librex 0.0.70 → 0.0.71

data/lib/rex/exploitation/powershell/param.rb

@@ -0,0 +1,23 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass, name)
+      @klass = klass.strip
+      @name = name.strip.gsub(/\s|,/, '')
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell param
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/parser.rb

@@ -0,0 +1,183 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Exploitation
+    module Powershell
+      module Parser
+        # Reserved special variables
+        # Acquired with: Get-Variable | Format-Table name, value -auto
+        RESERVED_VARIABLE_NAMES = [
+          '$$',
+          '$?',
+          '$^',
+          '$_',
+          '$args',
+          '$ConfirmPreference',
+          '$ConsoleFileName',
+          '$DebugPreference',
+          '$Env',
+          '$Error',
+          '$ErrorActionPreference',
+          '$ErrorView',
+          '$ExecutionContext',
+          '$false',
+          '$FormatEnumerationLimit',
+          '$HOME',
+          '$Host',
+          '$input',
+          '$LASTEXITCODE',
+          '$MaximumAliasCount',
+          '$MaximumDriveCount',
+          '$MaximumErrorCount',
+          '$MaximumFunctionCount',
+          '$MaximumHistoryCount',
+          '$MaximumVariableCount',
+          '$MyInvocation',
+          '$NestedPromptLevel',
+          '$null',
+          '$OutputEncoding',
+          '$PID',
+          '$PROFILE',
+          '$ProgressPreference',
+          '$PSBoundParameters',
+          '$PSCulture',
+          '$PSEmailServer',
+          '$PSHOME',
+          '$PSSessionApplicationName',
+          '$PSSessionConfigurationName',
+          '$PSSessionOption',
+          '$PSUICulture',
+          '$PSVersionTable',
+          '$PWD',
+          '$ReportErrorShowExceptionClass',
+          '$ReportErrorShowInnerException',
+          '$ReportErrorShowSource',
+          '$ReportErrorShowStackTrace',
+          '$ShellId',
+          '$StackTrace',
+          '$true',
+          '$VerbosePreference',
+          '$WarningPreference',
+          '$WhatIfPreference'
+        ].map(&:downcase).freeze
+
+        #
+        # Get variable names from code, removes reserved names from return
+        #
+        # @return [Array] variable names
+        def get_var_names
+          our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+          our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
+        end
+
+        #
+        # Get function names from code
+        #
+        # @return [Array] function names
+        def get_func_names
+          code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+        end
+
+        #
+        # Attempt to find string literals in PSH expression
+        #
+        # @return [Array] string literals
+        def get_string_literals
+          code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+        end
+
+        #
+        # Scan code and return matches with index
+        #
+        # @param str [String] string to match in code
+        # @param source [String] source code to match, defaults to @code
+        #
+        # @return [Array[String,Integer]] matched items with index
+        def scan_with_index(str, source = code)
+          ::Enumerator.new do |y|
+            source.scan(str) do
+              y << ::Regexp.last_match
+            end
+          end.map { |m| [m.to_s, m.offset(0)[0]] }
+        end
+
+        #
+        # Return matching bracket type
+        #
+        # @param char [String] opening bracket character
+        #
+        # @return [String] matching closing bracket
+        def match_start(char)
+          case char
+          when '{'
+            '}'
+          when '('
+            ')'
+          when '['
+            ']'
+          when '<'
+            '>'
+          else
+            fail ArgumentError, 'Unknown starting bracket'
+          end
+        end
+
+        #
+        # Extract block of code inside brackets/parenthesis
+        #
+        # Attempts to match the bracket at idx, handling nesting manually
+        # Once the balanced matching bracket is found, all script content
+        # between idx and the index of the matching bracket is returned
+        #
+        # @param idx [Integer] index of opening bracket
+        #
+        # @return [String] content between matching brackets
+        def block_extract(idx)
+          fail ArgumentError unless idx
+
+          if idx < 0 || idx >= code.length
+            fail ArgumentError, 'Invalid index'
+          end
+
+          start = code[idx]
+          stop = match_start(start)
+          delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+          delims.map { |x| x[1] = x[1] + idx + 1 }
+          c = 1
+          sidx = nil
+          # Go through delims till we balance, get idx
+          while (c != 0) && (x = delims.shift)
+            sidx = x[1]
+            x[0] == stop ? c -= 1 : c += 1
+          end
+
+          code[idx..sidx]
+        end
+
+        #
+        # Extract a block of function code
+        #
+        # @param func_name [String] function name
+        # @param delete [Boolean] delete the function from the code
+        #
+        # @return [String] function block
+        def get_func(func_name, delete = false)
+          start = code.index(func_name)
+
+          return nil unless start
+
+          idx = code[start..-1].index('{') + start
+          func_txt = block_extract(idx)
+
+          if delete
+            delete_code = code[0..idx]
+            delete_code << code[(idx + func_txt.length)..-1]
+            @code = delete_code
+          end
+
+          Function.new(func_name, func_txt)
+        end
+      end # Parser
+    end
+  end
+end

