librex 0.0.1 → 0.0.3

data/lib/rex/mime/message.rb

@@ -4,47 +4,72 @@ class Message
 
 	require 'rex/mime/header'
 	require 'rex/mime/part'
-	require 'rex/text'	
+	require 'rex/text'
 
 	attr_accessor :header, :parts, :bound, :content
 
-	def initialize
+	def initialize(data=nil)
 		self.header = Rex::MIME::Header.new
 		self.parts  = []
 		self.bound  = "_Part_#{rand(1024)}_#{rand(0xffffffff)}_#{rand(0xffffffff)}"
 		self.content = ''
+		if data
+			head,body = data.split(/\r?\n\r?\n/, 2)
+
+			self.header.parse(head)
+			ctype = self.header.find('Content-Type')
+
+			if ctype and ctype[1] and ctype[1] =~ /multipart\/mixed;\s*boundary=([^\s]+)/
+				self.bound = $1
+
+				chunks = body.to_s.split(/--#{self.bound}(--)?\r?\n/)
+				self.content = chunks.shift.to_s.gsub(/\s+$/, '')
+				self.content << "\r\n" if not self.content.empty?
+
+				chunks.each do |chunk|
+					break if chunk == "--"
+					head,body = chunk.split(/\r?\n\r?\n/, 2)
+					part = Rex::MIME::Part.new
+					part.header.parse(head)
+					part.content = body.gsub(/\s+$/, '')
+					self.parts << part
+				end
+			else
+				self.content = body.to_s.gsub(/\s+$/, '') + "\r\n"
+			end
+		end
 	end
 
 	def to
 		(self.header.find('To') || [nil, nil])[1]
 	end
-	
+
 	def to=(val)
 		self.header.set("To", val)
 	end
-	
+
 	def from=(val)
-		self.header.set("From", val)	
+		self.header.set("From", val)
 	end
-	
+
 	def from
 		(self.header.find('From') || [nil, nil])[1]
 	end
-	
+
 	def subject=(val)
-		self.header.set("Subject", val)	
+		self.header.set("Subject", val)
 	end
-	
+
 	def subject
 		(self.header.find('Subject') || [nil, nil])[1]
 	end
-		
+
 	def mime_defaults
 		self.header.set("MIME-Version", "1.0")
 		self.header.set("Content-Type", "multipart/mixed; boundary=\"#{self.bound}\"")
 		self.header.set("Subject", '') # placeholder
 		self.header.set("Date", Time.now.strftime("%a,%e %b %Y %H:%M:%S %z"))
-		self.header.set("Message-ID", 
+		self.header.set("Message-ID",
 			"<"+
 			Rex::Text.rand_text_alphanumeric(rand(20)+40)+
 			"@"+
@@ -55,24 +80,24 @@ class Message
 		self.header.set("To", '')      # placeholder
 	end
 
-	
+
 	def add_part(data='', content_type='text/plain', transfer_encoding="8bit", content_disposition=nil)
 		part = Rex::MIME::Part.new
 		part.header.set("Content-Type", content_type)
-		
+
 		if (transfer_encoding)
 			part.header.set("Content-Transfer-Encoding", transfer_encoding)
 		end
-		
+
 		if (content_disposition)
 			part.header.set("Content-Disposition", content_disposition)
 		end
-				
+
 		part.content = data
 		self.parts << part
 		part
 	end
-	
+
 	def add_part_attachment(data, name)
 		self.add_part(
 			Rex::Text.encode_base64(data, "\r\n"),
@@ -81,7 +106,7 @@ class Message
 			"attachment; filename=\"#{name}\""
 		)
 	end
-	
+
 
 	def add_part_inline_attachment(data, name)
 		self.add_part(
@@ -91,22 +116,28 @@ class Message
 			"inline; filename=\"#{name}\""
 		)
 	end
-		
+
 	def to_s
 		msg = self.header.to_s + "\r\n"
-		
-		msg << self.content + "\r\n"
-		
+
+		if self.content and not self.content.empty?
+			msg << self.content + "\r\n"
+		end
+
 		self.parts.each do |part|
 			msg << "--" + self.bound + "\r\n"
-			msg << part.to_s
+			msg << part.to_s + "\r\n"
+		end
+
+		if self.parts.length > 0
+			msg << "--" + self.bound + "--\r\n"
 		end
 
