librex 0.0.68 → 0.0.70

data/lib/rex/registry/nodekey.rb

@@ -7,46 +7,46 @@ module Registry
 
 class NodeKey
 
-	attr_accessor :timestamp, :parent_offset, :subkeys_count, :lf_record_offset
-	attr_accessor :value_count, :value_list_offset, :security_key_offset
-	attr_accessor :class_name_offset, :name_length, :class_name_length, :full_path
-	attr_accessor :name, :lf_record, :value_list, :class_name_data, :readable_timestamp
+  attr_accessor :timestamp, :parent_offset, :subkeys_count, :lf_record_offset
+  attr_accessor :value_count, :value_list_offset, :security_key_offset
+  attr_accessor :class_name_offset, :name_length, :class_name_length, :full_path
+  attr_accessor :name, :lf_record, :value_list, :class_name_data, :readable_timestamp
 
-	def initialize(hive, offset)
+  def initialize(hive, offset)
 
-		offset = offset + 0x04
+    offset = offset + 0x04
 
-		nk_header = hive[offset, 2]
-		nk_type = hive[offset+0x02, 2]
+    nk_header = hive[offset, 2]
+    nk_type = hive[offset+0x02, 2]
 
-		if nk_header !~ /nk/
-			return
-		end
+    if nk_header !~ /nk/
+      return
+    end
 
-		@timestamp = hive[offset+0x04, 8].unpack('q').first
-		@parent_offset = hive[offset+0x10, 4].unpack('l').first
-		@subkeys_count = hive[offset+0x14, 4].unpack('l').first
-		@lf_record_offset = hive[offset+0x1c, 4].unpack('l').first
-		@value_count = hive[offset+0x24, 4].unpack('l').first
-		@value_list_offset = hive[offset+0x28, 4].unpack('l').first
-		@security_key_offset = hive[offset+0x2c, 4].unpack('l').first
-		@class_name_offset = hive[offset+0x30, 4].unpack('l').first
-		@name_length = hive[offset+0x48, 2].unpack('c').first
-		@class_name_length = hive[offset+0x4a, 2].unpack('c').first
-		@name = hive[offset+0x4c, @name_length].to_s
+    @timestamp = hive[offset+0x04, 8].unpack('q').first
+    @parent_offset = hive[offset+0x10, 4].unpack('l').first
+    @subkeys_count = hive[offset+0x14, 4].unpack('l').first
+    @lf_record_offset = hive[offset+0x1c, 4].unpack('l').first
+    @value_count = hive[offset+0x24, 4].unpack('l').first
+    @value_list_offset = hive[offset+0x28, 4].unpack('l').first
+    @security_key_offset = hive[offset+0x2c, 4].unpack('l').first
+    @class_name_offset = hive[offset+0x30, 4].unpack('l').first
+    @name_length = hive[offset+0x48, 2].unpack('c').first
+    @class_name_length = hive[offset+0x4a, 2].unpack('c').first
+    @name = hive[offset+0x4c, @name_length].to_s
 
-		windows_time = @timestamp
-		unix_time = windows_time/10000000-11644473600
-		ruby_time = Time.at(unix_time)
+    windows_time = @timestamp
+    unix_time = windows_time/10000000-11644473600
+    ruby_time = Time.at(unix_time)
 
-		@readable_timestamp = ruby_time
+    @readable_timestamp = ruby_time
 
-		@lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1
-		@value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1
+    @lf_record = LFBlock.new(hive, @lf_record_offset + 0x1000) if @lf_record_offset != -1
+    @value_list = ValueList.new(hive, @value_list_offset + 0x1000, @value_count) if @value_list_offset != -1
 
-		@class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]
+    @class_name_data = hive[@class_name_offset + 0x04 + 0x1000, @class_name_length]
 
-	end
+  end
 
 end
 

data/lib/rex/registry/regf.rb

@@ -4,21 +4,21 @@ module Registry
 
 class RegfBlock
 
-	attr_accessor :timestamp, :root_key_offset
+  attr_accessor :timestamp, :root_key_offset
 
-	def initialize(hive)
+  def initialize(hive)
 
-		regf_header = hive[0x00, 4]
+    regf_header = hive[0x00, 4]
 
