 -0
- data/lib/rex/peparsey/section.rb +128 -0
- data/lib/rex/pescan.rb +11 -0
- data/lib/rex/pescan/analyze.rb +366 -0
- data/lib/rex/pescan/scanner.rb +230 -0
- data/lib/rex/pescan/search.rb +68 -0
- data/lib/rex/platforms.rb +2 -0
- data/lib/rex/platforms/windows.rb +52 -0
- data/lib/rex/poly.rb +134 -0
- data/lib/rex/poly/block.rb +480 -0
- data/lib/rex/poly/machine.rb +13 -0
- data/lib/rex/poly/machine/machine.rb +830 -0
- data/lib/rex/poly/machine/x86.rb +509 -0
- data/lib/rex/poly/register.rb +101 -0
- data/lib/rex/poly/register/x86.rb +41 -0
- data/lib/rex/post.rb +7 -0
- data/lib/rex/post/dir.rb +51 -0
- data/lib/rex/post/file.rb +172 -0
- data/lib/rex/post/file_stat.rb +220 -0
- data/lib/rex/post/gen.pl +13 -0
- data/lib/rex/post/io.rb +182 -0
- data/lib/rex/post/meterpreter.rb +5 -0
- data/lib/rex/post/meterpreter/channel.rb +446 -0
- data/lib/rex/post/meterpreter/channel_container.rb +54 -0
- data/lib/rex/post/meterpreter/channels/pool.rb +160 -0
- data/lib/rex/post/meterpreter/channels/pools/file.rb +62 -0
- data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +103 -0
- data/lib/rex/post/meterpreter/channels/stream.rb +87 -0
- data/lib/rex/post/meterpreter/client.rb +483 -0
- data/lib/rex/post/meterpreter/client_core.rb +352 -0
- data/lib/rex/post/meterpreter/dependencies.rb +3 -0
- data/lib/rex/post/meterpreter/extension.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/android/android.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/android/tlv.rb +40 -0
- data/lib/rex/post/meterpreter/extensions/espia/espia.rb +58 -0
- data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +17 -0
- data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +71 -0
- data/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb +169 -0
- data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +45 -0
- data/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +77 -0
- data/lib/rex/post/meterpreter/extensions/extapi/window/window.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +75 -0
- data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +94 -0
- data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +22 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +361 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +76 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp.rb +78 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb +43 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/tftp/tftp.rb +49 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/tlv.rb +17 -0
- data/lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +57 -0
- data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/priv/fs.rb +118 -0
- data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +61 -0
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +109 -0
- data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +29 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +117 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +27 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +396 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +284 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +399 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +48 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/arp.rb +59 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +256 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +129 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb +106 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +67 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +139 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +180 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +168 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +209 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +38146 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +48 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +2102 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3852 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +100 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +168 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +3170 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_version.