librex 0.0.13 → 0.0.15

data/lib/rex/elfparsey/exceptions.rb

@@ -1,27 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: exceptions.rb 5413 2008-02-13 02:43:56Z ramon $
-
-module Rex
-module ElfParsey
-
-class ElfError < ::RuntimeError
-end
-
-class ParseError < ElfError
-end
-
-class ElfHeaderError < ParseError
-end
-
-class ProgramHeaderError < ParseError
-end
-
-class BoundsError < ElfError
-end
-
-class WtfError < ElfError
-end
-
-end
-end

data/lib/rex/elfscan.rb

@@ -1,12 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: elfscan.rb 5398 2008-02-06 17:31:57Z ramon $
-
-module Rex
-module ElfScan
-
-end
-end
-
-require 'rex/elfscan/scanner'
-require 'rex/elfscan/search'

data/lib/rex/elfscan/scanner.rb

@@ -1,207 +0,0 @@
-
-# $Id: scanner.rb 7320 2009-11-02 17:09:13Z hdm $
-
-module Rex
-module ElfScan
-module Scanner
-class Generic
-
-	attr_accessor :elf, :regex
-
-	def initialize(elf)
-		self.elf = elf
-	end
-
-	def config(param)
-	end
-
-	def scan(param)
-		config(param)
-
-		$stdout.puts "[#{param['file']}]"
-		elf.program_header.each do |program_header|
-
-			# Scan only loadable segment entries in the program header table
-			if program_header.p_type == Rex::ElfParsey::ElfBase::PT_LOAD
-				hits = scan_segment(program_header, param)
-				hits.each do |hit|
-					rva  = hit[0]
-					message  = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
-					$stdout.puts elf.ptr_s(rva) + " " + message
-				end
-			end
-
-		end
-	end
-
-	def scan_segment(program_header, param={})
-		[]
-	end
-end
-
-class JmpRegScanner < Generic
-
-	def config(param)
-		regnums = param['args']
-
-		# build a list of the call bytes
-		calls  = _build_byte_list(0xd0, regnums - [4]) # note call esp's don't work..
-		jmps   = _build_byte_list(0xe0, regnums)
-		pushs1 = _build_byte_list(0x50, regnums)
-		pushs2 = _build_byte_list(0xf0, regnums)
-
-		regexstr = '('
-		if !calls.empty?
-			regexstr += "\xff[#{calls}]|"
-		end
-
-		regexstr += "\xff[#{jmps}]|([#{pushs1}]|\xff[#{pushs2}])(\xc3|\xc2..))"
-
-		self.regex = Regexp.new(regexstr, nil, 'n')
-	end
-
-	# build a list for regex of the possible bytes, based on a base
-	# byte and a list of register numbers..
-	def _build_byte_list(base, regnums)
-		regnums.collect { |regnum| Regexp.escape((base | regnum).chr) }.join('')
-	end
-
-	def _ret_size(offset)
-		case elf.read(offset, 1)
-			when "\xc3"
-				return 1
-			when "\xc2"
-				return 3
-		end
-
-		raise "wtf"
-	end
-
-	def _parse_ret(data)
-		if data.length == 1
-			return "ret"
-		else
-			return "retn 0x%04x" % data[1, 2].unpack('v')[0]
-		end
-	end
-
-
-	def scan_segment(program_header, param={})
-		offset = program_header.p_offset
-
-		hits = []
-
-		while (offset = elf.index(regex, offset)) != nil
-
-			rva     = elf.offset_to_rva(offset)
-			message = ''
-
-			parse_ret = false
-
-			byte1 = elf.read(offset, 1).unpack('C')[0]
-
-			if byte1 == 0xff
-				byte2   = elf.read(offset+1, 1).unpack('C')[0]
-				regname = Rex::Arch::X86.reg_name32(byte2 & 0x7)
-
-				case byte2 & 0xf8
-				when 0xd0
-					message = "call #{regname}"
-					offset += 2
-				when 0xe0
-					message = "jmp #{regname}"
-					offset += 2
-				when 0xf0
-					retsize = _ret_size(offset+2)
-					message = "push #{regname}; " + _parse_ret(elf.read(offset+2, retsize))
-					offset += 2 + retsize
-				else
-					raise "wtf"
-				end
-			else
-				regname = Rex::Arch::X86.reg_name32(byte1 & 0x7)
-				retsize = _ret_size(offset+1)
-				message = "push #{regname}; " + _parse_ret(elf.read(offset+1, retsize))
-				offset += 1 + retsize
-			end
-
-			hits << [ rva, message ]
-		end
-
-		return hits
-	end
-end
-
-class PopPopRetScanner < JmpRegScanner
-
-	def config(param)
-		pops = _build_byte_list(0x58, (0 .. 7).to_a - [4]) # we don't want pop esp's...
-		self.regex = Regexp.new("[#{pops}][#{pops}](\xc3|\xc2..)", nil, 'n')
-	end
-
-	def scan_segment(program_header, param={})
-		offset = program_header.p_offset
-
-		hits = []
-
-		while offset < program_header.p_offset + program_header.p_filesz &&
-		(offset = elf.index(regex, offset)) != nil
-
-			rva     = elf.offset_to_rva(offset)
-			message = ''
-
-			pops = elf.read(offset, 2)
-			reg1 = Rex::Arch::X86.reg_name32(pops[0,1].unpack('C*')[0] & 0x7)
-			reg2 = Rex::Arch::X86.reg_name32(pops[1,1].unpack('C*')[0] & 0x7)
-
-			message = "pop #{reg1}; pop #{reg2}; "
-
-			retsize = _ret_size(offset+2)
-			message += _parse_ret(elf.read(offset+2, retsize))
-
-			offset += 2 + retsize
-
-			hits << [ rva, message ]
-		end
-
-		return hits
-	end
-end
-
-class RegexScanner < JmpRegScanner
-
-	def config(param)
-		self.regex = Regexp.new(param['args'], nil, 'n')
-	end
-
-	def scan_segment(program_header, param={})
-		offset = program_header.p_offset
-
-		hits = []
-
-		while offset < program_header.p_offset + program_header.p_filesz &&
-		(offset = elf.index(regex, offset)) != nil
-
-			idx = offset
-			buf = ''
-			mat = nil
-
-			while (! (mat = buf.match(regex)))
-				buf << elf.read(idx, 1)
-				idx += 1
-			end
-
-			rva = elf.offset_to_rva(offset)
-
-			hits << [ rva, buf.unpack("H*") ]
-			offset += buf.length
-		end
-
-		return hits
-	end
-end
-
-end
-end
-end
-

