librex 0.0.44 → 0.0.46

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb

@@ -263,13 +263,30 @@ class Console::CommandDispatcher::Stdapi::Net
 					print_error("Failed to stop TCP relay on #{lhost || '0.0.0.0'}:#{lport}")
 				end
 
+			when "flush"
+
+				counter = 0
+				service.each_tcp_relay do |lhost, lport, rhost, rport, opts|
+					next if (opts['MeterpreterRelay'] == nil)
+
+					if (service.stop_tcp_relay(lport, lhost))
+						print_status("Successfully stopped TCP relay on #{lhost || '0.0.0.0'}:#{lport}")
+					else
+						print_error("Failed to stop TCP relay on #{lhost || '0.0.0.0'}:#{lport}")
+						next
+					end 
+
+					counter += 1
+				end
+				print_status("Successfully flushed #{counter} rules")
+
 			else
 				cmd_portfwd_help
 		end
 	end
 
 	def cmd_portfwd_help
-		print_line "Usage: portfwd [-h] [add / delete / list] [args]"
+		print_line "Usage: portfwd [-h] [add | delete | list | flush] [args]"
 		print_line
 		print @@portfwd_opts.usage
 	end

data/lib/rex/proto.rb

@@ -3,6 +3,7 @@ require 'rex/proto/smb'
 require 'rex/proto/ntlm'
 require 'rex/proto/dcerpc'
 require 'rex/proto/drda'
+require 'rex/proto/iax2'
 
 module Rex
 module Proto

data/lib/rex/proto/http/client.rb

@@ -15,6 +15,8 @@ module Http
 ###
 class Client
 
+	DefaultUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+
 	#
 	# Creates a new client instance
 	#
@@ -29,7 +31,7 @@ class Client
 			'read_max_data'   => (1024*1024*1),
 			'vhost'           => self.hostname,
 			'version'         => '1.1',
-			'agent'           => "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
+			'agent'           => DefaultUserAgent,
 			#
 			# Evasion options
 			#

data/lib/rex/proto/iax2.rb

@@ -0,0 +1 @@
+require 'rex/proto/iax2/client'

