librex 0.0.1

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb

@@ -0,0 +1,51 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The password database portion of the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Passwd
+
+	Klass = Console::CommandDispatcher::Priv::Passwd
+
+	include Console::CommandDispatcher
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"hashdump" => "Dumps the contents of the SAM database"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Password database"
+	end
+
+	#
+	# Displays the contents of the SAM database
+	#
+	def cmd_hashdump(*args)
+		client.priv.sam_hashes.each { |user|
+			print_line("#{user}")
+		}
+		
+		return true
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

@@ -0,0 +1,132 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# This class provides commands that interact with the timestomp feature set of
+# the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Timestomp
+
+	Klass = Console::CommandDispatcher::Priv::Timestomp
+
+	include Console::CommandDispatcher
+
+	@@timestomp_opts = Rex::Parser::Arguments.new(
+		"-m" => [ true,  "Set the \"last written\" time of the file" ],
+		"-a" => [ true,  "Set the \"last accessed\" time of the file" ],
+		"-c" => [ true,  "Set the \"creation\" time of the file" ],
+		"-e" => [ true,  "Set the \"mft entry modified\" time of the file" ],
+		"-z" => [ true,  "Set all four attributes (MACE) of the file" ],
+		"-f" => [ true,  "Set the MACE of attributes equal to the supplied file" ],
+		"-b" => [ false, "Set the MACE timestamps so that EnCase shows blanks" ],
+		"-r" => [ false, "Set the MACE timestamps recursively on a directory" ],
+		"-v" => [ false, "Display the UTC MACE values of the file" ],
+		"-h" => [ false, "Help banner" ])
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"timestomp" => "Manipulate file MACE attributes"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Timestomp"
+	end
+
+	#
+	# This command provides the same level of features that vinnie's command
+	# line timestomp interface provides with a similar argument set.
+	#
+	def cmd_timestomp(*args)
+		if (args.length < 2)
+			print_line("\nUsage: timestomp file_path OPTIONS\n" +
+				@@timestomp_opts.usage)
+			return
+		end
+
+		file_path = args.shift
+		modified  = nil
+		accessed  = nil
+		creation  = nil
+		emodified = nil
+
+		@@timestomp_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-m"
+					modified  = str_to_time(val)
+				when "-a"
+					accessed  = str_to_time(val)
+				when "-c"
+					creation  = str_to_time(val)
+				when "-e"
+					emodified = str_to_time(val)
+				when "-z"
+					puts "#{val}"
+					modified  = str_to_time(val)
+					accessed  = str_to_time(val)
+					creation  = str_to_time(val)
+					emodified = str_to_time(val)
+				when "-f"
+					print_status("Setting MACE attributes on #{file_path} from #{val}")
+					client.priv.fs.set_file_mace_from_file(file_path, val)
+				when "-b"
+					print_status("Blanking file MACE attributes on #{file_path}")
+					client.priv.fs.blank_file_mace(file_path)
+				when "-r"
+					print_status("Blanking directory MACE attributes on #{file_path}")
+					client.priv.fs.blank_directory_mace(file_path)
+				when "-v"
+					hash = client.priv.fs.get_file_mace(file_path)
+
+					print_line("Modified      : #{hash['Modified']}")
+					print_line("Accessed      : #{hash['Accessed']}")
+					print_line("Created       : #{hash['Created']}")
+					print_line("Entry Modified: #{hash['Entry Modified']}")
+				when "-h"
+					print_line("\nUsage: timestomp file_path OPTIONS\n" +
+						@@timestomp_opts.usage)
+					return
+			end
+		}
+
+		# If any one of the four times were specified, change them.
+		if (modified or accessed or creation or emodified)
+			print_status("Setting specific MACE attributes on #{file_path}")
+			client.priv.fs.set_file_mace(file_path, modified, accessed, 
+				creation, emodified)
+		end
+	end
+
+protected
+
+	#
+	# Converts a date/time in the form of MM/DD/YYYY HH24:MI:SS
+	#
+	def str_to_time(str) # :nodoc:
+		r, mon, day, year, hour, min, sec = str.match("^(\\d+?)/(\\d+?)/(\\d+?) (\\d+?):(\\d+?):(\\d+?)$").to_a
+
+		if (mon == nil)
+			raise ArgumentError, "Invalid date format, expected MM/DD/YYYY HH24:MI:SS (got #{str})"
+		end
+
+		Time.mktime(year, mon, day, hour, min, sec, 0)
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb

@@ -0,0 +1,187 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Packet sniffer extension user interface.
+#
+###
+class Console::CommandDispatcher::Sniffer
+
+	Klass = Console::CommandDispatcher::Sniffer
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the sniffer command interaction.