-		msg << "--" + self.bound + "--\r\n"
-		
-		msg
+		# Force CRLF for SMTP compatibility
+		msg.gsub("\r", '').gsub("\n", "\r\n")
 	end
 
 end
 end
-end
+end
+

data/lib/rex/ole/directory.rb

@@ -1,6 +1,6 @@
 ##
-# $Id: directory.rb 8457 2010-02-11 18:36:38Z jduck $
-# Version: $Revision: 8457 $
+# $Id: directory.rb 9287 2010-05-12 05:33:35Z jduck $
+# Version: $Revision: 9287 $
 ##
 
 ##
@@ -51,7 +51,6 @@ class Directory < DirEntry
 		child.sid = @num_entries
 		@num_entries += 1
 
-
 		# link item to siblings and/or parent
 		if (parent._sidChild == DIR_NOSTREAM)
 			parent._sidChild = child.sid
@@ -72,7 +71,9 @@ class Directory < DirEntry
 					break
 				end
 			}
-			raise RuntimeError, 'Unable to find a sibling to link to in the directory'
+			if (not sib)
+				raise RuntimeError, 'Unable to find a sibling to link to in the directory'
+			end
 		end
 		parent << child
 	end

data/lib/rex/ole/samples/dump_stream.rb

@@ -23,7 +23,7 @@ if (stg = Rex::OLE::Storage.new(document))
 		data = stm.read(stm.length)
 		data ||= ""
 		$stderr.puts "Successfully opened the \"%s\" stream (%u bytes)" % [stream, data.length]
-		$stdout.puts data
+		$stdout.print data
 		stm.close
 	else
 		$stderr.puts "Unable to open stream: #{stream}"

