librex 0.0.35 → 0.0.36

data/lib/rex/parser/burp_session_nokogiri.rb

@@ -0,0 +1,290 @@
+require File.join(File.expand_path(File.dirname(__FILE__)),"nokogiri_doc_mixin")
+
+module Rex
+	module Parser
+
+		# If Nokogiri is available, define Burp Session document class. 
+		#
+		# Burp Session XML files actually provide a lot, but since it also
+		# provides the originating url, we can pull most of the detail from
+		# the URI object.
+		load_nokogiri && class BurpSessionDocument < Nokogiri::XML::SAX::Document
+
+		include NokogiriDocMixin
+
+		# The resolver prefers your local /etc/hosts (or windows equiv), but will
+		# fall back to regular DNS. It retains a cache for the import to avoid 
+		# spamming your network with DNS requests.
+		attr_reader :resolv_cache 
+
+		# Since we try to resolve every time we hit a new web page, need to
+		# hang on to our misses. Presume that it's a permanent enough failure
+		# that it won't get fixed during this particular import
+		attr_reader :missed_cache
+
+		# If name resolution of the host fails out completely, you will not be
+		# able to import that Scan task. Other scan tasks in the same report
+		# should be unaffected.
+		attr_reader :parse_warning
+
+		def start_document
+			@parse_warnings = []
+			@parse_warned = []
+			@resolv_cache = {}
+			@missed_cache = []
+		end
+
+		def start_element(name=nil,attrs=[])
+			attrs = normalize_attrs(attrs)
+			block = @block
+			@state[:current_tag][name] = true
+			case name
+			when "host", "port", "protocol", "path"
+				@state[:has_text] = true
+			when "status"
+				@state[:has_text] = true
+			when "response"
+				@state[:has_text] = true
+			end
+		end
+
+		def end_element(name=nil)
+			block = @block
+			case name
+			when "item" # Wrap up this item, but keep resolved web sites 
+				collect_uri
+				report_web_site(&block)
+				handle_parse_warnings(&block)
+				report_web_page(&block)
+				report_web_service_info
+				report_web_host_info
+				# Reset the state once we close a host
+				@state = @state.select {|k| [:current_tag, :web_sites].include? k}
+			when "host"
+				@state[:has_text] = false
+				collect_host
+				@text = nil
+			when "port"
+				@state[:has_text] = false
+				collect_port
+				@text = nil
+			when "protocol"
+				@state[:has_text] = false
+				collect_protocol
+				@text = nil
+			when "path"
+				@state[:has_text] = false
+				collect_path_and_query
+				@text = nil
+			when "status"
+				@state[:has_text] = false
+				collect_status
+				@text = nil
+			when "response"
+				@state[:has_text] = false
+				collect_response
+				@text = nil
+			end
+			@state[:current_tag].delete name
+		end
+
+		def collect_host
+			return unless in_item
+			return unless has_text
+			@state[:host] = @text
+		end
+
+		def collect_port
+			return unless in_item
+			return unless has_text
+			return unless @text.to_i.to_s == @text.to_s
+			@state[:port] = @text.to_i
+		end
+
+		def collect_protocol
+			return unless in_item
+			return unless has_text
+			@state[:protocol] = @text
+		end
+
+		def collect_path_and_query
+			return unless in_item
+			return unless has_text
+			path,query = @text.split(/\?+/,2)
+			return unless path
+			if query
+				@state[:query] = "?#{query}" # Can be nil
+			end
+			if path =~ /https?:[\x5c\x2f][\x5c\x2f]+[^\x5c\x2f][^\x5c\x2f]+([^?]+)/
+				real_path = "/#{$1}"
+			else
+				real_path = path
+			end
+			@state[:path] = real_path
+		end
+
+		def collect_status
+			return unless in_item
+			return unless has_text
+			return unless @text.to_i.to_s == @text
+			@state[:status] = @text.to_i
+		end
+
+		def collect_uri
+			return unless in_item
+			return unless @state[:host]
+			return unless @state[:port]
+			return unless @state[:protocol]
+			return unless @state[:path]
+			url = @state[:protocol].to_s
+			url << "://"
+			url << @state[:host].to_s
+			url << ":"
+			url << @state[:port].to_s
+			url << @state[:path]
+			if @state[:query]
+				url << "?"
+				url << @state[:query]
+			end
+			@state[:uri] = URI.parse(url) rescue nil
+		end
+
+		def report_web_host_info
+			return unless @state[:web_site]
+			return unless @state[:uri].kind_of? URI::HTTP
