dstruct 0.0.1

data/lib/rex/proto/ipmi/rakp2.rb

@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module IPMI
+
+class RAKP2 < BitStruct
+  unsigned :rmcp_version,      8,     "RMCP Version"
+  unsigned :rmcp_padding,      8,     "RMCP Padding"
+  unsigned :rmcp_sequence,     8,     "RMCP Sequence"
+  unsigned :rmcp_mtype,    1,     "RMCP Message Type"
+  unsigned :rmcp_class,    7,     "RMCP Message Class"
+
+  unsigned :session_auth_type,  8,     "Authentication Type"
+
+  unsigned :session_payload_encrypted,  1,     "Session Payload Encrypted"
+  unsigned :session_payload_authenticated,  1,     "Session Payload Authenticated"
+  unsigned :session_payload_type,  6,     "Session Payload Type", :endian => 'little'
+
+  unsigned :session_id,  32,     "Session ID"
+  unsigned :session_sequence,  32,     "Session Sequence Number"
+  unsigned :message_length,  16,     "Message Length", :endian => "little"
+
+  unsigned :ignored1, 8, "Ignored"
+  unsigned :error_code, 8, "RMCP Error Code"
+  unsigned :ignored2, 16, "Ignored"
+  char :console_session_id, 32, "Console Session ID"
+  char :bmc_random_id,  128,     "BMC Random ID"
+  char :bmc_guid,  128,     "RAKP2 Hash 2 (nulls)"
+  char :hmac_sha1,  160,     "HMAC_SHA1 Output"
+  rest :stuff, "The rest of the stuff"
+end
+
+end
+end
+end

data/lib/rex/proto/ipmi/utils.rb

@@ -0,0 +1,125 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module IPMI
+class Utils
+
+  def self.checksum(data)
+    sum = 0
+    data.unpack("C*").each {|c| sum += c }
+    sum = ~sum + 1
+    sum & 0xff
+  end
+
+  def self.create_ipmi_getchannel_probe
+    [   # Get Channel Authentication Capabilities
+      0x06, 0x00, 0xff, 0x07, # RMCP Header
+      0x00, 0x00, 0x00, 0x00, 
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x20, 0x18, 
+      0xc8, 0x81, 0x00, 0x38, 0x8e, 0x04, 0xb5
+    ].pack("C*")
+  end
+
+  # open rmcpplus_request
+  def self.create_ipmi_session_open_request(console_session_id)
+    head = [
+      0x06, 0x00, 0xff, 0x07,   # RMCP Header
+      0x06,                     # RMCP+ Authentication Type
+      PAYLOAD_RMCPPLUSOPEN_REQ, # Payload Type
+      0x00, 0x00, 0x00, 0x00,   # Session ID
+      0x00, 0x00, 0x00, 0x00    # Sequence Number
+    ].pack("C*")
+
+    data =
+    [   # Maximum access
+      0x00, 0x00,
+      # Reserved
+      0x00, 0x00
+    ].pack("C*") + 
+    console_session_id +
+    [
+      0x00, 0x00, 0x00, 0x08, 
+      0x01, 0x00, 0x00, 0x00,
+      0x01, 0x00, 0x00, 0x08, 
+      # HMAC-SHA1
+      0x01, 0x00, 0x00, 0x00, 
+      0x02, 0x00, 0x00, 0x08, 
+      # AES Encryption
+      0x01, 0x00, 0x00, 0x00
+    ].pack("C*")
+
+    head + [data.length].pack('v') + data 
+  end
+
+
+  # open rmcpplus_request with cipherzero
+  def self.create_ipmi_session_open_cipher_zero_request(console_session_id)
+    head = [
+      0x06, 0x00, 0xff, 0x07,   # RMCP Header
+      0x06,                     # RMCP+ Authentication Type
+      PAYLOAD_RMCPPLUSOPEN_REQ, # Payload Type
+      0x00, 0x00, 0x00, 0x00,   # Session ID
+      0x00, 0x00, 0x00, 0x00    # Sequence Number
+    ].pack("C*")
+
+    data =
+    [   # Maximum access
+      0x00, 0x00,
+      # Reserved
+      0x00, 0x00
+    ].pack("C*") + 
+    console_session_id +
+    [
+      0x00, 0x00, 0x00, 0x08, 
+      # Cipher 0
+      0x00, 0x00, 0x00, 0x00,
+      0x01, 0x00, 0x00, 0x08,
+      # Cipher 0
+      0x00, 0x00, 0x00, 0x00,
+      0x02, 0x00, 0x00, 0x08,
+      # No Encryption 
+      0x00, 0x00, 0x00, 0x00
+    ].pack("C*")
+
+    head + [data.length].pack('v') + data 
+  end
+
+  def self.create_ipmi_rakp_1(bmc_session_id, console_random_id, username)
+    [
+      0x06, 0x00, 0xff, 0x07,  # RMCP Header
+      0x06,                    # RMCP+ Authentication Type
+      PAYLOAD_RAKP1,           # Payload Type
+      0x00, 0x00, 
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 
+      0x00, 0x00, 0x00, 0x00
+    ].pack("C*") +
+    bmc_session_id +
+    console_random_id +
+    [
+      0x14, 0x00, 0x00, 
+      username.length
+    ].pack("C*") + 
+    username
+  end
+
+
+  def self.create_rakp_hmac_sha1_salt(con_sid, bmc_sid, con_rid, bmc_rid, bmc_gid, auth_level, username)
+    con_sid +
+    bmc_sid +
+    con_rid +
+    bmc_rid +
+    bmc_gid + 
+    [ auth_level ].pack("C") +
+    [ username.length ].pack("C") +
+    username
+  end
+
+  def self.verify_rakp_hmac_sha1(salt, hash, password)
+    OpenSSL::HMAC.digest('sha1', password, salt) == hash
+  end
+
+end
+end
+end
+end

