librex 0.0.4 → 0.0.5

data/lib/rex/proto/http/client.rb

@@ -8,8 +8,9 @@ module Http
 
 ###
 #
-# Acts as a client to an HTTP server, sending requests and receiving
-# responses.
+# Acts as a client to an HTTP server, sending requests and receiving responses.
+# 
+# See the RFC: http://www.w3.org/Protocols/rfc2616/rfc2616.html 
 #
 ###
 class Client
@@ -172,6 +173,25 @@ class Client
 	#
 	# Create a CGI compatible request
 	#
+	# Options:
+	# - agent:         User-Agent header value
+	# - basic_auth:    Basic-Auth header value
+	# - connection:    Connection header value
+	# - cookie:        Cookie header value
+	# - ctype:         Content-Type header value, default: +application/x-www-form-urlencoded+
+	# - data:          HTTP data (only useful with some methods, see rfc2616)
+	# - encode:        URI encode the supplied URI
+	# - headers:       HTTP headers as a hash, e.g. <code>{ "X-MyHeader" => "value" }</code>
+	# - method:        HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET
+	# - proto:         protocol, default: HTTP
+	# - query:         raw query string
+	# - raw_headers:   HTTP headers as a hash
+	# - uri:           the URI to request
+	# - vars_get:      GET variables as a hash to be translated into a query string
+	# - vars_post:     POST variables as a hash to be translated into POST data
+	# - version:       version of the protocol, default: 1.1
+	# - vhost:         Host header value
+	#
 	def request_cgi(opts={})
 		c_enc  = opts['encode']     || false
 		c_cgi  = opts['uri']        || '/'
@@ -345,6 +365,11 @@ class Client
 					buff = conn.get_once(-1, 1)
 					rv   = resp.parse( buff || '')
 
+				##########################################################################
+				# XXX: NOTE: BUG: get_once currently (as of r10042) rescues "Exception"
+				# As such, the following rescue block will ever be reached.  -jjd
+				##########################################################################
+
 				# Handle unexpected disconnects
 				rescue ::Errno::EPIPE, ::EOFError, ::IOError
 					case resp.state

data/lib/rex/proto/http/client.rb.ut.rb

@@ -69,8 +69,10 @@ class Rex::Proto::Http::Client::UnitTest < Test::Unit::TestCase
 
 		resp = c.send_recv(r)
 
-		assert_equal(200, resp.code)
-		assert_equal('OK', resp.message)
+		#assert_equal(200, resp.code)
+		#assert_equal('OK', resp.message)
+		assert_equal(301, resp.code)
+		assert_equal('Moved Permanently', resp.message)
 		assert_equal('1.1', resp.proto)
 	end
 

data/lib/rex/proto/http/handler/proc.rb

@@ -39,6 +39,12 @@ class Handler::Proc < Handler
 			elog("Proc::on_request: Client closed connection prematurely", LogSource)
 		rescue
 			elog("Proc::on_request: #{$!}\n\n#{$@.join("\n")}", LogSource)
+			if self.server and self.server.context
+				exploit = self.server.context['MsfExploit']
+				if exploit
+					exploit.print_error("Exception handling request: #{$!}")
+				end
+			end
 		end
 	end
 

data/lib/rex/proto/http/packet.rb

@@ -92,7 +92,7 @@ class Packet
 				end
 			end
 		rescue
-			# This rescue might be a problem because it will swallow TimeoutError
+			# XXX: BUG: This rescue might be a problem because it will swallow TimeoutError
 			self.error = $!
 			return ParseCode::Error
 		end
@@ -284,24 +284,25 @@ protected
 		end
 
