librex 0.0.5 → 0.0.6

data/lib/rex/proto/rfb.rb

@@ -0,0 +1,19 @@
+##
+# $Id: $
+##
+
+##
+#
+# RFB protocol support
+#
+# by Joshua J. Drake <jduck>
+#
+# Based on:
+# vnc_auth_none contributed by Matteo Cantoni <goony[at]nothink.org>
+# vnc_auth_login contributed by carstein <carstein.sec[at]gmail.com>
+#
+##
+
+require 'rex/proto/rfb/constants'
+require 'rex/proto/rfb/cipher'
+require 'rex/proto/rfb/client'

data/lib/rex/proto/rfb.rb.ut.rb

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+
+##
+# $Id: $
+##
+
+##
+#
+# RFB protocol support
+#
+# by Joshua J. Drake <jduck>
+#
+# Based on:
+# vnc_auth_none contributed by Matteo Cantoni <goony[at]nothink.org>
+# vnc_auth_login contributed by carstein <carstein.sec[at]gmail.com>
+#
+##
+
+require 'rex/socket'
+require 'rex/proto/rfb'
+
+sd = Rex::Socket::Tcp.create('PeerHost' => ENV["VNCHOST"], 'PeerPort' => Rex::Proto::RFB::DefaultPort)
+
+v = Rex::Proto::RFB::Client.new(sd)
+if not v.connect('password')
+	$stderr.puts v.error
+	exit(1)
+end
+
+loop {
+	sret = select([sd],nil,nil,10)
+	puts sret.inspect
+	if sret and sret[0].include? sd
+		buf = sd.sysread(8192)
+		puts "read #{buf.length} bytes: #{buf.inspect}"
+	end
+}

data/lib/rex/proto/rfb/cipher.rb

@@ -0,0 +1,78 @@
+##
+# $Id: $
+##
+
+##
+#
+# RFB protocol support
+#
+# by Joshua J. Drake <jduck>
+#
+# Based on:
+# vnc_auth_none contributed by Matteo Cantoni <goony[at]nothink.org>
+# vnc_auth_login contributed by carstein <carstein.sec[at]gmail.com>
+#
+##
+
+# Required for VNC authentication
+require 'openssl'
+
+module Rex
+module Proto
+module RFB
+
+##
+# A bit of information about the DES algorithm was found here:
+# http://www.vidarholen.net/contents/junk/vnc.html
+#
+# In addition, VNC uses two individual 8 byte block encryptions rather than
+# using any block mode (like cbc, ecb, etc).
+##
+
+class Cipher
+	
+	def self.mangle_password(password)
+		key = ''
+		key = password.dup if password
+		key.slice!(8,key.length) if key.length > 8
+		key << "\x00" * (8 - key.length) if key.length < 8
+
+		# We have to mangle the key so the LSB are kept vs the MSB
+		[key.unpack('B*').first.scan(/.{8}/).map! { |e| e.reverse }.join].pack('B*')
+	end
+
+	def self.encrypt(plain, password)
+		key = self.mangle_password(password)
+
+		# VNC auth does two 8-byte blocks individually instead supporting some block mode
+		cipher = ''
+		2.times { |x|
+			c = OpenSSL::Cipher::Cipher.new('des')
+			c.encrypt
+			c.key = key
+			cipher << c.update(plain[x*8, 8])
+		}
+
+		cipher
+	end
+
+	#
+	# NOTE: The default password is that of winvnc/etc which is used for
+	# encrypting the password(s) on disk/in registry.
+	#
+	def self.decrypt(cipher, password = "\x17\x52\x6b\x06\x23\x4e\x58\x07")
+		key = self.mangle_password(password)
+
+		# NOTE: This only does one 8 byte block
+		plain = ''
+		c = OpenSSL::Cipher::Cipher.new('des')
+		c.decrypt
+		c.key = key
+		c.update(cipher)
+	end
+
+end
+
+end
+end
+end