-		if regf_header !~ /regf/
-			puts "Not a registry hive"
-			return
-		end
+    if regf_header !~ /regf/
+      puts "Not a registry hive"
+      return
+    end
 
-		@timestamp = hive[0x0C, 8].unpack('q').first
-		@root_key_offset = 0x20
+    @timestamp = hive[0x0C, 8].unpack('q').first
+    @root_key_offset = 0x20
 
-	end
+  end
 end
 
 end

data/lib/rex/registry/valuekey.rb

@@ -4,63 +4,63 @@ module Registry
 
 class ValueKey
 
-	attr_accessor :name_length, :length_of_data, :data_offset, :full_path
-	attr_accessor :value_type, :readable_value_type, :name, :value
+  attr_accessor :name_length, :length_of_data, :data_offset, :full_path
+  attr_accessor :value_type, :readable_value_type, :name, :value
 
-	def initialize(hive, offset)
-		offset = offset + 4
+  def initialize(hive, offset)
+    offset = offset + 4
 
-		vk_header = hive[offset, 2]
+    vk_header = hive[offset, 2]
 
-		if vk_header !~ /vk/
-			puts "no vk at offset #{offset}"
-			return
-		end
+    if vk_header !~ /vk/
+      puts "no vk at offset #{offset}"
+      return
+    end
 
-		@name_length = hive[offset+0x02, 2].unpack('c').first
-		@length_of_data = hive[offset+0x04, 4].unpack('l').first
-		@data_offset = hive[offset+ 0x08, 4].unpack('l').first
-		@value_type = hive[offset+0x0C, 4].unpack('c').first
+    @name_length = hive[offset+0x02, 2].unpack('c').first
+    @length_of_data = hive[offset+0x04, 4].unpack('l').first
+    @data_offset = hive[offset+ 0x08, 4].unpack('l').first
+    @value_type = hive[offset+0x0C, 4].unpack('c').first
 
-		if @value_type == 1
-			@readable_value_type = "Unicode character string"
-		elsif @value_type == 2
-			@readable_value_type = "Unicode string with %VAR% expanding"
-		elsif @value_type == 3
-			@readable_value_type = "Raw binary value"
-		elsif @value_type == 4
-			@readable_value_type = "Dword"
-		elsif @value_type == 7
-			@readable_value_type = "Multiple unicode strings separated with '\\x00'"
-		end
+    if @value_type == 1
+      @readable_value_type = "Unicode character string"
+    elsif @value_type == 2
+      @readable_value_type = "Unicode string with %VAR% expanding"
+    elsif @value_type == 3
+      @readable_value_type = "Raw binary value"
+    elsif @value_type == 4
+      @readable_value_type = "Dword"
+    elsif @value_type == 7
+      @readable_value_type = "Multiple unicode strings separated with '\\x00'"
+    end
 
-		flag = hive[offset+0x10, 2].unpack('c').first
+    flag = hive[offset+0x10, 2].unpack('c').first
 
-		if flag == 0
-			@name = "Default"
-		else
-			@name = hive[offset+0x14, @name_length].to_s
-		end
+    if flag == 0
+      @name = "Default"
+    else
+      @name = hive[offset+0x14, @name_length].to_s
+    end
 
-		@value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
-	end
+    @value = ValueKeyData.new(hive, @data_offset, @length_of_data, @value_type, offset)
+  end
 end
 
 class ValueKeyData
 
-	attr_accessor :data
+  attr_accessor :data
 
-	def initialize(hive, offset, length, datatype, parent_offset)
-		offset = offset + 4
+  def initialize(hive, offset, length, datatype, parent_offset)
+    offset = offset + 4
 
-		#If the data-size is lower than 5, the data-offset value is used to store
-		#the data itself!
-		if length < 5
-			@data = hive[parent_offset + 0x08, 4]
-		else
-			@data = hive[offset + 0x1000, length]
-		end
-	end
+    #If the data-size is lower than 5, the data-offset value is used to store
+    #the data itself!
+    if length < 5
+      @data = hive[parent_offset + 0x08, 4]
+    else
+      @data = hive[offset + 0x1000, length]
+    end
+  end
 end
 
 end

data/lib/rex/registry/valuelist.rb

@@ -6,23 +6,23 @@ module Registry
 
 class ValueList
 
-	attr_accessor :values
+  attr_accessor :values
 
-	def initialize(hive, offset, number_of_values)
-		offset = offset + 4
-		inner_offset = 0
+  def initialize(hive, offset, number_of_values)
+    offset = offset + 4
+    inner_offset = 0
 