data/lib/rex/exploitation/powershell/psh_methods.rb

@@ -0,0 +1,70 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  ##
+  # Convenience methods for generating powershell code in Ruby
+  ##
+
+  module PshMethods
+    #
+    # Download file via .NET WebClient
+    #
+    # @param src [String] URL to the file
+    # @param target [String] Location to save the file
+    #
+    # @return [String] Powershell code to download a file
+    def self.download(src, target)
+      target ||= '$pwd\\' << src.split('/').last
+      %Q^(new-object System.Net.WebClient).DownloadFile("#{src}", "#{target}")^
+    end
+
+    #
+    # Uninstall app, or anything named like app
+    #
+    # @param app [String] Name of application
+    # @param fuzzy [Boolean] Whether to apply a fuzzy match (-like) to
+    #   the application name
+    #
+    # @return [String] Powershell code to uninstall an application
+    def self.uninstall(app, fuzzy = true)
+      match = fuzzy ? '-like' : '-eq'
+      %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+    end
+
+    #
+    # Create secure string from plaintext
+    #
+    # @param str [String] String to create as a SecureString
+    #
+    # @return [String] Powershell code to create a SecureString
+    def self.secure_string(str)
+      %Q(ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$)
+    end
+
+    #
+    # Find PID of file lock owner
+    #
+    # @param filename [String] Filename
+    #
+    # @return [String] Powershell code to identify the PID of a file
+    #   lock owner
+    def self.who_locked_file(filename)
+      %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+    end
+
+    #
+    # Return last time of login
+    #
+    # @param user [String] Username
+    #
+    # @return [String] Powershell code to return the last time of a user
+    #   login
+    def self.get_last_login(user)
+      %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/script.rb

@@ -0,0 +1,99 @@
+# -*- coding: binary -*-
+
+require 'rex'
+require 'forwardable'
+
+module Rex
+module Exploitation
+module Powershell
+  class Script
+    attr_accessor :code
+    attr_reader :functions, :rig
+
+    include Output
+    include Parser
+    include Obfu
+    # Pretend we are actually a string
+    extend ::Forwardable
+    # In case someone messes with String we delegate based on its instance methods
+    # eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub, :dump, :match, :to_sym,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
+                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
+                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
+                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
+                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
+                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
+                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
+                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
+                   :initialize_clone, :to_str, :to_enum, :tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
+                   :end_with?
+
+    def initialize(code)
+      @code = ''
+      @rig = Rex::RandomIdentifierGenerator.new
+
+      begin
+        # Open code file for reading
+        fd = ::File.new(code, 'rb')
+        while (line = fd.gets)
+          @code << line
+        end
+
+        # Close open file
+        fd.close
+      rescue Errno::ENAMETOOLONG, Errno::ENOENT
+        # Treat code as a... code
+        @code = code.to_s.dup # in case we're eating another script
+      end
+      @functions = get_func_names.map { |f| get_func(f) }
+    end
+
+    ##
+    # Class methods
+    ##
+
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    # @param input_data [String] Path to powershell file or powershell
+    #   code string
+    # @param var_name [String] Byte array variable name
+    #
+    # @return [String] input_data as a powershell byte array
+    def self.to_byte_array(input_data, var_name = Rex::Text.rand_text_alpha(rand(3) + 3))
+      # File will raise an exception if the path contains null byte
+      if input_data.include? "\x00"
+        code = input_data
+      else
+        code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      end
+
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length - 1) do |byte|
+        if (byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
+
+      psh << lines.join('') + "\r\n"
+    end
+
+    #
+    # Return list of code modifier methods
+    #
+    # @return [Array] Code modifiers
+    def self.code_modifiers
+      instance_methods.select { |m| m =~ /^(strip|sub)/ }
+    end
+  end # class Script
+end
+end
+end

