librex 0.0.1 → 0.0.3

data/lib/rex/post/meterpreter/packet.rb

@@ -24,6 +24,17 @@ TLV_META_TYPE_COMPRESSED    = (1 << 29)
 TLV_META_TYPE_GROUP         = (1 << 30)
 TLV_META_TYPE_COMPLEX       = (1 << 31)
 
+# Exclude compressed from the mask since other meta types (e.g. RAW) can also
+# be compressed
+TLV_META_MASK = (
+	TLV_META_TYPE_STRING |
+	TLV_META_TYPE_UINT |
+	TLV_META_TYPE_RAW |
+	TLV_META_TYPE_BOOL |
+	TLV_META_TYPE_GROUP |
+	TLV_META_TYPE_COMPLEX
+)
+
 #
 # TLV base starting points
 #
@@ -114,6 +125,63 @@ class Tlv
 		end
 	end
 
+	def inspect
+		utype = type ^ TLV_META_TYPE_COMPRESSED
+		meta = case (utype & TLV_META_MASK)
+			when TLV_META_TYPE_STRING; "STRING"
+			when TLV_META_TYPE_UINT; "INT"
+			when TLV_META_TYPE_RAW; "RAW"
+			when TLV_META_TYPE_BOOL; "BOOL"
+			when TLV_META_TYPE_GROUP; "GROUP"
+			when TLV_META_TYPE_COMPLEX; "COMPLEX"
+			else; 'unknown-meta-type'
+			end
+		stype = case type
+			when TLV_TYPE_REQUEST_ID; "REQUEST-ID"
+			when TLV_TYPE_METHOD; "METHOD"
+			when TLV_TYPE_RESULT; "RESULT"
+			when TLV_TYPE_EXCEPTION; "EXCEPTION"
+			when TLV_TYPE_STRING; "STRING"
+			when TLV_TYPE_UINT; "UINT"
+			when TLV_TYPE_BOOL; "BOOL"
+
+			when TLV_TYPE_LENGTH; "LENGTH"
+			when TLV_TYPE_DATA; "DATA"
+			when TLV_TYPE_FLAGS; "FLAGS"
+
+			when TLV_TYPE_CHANNEL_ID; "CHANNEL-ID"
+			when TLV_TYPE_CHANNEL_TYPE; "CHANNEL-TYPE"
+			when TLV_TYPE_CHANNEL_DATA; "CHANNEL-DATA"
+			when TLV_TYPE_CHANNEL_DATA_GROUP; "CHANNEL-DATA-GROUP"
+			when TLV_TYPE_CHANNEL_CLASS; "CHANNEL-CLASS"
+			when TLV_TYPE_CHANNEL_PARENTID; "CHANNEL-PARENTID"
+
+			when TLV_TYPE_SEEK_WHENCE; "SEEK-WHENCE"
+			when TLV_TYPE_SEEK_OFFSET; "SEEK-OFFSET"
+			when TLV_TYPE_SEEK_POS; "SEEK-POS"
+
+			when TLV_TYPE_EXCEPTION_CODE; "EXCEPTION-CODE"
+			when TLV_TYPE_EXCEPTION_STRING; "EXCEPTION-STRING"
+
+			when TLV_TYPE_LIBRARY_PATH; "LIBRARY-PATH"
+			when TLV_TYPE_TARGET_PATH; "TARGET-PATH"
+			when TLV_TYPE_MIGRATE_PID; "MIGRATE-PID"
+			when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
+			when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
+			when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
+
+			# Extension classes don't exist yet, so can't use their constants
+			# here.
+			#when Extensions::Stdapi::TLV_TYPE_IP;           'ip-address'
+			else; "unknown-#{type}"
+			end
+		val = value.inspect
+		if val.length > 50
+			val = val[0,50] + ' ..."'
+		end
+		"#<#{self.class} type=#{stype} meta-type=#{meta} #{self.class.to_s =~ /Packet/ ? "tlvs=#{@tlvs.inspect}" : "value=#{val}"} >"
+	end
+
 	##
 	#
 	# Conditionals

data/lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -71,7 +71,7 @@ module PacketDispatcher
 		response = send_packet_wait_response(packet, t)
 
 		if (response == nil)
-			raise TimeoutError
+			raise TimeoutError.new("Send timed out")
 		elsif (response.result != 0)
 			e = RequestError.new(packet.method, response.result)
 