 		# Determine how to handle data when there is no length header
-		if(self.body_bytes_left == -1 and self.transfer_chunked != true)
-			if(self.headers['Connection'].to_s.downcase.include?('keep-alive'))
-				# If we are using keep-alive, but have no content-length and
-				# no chunked transfer header, pretend this is the entire
-				# buffer and call it done
-				self.body_bytes_left = self.bufq.length
-			elsif(not self.transfer_chunked and not self.headers['Content-Length'])
-				# RFC 2616 says: "The presence of a message-body in a request
-				# is signaled by the inclusion of a Content-Length or
-				# Transfer-Encoding header field in the request's
-				# message-headers."
-				#
-				# So if we haven't seen either a Content-Length or a
-				# Transfer-Encoding header, there shouldn't be a message body.
-				self.body_bytes_left = 0
-			else
+		if (self.body_bytes_left == -1)
+			if (not self.transfer_chunked)
+				if (self.headers['Connection'].to_s.downcase.include?('keep-alive'))
+					# If we are using keep-alive, but have no content-length and
+					# no chunked transfer header, pretend this is the entire
+					# buffer and call it done
+					self.body_bytes_left = self.bufq.length
+				elsif (not self.headers['Content-Length'] and self.class == Rex::Proto::Http::Request)
+					# RFC 2616 says: "The presence of a message-body in a request
+					# is signaled by the inclusion of a Content-Length or
+					# Transfer-Encoding header field in the request's
+					# message-headers."
+					#
+					# So if we haven't seen either a Content-Length or a
+					# Transfer-Encoding header, there shouldn't be a message body.
+					self.body_bytes_left = 0
+				#else
 				# Otherwise we need to keep reading until EOF
-				self.body_bytes_left = -1
+				end
 			end
 		end
 
@@ -390,7 +391,7 @@ protected
 
 		# If there are no more bytes left, then parsing has completed and we're
 		# ready to go.
-		if (self.transfer_chunked != 1 and self.body_bytes_left <= 0)
+		if (not self.transfer_chunked and self.body_bytes_left == 0)
 			self.state = ParseState::Completed
 			return
 		end

data/lib/rex/proto/http/server.rb

@@ -99,7 +99,7 @@ class Server
 	# Initializes an HTTP server as listening on the provided port and
 	# hostname.
 	#
-	def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {})
+	def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {}, comm = nil)
 		self.listen_host = listen_host
 		self.listen_port = port
 		self.context     = context
@@ -107,6 +107,7 @@ class Server
 		self.resources   = {}
 		self.server_name = DefaultServer
 		self.ssl         = ssl
+		self.comm        = comm
 	end
 
 	#
@@ -132,7 +133,8 @@ class Server
 			'LocalHost' => self.listen_host,
 			'LocalPort' => self.listen_port,
 			'Context'   => self.context,
-			'SSL'		=> self.ssl
+			'SSL'		=> self.ssl,
+			'Comm'      => self.comm
 		)
 
 		# Register callbacks
@@ -254,7 +256,7 @@ class Server
 		cli.send_response(resp)
 	end
 
-	attr_accessor :listen_port, :listen_host, :server_name, :context, :ssl
+	attr_accessor :listen_port, :listen_host, :server_name, :context, :ssl, :comm
 	attr_accessor :listener, :resources
 
