librex 0.0.6 → 0.0.7

data/lib/rex/post/meterpreter/packet.rb

@@ -140,6 +140,8 @@ class Tlv
 			else; 'unknown-meta-type'
 			end
 		stype = case type
+			when PACKET_TYPE_REQUEST; "Request"
+			when PACKET_TYPE_RESPONSE; "Response"
 			when TLV_TYPE_REQUEST_ID; "REQUEST-ID"
 			when TLV_TYPE_METHOD; "METHOD"
 			when TLV_TYPE_RESULT; "RESULT"
@@ -182,7 +184,7 @@ class Tlv
 		if val.length > 50
 			val = val[0,50] + ' ..."'
 		end
-		"#<#{self.class} type=#{stype} meta-type=#{meta} #{self.class.to_s =~ /Packet/ ? "tlvs=#{@tlvs.inspect}" : "value=#{val}"} >"
+		"#<#{self.class} type=#{stype} #{self.class.to_s =~ /Packet/ ? "tlvs=#{@tlvs.inspect}" : "meta=#{meta} value=#{val}"} >"
 	end
 
 	##

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -26,6 +26,21 @@ class Console::CommandDispatcher::Core
 		self.extensions = []
 		self.bgjobs     = []
 		self.bgjob_id   = 0
+
+		@msf_loaded = nil
+	end
+
+	def msf_loaded?
+		return @msf_loaded unless @msf_loaded.nil?
+		# if we get here we must not have initialized yet
+
+		if client.framework
+			# We have a framework instance so the msf libraries should be
+			# available.  Load up the ones we're going to use
+			require 'msf/base/serializer/readable_text'
+		end
+		@msf_loaded = !!(client.framework)
+		@msf_loaded
 	end
 
 	@@use_opts = Rex::Parser::Arguments.new(
@@ -36,7 +51,7 @@ class Console::CommandDispatcher::Core
 	# List of supported commands.
 	#
 	def commands
-		{
+		c = {
 			"?"          => "Help menu",
 			"background" => "Backgrounds the current session",
 			"close"      => "Closes a channel",
@@ -49,12 +64,17 @@ class Console::CommandDispatcher::Core
 			"use"        => "Load a one or more meterpreter extensions",
 			"quit"       => "Terminate the meterpreter session",
 			"read"       => "Reads data from a channel",
-			"run"        => "Executes a meterpreter script",
+			"run"        => "Executes a meterpreter script or Post module",
 			"bgrun"      => "Executes a meterpreter script as a background thread",
 			"bgkill"     => "Kills a background meterpreter script",
 			"bglist"     => "Lists running background scripts",
 			"write"      => "Writes data to a channel",
 		}
+		if (msf_loaded?)
+			c["info"] = "Displays information about a Post module"
+		end
+
+		c
 	end
 
 	#
@@ -159,15 +179,6 @@ class Console::CommandDispatcher::Core
 
 	alias cmd_quit cmd_exit
 
-	#
-	# Displays the help menu.
-	#
-	def cmd_help(*args)
-		print(shell.help_to_s)
-	end
-
-	alias cmd_? cmd_help
-
 	#
 	# Interacts with a channel.
 	#
@@ -331,21 +342,48 @@ class Console::CommandDispatcher::Core
 		return true
 	end
 
+	def cmd_run_help
+		print_line "Usage: run <script> [arguments]"
+		print_line 
+		print_line "Executes a ruby script or Metasploit Post module in the context of the"
+		print_line "meterpreter session.  Post modules can take arguments in var=val format."
+		print_line "Example: run post/foo/bar BAZ=abcd"
+		print_line 
+	end
+
 	#
 	# Executes a script in the context of the meterpreter session.
 	#
 	def cmd_run(*args)
 		if args.length == 0
-			print_line(
-				"Usage: run <script> [arguments]\n\n" +
-				"Executes a ruby script in the context of the meterpreter session.")
+			cmd_run_help
 			return true
 		end
 
