librex 0.0.42 → 0.0.43

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb.ut.rb

@@ -15,8 +15,48 @@ module Stdapi
 module Railgun
 class Railgun::UnitTest < Test::Unit::TestCase
 
+	# DLLs we know should be available at the time of this writing, 
+	# and DLLs that because of changes since then should be available
+	STOCK_DLLS = 
+		['kernel32', 'ntdll', 'user32', 'ws2_32',
+			'iphlpapi', 'netapi32', 'advapi32', 'shell32'] | Railgun::BUILTIN_DLLS
+
 	include MockMagic
 
+	def test_known_dll_names
+		railgun = Railgun.new(make_mock_client())
+
+		dll_names = railgun.known_dll_names
+
+		assert_equal(dll_names.length, dll_names.uniq.length,
+			"known_dll_names should not have duplicates")
+		
+		STOCK_DLLS.each do |name|
+			assert(dll_names.include?(name),
+				"known_dll_names should include #{name}")
+		end
+	end
+#
+# TODO:
+#	def test_multi
+#		mock_function_descriptions.each do |func|
+#			railgun = Railgun.new(make_mock_client(func[:platform]))
+#
+#			functions = [
+#				[func[:dll_name], func[:name], func[:ruby_args]]
+#			]
+#
+#			results = railgun.multi(functions)
+#		end
+#	end
+#
+	def test_const
+		railgun = Railgun.new(make_mock_client())
+
+		assert_equal(0, railgun.const('SUCCESS'),
+			"const should look up constants like SUCCESS")
+	end
+
 	def test_add_dll
 		railgun = Railgun.new(make_mock_client())
 
@@ -33,11 +73,46 @@ class Railgun::UnitTest < Test::Unit::TestCase
 		assert_equal(actual_dll.dll_path, target_windows_name,
 			"add_dll should set a dll path when specified")
 
-# 
-#		wrapper = railgun.send(target_dll_name.to_sym)
-#
-#		assert_same(wrapper._dll, actual_dll,
-#			"railgun instance responds with dll wrapper as expected")
+		wrapper = railgun.send(target_dll_name.to_sym)
+
+		assert_same(wrapper._dll, actual_dll,
+			"railgun instance responds with dll wrapper of requested dll")
+	end
+
+	def test_method_missing
+		railgun = Railgun.new(make_mock_client())
+		
+		STOCK_DLLS.each do |dll_name|
+			assert_nothing_raised do
+				railgun.send(dll_name.to_sym)
+			end
+		end
+	end
+
+	def test_get_dll
+		railgun = Railgun.new(make_mock_client())
+
+		STOCK_DLLS.each do |dll_name|
+			dll = railgun.get_dll(dll_name)
+
+			# We want to ensure autoloading is working
+			assert(dll.instance_of?(DLL),
+				"get_dll should be able to return a value for dll #{dll_name}")
+
+			assert(dll.frozen?,
+				"Stock DLLs loaded lazily in get_dll should be frozen")
+
+			# adding a function should create a local unfrozen instance
+			railgun.add_function(dll_name, '__lolz', 'VOID', [])
+
+			unfrozen_dll = railgun.get_dll(dll_name)
+
+			assert_not_same(dll, unfrozen_dll,
+				"add_function should create a local unfrozen instance that get_dll can then access")
+
+			assert(!unfrozen_dll.frozen?,
+				"add_function should create a local unfrozen instance that get_dll can then access")
+		end
 	end
 
 	def test_add_function

data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -30,7 +30,7 @@ class Config
 	def getuid
 		request  = Packet.create_request('stdapi_sys_config_getuid')
 		response = client.send_request(request)
-		return response.get_tlv_value(TLV_TYPE_USER_NAME)
+		return Rex::Text.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
 	end
 
 	#
@@ -62,7 +62,7 @@ class Config
 		req = Packet.create_request('stdapi_sys_config_steal_token')
 		req.add_tlv(TLV_TYPE_PID, pid.to_i)
 		res = client.send_request(req)
-		return res.get_tlv_value(TLV_TYPE_USER_NAME)
+		return Rex::Text.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
 	end
 
 	#
@@ -71,7 +71,7 @@ class Config
 	def drop_token
 		req = Packet.create_request('stdapi_sys_config_drop_token')
 		res = client.send_request(req)
-		return res.get_tlv_value(TLV_TYPE_USER_NAME)
+		return Rex::Text.unicode_filter_encode( res.get_tlv_value(TLV_TYPE_USER_NAME) )
 	end
 
