librex 0.0.35 → 0.0.36

data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -89,6 +89,7 @@ TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
 TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
 TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
 TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
+TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
 
 # Config
 TLV_TYPE_COMPUTER_NAME      = TLV_META_TYPE_STRING  | 1040

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -37,10 +37,12 @@ class Console::CommandDispatcher::Stdapi::Sys
 	#
 	@@reg_opts = Rex::Parser::Arguments.new(
 		"-d" => [ true,  "The data to store in the registry value."                ],
-		"-h" => [ true,  "Help menu."                                              ],
+		"-h" => [ false, "Help menu."                                              ],
 		"-k" => [ true,  "The registry key path (E.g. HKLM\\Software\\Foo)."       ],
 		"-t" => [ true,  "The registry value type (E.g. REG_SZ)."                  ],
-		"-v" => [ true,  "The registry value name (E.g. Stuff)."                   ])
+		"-v" => [ true,  "The registry value name (E.g. Stuff)."                   ],
+		"-r" => [ true,  "The remote machine name to connect to (with current process credentials" ],
+		"-w" => [ false,  "Set KEY_WOW64 flag, valid values [32|64]."               ])
 
 	#
 	# List of supported commands.
@@ -271,10 +273,12 @@ class Console::CommandDispatcher::Stdapi::Sys
 		end
 
 		# Initiailze vars
-		key   = nil
-		value = nil
-		data  = nil
-		type  = nil
+		key     = nil
+		value   = nil
+		data    = nil
+		type    = nil
+		wowflag = 0x0000
+		rem     = nil
 
 		@@reg_opts.parse(args) { |opt, idx, val|
 			case opt
@@ -290,7 +294,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 						"    queryclass Queries the class of the supplied key [-k <key>]\n" +
 						"    setval     Set a registry value [-k <key> -v <val> -d <data>]\n" +
 						"    deleteval  Delete the supplied registry value [-k <key> -v <val>]\n" +
-						"    queryval   Queries the data contents of a value [-k <key> -v <val>]\n\n")
+						"    queryval   Queries the data contents of a value [-k <key> -v <val>]\n\n") 
 					return false
 				when "-k"
 					key   = val
@@ -300,6 +304,14 @@ class Console::CommandDispatcher::Stdapi::Sys
 					type  = val
 				when "-d"
 					data  = val
+				when "-r"
+					rem  = val
+				when "-w"
+					if val == '64'
+						wowflag = KEY_WOW64_64KEY
+					elsif val == '32'
+						wowflag = KEY_WOW64_32KEY
+					end
 			end
 		}
 
@@ -316,7 +328,16 @@ class Console::CommandDispatcher::Stdapi::Sys
 			# Rock it
 			case cmd
 				when "enumkey"
-					open_key = client.sys.registry.open_key(root_key, base_key)
+				
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_READ + wowflag)
+						end
+					end
 
 					print_line(
 						"Enumerating: #{key}\n")
@@ -349,12 +370,29 @@ class Console::CommandDispatcher::Stdapi::Sys
 					end
 
 				when "createkey"
-					open_key = client.sys.registry.create_key(root_key, base_key)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.create_key(root_key, base_key, KEY_WRITE + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.create_key(base_key, KEY_WRITE + wowflag)
+						end
+					end				
 
 					print_line("Successfully created key: #{key}")
 
 				when "deletekey"
-					client.sys.registry.delete_key(root_key, base_key)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_WRITE + wowflag)
+						end
+					end
+					open_key.delete_key(base_key)
 
 					print_line("Successfully deleted key: #{key}")
 
@@ -366,7 +404,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 
 					type = "REG_SZ" if (type == nil)
 
-					open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_WRITE + wowflag)
+						end
+					end
 
 					open_key.set_value(value, client.sys.registry.type2str(type), data)
 
@@ -378,7 +424,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 						return false
 					end
 
-					open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_WRITE + wowflag)
+						end
+					end
 
 					open_key.delete_value(value)
 
@@ -390,7 +444,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 						return false
 					end
 
-					open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_READ + wowflag)
+						end
+					end
 
 					v = open_key.query_value(value)
 
