librex 0.0.29 → 0.0.30

data/README.markdown

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision: 12371
+SVN Revision: 12516
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/io/ring_buffer.rb

@@ -54,7 +54,7 @@ class RingBuffer
 	end
 	
 	#
-	# The built-in monitor thread 
+	# The built-in monitor thread (normally unused with Metasploit)
 	#
 	def monitor_thread
 		Thread.new do 
@@ -74,8 +74,8 @@ class RingBuffer
 	# Push data back into the associated stream socket. Logging must occur
 	# elsewhere, this function is simply a passthrough.
 	#
-	def put(data)
-		self.fd.put(data)
+	def put(data, opts={})
+		self.fd.put(data, opts={})
 	end
 	
 	#

data/lib/rex/io/stream.rb

@@ -35,20 +35,20 @@ module Stream
 		total_sent   = 0
 		total_length = buf.length
 		block_size   = 32768
+		
 		begin
 			while( total_sent < total_length )
 				s = Rex::ThreadSafe.select( nil, [ fd ], nil, 0.2 )
 				if( s == nil || s[0] == nil )
 					next
 				end
-				data = buf[0, block_size]
+				data = buf[total_sent, block_size]
 				sent = fd.write_nonblock( data )
 				if sent > 0
 					total_sent += sent
-					buf[0, sent] = ""
 				end
 			end
-		rescue ::Errno::EAGAIN
+		rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
 			# Sleep for a half a second, or until we can write again
 			Rex::ThreadSafe.select( nil, [ fd ], nil, 0.5 )
 			# Decrement the block size to handle full sendQs better
@@ -57,8 +57,8 @@ module Stream
 			retry
 		rescue ::IOError, ::Errno::EPIPE
 			return nil if (fd.abortive_close == true)
-			raise $!
 		end
+		
 		total_sent
 	end
 
@@ -66,12 +66,16 @@ module Stream
 	# This method reads data of the supplied length from the stream.
 	#
 	def read(length = nil, opts = {})
-		# XXX handle length being nil
+		
 		begin
-			fd.readpartial(length)
-		rescue ::IOError, ::EOFError, ::Errno::EPIPE
+			return fd.read_nonblock( length ) 				
+		rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+			# Sleep for a half a second, or until we can read again
+			Rex::ThreadSafe.select( [ fd ], nil, nil, 0.5 )
+			# Decrement the block size to handle full sendQs better
+			retry
+		rescue ::IOError, ::Errno::EPIPE
 			return nil if (fd.abortive_close == true)
-			raise $!
 		end
 	end
 

data/lib/rex/io/stream_abstraction.rb

@@ -68,19 +68,19 @@ module StreamAbstraction
 	end
 
 	#
-	# Writes to the local side.
+	# Low-level write to the local side.
 	#
 	def syswrite(buffer)
 		lsock.syswrite(buffer)
 	end
-
+	
 	#
-	# Reads from the local side.
+	# Low-level read from the local side.
 	#
 	def sysread(length)
 		lsock.sysread(length)
 	end
-
+	
 	#
 	# Shuts down the local side of the stream abstraction.
 	#
@@ -160,15 +160,18 @@ protected
 					total_length = buf.length
 					while( total_sent < total_length )
 						begin
-							data = buf[0, buf.length]
+							data = buf[total_sent, buf.length]
+							
+							# Note that this must be write() NOT syswrite() or put() or anything like it.
+							# Using syswrite() breaks SSL streams.
 							sent = self.write( data )
-							# sf: Only remove the data off the queue is syswrite was successfull.
+							
+							# sf: Only remove the data off the queue is write was successfull.
 							#     This way we naturally perform a resend if a failure occured.
 							#     Catches an edge case with meterpreter TCP channels where remote send
 							#     failes gracefully and a resend is required.
 							if( sent > 0 )
 								total_sent += sent
-								buf[0, sent] = ""
 							end
 						rescue ::IOError => e
 							closed = true

data/lib/rex/job_container.rb

@@ -177,6 +177,18 @@ class JobContainer < Hash
 		self.delete(inst.jid.to_s)
 	end
 