data/lib/rex/exploitation/ropdb.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'rex/text'
 require 'rexml/document'
 

data/lib/rex/mac_oui.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Oui

data/lib/rex/ole/util.rb

@@ -124,7 +124,7 @@ class Util
 
 
   def self.getUnicodeString(buf)
-    buf = buf.unpack('S*').pack('C*')
+    buf = buf.unpack('v*').pack('C*')
     if (idx = buf.index(0x00.chr))
       buf.slice!(idx, buf.length)
     end
@@ -132,7 +132,7 @@ class Util
   end
 
   def self.putUnicodeString(buf)
-    buf = buf.unpack('C*').pack('S*')
+    buf = buf.unpack('C*').pack('v*')
     if (buf.length < 0x40)
       buf << "\x00" * (0x40 - buf.length)
     end

data/lib/rex/parser/group_policy_preferences.rb

@@ -0,0 +1,185 @@
+# -*- coding: binary -*-
+#
+
+module Rex
+module Parser
+
+# This is a parser for the Windows Group Policy Preferences file
+# format. It's used by modules/post/windows/gather/credentials/gpp.rb
+# and uses REXML (as opposed to Nokogiri) for its XML parsing.
+# See: http://msdn.microsoft.com/en-gb/library/cc232587.aspx
+class GPP
+  require 'rex'
+  require 'rexml/document'
+
+  def self.parse(data)
+    if data.nil?
+      return []
+    end
+
+    xml = REXML::Document.new(data).root
+    results = []
+
+    unless xml and xml.elements and xml.elements.to_a("//Properties")
+      return []
+    end
+
+    xml.elements.to_a("//Properties").each do |node|
+      epassword = node.attributes['cpassword']
+      next if epassword.to_s.empty?
+      password = self.decrypt(epassword)
+
+      user = node.attributes['runAs'] if node.attributes['runAs']
+      user = node.attributes['accountName'] if node.attributes['accountName']
+      user = node.attributes['username'] if node.attributes['username']
+      user = node.attributes['userName'] if node.attributes['userName']
+      user = node.attributes['newName'] unless node.attributes['newName'].nil? || node.attributes['newName'].empty?
+      changed = node.parent.attributes['changed']
+
+      # Printers and Shares
+      path = node.attributes['path']
+
+      # Datasources
+      dsn = node.attributes['dsn']
+      driver = node.attributes['driver']
+
+      # Tasks
+      app_name = node.attributes['appName']
+
+      # Services
+      service = node.attributes['serviceName']
+
+      # Groups
+      expires = node.attributes['expires']
+      never_expires = node.attributes['neverExpires']
+      disabled = node.attributes['acctDisabled']
+
+      result = {
+        :USER => user,
+        :PASS => password,
+        :CHANGED => changed
+      }
+
+      result.merge!({ :EXPIRES => expires }) unless expires.nil? || expires.empty?
+      result.merge!({ :NEVER_EXPIRES => never_expires.to_i }) unless never_expires.nil? || never_expires.empty?
+      result.merge!({ :DISABLED => disabled.to_i }) unless disabled.nil? || disabled.empty?
+      result.merge!({ :PATH => path }) unless path.nil? || path.empty?
+      result.merge!({ :DATASOURCE => dsn }) unless dsn.nil? || dsn.empty?
+      result.merge!({ :DRIVER => driver }) unless driver.nil? || driver.empty?
+      result.merge!({ :TASK => app_name }) unless app_name.nil? || app_name.empty?
+      result.merge!({ :SERVICE => service }) unless service.nil? || service.empty?
+
+      attributes = []
+      node.elements.each('//Attributes//Attribute') do |dsn_attribute|
+        attributes << {
+          :A_NAME => dsn_attribute.attributes['name'],
+          :A_VALUE => dsn_attribute.attributes['value']