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wlanapi.rb +87 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +613 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +388 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +111 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +149 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb +27 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb +515 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +319 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb +23 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +301 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +106 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +676 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +96 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +151 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +192 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +60 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +408 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +129 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +55 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +336 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +141 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +328 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +193 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +102 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +188 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +180 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +236 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +259 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +201 -0
- data/lib/rex/post/meterpreter/inbound_packet_handler.rb +30 -0
- data/lib/rex/post/meterpreter/object_aliases.rb +83 -0
- data/lib/rex/post/meterpreter/packet.rb +709 -0
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +543 -0
- data/lib/rex/post/meterpreter/packet_parser.rb +94 -0
- data/lib/rex/post/meterpreter/packet_response_waiter.rb +83 -0
- data/lib/rex/post/meterpreter/ui/console.rb +142 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +86 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +383 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +939 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +109 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +65 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +198 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +444 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +199 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb +118 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb +108 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +242 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +509 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks.rb +60 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +254 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp.rb +159 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +182 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +232 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +62 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +97 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +52 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +133 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +204 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +66 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +527 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +448 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +906 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +318 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +343 -0
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +99 -0
- data/lib/rex/post/permission.rb +26 -0
- data/lib/rex/post/process.rb +57 -0
- data/lib/rex/post/thread.rb +57 -0
- data/lib/rex/post/ui.rb +52 -0
- data/lib/rex/proto.rb +15 -0
- data/lib/rex/proto/addp.rb +218 -0
- data/lib/rex/proto/dcerpc.rb +7 -0
- data/lib/rex/proto/dcerpc/client.rb +362 -0
- data/lib/rex/proto/dcerpc/exceptions.rb +151 -0
- data/lib/rex/proto/dcerpc/handle.rb +48 -0
- data/lib/rex/proto/dcerpc/ndr.rb +73 -0
- data/lib/rex/proto/dcerpc/packet.rb +264 -0
- data/lib/rex/proto/dcerpc/response.rb +188 -0
- data/lib/rex/proto/dcerpc/uuid.rb +85 -0
- data/lib/rex/proto/dcerpc/wdscp.rb +3 -0
- data/lib/rex/proto/dcerpc/wdscp/constants.rb +89 -0
- data/lib/rex/proto/dcerpc/wdscp/packet.rb +94 -0
- data/lib/rex/proto/dhcp.rb +7 -0
- data/lib/rex/proto/dhcp/constants.rb +34 -0
- data/lib/rex/proto/dhcp/server.rb +334 -0
- data/lib/rex/proto/drda.rb +6 -0
- data/lib/rex/proto/drda/constants.rb +50 -0
- data/lib/rex/proto/drda/packet.rb +253 -0
- data/lib/rex/proto/drda/utils.rb +124 -0
- data/lib/rex/proto/http.rb +7 -0
- data/lib/rex/proto/http/client.rb +722 -0
- data/lib/rex/proto/http/client_request.rb +472 -0
- data/lib/rex/proto/http/handler.rb +47 -0
- data/lib/rex/proto/http/handler/erb.rb +129 -0
- data/lib/rex/proto/http/handler/proc.rb +61 -0
- data/lib/rex/proto/http/header.rb +173 -0
- data/lib/rex/proto/http/packet.rb +414 -0
- data/lib/rex/proto/http/request.rb +354 -0
- data/lib/rex/proto/http/response.rb +151 -0
- data/lib/rex/proto/http/server.rb +385 -0
