librex 0.0.5 → 0.0.6

data/README.md

@@ -4,7 +4,7 @@ REX
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision: 10547
+SVN Revision: 11474
 
 Credits
 ===

data/Rakefile

@@ -0,0 +1,13 @@
+$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
+ 
+task :build do
+  system "gem build librex.gemspec"
+end
+ 
+task :release => :build do
+  system "gem push librex-*.gem"
+end
+
+task :clean do
+	system "rm *.gem"
+end

data/lib/rex.rb

@@ -2,7 +2,7 @@
 
 The Metasploit Rex library is provided under the 3-clause BSD license.
 
-Copyright (c) 2005-2006, Rapid7 LLC
+Copyright (c) 2005-2010, Rapid7 LLC
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -49,6 +49,9 @@ require 'rex/file'
 # Thread safety and synchronization
 require 'rex/sync'
 
+# Thread factory
+require 'rex/thread_factory'
+
 # Encoding
 require 'rex/encoder/xor'
 require 'rex/encoding/xor'

data/lib/rex/assembly/nasm.rb

@@ -42,6 +42,8 @@ class Nasm
 
 		# Open the temporary file
 		tmp = Tempfile.new('nasmXXXX')
+		tmp.binmode
+		
 		tpath = tmp.path
 		opath = tmp.path + '.out'
 
@@ -72,6 +74,8 @@ class Nasm
 		check
 
 		tmp = Tempfile.new('nasmout')
+		tmp.binmode
+		
 		tfd = File.open(tmp.path, "wb")
 
 		tfd.write(raw)

data/lib/rex/compat.rb

@@ -37,7 +37,7 @@ ENABLE_PROCESSED_INPUT = 1
 
 def self.is_windows
 	return @@is_windows if @@is_windows
-	@@is_windows = (RUBY_PLATFORM =~ /mswin32/) ? true : false
+	@@is_windows = (RUBY_PLATFORM =~ /mswin32|mingw32/) ? true : false
 end
 
 def self.is_cygwin
@@ -80,6 +80,18 @@ def self.is_java
 	@@is_java = (RUBY_PLATFORM =~ /java/) ? true : false
 end
 
+def self.is_wow64
+	return false if not is_windows
+	is64 = false
+	begin
+		buff = "\x00" * 4
+		Win32API.new("kernel32","IsWow64Process",['L','P'],'L').call(-1, buff)
+		is64 = (buff.unpack("V")[0]) == 1 ? true : false
+	rescue ::Exception
+	end
+	is64
+end
+
 def self.cygwin_to_win32(path)
 	if(path !~ /^\/cygdrive/)
 		return ::IO.popen("cygpath -w #{path}", "rb").read.strip
@@ -115,6 +127,23 @@ def self.open_browser(url='http://metasploit.com/')
 	when /darwin/
 		system("open #{url}")
 	else
+		# Search through the PATH variable (if it exists) and chose a browser
+		# We are making an assumption about the nature of "PATH" so tread lightly
+		if defined? ENV['PATH']
+			# "sensible-browser" opens the "default" browser in Ubuntu and others, so try that first
+			#  but also provide fallbacks
+			['sensible-browser', 'firefox', 'opera', 'chromium-browser', 'konqueror'].each do |browser|
+					ENV['PATH'].split(':').each do |path|
+					# Does the browser exists?
+					if File.exists?("#{path}/#{browser}")
+						system("#{browser} #{url} &")
+						return
+					end
+				end
+			end
+		end
+
+		# If nothing else worked, default to firefox
 		system("firefox #{url} &")
 	end
 end
@@ -231,6 +260,7 @@ def self.temp_copy(path)
 	raise RuntimeError,"missing Tempfile" if not @@loaded_tempfile
 	fd = File.open(path, "rb")
 	tp = Tempfile.new("msftemp")
+	tp.binmode
 	tp.write(fd.read(File.size(path)))
 	tp.close
 	fd.close

data/lib/rex/encoder/alpha2/generic.rb

@@ -54,20 +54,21 @@ class Generic
 		gen_base_set(block).each do |randbase_|
 			second   = gen_second(block, randbase_)
 			next if second < 0
-			if(accepted_chars.include?([second].pack('C')))
+			if accepted_chars.include?([second].pack('C'))
 				found    = second
 				randbase = randbase_
 				break
 			end
 		end
 