@@ -186,7 +186,7 @@ module PacketDispatcher
 			# thread above.
 			while(not @finish)
 				if(@pqueue.empty?)
-					select(nil, nil, nil, 0.10)
+					::IO.select(nil, nil, nil, 0.10)
 					next
 				end
 

data/lib/rex/post/meterpreter/packet_response_waiter.rb

@@ -59,19 +59,19 @@ class PacketResponseWaiter
 	def wait(interval)
 		if( interval and interval == -1 )
 			while(not self.done)
-				select(nil, nil, nil, 0.1)
-			end 
-		else    
+				::IO.select(nil, nil, nil, 0.1)
+			end
+		else
 			begin
 				Timeout.timeout(interval) {
 					while(not self.done)
-						select(nil, nil, nil, 0.1)
+						::IO.select(nil, nil, nil, 0.1)
 					end
 				}
 			rescue Timeout::Error
 				self.response = nil
 			end
-		end    
+		end
 		return self.response
 	end
 

data/lib/rex/post/meterpreter/ui/console.rb

@@ -53,6 +53,8 @@ class Console
 	# assumed that init_ui has been called prior.
 	#
 	def interact(&block)
+		init_tab_complete
+
 		# Run queued commands
 		commands.delete_if { |ent|
 			run_single(ent)

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -86,8 +86,11 @@ class Console::CommandDispatcher::Stdapi::Fs
 			print_line("Usage: cd directory")
 			return true
 		end
-
-		client.fs.dir.chdir(args[0])
+		if args[0] =~ /\%(\w*)\%/
+			client.fs.dir.chdir(client.fs.file.expand_path(args[0].upcase))
+		else
+			client.fs.dir.chdir(args[0])
+		end
 
 		return true
 	end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -460,8 +460,8 @@ class Console::CommandDispatcher::Stdapi::Sys
 
 		print_line("Computer: " + info['Computer'])
 		print_line("OS      : " + info['OS'])
-		print_line("Arch    : " + info['Architecture'])
-		print_line("Language: " + info['System Language'])
+		print_line("Arch    : " + info['Architecture']) if info['Architecture']
+		print_line("Language: " + info['System Language']) if info['System Language']
 
 		return true
 	end

data/lib/rex/proto/http/client.rb

@@ -301,15 +301,18 @@ class Client
 	end
 
 	#
-	# Transmit a HTTP request and receive the response
+	# Transmit an HTTP request and receive the response
+	# If persist is set, then the request will attempt
+	# to reuse an existing connection.
 	#
-	def send_recv(req, t = -1)
+	def send_recv(req, t = -1, persist=false)
+		@pipeline = persist
 		send_request(req)
 		read_response(t)
 	end
 
 	#
-	# Send a HTTP request to the server
+	# Send an HTTP request to the server
 	#
 	def send_request(req)
 		connect
@@ -362,10 +365,12 @@ class Client
 					rblob = rbody.to_s + rbufq.to_s
 					tries = 0
 					begin
+						# XXX This doesn't deal with chunked encoding or "Content-type: text/html; charset=..."
 						while tries < 20 and resp.headers["Content-Type"]== "text/html" and rblob !~ /<\/html>/i
 							buff = conn.get_once(-1, 0.05)
 							break if not buff
 							rblob += buff
+							tries += 1
 						end
 					rescue ::Errno::EPIPE, ::EOFError, ::IOError
 					end

data/lib/rex/proto/http/packet.rb

@@ -92,6 +92,7 @@ class Packet
 				end
 			end
 		rescue
+			# This rescue might be a problem because it will swallow TimeoutError
 			self.error = $!
 			return ParseCode::Error
 		end
@@ -331,8 +332,17 @@ protected
 			# Remove any leading newlines or spaces
 			self.bufq.lstrip!
 
+			# If we didn't get a newline, then this might not be the full
+			# length, go back and get more.
+			# e.g. 
+			#  first packet: "200"
+			#  second packet: "0\r\n\r\n<html>..."
+			if not bufq.index("\n")
+				return
+			end
+
 			# Extract the actual hexadecimal length value
-			clen = self.bufq.slice!(/^[a-zA-Z0-9]*\r?\n/)
+			clen = self.bufq.slice!(/^[a-fA-F0-9]+\r?\n/)
 
 			clen.rstrip! if (clen)
 

data/lib/rex/proto/smb/client.rb

@@ -96,7 +96,7 @@ EVADE = Rex::Proto::SMB::Evasions
 			while ( (chunk = data.slice!(0, size)).length > 0 )
 				ret = self.socket.put(chunk)
 				if (wait > 0)
-					select(nil, nil, nil, wait)
+					::IO.select(nil, nil, nil, wait)
 				end
 			end
 			return ret