data/lib/rex/proto/natpmp.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+# NAT-PMP protocol support
+#
+# @author Jon Hart <jhart@spoofed.org>
+
+require 'rex/proto/natpmp/constants'
+require 'rex/proto/natpmp/packet'

data/lib/rex/proto/natpmp/constants.rb

@@ -0,0 +1,19 @@
+# -*- coding: binary -*-
+##
+#
+# NAT-PMP constants
+#
+# by Jon Hart <jhart@spoofed.org>
+#
+##
+
+module Rex
+module Proto
+module NATPMP
+  DefaultPort = 5351
+  Version = 0
+  TCP = 2
+  UDP = 1
+end
+end
+end

data/lib/rex/proto/natpmp/packet.rb

@@ -0,0 +1,45 @@
+# -*- coding: binary -*-
+##
+#
+# NAT-PMP protocol support
+#
+# by Jon Hart <jhart@spoofed.org>
+#
+##
+
+module Rex
+module Proto
+module NATPMP
+
+  # Return a NAT-PMP request to get the external address.
+  def external_address_request
+    [ 0, 0 ].pack('nn')
+  end
+
+  # Parse a NAT-PMP external address response +resp+.
+  # Returns the decoded parts of the response as an array.
+  def parse_external_address_response(resp)
+    (ver, op, result, epoch, addr) = resp.unpack("CCnNN")
+    [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
+  end
+
+  # Return a NAT-PMP request to map remote port +rport+/+protocol+ to local port +lport+ for +lifetime+ ms
+  def map_port_request(lport, rport, protocol, lifetime)
+    [ Rex::Proto::NATPMP::Version, # version
+      protocol, # opcode, which is now the protocol we are asking to forward
+      0, # reserved
+      lport,
+      rport,
+      lifetime
+    ].pack("CCnnnN")
+  end
+
+  # Parse a NAT-PMP mapping response +resp+.
+  # Returns the decoded parts as an array.
+  def parse_map_port_response(resp)
+    resp.unpack("CCnNnnN")
+  end
+end
+
+end
+end

data/lib/rex/proto/ntlm.rb

@@ -0,0 +1,8 @@
+# -*- coding: binary -*-
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/exceptions'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/utils'
+require 'rex/proto/ntlm/base'
+require 'rex/proto/ntlm/message'
+