data/lib/rex/proto/rfb/client.rb

@@ -0,0 +1,207 @@
+##
+# $Id: $
+##
+
+##
+#
+# RFB protocol support
+#
+# by Joshua J. Drake <jduck>
+#
+# Based on:
+# vnc_auth_none contributed by Matteo Cantoni <goony[at]nothink.org>
+# vnc_auth_login contributed by carstein <carstein.sec[at]gmail.com>
+#
+# TODO: determine how to detect a view-only session.
+##
+
+module Rex
+module Proto
+module RFB
+
+class Client
+
+	def initialize(sock, opts = {})
+		@sock = sock
+		@opts = opts
+
+		@banner = nil
+		@majver = MajorVersion
+		@minver = -1
+		@auth_types = []
+	end
+
+	def read_error_message
+		len = @sock.get_once(4)
+		return 'Unknown error' if not len or len.length != 4
+
+		len = len.unpack("N").first
+		@sock.get_once(len)
+	end
+
+	def handshake
+		@banner = @sock.get_once(12)
+		if not @banner
+			@error = "Unable to obtain banner from server"
+			return false
+		end
+
+		# RFB Protocol Version 3.3 (1998-01)
+		# RFB Protocol Version 3.7 (2003-08)
+		# RFB Protocol Version 3.8 (2007-06)
+
+		if @banner =~ /RFB ([0-9]{3})\.([0-9]{3})/
+			maj = $1.to_i
+			if maj != MajorVersion
+				@error = "Invalid major version number: #{maj}"
+				return false
+			end
+		else
+			@error = "Invalid RFB banner: #{@banner}"
+			return false
+		end
+
+		@minver = $2.to_i
+
+		our_ver = "RFB %03d.%03d\n" % [MajorVersion, @minver]
+		@sock.put(our_ver)
+
+		true
+	end
+
+	def connect(password = nil)
+		return false if not handshake
+		return false if not authenticate(password)
+		return false if not send_client_init
+		true
+	end
+
+	def send_client_init
+		if @opts[:exclusive]
+			@sock.put("\x00") # do share.
+		else
+			@sock.put("\x01") # do share.
+		end
+	end
+
+	def authenticate(password = nil)
+		type = negotiate_authentication
+		return false if not type
+
+		# Authenticate.
+		case type
+		when AuthType::None
+			# Nothing here.
+
+		when AuthType::VNC
+			return false if not negotiate_vnc_auth(password)
+
+		end
+
+		# Handle reading the security result message
+		result = @sock.get_once(4)
+		if not result
+			@error = "Unable to read auth result"
+			return false
+		end
+
+		result = result.unpack('N').first
+		case result
+		when 0
+			return true
+
+		when 1
+			if @minver >= 8
+				msg = read_error_message
+				@error = "Authentication failed: #{msg}"
+			else
+				@error = "Authentication failed"
+			end
+		when 2
+			@error = "Too many authentication attempts"
+		else
+			@error = "Unknown authentication result: #{result}"
+		end
+
+		false
+	end
+
+	def negotiate_authentication
+		# Authentication type negotiation is protocol version specific.
+		if @minver < 7
+			buf = @sock.get_once(4)
+			if not buf
+				@error = "Unable to obtain requested authentication method"
+				return nil
+			end
+			@auth_types = buf.unpack('N')
+			if not @auth_types or @auth_types.first == 0
+				msg = read_error_message
+				@error = "No authentication types available: #{msg}"
+				return nil
+			end
+		else
+			buf = @sock.get_once(1)
+			if not buf
+				@error = "Unable to obtain supported authentication method count"
+				return nil
+			end
+
+			# first byte is number of security types
+			num_types = buf.unpack("C").first
+			if (num_types == 0)
+				msg = read_error_message
+				@error = "No authentication types available: #{msg}"
+				return nil
+			end
+
+			buf = @sock.get_once(num_types)
+			if not buf or buf.length != num_types
+				@error = "Unable to read authentication types"
+				return nil
+			end
+
+			@auth_types = buf.unpack("C*")
+		end
+
+		if not @auth_types or @auth_types.length < 1
+			@error = "No authentication types found"
+			return nil
+		end
+
+		# Select the one we prefer
+		selected = nil
+		selected ||= AuthType::None if @opts[:allow_none] and @auth_types.include? AuthType::None
+		selected ||= AuthType::VNC if @auth_types.include? AuthType::VNC
+
+		if not selected
+			@error = "No supported authentication method found."
+			return nil
+		end
+
+		# For 3.7 and later, clients must state which security-type to use
+		@sock.put([selected].pack('C')) if @minver >= 7
+
+		selected
+	end
+
+	def negotiate_vnc_auth(password = nil)
+		challenge = @sock.get_once(16)
+		if not challenge or challenge.length != 16
+			@error = "Unable to obtain VNC challenge"
+			return false
+		end
+
+		response = Cipher.encrypt(challenge, password)
+		@sock.put(response)
+
+		true
+	end
+
+	attr_reader :error, :majver, :minver, :auth_types
+	attr_reader :view_only
+end
+
+end
+end
+end

data/lib/rex/proto/rfb/constants.rb

@@ -0,0 +1,52 @@
+##
+# $Id: $
+##
+
+##
+#
+# RFB protocol support
+#
+# by Joshua J. Drake <jduck>
+#
+# Based on:
+# vnc_auth_none contributed by Matteo Cantoni <goony[at]nothink.org>
+# vnc_auth_login contributed by carstein <carstein.sec[at]gmail.com>
+#
+##
+
+module Rex
+module Proto
+module RFB
+
+DefaultPort = 5900
+
+# Version information
+MajorVersion = 3
+# NOTE: We will emulate whatever minor version the server reports.
+
+# Security types
+class AuthType
+	Invalid = 0
+	None = 1
+	VNC = 2
+	RA2 = 5
+	RA2ne = 6
+	Tight = 16
+	Ultra = 17
+	TLS = 18
+	VeNCrypt = 19
+	GtkVncSasl = 20
+	MD5Hash = 21
+	ColinDeanXVP = 22
+
+	def self.to_s(num)
+		self.constants.each { |c|
+			return c.to_s if self.const_get(c) == num
+		}
+		'Unknown'
+	end
+end
+
+end
+end
+end

data/lib/rex/proto/tftp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 10163 2010-08-27 04:44:02Z jduck $
+# $Id: server.rb 11454 2010-12-30 16:37:58Z hdm $
 require 'rex/socket'
 require 'rex/proto/tftp'
 