data/lib/rex/proto/smb/utils.rb

@@ -347,26 +347,74 @@ CONST = Rex::Proto::SMB::Constants
 	#
 	# Process Type 3 NTLM Message (in Base64)
 	#
+	# from http://www.innovation.ch/personal/ronald/ntlm.html
+	#
+	#	struct {
+	#		byte  protocol[8];  // 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'
+	#		byte  type;         // 0x03
+	#		byte  zero[3];
+	#
+	#		short lm_resp_len;  // LanManager response length (always 0x18)
+	#		short lm_resp_len;  // LanManager response length (always 0x18)
+	#		short lm_resp_off;  // LanManager response offset
+	#		byte  zero[2];
+	#
+	#		short nt_resp_len;  // NT response length (always 0x18)
+	#		short nt_resp_len;  // NT response length (always 0x18)
+	#		short nt_resp_off;  // NT response offset
+	#		byte  zero[2];
+	#
+	#		short dom_len;      // domain string length
+	#		short dom_len;      // domain string length
+	#		short dom_off;      // domain string offset (always 0x40)
+	#		byte  zero[2];
+	#
+	#		short user_len;     // username string length
+	#		short user_len;     // username string length
+	#		short user_off;     // username string offset
+	#		byte  zero[2];
+	#
+	#		short host_len;     // host string length
+	#		short host_len;     // host string length
+	#		short host_off;     // host string offset
+	#		byte  zero[6];
+	#
+	#		short msg_len;      // message length
+	#		byte  zero[2];
+	#
+	#		short flags;        // 0x8201
+	#		byte  zero[2];
+	#
+	#		byte  dom[*];       // domain string (unicode UTF-16LE)
+	#		byte  user[*];      // username string (unicode UTF-16LE)
+	#		byte  host[*];      // host string (unicode UTF-16LE)
+	#		byte  lm_resp[*];   // LanManager response
+	#		byte  nt_resp[*];   // NT response
+	#	} type_3_message
+	#
 	def self.process_type3_message(message)
 		decode = Rex::Text.decode_base64(message.strip)
-		type = decode[8]
+		type = decode[8,1].unpack("C").first
 		if (type == 3)
-			domoff = decode[32]	 # domain offset
-			domlen = decode[28]	 # domain length
-			useroff = decode[40] # username offset
-			userlen = decode[36] # username length
-			hostoff = decode[48] # hostname offset
-			hostlen = decode[44] # hostname length
-			lmoff = decode[16]	 # LM hash offset
-			lmlen = decode[12]	 # LM hash length
-			ntoff = decode[24]	 # NT hash offset
-			ntlen = decode[20]	 # NT hash length
-
-			domain = decode[domoff..domoff+domlen-1]
-			user = decode[useroff..useroff+userlen-1]
-			host = decode[hostoff..hostoff+hostlen-1]
-			lm = decode[lmoff..lmoff+lmlen-1].unpack("H*")
-			nt = decode[ntoff..ntoff+ntlen-1].unpack("H*")
+			lm_len = decode[12,2].unpack("v").first
+			lm_offset = decode[16,2].unpack("v").first
+			lm = decode[lm_offset, lm_len].unpack("H*").first
+
+			nt_len = decode[20,2].unpack("v").first
+			nt_offset = decode[24,2].unpack("v").first
+			nt = decode[nt_offset, nt_len].unpack("H*").first
+
+			dom_len = decode[28,2].unpack("v").first
+			dom_offset = decode[32,2].unpack("v").first
+			domain = decode[dom_offset, dom_len]
+
+			user_len = decode[36,2].unpack("v").first
+			user_offset = decode[40,2].unpack("v").first
+			user = decode[user_offset, user_len]
+
+			host_len = decode[44,2].unpack("v").first
+			host_offset = decode[48,2].unpack("v").first
+			host = decode[host_offset, host_len]
 		
 			return domain, user, host, lm, nt
 		else
@@ -386,13 +434,13 @@ CONST = Rex::Proto::SMB::Constants
 		win_name = Rex::Text.to_unicode(win_name)
 		decode = Rex::Text.decode_base64(message.strip)
 
-		type = decode[8]
+		type = decode[8,1].unpack("C").first
 
 		if (type == 1)
 			# A type 1 message has been received, lets build a type 2 message response
 