data/lib/rex/parser/nexpose_xml.rb

@@ -0,0 +1,131 @@
+module Rex
+module Parser
+
+# XXX doesn't tie services to vulns
+class NexposeXMLStreamParser
+
+	attr_accessor :callback
+
+	def initialize(callback = nil)
+		reset_state
+		self.callback = callback if callback
+	end
+
+	def reset_state
+		@state = :generic_state
+		@host = { "status" => nil, "endpoints" => [], "names" => [], "vulns" => {} }
+		@vuln = { "refs" => [] }
+	end
+
+	def tag_start(name, attributes)
+		case name
+		when "node"
+			@host["hardware-address"] = attributes["hardware-address"]
+			@host["addr"] = attributes["address"]
+			@host["status"] = attributes["status"]
+		when "os"
+			# Take only the highest certainty
+			if not @host["os_certainty"] or (@host["os_certainty"].to_f < attributes["certainty"].to_f)
+				@host["os_vendor"]    = attributes["vendor"]
+				@host["os_family"]    = attributes["family"]
+				@host["os_product"]   = attributes["product"]
+				@host["arch"]         = attributes["arch"]
+				@host["os_certainty"] = attributes["certainty"]
+			end
+		when "name"
+			#@host["names"].push attributes["name"]
+			@state = :in_name
+		when "endpoint"
+			# This is a port in NeXpose parlance
+			@host["endpoints"].push(attributes)
+		when "service"
+			@state = :in_service
+			# Store any service info with the associated port.  There shouldn't
+			# be any collisions on attribute names here, so just merge them.
+			@host["endpoints"].last.merge!(attributes)
+		when "fingerprint"
+			if @state == :in_service
+				@host["endpoints"].last.merge!(attributes)
+			end
+		when "test"
+			if attributes["status"] == "vulnerable-exploited" or attributes["status"] == "vulnerable-version"
+				@host["vulns"][attributes["id"]] = attributes.dup
+			end
+		when "vulnerability"
+			@vuln.merge! attributes
+		when "reference"
+			@state = :in_reference
+			@vuln["refs"].push attributes
+		end
+	end
+
+	def text(str)
+		case @state
+		when :in_name
+			@host["names"].push str
+		when :in_reference
+			@vuln["refs"].last["value"] = str
+		end
+	end
+
+	def tag_end(name)
+		case name
+		when "node"
+			callback.call(:host, @host) if callback
+			reset_state
+		when "vulnerability"
+			callback.call(:vuln, @vuln) if callback
+			reset_state
+		when "service","reference"
+			@state = :generic_state
+		end
+	end
+
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def xmldecl(version, encoding, standalone); end
+	def cdata; end
+	def comment(str); end
+	def instruction(name, instruction); end
+	def attlist; end
+end
+end
+end
+
+__END__
+
+<node address="10.1.1.10" status="alive" hardware-address="0007371F3BE8">
+<names>
+<name>NETBIOSNAME</name>
+<name>hostname.example.com</name>
+</names>
+<fingerprints>
+<os  certainty="1.00" device-class="Domain controller" vendor="Microsoft" family="Windows" product="Windows Server 2003, Standard Edition" version="SP2" arch="x86"/>
+<os  certainty="0.85" device-class="General" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
+<os  certainty="0.70" vendor="Microsoft" family="Windows" product="Windows Server 2003"/>
+</fingerprints>
+<software>
+<fingerprint  certainty="1.00" vendor="Acronis" product="Acronis&#160;True&#160;Image&#160;Echo&#160;Server" version="9.5.8163"/>
+<fingerprint  certainty="1.00" vendor="Acronis" product="Acronis&#160;Universal&#160;Restore for Acronis&#160;True&#160;Image&#160;Echo&#160;Server" version="9.5.8076"/>
+<fingerprint  certainty="1.00" software-class="Internet Client" vendor="Microsoft" family="Internet Explorer" product="Internet Explorer" version="7.0.5730.11"/>
+<fingerprint  certainty="1.00" software-class="Database Client" vendor="Microsoft" family="MDAC" product="MDAC" version="2.8"/>
+<fingerprint  certainty="1.00" software-class="Media Client" vendor="Microsoft" family="Windows Media Player" product="Windows Media Player" version="10.0.0.3997"/>
+<fingerprint  certainty="1.00" vendor="MySolutions NORDIC" product="NSClient++ (Win32)" version="0.3.4.0"/>
+<fingerprint  certainty="1.00" vendor="Symantec Corporation" product="LiveUpdate 3.1 (Symantec Corporation)" version="3.1.0.99"/>
+<fingerprint  certainty="1.00" vendor="Symantec Corporation" product="Symantec AntiVirus" version="10.1.5000.5"/>
+</software>
+<tests>
+<test status="not-vulnerable" id="backdoor-ckb.cfaae1e6">
+
+<endpoint protocol="tcp" port="139" status="open">
+<services>
+<service name="CIFS">
+<fingerprints>
+<fingerprint  certainty="1.00" product="Windows Server 2003 R2 5.2"/>
+</fingerprints>
+<tests>
+</tests>
+</service>
+</services>
+</endpoint>
+</node>
+

data/lib/rex/parser/nmap_xml.rb

@@ -77,6 +77,7 @@ class NmapXMLStreamParser
 		when "status"
 			# <status> refers to the liveness of the host; values are "up" or "down"
 			@host["status"] = attributes["state"]
+			@host["status_reason"] = attributes["reason"]
 		when "port"
 			@host["ports"].push(attributes)
 		when "state"

data/lib/rex/peparsey/pe.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-# $Id: pe.rb 7730 2009-12-07 12:56:54Z sf $
+# $Id: pe.rb 9272 2010-05-10 16:18:19Z jduck $
 
 require 'rex/image_source'
 require 'rex/peparsey/exceptions'
@@ -143,7 +143,7 @@ class Pe < PeBase
 		self.hdr.config        = self._config_header
 		self.hdr.tls           = self._tls_header
 		self.hdr.exceptions    = self._exception_header
-		
+
 		# We load the exception directory last as it relies on hdr.file to be created above.
 		self._exception_header = _load_exception_directory()
 	end
@@ -184,5 +184,23 @@ class Pe < PeBase
 		(ptr_32?) ? ("0x%.8x" % va) : ("0x%.16x" % va)
 	end
 
-end end end
+	#
+	# Converts a file offset into a virtual address
+	#
+	def file_offset_to_va(offset)
+		image_base + file_offset_to_rva(offset)
+	end
+
+	#
+	# Read raw bytes from the specified offset in the underlying file
+	#
+	# NOTE: You should pass raw file offsets into this, not offsets from
+	# the beginning of the section. If you need to read from within a 
+	# section, add section.file_offset prior to passing the offset in.
+	#
+	def read(offset, len)
+		_isource.read(offset, len)
+	end
+
 