+	#
+	# Overrides the builtin 'each' operator to avoid the following exception on Ruby 1.9.2+
+	#    "can't add a new key into hash during iteration"
+	#
+	def each(&block)
+		list = []
+		self.keys.sort.each do |sidx|
+			list << [sidx, self[sidx]]
+		end
+		list.each(&block)
+	end
+	
 protected
 
 	attr_accessor :job_id_pool # :nodoc:

data/lib/rex/parser/apple_backup_manifestdb.rb

@@ -0,0 +1,131 @@
+#
+# This is a Ruby port of the Python manifest parsing code posted to:
+# 	http://stackoverflow.com/questions/3085153/how-to-parse-the-manifest-mbdb-file-in-an-ios-4-0-itunes-backup/3130860#3130860
+#
+
+module Rex
+module Parser
+class AppleBackupManifestDB
+
+	attr_accessor :entry_offsets
+	attr_accessor :entries
+	attr_accessor :mbdb, :mbdx
+	attr_accessor :mbdb_data, :mbdx_data
+	attr_accessor :mbdb_offset, :mbdx_offset
+	
+	def initialize(mbdb_data, mbdx_data)	
+		self.entries = {}
+		self.entry_offsets = {}
+		self.mbdb_data = mbdb_data
+		self.mbdx_data = mbdx_data
+		parse_mbdb
+		parse_mbdx
+	end
+	
+	def self.from_files(mbdb_file, mbdx_file)
+		mbdb_data = ""
+		::File.open(mbdb_file, "rb") {|fd| mbdb_data = fd.read(fd.stat.size) }
+		mbdx_data = ""
+		::File.open(mbdx_file, "rb") {|fd| mbdx_data = fd.read(fd.stat.size) }
+		
+		self.new(mbdb_data, mbdx_data)
+	end
+	
+	def parse_mbdb
+		raise ArgumentError, "Not valid MBDB data" if self.mbdb_data[0,4] != "mbdb"	
+		self.mbdb_offset = 4
+		self.mbdb_offset = self.mbdb_offset + 2 # Maps to \x05 \x00 (unknown)
+
+		while self.mbdb_offset < self.mbdb_data.length
+			info = {}
+			info[:start_offset] = self.mbdb_offset
+			info[:domain]       = mbdb_read_string
+			info[:filename]     = mbdb_read_string			
+			info[:linktarget]   = mbdb_read_string			
+			info[:datahash]     = mbdb_read_string
+			info[:unknown1]     = mbdb_read_string
+			info[:mode]         = mbdb_read_int(2)
+			info[:unknown2]     = mbdb_read_int(4)			
+			info[:unknown3]     = mbdb_read_int(4)				
+			info[:uid]          = mbdb_read_int(4)				
+			info[:gid]          = mbdb_read_int(4)				
+			info[:mtime]        = Time.at(mbdb_read_int(4))
+			info[:atime]        = Time.at(mbdb_read_int(4))
+			info[:ctime]        = Time.at(mbdb_read_int(4))
+			info[:length]       = mbdb_read_int(8)	
+			info[:flag]         = mbdb_read_int(1)
+			property_count      = mbdb_read_int(1)
+			info[:properties]   = {}
+			1.upto(property_count) do |i|
+				k = mbdb_read_string
+				v = mbdb_read_string
+				info[:properties][k] = v
+			end
+			self.entry_offsets[ info[:start_offset] ] = info
+		end
+		self.mbdb_data = ""
+	end
+    	
+	def parse_mbdx
+		raise ArgumentError, "Not a valid MBDX file" if self.mbdx_data[0,4] != "mbdx"
+
+		self.mbdx_offset = 4
+		self.mbdx_offset = self.mbdx_offset + 2 # Maps to \x02 \x00 (unknown)
+
+		file_count = mbdx_read_int(4)
+
+		while self.mbdx_offset < self.mbdx_data.length
+			file_id = self.mbdx_data[self.mbdx_offset, 20].unpack("C*").map{|c| "%02x" % c}.join
+			self.mbdx_offset += 20
+			entry_offset = mbdx_read_int(4) + 6
+			mode = mbdx_read_int(2)
+			entry = entry_offsets[ entry_offset ]
+			# May be corrupted if there is no matching entry, but what to do about it?
+			next if not entry
+			self.entries[file_id] = entry.merge({:mbdx_mode => mode, :file_id => file_id})
+		end
+		self.mbdx_data = ""
+	end
+	
+	def mbdb_read_string
+		raise RuntimeError, "Corrupted MBDB file" if self.mbdb_offset > self.mbdb_data.length
+		len = self.mbdb_data[self.mbdb_offset, 2].unpack("n")[0]
+		self.mbdb_offset += 2
+		return '' if len == 65535
+		val = self.mbdb_data[self.mbdb_offset, len]
+		self.mbdb_offset += len
+		return val
+	end
+	
+	def mbdb_read_int(size)
+		val = 0
+		size.downto(1) do |i|
+			val = (val << 8) + self.mbdb_data[self.mbdb_offset, 1].unpack("C")[0]
+			self.mbdb_offset += 1
+		end
+ 		val
+	end
+	
+	def mbdx_read_string
+		raise RuntimeError, "Corrupted MBDX file" if self.mbdx_offset > self.mbdx_data.length
+		len = self.mbdx_data[self.mbdx_offset, 2].unpack("n")[0]
+		self.mbdx_offset += 2
+		return '' if len == 65535
+		val = self.mbdx_data[self.mbdx_offset, len]
+		self.mbdx_offset += len
+		return val
+	end
+	
+	def mbdx_read_int(size)
+		val = 0
+		size.downto(1) do |i|
+			val = (val << 8) + self.mbdx_data[self.mbdx_offset, 1].unpack("C")[0]
+			self.mbdx_offset += 1
+		end
+ 		val
+	end
+end
+
+
+end
+end