data/lib/rex/proto/iax2/call.rb

@@ -0,0 +1,320 @@
+module Rex
+module Proto
+module IAX2
+class Call
+
+	attr_accessor :client
+	attr_accessor :oseq, :iseq
+	attr_accessor :scall, :dcall
+	attr_accessor :codec, :state
+	attr_accessor :ring_start, :ring_finish
+	attr_accessor :itime
+	attr_accessor :queue
+	attr_accessor :audio_hook
+	attr_accessor :audio_buff
+	attr_accessor :time_limit
+	attr_accessor :busy
+	
+	attr_accessor :caller_name
+	attr_accessor :caller_number
+	attr_accessor :dtmf
+	
+	
+	def initialize(client, src_id)
+		self.client = client
+		self.scall  = src_id
+		self.dcall  = 0 
+		self.iseq   = 0
+		self.oseq   = 0
+		self.state  = nil
+		
+		self.itime  = ::Time.now
+		self.queue  = ::Queue.new 
+		
+		self.audio_buff = []
+		
+		self.busy = false
+		self.dtmf = ''
+	end
+	
+	
+	def dprint(msg)
+		self.client.dprint(msg)
+	end 
+
+	def wait_for(*stypes)
+		begin
+			::Timeout.timeout( IAX_DEFAULT_TIMEOUT ) do
+				while (res = self.queue.pop )
+					if stypes.include?(res[1])
+						return res
+					end
+				end
+			end
+		rescue ::Timeout::Error
+			return nil
+		end
+	end
+	
+	# Register with the IAX endpoint
+	def register
+		self.client.send_regreq(self)
+		res = wait_for( IAX_SUBTYPE_REGAUTH, IAX_SUBTYPE_REGREJ )
+		return if not res
+
+		if res[1] == IAX_SUBTYPE_REGREJ 
+			reason = res[2][IAX_IE_REGREJ_CAUSE] || "Unknown Reason"
+			dprint("REGREJ: #{reason}")
+			# Acknowledge the REGREJ
+			self.client.send_ack(self)			
+			return
+		end 
+
+		chall = nil
+		if res[2][14] == "\x00\x03" and res[2][IAX_IE_CHALLENGE_DATA]
+			self.dcall = res[0][0]
+			chall = res[2][IAX_IE_CHALLENGE_DATA]
+		end
+		
+		self.client.send_regreq_chall_response(self, chall)
+		res = wait_for( IAX_SUBTYPE_REGACK, IAX_SUBTYPE_REGREJ )
+		return if not res
+
+		if res[1] == IAX_SUBTYPE_REGREJ 
+			reason = res[2][IAX_IE_REGREJ_CAUSE] || "Unknown Reason"
+			dprint("REGREJ: #{reason}")
+			return
+		end 
+		
+		if res[2][IAX_IE_APPARENT_ADDR]
+			r_fam, r_port, r_addr = res[2][IAX_IE_APPARENT_ADDR].unpack('nnA4')
+			r_addr = r_addr.unpack("C*").map{|x| x.to_s }.join(".")
+			dprint("REGACK: Registered from address #{r_addr}:#{r_port}")
+		end
+		
+		# Acknowledge the REGACK
+		self.client.send_ack(self)
+		
+		self.state = :registered
+
+		true
+	end
+
+	def dial(number)
+		self.client.send_new(self, number)
+		res = wait_for(IAX_SUBTYPE_AUTHREQ, IAX_SUBTYPE_ACCEPT)
+		return if not res
+
+		# Handle authentication if its requested
+		if res[1] == IAX_SUBTYPE_AUTHREQ
+			chall = nil
+			if res[2][14] == "\x00\x03" and res[1][15]
+				self.dcall = res[0][0]
+				chall = res[2][15]
+			end
+
+			self.client.send_authrep_chall_response(self, chall)
+			res = wait_for( IAX_SUBTYPE_ACCEPT)
+			return if not res
+		end
+
+		self.codec = res[2][IAX_IE_DESIRED_CODEC].unpack("N")[0]
+		self.state = :ringing
+		self.ring_start = ::Time.now.to_i
+		self.client.send_ack(self)
+		true
+	end
+
+	def hangup
+		self.client.send_hangup(self)
+		self.state = :hangup
+		true
+	end
+	
+	def ring_time
+		(self.ring_finish || Time.now).to_i - self.ring_start.to_i
+	end
+
+	def timestamp
+		(( ::Time.now - self.itime) * 1000.0 ).to_i & 0xffffffff
+	end
+
+	def process_elements(data,off=0)
+		res = {}
+		while( off < data.length )
+			ie_type = data[off    ,1].unpack("C")[0]
+			ie_len  = data[off + 1,2].unpack("C")[0]
+			res[ie_type] = data[off + 2, ie_len]
+			off += ie_len + 2
+		end
+		res
+	end
+	
+	# Handling incoming control packets
+	# TODO: Enforce sequence order to prevent duplicates from breaking our state
+	def handle_control(pkt)
+		src_call, dst_call, tstamp, out_seq, inp_seq, itype = pkt.unpack('nnNCCC')
+
+		# Scrub the high bits out of the call IDs
+		src_call ^= 0x8000 if (src_call & 0x8000 != 0)
+		dst_call ^= 0x8000 if (dst_call & 0x8000 != 0)
+