- data/lib/rex/proto/iax2.rb +2 -0
- data/lib/rex/proto/iax2/call.rb +326 -0
- data/lib/rex/proto/iax2/client.rb +218 -0
- data/lib/rex/proto/iax2/codecs.rb +5 -0
- data/lib/rex/proto/iax2/codecs/alaw.rb +16 -0
- data/lib/rex/proto/iax2/codecs/g711.rb +2176 -0
- data/lib/rex/proto/iax2/codecs/mulaw.rb +17 -0
- data/lib/rex/proto/iax2/constants.rb +262 -0
- data/lib/rex/proto/ipmi.rb +57 -0
- data/lib/rex/proto/ipmi/channel_auth_reply.rb +89 -0
- data/lib/rex/proto/ipmi/open_session_reply.rb +36 -0
- data/lib/rex/proto/ipmi/rakp2.rb +36 -0
- data/lib/rex/proto/ipmi/utils.rb +125 -0
- data/lib/rex/proto/natpmp.rb +7 -0
- data/lib/rex/proto/natpmp/constants.rb +19 -0
- data/lib/rex/proto/natpmp/packet.rb +45 -0
- data/lib/rex/proto/ntlm.rb +8 -0
- data/lib/rex/proto/ntlm/base.rb +327 -0
- data/lib/rex/proto/ntlm/constants.rb +75 -0
- data/lib/rex/proto/ntlm/crypt.rb +412 -0
- data/lib/rex/proto/ntlm/exceptions.rb +17 -0
- data/lib/rex/proto/ntlm/message.rb +534 -0
- data/lib/rex/proto/ntlm/utils.rb +765 -0
- data/lib/rex/proto/ntp.rb +3 -0
- data/lib/rex/proto/ntp/constants.rb +12 -0
- data/lib/rex/proto/ntp/modes.rb +130 -0
- data/lib/rex/proto/pjl.rb +31 -0
- data/lib/rex/proto/pjl/client.rb +163 -0
- data/lib/rex/proto/proxy/socks4a.rb +441 -0
- data/lib/rex/proto/rfb.rb +13 -0
- data/lib/rex/proto/rfb/cipher.rb +82 -0
- data/lib/rex/proto/rfb/client.rb +205 -0
- data/lib/rex/proto/rfb/constants.rb +50 -0
- data/lib/rex/proto/sip.rb +4 -0
- data/lib/rex/proto/sip/response.rb +61 -0
- data/lib/rex/proto/smb.rb +8 -0
- data/lib/rex/proto/smb/client.rb +2064 -0
- data/lib/rex/proto/smb/constants.rb +1064 -0
- data/lib/rex/proto/smb/crypt.rb +37 -0
- data/lib/rex/proto/smb/evasions.rb +67 -0
- data/lib/rex/proto/smb/exceptions.rb +867 -0
- data/lib/rex/proto/smb/simpleclient.rb +173 -0
- data/lib/rex/proto/smb/simpleclient/open_file.rb +106 -0
- data/lib/rex/proto/smb/simpleclient/open_pipe.rb +57 -0
- data/lib/rex/proto/smb/utils.rb +104 -0
- data/lib/rex/proto/sunrpc.rb +2 -0
- data/lib/rex/proto/sunrpc/client.rb +196 -0
- data/lib/rex/proto/tftp.rb +13 -0
- data/lib/rex/proto/tftp/client.rb +344 -0
- data/lib/rex/proto/tftp/constants.rb +39 -0
- data/lib/rex/proto/tftp/server.rb +497 -0
- data/lib/rex/random_identifier_generator.rb +177 -0
- data/lib/rex/registry.rb +14 -0
- data/lib/rex/registry/hive.rb +132 -0
- data/lib/rex/registry/lfkey.rb +51 -0
- data/lib/rex/registry/nodekey.rb +54 -0
- data/lib/rex/registry/regf.rb +25 -0
- data/lib/rex/registry/valuekey.rb +67 -0
- data/lib/rex/registry/valuelist.rb +29 -0
- data/lib/rex/ropbuilder.rb +8 -0
- data/lib/rex/ropbuilder/rop.rb +271 -0
- data/lib/rex/script.rb +42 -0
- data/lib/rex/script/base.rb +61 -0
- data/lib/rex/script/meterpreter.rb +16 -0
- data/lib/rex/script/shell.rb +10 -0
- data/lib/rex/service.rb +49 -0
- data/lib/rex/service_manager.rb +154 -0
- data/lib/rex/services/local_relay.rb +424 -0
- data/lib/rex/socket.rb +788 -0
- data/lib/rex/socket/comm.rb +120 -0
- data/lib/rex/socket/comm/local.rb +526 -0
- data/lib/rex/socket/ip.rb +132 -0
- data/lib/rex/socket/parameters.rb +363 -0
- data/lib/rex/socket/range_walker.rb +470 -0
- data/lib/rex/socket/ssl_tcp.rb +345 -0
- data/lib/rex/socket/ssl_tcp_server.rb +188 -0
- data/lib/rex/socket/subnet_walker.rb +76 -0
- data/lib/rex/socket/switch_board.rb +289 -0
- data/lib/rex/socket/tcp.rb +79 -0
- data/lib/rex/socket/tcp_server.rb +67 -0
- data/lib/rex/socket/udp.rb +165 -0
- data/lib/rex/sslscan/result.rb +201 -0
- data/lib/rex/sslscan/scanner.rb +206 -0
- data/lib/rex/struct2.rb +5 -0
- data/lib/rex/struct2/c_struct.rb +181 -0
- data/lib/rex/struct2/c_struct_template.rb +39 -0
- data/lib/rex/struct2/constant.rb +26 -0
- data/lib/rex/struct2/element.rb +44 -0
- data/lib/rex/struct2/generic.rb +73 -0
- data/lib/rex/struct2/restraint.rb +54 -0
- data/lib/rex/struct2/s_string.rb +72 -0
- data/lib/rex/struct2/s_struct.rb +111 -0
- data/lib/rex/sync.rb +6 -0
- data/lib/rex/sync/event.rb +85 -0
- data/lib/rex/sync/read_write_lock.rb +177 -0
- data/lib/rex/sync/ref.rb +58 -0
- data/lib/rex/sync/thread_safe.rb +83 -0
- data/lib/rex/text.rb +1813 -0
- data/lib/rex/thread_factory.rb +43 -0
- data/lib/rex/time.rb +66 -0
- data/lib/rex/transformer.rb +116 -0
- data/lib/rex/ui.rb +22 -0
- data/lib/rex/ui/interactive.rb +304 -0
- data/lib/rex/ui/output.rb +85 -0
- data/lib/rex/ui/output/none.rb +19 -0
- data/lib/rex/ui/progress_tracker.rb +97 -0
- data/lib/rex/ui/subscriber.rb +160 -0
- data/lib/rex/ui/text/color.rb +98 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +538 -0
- data/lib/rex/ui/text/input.rb +119 -0
- data/lib/rex/ui/text/input/buffer.rb +79 -0
- data/lib/rex/ui/text/input/readline.rb +129 -0
- data/lib/rex/ui/text/input/socket.rb +96 -0
- data/lib/rex/ui/text/input/stdio.rb +46 -0