data/lib/rex/parser/nexpose_xml.rb

@@ -51,6 +51,10 @@ class NexposeXMLStreamParser
 		when "test"
 			if attributes["status"] == "vulnerable-exploited" or attributes["status"] == "vulnerable-version"
 				@host["vulns"][attributes["id"]] = attributes.dup
+				if attributes["key"]
+					@host["notes"] ||= []
+					@host["notes"] << [attributes["id"], attributes["key"]]
+				end
 			end
 		when "vulnerability"
 			@vuln.merge! attributes

data/lib/rex/post/meterpreter/client.rb

@@ -128,7 +128,32 @@ class Client
 		ctx = generate_ssl_context()
 		ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
 
-		ssl.accept
+		if not ssl.respond_to?(:accept_nonblock)
+			ssl.accept
+		else
+			begin
+				ssl.accept_nonblock
+
+			# Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+			rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+					IO::select(nil, nil, nil, 0.10)
+					retry
+					
+			# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable		
+			rescue ::Exception => e
+				if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+					IO::select( [ ssl ], nil, nil, 0.10 )
+					retry
+				end
+					
+				if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)						
+					IO::select( nil, [ ssl ], nil, 0.10 )
+					retry
+				end
+					
+				raise e
+			end
+		end			
 
 		self.sock.extend(Rex::Socket::SslTcp)
 		self.sock.sslsock = ssl

data/lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -72,12 +72,14 @@ class Priv < Extension
 		if( response.result == 0 and technique != nil )
 			client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
 			client.sys.config.getprivs
-			client.framework.db.report_note(
-				:host => client.sock.peerhost,
-				:workspace => client.framework.db.workspace,
-				:type => "meterpreter.getsystem",
-				:data => {:technique => technique}
-			) rescue nil
+			if client.framework.db and client.framework.db.active
+				client.framework.db.report_note(
+					:host => client.sock.peerhost,
+					:workspace => client.framework.db.workspace,
+					:type => "meterpreter.getsystem",
+					:data => {:technique => technique}
+				) rescue nil
+			end
 			return [ true, technique ]
 		end
 