 protected

data/lib/rex/proto/proxy/socks4a.rb

@@ -0,0 +1,440 @@
+#
+# sf - Sept 2010
+#
+require 'thread'
+require 'rex/logging'
+require 'rex/socket'
+
+module Rex
+module Proto
+module Proxy
+	
+# 
+# A Socks4a proxy server.
+# 
+class Socks4a
+
+	#
+	# A client connected to the Socks4a server.
+	#
+	class Client
+		
+		REQUEST_VERSION                 = 4
+		REPLY_VERSION                   = 0
+		
+		COMMAND_CONNECT                 = 1
+		COMMAND_BIND                    = 2
+	
+		REQUEST_GRANTED                 = 90
+		REQUEST_REJECT_FAILED           = 91
+		REQUEST_REJECT_CONNECT          = 92
+		REQUEST_REJECT_USERID           = 93
+		
+		HOST                            = 1
+		PORT                            = 2
+		
+		#
+		# A Socks4a packet.
+		#
+		class Packet
+			
+			def initialize
+				@version   = REQUEST_VERSION
+				@command   = 0
+				@dest_port = 0
+				@dest_ip   = '0.0.0.0'
+				@userid    = ''
+			end
+			
+			#
+			# A helper function to recv in a Socks4a packet byte by byte.
+			#
+			# sf: we could just call raw = sock.get_once but some clients 
+			#     seem to need reading this byte by byte instead.
+			#
+			def Packet.recv( sock, timeout=30 )
+				raw = ''
+				# read in the 8 byte header
+				while( raw.length < 8 )
+					raw << sock.read( 1 )
+				end
+				# if its a request there will be more data
+				if( raw[0..0].unpack( 'C' ).first == REQUEST_VERSION )
+					# read in the userid
+					while( raw[8..raw.length].index( "\x00" ) == nil )
+						raw << sock.read( 1 )
+					end
+					# if a hostname is going to be present, read it in
+					ip = raw[4..7].unpack( 'N' ).first
+					if( ( ip & 0xFFFFFF00 ) == 0x00000000 and ( ip & 0x000000FF ) != 0x00 )
+						hostname = ''
+						while( hostname.index( "\x00" ) == nil )
+							hostname += sock.read( 1 )
+						end
+						raw << hostname
+					end
+				end
+				# create a packet from this raw data...
+				packet = Packet.new
+				packet.from_r( raw ) ? packet : nil
+			end
+						
+			#
+			# Pack a packet into raw bytes for transmitting on the wire.
+			# 
+			def to_r
+				raw = [ @version, @command, @dest_port, Rex::Socket.addr_atoi( @dest_ip ) ].pack( 'CCnN' )
+				return raw if( @userid.empty? )
+				return raw + [ @userid ].pack( 'Z*' )
+			end
+			
+			#
+			# Unpack a raw packet into its components.
+			#
+			def from_r( raw )
+				return false if( raw.length < 8 )
+				@version   = raw[0..0].unpack( 'C' ).first
+				return false if( @version != REQUEST_VERSION and @version != REPLY_VERSION )
+				@command   = raw[1..1].unpack( 'C' ).first
+				@dest_port = raw[2..3].unpack( 'n' ).first
+				@dest_ip   = Rex::Socket.addr_itoa( raw[4..7].unpack( 'N' ).first )
+				if( raw.length > 8 )
+					@userid = raw[8..raw.length].unpack( 'Z*' ).first
+					# if this is a socks4a request we can resolve the provided hostname
+					if( self.is_hostname? )
+						hostname = raw[(8+@userid.length+1)..raw.length].unpack( 'Z*' ).first
+						@dest_ip = self.resolve( hostname )
+						# fail if we couldnt resolve the hostname
+						return false if( not @dest_ip )
+					end
+				else
+					@userid  = ''
+				end
+				return true
+			end
+		
+			def is_connect?
+				@command == COMMAND_CONNECT ? true : false
+			end
+			
+			def is_bind?
+				@command == COMMAND_BIND ? true : false
+			end
+			
+			attr_accessor :version, :command, :dest_port, :dest_ip, :userid
+			
+			protected
+			
+			#
+			# Resolve the given hostname into a dotted IP address.
+			#
+			def resolve( hostname )
+				if( not hostname.empty? )
+					begin
+						return Rex::Socket.addr_itoa( Rex::Socket.gethostbyname( hostname )[3].unpack( 'N' ).first )
+					rescue ::SocketError
+						return nil
+					end
+				end
+				return nil
+			end
+			
+			#
+			# As per the Socks4a spec, check to see if the provided dest_ip is 0.0.0.XX 