-		@values = []
+    @values = []
 
-		1.upto(number_of_values) do |v|
-			valuekey_offset = hive[offset + inner_offset, 4]
-			next if !valuekey_offset
+    1.upto(number_of_values) do |v|
+      valuekey_offset = hive[offset + inner_offset, 4]
+      next if !valuekey_offset
 
-			valuekey_offset = valuekey_offset.unpack('l').first
-			@values << ValueKey.new(hive, valuekey_offset + 0x1000)
-			inner_offset = inner_offset + 4
-		end
-	end
+      valuekey_offset = valuekey_offset.unpack('l').first
+      @values << ValueKey.new(hive, valuekey_offset + 0x1000)
+      inner_offset = inner_offset + 4
+    end
+  end
 end
 
 end

data/lib/rex/ropbuilder/rop.rb

@@ -9,262 +9,263 @@ module Rex
 module RopBuilder
 
 class RopBase
-	def initialize()
-		@stdio = Rex::Ui::Text::Output::Stdio.new
-		@gadgets = []
-	end
-
-	def to_csv(gadgets = [])
-		if gadgets.empty? and @gadgets.nil? or @gadgets.empty?
-			@stdio.print_error("No gadgets collected to convert to CSV format.")
-			return
-		end
-
-		# allow the users to import gadget collections from multiple files
-		if @gadgets.empty? or @gadgets.nil?
-			@gadgets = gadgets
-		end
-
-		table = Rex::Ui::Text::Table.new(
-		'Header'    => "#{@file} ROP Gadgets",
-		'Indent'    => 1,
-		'Columns'   =>
-		[
-			"Address",
-			"Raw",
-			"Disassembly",
-		])
-
-		@gadgets.each do |gadget|
-			table << [gadget[:address], gadget[:raw].unpack('H*')[0], gadget[:disasm].gsub(/\n/, ' | ')]
-		end
-
-		return table.to_csv
-	end
-
-	def import(file)
-		begin
-			data = File.new(file, 'r').read
-		rescue
-			@stdio.print_error("Error reading #{file}")
-			return []
-		end
-
-		if data.empty? or data.nil?
-			return []
-		end
-
-		data.gsub!(/\"/, '')
-		data.gsub!("Address,Raw,Disassembly\n", '')
-
-		@gadgets = []
-
-		data.each_line do |line|
-			addr, raw, disasm = line.split(',', 3)
-			if addr.nil? or raw.nil? or disasm.nil?
-				@stdio.print_error("Import file format corrupted")
-				return []
-			end
-			disasm.gsub!(/: /, ":\t")
-			disasm.gsub!(' | ', "\n")
-			raw = [raw].pack('H*')
-			@gadgets << {:file => file, :address => addr, :raw => raw, :disasm => disasm.chomp!}
-		end
-			@gadgets
-	end
-
-	def print_msg(msg, color=true)
-		if not @stdio
-			@stdio = Rex::Ui::Text::Output::Stdio.new
-		end
-
-		if color == true
-			@stdio.auto_color
-		else
-		    @stdio.disable_color
-		end
-		@stdio.print_raw(@stdio.substitute_colors(msg))
-	end
+  def initialize()
+    @stdio = Rex::Ui::Text::Output::Stdio.new
+    @gadgets = []
+  end
+
+  def to_csv(gadgets = [])
+    if gadgets.empty? and @gadgets.nil? or @gadgets.empty?
+      @stdio.print_error("No gadgets collected to convert to CSV format.")
+      return
+    end
+
+    # allow the users to import gadget collections from multiple files
+    if @gadgets.empty? or @gadgets.nil?
+      @gadgets = gadgets
+    end
+
+    table = Rex::Ui::Text::Table.new(
+    'Header'    => "#{@file} ROP Gadgets",
+    'Indent'    => 1,
+    'Columns'   =>
+    [
+      "Address",
+      "Raw",
+      "Disassembly",
+    ])
+
+    @gadgets.each do |gadget|
+      table << [gadget[:address], gadget[:raw].unpack('H*')[0], gadget[:disasm].gsub(/\n/, ' | ')]
+    end
+
+    return table.to_csv
+  end
+
+  def import(file)
+    begin
+      data = File.new(file, 'r').read
+    rescue
+      @stdio.print_error("Error reading #{file}")
+      return []
+    end
+
+    if data.empty? or data.nil?
+      return []
+    end
+
+    data.gsub!(/\"/, '')
+    data.gsub!("Address,Raw,Disassembly\n", '')
+
+    @gadgets = []
+
+    data.each_line do |line|
+      addr, raw, disasm = line.split(',', 3)
+      if addr.nil? or raw.nil? or disasm.nil?
+        @stdio.print_error("Import file format corrupted")
+        return []
+      end
+      disasm.gsub!(/: /, ":\t")
+      disasm.gsub!(' | ', "\n")
+      raw = [raw].pack('H*')
+      @gadgets << {:file => file, :address => addr, :raw => raw, :disasm => disasm.chomp!}
+    end
+      @gadgets
+  end
+
+  def print_msg(msg, color=true)
+    if not @stdio
+      @stdio = Rex::Ui::Text::Output::Stdio.new
+    end
+
+    if color == true
+      @stdio.auto_color
+    else
+        @stdio.disable_color
+    end
+    @stdio.print_raw(@stdio.substitute_colors(msg))
+  end
 end
 