 		# Get the script name
 		begin
-			# the rest of the arguments get passed in through the binding
-			client.execute_script(args.shift, args)
+			script_name = args.shift
+			# First try it as a Post module if we have access to the Metasploit
+			# Framework instance.  If we don't, or if no such module exists,
+			# fall back to using the scripting interface.
+			if (msf_loaded? and mod = client.framework.modules.create(script_name))
+				omod = mod
+				mod = client.framework.modules.reload_module(mod)
+				if (not mod)
+					print_error("Failed to reload module: #{client.framework.modules.failed[omod.file_path]}")
+					return
+				end
+				opts = (args + [ "SESSION=#{client.sid}" ]).join(',')
+				mod.run_simple(
+					#'RunAsJob' => true,
+					'LocalInput'  => shell.input,
+					'LocalOutput' => shell.output,
+					'OptionStr'   => opts
+				)
+			else
+				# the rest of the arguments get passed in through the binding
+				client.execute_script(script_name, args)
+			end
 		rescue
 			print_error("Error in script: #{$!.class} #{$!}")
 			elog("Error in script: #{$!.class} #{$!}")
@@ -357,9 +395,12 @@ class Console::CommandDispatcher::Core
 		tabs = []
 		if(not words[1] or not words[1].match(/^\//))
 			begin
+				if (msf_loaded?)
+					tabs += tab_complete_postmods
+				end
 				[
-					::Msf::Sessions::Meterpreter::ScriptBase,
-					::Msf::Sessions::Meterpreter::UserScriptBase 
+					::Msf::Sessions::Meterpreter.script_base,
+					::Msf::Sessions::Meterpreter.user_script_base
 				].each do |dir|
 					next if not ::File.exist? dir
 					tabs += ::Dir.new(dir).find_all { |e|
@@ -370,7 +411,7 @@ class Console::CommandDispatcher::Core
 			rescue Exception
 			end
 		end
-		return tabs.map { |e| e.sub!(/\.rb$/, '') }
+		return tabs.map { |e| e.sub(/\.rb$/, '') }
 	end
 
 
@@ -445,6 +486,36 @@ class Console::CommandDispatcher::Core
 		end
 	end
 
+	#
+	# Show info for a given Post module.  
+	#
+	# See also +cmd_info+ in lib/msf/ui/console/command_dispatcher/core.rb
+	#
+	def cmd_info(*args)
+		return unless msf_loaded?
+
+		if args.length != 1
+			print_error 'Usage: info <module>'
+			return
+		end
+		
+		module_name = args.shift
+		mod = client.framework.modules.create(module_name);
+		
+		if mod.nil?
+			print_error 'Invalid module: ' << module_name
+		end
+
+		if (mod)
+			print_line ::Msf::Serializer::ReadableText.dump_module(mod)
+		end
+	end
+
+	def cmd_info_tabs(*args)
+		return unless msf_loaded?
+		tab_complete_postmods
+	end
+
 	#
 	# Writes data to a channel.
 	#
@@ -527,27 +598,13 @@ class Console::CommandDispatcher::Core
 		return true
 	end
 
-	#
-	# Provide command-specific tab completion
-	# Stolen directly from msf/ui/console/command_dispatcher/core.rb
-	# perhaps this should be moved into rex/ui/text/dispatcher_shell.rb ?
-	#
-	def tab_complete_helper(str, words)
-		items = []
-
-		# Is the user trying to tab complete one of our commands?
-		if (commands.include?(words[0]))
-			if (self.respond_to?('cmd_'+words[0]+'_tabs'))
-				res = self.send('cmd_'+words[0]+'_tabs', str, words)
-				return nil if res.nil?
-				items.concat(res)
-			else
-				# Avoid the default completion list for known commands
-				return nil
-			end
-		end
+	@@client_extension_search_paths = [ ::File.join(Rex::Root, "post", "meterpreter", "ui", "console", "command_dispatcher") ]
 
-		return items
+	def self.add_client_extension_search_path(path)
+		@@client_extension_search_paths << path unless @@client_extension_search_paths.include?(path)
+	end
+	def self.client_extension_search_paths
+		@@client_extension_search_paths
 	end
 