+        }
+      end
+
+      result.merge!({ :ATTRIBUTES => attributes }) unless attributes.empty?
+
+      results << result
+    end
+
+    results
+  end
+
+  def self.create_tables(results, filetype, domain=nil, dc=nil)
+    tables = []
+    results.each do |result|
+      table = Rex::Ui::Text::Table.new(
+        'Header'     => 'Group Policy Credential Info',
+        'Indent'     => 1,
+        'SortIndex'  => -1,
+        'Columns'    =>
+        [
+          'Name',
+          'Value',
+        ]
+      )
+
+      table << ["TYPE", filetype]
+      table << ["USERNAME", result[:USER]]
+      table << ["PASSWORD", result[:PASS]]
+      table << ["DOMAIN CONTROLLER", dc] unless dc.nil? || dc.empty?
+      table << ["DOMAIN", domain] unless domain.nil? || domain.empty?
+      table << ["CHANGED", result[:CHANGED]]
+      table << ["EXPIRES", result[:EXPIRES]] unless result[:EXPIRES].nil? || result[:EXPIRES].empty?
+      table << ["NEVER_EXPIRES?", result[:NEVER_EXPIRES]] unless result[:NEVER_EXPIRES].nil?
+      table << ["DISABLED", result[:DISABLED]] unless result[:DISABLED].nil?
+      table << ["PATH", result[:PATH]] unless result[:PATH].nil? || result[:PATH].empty?
+      table << ["DATASOURCE", result[:DSN]] unless result[:DSN].nil? || result[:DSN].empty?
+      table << ["DRIVER", result[:DRIVER]] unless result[:DRIVER].nil? || result[:DRIVER].empty?
+      table << ["TASK", result[:TASK]] unless result[:TASK].nil? || result[:TASK].empty?
+      table << ["SERVICE", result[:SERVICE]] unless result[:SERVICE].nil? || result[:SERVICE].empty?
+
+      unless result[:ATTRIBUTES].nil? || result[:ATTRIBUTES].empty?
+        result[:ATTRIBUTES].each do |dsn_attribute|
+          table << ["ATTRIBUTE", "#{dsn_attribute[:A_NAME]} - #{dsn_attribute[:A_VALUE]}"]
+        end
+      end
+
+      tables << table
+    end
+
+    tables
+  end
+
+  # Decrypts passwords using Microsoft's published key:
+  # http://msdn.microsoft.com/en-us/library/cc422924.aspx
+  def self.decrypt(encrypted_data)
+    password = ""
+    return password unless encrypted_data
+
+    password = ""
+    retries = 0
+    original_data = encrypted_data.dup
+
+    begin
+      mod = encrypted_data.length % 4
+
+      # PowerSploit code strips the last character, unsure why...
+      case mod
+      when 1
+        encrypted_data = encrypted_data[0..-2]
+      when 2, 3
+        padding = '=' * (4 - mod)
+        encrypted_data = "#{encrypted_data}#{padding}"
+      end
+
+      # Strict base64 decoding used here
+      decoded = encrypted_data.unpack('m0').first
+    rescue ::ArgumentError => e
+      # Appears to be some junk UTF-8 Padding appended at times in
+      # Win2k8 (not in Win2k8R2)
+      # Lets try stripping junk and see if we can decrypt
+      if retries < 8
+        retries += 1
+        original_data = original_data[0..-2]
+        encrypted_data = original_data
+        retry
+      else
+        return password
+      end
+    end
+
+    key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
+    aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
+    begin
+      aes.decrypt
+      aes.key = key
+      plaintext = aes.update(decoded)
+      plaintext << aes.final
+      password = plaintext.unpack('v*').pack('C*') # UNICODE conversion
+    rescue OpenSSL::Cipher::CipherError => e
+      puts "Unable to decode: \"#{encrypted_data}\" Exception: #{e}"
+    end
+
+    password
+  end
+
+end
+end
+end
+