librex 0.0.70 → 0.0.71

data/lib/rex/proto/dcerpc/ndr.rb

@@ -34,7 +34,7 @@ class NDR
   #       byte element_1;
   def self.byte(string)
     warn 'should be using Rex::Encoder::NDR'
-    return [string].pack('c')
+    return [string].pack('C')
   end
 
   # Encode a byte array

data/lib/rex/proto/ipmi/channel_auth_reply.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto

data/lib/rex/proto/ipmi/open_session_reply.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto

data/lib/rex/proto/ipmi/rakp2.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto

data/lib/rex/proto/natpmp/packet.rb

@@ -12,32 +12,32 @@ module Proto
 module NATPMP
 
   # Return a NAT-PMP request to get the external address.
-  def self.external_address_request
+  def external_address_request
     [ 0, 0 ].pack('nn')
   end
 
   # Parse a NAT-PMP external address response +resp+.
   # Returns the decoded parts of the response as an array.
-  def self.parse_external_address_response(resp)
-    (ver, op, result, epoch, addr) = resp.unpack("CCSLN")
+  def parse_external_address_response(resp)
+    (ver, op, result, epoch, addr) = resp.unpack("CCnNN")
     [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
   end
 
   # Return a NAT-PMP request to map remote port +rport+/+protocol+ to local port +lport+ for +lifetime+ ms
-  def self.map_port_request(lport, rport, protocol, lifetime)
-    [   Rex::Proto::NATPMP::Version, # version
+  def map_port_request(lport, rport, protocol, lifetime)
+    [ Rex::Proto::NATPMP::Version, # version
       protocol, # opcode, which is now the protocol we are asking to forward
       0, # reserved
       lport,
       rport,
       lifetime
-    ].pack("ccnnnN")
+    ].pack("CCnnnN")
   end
 
   # Parse a NAT-PMP mapping response +resp+.
   # Returns the decoded parts as an array.
-  def self.parse_map_port_response(resp)
-    resp.unpack("CCSLnnN")
+  def parse_map_port_response(resp)
+    resp.unpack("CCnNnnN")
   end
 end
 

data/lib/rex/proto/ntp.rb

@@ -0,0 +1,3 @@
+# -*- coding: binary -*-
+require 'rex/proto/ntp/constants'
+require 'rex/proto/ntp/modes'

data/lib/rex/proto/ntp/constants.rb

@@ -0,0 +1,12 @@
+# -*- coding: binary -*-
+module Rex
+module Proto
+module NTP
+VERSIONS = (0..7).to_a
+MODES = (0..7).to_a
+MODE_6_OPERATIONS = (0..31).to_a
+MODE_7_IMPLEMENTATIONS = (0..255).to_a
+MODE_7_REQUEST_CODES = (0..255).to_a
+end
+end
+end