-		if(not found)
-			raise RuntimeError, "No valid base found for #{"0x%.2x" % block}"
-		end
-
-		raise RuntimeError, "Negative" if second < 0
-		if !(accepted_chars.include?([second].pack('C')))
-			raise RuntimeError, "BadChar; #{block} to #{second}"
+		if not found
+			msg = "No valid base found for #{"0x%.2x" % block}"
+			if not accepted_chars.include?([second].pack('C'))
+				msg << ": BadChar to #{second}"
+			elsif second < 1
+				msg << ": Negative"
+			end
+			raise RuntimeError, msg
 		end
 
 		if (randbase > 0xa0)
@@ -79,10 +80,10 @@ class Generic
 		else
 			# pick one at "random"
 			first = (randbase/0x10)
-			if (first % 2)
+			if (first % 2) > 0
 				first += 0x40
 			else
-				randbase += 0x50
+				first += 0x50
 			end
 		end
 

data/lib/rex/exceptions.rb

@@ -61,7 +61,7 @@ class ArgumentError < ::ArgumentError
 	def to_s
 		str = 'An invalid argument was specified.'
 		if @message
-			str += " #{@message}"
+			str << " #{@message}"
 		end
 		str
 	end

data/lib/rex/exploitation/egghunter.rb

@@ -18,6 +18,7 @@ module Exploitation
 # Checksum checking implemented by dijital1/corelanc0d3r
 # Checksum code merged to Egghunter by jduck
 # Conversion to use Metasm by jduck
+# Startreg code added by corelanc0d3r
 #
 ###
 class Egghunter
@@ -38,12 +39,25 @@ class Egghunter
 			#
 			def hunter_stub(payload, badchars = '', opts = {})
 
+				startreg = opts[:startreg]
+
 				raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
 				marker = "0x%x" % opts[:eggtag].unpack('V').first
 
 				checksum = checksum_stub(payload, badchars, opts)
 
+				startstub = ''
+				if startreg
+					if startreg.downcase != 'edx'
+						startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr"
+					else
+						startstub = "\n\tjmp next_addr"
+					end
+				end
+				startstub << "\n\t" if startstub.length > 0
+
 				assembly = <<EOS
+#{startstub}
 check_readable:
 	or dx,0xfff
 next_addr:
@@ -97,13 +111,26 @@ EOS
 			#
 			def hunter_stub(payload, badchars = '', opts = {})
 
+				startreg = opts[:startreg]
+
 				raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
 				marker = "0x%x" % opts[:eggtag].unpack('V').first
 
 				checksum = checksum_stub(payload, badchars, opts)
 
+				startstub = ''
+				if startreg
+					if startreg.downcase != 'ecx'
+						startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
+					else
+						startstub = "\n\tjmp next_addr"
+					end
+				end
+				startstub << "\n\t" if startstub.length > 0
+
 				assembly = <<EOS
 	cld
+#{startstub}
 check_readable:
 	or cx,0xfff
 next_addr:

data/lib/rex/file.rb

@@ -1,5 +1,6 @@
 require 'find'
 require 'rex/compat'
+require 'tempfile'
 
 module Rex
 
@@ -26,6 +27,10 @@ module FileUtils
 		if (path)
 			path.split(::File::PATH_SEPARATOR).each { |base|
 				begin
+					# Deal with Windows paths surrounded by quotes.  Prevents
+					# silliness like trying to look for
+					# '"C:\\framework\\nmap"\\nmap.exe' which will always fail.
+					base = $1 if base =~ /^"(.*)"$/
 					path = base + ::File::SEPARATOR + file_name
 					if (::File::Stat.new(path) and not ::File.directory?(path))
 						return path
@@ -39,6 +44,14 @@ module FileUtils
 
 end
 
+class Quickfile < ::Tempfile
+	def initialize(*args)
+		super(*args)
+		self.binmode
+		ObjectSpace.undefine_finalizer(self)	
+	end
+end
+
 module Find
   #
   # Identical to Find.find from Ruby, but follows symlinks to directories.

data/lib/rex/io/stream.rb

@@ -34,19 +34,27 @@ module Stream
 	def write(buf, opts = {})
 		total_sent   = 0
 		total_length = buf.length
+		block_size   = 32768
 		begin
 			while( total_sent < total_length )
 				s = Rex::ThreadSafe.select( nil, [ fd ], nil, 0.2 )
 				if( s == nil || s[0] == nil )
 					next
 				end
-				data = buf[0, 32768]
+				data = buf[0, block_size]
 				sent = fd.write_nonblock( data )
 				if sent > 0
 					total_sent += sent
 					buf[0, sent] = ""
 				end
 			end
+		rescue ::Errno::EAGAIN
+			# Sleep for a half a second, or until we can write again
+			Rex::ThreadSafe.select( nil, [ fd ], nil, 0.5 )
+			# Decrement the block size to handle full sendQs better
+			block_size = 1024
+			# Try to write the data again
+			retry
 		rescue ::IOError, ::Errno::EPIPE
 			return nil if (fd.abortive_close == true)
 			raise $!