data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb.ut.rb

@@ -0,0 +1,175 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..','..','..','..','..', 'lib')) 
+
+require 'rex/post/meterpreter/extensions/stdapi/railgun/dll'
+require 'test/unit'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+class DLL::UnitTest < Test::Unit::TestCase
+
+	TLV_TYPE_NAMES = {
+		TLV_TYPE_RAILGUN_SIZE_OUT => "TLV_TYPE_RAILGUN_SIZE_OUT",
+		TLV_TYPE_RAILGUN_STACKBLOB => "TLV_TYPE_RAILGUN_STACKBLOB",
+		TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "TLV_TYPE_RAILGUN_BUFFERBLOB_IN", 
+		TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT",
+		TLV_TYPE_RAILGUN_DLLNAME => "TLV_TYPE_RAILGUN_DLLNAME",
+		TLV_TYPE_RAILGUN_FUNCNAME => "TLV_TYPE_RAILGUN_FUNCNAME",
+	}
+
+	class MockRailgunClient
+		attr_reader :platform, :check_request, :response_tlvs
+
+		def initialize(platform, response_tlvs, check_request)
+			@check_request = check_request
+			@response_tlvs = response_tlvs
+			@platform = platform 
+		end
+
+		def send_request(request)
+			check_request.call(request)
+
+			(Class.new do
+				def initialize(response_tlvs)
+					@response_tlvs = response_tlvs
+				end
+				def get_tlv_value(type)
+					return @response_tlvs[type]
+				end
+			end).new(@response_tlvs)
+		end
+	end
+
+	def make_mock_client(platform = "x86/win32", target_request_tlvs = [], response_tlvs = [])
+		check_request = lambda do |request|
+			target_request_tlvs.each_pair do |type, target_value|
+				assert_equal(target_value, request.get_tlv_value(type),
+					"process_function_call should send to client appropriate #{TLV_TYPE_NAMES[type]}")
+			end
+		end
+
+		return  MockRailgunClient.new(platform, response_tlvs, check_request)
+	end
+
+	def test_add_function
+		function_descriptions.each do |func|
+			dll = DLL.new(func[:dll_name], make_mock_client(func[:platform]), nil)
+			dll.add_function(func[:name], func[:return_type], func[:params])
+
+			assert(dll.functions.has_key?(func[:name]),
+				"add_function should expand the list of available functions")
+		end
+	end
+
+	def test_method_missing
+		function_descriptions.each do |func|
+			client = make_mock_client(func[:platform], func[:request_to_client], func[:response_from_client])
+			dll = DLL.new(func[:dll_name], client, nil)
+
+			dll.add_function(func[:name], func[:return_type], func[:params])
+
+			actual_returned_hash = dll.send(:method_missing, func[:name].to_sym, *func[:ruby_args])
+
+			assert(func[:returned_hash].has_key?('GetLastError'),
+				"process_function_call should add the result of GetLastError to the key GetLastError")
+
+			assert_equal(func[:returned_hash], actual_returned_hash,
+				"process_function_call convert function result to a ruby hash")
+		end
+	end
+
+	# These are sample descriptions of functions to use for testing.
+	def function_descriptions
+		[
+			{
+				:platform => "x86/win32",
+				:name => "LookupAccountSidA",
+				:params => [
+					["PCHAR","lpSystemName","in"],
+					["LPVOID","Sid","in"],
+					["PCHAR","Name","out"],
+					["PDWORD","cchName","inout"],
+					["PCHAR","ReferencedDomainName","out"],
+					["PDWORD","cchReferencedDomainName","inout"],
+					["PBLOB","peUse","out"],
+				],
+				:return_type => "BOOL",
+				:dll_name => "advapi32",
+				:ruby_args => [nil, 1371864, 100, 100, 100, 100, 1],
+				:request_to_client => {
+					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
+					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xD8\xEE\x14\x00\x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00d\x00\x00\x00\x03\x00\x00\x00\b\x00\x00\x00\x02\x00\x00\x00\xC8\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_DLLNAME => "advapi32",
+					TLV_TYPE_RAILGUN_FUNCNAME => "LookupAccountSidA"
+				},
+				:response_from_client => {
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
+					TLV_TYPE_RAILGUN_BACK_RET => 1,
+					TLV_TYPE_RAILGUN_BACK_ERR => 997
+				},
+				:returned_hash => {
+					"GetLastError" => 997,
+					"return" => true,
+					"Name" => "SYSTEM",
+					"ReferencedDomainName" => "NT AUTHORITY",
+					"peUse" => "\x05",
+					"cchName" => 6,
+					"cchReferencedDomainName" => 12
+				},
+			},
+			{
+				:platform => 'x64/win64',
+				:name => 'LookupAccountSidA',
+				:params => [
+					["PCHAR", "lpSystemName", "in"],
+					["LPVOID", "Sid", "in"],
+					["PCHAR", "Name", "out"],
+					["PDWORD", "cchName", "inout"],
+					["PCHAR", "ReferencedDomainName", "out"],
+					["PDWORD", "cchReferencedDomainName", "inout"],
+					["PBLOB", "peUse", "out"]
+				],
+				:return_type => 'BOOL',
+				:dll_name => 'advapi32',
+				:ruby_args => [nil, 1631552, 100, 100, 100, 100, 1],
+				:request_to_client => {
+					TLV_TYPE_RAILGUN_SIZE_OUT => 201,
+					TLV_TYPE_RAILGUN_STACKBLOB => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\xE5\x18\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\b\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_IN => "",
+					TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT => "d\x00\x00\x00\x00\x00\x00\x00d\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_DLLNAME => 'advapi32',
+					TLV_TYPE_RAILGUN_FUNCNAME => 'LookupAccountSidA',
+				},
+				:response_from_client => {
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_INOUT => "\x06\x00\x00\x00\x00\x00\x00\x00\f\x00\x00\x00\x00\x00\x00\x00",
+					TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT => "SYSTEM\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANT AUTHORITY\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x05",
+					TLV_TYPE_RAILGUN_BACK_RET => 1,
+					TLV_TYPE_RAILGUN_BACK_ERR => 0,
+				},
+				:returned_hash => {
+					"GetLastError"=>0,
+					"return"=>true,
+					"Name"=>"SYSTEM",
+					"ReferencedDomainName"=>"NT AUTHORITY",
+					"peUse"=>"\x05",
+					"cchName"=>6,
+					"cchReferencedDomainName"=>12
+				},
+			},
+		]
+	end
+end
+end
+end
+end
+end
+end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -555,7 +555,9 @@ class Console::CommandDispatcher::Core
 		end
 