+			# which indicates after the @userid field contains a hostname to resolve.
+			#
+			def is_hostname?
+				ip = Rex::Socket.addr_atoi( @dest_ip )
+				if( ip & 0xFFFFFF00 == 0x00000000 )
+					return true if( ip & 0x000000FF != 0x00 )
+				end
+				return false
+			end
+
+		end
+		
+		#
+		# A mixin for a socket to perform a relay to another socket.
+		#
+		module Relay
+
+			#
+			# Relay data coming in from relay_sock to this socket.
+			#
+			def relay( relay_client, relay_sock )
+				@relay_client = relay_client
+				@relay_sock   = relay_sock
+				# start the relay thread (modified from Rex::IO::StreamAbstraction)
+				@relay_thread = ::Thread.new do
+					loop do
+						closed = false
+						buf    = nil
+		
+						begin
+							s = Rex::ThreadSafe.select( [ @relay_sock ], nil, nil, 0.2 )
+							if( s == nil || s[0] == nil )
+								next
+							end
+						rescue
+							closed = true
+						end
+		
+						if( closed == false )
+							begin
+								buf = @relay_sock.sysread( 32768 )
+								closed = true if( buf == nil )
+							rescue
+								closed = true
+							end
+						end
+		
+						if( closed == false )
+							total_sent   = 0
+							total_length = buf.length
+							while( total_sent < total_length )
+								begin
+									data = buf[0, buf.length]
+									sent = self.write( data )
+									if( sent > 0 )
+										total_sent += sent
+										buf[0, sent] = ""
+									end
+								rescue
+									closed = true
+									break
+								end
+							end
+						end
+		
+						if( closed )
+							@relay_client.stop
+							::Thread.exit
+						end
+					end
+				end
+				
+			end
+			
+		end
+		
+		#
+		# Create a new client connected to the server.
+		#
+		def initialize( server, sock )
+			@server        = server
+			@lsock         = sock
+			@rsock         = nil
+			@client_thread = nil
+			@mutex         = ::Mutex.new
+			@closed        = false
+		end
+
+		#
+		# Start handling the client connection.
+		#
+		def start
+			# create a thread to handle this client request so as to not block the socks4a server
+			@client_thread = ::Thread.new do
+				begin
+					@server.add_client( self )
+					# get the initial client request packet
+					request = Packet.recv( @lsock )
+					raise "Invalid Socks4 request packet received." if not request
+					# handle the request
+					begin
+						# handle socks4a conenct requests
+						if( request.is_connect? )
+							# perform the connection request
+							params = { 
+								'PeerHost' => request.dest_ip,
+								'PeerPort' => request.dest_port,
+								'Comm'     => @server.opts['Comm']
+							}
+							@rsock = Rex::Socket::Tcp.create( params )
+							# and send back success to the client
+							response         = Packet.new
+							response.version = REPLY_VERSION
+							response.command = REQUEST_GRANTED
+							@lsock.put( response.to_r )
+						# handle socks4a bind requests
+						elsif( request.is_bind? )
+							# create a server socket for this request
+							params = { 
+								'LocalHost' => '0.0.0.0',
+								'LocalPort' => 0,
+								'Comm'      => @server.opts['Comm']
+							}
+							bsock = Rex::Socket::TcpServer.create( params )
+							# send back the bind success to the client
+							response           = Packet.new
+							response.version   = REPLY_VERSION
+							response.command   = REQUEST_GRANTED
+							response.dest_ip   = '0.0.0.0'
+							response.dest_port = bsock.getlocalname()[PORT]
+							@lsock.put( response.to_r )
+							# accept a client connection (2 minute timeout as per spec)
+							begin
+								::Timeout.timeout( 120 ) do
+									@rsock = bsock.accept
+								end
+							rescue ::Timeout::Error
+								raise "Timeout reached on accept request."
+							end
+							# close the listening socket
+							bsock.close
