librex 0.0.5 → 0.0.6

data/lib/rex/parser/netsparker_xml.rb

@@ -0,0 +1,94 @@
+module Rex
+module Parser
+
+
+class NetSparkerXMLStreamParser
+
+	attr_accessor :on_found_vuln
+
+	def initialize(on_found_vuln = nil)
+		self.on_found_vuln = on_found_vuln if on_found_vuln
+		reset_state		
+	end
+
+	def reset_state
+		@state = :generic_state
+		@vuln  = {'info' => []}
+		@attr  = {}
+	end
+
+	def tag_start(name, attributes)
+		@state = "in_#{name.downcase}".intern
+		@attr  = attributes
+		
+		case name
+		when "vulnerability"
+			@vuln['confirmed'] = attributes['confirmed']
+		end
+	end
+
+	def text(str)
+		case @state
+		when :in_url
+			@vuln['url'] ||= ""
+			@vuln['url']  += str
+		when :in_type
+			@vuln['type'] ||= ""		
+			@vuln['type']  += str
+		when :in_severity
+			@vuln['severity'] ||= ""
+			@vuln['severity']  += str
+		when :in_vulnerableparametertype
+			@vuln["vparam_type"] ||= ""
+			@vuln["vparam_type"]  += str
+		when :in_vulnerableparameter
+			@vuln["vparam_name"] ||= ""			
+			@vuln["vparam_name"]  += str		
+		when :in_vulnerableparametervalue
+			@vuln["vparam_value"] ||= ""		
+			@vuln["vparam_value"]  += str				
+		when :in_rawrequest
+			@vuln["request"] ||= ""			
+			@vuln["request"]  += str
+		when :in_rawresponse
+			@vuln["response"] ||= ""
+			@vuln["response"]  += str
+		when :in_info
+			# <info name="Identified Internal Path(s)">C:\AppServ\www\test-apps\dokeos\main\inc\banner.inc.php</info>
+			if not str.to_s.strip.empty?
+				@vuln['info'] << [@attr['name'] || "Information", str]
+			end
+		when :in_netsparker
+		when :in_target
+		when :in_scantime
+		when :generic_state
+		when :in_vulnerability
+		when :in_extrainformation
+		else 
+			# $stderr.puts "unknown state: #{@state}"
+		end
+	end
+
+	def tag_end(name)
+		case name
+		when "vulnerability"
+			@vuln.keys.each do |k|
+				@vuln[k] = @vuln[k].strip if @vuln[k].kind_of?(::String)
+			end
+			on_found_vuln.call(@vuln) if on_found_vuln
+			reset_state
+		end
+	end
+
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def xmldecl(version, encoding, standalone); end
+	def cdata; end
+	def comment(str); end
+	def instruction(name, instruction); end
+	def attlist; end
+end
+end
+end
+
+__END__
+

data/lib/rex/parser/retina_xml.rb

@@ -0,0 +1,109 @@
+module Rex
+module Parser
+
+# XXX - Retina XML does not include ANY service/port information export
+class RetinaXMLStreamParser
+
+	attr_accessor :on_found_host
+
+	def initialize(on_found_host = nil)
+		reset_state
+		self.on_found_host = on_found_host if on_found_host
+	end
+
+	def reset_state
+		@state = :generic_state
+		@host  = { 'vulns' => [] }
+		reset_audit_state
+	end
+	
+	def reset_audit_state
+		@audit = { 'refs' => [] }
+	end
+
+	def tag_start(name, attributes)
+		@state = "in_#{name.downcase}".intern
+	end
+
+	def text(str)
+		case @state
+		when :in_ip
+			@host["address"] = str
+		when :in_dnsname
+			@host["hostname"] = str.split(/\s+/).first
+		when :in_netbiosname
+			@host["netbios"] = str
+		when :in_mac
+			@host["mac"] = str
+		when :in_os
+			@host["os"] = str
+		when :in_rthid
+			@audit['refs'].push(['RETINA', str])
+		when :in_cve
+			str.split(",").each do |cve|
+				cve = cve.to_s.strip
+				next if cve.empty?
+				pre,val = cve.split('-', 2)
+				next if not val
+				next if pre != "CVE"
+				@audit['refs'].push( ['CVE', val] )
+			end
+		when :in_name
+			@audit['name'] = str
+		when :in_description
+			@audit['description'] = str
+		when :in_risk
+			@audit['risk'] = str
+		when :in_cce
+			@audit['cce'] = str
+		when :in_date
+			@audit['data'] = str
+		end
+	end
+
+	def tag_end(name)
+		case name
+		when "host"
+			on_found_host.call(@host) if on_found_host
+			reset_state
+		when "audit"
+			@host['vulns'].push @audit
+			reset_audit_state
+		end
+	end
+
+	# We don't need these methods, but they're necessary to keep REXML happy
+	def xmldecl(version, encoding, standalone); end
+	def cdata; end
+	def comment(str); end
+	def instruction(name, instruction); end
+	def attlist; end
+end
+end
+end
+
+__END__
+<scanJob>
+	<hosts>
+		<host>
+			<ip>10.2.79.98</ip>
+			<netBIOSName>bsmith-10156B07C</netBIOSName>
+			<dnsName>bsmith-10156b07c.core.testcorp.com  random.testcorp.com</dnsName>
+			<mac>00:02:29:0E:38:2B</mac>
+			<os>Windows Server 2003 (X64), Service Pack 2</os>
+			<audit>
+				<rthID>7851</rthID>
+				<cve>CVE-2009-0089,CVE-2009-0550,CVE-2009-0086</cve>
+				<cce>N/A</cce>
+				<name>Microsoft Windows HTTP Services Multiple Vulnerabilities (960803)</name>
+				<description>Microsoft Windows HTTP Services contains multiple vulnerabilities when handling ..</description>
+				<date>09/15/2010</date>
+				<risk>Low</risk>
+				<pciLevel>5 (Urgent)</pciLevel>
+				<cvssScore>10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]</cvssScore>
+				<fixInformation>....</fixInformation>
+			</audit>
+		</host>
+	</hosts>
+</scanJob>		
+