+			return unless @state[:web_site].service.host.name.to_s.empty?
+			host_info = {:workspace => @args[:wspace]}
+			host_info[:address] = @state[:web_site].service.host.address
+			host_info[:name] = @state[:uri].host
+			report_db(:host, host_info)
+		end
+
+		def report_web_service_info
+			return unless @state[:web_site]
+			return unless @state[:service_info]
+			return unless @state[:web_site].service.info.to_s.empty?
+			service_info = {}
+			service_info[:host] = @state[:web_site].service.host
+			service_info[:port] = @state[:web_site].service.port
+			service_info[:proto] = @state[:web_site].service.proto
+			service_info[:info] = @state[:service_info]
+			db_report(:service, service_info)
+		end
+
+		def report_web_page(&block)
+			return unless @state[:uri].kind_of? URI::HTTP
+			return unless @state[:status]
+			return unless @state[:web_site]
+			return unless @state[:response_headers].kind_of? Hash
+			headers = {}
+			@state[:response_headers].each do |k,v|
+				headers[k.to_s.downcase] ||= []
+				headers[k.to_s.downcase] << v
+			end
+			if headers["server"].kind_of? Array
+				@state[:service_info] = headers["server"].first
+			end
+			return unless @state[:response_body]
+			web_page_info = {:workspace => @args[:wspace]}
+			web_page_info[:web_site] = @state[:web_site]
+			web_page_info[:code] = @state[:status]
+			web_page_info[:path] = @state[:uri].path
+			web_page_info[:headers] = headers
+			web_page_info[:body] = @state[:response_body]
+			web_page_info[:query] = @state[:uri].query
+			url = @state[:uri].to_s.gsub(/\?.*/,"")
+			db.emit(:web_page, url, &block) if block
+			db_report(:web_page, web_page_info)
+		end
+
+		def report_web_site(&block)
+			return unless @state[:uri].kind_of? URI::HTTP
+			vhost = @state[:uri].host
+			web_site_info = {:workspace => @args[:wspace]}
+			web_site_info[:vhost] = vhost
+			address = resolve_vhost_address(@state[:uri])
+			return unless address
+			web_site_info[:host] = address
+			web_site_info[:port] = @state[:uri].port
+			web_site_info[:ssl]  = @state[:uri].kind_of? URI::HTTPS
+			web_site_obj = db_report(:web_site, web_site_info)
+			return unless web_site_obj
+			@state[:web_sites] ||= []
+			url = "#{@state[:uri].scheme}://#{@state[:uri].host}:#{@state[:uri].port}"
+			unless @state[:web_sites].include? web_site_obj
+				db.emit(:web_site, url, &block)
+				@state[:web_sites] << web_site_obj
+			end
+			@state[:web_site] = web_site_obj
+		end
+
+		def collect_response
+			return unless in_item
+			return unless has_text
+			response_text = @text.dup
+			response_header_text,response_body_text = response_text.split(/\r*\n\r*\n/n,2)
+			return unless response_header_text
+			response_header = Rex::Proto::Http::Packet::Header.new
+			response_header.from_s response_header_text
+			@state[:response_headers] = response_header
+			@state[:response_body] = response_body_text
+		end
+
+		def in_item
+			return false unless in_tag("item")
+			return false unless in_tag("items")
+			return true
+		end
+
+		def has_text
+			return false unless @text
+			return false if @text.strip.empty?
+			@text = @text.strip
+		end
+
+		def handle_parse_warnings(&block)
+			return if @parse_warnings.empty?
+			return unless block
+			@parse_warnings.each_with_index do |pwarn,i|
+				unless @parse_warned.include? i
+					db.emit(:warning, pwarn, &block) 
+					@parse_warned << i
+				end
+			end
+		end
+
+		def resolve_address(host)
+			return @resolv_cache[host] if @resolv_cache[host]
+			return false if @missed_cache.include? host
+			address = Rex::Socket.resolv_to_dotted(host) rescue nil
+			@resolv_cache[host] = address
+			if address
+				block = @block
+				db.emit(:address, address, &block) if block
+			else
+				@missed_cache << host
+			end
+			return address
+		end
+
+		# Alias this 
+		def resolve_vhost_address(uri)
+			if uri.host
+				address = resolve_address(uri.host)
+				case address
+				when false
+					return false
+				when nil
+					@parse_warnings << "Could not resolve address for '#{uri.host}', skipping."
+				end
+			else
+				@parse_warnings << "Could not determine a host for this import."
+			end
+			address
+		end
+
+	end
+
+end
+end
+