data/lib/rex/proto/ntp/modes.rb

@@ -0,0 +1,130 @@
+# -*- coding: binary -*-
+
+require 'bit-struct'
+
+module Rex
+module Proto
+module NTP
+
+  # A very generic NTP message
+  #
+  # Uses the common/similar parts from versions 1-4 and considers everything
+  # after to be just one big field.  For the particulars on the different versions,
+  # see:
+  #   http://tools.ietf.org/html/rfc958#appendix-B
+  #   http://tools.ietf.org/html/rfc1059#appendix-B
+  #   pages 45/48 of http://tools.ietf.org/pdf/rfc1119.pdf
+  #   http://tools.ietf.org/html/rfc1305#appendix-D
+  #   http://tools.ietf.org/html/rfc5905#page-19
+  class NTPGeneric < BitStruct
+    #    0                   1                   2                   3
+    #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    #   |LI | VN  | mode|    Stratum    |      Poll     |   Precision   |
+    #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :li, 2,  default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 0
+    unsigned :stratum, 8,  default: 0
+    unsigned :poll, 8,  default: 0
+    unsigned :precision, 8,  default: 0
+    rest :payload
+  end
+
+  # An NTP control message.  Control messages are only specified for NTP
+  # versions 2-4, but this is a fuzzer so why not try them all...
+  class NTPControl < BitStruct
+    #  0                   1                   2                   3
+    #  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |00 | VN  |   6 |R E M|  op     |     Sequence                  |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |              status           |      association id           |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |              offset           |     count                     |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :reserved, 2, default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 6
+    unsigned :response, 1,  default: 0
+    unsigned :error, 1,  default: 0
+    unsigned :more, 1,  default: 0
+    unsigned :operation, 5,  default: 0
+    unsigned :sequence, 16,  default: 0
+    unsigned :status, 16,  default: 0
+    unsigned :association_id, 16,  default: 0
+    # TODO: there *must* be bugs in the handling of these next two fields!
+    unsigned :payload_offset, 16,  default: 0
+    unsigned :payload_size, 16,  default: 0
+    rest :payload
+  end
+
+  # An NTP "private" message.  Private messages are only specified for NTP
+  # versions 2-4, but this is a fuzzer so why not try them all...
+  class NTPPrivate < BitStruct
+    #  0                   1                   2                   3
+    #  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |R M| VN  |   7 |A|  Sequence   | Implementation| Req code      |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    # |  err  | Number of data items  |  MBZ   |   Size of data item  |
+    # +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    unsigned :response, 1, default: 0
+    unsigned :more, 1, default: 0
+    unsigned :version, 3,  default: 0
+    unsigned :mode, 3,  default: 7
+    unsigned :auth, 1, default: 0
+    unsigned :sequence, 7, default: 0
+    unsigned :implementation, 8, default: 0
+    unsigned :request_code, 8, default: 0
+    unsigned :error, 4, default: 0
+    unsigned :record_count, 12, default: 0
+    unsigned :mbz, 4, default: 0
+    unsigned :record_size, 12, default: 0
+    rest :payload
+
+    def records
+      records = []
+      1.upto(record_count) do |record_num|
+        records << payload[record_size*(record_num-1), record_size]
+      end
+      records
+    end
+  end
+
+  def self.ntp_control(version, operation, payload = nil)
+    n = NTPControl.new
+    n.version = version
+    n.operation = operation
+    if payload
+      n.payload_offset = 0
+      n.payload_size = payload.size
+      n.payload = payload
+    end
+    n
+  end
+
+  def self.ntp_private(version, implementation, request_code, payload = nil)
+    n = NTPPrivate.new
+    n.version = version
+    n.implementation = implementation
+    n.request_code = request_code
+    n.payload = payload if payload
+    n
+  end
+
+  def self.ntp_generic(version, mode)
+    n = NTPGeneric.new
+    n.version = version
+    n.mode = mode
+    n
+  end
+
+  # Parses the given message and provides a description about the NTP message inside
+  def self.describe(message)
+    ntp = NTPGeneric.new(message)
+    "#{message.size}-byte version #{ntp.version} mode #{ntp.mode} reply"
+  end
+end
+end
+end

data/lib/rex/proto/pjl.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # https://en.wikipedia.org/wiki/Printer_Job_Language
 # See external links for PJL spec
 

data/lib/rex/proto/pjl/client.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # https://en.wikipedia.org/wiki/Printer_Job_Language
 # See external links for PJL spec
 

data/lib/rex/proto/sip.rb

@@ -0,0 +1,4 @@
+# encoding: binary
+
+# SIP protocol support
+require 'rex/proto/sip/response'