data/lib/rex/elfscan/search.rb

@@ -1,46 +0,0 @@
-#!/usr/bin/env ruby
-
-# $Id: search.rb 10173 2010-08-27 21:26:59Z jduck $
-
-module Rex
-module ElfScan
-module Search
-
-	class DumpRVA
-		attr_accessor :elf
-
-		def initialize(elf)
-			self.elf = elf
-		end
-
-		def config(param)
-			@address = param['args']
-		end
-
-		def scan(param)
-			config(param)
-
-			$stdout.puts "[#{param['file']}]"
-
-			# Adjust based on -A and -B flags
-			pre = param['before'] || 0
-			suf = param['after']  || 16
-
-			@address -= pre
-			@address = 0 if (@address < 0 || ! @address)
-			buf = elf.read_rva(@address, suf)
-			$stdout.puts elf.ptr_s(@address) + " " + buf.unpack("H*")[0]
-		end
-	end
-
-	class DumpOffset < DumpRVA
-		def config(param)
-			begin
-				@address = elf.offset_to_rva(param['args'])
-			rescue Rex::ElfParsey::BoundsError
-			end
-		end
-	end
-end
-end
-end

data/lib/rex/encoder/alpha2.rb

@@ -1,31 +0,0 @@
-#!/usr/bin/env ruby
-
-#
-# ________________________________________________________________________________
-# 
-#     ,sSSs,,s,  ,sSSSs,  ALPHA 2: Zero-tolerance. (build 07)
-#    SS"  Y$P"  SY"  ,SY
-#   iS'   dY       ,sS"   Unicode-proof uppercase alphanumeric shellcode encoding.
-#   YS,  dSb    ,sY"      Copyright (C) 2003, 2004 by Berend-Jan Wever.
-#   `"YSS'"S' 'SSSSSSSP   <skylined@edup.tudelft.nl>
-# ________________________________________________________________________________
-#
-
-#
-# make sure the namespace is created
-#
-
-module Rex
-module Encoder
-module Alpha2
-end end end
-
-#
-# include the Alpha2 encodings
-#
-
-require 'rex/encoder/alpha2/generic'
-require 'rex/encoder/alpha2/alpha_mixed'
-require 'rex/encoder/alpha2/alpha_upper'
-require 'rex/encoder/alpha2/unicode_mixed'
-require 'rex/encoder/alpha2/unicode_upper'