data/lib/rex/post/meterpreter/channel.rb

@@ -141,6 +141,11 @@ class Channel
 		if (cid and client)
 			client.add_channel(self)
 		end
+		ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.cid) )
+	end
+
+	def self.finalize(client,cid)
+		proc { self._close(client,cid) }
 	end
 
 	##
@@ -262,27 +267,29 @@ class Channel
 	#
 	# Closes the channel.
 	#
-	def _close(addends = nil)
-		if (self.cid == nil)
+	def self._close(client, cid, addends=nil)
+		if (cid == nil)
 			raise IOError, "Channel has been closed.", caller
 		end
 
 		request = Packet.create_request('core_channel_close')
 
 		# Populate the request
-		request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
+		request.add_tlv(TLV_TYPE_CHANNEL_ID, cid)
 		request.add_tlvs(addends)
 
-		self.client.send_request(request)
+		client.send_request(request, nil)
 
 		# Disassociate this channel instance
-		self.client.remove_channel(self.cid)
-
-		self.cid = nil
+		client.remove_channel(cid)
 
 		return true
 	end
-
+	
+	def _close(addends = nil)
+		self.class._close(self.client, self.cid, addends)
+		self.cid = nil
+	end
 	#
 	# Enables or disables interactive mode.
 	#

data/lib/rex/post/meterpreter/client.rb

@@ -41,6 +41,23 @@ class Client
 	#
 	@@ext_hash = {}
 
+	#
+	# Cached SSL certificate (required to scale)
+	#
+	@@ssl_ctx = nil
+	
+	#
+	# Mutex to synchronize class-wide operations
+	#
+	@@ssl_mutex = ::Mutex.new
+
+	#
+	# Lookup the error that occurred
+	#
+	def self.lookup_error(code)
+		code
+	end
+
 	#
 	# Checks the extension hash to see if a class has already been associated
 	# with the supplied extension name.
@@ -133,6 +150,11 @@ class Client
 	end
 
 	def generate_ssl_context
+		@@ssl_mutex.synchronize do 
+		if not @@ssl_ctx
+		
+		wlog("Generating SSL certificate for Meterpreter sessions")
+	
 		key  = OpenSSL::PKey::RSA.new(1024){ }
 		cert = OpenSSL::X509::Certificate.new
 		cert.version = 2
@@ -175,7 +197,14 @@ class Client
 
 		ctx.session_id_context = Rex::Text.rand_text(16)
 
-		return ctx
+		wlog("Generated SSL certificate for Meterpreter sessions")
+		
+		@@ssl_ctx = ctx
+		
+		end # End of if not @ssl_ctx
+		end # End of mutex.synchronize
+		
+		@@ssl_ctx
 	end
 
 	#
@@ -197,7 +226,7 @@ class Client
 	# waiting for a response.
 	#
 	def Client.default_timeout
-		return 30
+		return 300
 	end
 