data/lib/rex/proto/ntlm/base.rb

@@ -0,0 +1,327 @@
+# -*- coding: binary -*-
+#
+# An NTLM Authentication Library for Ruby
+#
+# This code is a derivative of "dbf2.rb" written by yrock
+# and Minero Aoki. You can find original code here:
+# http://jp.rubyist.net/magazine/?0013-CodeReview
+# -------------------------------------------------------------
+# Copyright (c) 2005,2006 yrock
+#
+# This program is free software.
+# You can distribute/modify this program under the terms of the
+# Ruby License.
+#
+# 2011-02-23 refactored by Alexandre Maloteaux for Metasploit Project
+# -------------------------------------------------------------
+#
+# 2006-02-11 refactored by Minero Aoki
+# -------------------------------------------------------------
+#
+# All protocol information used to write this code stems from
+# "The NTLM Authentication Protocol" by Eric Glass. The author
+# would thank to him for this tremendous work and making it
+# available on the net.
+# http://davenport.sourceforge.net/ntlm.html
+# -------------------------------------------------------------
+# Copyright (c) 2003 Eric Glass
+#
+# Permission to use, copy, modify, and distribute this document
+# for any purpose and without any fee is hereby granted,
+# provided that the above copyright notice and this list of
+# conditions appear in all copies.
+# -------------------------------------------------------------
+#
+# The author also looked Mozilla-Firefox-1.0.7 source code,
+# namely, security/manager/ssl/src/nsNTLMAuthModule.cpp and
+# Jonathan Bastien-Filiatrault's libntlm-ruby.
+# "http://x2a.org/websvn/filedetails.php?
+# repname=libntlm-ruby&path=%2Ftrunk%2Fntlm.rb&sc=1"
+# The latter has a minor bug in its separate_keys function.
+# The third key has to begin from the 14th character of the
+# input string instead of 13th:)
+
+require 'rex/proto/ntlm/constants'
+
+module Rex
+module Proto
+module NTLM
+# The base type needed for other modules like message and crypt
+class Base
+
+CONST = Rex::Proto::NTLM::Constants
+
+  # base classes for primitives
+  class Field
+    attr_accessor :active, :value
+
+    def initialize(opts)
+      @value  = opts[:value]
+      @active = opts[:active].nil? ? true : opts[:active]
+    end
+
+    def size
+      @active ? @size : 0
+    end
+  end
+
+  class String < Field
+    def initialize(opts)
+      super(opts)
+      @size = opts[:size]
+    end
+
+    def parse(str, offset=0)
+      if @active and str.size >= offset + @size
+        @value = str[offset, @size]
+        @size
+      else
+        0
+      end
+    end
+
+    def serialize
+      if @active
+        @value
+      else
+        ""
+      end
+    end
+
+    def value=(val)
+      @value = val
+      @size = @value.nil? ? 0 : @value.size
+      @active = (@size > 0)
+    end
+  end
+
+  class Int16LE < Field
+    def initialize(opt)
+      super(opt)
+      @size = 2
+    end
+
+    def parse(str, offset=0)
+      if @active and str.size >= offset + @size
+        @value = str[offset, @size].unpack("v")[0]
+        @size
+      else
+        0
+      end
+    end
+
+    def serialize
+      [@value].pack("v")
+    end
+  end
+
+  class Int32LE < Field
+    def initialize(opt)
+      super(opt)
+      @size = 4
+    end
+
+    def parse(str, offset=0)
+      if @active and str.size >= offset + @size
+        @value = str.slice(offset, @size).unpack("V")[0]
+        @size
+      else
+        0
+      end
+    end
+
+    def serialize
+      [@value].pack("V") if @active
+    end
+  end
+
+  class Int64LE < Field
+    def initialize(opt)
+      super(opt)
+      @size = 8
+    end
+
+    def parse(str, offset=0)
+      if @active and str.size >= offset + @size