+end end end

data/lib/rex/post/meterpreter/client.rb

@@ -81,13 +81,14 @@ class Client
 		self.ext_aliases = ObjectAliases.new
 		self.alive       = true
 		self.target_id   = opts[:target_id]
+		self.capabilities= opts[:capabilities] || {}
 
 		self.response_timeout =  opts[:timeout] || self.class.default_timeout
 		self.send_keepalives  = true
 
 
 		# Switch the socket to SSL mode and receive the hello if needed
-		if not opts[:skip_ssl]
+		if capabilities[:ssl] and not opts[:skip_ssl]
 			swap_sock_plain_to_ssl()
 		end
 
@@ -325,6 +326,10 @@ class Client
 	# The unique target identifier for this payload
 	#
 	attr_accessor :target_id
+	#
+	# The libraries available to this meterpreter server
+	#
+	attr_accessor :capabilities
 
 protected
 	attr_accessor :parser, :ext_aliases # :nodoc:

data/lib/rex/post/meterpreter/client_core.rb

@@ -89,7 +89,7 @@ class ClientCore < Extension
 			}
 
 			if (image != nil)
-				request.add_tlv(TLV_TYPE_DATA, image, false, true)
+				request.add_tlv(TLV_TYPE_DATA, image, false, client.capabilities[:zlib])
 			else
 				raise RuntimeError, "Failed to serialize library #{library_path}.", caller
 			end
@@ -222,7 +222,7 @@ class ClientCore < Extension
 		request = Packet.create_request( 'core_migrate' )
 		request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
 		request.add_tlv( TLV_TYPE_MIGRATE_LEN, payload.length )
-		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, payload, false, true)
+		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, payload, false, client.capabilities[:zlib])
 		if( process['arch'] == ARCH_X86_64 )
 			request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
 		else

data/lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -24,10 +24,10 @@ class Priv < Extension
 	#
 	def initialize(client)
 		super(client, 'priv')
-		
+
 		client.register_extension_aliases(
 			[
-				{ 
+				{
 					'name' => 'priv',
 					'ext'  => self
 				},
@@ -36,25 +36,25 @@ class Priv < Extension
 		# Initialize sub-classes
 		self.fs = Fs.new(client)
 	end
-	
+
 	#
 	# Attempt to elevate the meterpreter to Local SYSTEM
 	#
 	def getsystem( technique=0 )
 		request = Packet.create_request( 'priv_elevate_getsystem' )
-		
-		elevator_name = Rex::Text.rand_text_alpha_lower( 6 ) 
-		
+
+		elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
+
 		if( client.platform == 'x64/win64' )
 			elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.x64.dll" )
 		else
 			elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.dll" )
 		end
-		
+
 		elevator_path = ::File.expand_path( elevator_path )
-		
+
 		elevator_data = ""
-		
+
 		::File.open( elevator_path, "rb" ) { |f|
 			elevator_data += f.read( f.stat.size )
 		}
@@ -63,29 +63,29 @@ class Priv < Extension
 		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_NAME, elevator_name )
 		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data )
 		request.add_tlv( TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length )
-		
+
 		# as some service routines can be slow we bump up the timeout to 90 seconds
 		response = client.send_request( request, 90 )
-		
+
 		technique = response.get_tlv_value( TLV_TYPE_ELEVATE_TECHNIQUE )
-		
+
 		if( response.result == 0 and technique != nil )
 			client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
 			client.sys.config.getprivs
 			return [ true, technique ]
 		end
-		
+
 		return [ false, 0 ]
 	end
-	
+
 	#
 	# Returns an array of SAM hashes from the remote machine.
 	#
 	def sam_hashes
-		response = client.send_request(
-			Packet.create_request('priv_passwd_get_sam_hashes'))
+		# This can take a long long time for large domain controls, bump the timeout to one hour
+		response = client.send_request(Packet.create_request('priv_passwd_get_sam_hashes'), 3600)
 
-		response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash| 
+		response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
 			SamUser.new(hash)
 		}
 	end
@@ -101,4 +101,5 @@ protected
 
 end
 
-end; end; end; end; end
+end; end; end; end; end
+