 		if (mod)
-			print_line ::Msf::Serializer::ReadableText.dump_module(mod)
+			print_line(::Msf::Serializer::ReadableText.dump_module(mod))
+			mod_opt = ::Msf::Serializer::ReadableText.dump_options(mod, '   ')
+			print_line("\nModule options (#{mod.fullname}):\n\n#{mod_opt}") if (mod_opt and mod_opt.length > 0)
 		end
 	end
 

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -21,11 +21,13 @@ class Console::CommandDispatcher::Stdapi::Fs
 	# Options for the download command.
 	#
 	@@download_opts = Rex::Parser::Arguments.new(
+		"-h" => [ false, "Help banner." ],
 		"-r" => [ false, "Download recursively." ])
 	#
 	# Options for the upload command.
 	#
 	@@upload_opts = Rex::Parser::Arguments.new(
+		"-h" => [ false, "Help banner." ],
 		"-r" => [ false, "Upload recursively." ])
 
 	#
@@ -179,17 +181,21 @@ class Console::CommandDispatcher::Stdapi::Fs
 	end
 	
 	alias :cmd_del :cmd_rm
+
+	def cmd_download_help
+		print_line "Usage: download [options] src1 src2 src3 ... destination" 
+		print_line
+		print_line "Downloads remote files and directories to the local machine."
+		print_line @@download_opts.usage
+	end
 	
 	#
 	# Downloads a file or directory from the remote machine to the local
 	# machine.
 	#
 	def cmd_download(*args)
-		if (args.empty?)
-			print(
-				"Usage: download [options] src1 src2 src3 ... destination\n\n" +
-				"Downloads remote files and directories to the local machine.\n" +
-				@@download_opts.usage)
+		if (args.empty? or args.include? "-h")
+			cmd_download_help
 			return true
 		end
 
@@ -361,7 +367,7 @@ class Console::CommandDispatcher::Stdapi::Fs
 	# Removes one or more directory if it's empty.
 	#
 	def cmd_rmdir(*args)
-		if (args.length == 0)
+		if (args.length == 0 or args.include?("-h"))
 		 	print_line("Usage: rmdir dir1 dir2 dir3 ...")
 			return true
 		end
@@ -374,16 +380,20 @@ class Console::CommandDispatcher::Stdapi::Fs
 		return true
 	end
 
+	def cmd_upload_help
+		print_line "Usage: upload [options] src1 src2 src3 ... destination"
+		print_line
+		print_line "Uploads local files and directories to the remote machine."
+		print_line @@upload_opts.usage
+	end
+
 	#
 	# Uploads a file or directory to the remote machine from the local
 	# machine.
 	#
 	def cmd_upload(*args)
-		if (args.empty?)
-			print(
-				"Usage: upload [options] src1 src2 src3 ... destination\n\n" +
-				"Uploads local files and directories to the remote machine.\n" +
-				@@upload_opts.usage)
+		if (args.empty? or args.include?("-h"))
+			cmd_upload_help
 			return true
 		end
 

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -51,7 +51,7 @@ class Console::CommandDispatcher::Stdapi::Sys
 			"execute"  => "Execute a command",
 			"getpid"   => "Get the current process identifier",
 			"getuid"   => "Get the user that the server is running as",
-			"getprivs" => "List all privileges available to the current process",
+			"getprivs" => "Attempt to enable all privileges available to the current process",
 			"kill"     => "Terminate a process",
 			"ps"       => "List running processes",
 			"reboot"   => "Reboots the remote computer",
@@ -421,10 +421,24 @@ class Console::CommandDispatcher::Stdapi::Sys
 		client.sys.config.revert_to_self
 	end
 