+		phdr = [ src_call, dst_call, tstamp, out_seq, inp_seq, itype ]
+
+		info  = nil
+		stype = pkt[11,1].unpack("C")[0]
+		info  = process_elements(pkt, 12) if [IAX_TYPE_IAX, IAX_TYPE_CONTROL].include?(itype)
+
+		if dst_call != self.scall
+			dprint("Incoming packet to inactive call: #{dst_call} vs #{self.scall}: #{phdr.inspect} #{stype.inspect} #{info.inspect}")
+			return
+		end
+
+		# Increment the received sequence number
+		self.iseq = (self.iseq + 1) & 0xff
+					
+		if self.state == :hangup
+			dprint("Packet received after hangup, replying with invalid")
+			self.client.send_invalid(self)
+			return
+		end
+
+		# Technically these all require an ACK reply
+		# NEW, HANGUP, REJECT, ACCEPT, PONG, AUTHREP, REGREL, REGACK, REGREJ, TXREL
+
+		case itype
+		when IAX_TYPE_DTMF_BEGIN
+			self.dprint("DTMF BEG: #{pkt[11,1]}")
+			self.dtmf << pkt[11,1]
+			
+		when IAX_TYPE_DTMF_END
+			self.dprint("DTMF END: #{pkt[11,1]}")
+			
+		when IAX_TYPE_CONTROL
+			case stype
+			when IAX_CTRL_HANGUP
+				dprint("HANGUP")
+				self.client.send_ack(self)
+				self.state = :hangup
+				
+			when IAX_CTRL_RINGING
+				dprint("RINGING")
+				self.client.send_ack(self)
+				
+			when IAX_CTRL_BUSY
+				dprint("BUSY")
+				self.busy  = true 
+				self.state = :hangup
+				self.client.send_ack(self)
+				
+			when IAX_CTRL_ANSWER
+				dprint("ANSWER")
+				if self.state == :ringing
+					self.state = :answered
+					self.ring_finish = ::Time.now.to_i
+				end 
+				self.client.send_ack(self)
+			
+			when IAX_CTRL_PROGRESS
+				dprint("PROGRESS")
+
+			when IAX_CTRL_PROCEED
+				dprint("PROCEED")
+												
+			when 255
+				dprint("STOP SOUNDS")
+			end
+			# Acknowledge all control packets	
+			# self.client.send_ack(self)
+		
+		when IAX_TYPE_IAX
+				
+			dprint( ["RECV", phdr, stype, info].inspect )
+			case stype
+			when IAX_SUBTYPE_HANGUP
+				self.state = :hangup
+				self.client.send_ack(self)
+			when IAX_SUBTYPE_LAGRQ
+				# Lagrps echo the timestamp
+				self.client.send_lagrp(self, tstamp)
+			when IAX_SUBTYPE_ACK
+				# Nothing to do here
+			when IAX_SUBTYPE_PING
+				# Pongs echo the timestamp 
+				self.client.send_pong(self, tstamp)
+			when IAX_SUBTYPE_PONG
+				self.client.send_ack(self)
+			else
+				dprint( ["RECV-QUEUE", phdr, stype, info].inspect )
+				self.queue.push( [phdr, stype, info ] )
+			end
+			
+		when IAX_TYPE_VOICE
+			v_codec = stype
+			if self.state == :answered
+				handle_audio(pkt)
+			end
+			self.client.send_ack(self)
+
+		when nil
+			dprint("Invalid control packet: #{pkt.unpack("H*")[0]}")
+		end
+	end
+
+	
+	# Encoded audio from the client
+	def handle_audio(pkt)
+		# Ignore audio received before the call is answered (ring ring)
+		return if self.state != :answered
+		
+		# Extract the data from the packet (full or mini)
+		data = audio_packet_data(pkt)
+
+		# Decode the data into linear PCM frames
+		buff = decode_audio_frame(data)
+		
+		# Call the caller-provided hook if its exists
+		if self.audio_hook
+			self.audio_buff(buff)
+		# Otherwise append the frame to the buffer
+		else
+			self.audio_buff << buff
+		end
+	end
+
+	def each_audio_frame(&block)
+		self.audio_buff.each do |frame|
+			block.call(frame)
+		end
+	end
+
+	def decode_audio_frame(buff)
+		case self.codec
+		
+		# Convert u-law into signed PCM
+		when IAX_CODEC_G711_MULAW
+			Rex::Proto::IAX2::Codecs::MuLaw.decode(buff)
+		
+		# Convert a-law into signed PCM
+		when IAX_CODEC_G711_ALAW
+			Rex::Proto::IAX2::Codecs::ALaw.decode(buff)
+			
+		# Linear little-endian signed PCM is our native format		
+		when IAX_CODEC_LINEAR_PCM
+			buff
+		
+		# Unsupported codec, return empty
+		else
+			dprint("UNKNOWN CODEC: #{self.codec.inspect}")
+			''
+		end
+	end
+	
+	def audio_packet_data(pkt)
+		(pkt[0,1].unpack("C")[0] & 0x80 == 0) ? pkt[4,pkt.length-4] : pkt[12,pkt.length-12]
+	end
+
+end
+end
+end
+end