+	#
+	def initialize(shell)
+		super
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"sniffer_interfaces" => "Enumerate all sniffable network interfaces",
+			"sniffer_start" => "Start packet capture on a specific interface",
+			"sniffer_stop"  => "Stop packet capture on a specific interface",
+			"sniffer_stats" => "View statistics of an active capture",
+			"sniffer_dump"  => "Retrieve captured packet data to PCAP file",
+		}
+	end
+
+
+	def cmd_sniffer_interfaces(*args)
+		
+		ifaces = client.sniffer.interfaces()
+
+		print_line()
+
+		ifaces.each do |i|
+			print_line(sprintf("%d - '%s' ( type:%d mtu:%d usable:%s dhcp:%s wifi:%s )", 
+				i['idx'], i['description'],
+				i['type'], i['mtu'], i['usable'], i['dhcp'], i['wireless'])
+			)
+		end
+		
+		print_line()
+
+		return true
+	end
+	
+	def cmd_sniffer_start(*args)
+		intf = args[0].to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_start [interface-id] [packet-buffer (1-200000)]")
+			return
+		end
+		maxp = args[1].to_i
+		maxp = 50000 if maxp == 0
+		 
+		client.sniffer.capture_start(intf, maxp)
+		print_status("Capture started on interface #{intf} (#{maxp} packet buffer)")
+		return true
+	end
+	
+	def cmd_sniffer_stop(*args)
+	   intf = args[0].to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_stop [interface-id]")
+			return
+		end
+		
+		client.sniffer.capture_stop(intf)
+		print_status("Capture stopped on interface #{intf}")
+		return true
+	end
+	
+	def cmd_sniffer_stats(*args)
+	   intf = args[0].to_i
+		if (intf == 0)
+			print_error("Usage: sniffer_stats [interface-id]")
+			return
+		end
+		
+		stats = client.sniffer.capture_stats(intf)
+		print_status("Capture statistics for interface #{intf}")
+		stats.each_key do |k|
+			puts "\t#{k}: #{stats[k]}"
+		end
+		
+		return true		
+	end
+	
+	def cmd_sniffer_dump(*args)
+	   intf = args[0].to_i
+		if (intf == 0 or not args[1])
+			print_error("Usage: sniffer_dump [interface-id] [pcap-file]")
+			return
+		end
+		
+		path_cap = args[1]
+		path_raw = args[1] + '.raw'
+		
+		fd = ::File.new(path_raw, 'wb+')
+		
+		print_status("Flushing packet capture buffer for interface #{intf}...")
+		res = client.sniffer.capture_dump(intf)
+		print_status("Flushed #{res[:packets]} packets (#{res[:bytes]} bytes)")
+		
+		bytes_all = res[:bytes] || 0
+		bytes_got = 0
+		bytes_pct = 0
+
+		while (bytes_all > 0)
+			res = client.sniffer.capture_dump_read(intf,1024*512)
+			
+			bytes_got += res[:bytes]
+
+			pct = ((bytes_got.to_f / bytes_all.to_f) * 100).to_i
+			if(pct > bytes_pct)
+				print_status("Downloaded #{"%.3d" % pct}% (#{bytes_got}/#{bytes_all})...")
+				bytes_pct = pct
+			end		
+			break if res[:bytes] == 0
+			fd.write(res[:data])
+		end
+		
+		fd.close
+		
+		print_status("Download completed, converting to PCAP...")
+		
+		fd = nil
+		if(::File.exist?(path_cap))
+			fd = ::File.new(path_cap, 'ab+')
+		else
+			fd = ::File.new(path_cap, 'wb+')
+			fd.write([0xa1b2c3d4, 2, 4, 0, 0, 65536, 1].pack('NnnNNNN'))
+		end	
+
+		pkts = {}		
+		od = ::File.new(path_raw, 'rb')
+
+
+		# TODO: reorder packets based on the ID (only an issue if the buffer wraps)
+		while(true)
+			buf = od.read(20)
+			break if not buf
+		
+			idh,idl,thi,tlo,len = buf.unpack('N5')
+			break if not len
+			if(len > 10000) 
+				print_error("Corrupted packet data (length:#{len})")
+				break
+			end
+			
+			pkt_id = (idh << 32) +idl
+			pkt_ts = Rex::Proto::SMB::Utils.time_smb_to_unix(thi,tlo)
+			pkt    = od.read(len)
+			
+			fd.write([pkt_ts,0,len,len].pack('NNNN')+pkt)
+		end
+		od.close
+		fd.close
+		
+		::File.unlink(path_raw)
+		print_status("PCAP file written to #{path_cap}")
+	end	
+	
+	#
+	# Name for this dispatcher
+	# sni
+	def name
+		"Sniffer"
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb

@@ -0,0 +1,63 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Standard API extension.