data/lib/rex/proto/sip/response.rb

@@ -0,0 +1,61 @@
+# encoding: binary
+
+module Rex
+  module Proto
+    # SIP protocol support
+    module SIP
+      SIP_STATUS_REGEX = /^SIP\/(\d\.\d) (\d{3})\s*(.*)$/
+
+      # Represents a generic SIP message
+      class Message
+        attr_accessor :headers
+
+        def initialize
+          @headers = {}
+        end
+
+        # Returns a list of all values from all +name+ headers, regardless of case,
+        # or nil if no matching header is found
+        def header(name)
+          matches = @headers.select { |k, _| k.downcase == name.downcase }
+          return nil if matches.empty?
+          matches.values.flatten
+        end
+
+        # Returns a hash of header name to values mapping
+        # from the provided message, or nil if no headers
+        # are found
+        def self.extract_headers(message)
+          pairs = message.scan(/^([^\s:]+):\s*(.*)$/)
+          return nil if pairs.empty?
+          headers = {}
+          pairs.each do |pair|
+            headers[pair.first] ||= []
+            headers[pair.first] << pair.last.strip
+          end
+          headers
+        end
+      end
+
+      # Represents a SIP response message
+      class Response < Message
+        attr_accessor :code, :message, :status_line, :version
+
+        # Parses +data+, constructs and returns a Response
+        def self.parse(data)
+          response = Response.new
+          # do some basic sanity checking on this response to ensure that it is SIP
+          response.status_line = data.split(/\r\n/)[0]
+          unless response.status_line && response.status_line =~ SIP_STATUS_REGEX
+            fail(ArgumentError, "Invalid SIP status line: #{response.status_line}")
+          end
+          response.version = Regexp.last_match(1)
+          response.code = Regexp.last_match(2)
+          response.message = Regexp.last_match(3)
+          response.headers = extract_headers(data)
+          response
+        end
+      end
+    end
+  end
+end

data/lib/rex/proto/smb/exceptions.rb

@@ -739,11 +739,15 @@ class Error < ::RuntimeError
   # returns an error string if it exists, otherwise just the error code
   def get_error(error)
     string = ''
-    if @@errors[error]
+    if error && @@errors[error]
       string = @@errors[error]
-    else
+    elsif error
       string = sprintf('0x%.8x',error)
+    else
+      string = "Unknown error"
     end
+
+    string
   end
 end
 
@@ -781,6 +785,10 @@ class InvalidPacket < Error
   attr_accessor :word_count
   attr_accessor :command
   attr_accessor :error_code
+
+  def error_name
+    get_error(error_code)
+  end
 end
 
 class InvalidWordCount < InvalidPacket
@@ -807,7 +815,7 @@ end
 class ErrorCode < InvalidPacket
   def to_s
     'The server responded with error: ' +
-    self.get_error(self.error_code) +
+    self.error_name +
     " (Command=#{self.command} WordCount=#{self.word_count})"
   end
 end

data/lib/rex/random_identifier_generator.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 # A quick way to produce unique random strings that follow the rules of
 # identifiers, i.e., begin with a letter and contain only alphanumeric

data/lib/rex/registry/lfkey.rb

@@ -41,7 +41,7 @@ class LFHashRecord
   attr_accessor :nodekey_offset, :nodekey_name_verification
 
   def initialize(hive_blob, offset)
-    @nodekey_offset = hive_blob[offset, 4].unpack('l').first
+    @nodekey_offset = hive_blob[offset, 4].unpack('V').first
     @nodekey_name_verification = hive_blob[offset+0x04, 4].to_s
   end
 

data/lib/rex/registry/nodekey.rb

@@ -23,16 +23,16 @@ class NodeKey
       return
     end
 
-    @timestamp = hive[offset+0x04, 8].unpack('q').first
-    @parent_offset = hive[offset+0x10, 4].unpack('l').first
-    @subkeys_count = hive[offset+0x14, 4].unpack('l').first
-    @lf_record_offset = hive[offset+0x1c, 4].unpack('l').first
-    @value_count = hive[offset+0x24, 4].unpack('l').first
-    @value_list_offset = hive[offset+0x28, 4].unpack('l').first
-    @security_key_offset = hive[offset+0x2c, 4].unpack('l').first
-    @class_name_offset = hive[offset+0x30, 4].unpack('l').first
-    @name_length = hive[offset+0x48, 2].unpack('c').first
-    @class_name_length = hive[offset+0x4a, 2].unpack('c').first
+    @timestamp = hive[offset+0x04, 8].unpack('Q').first
+    @parent_offset = hive[offset+0x10, 4].unpack('V').first
+    @subkeys_count = hive[offset+0x14, 4].unpack('V').first
+    @lf_record_offset = hive[offset+0x1c, 4].unpack('V').first
+    @value_count = hive[offset+0x24, 4].unpack('V').first
+    @value_list_offset = hive[offset+0x28, 4].unpack('V').first
+    @security_key_offset = hive[offset+0x2c, 4].unpack('V').first
+    @class_name_offset = hive[offset+0x30, 4].unpack('V').first
+    @name_length = hive[offset+0x48, 2].unpack('C').first
+    @class_name_length = hive[offset+0x4a, 2].unpack('C').first
     @name = hive[offset+0x4c, @name_length].to_s
 