 	#

data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

@@ -151,7 +151,7 @@ class Process < Rex::Post::Process
 			end
 		end
 
-		request.add_tlv(TLV_TYPE_PROCESS_PATH, path);
+		request.add_tlv(TLV_TYPE_PROCESS_PATH, Rex::Text.unicode_filter_decode( path ));
 
 		# If process arguments were supplied
 		if (arguments != nil)
@@ -177,7 +177,7 @@ class Process < Rex::Post::Process
 		# Return a process instance
 		return self.new(pid, handle, channel)
 	end
-	
+
 	#
 	# Kills one or more processes.
 	#
@@ -223,7 +223,7 @@ class Process < Rex::Post::Process
 
 		response.each(TLV_TYPE_PROCESS_GROUP) { |p|
 		arch = ""
-		
+
 		pa = p.get_tlv_value( TLV_TYPE_PROCESS_ARCH )
 		if( pa != nil )
 			if pa == 1 # PROCESS_ARCH_X86
@@ -232,15 +232,15 @@ class Process < Rex::Post::Process
 				arch = ARCH_X86_64
 			end
 		end
-		
+
 		processes <<
 				{
 					'pid'      => p.get_tlv_value(TLV_TYPE_PID),
 					'parentid' => p.get_tlv_value(TLV_TYPE_PARENT_PID),
-					'name'     => p.get_tlv_value(TLV_TYPE_PROCESS_NAME),
-					'path'     => p.get_tlv_value(TLV_TYPE_PROCESS_PATH),
+					'name'     => Rex::Text.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_NAME) ),
+					'path'     => Rex::Text.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_PROCESS_PATH) ),
 					'session'  => p.get_tlv_value(TLV_TYPE_PROCESS_SESSION),
-					'user'     => p.get_tlv_value(TLV_TYPE_USER_NAME),
+					'user'     => Rex::Text.unicode_filter_encode( p.get_tlv_value(TLV_TYPE_USER_NAME) ),
 					'arch'     => arch
 				}
 		}
@@ -291,7 +291,7 @@ class Process < Rex::Post::Process
 	def self.finalize(client,handle)
 		proc { self.close(client,handle) }
 	end
-	
+
 	#
 	# Returns the executable name of the process.
 	#
@@ -316,7 +316,7 @@ class Process < Rex::Post::Process
 		handle = nil;
 		return true
 	end
-	
+
 	#
 	# Instance method
 	#
@@ -358,8 +358,8 @@ protected
 		response = client.send_request(request)
 
 		# Populate the hash
-		info['name'] = response.get_tlv_value(TLV_TYPE_PROCESS_NAME)
-		info['path'] = response.get_tlv_value(TLV_TYPE_PROCESS_PATH)
+		info['name'] = Rex::Text.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_NAME) )
+		info['path'] = Rex::Text.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_PROCESS_PATH) )
 
 		return info
 	end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb

@@ -44,8 +44,8 @@ class Registry
 		request = Packet.create_request('stdapi_registry_load_key')
 		request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
 		request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
-		request.add_tlv(TLV_TYPE_FILE_PATH,hive_file)
-		
+		request.add_tlv(TLV_TYPE_FILE_PATH, Rex::Text.unicode_filter_decode( hive_file ))
+
 		response = client.send_request(request)
 		return response.get_tlv(TLV_TYPE_RESULT).value
 	end
@@ -95,7 +95,7 @@ class Registry
 		return Rex::Post::Meterpreter::Extensions::Stdapi::Sys::RegistrySubsystem::RemoteRegistryKey.new(
 				client, target_host, root_key, response.get_tlv(TLV_TYPE_HKEY).value)
 	end
-	
+
 	#
 	# Creates the supplied registry key or opens it if it already exists.
 	#

data/lib/rex/post/meterpreter/packet.rb

@@ -113,7 +113,7 @@ class Tlv
 	def initialize(type, value = nil, compress=false)
 		@type     = type
 		@compress = compress
-		
+
 		if (value != nil)
 			if (type & TLV_META_TYPE_STRING == TLV_META_TYPE_STRING)
 				if (value.kind_of?(Fixnum))
@@ -219,7 +219,7 @@ class Tlv
 	# Serializers
 	#
 	##
-	
+
 	#
 	# Converts the TLV to raw.
 	#
@@ -240,14 +240,14 @@ class Tlv
 				raw = [0].pack("c")
 			end
 		end
-		
+
 		# check if the tlv is to be compressed...
 		if( @compress )
 			raw_uncompressed = raw
 			# compress the raw data
 			raw_compressed = Rex::Text.zlib_deflate( raw_uncompressed )
 			# check we have actually made the raw data smaller...
-			# (small blobs often compress slightly larger then the origional) 
+			# (small blobs often compress slightly larger then the origional)
 			# if the compressed data is not smaller, we dont use the compressed data
 			if( raw_compressed.length < raw_uncompressed.length )
 				# if so, set the TLV's type to indicate compression is used
@@ -257,7 +257,7 @@ class Tlv
 				raw = [ raw_uncompressed.length ].pack("N") + raw_compressed
 			end
 		end
-		
+
 		return [raw.length + 8, self.type].pack("NN") + raw
 	end
 
