dstruct 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/README.markdown +23 -0
- data/examples/smb_example.rb +35 -0
- data/lib/rex.rb +108 -0
- data/lib/rex/LICENSE +29 -0
- data/lib/rex/arch.rb +104 -0
- data/lib/rex/arch/sparc.rb +75 -0
- data/lib/rex/arch/x86.rb +524 -0
- data/lib/rex/assembly/nasm.rb +104 -0
- data/lib/rex/codepage.map +104 -0
- data/lib/rex/compat.rb +389 -0
- data/lib/rex/constants.rb +124 -0
- data/lib/rex/elfparsey.rb +9 -0
- data/lib/rex/elfparsey/elf.rb +121 -0
- data/lib/rex/elfparsey/elfbase.rb +256 -0
- data/lib/rex/elfparsey/exceptions.rb +25 -0
- data/lib/rex/elfscan.rb +10 -0
- data/lib/rex/elfscan/scanner.rb +226 -0
- data/lib/rex/elfscan/search.rb +44 -0
- data/lib/rex/encoder/alpha2.rb +31 -0
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +68 -0
- data/lib/rex/encoder/alpha2/alpha_upper.rb +79 -0
- data/lib/rex/encoder/alpha2/generic.rb +90 -0
- data/lib/rex/encoder/alpha2/unicode_mixed.rb +116 -0
- data/lib/rex/encoder/alpha2/unicode_upper.rb +123 -0
- data/lib/rex/encoder/bloxor/bloxor.rb +327 -0
- data/lib/rex/encoder/ndr.rb +90 -0
- data/lib/rex/encoder/nonalpha.rb +61 -0
- data/lib/rex/encoder/nonupper.rb +64 -0
- data/lib/rex/encoder/xdr.rb +107 -0
- data/lib/rex/encoder/xor.rb +69 -0
- data/lib/rex/encoder/xor/dword.rb +13 -0
- data/lib/rex/encoder/xor/dword_additive.rb +13 -0
- data/lib/rex/encoders/xor_dword.rb +35 -0
- data/lib/rex/encoders/xor_dword_additive.rb +53 -0
- data/lib/rex/encoding/xor.rb +20 -0
- data/lib/rex/encoding/xor/byte.rb +15 -0
- data/lib/rex/encoding/xor/dword.rb +21 -0
- data/lib/rex/encoding/xor/dword_additive.rb +92 -0
- data/lib/rex/encoding/xor/exceptions.rb +17 -0
- data/lib/rex/encoding/xor/generic.rb +146 -0
- data/lib/rex/encoding/xor/qword.rb +15 -0
- data/lib/rex/encoding/xor/word.rb +21 -0
- data/lib/rex/exceptions.rb +275 -0
- data/lib/rex/exploitation/cmdstager.rb +10 -0
- data/lib/rex/exploitation/cmdstager/base.rb +190 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +105 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +140 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +134 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +164 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +122 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +71 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +126 -0
- data/lib/rex/exploitation/egghunter.rb +425 -0
- data/lib/rex/exploitation/encryptjs.rb +78 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +69 -0
- data/lib/rex/exploitation/js/memory.rb +81 -0
- data/lib/rex/exploitation/js/network.rb +84 -0
- data/lib/rex/exploitation/js/utils.rb +33 -0
- data/lib/rex/exploitation/jsobfu.rb +513 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/powershell.rb +62 -0
- data/lib/rex/exploitation/powershell/function.rb +63 -0
- data/lib/rex/exploitation/powershell/obfu.rb +98 -0
- data/lib/rex/exploitation/powershell/output.rb +151 -0
- data/lib/rex/exploitation/powershell/param.rb +23 -0
- data/lib/rex/exploitation/powershell/parser.rb +183 -0
- data/lib/rex/exploitation/powershell/psh_methods.rb +70 -0
- data/lib/rex/exploitation/powershell/script.rb +99 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/file.rb +160 -0
- data/lib/rex/image_source.rb +10 -0
- data/lib/rex/image_source/disk.rb +58 -0
- data/lib/rex/image_source/image_source.rb +44 -0
- data/lib/rex/image_source/memory.rb +35 -0
- data/lib/rex/io/bidirectional_pipe.rb +161 -0
- data/lib/rex/io/datagram_abstraction.rb +35 -0
- data/lib/rex/io/ring_buffer.rb +369 -0
- data/lib/rex/io/stream.rb +312 -0
- data/lib/rex/io/stream_abstraction.rb +209 -0
- data/lib/rex/io/stream_server.rb +221 -0
- data/lib/rex/job_container.rb +200 -0
- data/lib/rex/logging.rb +4 -0
- data/lib/rex/logging/log_dispatcher.rb +180 -0
- data/lib/rex/logging/log_sink.rb +43 -0
- data/lib/rex/logging/sinks/flatfile.rb +56 -0
- data/lib/rex/logging/sinks/stderr.rb +44 -0
- data/lib/rex/mac_oui.rb +16581 -0
- data/lib/rex/machparsey.rb +9 -0
- data/lib/rex/machparsey/exceptions.rb +34 -0
- data/lib/rex/machparsey/mach.rb +209 -0
- data/lib/rex/machparsey/machbase.rb +408 -0
- data/lib/rex/machscan.rb +9 -0
- data/lib/rex/machscan/scanner.rb +217 -0
- data/lib/rex/mime.rb +10 -0
- data/lib/rex/mime/encoding.rb +17 -0
- data/lib/rex/mime/header.rb +78 -0
- data/lib/rex/mime/message.rb +150 -0
- data/lib/rex/mime/part.rb +50 -0
- data/lib/rex/nop/opty2.rb +109 -0
- data/lib/rex/nop/opty2_tables.rb +301 -0
- data/lib/rex/ole.rb +202 -0
- data/lib/rex/ole/clsid.rb +44 -0
- data/lib/rex/ole/difat.rb +138 -0
- data/lib/rex/ole/directory.rb +228 -0
- data/lib/rex/ole/direntry.rb +237 -0
- data/lib/rex/ole/docs/dependencies.txt +8 -0
- data/lib/rex/ole/docs/references.txt +1 -0
- data/lib/rex/ole/fat.rb +96 -0
- data/lib/rex/ole/header.rb +201 -0
- data/lib/rex/ole/minifat.rb +74 -0
- data/lib/rex/ole/propset.rb +141 -0
- data/lib/rex/ole/samples/create_ole.rb +27 -0
- data/lib/rex/ole/samples/dir.rb +35 -0
- data/lib/rex/ole/samples/dump_stream.rb +34 -0
- data/lib/rex/ole/samples/ole_info.rb +23 -0
- data/lib/rex/ole/storage.rb +392 -0
- data/lib/rex/ole/stream.rb +50 -0
- data/lib/rex/ole/substorage.rb +46 -0
- data/lib/rex/ole/util.rb +154 -0
- data/lib/rex/parser/acunetix_nokogiri.rb +406 -0
- data/lib/rex/parser/apple_backup_manifestdb.rb +132 -0
- data/lib/rex/parser/appscan_nokogiri.rb +367 -0
- data/lib/rex/parser/arguments.rb +108 -0
- data/lib/rex/parser/burp_session_nokogiri.rb +291 -0
- data/lib/rex/parser/ci_nokogiri.rb +193 -0
- data/lib/rex/parser/foundstone_nokogiri.rb +342 -0
- data/lib/rex/parser/fusionvm_nokogiri.rb +109 -0
- data/lib/rex/parser/group_policy_preferences.rb +185 -0
- data/lib/rex/parser/ini.rb +186 -0
- data/lib/rex/parser/ip360_aspl_xml.rb +103 -0
- data/lib/rex/parser/ip360_xml.rb +98 -0
- data/lib/rex/parser/mbsa_nokogiri.rb +256 -0
- data/lib/rex/parser/nessus_xml.rb +121 -0
- data/lib/rex/parser/netsparker_xml.rb +109 -0
- data/lib/rex/parser/nexpose_raw_nokogiri.rb +686 -0
- data/lib/rex/parser/nexpose_simple_nokogiri.rb +330 -0
- data/lib/rex/parser/nexpose_xml.rb +172 -0
- data/lib/rex/parser/nmap_nokogiri.rb +394 -0
- data/lib/rex/parser/nmap_xml.rb +166 -0
- data/lib/rex/parser/nokogiri_doc_mixin.rb +233 -0
- data/lib/rex/parser/openvas_nokogiri.rb +172 -0
- data/lib/rex/parser/outpost24_nokogiri.rb +240 -0
- data/lib/rex/parser/retina_xml.rb +110 -0
- data/lib/rex/parser/unattend.rb +171 -0
- data/lib/rex/parser/wapiti_nokogiri.rb +105 -0
- data/lib/rex/payloads.rb +2 -0
- data/lib/rex/payloads/win32.rb +3 -0
- data/lib/rex/payloads/win32/common.rb +27 -0
- data/lib/rex/payloads/win32/kernel.rb +54 -0
- data/lib/rex/payloads/win32/kernel/common.rb +55 -0
- data/lib/rex/payloads/win32/kernel/migration.rb +13 -0
- data/lib/rex/payloads/win32/kernel/recovery.rb +51 -0
- data/lib/rex/payloads/win32/kernel/stager.rb +195 -0
- data/lib/rex/peparsey.rb +10 -0
- data/lib/rex/peparsey/exceptions.rb +30 -0
- data/lib/rex/peparsey/pe.rb +210 -0
- data/lib/rex/peparsey/pe_memdump.rb +61 -0
- data/lib/rex/peparsey/pebase.rb +1662 -0
- data/lib/rex/peparsey/section.rb +128 -0
- data/lib/rex/pescan.rb +11 -0
- data/lib/rex/pescan/analyze.rb +366 -0
- data/lib/rex/pescan/scanner.rb +230 -0
- data/lib/rex/pescan/search.rb +68 -0
- data/lib/rex/platforms.rb +2 -0
- data/lib/rex/platforms/windows.rb +52 -0
- data/lib/rex/poly.rb +134 -0
- data/lib/rex/poly/block.rb +480 -0
- data/lib/rex/poly/machine.rb +13 -0
- data/lib/rex/poly/machine/machine.rb +830 -0
- data/lib/rex/poly/machine/x86.rb +509 -0
- data/lib/rex/poly/register.rb +101 -0
- data/lib/rex/poly/register/x86.rb +41 -0
- data/lib/rex/post.rb +7 -0
- data/lib/rex/post/dir.rb +51 -0
- data/lib/rex/post/file.rb +172 -0
- data/lib/rex/post/file_stat.rb +220 -0
- data/lib/rex/post/gen.pl +13 -0
- data/lib/rex/post/io.rb +182 -0
- data/lib/rex/post/meterpreter.rb +5 -0
- data/lib/rex/post/meterpreter/channel.rb +446 -0
- data/lib/rex/post/meterpreter/channel_container.rb +54 -0
- data/lib/rex/post/meterpreter/channels/pool.rb +160 -0
- data/lib/rex/post/meterpreter/channels/pools/file.rb +62 -0
- data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +103 -0
- data/lib/rex/post/meterpreter/channels/stream.rb +87 -0
- data/lib/rex/post/meterpreter/client.rb +483 -0
- data/lib/rex/post/meterpreter/client_core.rb +352 -0
- data/lib/rex/post/meterpreter/dependencies.rb +3 -0
- data/lib/rex/post/meterpreter/extension.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/android/android.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/android/tlv.rb +40 -0
- data/lib/rex/post/meterpreter/extensions/espia/espia.rb +58 -0
- data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +17 -0
- data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +71 -0
- data/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb +169 -0
- data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +45 -0
- data/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +77 -0
- data/lib/rex/post/meterpreter/extensions/extapi/window/window.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +75 -0
- data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +94 -0
- data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +22 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +361 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +76 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp.rb +78 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb +43 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/tftp/tftp.rb +49 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/tlv.rb +17 -0
- data/lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +57 -0
- data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/priv/fs.rb +118 -0
- data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +61 -0
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +109 -0
- data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +29 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +117 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +27 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +396 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +284 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +399 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +48 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/arp.rb +59 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +256 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +129 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb +106 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +67 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +139 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +180 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +168 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +209 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +38146 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +48 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +2102 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3852 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +100 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +168 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +3170 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_version.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wlanapi.rb +87 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +613 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +388 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +111 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +149 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb +27 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb +515 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +319 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb +23 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +301 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +106 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +676 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +96 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +151 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +192 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +60 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +408 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +129 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +55 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +336 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +141 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +328 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +193 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +102 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +188 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +180 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +236 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +259 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +201 -0
- data/lib/rex/post/meterpreter/inbound_packet_handler.rb +30 -0
- data/lib/rex/post/meterpreter/object_aliases.rb +83 -0
- data/lib/rex/post/meterpreter/packet.rb +709 -0
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +543 -0
- data/lib/rex/post/meterpreter/packet_parser.rb +94 -0
- data/lib/rex/post/meterpreter/packet_response_waiter.rb +83 -0
- data/lib/rex/post/meterpreter/ui/console.rb +142 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +86 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +383 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +939 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +109 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +65 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +198 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +444 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +199 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb +118 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb +108 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +242 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +509 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks.rb +60 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +254 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp.rb +159 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +182 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +232 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +62 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +97 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +52 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +133 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +204 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +66 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +527 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +448 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +906 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +318 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +343 -0
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +99 -0
- data/lib/rex/post/permission.rb +26 -0
- data/lib/rex/post/process.rb +57 -0
- data/lib/rex/post/thread.rb +57 -0
- data/lib/rex/post/ui.rb +52 -0
- data/lib/rex/proto.rb +15 -0
- data/lib/rex/proto/addp.rb +218 -0
- data/lib/rex/proto/dcerpc.rb +7 -0
- data/lib/rex/proto/dcerpc/client.rb +362 -0
- data/lib/rex/proto/dcerpc/exceptions.rb +151 -0
- data/lib/rex/proto/dcerpc/handle.rb +48 -0
- data/lib/rex/proto/dcerpc/ndr.rb +73 -0
- data/lib/rex/proto/dcerpc/packet.rb +264 -0
- data/lib/rex/proto/dcerpc/response.rb +188 -0
- data/lib/rex/proto/dcerpc/uuid.rb +85 -0
- data/lib/rex/proto/dcerpc/wdscp.rb +3 -0
- data/lib/rex/proto/dcerpc/wdscp/constants.rb +89 -0
- data/lib/rex/proto/dcerpc/wdscp/packet.rb +94 -0
- data/lib/rex/proto/dhcp.rb +7 -0
- data/lib/rex/proto/dhcp/constants.rb +34 -0
- data/lib/rex/proto/dhcp/server.rb +334 -0
- data/lib/rex/proto/drda.rb +6 -0
- data/lib/rex/proto/drda/constants.rb +50 -0
- data/lib/rex/proto/drda/packet.rb +253 -0
- data/lib/rex/proto/drda/utils.rb +124 -0
- data/lib/rex/proto/http.rb +7 -0
- data/lib/rex/proto/http/client.rb +722 -0
- data/lib/rex/proto/http/client_request.rb +472 -0
- data/lib/rex/proto/http/handler.rb +47 -0
- data/lib/rex/proto/http/handler/erb.rb +129 -0
- data/lib/rex/proto/http/handler/proc.rb +61 -0
- data/lib/rex/proto/http/header.rb +173 -0
- data/lib/rex/proto/http/packet.rb +414 -0
- data/lib/rex/proto/http/request.rb +354 -0
- data/lib/rex/proto/http/response.rb +151 -0
- data/lib/rex/proto/http/server.rb +385 -0
- data/lib/rex/proto/iax2.rb +2 -0
- data/lib/rex/proto/iax2/call.rb +326 -0
- data/lib/rex/proto/iax2/client.rb +218 -0
- data/lib/rex/proto/iax2/codecs.rb +5 -0
- data/lib/rex/proto/iax2/codecs/alaw.rb +16 -0
- data/lib/rex/proto/iax2/codecs/g711.rb +2176 -0
- data/lib/rex/proto/iax2/codecs/mulaw.rb +17 -0
- data/lib/rex/proto/iax2/constants.rb +262 -0
- data/lib/rex/proto/ipmi.rb +57 -0
- data/lib/rex/proto/ipmi/channel_auth_reply.rb +89 -0
- data/lib/rex/proto/ipmi/open_session_reply.rb +36 -0
- data/lib/rex/proto/ipmi/rakp2.rb +36 -0
- data/lib/rex/proto/ipmi/utils.rb +125 -0
- data/lib/rex/proto/natpmp.rb +7 -0
- data/lib/rex/proto/natpmp/constants.rb +19 -0
- data/lib/rex/proto/natpmp/packet.rb +45 -0
- data/lib/rex/proto/ntlm.rb +8 -0
- data/lib/rex/proto/ntlm/base.rb +327 -0
- data/lib/rex/proto/ntlm/constants.rb +75 -0
- data/lib/rex/proto/ntlm/crypt.rb +412 -0
- data/lib/rex/proto/ntlm/exceptions.rb +17 -0
- data/lib/rex/proto/ntlm/message.rb +534 -0
- data/lib/rex/proto/ntlm/utils.rb +765 -0
- data/lib/rex/proto/ntp.rb +3 -0
- data/lib/rex/proto/ntp/constants.rb +12 -0
- data/lib/rex/proto/ntp/modes.rb +130 -0
- data/lib/rex/proto/pjl.rb +31 -0
- data/lib/rex/proto/pjl/client.rb +163 -0
- data/lib/rex/proto/proxy/socks4a.rb +441 -0
- data/lib/rex/proto/rfb.rb +13 -0
- data/lib/rex/proto/rfb/cipher.rb +82 -0
- data/lib/rex/proto/rfb/client.rb +205 -0
- data/lib/rex/proto/rfb/constants.rb +50 -0
- data/lib/rex/proto/sip.rb +4 -0
- data/lib/rex/proto/sip/response.rb +61 -0
- data/lib/rex/proto/smb.rb +8 -0
- data/lib/rex/proto/smb/client.rb +2064 -0
- data/lib/rex/proto/smb/constants.rb +1064 -0
- data/lib/rex/proto/smb/crypt.rb +37 -0
- data/lib/rex/proto/smb/evasions.rb +67 -0
- data/lib/rex/proto/smb/exceptions.rb +867 -0
- data/lib/rex/proto/smb/simpleclient.rb +173 -0
- data/lib/rex/proto/smb/simpleclient/open_file.rb +106 -0
- data/lib/rex/proto/smb/simpleclient/open_pipe.rb +57 -0
- data/lib/rex/proto/smb/utils.rb +104 -0
- data/lib/rex/proto/sunrpc.rb +2 -0
- data/lib/rex/proto/sunrpc/client.rb +196 -0
- data/lib/rex/proto/tftp.rb +13 -0
- data/lib/rex/proto/tftp/client.rb +344 -0
- data/lib/rex/proto/tftp/constants.rb +39 -0
- data/lib/rex/proto/tftp/server.rb +497 -0
- data/lib/rex/random_identifier_generator.rb +177 -0
- data/lib/rex/registry.rb +14 -0
- data/lib/rex/registry/hive.rb +132 -0
- data/lib/rex/registry/lfkey.rb +51 -0
- data/lib/rex/registry/nodekey.rb +54 -0
- data/lib/rex/registry/regf.rb +25 -0
- data/lib/rex/registry/valuekey.rb +67 -0
- data/lib/rex/registry/valuelist.rb +29 -0
- data/lib/rex/ropbuilder.rb +8 -0
- data/lib/rex/ropbuilder/rop.rb +271 -0
- data/lib/rex/script.rb +42 -0
- data/lib/rex/script/base.rb +61 -0
- data/lib/rex/script/meterpreter.rb +16 -0
- data/lib/rex/script/shell.rb +10 -0
- data/lib/rex/service.rb +49 -0
- data/lib/rex/service_manager.rb +154 -0
- data/lib/rex/services/local_relay.rb +424 -0
- data/lib/rex/socket.rb +788 -0
- data/lib/rex/socket/comm.rb +120 -0
- data/lib/rex/socket/comm/local.rb +526 -0
- data/lib/rex/socket/ip.rb +132 -0
- data/lib/rex/socket/parameters.rb +363 -0
- data/lib/rex/socket/range_walker.rb +470 -0
- data/lib/rex/socket/ssl_tcp.rb +345 -0
- data/lib/rex/socket/ssl_tcp_server.rb +188 -0
- data/lib/rex/socket/subnet_walker.rb +76 -0
- data/lib/rex/socket/switch_board.rb +289 -0
- data/lib/rex/socket/tcp.rb +79 -0
- data/lib/rex/socket/tcp_server.rb +67 -0
- data/lib/rex/socket/udp.rb +165 -0
- data/lib/rex/sslscan/result.rb +201 -0
- data/lib/rex/sslscan/scanner.rb +206 -0
- data/lib/rex/struct2.rb +5 -0
- data/lib/rex/struct2/c_struct.rb +181 -0
- data/lib/rex/struct2/c_struct_template.rb +39 -0
- data/lib/rex/struct2/constant.rb +26 -0
- data/lib/rex/struct2/element.rb +44 -0
- data/lib/rex/struct2/generic.rb +73 -0
- data/lib/rex/struct2/restraint.rb +54 -0
- data/lib/rex/struct2/s_string.rb +72 -0
- data/lib/rex/struct2/s_struct.rb +111 -0
- data/lib/rex/sync.rb +6 -0
- data/lib/rex/sync/event.rb +85 -0
- data/lib/rex/sync/read_write_lock.rb +177 -0
- data/lib/rex/sync/ref.rb +58 -0
- data/lib/rex/sync/thread_safe.rb +83 -0
- data/lib/rex/text.rb +1813 -0
- data/lib/rex/thread_factory.rb +43 -0
- data/lib/rex/time.rb +66 -0
- data/lib/rex/transformer.rb +116 -0
- data/lib/rex/ui.rb +22 -0
- data/lib/rex/ui/interactive.rb +304 -0
- data/lib/rex/ui/output.rb +85 -0
- data/lib/rex/ui/output/none.rb +19 -0
- data/lib/rex/ui/progress_tracker.rb +97 -0
- data/lib/rex/ui/subscriber.rb +160 -0
- data/lib/rex/ui/text/color.rb +98 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +538 -0
- data/lib/rex/ui/text/input.rb +119 -0
- data/lib/rex/ui/text/input/buffer.rb +79 -0
- data/lib/rex/ui/text/input/readline.rb +129 -0
- data/lib/rex/ui/text/input/socket.rb +96 -0
- data/lib/rex/ui/text/input/stdio.rb +46 -0
- data/lib/rex/ui/text/irb_shell.rb +62 -0
- data/lib/rex/ui/text/output.rb +86 -0
- data/lib/rex/ui/text/output/buffer.rb +62 -0
- data/lib/rex/ui/text/output/buffer/stdout.rb +26 -0
- data/lib/rex/ui/text/output/file.rb +44 -0
- data/lib/rex/ui/text/output/socket.rb +44 -0
- data/lib/rex/ui/text/output/stdio.rb +53 -0
- data/lib/rex/ui/text/output/tee.rb +56 -0
- data/lib/rex/ui/text/progress_tracker.rb +57 -0
- data/lib/rex/ui/text/shell.rb +403 -0
- data/lib/rex/ui/text/table.rb +346 -0
- data/lib/rex/zip.rb +96 -0
- data/lib/rex/zip/archive.rb +130 -0
- data/lib/rex/zip/blocks.rb +184 -0
- data/lib/rex/zip/entry.rb +122 -0
- data/lib/rex/zip/jar.rb +283 -0
- data/lib/rex/zip/samples/comment.rb +32 -0
- data/lib/rex/zip/samples/mkwar.rb +138 -0
- data/lib/rex/zip/samples/mkzip.rb +19 -0
- data/lib/rex/zip/samples/recursive.rb +58 -0
- metadata +536 -0
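--- a/data/lib/rex/proto/dcerpc/handle.rb
+++ b/data/lib/rex/proto/dcerpc/handle.rb
@@ -0,0 +1,48 @@
+# -*- coding: binary -*-
+module Rex
+module Proto
+module DCERPC
+class Handle
+
+require 'rex/proto/dcerpc/uuid'
+
+@@protocols = ['ncacn_ip_tcp', 'ncacn_ip_udp', 'ncacn_np', 'ncacn_http']
+attr_accessor :uuid, :protocol, :address, :options
+
+# instantiate a handle object, akin to Microsoft's string binding handle by values
+def initialize(uuid, protocol, address, options)
+raise ArgumentError if !Rex::Proto
+raise ArgumentError if !Rex::Proto::DCERPC::UUID.is?(uuid[0])
+raise ArgumentError if !@@protocols.include?(protocol)
+self.uuid = uuid
+self.protocol = protocol
+self.address = address
+self.options = options
+end
+
+# instantiate a handle object, by parsing a string binding handle
+def self.parse (handle)
+uuid_re = '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}'
+rev_re = '\d+.\d+'
+proto_re = '(?:' + @@protocols.join('|') + ')'
+re = Regexp.new("(#{uuid_re}):(#{rev_re})\@(#{proto_re}):(.*?)\\[(.*)\\]$", true, 'n')
+match = re.match(handle)
+raise ArgumentError if !match
+
+uuid = [match[1], match[2]]
+protocol = match[3]
+address = match[4]
+options = match[5].split(',')
+i = Rex::Proto::DCERPC::Handle.new(uuid, protocol, address, options)
+return i
+end
+
+# stringify a handle
+def to_s
+self.uuid.join(':') + '@' + self.protocol + ':' + self.address + '[' + self.options.join(', ') + ']'
+end
+
+end
+end
+end
+end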
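Review bot: `rev_re = '\d+.\d+'` on line 26 of handle.rb leaves the dot unescaped, so the version group accepts any separator character (`1x0` as well as `1.0`); it should read `rev_re = '\d+\.\d+'`. The pattern built on line 28 is anchored only with a trailing `$`, which in Ruby matches at any line end, so a multi-line binding string can satisfy `parse` on an inner line; anchoring with `\A` at the front and `\z` at the end makes `parse` reject such input outright. `to_s` joins the options with `', '` while `parse` splits them on `','`, so a handle does not round-trip cleanly (every option after the first gains a leading space) and one of the two should change. The `raise ArgumentError if !Rex::Proto` check on line 14 can never fire, since the constant is the enclosing module, and can be dropped.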
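--- a/data/lib/rex/proto/dcerpc/ndr.rb
+++ b/data/lib/rex/proto/dcerpc/ndr.rb
@@ -0,0 +1,73 @@
+# -*- coding: binary -*-
+require "rex/text"
+
+module Rex
+module Proto
+module DCERPC
+class NDR
+
+
+# Provide padding to align the string to the 32bit boundary
+def self.align(string)
+warn 'should be using Rex::Encoder::NDR'
+return "\x00" * ((4 - (string.length & 3)) & 3)
+end
+
+# Encode a 4 byte long
+# use to encode:
+# long element_1;
+def self.long(string)
+warn 'should be using Rex::Encoder::NDR'
+return [string].pack('V')
+end
+
+# Encode a 2 byte short
+# use to encode:
+# short element_1;
+def self.short(string)
+warn 'should be using Rex::Encoder::NDR'
+return [string].pack('v')
+end
+
+# Encode a single byte
+# use to encode:
+# byte element_1;
+def self.byte(string)
+warn 'should be using Rex::Encoder::NDR'
+return [string].pack('C')
+end
+
+# Encode a byte array
+# use to encode:
+# char element_1
+def self.UniConformantArray(string)
+warn 'should be using Rex::Encoder::NDR'
+return long(string.length) + string + align(string)
+end
+
+# Encode a string
+# use to encode:
+# w_char *element_1;
+def self.UnicodeConformantVaryingString(string)
+warn 'should be using Rex::Encoder::NDR'
+string += "\x00" # null pad
+return long(string.length) + long(0) + long(string.length) + Rex::Text.to_unicode(string) + align(Rex::Text.to_unicode(string))
+end
+
+# Encode a string that is already unicode encoded
+# use to encode:
+# w_char *element_1;
+def self.UnicodeConformantVaryingStringPreBuilt(string)
+warn 'should be using Rex::Encoder::NDR'
+# if the string len is odd, thats bad!
+if string.length % 2 > 0
+string += "\x00"
+end
+len = string.length / 2;
+return long(len) + long(0) + long(len) + string + align(string)
+end
+
+end
+end
+end
+end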
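Review bot: `UnicodeConformantVaryingString` converts the same input twice on line 54 of ndr.rb (`Rex::Text.to_unicode(string)` for the payload and again for the alignment padding); binding it once, `uni = Rex::Text.to_unicode(string)` followed by `return long(string.length) + long(0) + long(string.length) + uni + align(uni)`, avoids the repeated conversion. The two element counts on that line come from `string.length`, a character count of the input, rather than from the number of code units `to_unicode` actually emits; presumably these agree for ASCII input, but a comment stating that assumption, or a count derived from `uni`, would make the wire contract explicit. Every method in the class also emits `warn 'should be using Rex::Encoder::NDR'` on each call, which is stderr noise at runtime; a single class-level comment such as `# Deprecated: use Rex::Encoder::NDR instead` carries the same message.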
@@ -0,0 +1,264 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
module Rex
|
|
3
|
+
module Proto
|
|
4
|
+
module DCERPC
|
|
5
|
+
class Packet
|
|
6
|
+
|
|
7
|
+
require 'rex/proto/dcerpc/uuid'
|
|
8
|
+
require 'rex/proto/dcerpc/response'
|
|
9
|
+
require 'rex/text'
|
|
10
|
+
|
|
11
|
+
UUID = Rex::Proto::DCERPC::UUID
|
|
12
|
+
|
|
13
|
+
# Create a standard DCERPC BIND request packet
|
|
14
|
+
def self.make_bind(uuid, vers, xfer_syntax_uuid=UUID.xfer_syntax_uuid, xfer_syntax_vers=UUID.xfer_syntax_vers)
|
|
15
|
+
|
|
16
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
17
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
18
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(xfer_syntax_vers)
|
|
19
|
+
|
|
20
|
+
if UUID.is? xfer_syntax_uuid
|
|
21
|
+
xfer_syntax_uuid = UUID.uuid_pack(xfer_syntax_uuid)
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Create the bind request packet
|
|
25
|
+
buff =
|
|
26
|
+
[
|
|
27
|
+
5, # major version 5
|
|
28
|
+
0, # minor version 0
|
|
29
|
+
11, # bind type
|
|
30
|
+
3, # flags
|
|
31
|
+
0x10000000, # data representation
|
|
32
|
+
72, # frag length
|
|
33
|
+
0, # auth length
|
|
34
|
+
0, # call id
|
|
35
|
+
5840, # max xmit frag
|
|
36
|
+
5840, # max recv frag
|
|
37
|
+
0, # assoc group
|
|
38
|
+
1, # num ctx items
|
|
39
|
+
0, # context id
|
|
40
|
+
1, # num trans items
|
|
41
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
42
|
+
bind_vers_maj, # interface major version
|
|
43
|
+
bind_vers_min, # interface minor version
|
|
44
|
+
xfer_syntax_uuid, # transfer syntax
|
|
45
|
+
xfer_vers_maj, # syntax major version
|
|
46
|
+
xfer_vers_min, # syntax minor version
|
|
47
|
+
].pack('CCCCNvvVvvVVvvA16vvA16vv')
|
|
48
|
+
|
|
49
|
+
return buff, 0
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
# Create an obfuscated DCERPC BIND request packet
|
|
53
|
+
def self.make_bind_fake_multi(uuid, vers, bind_head=0, bind_tail=0)
|
|
54
|
+
|
|
55
|
+
bind_head = bind_head.to_i
|
|
56
|
+
bind_tail = bind_tail.to_i
|
|
57
|
+
bind_head = rand(6)+10 if bind_head == 0
|
|
58
|
+
bind_tail = rand(4)+1 if bind_head == 0
|
|
59
|
+
|
|
60
|
+
u = Rex::Proto::DCERPC::UUID
|
|
61
|
+
|
|
62
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
63
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
64
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers)
|
|
65
|
+
|
|
66
|
+
bind_total = bind_head + bind_tail + 1
|
|
67
|
+
bind_size = (bind_total * 44) + 28
|
|
68
|
+
real_ctx, ctx = 0, 0
|
|
69
|
+
|
|
70
|
+
# Create the header of the bind request
|
|
71
|
+
data =
|
|
72
|
+
[
|
|
73
|
+
5, # major version 5
|
|
74
|
+
0, # minor version 0
|
|
75
|
+
11, # bind type
|
|
76
|
+
3, # flags
|
|
77
|
+
0x10000000, # data representation
|
|
78
|
+
bind_size, # frag length
|
|
79
|
+
0, # auth length
|
|
80
|
+
0, # call id
|
|
81
|
+
5840, # max xmit frag
|
|
82
|
+
5840, # max recv frag
|
|
83
|
+
0, # assoc group
|
|
84
|
+
bind_total, # num ctx items
|
|
85
|
+
].pack('CCCCNvvVvvVV')
|
|
86
|
+
|
|
87
|
+
# Generate the fake UUIDs prior to the real one
|
|
88
|
+
1.upto(bind_head) do ||
|
|
89
|
+
# Generate some random UUID and versions
|
|
90
|
+
rand_uuid = Rex::Text.rand_text(16)
|
|
91
|
+
rand_imaj = rand(6)
|
|
92
|
+
rand_imin = rand(4)
|
|
93
|
+
|
|
94
|
+
data +=
|
|
95
|
+
[
|
|
96
|
+
ctx, # context id
|
|
97
|
+
1, # num trans items
|
|
98
|
+
rand_uuid, # interface uuid
|
|
99
|
+
rand_imaj, # interface major version
|
|
100
|
+
rand_imin, # interface minor version
|
|
101
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
102
|
+
xfer_vers_maj, # syntax major version
|
|
103
|
+
xfer_vers_min, # syntax minor version
|
|
104
|
+
].pack('vvA16vvA16vv')
|
|
105
|
+
ctx += 1
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
# Stuff the real UUID onto the end of the buffer
|
|
109
|
+
real_ctx = ctx;
|
|
110
|
+
data +=
|
|
111
|
+
[
|
|
112
|
+
ctx, # context id
|
|
113
|
+
1, # num trans items
|
|
114
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
115
|
+
bind_vers_maj, # interface major version
|
|
116
|
+
bind_vers_min, # interface minor version
|
|
117
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
118
|
+
xfer_vers_maj, # syntax major version
|
|
119
|
+
xfer_vers_min, # syntax minor version
|
|
120
|
+
].pack('vvA16vvA16vv')
|
|
121
|
+
ctx += 1
|
|
122
|
+
|
|
123
|
+
|
|
124
|
+
# Generate the fake UUIDs after the real one
|
|
125
|
+
1.upto(bind_tail) do ||
|
|
126
|
+
# Generate some random UUID and versions
|
|
127
|
+
rand_uuid = Rex::Text.rand_text(16)
|
|
128
|
+
rand_imaj = rand(6)
|
|
129
|
+
rand_imin = rand(4)
|
|
130
|
+
|
|
131
|
+
data +=
|
|
132
|
+
[
|
|
133
|
+
ctx, # context id
|
|
134
|
+
1, # num trans items
|
|
135
|
+
rand_uuid, # interface uuid
|
|
136
|
+
rand_imaj, # interface major version
|
|
137
|
+
rand_imin, # interface minor version
|
|
138
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
139
|
+
xfer_vers_maj, # syntax major version
|
|
140
|
+
xfer_vers_min, # syntax minor version
|
|
141
|
+
].pack('vvA16vvA16vv')
|
|
142
|
+
ctx += 1
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
# Return both the bind packet and the real context_id
|
|
146
|
+
return data, real_ctx
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
# Create a standard DCERPC ALTER_CONTEXT request packet
|
|
150
|
+
def self.make_alter_context(uuid, vers)
|
|
151
|
+
u = Rex::Proto::DCERPC::UUID
|
|
152
|
+
|
|
153
|
+
# Process the version strings ("1.0", 1.0, "1", 1)
|
|
154
|
+
bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers)
|
|
155
|
+
xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers)
|
|
156
|
+
|
|
157
|
+
buff =
|
|
158
|
+
[
|
|
159
|
+
5, # major version 5
|
|
160
|
+
0, # minor version 0
|
|
161
|
+
14, # alter context
|
|
162
|
+
3, # flags
|
|
163
|
+
0x10000000, # data representation
|
|
164
|
+
72, # frag length
|
|
165
|
+
0, # auth length
|
|
166
|
+
0, # call id
|
|
167
|
+
5840, # max xmit frag
|
|
168
|
+
5840, # max recv frag
|
|
169
|
+
0, # assoc group
|
|
170
|
+
1, # num ctx items
|
|
171
|
+
0, # context id
|
|
172
|
+
1, # num trans items
|
|
173
|
+
UUID.uuid_pack(uuid), # interface uuid
|
|
174
|
+
bind_vers_maj, # interface major version
|
|
175
|
+
bind_vers_min, # interface minor version
|
|
176
|
+
UUID.xfer_syntax_uuid, # transfer syntax
|
|
177
|
+
xfer_vers_maj, # syntax major version
|
|
178
|
+
xfer_vers_min, # syntax minor version
|
|
179
|
+
].pack('CCCCNvvVvvVVvvA16vvA16vv')
|
|
180
|
+
end
|
|
181
|
+
|
|
182
|
+
|
|
183
|
+
# Used to create a piece of a DCERPC REQUEST packet
|
|
184
|
+
def self.make_request_chunk(flags=3, opnum=0, data="", ctx=0, object_id = '')
|
|
185
|
+
|
|
186
|
+
flags = flags.to_i
|
|
187
|
+
opnum = opnum.to_i
|
|
188
|
+
ctx = ctx.to_i
|
|
189
|
+
|
|
190
|
+
dlen = data.length
|
|
191
|
+
flen = dlen + 24
|
|
192
|
+
|
|
193
|
+
use_object = 0
|
|
194
|
+
|
|
195
|
+
object_str = ''
|
|
196
|
+
|
|
197
|
+
if object_id.size > 0
|
|
198
|
+
flags |= 0x80
|
|
199
|
+
flen = flen + 16
|
|
200
|
+
object_str = UUID.uuid_pack(object_id)
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
buff =
|
|
204
|
+
[
|
|
205
|
+
5, # major version 5
|
|
206
|
+
0, # minor version 0
|
|
207
|
+
0, # request type
|
|
208
|
+
flags, # flags
|
|
209
|
+
0x10000000, # data representation
|
|
210
|
+
flen, # frag length
|
|
211
|
+
0, # auth length
|
|
212
|
+
0, # call id
|
|
213
|
+
dlen, # alloc hint
|
|
214
|
+
ctx, # context id
|
|
215
|
+
opnum, # operation number
|
|
216
|
+
].pack('CCCCNvvVVvv') + object_str + data
|
|
217
|
+
end
|
|
218
|
+
|
|
219
|
+
# Used to create standard DCERPC REQUEST packet(s)
|
|
220
|
+
def self.make_request(opnum=0, data="", size=data.length, ctx=0, object_id = '')
|
|
221
|
+
|
|
222
|
+
opnum = opnum.to_i
|
|
223
|
+
size = [4000, size.to_i].min
|
|
224
|
+
ctx = ctx.to_i
|
|
225
|
+
|
|
226
|
+
chunks, frags = [], []
|
|
227
|
+
ptr = 0
|
|
228
|
+
|
|
229
|
+
# Break the request into fragments of 'size' bytes
|
|
230
|
+
while ptr < data.length
|
|
231
|
+
chunks.push( data[ ptr, size ] )
|
|
232
|
+
ptr += size
|
|
233
|
+
end
|
|
234
|
+
|
|
235
|
+
# Process requests with no stub data
|
|
236
|
+
if chunks.length == 0
|
|
237
|
+
frags.push( make_request_chunk(3, opnum, '', ctx, object_id) )
|
|
238
|
+
return frags
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
# Process requests with only one fragment
|
|
242
|
+
if chunks.length == 1
|
|
243
|
+
frags.push( make_request_chunk(3, opnum, chunks[0], ctx, object_id) )
|
|
244
|
+
return frags
|
|
245
|
+
end
|
|
246
|
+
|
|
247
|
+
# Create the first fragment of the request
|
|
248
|
+
frags.push( make_request_chunk(1, opnum, chunks.shift, ctx, object_id) )
|
|
249
|
+
|
|
250
|
+
# Create all of the middle fragments
|
|
251
|
+
while chunks.length != 1
|
|
252
|
+
frags.push( make_request_chunk(0, opnum, chunks.shift, ctx, object_id) )
|
|
253
|
+
end
|
|
254
|
+
|
|
255
|
+
# Create the last fragment of the request
|
|
256
|
+
frags.push( make_request_chunk(2, opnum, chunks.shift, ctx, object_id) )
|
|
257
|
+
|
|
258
|
+
return frags
|
|
259
|
+
end
|
|
260
|
+
|
|
261
|
+
end
|
|
262
|
+
end
|
|
263
|
+
end
|
|
264
|
+
end
|
|
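Review bot: In `make_bind_fake_multi` the default for `bind_tail` (new line 58) tests `bind_head == 0`, but `bind_head` was just replaced with a nonzero random value on line 57, so the condition is never true and `bind_tail` stays 0 whenever the caller relies on the default; the line should read `bind_tail = rand(4)+1 if bind_tail == 0`. `make_request` (line 223) clamps `size` to at most 4000 but not to at least 1, so a caller passing `size=0` with non-empty data leaves `ptr` unchanged and the `while ptr < data.length` loop at line 230 never terminates; `size = [[4000, size.to_i].min, 1].max` would close that. The local `u = Rex::Proto::DCERPC::UUID` in `make_bind_fake_multi` (line 60) and `make_alter_context` (line 151) is never used, since both methods go through the `UUID` constant, and can be dropped. `make_alter_context` also returns only the packet string while `make_bind` and `make_bind_fake_multi` return a `[packet, context_id]` pair; if that asymmetry is intended, a comment saying so would spare callers a surprise.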
@@ -0,0 +1,188 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
require 'rex/proto/dcerpc/uuid'
|
|
3
|
+
require 'rex/proto/dcerpc/exceptions'
|
|
4
|
+
|
|
5
|
+
module Rex
|
|
6
|
+
module Proto
|
|
7
|
+
module DCERPC
|
|
8
|
+
class Response
|
|
9
|
+
|
|
10
|
+
attr_accessor :frag_len, :auth_len, :type, :vers_major, :vers_minor
|
|
11
|
+
attr_accessor :flags, :data_rep, :call_id, :max_frag_xmit, :max_frag_recv
|
|
12
|
+
attr_accessor :assoc_group, :sec_addr_len, :sec_addr, :num_results
|
|
13
|
+
attr_accessor :nack_reason, :xfer_syntax_uuid, :xfer_syntax_vers
|
|
14
|
+
attr_accessor :ack_reason, :ack_result, :ack_xfer_syntax_uuid, :ack_xfer_syntax_vers
|
|
15
|
+
attr_accessor :alloc_hint, :context_id, :cancel_cnt, :status, :stub_data
|
|
16
|
+
attr_accessor :raw
|
|
17
|
+
|
|
18
|
+
# Create a new DCERPC::Response object
|
|
19
|
+
# This can be initialized in two ways:
|
|
20
|
+
# 1) Call .new() with the first 10 bytes of packet, then call parse on the rest
|
|
21
|
+
# 2) Call .new() with the full packet contents
|
|
22
|
+
def initialize(data)
|
|
23
|
+
|
|
24
|
+
self.ack_result = []
|
|
25
|
+
self.ack_reason = []
|
|
26
|
+
self.ack_xfer_syntax_uuid = []
|
|
27
|
+
self.ack_xfer_syntax_vers = []
|
|
28
|
+
|
|
29
|
+
if (! data or data.length < 10)
|
|
30
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
if (data.length == 10)
|
|
34
|
+
self.frag_len = data[8,2].unpack('v')[0]
|
|
35
|
+
self.raw = data
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
if (data.length > 10)
|
|
39
|
+
self.raw = data
|
|
40
|
+
self.parse
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
# Parse the contents of a DCERPC response packet and fill out all the fields
|
|
45
|
+
def parse(body = '')
|
|
46
|
+
self.raw = self.raw + body
|
|
47
|
+
self.type = self.raw[2,1].unpack('C')[0]
|
|
48
|
+
|
|
49
|
+
uuid = Rex::Proto::DCERPC::UUID
|
|
50
|
+
data = self.raw
|
|
51
|
+
|
|
52
|
+
|
|
53
|
+
if(not data)
|
|
54
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
# BIND_ACK == 12, ALTER_CONTEXT_RESP == 15
|
|
58
|
+
if (self.type == 12 or self.type == 15)
|
|
59
|
+
|
|
60
|
+
# Decode most of the DCERPC header
|
|
61
|
+
self.vers_major,
|
|
62
|
+
self.vers_minor,
|
|
63
|
+
trash,
|
|
64
|
+
self.flags,
|
|
65
|
+
self.data_rep,
|
|
66
|
+
self.frag_len,
|
|
67
|
+
self.auth_len,
|
|
68
|
+
self.call_id,
|
|
69
|
+
self.max_frag_xmit,
|
|
70
|
+
self.max_frag_recv,
|
|
71
|
+
self.assoc_group,
|
|
72
|
+
self.sec_addr_len = data.unpack('CCCCNvvVvvVv')
|
|
73
|
+
|
|
74
|
+
|
|
75
|
+
if(not self.frag_len or data.length < self.frag_len)
|
|
76
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
# Keep an offset into the packet handy
|
|
80
|
+
x = 0
|
|
81
|
+
|
|
82
|
+
# XXX This is still somewhat broken (4 digit ports)
|
|
83
|
+
self.sec_addr = data[26, self.sec_addr_len]
|
|
84
|
+
|
|
85
|
+
# Move the pointer into the packet forward
|
|
86
|
+
x += 26 + self.sec_addr_len
|
|
87
|
+
|
|
88
|
+
# Align the pointer on a dword boundary
|
|
89
|
+
while (x % 4 != 0)
|
|
90
|
+
x += 1
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# Figure out how many results we have (multiple-context binds)
|
|
94
|
+
self.num_results = data[ x, 4 ].unpack('V')[0]
|
|
95
|
+
|
|
96
|
+
# Move the pointer to the ack_result[0] offset
|
|
97
|
+
x += 4
|
|
98
|
+
|
|
99
|
+
# Initialize the ack_result index
|
|
100
|
+
ack = 0
|
|
101
|
+
|
|
102
|
+
# Scan through all results and add them to the result arrays
|
|
103
|
+
while ack < self.num_results
|
|
104
|
+
self.ack_result[ack] = data[ x + 0, 2 ].unpack('v')[0]
|
|
105
|
+
self.ack_reason[ack] = data[ x + 2, 2 ].unpack('v')[0]
|
|
106
|
+
self.ack_xfer_syntax_uuid[ack] = uuid.uuid_unpack(data[ x + 4, 16 ])
|
|
107
|
+
self.ack_xfer_syntax_vers[ack] = data[ x + 20, 4 ].unpack('V')[0]
|
|
108
|
+
x += 24
|
|
109
|
+
ack += 1
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
# End of BIND_ACK || ALTER_CONTEXT_RESP
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
# BIND_NACK == 13
|
|
116
|
+
if (self.type == 13)
|
|
117
|
+
|
|
118
|
+
# Decode most of the DCERPC header
|
|
119
|
+
self.vers_major,
|
|
120
|
+
self.vers_minor,
|
|
121
|
+
trash,
|
|
122
|
+
self.flags,
|
|
123
|
+
self.data_rep,
|
|
124
|
+
self.frag_len,
|
|
125
|
+
self.auth_len,
|
|
126
|
+
self.call_id,
|
|
127
|
+
self.nack_reason = data.unpack('CCCCNvvVv')
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
# RESPONSE == 2
|
|
131
|
+
if (self.type == 2)
|
|
132
|
+
|
|
133
|
+
# Decode the DCERPC response header
|
|
134
|
+
self.vers_major,
|
|
135
|
+
self.vers_minor,
|
|
136
|
+
trash,
|
|
137
|
+
self.flags,
|
|
138
|
+
self.data_rep,
|
|
139
|
+
self.frag_len,
|
|
140
|
+
self.auth_len,
|
|
141
|
+
self.call_id,
|
|
142
|
+
self.alloc_hint,
|
|
143
|
+
self.context_id,
|
|
144
|
+
self.cancel_cnt = data.unpack('CCCCNvvVVvC')
|
|
145
|
+
|
|
146
|
+
# Error out if the whole header was not read
|
|
147
|
+
if !(self.alloc_hint and self.context_id and self.cancel_cnt)
|
|
148
|
+
raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
|
|
149
|
+
end
|
|
150
|
+
|
|
151
|
+
# Put the application data into self.stub_data
|
|
152
|
+
self.stub_data = data[data.length - self.alloc_hint, 0xffff]
|
|
153
|
+
# End of RESPONSE
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
# FAULT == 3
|
|
157
|
+
if (self.type == 3)
|
|
158
|
+
|
|
159
|
+
# Decode the DCERPC response header
|
|
160
|
+
self.vers_major,
|
|
161
|
+
self.vers_minor,
|
|
162
|
+
trash,
|
|
163
|
+
self.flags,
|
|
164
|
+
self.data_rep,
|
|
165
|
+
self.frag_len,
|
|
166
|
+
self.auth_len,
|
|
167
|
+
self.call_id,
|
|
168
|
+
self.alloc_hint,
|
|
169
|
+
self.context_id,
|
|
170
|
+
self.cancel_cnt,
|
|
171
|
+
trash,
|
|
172
|
+
self.status = data.unpack('CCCCNvvVVvCCV')
|
|
173
|
+
|
|
174
|
+
# Put the application data into self.stub_data
|
|
175
|
+
self.stub_data = data[data.length - self.alloc_hint, 0xffff]
|
|
176
|
+
# End of FAULT
|
|
177
|
+
end
|
|
178
|
+
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
protected
|
|
182
|
+
# attr_accessor :raw
|
|
183
|
+
|
|
184
|
+
end
|
|
185
|
+
end
|
|
186
|
+
end
|
|
187
|
+
end
|
|
188
|
+
|
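Review bot: The FAULT branch (new lines 160–175) reads `self.alloc_hint` without the "whole header was read" guard that the RESPONSE branch has at line 147, so a truncated fault packet makes `data.length - self.alloc_hint` raise TypeError instead of InvalidPacket; the same `if !(self.alloc_hint and self.context_id and self.cancel_cnt)` check belongs after the unpack at line 172. In the BIND_ACK/ALTER_CONTEXT_RESP branch the loop at lines 103–110 trusts the peer-supplied `num_results`: the frag_len check at line 75 only proves `data.length >= frag_len`, so an oversized count makes `data[ x + 4, 16 ]` return nil and the following `unpack` raise NoMethodError; add `raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete' if self.num_results.nil? or x + self.num_results * 24 > data.length` before the loop. Both stub_data slices (lines 152 and 175) use `data.length - self.alloc_hint` as a start index, and when the peer's alloc_hint exceeds the packet length this goes negative and Ruby indexes from the end, yielding a wrong slice or nil rather than an error; clamp it, e.g. `start = [data.length - self.alloc_hint, 0].max`. Since this parser consumes network input, each of these should fail closed with InvalidPacket rather than an uncaught exception.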