 	##
@@ -233,7 +262,7 @@ class Client
 
 			# No new constants added?
 			if ((diff = new - old).empty?)
-				return false
+				diff = [ name.capitalize ]
 			end
 
 			klass = Rex::Post::Meterpreter::Extensions.const_get(diff[0]).const_get(diff[0])

data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb

@@ -51,7 +51,7 @@ class Sniffer < Extension
 		request = Packet.create_request('sniffer_capture_start')
 		request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
 		request.add_tlv(TLV_TYPE_SNIFFER_PACKET_COUNT, maxp.to_i)
-		request.add_tlv(TLV_TYPE_SNIFFER_ADDITIONAL_FILTER, filter) if filter.length
+		request.add_tlv(TLV_TYPE_SNIFFER_ADDITIONAL_FILTER, filter) if filter.length > 0
 		response = client.send_request(request)	
 	end
 	

data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb

@@ -18,7 +18,7 @@ module Fs
 ###
 class Dir < Rex::Post::Dir
 
-	class <<self
+	class << self
 		attr_accessor :client
 	end
 
@@ -192,7 +192,7 @@ class Dir < Rex::Post::Dir
 	# Downloads the contents of a remote directory a 
 	# local directory, optionally in a recursive fashion.
 	#
-	def Dir.download(dst, src, recursive = false, &stat)
+	def Dir.download(dst, src, recursive = false, force = true, &stat)
 		self.entries(src).each { |src_sub|
 			dst_item = dst + ::File::SEPARATOR + src_sub
 			src_item = src + File::SEPARATOR + src_sub
@@ -205,8 +205,17 @@ class Dir < Rex::Post::Dir
 
 			if (src_stat.file?)
 				stat.call('downloading', src_item, dst_item) if (stat)
-				client.fs.file.download(dst_item, src_item)
-				stat.call('downloaded', src_item, dst_item) if (stat)
+				begin 
+					client.fs.file.download(dst_item, src_item)
+					stat.call('downloaded', src_item, dst_item) if (stat)
+				rescue ::Rex::Post::Meterpreter::RequestError => e
+					if force
+						stat.call('failed', src_item, dst_item) if (stat)
+					else
+						raise e
+					end
+				end
+				
 			elsif (src_stat.directory?)
 				if (recursive == false)
 					next
@@ -218,7 +227,7 @@ class Dir < Rex::Post::Dir
 				end
 
 				stat.call('mirroring', src_item, dst_item) if (stat)
-				download(dst_item, src_item, recursive, &stat)
+				download(dst_item, src_item, recursive, force, &stat)
 				stat.call('mirrored', src_item, dst_item) if (stat)
 			end
 		}

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb

@@ -28,7 +28,7 @@ Separator = "\\"
 
 	include Rex::Post::File
 	
-	class <<self
+	class << self
 		attr_accessor :client
 	end
 	

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb

@@ -84,7 +84,7 @@ class Socket
 		begin
 			return SocketSubsystem::TcpServerChannel.open(client, params)
 		rescue ::Rex::Post::Meterpreter::RequestError => e
-			case e.result
+			case e.code
 			when 10000 .. 10100
 				raise ::Rex::ConnectionError.new
 			end
@@ -103,7 +103,7 @@ class Socket
 			end
 			return nil
 		rescue ::Rex::Post::Meterpreter::RequestError => e
-			case e.result
+			case e.code
 			when 10000 .. 10100
 				raise ::Rex::ConnectionError.new
 			end
@@ -118,7 +118,7 @@ class Socket
 		begin
 			return SocketSubsystem::UdpChannel.open(client, params)
 		rescue ::Rex::Post::Meterpreter::RequestError => e
-			case e.result
+			case e.code
 				when 10000 .. 10100
 				raise ::Rex::ConnectionError.new
 			end

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb

@@ -168,7 +168,7 @@ class TcpClientChannel < Rex::Post::Meterpreter::Stream
 		begin
 			super(*args)
 		rescue ::Rex::Post::Meterpreter::RequestError => e
-			case e.result
+			case e.code
 			when 10000 .. 10100
 				raise ::Rex::ConnectionError.new
 			end

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb

@@ -194,7 +194,7 @@ class UdpChannel < Rex::Post::Meterpreter::Channel
 		begin
 			super(*args)
 		rescue ::Rex::Post::Meterpreter::RequestError => e
-			case e.result
+			case e.code
 			when 10000 .. 10100
 				raise ::Rex::ConnectionError.new
 			end

data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb

@@ -16,6 +16,7 @@ require 'rex/post/meterpreter/extensions/stdapi/sys/event_log'
 require 'rex/post/meterpreter/extensions/stdapi/sys/power'
 require 'rex/post/meterpreter/extensions/stdapi/railgun/railgun'
 require 'rex/post/meterpreter/extensions/stdapi/ui'
+require 'rex/post/meterpreter/extensions/stdapi/webcam/webcam'
 
 module Rex
 module Post
@@ -74,6 +75,10 @@ class Stdapi < Extension
 					'name' => 'railgun',
 					'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun.new(client)
 				},
+				{
+					'name' => 'webcam',
+					'ext'  => Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam.new(client)
+				},
 				{
 					'name' => 'ui',
 					'ext'  => UI.new(client)