@@ -401,7 +463,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 						"Data: #{v.data}\n")
 
 				when "queryclass"
-					open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
+					open_key = nil
+					if not rem
+						open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ + wowflag)
+					else
+						remote_key = client.sys.registry.open_remote_key(rem, root_key)
+						if remote_key
+							open_key = remote_key.open_key(base_key, KEY_READ + wowflag)
+						end
+					end
 
 					data = open_key.query_class
 

data/lib/rex/proto/http/header.rb

@@ -37,16 +37,16 @@ class Packet::Header < Hash
 
 		# put the non-standard line terminations back to normal
 		# gah.  not having look behinds suck,
-		header.gsub!(/([^\r])\n/,'\1' + "\r\n")
+		header.gsub!(/([^\r])\n/n,'\1' + "\r\n")
 
 		# undo folding, kinda ugly but works for now.
-		header.gsub!(/:\s*\r\n\s+/smi,': ')
+		header.gsub!(/:\s*\r\n\s+/smni,': ')
 
 		# Extract the command string
 		self.cmd_string = header.slice!(/.+\r\n/)
 
 		# Extract each header value pair
-		header.split(/\r\n/m).each { |str|
+		header.split(/\r\n/mn).each { |str|
 			if (md = str.match(/^(.+?): (.+?)$/))
 				if (self[md[1]])
 					self[md[1]] << ", " + md[2]

data/lib/rex/ropbuilder.rb

@@ -0,0 +1,7 @@
+module Rex
+module RopBuilder
+
+require 'rex/ropbuilder/rop'
+require 'metasm/metasm'
+end
+end