 protected
@@ -561,29 +618,40 @@ protected
 	# Loads the client extension specified in mod
 	#
 	def add_extension_client(mod)
-		path = "post/meterpreter/ui/console/command_dispatcher/#{mod}.rb"
-
-		if ((klass = CommDispatcher.check_hash(path)) == nil)
-			clirb = File.join(Rex::Root, path)
-			old   = CommDispatcher.constants
-
-			if (require(clirb))
-				new  = CommDispatcher.constants
-				diff = new - old
-
-				if (diff.empty? == true)
-					print_error("Failed to load client portion of #{mod}.")
+		loaded = false
+		klass = nil
+		self.class.client_extension_search_paths.each do |path|
+			path = ::File.join(path, "#{mod}.rb")
+			klass = CommDispatcher.check_hash(path)
+			if (klass == nil)
+				old   = CommDispatcher.constants
+				next unless ::File.exist? path
+
+				if (require(path))
+					new  = CommDispatcher.constants
+					diff = new - old
+
+					next if (diff.empty?)
+
+					klass = CommDispatcher.const_get(diff[0])
+
+					CommDispatcher.set_hash(path, klass)
+					loaded = true
+					break
+				else
+					print_error("Failed to load client script file: #{path}")
 					return false
 				end
-
-				klass = CommDispatcher.const_get(diff[0])
-
-				CommDispatcher.set_hash(path, klass)
 			else
-				print_error("Failed to load client script file: #{clirb}")
-				return false
+				# the klass is already loaded, from a previous invocation
+				loaded = true
+				break
 			end
 		end
+		unless loaded
+			print_error("Failed to load client portion of #{mod}.")
+			return false
+		end
 
 		# Enstack the dispatcher
 		self.shell.enstack_dispatcher(klass)
@@ -591,6 +659,24 @@ protected
 		# Insert the module into the list of extensions
 		self.extensions << mod
 	end
+
+	def tab_complete_postmods
+		# XXX This might get slow with a large number of post
+		# modules.  The proper solution is probably to implement a
+		# Module::Post#session_compatible?(session_object_or_int) method
+		tabs = client.framework.modules.post.map { |name,klass|
+			mod = klass.new
+			if mod.compatible_sessions.include?(client.sid)
+				mod.fullname.dup
+			else
+				nil
+			end
+		}
+
+		# nils confuse readline
+		tabs.compact
+	end
+
 end
 
 end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -428,6 +428,12 @@ class Console::CommandDispatcher::Stdapi::Fs
 		return true
 	end
 
+	def cmd_upload_tabs(str, words)
+		return [] if words.length > 1
+
+		tab_complete_filenames(str, words)
+	end
+
 end
 
 end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb

@@ -185,9 +185,7 @@ class Console::CommandDispatcher::Stdapi::Net
 		@@portfwd_opts.parse(args) { |opt, idx, val|
 			case opt
 				when "-h"
-					print(
-						"Usage: portfwd [-h] [add / delete / list] [args]\n\n" +
-						@@portfwd_opts.usage)
+					cmd_portfwd_help
 					return true
 				when "-l"
 					lport = val.to_i
@@ -265,9 +263,17 @@ class Console::CommandDispatcher::Stdapi::Net
 					print_error("Failed to stop TCP relay on #{lhost || '0.0.0.0'}:#{lport}")
 				end
 
+			else
+				cmd_portfwd_help
 		end
 	end
 
+	def cmd_portfwd_help
+		print_line "Usage: portfwd [-h] [add / delete / list] [args]"
+		print_line
+		print @@portfwd_opts.usage
+	end
+
 protected
 
 	#

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -457,11 +457,13 @@ class Console::CommandDispatcher::Stdapi::Sys
 	#
 	def cmd_sysinfo(*args)
 		info = client.sys.config.sysinfo
+		width = 0
+		info.keys.each { |k| width = k.length if k.length > width }
 
-		print_line("Computer: " + info['Computer'])
-		print_line("OS      : " + info['OS'])
-		print_line("Arch    : " + info['Architecture']) if info['Architecture']
-		print_line("Language: " + info['System Language']) if info['System Language']
+		info.each_pair do |key, value|
+			print_line("#{key.ljust(width+1)}: #{value}") if value
+		end
+		print_line("#{"Meterpreter".ljust(width+1)}: #{client.platform}")
 
 		return true
 	end

data/lib/rex/proto.rb

@@ -1,5 +1,6 @@
 require 'rex/proto/http'
 require 'rex/proto/smb'
+require 'rex/proto/ntlm'
 require 'rex/proto/dcerpc'
 require 'rex/proto/drda'
 

data/lib/rex/proto/dhcp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 11003 2010-11-12 06:19:49Z hdm $
+# $Id: server.rb 11745 2011-02-12 22:25:02Z jduck $
 
 require 'rex/socket'
 require 'rex/proto/dhcp'
@@ -212,8 +212,10 @@ protected
 
 		# options parsing loop
 		spot = 240
-		while (spot < buf.length - 3 && buf[spot] != 0xff)
+		while (spot < buf.length - 3)
 			optionType = buf[spot,1].unpack("C").first
+			break if optionType == 0xff
+
 			optionLen = buf[spot + 1,1].unpack("C").first
 			optionValue = buf[(spot + 2)..(spot + optionLen + 1)]
 			spot = spot + optionLen + 2