+	def cmd_getprivs_help
+		print_line "Usage: getprivs"
+		print_line
+		print_line "Attempt to enable all privileges, such as SeDebugPrivilege, available to the"
+		print_line "current process.  Note that this only enables existing privs and does not change"
+		print_line "users or tokens."
+		print_line
+		print_line "See also: steal_token, getsystem"
+		print_line
+	end
+
 	#
 	# Obtains as many privileges as possible on the target machine.
 	#
 	def cmd_getprivs(*args)
+		if args.include? "-h"
+			cmd_getprivs_help
+		end
 		print_line("=" * 60)
 		print_line("Enabled Process Privileges")
 		print_line("=" * 60)

data/lib/rex/proto/dhcp/constants.rb

@@ -1,4 +1,4 @@
-# $Id: constants.rb 12196 2011-04-01 00:51:33Z egypt $
+# $Id: constants.rb 12375 2011-04-20 14:21:36Z jduck $
 require 'rex/proto/dhcp'
 
 module Rex
@@ -20,6 +20,7 @@ OpLeaseTime = 0x33
 OpSubnetMask = 1
 OpRouter = 3
 OpDns = 6
+OpHostname = 0x0c
 OpEnd = 0xff
 
 PXEMagic = "\xF1\x00\x74\x7E"

data/lib/rex/proto/dhcp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 12196 2011-04-01 00:51:33Z egypt $
+# $Id: server.rb 12471 2011-04-29 22:58:55Z scriptjunkie $
 
 require 'rex/socket'
 require 'rex/proto/dhcp'
@@ -12,6 +12,9 @@ module DHCP
 # DHCP Server class
 # not completely configurable - written specifically for a PXE server
 # - scriptjunkie
+#
+# extended to support testing/exploiting CVE-2011-0997
+# - apconole@yahoo.com
 ##
 
 class Server
@@ -82,6 +85,17 @@ class Server
 		else
 			self.servePXE = false
 		end
+
+		# Always assume we don't give out hostnames ...
+		self.give_hostname = false
+		self.served_over = 0
+		if (hash['HOSTNAME'])
+			self.give_hostname = true
+			self.served_hostname = hash['HOSTNAME']
+			if ( hash['HOSTSTART'] )
+				self.served_over = hash['HOSTSTART'].to_i
+			end
+		end
 		
 		self.leasetime = 600
 		self.relayip = "\x00\x00\x00\x00" # relay ip - not currently suported
@@ -116,7 +130,8 @@ class Server
 	def set_option(opts)
 		allowed_options = [
 			:serveOnce, :servePXE, :relayip, :leasetime, :dnsserv,
-			:pxeconfigfile, :pxepathprefix, :pxereboottime, :router
+			:pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
+			:give_hostname, :served_hostname, :served_over
 		]
 
 		opts.each_pair { |k,v|
@@ -144,6 +159,7 @@ class Server
 	attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
 	attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
 	attr_accessor :servePXE, :pxeconfigfile, :pxepathprefix, :pxereboottime
+	attr_accessor :give_hostname, :served_hostname, :served_over
 
 protected
 
@@ -263,6 +279,12 @@ protected
 			pkt << [DHCPAck].pack('C')
 			# now we ignore their discovers (but we'll respond to requests in case a packet was lost)
 			self.served.merge!( buf[28..43] => true ) 
+			if ( self.served_over != 0 )
+				# NOTE: this is sufficient for low-traffic net
+				# for high-traffic, this will probably lead to
+				# hostname collision
+				self.served_over += 1
+			end
 		else
 			#dlog("ignoring unknown DHCP request - type #{messageType}")
 			return
@@ -278,6 +300,16 @@ protected
 		pkt << dhcpoption(OpPXEConfigFile, self.pxeconfigfile)
 		pkt << dhcpoption(OpPXEPathPrefix, self.pxepathprefix)
 		pkt << dhcpoption(OpPXERebootTime, [self.pxereboottime].pack('N'))
+		if ( self.give_hostname == true )
+			send_hostname = self.served_hostname
+			if ( self.served_over != 0 )
+				# NOTE : see above comments for the 'uniqueness'
+				# of this value
+				send_hostname += self.served_over.to_s
+			end
+			pkt << dhcpoption(OpHostname, send_hostname)
+		end
+
 		pkt << dhcpoption(OpEnd)
 
 		pkt << ("\x00" * 32) #padding

data/lib/rex/proto/http/header.rb

@@ -141,6 +141,18 @@ class Packet::Header < Hash
 		self.dcase_hash.clear
 	end
 
+	#
+	# Overrides the builtin 'each' operator to avoid the following exception on Ruby 1.9.2+
+	#    "can't add a new key into hash during iteration"
+	#
+	def each(&block)
+		list = []
+		self.keys.sort.each do |sidx|
+			list << [sidx, self[sidx]]
+		end
+		list.each(&block)
+	end
+	
 	#
 	# The raw command string associated with the header which will vary between
 	# requests and responses.