data/lib/rex/io/stream_abstraction.rb

@@ -53,8 +53,7 @@ module StreamAbstraction
 		self.lsock.extend(Ext)
 		self.rsock.extend(Rex::IO::Stream)
 
-    self.monitor_rsock
-
+		self.monitor_rsock
 	end
 
 	#
@@ -122,26 +121,37 @@ module StreamAbstraction
 protected
 
 	def monitor_rsock
-		self.monitor_thread = ::Thread.new {
+		self.monitor_thread = Rex::ThreadFactory.spawn("StreamMonitorRemote", false) {
 			loop do
 				closed = false
 				buf    = nil
 
+				if not self.rsock
+					wlog("monitor_rsock: the remote socket is nil, exiting loop")
+					break
+				end
+
 				begin
 					s = Rex::ThreadSafe.select( [ self.rsock ], nil, nil, 0.2 )
 					if( s == nil || s[0] == nil )
 						next
 					end
 				rescue Exception => e
+					wlog("monitor_rsock: exception during select: #{e.class} #{e}")
 					closed = true
 				end
 
 				if( closed == false )
 					begin
 						buf = self.rsock.sysread( 32768 )
-						closed = true if( buf == nil )
-					rescue
+						if buf == nil
+							closed = true
+							wlog("monitor_rsock: closed remote socket due to nil read")
+						end
+
+					rescue ::Exception
 						closed = true
+						wlog("monitor_rsock: exception during read: #{e.class} #{e}")						
 					end
 				end
 
@@ -162,14 +172,15 @@ protected
 							end
 						rescue ::IOError => e
 							closed = true
+							wlog("monitor_rsock: exception during write: #{e.class} #{e}")
 							break
 						end
 					end
 				end
 
 				if( closed )
-					self.close_write
-					::Thread.exit
+					self.close_write if self.respond_to?('close_write')
+					break
 				end
 			end
 		}

data/lib/rex/io/stream_server.rb

@@ -62,10 +62,10 @@ module StreamServer
 	def start
 		self.clients = []
 
-		self.listener_thread = Thread.new {
+		self.listener_thread = Rex::ThreadFactory.spawn("StreamServerListener", false) {
 			monitor_listener
 		}
-		self.clients_thread = Thread.new {
+		self.clients_thread = Rex::ThreadFactory.spawn("StreamServerClientMonitor", false) {
 			monitor_clients
 		}
 	end

data/lib/rex/job_container.rb

@@ -28,7 +28,7 @@ class Job
 	def start(async = false)
 		self.start_time = Time.now
 		if (async)
-			self.job_thread = Thread.new {
+			self.job_thread = Rex::ThreadFactory.spawn("JobID(#{jid})-#{name}", false) {
 				# Deschedule our thread momentarily
 				::IO.select(nil, nil, nil, 0.01)
 

data/lib/rex/mime/message.rb

@@ -83,16 +83,17 @@ class Message
 
 	def add_part(data='', content_type='text/plain', transfer_encoding="8bit", content_disposition=nil)
 		part = Rex::MIME::Part.new
+
+		if (content_disposition)
+			part.header.set("Content-Disposition", content_disposition)
+		end
+
 		part.header.set("Content-Type", content_type)
 
 		if (transfer_encoding)
 			part.header.set("Content-Transfer-Encoding", transfer_encoding)
 		end
 
-		if (content_disposition)
-			part.header.set("Content-Disposition", content_disposition)
-		end
-
 		part.content = data
 		self.parts << part
 		part

data/lib/rex/ole.rb

@@ -1,6 +1,6 @@
 ##
-# $Id: ole.rb 8457 2010-02-11 18:36:38Z jduck $
-# Version: $Revision: 8457 $
+# $Id: ole.rb 11444 2010-12-29 17:07:46Z jduck $
+# Version: $Revision: 11444 $
 ##
 