data/lib/rex/parser/nokogiri_doc_mixin.rb

@@ -126,7 +126,8 @@ module Parser
 			nonempty_data = data.reject {|k,v| v.nil?}
 			valid_attrs = db_valid_attributes(table)
 			raise "Unknown table `#{table}'" if valid_attrs.empty?
-			if table == :note # Notes don't whine about extra stuff
+			case table
+			when :note, :web_site, :web_page, :web_form, :web_vuln
 				just_the_facts = nonempty_data
 			else
 				just_the_facts = nonempty_data.select {|k,v| valid_attrs.include? k.to_s.to_sym}
@@ -149,8 +150,9 @@ module Parser
 			when :vuln
 				Msf::DBManager::Vuln.new.attribute_names.map {|x| x.to_sym} |
 					[:host, :refs, :workspace, :port, :proto]
-			when :note
-					[:anything]
+			when :note, :web_site, :web_page, :web_form, :web_vuln
+				# These guys don't complain
+				[:anything]
 			else
 				[]
 			end

data/lib/rex/pescan/scanner.rb

@@ -31,6 +31,7 @@ module Scanner
 					if(param['disasm'])
 						#puts [msg].pack('H*').inspect
 						insns = []
+				
 						msg.gsub!("; ", "\n")
 						if msg.include?("retn")
 							msg.gsub!("retn", "ret")
@@ -39,7 +40,7 @@ module Scanner
 						begin
 							d2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, msg).disassemble
 						rescue Metasm::ParseError
-							d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [msg].pack('H*')[0])
+							d2 = Metasm::Shellcode.disassemble(Metasm::Ia32.new, [msg].pack('H*'))
 						end
 						addr = 0
 						while ((di = d2.disassemble_instruction(addr)))

data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb

@@ -79,6 +79,8 @@ KEY_CREATE_SUB_KEY       = 0x00000004
 KEY_ENUMERATE_SUB_KEYS   = 0x00000008
 KEY_NOTIFY               = 0x00000010
 KEY_CREATE_LINK          = 0x00000020
+KEY_WOW64_64KEY          = 0x00000100
+KEY_WOW64_32KEY          = 0x00000200
 KEY_READ                 = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | 
                             KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
 KEY_WRITE                = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | 

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb

@@ -17,6 +17,11 @@ class Def_netapi32
 			["PWCHAR","username","in"],
 			])
 
+		railgun.add_function( 'netapi32', 'NetGetJoinInformation', 'DWORD',[
+			["PBLOB","lpServer","in"],
+			["PDWORD","lpNameBugger","out"],
+			["PDWORD","BufferType","out"]
+			])
 	end
 	
 end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb

@@ -7,6 +7,7 @@ require 'rex/post/meterpreter/extensions/stdapi/constants'
 require 'rex/post/meterpreter/extensions/stdapi/stdapi'
 require 'rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key'
 require 'rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value'
+require 'rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key'
 
 module Rex
 module Post
@@ -44,9 +45,37 @@ class Registry
 			return RegistrySubsystem::RegistryKey.new(client, root_key, base_key, perm, root_key)
 		end
 
-		return self.create_key(root_key, base_key, perm)
+		request = Packet.create_request('stdapi_registry_open_key')
+
+		request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
+		request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
+		request.add_tlv(TLV_TYPE_PERMISSION, perm)
+
+		response = client.send_request(request)
+
+		return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RegistryKey.new(
+				client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
 	end
 
+	#
+	# Opens the supplied registry key on the specified remote host. Requires that the
+	# current process has credentials to access the target and that the target has the
+	# remote registry service running.
+	#
+	def Registry.open_remote_key(target_host, root_key)
+
+		request = Packet.create_request('stdapi_registry_open_remote_key')
+
+		request.add_tlv(TLV_TYPE_TARGET_HOST, target_host)
+		request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
+
+
+		response = client.send_request(request)
+
+		return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RemoteRegistryKey.new(
+				client, target_host, root_key, response.get_tlv(TLV_TYPE_HKEY).value)
+	end
+	
 	#
 	# Creates the supplied registry key or opens it if it already exists.
 	#