+							# verify the connection is from the dest_ip origionally specified by the client
+							rpeer = @rsock.getpeername
+							raise "Got connection from an invalid peer." if( rpeer[HOST] != request.dest_ip )
+							# send back the client connect success to the client
+							#
+							# sf: according to the spec we send this response back to the client, however 
+							#     I have seen some clients who bawk if they get this second response.
+							#
+							response           = Packet.new
+							response.version   = REPLY_VERSION
+							response.command   = REQUEST_GRANTED
+							response.dest_ip   = rpeer[HOST]
+							response.dest_port = rpeer[PORT]
+							@lsock.put( response.to_r )
+						else
+							raise "Unknown request command received #{request.command} received."
+						end
+					rescue
+						# send back failure to the client
+						response         = Packet.new
+						response.version = REPLY_VERSION
+						response.command = REQUEST_REJECT_FAILED
+						@lsock.put( response.to_r )
+						# raise an exception to close this client connection
+						raise "Failed to handle the clients request."
+					end
+					# setup the two way relay for full duplex io
+					@lsock.extend( Relay )
+					@rsock.extend( Relay )
+					# start the socket relays...
+					@lsock.relay( self, @rsock )
+					@rsock.relay( self, @lsock )
+				rescue
+					wlog( "Client.start - #{$!}" )
+					self.stop
+				end
+			end
+		end
+		
+		#
+		# Stop handling the client connection.
+		#
+		def stop
+			@mutex.synchronize do
+				if( not @closed )
+				
+					begin
+						@lsock.close if @lsock
+					rescue
+					end
+				
+					begin
+						@rsock.close if @rsock
+					rescue
+					end
+				
+					@client_thread.kill if( @client_thread and @client_thread.alive? )
+					
+					@server.remove_client( self )
+					
+					@closed = true
+				end
+			end
+		end
+		
+	end
+
+	#
+	# Create a new Socks4a server.
+	#
+	def initialize( opts={} )
+		@opts          = { 'ServerHost' => '0.0.0.0', 'ServerPort' => 1080, 'Comm' => nil }
+		@opts          = @opts.merge( opts )
+		@server        = nil
+		@clients       = ::Array.new
+		@running       = false
+		@server_thread = nil
+	end
+
+	#
+	# Check if the server is running.
+	#
+	def is_running?
+		return @running
+	end
+	
+	#
+	# Start the Socks4a server.
+	#
+	def start
+			begin
+				# create the servers main socket
+				@server = Rex::Socket::TcpServer.create( 'LocalHost' => @opts['ServerHost'], 'LocalPort' => @opts['ServerPort'] )
+				# signal we are now running
+				@running = true
+				# start the servers main thread to pick up new clients
+				@server_thread = ::Thread.new do
+					while( @running ) do
+						begin
+							# accept the client connection
+							sock = @server.accept
+							# and fire off a new client instance to handle it
+							Client.new( self, sock ).start
+						rescue
+							wlog( "Socks4a.start - server_thread - #{$!}" )
+						end
+					end
+				end
+			rescue
+				wlog( "Socks4a.start - #{$!}" )
+				return false
+			end
+			return true
+	end
+	
+	#
+	# Block while the server is running.
+	#
+	def join
+		@server_thread.join
+	end
+	
+	#
+	# Stop the Socks4a server.
+	#
+	def stop
+		if( @running )
+			# signal we are no longer running
+			@running = false
+			# stop any clients we have (create a new client array as client.stop will delete from @clients)
+			clients = []
+			clients.concat( @clients )
+			clients.each do | client |
+				client.stop
+			end
+			# close the server socket
+			@server.close if @server
+			# if the server thread did not terminate gracefully, kill it.
+			@server_thread.kill if( @server_thread and @server_thread.alive? )
+		end
+		return !@running
+	end
+	
+	def add_client( client )
+		@clients << client
+	end
+	
+	def remove_client( client )
+		@clients.delete( client )
+	end
+	
+	attr_reader :opts
+	
+end
+
+end; end; end