@@ -273,7 +273,7 @@ class Tlv
 		if( self.type & TLV_META_TYPE_COMPRESSED == TLV_META_TYPE_COMPRESSED )
 			# set this TLV as using compression
 			@compress = true
-			# remove the TLV_META_TYPE_COMPRESSED flag from the tlv type to restore the 
+			# remove the TLV_META_TYPE_COMPRESSED flag from the tlv type to restore the
 			# tlv type to its origional, allowing for transparent data compression.
 			self.type = self.type ^ TLV_META_TYPE_COMPRESSED
 			# decompress the compressed data (skipping the length and type DWORD's)
@@ -283,7 +283,7 @@ class Tlv
 			# update the raw buffer with the new length, decompressed data and updated type.
 			raw = [length, self.type].pack("NN") + raw_decompressed
 		end
-		
+
 		if (self.type & TLV_META_TYPE_STRING == TLV_META_TYPE_STRING)
 			if (raw.length > 0)
 				self.value = raw[8..length-2]
@@ -293,7 +293,7 @@ class Tlv
 		elsif (self.type & TLV_META_TYPE_UINT == TLV_META_TYPE_UINT)
 			self.value = raw.unpack("NNN")[2]
 		elsif (self.type & TLV_META_TYPE_QWORD == TLV_META_TYPE_QWORD)
-			self.value = raw.unpack("NNQ")[2] 		
+			self.value = raw.unpack("NNQ")[2]
 			self.value = self.ntohq( self.value )
 		elsif (self.type & TLV_META_TYPE_BOOL == TLV_META_TYPE_BOOL)
 			self.value = raw.unpack("NNc")[2]
@@ -309,9 +309,9 @@ class Tlv
 
 		return length;
 	end
-	
+
 	protected
-	
+
 	def htonq( value )
 		if( [1].pack( 's' ) == [1].pack( 'n' ) )
 			return value
@@ -322,7 +322,7 @@ class Tlv
 	def ntohq( value )
 		return htonq( value )
 	end
-	
+
 end
 
 ###
@@ -685,5 +685,6 @@ class Packet < GroupTlv
 	end
 end
 
+
 end; end; end
 

data/lib/rex/proto/dhcp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 12471 2011-04-29 22:58:55Z scriptjunkie $
+# $Id: server.rb 13165 2011-07-14 02:34:25Z scriptjunkie $
 
 require 'rex/socket'
 require 'rex/proto/dhcp'
@@ -27,8 +27,6 @@ class Server
 		self.context = context
 		self.sock = nil
 
-		@shutting_down = false
-
 		self.myfilename = hash['FILENAME'] || ""
 		self.myfilename << ("\x00" * (128 - self.myfilename.length))
 
@@ -74,17 +72,10 @@ class Server
 		end
 
 		self.served = {}
-		if (hash['SERVEONCE'])
-			self.serveOnce = true
-		else
-			self.serveOnce = false
-		end
-		
-		if (hash['PXE'])
-			self.servePXE = true
-		else
-			self.servePXE = false
-		end
+		self.serveOnce = hash.include?('SERVEONCE')
+
+		self.servePXE = (hash.include?('PXE') or hash.include?('FILENAME') or hash.include?('PXEONLY'))
+		self.serveOnlyPXE = hash.include?('PXEONLY')
 
 		# Always assume we don't give out hostnames ...
 		self.give_hostname = false
@@ -120,8 +111,8 @@ class Server
 
 	# Stop the DHCP server
 	def stop
-		@shutting_down = true
 		self.thread.kill
+		self.served = {}
 		self.sock.close rescue nil
 	end
 
@@ -131,7 +122,7 @@ class Server
 		allowed_options = [
 			:serveOnce, :servePXE, :relayip, :leasetime, :dnsserv,
 			:pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
-			:give_hostname, :served_hostname, :served_over
+			:give_hostname, :served_hostname, :served_over, :serveOnlyPXE
 		]
 
 		opts.each_pair { |k,v|
@@ -158,7 +149,7 @@ class Server
 	attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
 	attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
 	attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
-	attr_accessor :servePXE, :pxeconfigfile, :pxepathprefix, :pxereboottime
+	attr_accessor :servePXE, :pxeconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
 	attr_accessor :give_hostname, :served_hostname, :served_over
 
 protected
@@ -242,24 +233,26 @@ protected
 			end
 		end
 
-		if pxeclient == false && self.servePXE == true
-			#dlog ("No tftp server request; ignoring (probably not PXE client)")
-			return
-		end
+		# don't serve if only serving PXE and not PXE request
+		return if pxeclient == false and self.serveOnlyPXE == true
 