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb

@@ -0,0 +1,188 @@
+#!/usr/bin/env ruby
+
+require 'rex/post/meterpreter/extensions/stdapi/constants'
+require 'rex/post/meterpreter/extensions/stdapi/sys/registry'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Sys
+module RegistrySubsystem
+
+###
+#
+# Class wrapper around a remote registry key on the remote side
+#
+###
+class RemoteRegistryKey
+
+
+	#
+	# Initializes an instance of a registry key using the supplied properties
+	# and HKEY handle from the server.
+	#
+	def initialize(client, target_host, root_key, hkey)
+		self.client   = client
+		self.root_key = root_key
+		self.target_host = target_host
+		self.hkey     = hkey
+		
+		ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.hkey) )
+	end
+
+	def self.finalize(client,hkey)
+		proc { self.close(client,hkey) }
+	end
+
+	##
+	#
+	# Enumerators
+	#
+	##
+
+	#
+	# Enumerates all of the child keys within this registry key.
+	#
+	def each_key(&block)
+		return enum_key.each(&block)
+	end
+
+	#
+	# Enumerates all of the child values within this registry key.
+	#
+	def each_value(&block)
+		return enum_value.each(&block)
+	end
+
+	#
+	# Retrieves all of the registry keys that are direct descendents of
+	# the class' registry key.
+	#
+	def enum_key()
+		return self.client.sys.registry.enum_key(self.hkey)
+	end
+
+	#
+	# Retrieves all of the registry values that exist within the opened
+	# registry key.
+	#
+	def enum_value()
+		return self.client.sys.registry.enum_value(self.hkey)
+	end
+
+
+	##
+	#
+	# Registry key interaction
+	#
+	##
+
+	#
+	# Opens a registry key that is relative to this registry key.
+	#
+	def open_key(base_key, perm = KEY_READ)
+		return self.client.sys.registry.open_key(self.hkey, base_key, perm)
+	end
+
+	#
+	# Creates a registry key that is relative to this registry key.
+	#
+	def create_key(base_key, perm = KEY_READ)
+		return self.client.sys.registry.create_key(self.hkey, base_key, perm)
+	end
+
+	#
+	# Deletes a registry key that is relative to this registry key.
+	#
+	def delete_key(base_key, recursive = true)
+		return self.client.sys.registry.delete_key(self.hkey, base_key, recursive)
+	end
+
+	#
+	# Closes the open key.  This must be called if the registry
+	# key was opened.
+	#
+	def self.close(client, hkey)
+		if hkey != nil
+			return client.sys.registry.close_key(hkey)
+		end
+
+		return false	
+	end
+	
+	# Instance method for the same
+	def close()
+		self.class.close(self.client, self.hkey)
+	end
+
+	##
+	#
+	# Registry value interaction
+	#
+	##
+
+	#
+	# Sets a value relative to the opened registry key.
+	#
+	def set_value(name, type, data)
+		return self.client.sys.registry.set_value(self.hkey, name, type, data)
+	end
+
+	#
+	# Queries the attributes of the supplied registry value relative to
+	# the opened registry key.
+	#
+	def query_value(name)
+		return self.client.sys.registry.query_value(self.hkey, name)
+	end
+
+	#
+	# Queries the class of the specified key
+	#
+	def query_class
+		return self.client.sys.registry.query_class(self.hkey)
+	end
+
+	#
+	# Delete the supplied registry value.
+	#
+	def delete_value(name)
+		return self.client.sys.registry.delete_value(self.hkey, name)
+	end
+
+	##
+	#
+	# Serializers
+	#
+	##
+
+	#
+	# Returns the path to the key.
+	#
+	def to_s
+		return "\\\\" + self.target_host + "\\" + self.root_key.to_s + "\\"
+	end
+
+	#
+	# The open handle to the key on the server.
+	#
+	attr_reader   :hkey
+	#
+	# The root key name, such as HKEY_LOCAL_MACHINE.
+	#
+	attr_reader   :root_key
+	#
+	# The remote machine name, such as PDC01
+	#
+	attr_reader   :target_host
+
+protected
+
+	attr_accessor :client # :nodoc:
+	attr_writer   :hkey, :root_key, :target_host # :nodoc:
+end
+
+end; end; end; end; end; end; end
+