- data/lib/rex/ui/text/irb_shell.rb +62 -0
- data/lib/rex/ui/text/output.rb +86 -0
- data/lib/rex/ui/text/output/buffer.rb +62 -0
- data/lib/rex/ui/text/output/buffer/stdout.rb +26 -0
- data/lib/rex/ui/text/output/file.rb +44 -0
- data/lib/rex/ui/text/output/socket.rb +44 -0
- data/lib/rex/ui/text/output/stdio.rb +53 -0
- data/lib/rex/ui/text/output/tee.rb +56 -0
- data/lib/rex/ui/text/progress_tracker.rb +57 -0
- data/lib/rex/ui/text/shell.rb +403 -0
- data/lib/rex/ui/text/table.rb +346 -0
- data/lib/rex/zip.rb +96 -0
- data/lib/rex/zip/archive.rb +130 -0
- data/lib/rex/zip/blocks.rb +184 -0
- data/lib/rex/zip/entry.rb +122 -0
- data/lib/rex/zip/jar.rb +283 -0
- data/lib/rex/zip/samples/comment.rb +32 -0
- data/lib/rex/zip/samples/mkwar.rb +138 -0
- data/lib/rex/zip/samples/mkzip.rb +19 -0
- data/lib/rex/zip/samples/recursive.rb +58 -0
- metadata +536 -0
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
module Rex
|
|
3
|
+
module Proto
|
|
4
|
+
module DCERPC
|
|
5
|
+
class Handle
|
|
6
|
+
|
|
7
|
+
require 'rex/proto/dcerpc/uuid'
|
|
8
|
+
|
|
9
|
+
@@protocols = ['ncacn_ip_tcp', 'ncacn_ip_udp', 'ncacn_np', 'ncacn_http']
|
|
10
|
+
attr_accessor :uuid, :protocol, :address, :options
|
|
11
|
+
|
|
12
|
+
# instantiate a handle object, akin to Microsoft's string binding handle by values
|
|
13
|
+
def initialize(uuid, protocol, address, options)
|
|
14
|
+
raise ArgumentError if !Rex::Proto
|
|
15
|
+
raise ArgumentError if !Rex::Proto::DCERPC::UUID.is?(uuid[0])
|
|
16
|
+
raise ArgumentError if !@@protocols.include?(protocol)
|
|
17
|
+
self.uuid = uuid
|
|
18
|
+
self.protocol = protocol
|
|
19
|
+
self.address = address
|
|
20
|
+
self.options = options
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
# instantiate a handle object, by parsing a string binding handle
|
|
24
|
+
def self.parse (handle)
|
|
25
|
+
uuid_re = '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}'
|
|
26
|
+
rev_re = '\d+.\d+'
|
|
27
|
+
proto_re = '(?:' + @@protocols.join('|') + ')'
|
|
28
|
+
re = Regexp.new("(#{uuid_re}):(#{rev_re})\@(#{proto_re}):(.*?)\\[(.*)\\]$", true, 'n')
|
|
29
|
+
match = re.match(handle)
|
|
30
|
+
raise ArgumentError if !match
|
|
31
|
+
|
|
32
|
+
uuid = [match[1], match[2]]
|
|
33
|
+
protocol = match[3]
|
|
34
|
+
address = match[4]
|
|
35
|
+
options = match[5].split(',')
|
|
36
|
+
i = Rex::Proto::DCERPC::Handle.new(uuid, protocol, address, options)
|
|
37
|
+
return i
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
# stringify a handle
|
|
41
|
+
def to_s
|
|
42
|
+
self.uuid.join(':') + '@' + self.protocol + ':' + self.address + '[' + self.options.join(', ') + ']'
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
require "rex/text"
|
|
3
|
+
|
|
4
|
+
module Rex
|
|
5
|
+
module Proto
|
|
6
|
+
module DCERPC
|
|
7
|
+
class NDR
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
# Provide padding to align the string to the 32bit boundary
|
|
11
|
+
def self.align(string)
|
|
12
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
13
|
+
return "\x00" * ((4 - (string.length & 3)) & 3)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
# Encode a 4 byte long
|
|
17
|
+
# use to encode:
|
|
18
|
+
# long element_1;
|
|
19
|
+
def self.long(string)
|
|
20
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
21
|
+
return [string].pack('V')
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Encode a 2 byte short
|
|
25
|
+
# use to encode:
|
|
26
|
+
# short element_1;
|
|
27
|
+
def self.short(string)
|
|
28
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
29
|
+
return [string].pack('v')
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
# Encode a single byte
|
|
33
|
+
# use to encode:
|
|
34
|
+
# byte element_1;
|
|
35
|
+
def self.byte(string)
|
|
36
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
37
|
+
return [string].pack('C')
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
# Encode a byte array
|
|
41
|
+
# use to encode:
|
|
42
|
+
# char element_1
|
|
43
|
+
def self.UniConformantArray(string)
|
|
44
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
45
|
+
return long(string.length) + string + align(string)
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
# Encode a string
|
|
49
|
+
# use to encode:
|
|
50
|
+
# w_char *element_1;
|
|
51
|
+
def self.UnicodeConformantVaryingString(string)
|
|
52
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
53
|
+
string += "\x00" # null pad
|
|
54
|
+
return long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
# Encode a string that is already unicode encoded
|
|
58
|
+
# use to encode:
|
|
59
|
+
# w_char *element_1;
|
|
60
|
+
def self.UnicodeConformantVaryingStringPreBuilt(string)
|
|
61
|
+
warn 'should be using Rex::Encoder::NDR'