+        d, u = str.slice(offset, @size).unpack("V2")
+        @value = (u * 0x100000000 + d)
+        @size
+      else
+        0
+      end
+    end
+
+    def serialize
+      [@value & 0x00000000ffffffff, @value >> 32].pack("V2") if @active
+    end
+  end
+
+  # base class of data structure
+  class FieldSet
+    class << FieldSet
+    def define(&block)
+      klass = Class.new(self) do
+        def self.inherited(subclass)
+          proto = @proto
+
+          subclass.instance_eval do
+            @proto = proto
+          end
+        end
+      end
+
+      klass.module_eval(&block)
+
+      klass
+    end
+
+    def string(name, opts)
+      add_field(name, String, opts)
+    end
+
+    def int16LE(name, opts)
+      add_field(name, Int16LE, opts)
+    end
+
+    def int32LE(name, opts)
+      add_field(name, Int32LE, opts)
+    end
+
+    def int64LE(name, opts)
+      add_field(name, Int64LE, opts)
+    end
+
+    def security_buffer(name, opts)
+      add_field(name, SecurityBuffer, opts)
+    end
+
+    def prototypes
+      @proto
+    end
+
+    def names
+      @proto.map{|n, t, o| n}
+    end
+
+    def types
+      @proto.map{|n, t, o| t}
+    end
+
+    def opts
+      @proto.map{|n, t, o| o}
+    end
+
+    private
+
+    def add_field(name, type, opts)
+      (@proto ||= []).push [name, type, opts]
+      define_accessor name
+    end
+
+    def define_accessor(name)
+      module_eval(<<-End, __FILE__, __LINE__ + 1)
+      def #{name}
+        self['#{name}'].value
+      end
+
+      def #{name}=(val)
+        self['#{name}'].value = val
+      end
+      End
+    end
+    end #self
+
+    def initialize
+      @alist = self.class.prototypes.map{ |n, t, o| [n, t.new(o)] }
+    end
+
+    def serialize
+      @alist.map{|n, f| f.serialize }.join
+    end
+
+    def parse(str, offset=0)
+      @alist.inject(offset){|cur, a|  cur += a[1].parse(str, cur)}
+    end
+
+    def size
+      @alist.inject(0){|sum, a| sum += a[1].size}
+    end
+
+    def [](name)
+      a = @alist.assoc(name.to_s.intern)
+      raise ArgumentError, "no such field: #{name}" unless a
+      a[1]
+    end
+
+    def []=(name, val)
+      a = @alist.assoc(name.to_s.intern)
+      raise ArgumentError, "no such field: #{name}" unless a
+      a[1] = val
+    end
+
+    def enable(name)
+      self[name].active = true
+    end
+
+    def disable(name)
+      self[name].active = false
+    end
+  end
+
+  Blob = FieldSet.define {
+    int32LE    :blob_signature,   {:value => CONST::BLOB_SIGN}
+    int32LE    :reserved,         {:value => 0}
+    int64LE    :timestamp,      {:value => 0}
+    string     :challenge,      {:value => "", :size => 8}
+    int32LE    :unknown1,     {:value => 0}
+    string     :target_info,      {:value => "", :size => 0}
+    int32LE    :unknown2,         {:value => 0}
+  }
+
+  SecurityBuffer = FieldSet.define {
+    int16LE   :length,        {:value => 0}
+    int16LE   :allocated,     {:value => 0}
+    int32LE   :offset,        {:value => 0}
+  }
+
+
+  class SecurityBuffer
+    attr_accessor :active
+    def initialize(opts)
+      super()
+      @value  = opts[:value]
+      @active = opts[:active].nil? ? true : opts[:active]
+      @size = 8
+    end
+
+    def parse(str, offset=0)
+      if @active and str.size >= offset + @size
+        super(str, offset)
+        @value = str[self.offset, self.length]
+        @size
+      else
+        0
+      end
+    end
+
+    def serialize
+      super if @active
+    end
+
+    def value
+      @value
+    end
+
+    def value=(val)
+      @value = val
+      self.length = self.allocated = val.size
+    end
+
+    def data_size
+      @active ? @value.size : 0
+    end
+  end
+end
+end
+end
+end