data/lib/rex/ropbuilder/rop.rb

@@ -0,0 +1,257 @@
+require 'metasm'
+require 'rex/compat'
+require 'rex/ui/text/table'
+require 'rex/ui/text/output/stdio'
+require 'rex/ui/text/color'
+
+module Rex
+module RopBuilder
+
+class RopBase
+	def initialize()
+		@stdio = Rex::Ui::Text::Output::Stdio.new
+		@gadgets = []
+	end
+
+	def to_csv(gadgets = [])
+		if gadgets.empty? and @gadgets.nil? or @gadgets.empty?
+			print_error("No gadgets collected to convert to CSV format.")
+			return
+		end
+
+		# allow the users to import gadget collections from multiple files
+		if @gadgets.empty? or @gadgets.nil?
+			@gadgets = gadgets
+		end
+
+		table = Rex::Ui::Text::Table.new(
+		'Header'    => "#{@file} ROP Gadgets",
+		'Indent'    => 1,
+		'Columns'   =>
+		[
+			"Address",
+			"Raw",
+			"Disassembly",
+		])
+
+		@gadgets.each do |gadget|
+			table << [gadget[:address], gadget[:raw].unpack('H*')[0], gadget[:disasm].gsub(/\n/, ' | ')]
+		end
+
+		return table.to_csv
+	end
+
+	def import(file)
+		begin
+			data = File.new(file, 'r').read
+		rescue
+			print_error("Error reading #{file}")
+		end
+
+		data.gsub!(/\"/, '')
+		data.gsub!("Address,Raw,Disassembly\n", '')
+		@gadgets = []
+		data.each_line do |line|
+			addr, raw, disasm = line.split(',', 3)
+			disasm.gsub!(/: /, ":\t")
+			disasm.gsub!(' | ', "\n")
+			raw = [raw].pack('H*')
+			@gadgets << {:file => file, :address => addr, :raw => raw, :disasm => disasm.chomp!}
+		end
+			@gadgets
+	end
+
+	def print_msg(msg, color=true)
+		if not @stdio
+			@stdio = Rex::Ui::Text::Output::Stdio.new
+		end
+
+		if color == true
+			@stdio.auto_color
+		else
+		    @stdio.disable_color
+		end
+		@stdio.print_raw(@stdio.substitute_colors(msg))
+	end
+end
+
+class RopCollect < RopBase
+	def initialize(file="")
+		@file = file if not file.empty?
+		@bin = Metasm::AutoExe.decode_file(file) if not file.empty?
+		@disassembler = @bin.disassembler if not @bin.nil?
+		if @disassembler
+			@disassembler.cpu = Metasm::Ia32.new('386_common')
+		end
+		super()
+	end
+
+	def collect(depth, pattern)
+		matches = []
+		gadgets = []
+
+		# find matches by scanning for the pattern
+		matches = @disassembler.pattern_scan(pattern)
+		if @bin.kind_of?(Metasm::PE)
+			@bin.sections.each do |section|
+				next if section.characteristics.include? 'MEM_EXECUTE'
+				# delete matches if the address is outside the virtual address space
+				matches.delete_if do |ea|
+					va = section.virtaddr + @bin.optheader.image_base
+					ea >= va and ea < va + section.virtsize
+				end
+			end
+		elsif @bin.kind_of?(Metasm::ELF)
+			@bin.segments.each do |seg|
+				next if seg.flags.include? 'X'
+				matches.delete_if do |ea|
+					ea >= seg.vaddr and ea < seg.vaddr + seg.memsz
+				end
+			end
+		elsif @bin.kind_of?(Metasm::MachO)
+			@bin.segments.each do |seg|
+				next if seg.initprot.include? 'EXECUTE'
+				matches.delete_if do |ea|
+					ea >= seg.virtaddr and ea < seg.virtaddr + seg.filesize
+				end
+			end
+		end
+
+		gadgets = process_gadgets(matches, depth)
+		gadgets.each do |gadget|
+			@gadgets << gadget
+		end
+		gadgets
+	end
+
+	def pattern_search(pattern)
+		p = Regexp.new("(" + pattern + ")")
+		matches = []
+
+		@gadgets.each do |gadget|
+			disasm = ""
+			addrs = []
+
+			gadget[:disasm].each_line do |line|
+				addr, asm = line.split("\t", 2)
+				addrs << addr
+				disasm << asm
+			end
+
+			if gadget[:raw] =~ p or gadget[:disasm] =~ p or disasm =~ p
+				matches << {:gadget => gadget, :disasm => disasm, :addrs => addrs}
+			end
+		end
+		matches.each do |match|
+			@stdio.print_status("gadget with address: %bld%cya#{match[:gadget][:address]}%clr matched")
+			color_pattern(match[:gadget], match[:disasm], match[:addrs], p)
+		end
+		matches
+	end
+
+	def color_pattern(gadget, disasm, addrs, p)
+		idx = disasm.index(p)
+		if idx.nil?
+			print_msg(gadget[:disasm])
+			return
+		end
+
+		disasm = disasm.insert(idx, "%bld%grn")
+
+		asm = ""
+		cnt = 0
+		colors = false
+		disasm.each_line do |line|
+			# if we find this then we are in the matching area
+			if line.index(/\%bld\%grn/)
+				colors = true
+			end
+			asm << "%clr" + addrs[cnt] + "\t"
+
+			# color the remaining parts of the gadget
+			if colors and line.index("%bld%grn").nil?
+				asm << "%bld%grn" + line 
+			else
+				asm << line
+			end
+
+			cnt += 1
+		end
+		asm << "%clr\n"
+		print_msg(asm)
+	end
+
+	def process_gadgets(rets, num)
+		ret = {}
+		gadgets = []
+		tmp = []
+		rets.each do |ea|
+			insn = @disassembler.disassemble_instruction(ea)
+			next if not insn
+
+			xtra = insn.bin_length
+
+			1.upto(num) do |x|
+				addr = ea - x
+
+				# get the disassembled instruction at this address
+				di = @disassembler.disassemble_instruction(addr)
+
+				# skip invalid instructions
+				next if not di
+				next if di.opcode.props[:setip]
+				next if di.opcode.props[:stopexec]
+
+				# get raw bytes
+				buf = @disassembler.read_raw_data(addr, x + xtra)
+				
+
+				# make sure disassembling forward leads to our instruction
+				next if not ends_with_addr(buf, addr, ea)
+
+				dasm = ""
+				while addr <= ea
+					di = @disassembler.disassemble_instruction(addr)
+					dasm << ("0x%08x:\t" % addr) + di.instruction.to_s + "\n"
+					addr = addr + di.bin_length
+				end
+
+				if not tmp.include?(ea)
+					tmp << ea
+				else
+					next
+				end
+				# otherwise, we create a new tailchunk and add it to the list
+				ret = {:file => @file, :address => ("0x%08x" % (ea - x)), :raw => buf, :disasm => dasm}
+				gadgets << ret
+			end
+		end
+		gadgets
+	end
+
+	private
+	def ends_with_addr(raw, base, addr)
+		dasm2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
+		offset = 0
+		while ((di = dasm2.disassemble_instruction(offset)))
+			return true if (base + offset) == addr
+			return false if di.opcode.props[:setip]
+			return false if di.opcode.props[:stopexec]
+			offset = di.next_addr
+		end
+		false
+	end
+
+	def raw_instructions(raw)
+		insns = []
+		d2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
+		addr = 0
+		while ((di = d2.disassemble_instruction(addr)))
+			insns << di.instruction
+			addr = di.next_addr
+		end
+		insns
+	end
+end
+end
+end