|
|
62
|
+
# if the string len is odd, thats bad!
|
|
63
|
+
if string.length % 2 > 0
|
|
64
|
+
string += "\x00"
|
|
65
|
+
end
|
|
66
|
+
len = string.length / 2;
|
|
67
|
+
return long(len) + long(0) + long(len) + string + align(string)
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
@@ -0,0 +1,264 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
module Rex
|
|
3
|
+
module Proto
|
|
4
|
+
module DCERPC
|
|
5
|
+
class Packet
|
|
6
|
+
|
|
7
|
+
require 'rex/proto/dcerpc/uuid'
|
|
8
|
+
require 'rex/proto/dcerpc/response'
|
|
9
|
+
require 'rex/text'
|
|
10
|
+
|
|
11
|
+
UUID = Rex::Proto::DCERPC::UUID
|
|
12
|
+
|
|
13
|
+
# Create a standard DCERPC BIND request packet
|
|
14
|
+
def self.make_bind(uuid, vers, xfer_syntax_uuid=UUID.xfer_syntax_uuid, xfer_syntax_vers=UUID.xfer_syntax_vers)
|
|
15
|
+
|
|
16
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
17
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
18
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(xfer_syntax_vers)
|
|
19
|
+
|
|
20
|
+
if UUID.is? xfer_syntax_uuid
|
|
21
|
+
xfer_syntax_uuid = UUID.uuid_pack(xfer_syntax_uuid)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Create the bind request packet
|
|
25
|
+
buff =
|
|
26
|
+
[
|
|
27
|
+
5, # major version 5
|
|
28
|
+
0, # minor version 0
|
|
29
|
+
11, # bind type
|
|
30
|
+
3, # flags
|
|
31
|
+
0x10000000, # data representation
|
|
32
|
+
72, # frag length
|
|
33
|
+
0, # auth length
|
|
34
|
+
0, # call id
|
|
35
|
+
5840, # max xmit frag
|
|
36
|
+
5840, # max recv frag
|
|
37
|
+
0, # assoc group
|
|
38
|
+
1, # num ctx items
|
|
39
|
+
0, # context id
|
|
40
|
+
1, # num trans items
|
|
41
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
42
|
+
bind_vers_maj, # interface major version
|
|
43
|
+
bind_vers_min, # interface minor version
|
|
44
|
+
xfer_syntax_uuid, # transfer syntax
|
|
45
|
+
xfer_vers_maj, # syntax major version
|
|
46
|
+
xfer_vers_min, # syntax minor version
|
|
47
|
+
].pack('CCCCNvvVvvVVvvA16vvA16vv')
|
|
48
|
+
|
|
49
|
+
return buff, 0
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
# Create an obfuscated DCERPC BIND request packet
|
|
53
|
+
def self.make_bind_fake_multi(uuid, vers, bind_head=0, bind_tail=0)
|
|
54
|
+
|
|
55
|
+
bind_head = bind_head.to_i
|
|
56
|
+
bind_tail = bind_tail.to_i
|
|
57
|
+
bind_head = rand(6)+10 if bind_head == 0
|
|
58
|
+
bind_tail = rand(4)+1 if bind_head == 0
|
|
59
|
+
|
|
60
|
+
u = Rex::Proto::DCERPC::UUID
|
|
61
|
+
|
|
62
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
63
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
64
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers)
|
|
65
|
+
|
|
66
|
+
bind_total = bind_head + bind_tail + 1
|
|
67
|
+
bind_size = (bind_total * 44) + 28
|
|
68
|
+
real_ctx, ctx = 0, 0
|
|
69
|
+
|
|
70
|
+
# Create the header of the bind request
|
|
71
|
+
data =
|
|
72
|
+
[
|
|
73
|
+
5, # major version 5
|
|
74
|
+
0, # minor version 0
|
|
75
|
+
11, # bind type
|
|
76
|
+
3, # flags
|
|
77
|
+
0x10000000, # data representation
|
|
78
|
+
bind_size, # frag length
|
|
79
|
+
0, # auth length
|
|
80
|
+
0, # call id
|
|
81
|
+
5840, # max xmit frag
|
|
82
|
+
5840, # max recv frag
|
|
83
|
+
0, # assoc group
|
|
84
|
+
bind_total, # num ctx items
|
|
85
|
+
].pack('CCCCNvvVvvVV')
|
|
86
|
+
|
|
87
|
+
# Generate the fake UUIDs prior to the real one
|
|
88
|
+
1.upto(bind_head) do ||
|
|
89
|
+
# Generate some random UUID and versions
|
|
90
|
+
rand_uuid = Rex::Text.rand_text(16)
|
|
91
|
+
rand_imaj = rand(6)
|
|
92
|
+
rand_imin = rand(4)
|
|
93
|
+
|
|
94
|
+
data +=
|
|
95
|
+
[
|
|
96
|
+
ctx, # context id
|
|
97
|
+
1, # num trans items
|
|
98
|
+
rand_uuid, # interface uuid
|
|
99
|
+
rand_imaj, # interface major version
|
|
100
|
+
rand_imin, # interface minor version
|
|
101
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
102
|
+
xfer_vers_maj, # syntax major version