+#
+###
+class Console::CommandDispatcher::Stdapi
+
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs'
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net'
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys'
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui'
+
+	Klass = Console::CommandDispatcher::Stdapi
+
+	Dispatchers = 
+		[
+			Klass::Fs,
+			Klass::Net,
+			Klass::Sys,
+			Klass::Ui,
+		]
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the stdapi command interaction.
+	#
+	def initialize(shell)
+		super
+
+		Dispatchers.each { |d|
+			shell.enstack_dispatcher(d)
+		}
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+		}
+	end
+
+	#
+	# Name for this dispatcher
+	#
+	def name
+		"Standard extension"
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -0,0 +1,376 @@
+require 'tempfile'
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The file system portion of the standard API extension.
+#
+###
+class Console::CommandDispatcher::Stdapi::Fs
+
+	Klass = Console::CommandDispatcher::Stdapi::Fs
+
+	include Console::CommandDispatcher
+
+	#
+	# Options for the download command.
+	#
+	@@download_opts = Rex::Parser::Arguments.new(
+		"-r" => [ false, "Download recursively." ])
+	#
+	# Options for the upload command.
+	#
+	@@upload_opts = Rex::Parser::Arguments.new(
+		"-r" => [ false, "Upload recursively." ])
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"cat"      => "Read the contents of a file to the screen",
+			"cd"       => "Change directory",
+			"download" => "Download a file or directory",
+			"edit"     => "Edit a file",
+			"getwd"    => "Print working directory",
+			"ls"       => "List files",
+			"mkdir"    => "Make directory",
+			"pwd"      => "Print working directory",
+			"rmdir"    => "Remove directory",
+			"upload"   => "Upload a file or directory",
+			"lcd"      => "Change local working directory",
+			"getlwd"   => "Print local working directory",
+			"lpwd"     => "Print local working directory",
+			"rm"       => "Delete the specified file",
+			"del"       => "Delete the specified file"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Stdapi: File system"
+	end
+
+	#
+	# Reads the contents of a file and prints them to the screen.
+	#
+	def cmd_cat(*args)
+		if (args.length == 0)
+			print_line("Usage: cat file")
+			return true
+		end
+
+		fd = client.fs.file.new(args[0], "rb")
+
+		until fd.eof?
+			print(fd.read)
+		end
+
+		fd.close
+
+		true
+	end
+
+	#
+	# Change the working directory.
+	#
+	def cmd_cd(*args)
+		if (args.length == 0)
+			print_line("Usage: cd directory")
+			return true
+		end
+
+		client.fs.dir.chdir(args[0])
+
+		return true
+	end
+
+	#
+	# Change the local working directory.
+	#
+	def cmd_lcd(*args)
+		if (args.length == 0)
+			print_line("Usage: lcd directory")
+			return true
+		end
+
+		::Dir.chdir(args[0])
+
+		return true
+	end
+	
+	#
+	# Delete the specified file.
+	#
+	def cmd_rm(*args)
+		if (args.length == 0)
+			print_line("Usage: rm file")
+			return true
+		end
+
+		client.fs.file.rm(args[0])
+
+		return true
+	end
+	
+	alias :cmd_del :cmd_rm
+	
+	#
+	# Downloads a file or directory from the remote machine to the local
+	# machine.
+	#
+	def cmd_download(*args)
+		if (args.empty?)
+			print(
+				"Usage: download [options] src1 src2 src3 ... destination\n\n" +
+				"Downloads remote files and directories to the local machine.\n" +
+				@@download_opts.usage)
+			return true
+		end
+
+		recursive = false
+		src_items = []
+		last      = nil
+		dest      = nil
+
+		@@download_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-r"
+					recursive = true
+				when nil
+					if (last)
+						src_items << last
+					end
+
+					last = val
+			end
+		}
+
+		return true if not last
+
+		# Source and destination will be the same
+		src_items << last if src_items.empty?
+
+		dest = last
+
+		# Go through each source item and download them
+		src_items.each { |src|
+			stat = client.fs.file.stat(src)
+
+			if (stat.directory?)
+				client.fs.dir.download(dest, src, recursive) { |step, src, dst|
+					print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+				}
+			elsif (stat.file?)
+				client.fs.file.download(dest, src) { |step, src, dst|
+					print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+				}
+			end
+		}
+		
+		return true
+	end
+
+	#
+	# Downloads a file to a temporary file, spawns and editor, and then uploads
+	# the contents to the remote machine after completion.