data/lib/rex/encoder/alpha2/alpha_mixed.rb

@@ -1,68 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/encoder/alpha2/generic'
-
-module Rex
-module Encoder
-module Alpha2
-
-class AlphaMixed < Generic
-
-	def self.gen_decoder_prefix(reg, offset)
-		if (offset > 32)
-			raise "Critical: Offset is greater than 32"
-		end
-
-		# use inc ebx as a nop here so we still pad correctly
-		if (offset <= 16)
-			nop = 'C' * offset
-			mod = 'I' * (16 - offset) + nop + '7QZ'    # dec ecx,,, push ecx, pop edx
-			edxmod = 'J' * (17 - offset)
-		else
-			mod = 'A' * (offset - 16) 
-			nop = 'C' * (16 - mod.length)
-			mod << nop + '7QZ'
-			edxmod = 'B' * (17 - (offset - 16))
-		end
-		regprefix = {
-			'EAX'   => 'PY' + mod,                         # push eax, pop ecx
-			'ECX'   => 'I' + mod,                          # dec ecx
-			'EDX'   =>  edxmod + nop + '7RY',			   # dec edx,,, push edx, pop ecx
-			'EBX'   => 'SY' + mod,                         # push ebx, pop ecx
-			'ESP'   => 'TY' + mod,                         # push esp, pop ecx
-			'EBP'   => 'UY' + mod,                         # push ebp, pop ecx
-			'ESI'   => 'VY' + mod,                         # push esi, pop ecx
-			'EDI'   => 'WY' + mod,                         # push edi, pop ecx
-		}
-
-		reg.upcase!
-		if (not regprefix.keys.include? reg)
-			raise ArgumentError.new("Invalid register name")
-		end
-		return regprefix[reg]
-	end
-
-	def self.gen_decoder(reg, offset)
-		decoder =
-			 gen_decoder_prefix(reg, offset) +
-			 "jA" +          # push 0x41
-			 "X" +           # pop eax
-			 "P" +           # push eax 
-			 "0A0" +         # xor byte [ecx+30], al
-			 "A" +           # inc ecx                        <---
-			 "kAAQ" +        # imul eax, [ecx+42], 51 -> 10       |
-			 "2AB" +         # xor al, [ecx + 42]                 |
-			 "2BB" +         # xor al, [edx + 42]                 |
-			 "0BB" +         # xor [edx + 42], al                 |
-			 "A" +           # inc ecx                            |
-			 "B" +           # inc edx                            |
-			 "X" +           # pop eax                            |
-			 "P" +           # push eax                           |
-			 "8AB" +         # cmp [ecx + 42], al                 |
-			 "uJ" +          # jnz short -------------------------
-			 "I"             # first encoded char, fixes the above J
-
-		return decoder
-	end
-
-end end end end

data/lib/rex/encoder/alpha2/alpha_upper.rb

@@ -1,79 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rex/encoder/alpha2/generic'
-
-module Rex
-module Encoder
-module Alpha2
-
-class AlphaUpper < Generic
-	def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
-	
-	def self.gen_decoder_prefix(reg, offset)
-		if (offset > 20)
-			raise "Critical: Offset is greater than 20"
-		end
-
-		# use inc ebx as a nop here so we still pad correctly
-		if (offset <= 10)
-			nop = 'C' * offset
-			mod = 'I' * (10 - offset) + nop + 'QZ'    # dec ecx,,, push ecx, pop edx
-			edxmod = 'J' * (11 - offset)
-		else
-			mod = 'A' * (offset - 10)
-			nop = 'C' * (10 - mod.length)
-			mod << nop + 'QZ'
-			edxmod = 'B' * (11 - (offset - 10))
-		end
-		regprefix = {
-			'EAX'   => 'PY' + mod,                        # push eax, pop ecx
-			'ECX'   => 'I' + mod,                         # dec ecx
-			'EDX'   =>  edxmod + nop + 'RY',  			  # mod edx,,, push edx, pop ecx
-			'EBX'   => 'SY' + mod,                        # push ebx, pop ecx
-			'ESP'   => 'TY' + mod,                        # push esp, pop ecx
-			'EBP'   => 'UY' + mod,                        # push ebp, pop ecx
-			'ESI'   => 'VY' + mod,                        # push esi, pop ecx
-			'EDI'   => 'WY' + mod,                        # push edi, pop edi
-		}
-
-		reg.upcase!
-		if (not regprefix.keys.include? reg)
-			raise ArgumentError.new("Invalid register name")
-		end
-		return regprefix[reg]
-
-	end
-
-	def self.gen_decoder(reg, offset)
-		decoder =
-			gen_decoder_prefix(reg, offset) +
-			"V" +           # push esi
-			"T" +           # push esp
-			"X" +           # pop eax 
-			"30" +          # xor esi, [eax]
-			"V" +           # push esi
-			"X" +           # pop eax
-			"4A" +          # xor al, 41
-			"P" +           # push eax 
-			"0A3" +         # xor [ecx+33], al
-			"H" +           # dec eax
-			"H" +           # dec eax
-			"0A0" +         # xor [ecx+30], al
-			"0AB" +         # xor [ecx+42], al
-			"A" +           # inc ecx   <---------------
-			"A" +           # inc ecx                   |
-			"B" +           # inc edx                   |
-			"TAAQ" +        # imul eax, [ecx+41], 10 *  | 
-			"2AB" +         # xor al [ecx+42]           |
-			"2BB" +         # xor al, [edx+42]          |
-			"0BB" +         # xor [edx+42], al          |
-			"X" +           # pop eax                   |
-			"P" +           # push eax                  |
-			"8AC" +         # cmp [ecx+43], al          |
-			"JJ" +          # jnz * --------------------
-			"I"             # first encoded char, fixes the above J
-
-		return decoder
-	end
-
-end end end end