|
|
103
|
+
xfer_vers_min, # syntax minor version
|
|
104
|
+
].pack('vvA16vvA16vv')
|
|
105
|
+
ctx += 1
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
# Stuff the real UUID onto the end of the buffer
|
|
109
|
+
real_ctx = ctx;
|
|
110
|
+
data +=
|
|
111
|
+
[
|
|
112
|
+
ctx, # context id
|
|
113
|
+
1, # num trans items
|
|
114
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
115
|
+
bind_vers_maj, # interface major version
|
|
116
|
+
bind_vers_min, # interface minor version
|
|
117
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
118
|
+
xfer_vers_maj, # syntax major version
|
|
119
|
+
xfer_vers_min, # syntax minor version
|
|
120
|
+
].pack('vvA16vvA16vv')
|
|
121
|
+
ctx += 1
|
|
122
|
+
|
|
123
|
+
|
|
124
|
+
# Generate the fake UUIDs after the real one
|
|
125
|
+
1.upto(bind_tail) do ||
|
|
126
|
+
# Generate some random UUID and versions
|
|
127
|
+
rand_uuid = Rex::Text.rand_text(16)
|
|
128
|
+
rand_imaj = rand(6)
|
|
129
|
+
rand_imin = rand(4)
|
|
130
|
+
|
|
131
|
+
data +=
|
|
132
|
+
[
|
|
133
|
+
ctx, # context id
|
|
134
|
+
1, # num trans items
|
|
135
|
+
rand_uuid, # interface uuid
|
|
136
|
+
rand_imaj, # interface major version
|
|
137
|
+
rand_imin, # interface minor version
|
|
138
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
139
|
+
xfer_vers_maj, # syntax major version
|
|
140
|
+
xfer_vers_min, # syntax minor version
|
|
141
|
+
].pack('vvA16vvA16vv')
|
|
142
|
+
ctx += 1
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
# Return both the bind packet and the real context_id
|
|
146
|
+
return data, real_ctx
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
# Create a standard DCERPC ALTER_CONTEXT request packet
|
|
150
|
+
def self.make_alter_context(uuid, vers)
|
|
151
|
+
u = Rex::Proto::DCERPC::UUID
|
|
152
|
+
|
|
153
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
154
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
155
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers)
|
|
156
|
+
|
|
157
|
+
buff =
|
|
158
|
+
[
|
|
159
|
+
5, # major version 5
|
|
160
|
+
0, # minor version 0
|
|
161
|
+
14, # alter context
|
|
162
|
+
3, # flags
|
|
163
|
+
0x10000000, # data representation
|
|
164
|
+
72, # frag length
|
|
165
|
+
0, # auth length
|
|
166
|
+
0, # call id
|
|
167
|
+
5840, # max xmit frag
|
|
168
|
+
5840, # max recv frag
|
|
169
|
+
0, # assoc group
|
|
170
|
+
1, # num ctx items
|
|
171
|
+
0, # context id
|
|
172
|
+
1, # num trans items
|
|
173
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
174
|
+
bind_vers_maj, # interface major version
|
|
175
|
+
bind_vers_min, # interface minor version
|
|
176
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
177
|
+
xfer_vers_maj, # syntax major version
|
|
178
|
+
xfer_vers_min, # syntax minor version
|
|
179
|
+
].pack('CCCCNvvVvvVVvvA16vvA16vv')
|
|
180
|
+
end
|
|
181
|
+
|
|
182
|
+
|
|
183
|
+
# Used to create a piece of a DCERPC REQUEST packet
|
|
184
|
+
def self.make_request_chunk(flags=3, opnum=0, data="", ctx=0, object_id = '')
|
|
185
|
+
|
|
186
|
+
flags = flags.to_i
|
|
187
|
+
opnum = opnum.to_i
|
|
188
|
+
ctx = ctx.to_i
|
|
189
|
+
|
|
190
|
+
dlen = data.length
|
|
191
|
+
flen = dlen + 24
|
|
192
|
+
|
|
193
|
+
use_object = 0
|
|
194
|
+
|
|
195
|
+
object_str = ''
|
|
196
|
+
|
|
197
|
+
if object_id.size > 0
|
|
198
|
+
flags |= 0x80
|
|
199
|
+
flen = flen + 16
|
|
200
|
+
object_str = UUID.uuid_pack(object_id)
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
buff =
|
|
204
|
+
[
|
|
205
|
+
5, # major version 5
|
|
206
|
+
0, # minor version 0
|
|
207
|
+
0, # request type
|
|
208
|
+
flags, # flags
|
|
209
|
+
0x10000000, # data representation
|
|
210
|
+
flen, # frag length
|
|
211
|
+
0, # auth length
|
|
212
|
+
0, # call id
|
|
213
|
+
dlen, # alloc hint
|
|
214
|
+
ctx, # context id
|
|
215
|
+
opnum, # operation number
|
|
216
|
+