-			reqflags = decode[12..15]
-			reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse)
+			reqflags = decode[12,4]
+			reqflags = reqflags.unpack("V").first
 
 			if (reqflags & CONST::REQUEST_TARGET) == CONST::REQUEST_TARGET
 
@@ -470,12 +518,12 @@ CONST = Rex::Proto::SMB::Constants
 	def self.downgrade_type_message(message)
 		decode = Rex::Text.decode_base64(message.strip)
 
-		type = decode[8]
+		type = decode[8,1].unpack("C").first
 
 		if (type > 0 and type < 4)
 			reqflags = decode[12..15] if (type == 1 or type == 3)
 			reqflags = decode[20..23] if (type == 2)
-			reqflags = Integer("0x" + reqflags.unpack("h8").to_s.reverse)
+			reqflags = reqflags.unpack("V")
 
 			# Remove NEGOTIATE_NTLMV2_KEY and NEGOTIATE_ALWAYS_SIGN, this lowers the negotiation
 			# down to LMv1/NTLMv1.
@@ -497,9 +545,9 @@ CONST = Rex::Proto::SMB::Constants
 			idx = 0
 			0.upto(3) do |cnt|
 				if (type == 2)
-					decode[23-cnt] = Integer("0x" + flags[idx .. idx + 1])
+					decode[23-cnt] = [flags[idx,1]].pack("C")
 				else
-					decode[15-cnt] = Integer("0x" + flags[idx .. idx + 1])
+					decode[15-cnt] = [flags[idx,1]].pack("C")
 				end
 				idx += 2
 			end

data/lib/rex/proto/tftp.rb

@@ -0,0 +1,3 @@
+# $Id: tftp.rb 9333 2010-05-21 00:03:04Z jduck $
+require 'rex/proto/tftp/constants'
+require 'rex/proto/tftp/server'

data/lib/rex/proto/tftp/constants.rb

@@ -0,0 +1,37 @@
+# $Id: constants.rb 9334 2010-05-21 00:15:10Z jduck $
+require 'rex/proto/tftp'
+
+module Rex
+module Proto
+module TFTP
+
+OPCODES = %w{ Unknown RRQ WRQ DATA ACK ERROR }
+OpRead = 1
+OpWrite = 2
+OpData = 3
+OpAck = 4
+OpError = 5
+
+
+ERRCODES = [
+	"Undefined",
+	"File not found",
+	"Access violation",
+	"Disk full or allocation exceeded",
+	"Illegal TFTP operation",
+	"Unknown transfer ID",
+	"File already exists",
+	"No such user"
+]
+
+ErrFileNotFound = 1
+ErrAccessViolation = 2
+ErrDiskFull = 3
+ErrIllegalOperation = 4
+ErrUnknownTransferId = 5
+ErrFileExists = 6
+ErrNoSuchUser = 7
+
+end
+end
+end