 class RopCollect < RopBase
-	def initialize(file="")
-		@stdio = Rex::Ui::Text::Output::Stdio.new
-		@file = file if not file.empty?
-		@bin = Metasm::AutoExe.decode_file(file) if not file.empty?
-		@disassembler = @bin.disassembler if not @bin.nil?
-		if @disassembler
-			@disassembler.cpu = Metasm::Ia32.new('386_common')
-		end
-		super()
-	end
-
-	def collect(depth, pattern)
-		matches = []
-		gadgets = []
-
-		# find matches by scanning for the pattern
-		matches = @disassembler.pattern_scan(pattern)
-		if @bin.kind_of?(Metasm::PE)
-			@bin.sections.each do |section|
-				next if section.characteristics.include? 'MEM_EXECUTE'
-				# delete matches if the address is outside the virtual address space
-				matches.delete_if do |ea|
-					va = section.virtaddr + @bin.optheader.image_base
-					ea >= va and ea < va + section.virtsize
-				end
-			end
-		elsif @bin.kind_of?(Metasm::ELF)
-			@bin.segments.each do |seg|
-				next if seg.flags.include? 'X'
-				matches.delete_if do |ea|
-					ea >= seg.vaddr and ea < seg.vaddr + seg.memsz
-				end
-			end
-		elsif @bin.kind_of?(Metasm::MachO)
-			@bin.segments.each do |seg|
-				next if seg.initprot.include? 'EXECUTE'
-				matches.delete_if do |ea|
-					ea >= seg.virtaddr and ea < seg.virtaddr + seg.filesize
-				end
-			end
-		end
-
-		gadgets = process_gadgets(matches, depth)
-		gadgets.each do |gadget|
-			@gadgets << gadget
-		end
-		gadgets
-	end
-
-	def pattern_search(pattern)
-		p = Regexp.new("(" + pattern + ")")
-		matches = []
-
-		@gadgets.each do |gadget|
-			disasm = ""
-			addrs = []
-
-			gadget[:disasm].each_line do |line|
-				addr, asm = line.split("\t", 2)
-				addrs << addr
-				disasm << asm
-			end
-
-			if gadget[:raw] =~ p or gadget[:disasm] =~ p or disasm =~ p
-				matches << {:gadget => gadget, :disasm => disasm, :addrs => addrs}
-			end
-		end
-		matches.each do |match|
-			@stdio.print_status("gadget with address: %bld%cya#{match[:gadget][:address]}%clr matched")
-			color_pattern(match[:gadget], match[:disasm], match[:addrs], p)
-		end
-		matches
-	end
-
-	def color_pattern(gadget, disasm, addrs, p)
-		idx = disasm.index(p)
-		if idx.nil?
-			print_msg(gadget[:disasm])
-			return
-		end
-
-		disasm = disasm.insert(idx, "%bld%grn")
-
-		asm = ""
-		cnt = 0
-		colors = false
-		disasm.each_line do |line|
-			# if we find this then we are in the matching area
-			if line.index(/\%bld\%grn/)
-				colors = true
-			end
-			asm << "%clr" + addrs[cnt] + "\t"
-
-			# color the remaining parts of the gadget
-			if colors and line.index("%bld%grn").nil?
-				asm << "%bld%grn" + line
-			else
-				asm << line
-			end
-
-			cnt += 1
-		end
-		asm << "%clr\n"
-		print_msg(asm)
-	end
-
-	def process_gadgets(rets, num)
-		ret = {}
-		gadgets = []
-		tmp = []
-		rets.each do |ea|
-			insn = @disassembler.disassemble_instruction(ea)
-			next if not insn
-
-			xtra = insn.bin_length
-
-			1.upto(num) do |x|
-				addr = ea - x
-
-				# get the disassembled instruction at this address
-				di = @disassembler.disassemble_instruction(addr)
-
-				# skip invalid instructions
-				next if not di
-				next if di.opcode.props[:setip]