data/lib/rex/proto/proxy/socks4a.rb

@@ -193,11 +193,10 @@ class Socks4a
 							total_length = buf.length
 							while( total_sent < total_length )
 								begin
-									data = buf[0, buf.length]
+									data = buf[total_sent, buf.length]
 									sent = self.write( data )
 									if( sent > 0 )
 										total_sent += sent
-										buf[0, sent] = ""
 									end
 								rescue
 									closed = true

data/lib/rex/proto/smb/constants.rb

@@ -3,7 +3,6 @@ module Proto
 module SMB
 class Constants
 
-require 'rex/text'
 require 'rex/struct2'
 
 # SMB Commands

data/lib/rex/service_manager.rb

@@ -127,6 +127,18 @@ class ServiceManager < Hash
 		return false
 	end
 
+	#
+	# Overrides the builtin 'each' operator to avoid the following exception on Ruby 1.9.2+
+	#    "can't add a new key into hash during iteration"
+	#
+	def each(&block)
+		list = []
+		self.keys.sort.each do |sidx|
+			list << [sidx, self[sidx]]
+		end
+		list.each(&block)
+	end
+	
 protected
 
 	# 
@@ -138,4 +150,4 @@ protected
 	
 end
 
-end
+end

data/lib/rex/socket/comm/local.rb

@@ -206,7 +206,7 @@ class Rex::Socket::Comm::Local
 
 		# If a server TCP instance is being created...
 		if (param.server?)
-			sock.listen(128)
+			sock.listen(256)
 
 			if (param.bare? == false)
 				klass = Rex::Socket::TcpServer

data/lib/rex/socket/ssl_tcp.rb

@@ -14,9 +14,10 @@ begin
 	begin
 		require 'openssl'
 		@@loaded_openssl = true
+		require 'openssl/nonblock'
 	rescue ::Exception
 	end
-	
+
 
 	include Rex::Socket::Tcp
 
@@ -55,12 +56,13 @@ begin
 	def initsock(params = nil)
 		super
 
-
 		version = :SSLv3
 		if(params)
 			case params.ssl_version
 			when 'SSL2'
 				version = :SSLv2
+			when 'SSL23'
+				version = :SSLv23				
 			when 'TLS1'
 				version = :TLSv1
 			end
@@ -87,15 +89,40 @@ begin
 		
 		# Tie the context to a socket
 		self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx)
-		
+
 		# XXX - enabling this causes infinite recursion, so disable for now
 		# self.sslsock.sync_close = true
 
+				
 		# Force a negotiation timeout
 		begin
 		Timeout.timeout(params.timeout) do 	
-			# Negotiate the connection
-			self.sslsock.connect
+			if not self.sslsock.respond_to?(:connect_nonblock)
+				self.sslsock.connect
+			else
+				begin
+					self.sslsock.connect_nonblock
+				
+				# Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+				rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+						IO::select(nil, nil, nil, 0.10)
+						retry	
+				
+				# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable			
+				rescue ::Exception => e
+					if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+						IO::select( [ self.sslsock ], nil, nil, 0.10 )
+						retry
+					end
+					
+					if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)						
+						IO::select( nil, [ self.sslsock ], nil, 0.10 )
+						retry
+					end
+					
+					raise e
+				end
+			end
 		end
 
 		rescue ::Timeout::Error
@@ -113,22 +140,111 @@ begin
 	# Writes data over the SSL socket.
 	#
 	def write(buf, opts = {})
-		return sslsock.write(buf)
+		return sslsock.write(buf) if not self.sslsock.respond_to?(:write_nonblock)
+
+		total_sent   = 0
+		total_length = buf.length
+		block_size   = 32768
+
+		begin
+			while( total_sent < total_length )
+				s = Rex::ThreadSafe.select( nil, [ self.sslsock ], nil, 0.25 )
+				if( s == nil || s[0] == nil )
+					next
+				end
+				data = buf[total_sent, block_size]
+				sent = sslsock.write_nonblock( data )
+				if sent > 0
+					total_sent += sent
+				end
+			end
+
+		rescue ::IOError, ::Errno::EPIPE
+			return nil if (fd.abortive_close == true)
+		
+		# Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+		rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+			# Sleep for a half a second, or until we can write again
+			Rex::ThreadSafe.select( nil, [ self.sslsock ], nil, 0.5 )
+			# Decrement the block size to handle full sendQs better
+			block_size = 1024
+			# Try to write the data again
+			retry
+			
+		# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable	
+		rescue ::Exception => e
+			if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+				IO::select( [ self.sslsock ], nil, nil, 0.5 )
+				retry
+			end
+					
+			if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)						
+				IO::select( nil, [ self.sslsock ], nil, 0.5 )
+				retry
+			end
+				
+			raise e
+		end
+
+		total_sent
 	end
 