data/lib/rex/proto/iax2/client.rb

@@ -0,0 +1,217 @@
+require 'rex/proto/iax2/constants'
+require 'rex/proto/iax2/codecs'
+require 'rex/proto/iax2/call'
+
+require 'rex/socket'
+require 'thread'
+require 'digest/md5'
+require 'timeout'
+
+module Rex
+module Proto
+module IAX2
+class Client
+
+	attr_accessor :caller_number, :caller_name, :server_host, :server_port
+	attr_accessor :username, :password
+	attr_accessor :sock, :monitor
+	attr_accessor :src_call_idx
+	attr_accessor :debugging
+	attr_accessor :calls	
+
+	def initialize(uopts={})
+		opts = {
+			:caller_number => '15555555555',
+			:caller_name   => '',
+			:server_port   => IAX2_DEFAULT_PORT,
+			:context       => { }
+		}.merge(uopts)
+		
+		self.caller_name   = opts[:caller_name]
+		self.caller_number = opts[:caller_number]
+		self.server_host   = opts[:server_host]
+		self.server_port   = opts[:server_port]
+		self.username      = opts[:username]
+		self.password      = opts[:password]
+		
+		self.sock = Rex::Socket::Udp.create(
+			'PeerHost' => self.server_host,
+			'PeerPort' => self.server_port,
+			'Context'  => opts[:context]
+		)
+		
+		self.monitor   = ::Thread.new { monitor_socket }
+
+		self.src_call_idx = 0
+		self.calls = {}
+		
+	end
+	
+	def shutdown
+		self.monitor.kill rescue nil
+	end
+	
+	def create_call
+		cid  = allocate_call_id()
+		self.calls[ cid ] = IAX2::Call.new(self, cid)
+	end
+
+	#
+	# Transport
+	#
+
+	def monitor_socket
+		while true
+			begin
+				pkt, src = self.sock.recvfrom(65535)
+				next if not pkt
+				
+				# Find the matching call object 
+				mcall = matching_call(pkt)				
+				next if not mcall
+	
+				if (pkt[0,1].unpack("C")[0] & 0x80) != 0
+					mcall.handle_control(pkt)
+				else
+					# Dispatch the buffer via the call handler
+					mcall.handle_audio(pkt)
+				end
+			rescue ::Exception => e
+				dprint("monitor_socket: #{e.class} #{e} #{e.backtrace}")
+				break
+			end
+		end
+		self.sock.close rescue nil
+	end
+	
+	def matching_call(pkt)
+		src_call = pkt[0,2].unpack('n')[0]
+		dst_call = nil
+		
+		if (src_call & 0x8000 != 0)
+			dst_call = pkt[2,2].unpack('n')[0]
+			dst_call ^= 0x8000 if (dst_call & 0x8000 != 0)
+		end
+		
+		src_call ^= 0x8000 if (src_call & 0x8000 != 0)
+		
+		# Find a matching call in our list
+		mcall = self.calls.values.select {|x| x.dcall == src_call or (dst_call and x.scall == dst_call) }.first
+		if not mcall
+			dprint("Packet received for non-existent call #{[src_call, dst_call].inspect}  vs #{self.calls.values.map{|x| [x.dcall, x.scall]}.inspect}")
+			return
+		end
+		mcall	
+	end
+	
+	def allocate_call_id
+		res = ( self.src_call_idx += 1 )
+		if ( res > 0x8000 )
+			self.src_call_idx = 1
+			res = 1
+		end
+		res
+	end
+
+	def dprint(msg)
+		return if not self.debugging
+		$stderr.puts "[#{Time.now.to_s}] #{msg}"
+	end
+
+	def send_data(call, data, inc_seq = true )
+		r = self.sock.sendto(data, self.server_host, self.server_port, 0)