-				next if di.opcode.props[:stopexec]
-
-				# get raw bytes
-				buf = @disassembler.read_raw_data(addr, x + xtra)
-				
-
-				# make sure disassembling forward leads to our instruction
-				next if not ends_with_addr(buf, addr, ea)
-
-				dasm = ""
-				while addr <= ea
-					di = @disassembler.disassemble_instruction(addr)
-					dasm << ("0x%08x:\t" % addr) + di.instruction.to_s + "\n"
-					addr = addr + di.bin_length
-				end
-
-				if not tmp.include?(ea)
-					tmp << ea
-				else
-					next
-				end
-				# otherwise, we create a new tailchunk and add it to the list
-				ret = {:file => @file, :address => ("0x%08x" % (ea - x)), :raw => buf, :disasm => dasm}
-				gadgets << ret
-			end
-		end
-		gadgets
-	end
-
-	private
-	def ends_with_addr(raw, base, addr)
-		dasm2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
-		offset = 0
-		while ((di = dasm2.disassemble_instruction(offset)))
-			return true if (base + offset) == addr
-			return false if di.opcode.props[:setip]
-			return false if di.opcode.props[:stopexec]
-			offset = di.next_addr
-		end
-		false
-	end
-
-	def raw_instructions(raw)
-		insns = []
-		d2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
-		addr = 0
-		while ((di = d2.disassemble_instruction(addr)))
-			insns << di.instruction
-			addr = di.next_addr
-		end
-		insns
-	end
+  def initialize(file="")
+    @stdio = Rex::Ui::Text::Output::Stdio.new
+    @file = file if not file.empty?
+    @bin = Metasm::AutoExe.decode_file(file) if not file.empty?
+    @disassembler = @bin.disassembler if not @bin.nil?
+    if @disassembler
+      @disassembler.cpu = Metasm::Ia32.new('386_common')
+    end
+    super()
+  end
+
+  def collect(depth, pattern)
+    matches = []
+    gadgets = []
+
+    # find matches by scanning for the pattern
+    matches = @disassembler.pattern_scan(pattern)
+    if @bin.kind_of?(Metasm::PE)
+      @bin.sections.each do |section|
+        next if section.characteristics.include? 'MEM_EXECUTE'
+        # delete matches if the address is outside the virtual address space
+        matches.delete_if do |ea|
+          va = section.virtaddr + @bin.optheader.image_base
+          ea >= va and ea < va + section.virtsize
+        end
+      end
+    elsif @bin.kind_of?(Metasm::ELF)
+      @bin.segments.each do |seg|
+        next if seg.flags.include? 'X'
+        matches.delete_if do |ea|
+          ea >= seg.vaddr and ea < seg.vaddr + seg.memsz
+        end
+      end
+    elsif @bin.kind_of?(Metasm::MachO)
+      @bin.segments.each do |seg|
+        next if seg.initprot.include? 'EXECUTE'
+        matches.delete_if do |ea|
+          ea >= seg.virtaddr and ea < seg.virtaddr + seg.filesize
+        end
+      end
+    end
+
+    gadgets = process_gadgets(matches, depth)
+    gadgets.each do |gadget|
+      @gadgets << gadget
+    end
+    gadgets
+  end
+
+  def pattern_search(pattern)
+    p = Regexp.new("(" + pattern + ")")
+    matches = []
+
+    @gadgets.each do |gadget|
+      disasm = ""
+      addrs = []
+
+      gadget[:disasm].each_line do |line|
+        addr, asm = line.split("\t", 2)
+        addrs << addr