].pack('CCCCNvvVVvv') + object_str + data
|
|
217
|
+
end
|
|
218
|
+
|
|
219
|
+
# Used to create standard DCERPC REQUEST packet(s)
|
|
220
|
+
def self.make_request(opnum=0, data="", size=data.length, ctx=0, object_id = '')
|
|
221
|
+
|
|
222
|
+
opnum = opnum.to_i
|
|
223
|
+
size = [4000, size.to_i].min
|
|
224
|
+
ctx = ctx.to_i
|
|
225
|
+
|
|
226
|
+
chunks, frags = [], []
|
|
227
|
+
ptr = 0
|
|
228
|
+
|
|
229
|
+
# Break the request into fragments of 'size' bytes
|
|
230
|
+
while ptr < data.length
|
|
231
|
+
chunks.push( data[ ptr, size ] )
|
|
232
|
+
ptr += size
|
|
233
|
+
end
|
|
234
|
+
|
|
235
|
+
# Process requests with no stub data
|
|
236
|
+
if chunks.length == 0
|
|
237
|
+
frags.push( make_request_chunk(3, opnum, '', ctx, object_id) )
|
|
238
|
+
return frags
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
# Process requests with only one fragment
|
|
242
|
+
if chunks.length == 1
|
|
243
|
+
frags.push( make_request_chunk(3, opnum, chunks[0], ctx, object_id) )
|
|
244
|
+
return frags
|
|
245
|
+
end
|
|
246
|
+
|
|
247
|
+
# Create the first fragment of the request
|
|
248
|
+
frags.push( make_request_chunk(1, opnum, chunks.shift, ctx, object_id) )
|
|
249
|
+
|
|
250
|
+
# Create all of the middle fragments
|
|
251
|
+
while chunks.length != 1
|
|
252
|
+
frags.push( make_request_chunk(0, opnum, chunks.shift, ctx, object_id) )
|
|
253
|
+
end
|
|
254
|
+
|
|
255
|
+
# Create the last fragment of the request
|
|
256
|
+
frags.push( make_request_chunk(2, opnum, chunks.shift, ctx, object_id) )
|
|
257
|
+
|
|
258
|
+
return frags
|
|
259
|
+
end
|
|
260
|
+
|
|
261
|
+
end
|
|
262
|
+
end
|
|
263
|
+
end
|
|
264
|
+
end
|
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
require 'rex/proto/dcerpc/uuid'
|
|
3
|
+
require 'rex/proto/dcerpc/exceptions'
|
|
4
|
+
|
|
5
|
+
module Rex
|
|
6
|
+
module Proto
|
|
7
|
+
module DCERPC
|
|
8
|
+
class Response
|
|
9
|
+
|
|
10
|
+
attr_accessor :frag_len, :auth_len, :type, :vers_major, :vers_minor
|
|
11
|
+
attr_accessor :flags, :data_rep, :call_id, :max_frag_xmit, :max_frag_recv
|
|
12
|
+
attr_accessor :assoc_group, :sec_addr_len, :sec_addr, :num_results
|
|
13
|
+
attr_accessor :nack_reason, :xfer_syntax_uuid, :xfer_syntax_vers
|
|
14
|
+
attr_accessor :ack_reason, :ack_result, :ack_xfer_syntax_uuid, :ack_xfer_syntax_vers
|
|
15
|
+
attr_accessor :alloc_hint, :context_id, :cancel_cnt, :status, :stub_data
|
|
16
|
+
attr_accessor :raw
|
|
17
|
+
|
|
18
|
+
# Create a new DCERPC::Response object
|
|
19
|
+
# This can be initialized in two ways:
|
|
20
|
+
# 1) Call .new() with the first 10 bytes of packet, then call parse on the rest
|
|
21
|
+
# 2) Call .new() with the full packet contents
|
|
22
|
+
def initialize(data)
|
|
23
|
+
|
|
24
|
+
self.ack_result = []
|
|
25
|
+
self.ack_reason = []
|
|
26
|
+
self.ack_xfer_syntax_uuid = []
|
|
27
|
+
self.ack_xfer_syntax_vers = []
|
|
28
|
+
|
|
29
|
+
if (! data or data.length < 10)
|
|
30
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
if (data.length == 10)
|
|
34
|
+
self.frag_len = data[8,2].unpack('v')[0]
|
|
35
|
+
self.raw = data
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
if (data.length > 10)
|
|
39
|
+
self.raw = data
|
|
40
|
+
self.parse
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# Parse the contents of a DCERPC response packet and fill out all the fields
|
|
45
|
+
def parse(body = '')
|
|
46
|
+
self.raw = self.raw + body
|
|
47
|
+
self.type = self.raw[2,1].unpack('C')[0]
|
|
48
|
+
|
|
49
|
+
uuid = Rex::Proto::DCERPC::UUID
|
|
50
|
+
data = self.raw
|
|
51
|
+
|
|
52
|
+
|
|
53
|
+
if(not data)
|
|
54
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
# BIND_ACK == 12, ALTER_CONTEXT_RESP == 15
|
|
58
|
+
if (self.type == 12 or self.type == 15)
|
|
59
|
+
|
|
60
|
+
# Decode most of the DCERPC header
|
|
61
|
+
self.vers_major,
|
|
62
|
+
self.vers_minor,
|
|
63
|
+
trash,
|
|
64
|
+