data/lib/rex/proto/http/packet.rb

@@ -166,9 +166,8 @@ class Packet
 	# Converts the packet to a string.
 	#
 	def to_s
-		# Duplicate and make sure this is 8BIT safe for Ruby 1.9
-		content = self.body.unpack("C*").pack("C*")
-		
+		content = self.body.dup
+
 		# Update the content length field in the header with the body length.
 		if (content)
 			if !self.compress.nil?
@@ -267,7 +266,7 @@ protected
 	def parse_header
 
 		head,data = self.bufq.split(/\r?\n\r?\n/, 2)
-		
+
 		return if not data
 
 		self.headers.from_s(head)
@@ -339,7 +338,7 @@ protected
 
 			# If we didn't get a newline, then this might not be the full
 			# length, go back and get more.
-			# e.g. 
+			# e.g.
 			#  first packet: "200"
 			#  second packet: "0\r\n\r\n<html>..."
 			if not bufq.index("\n")
@@ -350,7 +349,7 @@ protected
 			clen = self.bufq.slice!(/^[a-fA-F0-9]+\r?\n/)
 
 			clen.rstrip! if (clen)
-			
+
 			# if we happen to fall upon the end of the buffer for the next chunk len and have no data left, go get some more...
 			if clen.nil? and self.bufq.length == 0
 				return

data/lib/rex/proto/ntlm.rb

@@ -0,0 +1,7 @@
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/exceptions'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/utils'
+require 'rex/proto/ntlm/base'
+require 'rex/proto/ntlm/message'
+