+		if inc_seq
+			call.oseq = (call.oseq + 1) & 0xff
+		end
+		r
+	end
+
+	def send_ack(call)
+		data =	[ IAX_SUBTYPE_ACK ].pack('C')
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ), false )
+	end
+	
+	def send_pong(call, stamp)
+		data =	[ IAX_SUBTYPE_PONG ].pack('C')
+		send_data( call, create_pkt( call.scall, call.dcall, stamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+	def send_lagrp(call, stamp)
+		data =	[ IAX_SUBTYPE_LAGRP ].pack('C')
+		send_data( call, create_pkt( call.scall, call.dcall, stamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+
+	def send_invalid(call)
+		data =	[ IAX_SUBTYPE_INVAL ].pack('C')
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+	
+	def send_hangup(call)
+		data =	[ IAX_SUBTYPE_HANGUP ].pack('C')
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+	
+	def send_new(call, number)
+		data = [ IAX_SUBTYPE_NEW ].pack('C')
+		
+		cid = call.caller_number || self.caller_number
+		cid = number if cid == 'SELF'
+		
+		data << create_ie(IAX_IE_CALLING_NUMBER, cid )
+		data << create_ie(IAX_IE_CALLING_NAME, call.caller_name || self.caller_name)
+		data << create_ie(IAX_IE_DESIRED_CODEC, [IAX_SUPPORTED_CODECS].pack("N") )
+		data << create_ie(IAX_IE_ACTUAL_CODECS, [IAX_SUPPORTED_CODECS].pack("N") )
+		data << create_ie(IAX_IE_USERNAME, self.username) if self.username
+		data << create_ie(IAX_IE_CALLED_NUMBER, number)
+		data << create_ie(IAX_IE_ORIGINAL_DID, number)
+
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+	def send_authrep_chall_response(call, chall)
+		data =
+			[ IAX_SUBTYPE_AUTHREP ].pack('C') +
+			create_ie(IAX_IE_CHALLENGE_RESP, ::Digest::MD5.hexdigest( chall + self.password ))
+
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+	def send_regreq(call)
+		data = [ IAX_SUBTYPE_REGREQ ].pack('C')
+		data << create_ie(IAX_IE_USERNAME, self.username) if self.username
+		data << create_ie(IAX_IE_REG_REFRESH, [IAX_DEFAULT_REG_REFRESH].pack('n'))
+
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+	def send_regreq_chall_response(call, chall)
+		data =
+			[ IAX_SUBTYPE_REGREQ ].pack('C') +
+			create_ie(IAX_IE_USERNAME, self.username) +
+			create_ie(IAX_IE_CHALLENGE_RESP, ::Digest::MD5.hexdigest( chall + self.password )) +
+			create_ie(IAX_IE_REG_REFRESH, [IAX_DEFAULT_REG_REFRESH].pack('n'))
+
+		send_data( call, create_pkt( call.scall, call.dcall, call.timestamp, call.oseq, call.iseq, IAX_TYPE_IAX, data ) )
+	end
+
+	def create_ie(ie_type, ie_data)
+		[ie_type, ie_data.length].pack('CC') + ie_data
+	end
+
+	def create_pkt(src_call, dst_call, tstamp, out_seq, inp_seq, itype, data)
+		[
+			src_call | 0x8000,  # High bit indicates a full packet
+			dst_call,
+			tstamp,
+			out_seq & 0xff,     # Sequence numbers wrap at 8-bits
+			inp_seq & 0xff,     # Sequence numbers wrap at 8-bits
+			itype
+		].pack('nnNCCC') + data
+	end
+
+end
+end
+end
+end
+