 		# prepare response
 		pkt = [Response].pack('C')
 		pkt << buf[1..7] #hwtype, hwlen, hops, txid
 		pkt << "\x00\x00\x00\x00"  #elapsed, flags
 		pkt << clientip
-		if messageType == DHCPDiscover
-			# give next ip address (not super reliable high volume but it should work for a basic server)
+
+		# if this is somebody we've seen before, use the saved IP
+		if self.served.include?( buf[28..43] )
+			pkt << Rex::Socket.addr_iton(self.served[buf[28..43]][0])
+		else # otherwise go to next ip address
 			self.current_ip += 1
 			if self.current_ip > self.end_ip
 				self.current_ip = self.start_ip
 			end
+			self.served.merge!( buf[28..43] => [ self.current_ip, messageType == DHCPRequest ] )
+			pkt << Rex::Socket.addr_iton(self.current_ip)
 		end
-		pkt << Rex::Socket.addr_iton(self.current_ip)
 		pkt << self.ipstring #next server ip
 		pkt << self.relayip
 		pkt << buf[28..43] #client hw address
@@ -270,15 +263,17 @@ protected
 
 		if messageType == DHCPDiscover  #DHCP Discover - send DHCP Offer
 			pkt << [DHCPOffer].pack('C')
-			# check if already served based on hw addr (MAC address)
-			if self.serveOnce == true && self.served.has_key?(buf[28..43])
-				#dlog ("Already served; allowing normal boot")
+			# check if already served an Ack based on hw addr (MAC address)
+			# if serveOnce & PXE, don't reply to another PXE request 
+			# if serveOnce & ! PXE, don't reply to anything
+			if self.serveOnce == true and self.served.has_key?(buf[28..43]) and
+					self.served[buf[28..43]][1] and (pxeclient == true or self.servePXE == false)
 				return
 			end
 		elsif messageType == DHCPRequest #DHCP Request - send DHCP ACK
+			self.served[buf[28..43]][1] = true # mark as requested
 			pkt << [DHCPAck].pack('C')
 			# now we ignore their discovers (but we'll respond to requests in case a packet was lost)
-			self.served.merge!( buf[28..43] => true ) 
 			if ( self.served_over != 0 )
 				# NOTE: this is sufficient for low-traffic net
 				# for high-traffic, this will probably lead to
@@ -286,8 +281,7 @@ protected
 				self.served_over += 1
 			end
 		else
-			#dlog("ignoring unknown DHCP request - type #{messageType}")
-			return
+			return  # ignore unknown DHCP request
 		end
 
 		# Options!
@@ -296,20 +290,20 @@ protected
 		pkt << dhcpoption(OpSubnetMask, self.netmaskn)
 		pkt << dhcpoption(OpRouter, self.router)
 		pkt << dhcpoption(OpDns, self.dnsserv)
-		pkt << dhcpoption(OpPXEMagic, PXEMagic)
-		pkt << dhcpoption(OpPXEConfigFile, self.pxeconfigfile)
-		pkt << dhcpoption(OpPXEPathPrefix, self.pxepathprefix)
-		pkt << dhcpoption(OpPXERebootTime, [self.pxereboottime].pack('N'))
-		if ( self.give_hostname == true )
-			send_hostname = self.served_hostname
-			if ( self.served_over != 0 )
-				# NOTE : see above comments for the 'uniqueness'
-				# of this value
-				send_hostname += self.served_over.to_s
+		if self.servePXE  # PXE options
+			pkt << dhcpoption(OpPXEMagic, PXEMagic)
+			pkt << dhcpoption(OpPXEConfigFile, self.pxeconfigfile)
+			pkt << dhcpoption(OpPXEPathPrefix, self.pxepathprefix)
+			pkt << dhcpoption(OpPXERebootTime, [self.pxereboottime].pack('N'))
+			if ( self.give_hostname == true )
+				send_hostname = self.served_hostname
+				if ( self.served_over != 0 )
+					# NOTE : see above comments for the 'uniqueness' of this value
+					send_hostname += self.served_over.to_s
+				end
+				pkt << dhcpoption(OpHostname, send_hostname)
 			end
-			pkt << dhcpoption(OpHostname, send_hostname)
 		end
-
 		pkt << dhcpoption(OpEnd)
 
 		pkt << ("\x00" * 32) #padding