 ##
@@ -30,6 +30,7 @@
 #  8. R/W substorages (including nesting)
 #  9. full directory support (hierarchal and flattened access)
 # 10. big and little endian files (although only little endian was tested)
+# 11. PropertySet streams (except .to_s)
 #
 #
 # TODO (in order of priority):
@@ -40,10 +41,9 @@
 #     - may lead to allocating more fat sectors :-/
 #  4. properly support mode params for open_stream/open_storage/etc
 #  5. optimize to prevent unecessary loading/writing
-#  6. support for auxillary streams (DocumentSummaryInformation and SummaryInformation)
-#  7. support non-committal editing (open, change, close w/o save)
-#  8. support timestamps
-#  9. provide interface to change paramters (endian, etc)
+#  6. support non-committal editing (open, change, close w/o save)
+#  7. support timestamps
+#  8. provide interface to change paramters (endian, etc)
 #
 #
 # TO INVESTIGATE:
@@ -124,5 +124,82 @@ require 'rex/ole/substorage'
 require 'rex/ole/stream'
 
 
+# constants for property sets
+# PropertyIds
+PID_DICTIONARY  = 0x00000000
+PID_CODEPAGE    = 0x00000001
+PID_LOCALE      = 0x80000000
+PID_BEHAVIOR    = 0x80000003
+# Well-known PropertyIds
+PIDSI_TITLE        = 0x02
+PIDSI_SUBJECT      = 0x03
+PIDSI_AUTHOR       = 0x04
+PIDSI_KEYWORDS     = 0x05
+PIDSI_COMMENTS     = 0x06
+PIDSI_TEMPLATE     = 0x07
+PIDSI_LASTAUTHOR   = 0x08
+PIDSI_REVNUMBER    = 0x09
+PIDSI_EDITTIME     = 0x0a
+PIDSI_LASTPRINTED  = 0x0b
+PIDSI_CREATE_DTM   = 0x0c
+PIDSI_LASTSAVE_DTM = 0x0d
+PIDSI_PAGECOUNT    = 0x0e
+PIDSI_WORDCOUNT    = 0x0f
+PIDSI_CHARCOUNT    = 0x10
+PIDSI_THUMBNAIL    = 0x11
+PIDSI_APPNAME      = 0x12
+PIDSI_DOC_SECURITY = 0x13
+# PropertyTypes
+VT_EMPTY        = 0x00
+VT_NULL         = 0x01
+VT_I2           = 0x02
+VT_I4           = 0x03
+VT_R4           = 0x04
+VT_R8           = 0x05
+VT_CY           = 0x06
+VT_DATE         = 0x07
+VT_BSTR         = 0x08
+VT_ERROR        = 0x0a
+VT_BOOL         = 0x0b
+VT_VARIANT      = 0x0c # used with VT_VECTOR
+# 0xd
+VT_DECIMAL      = 0x0e
+# 0xf
+VT_I1           = 0x10
+VT_UI1          = 0x11
+VT_UI2          = 0x12
+VT_UI4          = 0x13
+VT_I8           = 0x14
+VT_UI8          = 0x15
+VT_INT          = 0x16
+VT_UINT         = 0x17
+VT_LPSTR        = 0x1e
+VT_LPWSTR       = 0x1f
+# 0x20-0x3f
+VT_FILETIME     = 0x40
+VT_BLOB         = 0x41
+VT_STREAM       = 0x42
+VT_STORAGE      = 0x43
+VT_STREAMED_OBJ = 0x44
+VT_STORED_OBJ   = 0x45
+VT_BLOB_OBJ     = 0x46
+VT_CF           = 0x47 # Clipboard Format
+VT_CLSID        = 0x48
+VT_VERSIONED_STREAM = 0x49
+# Flags
+VT_VECTOR       = 0x1000
+VT_ARRAY        = 0x2000 # Requires OLE version >= 1
+# Format IDs
+FMTID_SummaryInformation    = "\xe0\x85\x9f\xf2\xf9\x4f\x68\x10\xab\x91\x08\x00\x2b\x27\xb3\xd9"
+FMTID_DocSummaryInformation = "\x02\xd5\xcd\xd5\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae"
+FMTID_UserDefinedProperties = "\x05\xd5\xcd\xd5\x9c\x2e\x1b\x10\x93\x97\x08\x00\x2b\x2c\xf9\xae"
+FMTID_GlobalInfo            = "\x00\x6f\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b"
+FMTID_ImageContents         = "\x00\x64\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b"
+FMTID_ImageInfo             = "\x00\x65\x61\x56\x54\xc1\xce\x11\x85\x53\x00\xaa\x00\xa1\xf9\x5b"
+FMTID_PropertyBag           = "\x01\x18\x00\x20\xe6\x5d\xd1\x11\x8e\x38\x00\xc0\x4f\xb9\x38\x6d"
+# defines PropertySet class
+require 'rex/ole/propset'
+
+
 end
 end