self.flags,
|
|
65
|
+
self.data_rep,
|
|
66
|
+
self.frag_len,
|
|
67
|
+
self.auth_len,
|
|
68
|
+
self.call_id,
|
|
69
|
+
self.max_frag_xmit,
|
|
70
|
+
self.max_frag_recv,
|
|
71
|
+
self.assoc_group,
|
|
72
|
+
self.sec_addr_len = data.unpack('CCCCNvvVvvVv')
|
|
73
|
+
|
|
74
|
+
|
|
75
|
+
if(not self.frag_len or data.length < self.frag_len)
|
|
76
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
# Keep an offset into the packet handy
|
|
80
|
+
x = 0
|
|
81
|
+
|
|
82
|
+
# XXX This is still somewhat broken (4 digit ports)
|
|
83
|
+
self.sec_addr = data[26, self.sec_addr_len]
|
|
84
|
+
|
|
85
|
+
# Move the pointer into the packet forward
|
|
86
|
+
x += 26 + self.sec_addr_len
|
|
87
|
+
|
|
88
|
+
# Align the pointer on a dword boundary
|
|
89
|
+
while (x % 4 != 0)
|
|
90
|
+
x += 1
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# Figure out how many results we have (multiple-context binds)
|
|
94
|
+
self.num_results = data[ x, 4 ].unpack('V')[0]
|
|
95
|
+
|
|
96
|
+
# Move the pointer to the ack_result[0] offset
|
|
97
|
+
x += 4
|
|
98
|
+
|
|
99
|
+
# Initialize the ack_result index
|
|
100
|
+
ack = 0
|
|
101
|
+
|
|
102
|
+
# Scan through all results and add them to the result arrays
|
|
103
|
+
while ack < self.num_results
|
|
104
|
+
self.ack_result[ack] = data[ x + 0, 2 ].unpack('v')[0]
|
|
105
|
+
self.ack_reason[ack] = data[ x + 2, 2 ].unpack('v')[0]
|
|
106
|
+
self.ack_xfer_syntax_uuid[ack] = uuid.uuid_unpack(data[ x + 4, 16 ])
|
|
107
|
+
self.ack_xfer_syntax_vers[ack] = data[ x + 20, 4 ].unpack('V')[0]
|
|
108
|
+
x += 24
|
|
109
|
+
ack += 1
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
# End of BIND_ACK || ALTER_CONTEXT_RESP
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
# BIND_NACK == 13
|
|
116
|
+
if (self.type == 13)
|
|
117
|
+
|
|
118
|
+
# Decode most of the DCERPC header
|
|
119
|
+
self.vers_major,
|
|
120
|
+
self.vers_minor,
|
|
121
|
+
trash,
|
|
122
|
+
self.flags,
|
|
123
|
+
self.data_rep,
|
|
124
|
+
self.frag_len,
|
|
125
|
+
self.auth_len,
|
|
126
|
+
self.call_id,
|
|
127
|
+
self.nack_reason = data.unpack('CCCCNvvVv')
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
# RESPONSE == 2
|
|
131
|
+
if (self.type == 2)
|
|
132
|
+
|
|
133
|
+
# Decode the DCERPC response header
|
|
134
|
+
self.vers_major,
|
|
135
|
+
self.vers_minor,
|
|
136
|
+
trash,
|
|
137
|
+
self.flags,
|
|
138
|
+
self.data_rep,
|
|
139
|
+
self.frag_len,
|
|
140
|
+
self.auth_len,
|
|
141
|
+
self.call_id,
|
|
142
|
+
self.alloc_hint,
|
|
143
|
+
self.context_id,
|
|
144
|
+
self.cancel_cnt = data.unpack('CCCCNvvVVvC')
|
|
145
|
+
|
|
146
|
+
# Error out if the whole header was not read
|
|
147
|
+
if !(self.alloc_hint and self.context_id and self.cancel_cnt)
|
|
148
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
149
|
+
end
|
|
150
|
+
|
|
151
|
+
# Put the application data into self.stub_data
|
|
152
|
+
self.stub_data = data[data.length - self.alloc_hint, 0xffff]
|
|
153
|
+
# End of RESPONSE
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
# FAULT == 3
|
|
157
|
+
if (self.type == 3)
|
|
158
|
+
|
|
159
|
+
# Decode the DCERPC response header
|
|
160
|
+
self.vers_major,
|
|
161
|
+
self.vers_minor,
|
|
162
|
+
trash,
|
|
163
|
+
self.flags,
|
|
164
|
+
self.data_rep,
|
|
165
|
+
self.frag_len,
|
|
166
|
+
self.auth_len,
|
|
167
|
+
self.call_id,
|
|
168
|
+
self.alloc_hint,
|
|
169
|
+
self.context_id,
|
|
170
|
+
self.cancel_cnt,
|
|
171
|
+
trash,
|
|
172
|
+
self.status = data.unpack('CCCCNvvVVvCCV')
|
|
173
|
+
|
|
174
|
+
# Put the application data into self.stub_data
|
|
175
|
+
self.stub_data = data[data.length - self.alloc_hint, 0xffff]
|
|
176
|
+
# End of FAULT
|
|
177
|
+
end
|
|
178
|
+
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
protected
|
|
182
|
+
# attr_accessor :raw
|
|
183
|
+
|
|
184
|
+
end
|
|
185
|
+
end
|
|
186
|
+
end
|
|
187
|
+
end
|
|
188
|
+
|