     windows_time = @timestamp

data/lib/rex/registry/valuekey.rb

@@ -17,10 +17,10 @@ class ValueKey
       return
     end
 
-    @name_length = hive[offset+0x02, 2].unpack('c').first
-    @length_of_data = hive[offset+0x04, 4].unpack('l').first
-    @data_offset = hive[offset+ 0x08, 4].unpack('l').first
-    @value_type = hive[offset+0x0C, 4].unpack('c').first
+    @name_length = hive[offset+0x02, 2].unpack('C').first
+    @length_of_data = hive[offset+0x04, 4].unpack('V').first
+    @data_offset = hive[offset+ 0x08, 4].unpack('V').first
+    @value_type = hive[offset+0x0C, 4].unpack('C').first
 
     if @value_type == 1
       @readable_value_type = "Unicode character string"
@@ -34,7 +34,7 @@ class ValueKey
       @readable_value_type = "Multiple unicode strings separated with '\\x00'"
     end
 
-    flag = hive[offset+0x10, 2].unpack('c').first
+    flag = hive[offset+0x10, 2].unpack('C').first
 
     if flag == 0
       @name = "Default"

data/lib/rex/registry/valuelist.rb

@@ -18,7 +18,7 @@ class ValueList
       valuekey_offset = hive[offset + inner_offset, 4]
       next if !valuekey_offset
 
-      valuekey_offset = valuekey_offset.unpack('l').first
+      valuekey_offset = valuekey_offset.unpack('V').first
       @values << ValueKey.new(hive, valuekey_offset + 0x1000)
       inner_offset = inner_offset + 4
     end

data/lib/rex/socket/ip.rb

@@ -75,6 +75,7 @@ module Rex::Socket::Ip
       Rex::Compat.is_macosx
       )
       gram=gram.dup
+      # Note that these are *intentionally* host order for BSD support
       gram[2,2]=gram[2,2].unpack("n").pack("s")
       gram[6,2]=gram[6,2].unpack("n").pack("s")
     end

data/lib/rex/sslscan/result.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 require 'rex/socket'
 require 'rex/ui/text/table'

data/lib/rex/sslscan/scanner.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'rex/socket'
 require 'rex/sslscan/result'
 

data/lib/rex/text.rb

@@ -3,6 +3,7 @@ require 'digest/md5'
 require 'digest/sha1'
 require 'stringio'
 require 'cgi'
+require 'rex/exploitation/powershell'
 
 %W{ iconv zlib }.each do |libname|
   begin
@@ -305,19 +306,7 @@ module Text
   # Converts a raw string to a powershell byte array
   #
   def self.to_powershell(str, name = "buf")
-    return "[Byte[]]$#{name} = ''" if str.nil? or str.empty?
-
-    code = str.unpack('C*')
-    buff = "[Byte[]]$#{name} = 0x#{code[0].to_s(16)}"
-    1.upto(code.length-1) do |byte|
-      if(byte % 10 == 0)
-        buff << "\r\n$#{name} += 0x#{code[byte].to_s(16)}"
-      else
-        buff << ",0x#{code[byte].to_s(16)}"
-      end
-    end
-
-    return buff
+    return Rex::Exploitation::Powershell::Script.to_byte_array(str, name)
   end
 
   #