data/lib/rex/proto/ntlm.rb.ut.rb

@@ -0,0 +1,177 @@
+#!/usr/bin/env ruby
+require 'test/unit'
+require 'rex/proto/ntlm'
+require 'rex/socket'
+
+class ConnectionTest < Test::Unit::TestCase
+	def setup
+		@user = "admin"
+		@pass = "1234"
+		@domain = ""
+		@host = "192.168.145.161"
+	end
+
+	def test_socket_connectivity
+		assert_nothing_raised do
+			socket = Rex::Socket.create_tcp(
+				'PeerHost' => @host,
+				'PeerPort' => 80
+			)
+			assert_kind_of Socket, socket
+			assert !socket.closed?
+			socket.close
+			assert socket.closed?
+		end
+	end
+
+	def http_message(msg)
+		get_req = "GET / HTTP/1.1\r\n"
+		get_req += "Host: #{@host}\r\n"
+		get_req += "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
+		get_req += "Authorization: NTLM #{msg.encode64}\r\n"
+		get_req += "Content-type: application/x-www-form-urlencoded\r\n"
+		get_req += "Content-Length: 0\r\n"
+		get_req += "\r\n"
+	end
+
+	def client_auth(pw)
+		msg_1 = Rex::Proto::NTLM::Message::Type1.new
+		get_req = http_message(msg_1)
+		socket = Rex::Socket.create_tcp(
+			'PeerHost' => @host,
+			'PeerPort' => 80
+		)
+		socket.put get_req
+		res = socket.get(3)
+		assert res =~ /WWW-Authenticate: NTLM TlRM/
+			res_ntlm = res.match(/WWW-Authenticate: NTLM ([A-Z0-9\x2b\x2f=]+)/i)[1]
+		assert_operator res_ntlm.size, :>=, 24
+		msg_2 = Rex::Proto::NTLM::Message.decode64(res_ntlm)
+		assert msg_2
+		msg_3 = msg_2.response({:user => @user, :password => pw}, {:ntlmv2 => true})
+		assert msg_3
+		auth_req = http_message(msg_3)
+		socket.put auth_req
+		auth_res = socket.get(3)
+		socket.close
+		return auth_res
+	end
+
+	def test_client_auth_success
+		assert_equal client_auth(@pass)[0,12], "HTTP/1.1 200"
+	end
+
+	def test_client_auth_fail
+		assert_not_equal client_auth("badpass")[0,12], "HTTP/1.1 200"
+		assert_equal client_auth("badpass")[0,12], "HTTP/1.1 401"
+	end
+end
+
+# FunctionTest by Minero Aoki
+
+class FunctionTest < Test::Unit::TestCase #:nodoc:
+	def setup
+		@passwd = "SecREt01"
+		@user   = "user"
+		@domain = "domain"
+		@challenge = ["0123456789abcdef"].pack("H*")
+		@client_ch = ["ffffff0011223344"].pack("H*")
+		@timestamp = 1055844000
+		@trgt_info = [
+			"02000c0044004f004d00410049004e00" +
+			"01000c00530045005200560045005200" +
+			"0400140064006f006d00610069006e00" +
+			"2e0063006f006d000300220073006500" +
+			"72007600650072002e0064006f006d00" +
+			"610069006e002e0063006f006d000000" +
+			"0000"
+		].pack("H*")
+	end
+
+	def test_lm_hash
+		ahash = ["ff3750bcc2b22412c2265b23734e0dac"].pack("H*")
+		assert_equal ahash, Rex::Proto::NTLM::Crypt::lm_hash(@passwd)
+	end
+
+	def test_ntlm_hash
+		ahash = ["cd06ca7c7e10c99b1d33b7485a2ed808"].pack("H*")
+		assert_equal ahash, Rex::Proto::NTLM::Crypt::ntlm_hash(@passwd)
+	end
+
+	def test_ntlmv2_hash
+		ahash = ["04b8e0ba74289cc540826bab1dee63ae"].pack("H*")
+		assert_equal ahash, Rex::Proto::NTLM::Crypt::ntlmv2_hash(@user, @passwd, @domain)
+	end
+
+	def test_lm_response
+		ares = ["c337cd5cbd44fc9782a667af6d427c6de67c20c2d3e77c56"].pack("H*")
+		assert_equal ares, Rex::Proto::NTLM::Crypt::lm_response(
+			{
+			:lm_hash => Rex::Proto::NTLM::Crypt::lm_hash(@passwd),
+			:challenge => @challenge
+		}
+		)
+	end
+
+	def test_ntlm_response
+		ares = ["25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6"].pack("H*")
+		ntlm_hash = Rex::Proto::NTLM::Crypt::ntlm_hash(@passwd)
+		assert_equal ares, Rex::Proto::NTLM::Crypt::ntlm_response(
+			{
+			:ntlm_hash => ntlm_hash,
+			:challenge => @challenge
+		}
+		)
+	end
+
+	def test_lmv2_response
+		ares = ["d6e6152ea25d03b7c6ba6629c2d6aaf0ffffff0011223344"].pack("H*")
+		assert_equal ares, Rex::Proto::NTLM::Crypt::lmv2_response(
+			{
+			:ntlmv2_hash => Rex::Proto::NTLM::Crypt::ntlmv2_hash(@user, @passwd, @domain),
+			:challenge => @challenge
+		},
+			{ :client_challenge => @client_ch }
+		)
+	end
+
+	def test_ntlmv2_response
+		ares = [
+			"cbabbca713eb795d04c97abc01ee4983" +
+			"01010000000000000090d336b734c301" +
+			"ffffff00112233440000000002000c00" +
+			"44004f004d00410049004e0001000c00" +
+			"53004500520056004500520004001400" +
+			"64006f006d00610069006e002e006300" +
+			"6f006d00030022007300650072007600" +
+			"650072002e0064006f006d0061006900" +
+			"6e002e0063006f006d00000000000000" +
+			"0000"
+		].pack("H*")
+		assert_equal ares, Rex::Proto::NTLM::Crypt::ntlmv2_response(
+			{
+			:ntlmv2_hash => Rex::Proto::NTLM::Crypt::ntlmv2_hash(@user, @passwd, @domain),
+			:challenge => @challenge,
+			:target_info => @trgt_info
+		},
+			{
+			:timestamp => @timestamp,
+			:client_challenge => @client_ch
+		}
+		)
+	end
+
+	def test_ntlm2_session
+		acha = ["ffffff001122334400000000000000000000000000000000"].pack("H*")
+		ares = ["10d550832d12b2ccb79d5ad1f4eed3df82aca4c3681dd455"].pack("H*")
+		session = Rex::Proto::NTLM::Crypt::ntlm2_session(
+			{
+			:ntlm_hash => Rex::Proto::NTLM::Crypt::ntlm_hash(@passwd),
+			:challenge => @challenge
+		},
+			{ :client_challenge => @client_ch }
+		)
+		assert_equal acha, session[0]
+		assert_equal ares, session[1]
+	end
+end