+	#
+	def cmd_edit(*args)
+		if (args.length == 0)
+			print_line("Usage: edit file")
+			return true
+		end
+
+		# Get a temporary file path
+		temp_path = Tempfile.new('meterp').path
+
+		begin
+			# Download the remote file to the temporary file
+			client.fs.file.download_file(temp_path, args[0])
+		rescue RequestError => re
+			# If the file doesn't exist, then it's okay.  Otherwise, throw the
+			# error.
+			if re.result != 2
+				raise $!
+			end
+		end
+
+		# Spawn the editor (default to vi)
+		editor = Rex::Compat.getenv('EDITOR') || 'vi'
+
+		# If it succeeds, upload it to the remote side.
+		if (system("#{editor} #{temp_path}") == true)
+			client.fs.file.upload_file(args[0], temp_path)
+		end
+
+		# Get rid of that pesky temporary file
+		temp_path.close(true)
+	end
+
+	#
+	# Display the local working directory.
+	#
+	def cmd_lpwd(*args)
+		print_line(::Dir.pwd)
+		return true
+	end
+
+	alias cmd_getlwd cmd_lpwd
+
+	#
+	# Lists files
+	#
+	# TODO: make this more useful
+	#
+	def cmd_ls(*args)
+		path = args[0] || client.fs.dir.getwd
+		tbl  = Rex::Ui::Text::Table.new(
+			'Header'  => "Listing: #{path}",
+			'Columns' => 
+				[
+					'Mode',
+					'Size',
+					'Type',
+					'Last modified',
+					'Name',
+				])
+
+		items = 0
+
+		# Enumerate each item...
+		client.fs.dir.entries_with_info(path).sort { |a,b| a['FileName'] <=> b['FileName'] }.each { |p|
+
+			tbl << 
+				[ 
+					p['StatBuf'] ? p['StatBuf'].prettymode : '',
+					p['StatBuf'] ? p['StatBuf'].size       : '', 
+					p['StatBuf'] ? p['StatBuf'].ftype[0,3] : '', 
+					p['StatBuf'] ? p['StatBuf'].mtime      : '', 
+					p['FileName'] || 'unknown'
+				]
+
+			items += 1
+		}
+
+		if (items > 0)
+			print("\n" + tbl.to_s + "\n")
+		else
+			print_line("No entries exist in #{path}")
+		end
+
+		return true
+	end
+
+	#
+	# Make one or more directory.
+	#
+	def cmd_mkdir(*args)
+		if (args.length == 0)
+			print_line("Usage: mkdir dir1 dir2 dir3 ...")
+			return true
+		end
+
+		args.each { |dir|
+			print_line("Creating directory: #{dir}")
+
+			client.fs.dir.mkdir(dir)
+		}
+
+		return true
+	end
+
+	#
+	# Display the working directory.
+	#
+	def cmd_pwd(*args)
+		print_line(client.fs.dir.getwd)
+	end
+
+	alias cmd_getwd cmd_pwd
+
+	#
+	# Removes one or more directory if it's empty.
+	#
+	def cmd_rmdir(*args)
+		if (args.length == 0)
+		 	print_line("Usage: rmdir dir1 dir2 dir3 ...")
+			return true
+		end
+
+		args.each { |dir|
+			print_line("Removing directory: #{dir}")
+			client.fs.dir.rmdir(dir)
+		}
+
+		return true
+	end
+
+	#
+	# Uploads a file or directory to the remote machine from the local
+	# machine.
+	#
+	def cmd_upload(*args)
+		if (args.empty?)
+			print(
+				"Usage: upload [options] src1 src2 src3 ... destination\n\n" +
+				"Uploads local files and directories to the remote machine.\n" +
+				@@upload_opts.usage)
+			return true
+		end
+
+		recursive = false
+		src_items = []
+		last      = nil
+		dest      = nil
+
+		@@upload_opts.parse(args) { |opt, idx, val|
+			case opt
+				when "-r"
+					recursive = true
+				when nil
+					if (last)
+						src_items << last
+					end
+
+					last = val
+			end
+		}
+
+		return true if not last
+
+		# Source and destination will be the same
+		src_items << last if src_items.empty?
+
+		dest = last
+
+		# Go through each source item and upload them
+		src_items.each { |src|
+			stat = ::File.stat(src)
+
+			if (stat.directory?)
+				client.fs.dir.upload(dest, src, recursive) { |step, src, dst|
+					print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+				}
+			elsif (stat.file?)
+				client.fs.file.upload(dest, src) { |step, src, dst|
+					print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+				}
+			end
+		}
+		
+		return true
+	end
+
+end
+
+end
+end
+end
+end