+        disasm << asm
+      end
+
+      if gadget[:raw] =~ p or gadget[:disasm] =~ p or disasm =~ p
+        matches << {:gadget => gadget, :disasm => disasm, :addrs => addrs}
+      end
+    end
+    matches.each do |match|
+      @stdio.print_status("gadget with address: %bld%cya#{match[:gadget][:address]}%clr matched")
+      color_pattern(match[:gadget], match[:disasm], match[:addrs], p)
+    end
+    matches
+  end
+
+  def color_pattern(gadget, disasm, addrs, p)
+    idx = disasm.index(p)
+    if idx.nil?
+      print_msg(gadget[:disasm])
+      return
+    end
+
+    disasm = disasm.insert(idx, "%bld%grn")
+
+    asm = ""
+    cnt = 0
+    colors = false
+    disasm.each_line do |line|
+      # if we find this then we are in the matching area
+      if line.index(/\%bld\%grn/)
+        colors = true
+      end
+      asm << "%clr" + addrs[cnt] + "\t"
+
+      # color the remaining parts of the gadget
+      if colors and line.index("%bld%grn").nil?
+        asm << "%bld%grn" + line
+      else
+        asm << line
+      end
+
+      cnt += 1
+    end
+    asm << "%clr\n"
+    print_msg(asm)
+  end
+
+  def process_gadgets(rets, num)
+    ret     = {}
+    gadgets = []
+    tmp     = []
+    rets.each do |ea|
+      insn = @disassembler.disassemble_instruction(ea)
+      next if not insn
+
+      xtra = insn.bin_length
+
+      num.downto(0) do |x|
+        addr = ea - x
+
+        # get the disassembled instruction at this address
+        di = @disassembler.disassemble_instruction(addr)
+
+        # skip invalid instructions
+        next if not di
+        next if di.opcode.props[:setip]
+        next if di.opcode.props[:stopexec]
+
+        # get raw bytes
+        buf = @disassembler.read_raw_data(addr, x + xtra)
+
+
+        # make sure disassembling forward leads to our instruction
+        next if not ends_with_addr(buf, addr, ea)
+
+        dasm = ""
+        while addr <= ea
+          di = @disassembler.disassemble_instruction(addr)
+          dasm << ("0x%08x:\t" % addr) + di.instruction.to_s + "\n"
+          addr = addr + di.bin_length
+        end
+
+        if not tmp.include?(ea)
+          tmp << ea
+        else
+          next
+        end
+
+        # otherwise, we create a new tailchunk and add it to the list
+        ret = {:file => @file, :address => ("0x%08x" % (ea - x)), :raw => buf, :disasm => dasm}
+        gadgets << ret
+      end
+    end
+    gadgets
+  end
+
+  private
+  def ends_with_addr(raw, base, addr)
+    dasm2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
+    offset = 0
+    while ((di = dasm2.disassemble_instruction(offset)))
+      return true if (base + offset) == addr
+      return false if di.opcode.props[:setip]
+      return false if di.opcode.props[:stopexec]
+      offset = di.next_addr
+    end
+    false
+  end
+
+  def raw_instructions(raw)
+    insns = []
+    d2 = Metasm::Shellcode.decode(raw, @disassembler.cpu).disassembler
+    addr = 0
+    while ((di = d2.disassemble_instruction(addr)))
+      insns << di.instruction
+      addr = di.next_addr
+    end
+    insns
+  end
 end
 end
 end