@@ -51,7 +51,7 @@ class Server
 			'Context'   => context
 			)
 
-		self.thread = Thread.new {
+		self.thread = Rex::ThreadFactory.spawn("TFTPServerMonitor", false) {
 			monitor_socket
 		}
 	end
@@ -64,10 +64,10 @@ class Server
 		@shutting_down = true
 
 		# Wait a maximum of 30 seconds for all transfers to finish.
-		start = Time.now
+		start = ::Time.now
 		while (self.transfers.length > 0)
 			::IO.select(nil, nil, nil, 0.5)
-			dur = Time.now - start
+			dur = ::Time.now - start
 			break if (dur > 30)
 		end
 
@@ -93,7 +93,7 @@ class Server
 	# Register an entire directory to serve files from
 	#
 	def set_tftproot(rootdir)
-		@tftproot = rootdir if File.directory?(rootdir)
+		@tftproot = rootdir if ::File.directory?(rootdir)
 	end
 
 
@@ -101,7 +101,7 @@ class Server
 	# Register a directory to write uploaded files to
 	#
 	def set_output_dir(outdir)
-		@output_dir = outdir if File.directory?(outdir)
+		@output_dir = outdir if ::File.directory?(outdir)
 	end
 
 
@@ -153,15 +153,15 @@ class Server
 	# entry to the files hash.
 	#
 	def find_file_in_root(fname)
-		fn = File.expand_path(File.join(@tftproot, fname))
+		fn = ::File.expand_path(::File.join(@tftproot, fname))
 
 		# Don't allow directory traversal
 		return nil if fn.index(@tftproot) != 0
 
-		return nil if not File.file?(fn) or not File.readable?(fn)
+		return nil if not ::File.file?(fn) or not ::File.readable?(fn)
 
 		# Read the file contents, and register it as being served once
-		data = data = File.open(fn, "rb") { |fd| fd.read(fd.stat.size) }
+		data = data = ::File.open(fn, "rb") { |fd| fd.read(fd.stat.size) }
 		register_file(fname, data, true)
 
 		# Return the last file in the array
@@ -172,7 +172,8 @@ class Server
 	attr_accessor :listen_host, :listen_port, :context
 	attr_accessor :sock, :files, :transfers, :uploaded
 	attr_accessor :thread
-
+	
+	attr_accessor :incoming_file_hook
 
 protected
 
@@ -185,14 +186,16 @@ protected
 		nil
 	end
 
-
 	def save_output(tr)
 		self.uploaded << tr[:file]
+		
+		return incoming_file_hook.call(tr) if incoming_file_hook
+		
 		if @output_dir
 			fn = tr[:file][:name].split(File::SEPARATOR)[-1]
 			if fn
-				fn = File.join(@output_dir, fn)
-				File.open(fn, "wb") { |fd|
+				fn = ::File.join(@output_dir, fn)
+				::File.open(fn, "wb") { |fd|
 					fd.write(tr[:file][:data])
 				}
 			end
@@ -201,7 +204,7 @@ protected
 
 
 	def check_retransmission(tr)
-		elapsed = Time.now - tr[:last_sent]
+		elapsed = ::Time.now - tr[:last_sent]
 		if (elapsed >= tr[:timeout])
 			# max retries reached?
 			if (tr[:retries] < 3)
@@ -262,7 +265,7 @@ protected
 							pkt << chunk
 
 							send_packet(tr[:from], pkt)
-							tr[:last_sent] = Time.now
+							tr[:last_sent] = ::Time.now
 
 							# If the file is a one-serve, mark it as started
 							tr[:file][:started] = true if (tr[:file][:once])
@@ -282,7 +285,7 @@ protected
 						pkt = [OpAck, tr[:block]].pack('nn')
 
 						send_packet(tr[:from], pkt)
-						tr[:last_sent] = Time.now
+						tr[:last_sent] = ::Time.now
 
 						# If we had a 0-511 byte chunk, we're done.
 						if (tr[:last_size] and tr[:last_size] < tr[:blksize])
@@ -355,7 +358,7 @@ protected
 
 			#puts "%s %s %s" % [start, fn, mode]
 
-			if (not @shutting_down) and (@output_dir)
+			if not @shutting_down
 				transfer = {
 					:type => OpWrite,
 					:from => from,