data/lib/rex/proto/tftp/server.rb

@@ -0,0 +1,249 @@
+# $Id: server.rb 9375 2010-05-26 22:39:56Z jduck $
+require 'rex/socket'
+require 'rex/proto/tftp'
+
+module Rex
+module Proto
+module TFTP
+
+#
+# Little util function
+#
+def self.get_string(data)
+	ret = data.slice!(0,data.index("\x00"))
+	# Slice off the nul byte.
+	data.slice!(0,1)
+	ret
+end
+
+
+##
+#
+# TFTP Server class
+#
+##
+class Server
+
+	def initialize(port = 69, listen_host = '0.0.0.0', context = {})
+		self.listen_host = listen_host
+		self.listen_port = port
+		self.context = context
+		self.sock = nil
+		@shutting_down = false
+
+		self.files = []
+		self.transfers = []
+	end
+
+
+	#
+	# Start the TFTP server
+	#
+	def start
+		self.sock = Rex::Socket::Udp.create(
+			'LocalHost' => listen_host,
+			'LocalPort' => listen_port,
+			'Context'   => context
+			)
+
+		self.thread = Thread.new {
+			monitor_socket
+		}
+	end
+
+
+	#
+	# Stop the TFTP server
+	#
+	def stop
+		@shutting_down = true
+
+		# Wait a maximum of 30 seconds for all transfers to finish.
+		start = Time.now
+		while (self.transfers.length > 0)
+			::IO.select(nil, nil, nil, 0.5)
+			dur = Time.now - start
+			break if (dur > 30)
+		end
+
+		self.files.clear
+		self.thread.kill
+		self.sock.close
+	end
+
+
+	#
+	# Register a filename and content for a client to request
+	#
+	def register_file(fn, content)
+		self.files << {
+			:name => fn,
+			:data => content
+		}
+	end
+
+
+	#
+	# Send an error packet w/the specified code and string
+	#
+	def send_error(from, num)
+		if (num < 1 or num >= ERRCODES.length)
+			# ignore..
+			return
+		end
+		pkt = [OpError, num].pack('nn')
+		pkt << ERRCODES[num]
+		pkt << "\x00"
+		send_packet(from, pkt)
+	end
+
+
+	#
+	# Send a single packet to the specified host
+	#
+	def send_packet(from, pkt)
+		self.sock.sendto(pkt, from[0], from[1])
+	end
+
+
+	#
+	# Find the hash entry for a file that may be offered
+	#
+	def find_file(fname)
+		self.files.each do |f|
+			if (fname == f[:name])
+				return f
+			end
+		end
+		nil
+	end
+
+
+	attr_accessor :listen_host, :listen_port, :context
+	attr_accessor :sock, :files, :transfers
+	attr_accessor :thread
+
+
+protected
+
+	#
+	# See if there is anything to do.. If so, dispatch it.
+	#
+	def monitor_socket
+		while true
+			rds = [@sock]
+			wds = []
+			self.transfers.each do |tr|
+				if (not tr[:last_sent])
+					wds << @sock
+					break
+				end
+			end
+			eds = [@sock]
+
+			r,w,e = ::IO.select(rds,wds,eds,1)
+
+			if (r != nil and r[0] == self.sock)
+				buf,host,port = self.sock.recvfrom(65535)
+				# Lame compatabilitiy :-/
+				from = [host, port]
+				dispatch_request(from, buf)
+			end
+
+			#
+			# Check to see if transfers need maintenance
+			#
+			self.transfers.each do |tr|
+				# Are we awaiting an ack?
+				if (tr[:last_sent])
+					elapsed = Time.now - tr[:last_sent]
+					if (elapsed >= 3)
+						# max retries reached?
+						if (tr[:retries] < 3)
+							#puts "[-] ack timed out, resending block"
+							tr[:last_sent] = nil
+							tr[:retries] += 1
+						else
+							#puts "[-] maximum tries reached, terminating transfer"
+							self.transfers.delete(tr)
+						end
+					end
+				elsif (w != nil and w[0] == self.sock)
+					# No ack waiting, send next block..
+					chunk = tr[:file][:data].slice(tr[:offset], 512)
+					if (chunk and chunk.length >= 0)
+						pkt = [OpData, tr[:block]].pack('nn')
+						pkt << chunk
+						send_packet(tr[:from], pkt)
+						tr[:last_sent] = Time.now
+					else
+						# no more chunks.. transfer is most likely done.
+						self.transfers.delete(tr)
+					end
+				end
+			end
+		end
+	end
+
+
+	#
+	# Dispatch a packet that we received
+	#
+	def dispatch_request(from, buf)
+
+		op = buf.unpack('n')[0]
+		buf.slice!(0,2)
+
+		#start = "[*] TFTP - %s:%u - %s" % [from[0], from[1], OPCODES[op]]
+
+		case op
+		when OpRead
+			# Process RRQ packets
+			fn = TFTP::get_string(buf)
+			mode = TFTP::get_string(buf).downcase
+
+			#puts "%s %s %s" % [start, fn, mode]
+
+			if (not @shutting_down) and (file = self.find_file(fn))
+				self.transfers << {
+					:from => from,
+					:file => file,
+					:block => 1,
+					:offset => 0,
+					:last_sent => nil,
+					:retries => 0
+				}
+			else
+				#puts "[-] file not found!"
+				send_error(from, ErrFileNotFound)
+			end
+
+		when OpAck
+			# Process ACK packets
+			block = buf.unpack('n')[0]
+			#puts "%s %d" % [start, block]
+
+			self.transfers.each do |tr|
+				if (from == tr[:from] and block == tr[:block])
+					# acked! send the next block
+					tr[:block] += 1
+					tr[:offset] += 512
+					tr[:last_sent] = nil
+					tr[:retries] = 0
+				end
+			end
+
+		else
+			# Other packets are unsupported
+			#puts start
+			send_error(from, ErrAccessViolation)
+
+		end
+	end
+
+end
+
+end
+end
+end
+