 	#
 	# Reads data from the SSL socket.
 	#
-	def read(length = nil, opts = {})
-		length = 16384 unless length
+	def read(length = nil, opts = {})	
+		if not self.sslsock.respond_to?(:read_nonblock)
+			length = 16384 unless length
+			begin
+				return sslsock.sysread(length)
+			rescue EOFError, ::Errno::EPIPE
+				raise EOFError
+			end
+			return
+		end
+		
 
 		begin
-			return sslsock.sysread(length)
-		rescue EOFError, ::Errno::EPIPE
-			raise EOFError
+			while true 
+				s = Rex::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )	
+				if( s == nil || s[0] == nil )
+					next
+				end						
+				buf = sslsock.read_nonblock( length ) 				
+				return buf if buf
+				raise ::EOFError
+			end
+			
+		rescue ::IOError, ::Errno::EPIPE
+			return nil if (fd.abortive_close == true)
+
+		# Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno	
+		rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+			# Sleep for a tenth a second, or until we can read again
+			Rex::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )
+			# Decrement the block size to handle full sendQs better
+			block_size = 1024
+			# Try to write the data again
+			retry
+		
+		# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+		rescue ::Exception => e
+			if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+				IO::select( [ self.sslsock ], nil, nil, 0.5 )
+				retry
+			end
+					
+			if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)						
+				IO::select( nil, [ self.sslsock ], nil, 0.5 )
+				retry
+			end
+				
+			raise e
 		end
+
 	end
 
+	
 	#
 	# Closes the SSL socket.
 	#
@@ -166,14 +282,14 @@ begin
 		sslsock.cipher if sslsock
 	end
 
-
-
 	attr_reader :peer_verified # :nodoc:
 	attr_accessor :sslsock, :sslctx # :nodoc:
+
 protected
 
 	attr_writer :peer_verified # :nodoc:
 
+
 rescue LoadError
 end
 

data/lib/rex/socket/ssl_tcp_server.rb

@@ -15,10 +15,10 @@ module Rex::Socket::SslTcpServer
 	begin
 		require 'openssl'
 		@@loaded_openssl = true
+		require 'openssl/nonblock'
 	rescue ::Exception
 	end
 
-
 	include Rex::Socket::TcpServer
 
 	##
@@ -57,10 +57,39 @@ module Rex::Socket::SslTcpServer
 
 		begin
 			ssl = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
-			ssl.accept
+
+		
+			if not ssl.respond_to?(:accept_nonblock)	
+				ssl.accept
+			else
+				begin
+					ssl.accept_nonblock
+
+				# Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+				rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+						IO::select(nil, nil, nil, 0.10)
+						retry
+
+				# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable			
+				rescue ::Exception => e
+					if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+						IO::select( [ ssl ], nil, nil, 0.10 )
+						retry
+					end
+					
+					if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)						
+						IO::select( nil, [ ssl ], nil, 0.10 )
+						retry
+					end
+					
+					raise e
+				end
+			end
+			
 			sock.extend(Rex::Socket::SslTcp)
 			sock.sslsock = ssl
 			sock.sslctx  = self.sslctx
+
 			return sock
 
 		rescue ::OpenSSL::SSL::SSLError

data/lib/rex/socket/switch_board.rb

@@ -190,6 +190,12 @@ class SwitchBoard
 	def flush_routes
 		_init
 
+		# Remove each of the individual routes so the comms don't think they're
+		# still routing after a flush.
+		self.routes.each { |r|
+			r.comm.routes.delete("#{r.subnet}/#{r.netmask}")
+		}
+		# Re-initialize to an empty array
 		self.routes = Array.new
 	end
 

metadata

@@ -2,7 +2,7 @@
 name: librex
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.0.29
+  version: 0.0.30
 platform: ruby
 authors: 
 - Metasploit Development Team
@@ -11,11 +11,11 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-19 00:00:00 -05:00
+date: 2011-05-02 00:00:00 -05:00
 default_executable: 
 dependencies: []
 
-description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 12371
+description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 12516
 email: 
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com
@@ -149,6 +149,7 @@ files:
 - lib/rex/ole/substorage.rb
 - lib/rex/ole/util.rb
 - lib/rex/ole.rb
+- lib/rex/parser/apple_backup_manifestdb.rb
 - lib/rex/parser/arguments.rb
 - lib/rex/parser/arguments.rb.ut.rb
 - lib/rex/parser/ini.rb
@@ -236,6 +237,7 @@ files:
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_user32.rb
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb
+- lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb.ut.rb
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb.ut.rb
 - lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb