librex 0.0.33 → 0.0.34

data/README.markdown

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision: 12724
+SVN Revision: 12756
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/parser/nexpose_raw_nokogiri.rb

@@ -0,0 +1,363 @@
+require File.join(File.expand_path(File.dirname(__FILE__)),"nokogiri_doc_mixin")
+
+module Rex
+	module Parser
+
+		# If Nokogiri is available, define Template document class. 
+		load_nokogiri && class NexposeRawDocument < Nokogiri::XML::SAX::Document
+
+		include NokogiriDocMixin
+
+		attr_reader :tests
+
+		# Triggered every time a new element is encountered. We keep state
+		# ourselves with the @state variable, turning things on when we
+		# get here (and turning things off when we exit in end_element()).
+		def start_element(name=nil,attrs=[])
+			attrs = normalize_attrs(attrs)
+			block = @block
+			@state[:current_tag][name] = true
+			case name
+			when "nodes" # There are two main sections, nodes and VulnerabilityDefinitions
+				@tests = []
+			when "node"
+				record_host(attrs)
+			when "name"
+				@state[:has_text] = true
+			when "endpoint"
+				record_service(attrs)
+			when "service"
+				record_service_info(attrs)
+			when "fingerprint"
+				record_service_fingerprint(attrs)
+			when "os"
+				record_os_fingerprint(attrs)
+			when "test" # All the vulns tested for
+				record_host_test(attrs)
+				record_service_test(attrs)
+			when "vulnerability"
+				record_vuln(attrs)
+			when "reference"
+				@state[:has_text] = true
+				record_reference(attrs)
+			end
+		end
+
+		# This breaks on xml-encoded characters, so need to append
+		def characters(text)
+			return unless @state[:has_text]
+			@text ||= ""
+			@text << text
+		end
+
+		# When we exit a tag, this is triggered.
+		def end_element(name=nil)
+			block = @block
+			case name
+			when "node" # Wrap it up
+				collect_host_data
+				host_object = report_host &block
+				report_services(host_object)
+				report_fingerprint(host_object)
+				# Reset the state once we close a host
+				@state.delete_if {|k| k.to_s !~ /^(current_tag|in_nodes)$/}
+				@report_data = {:wspace => @args[:wspace]}
+			when "name"
+				collect_hostname
+				@state[:has_text] = false
+			when "endpoint"
+				collect_service_data
+			when "os"
+				collect_os_fingerprints
+			when "test"
+				save_test
+			when "vulnerability"
+				collect_vuln_info
+				report_vuln(&block)
+				@state.delete_if {|k| k.to_s !~ /^(current_tag|in_vulndefs)$/}
+			when "reference"
+				@state[:has_text] = false
+				collect_reference
+				@text = nil
+			end
+			@state[:current_tag].delete name
+		end
+
+		def collect_reference
+			return unless in_tag("references")
+			return unless in_tag("vulnerability")
+			@state[:ref][:value] = @text.to_s.strip
+			@report_data[:refs] ||= []
+			@report_data[:refs] << @state[:ref]
+			@state[:ref] = nil
+		end
+
+		def collect_vuln_info
+			return unless in_tag("VulnerabilityDefinitions")
+			return unless in_tag("vulnerability")
+			return unless @state[:vuln]
+			vuln = @state[:vuln]
+			vuln[:refs] = @report_data[:refs]
+			@report_data[:vuln] = vuln
+			@state[:vuln] = nil
+			@report_data[:refs] = nil
+		end
+
+		def report_vuln(&block)
+			return unless in_tag("VulnerabilityDefinitions")
+			return unless @report_data[:vuln]
+			return unless @report_data[:vuln][:matches].kind_of? Array
+			refs = normalize_references(@report_data[:vuln][:refs])
+			refs << "NEXPOSE-#{report_data[:vuln]["id"]}"
+			db.emit(:vuln, [refs.last,@report_data[:vuln][:matches].size], &block)
+			data = {
+				:workspace => @args[:wspace],
+				:name => refs.last,
+				:info => @report_data[:vuln]["title"],
+				:refs => refs.uniq
+			}
+			hosts_keys = {}
+			@report_data[:vuln][:matches].each do |match|
+				host_data = data.dup
+				host_data[:host] = match[:host]
+				host_data[:port] = match[:port] if match[:port]
+				host_data[:proto] = match[:protocol] if match[:protocol]
+				db.report_vuln(host_data)
+				if match[:key]
+					hosts_keys[host_data[:host]] ||= []
+					hosts_keys[host_data[:host]] << match[:key]
+				end
+			end
+			report_key_note(hosts_keys,data)
+			@report_data[:vuln] = nil
+		end
+
+		def report_key_note(hosts_keys,data)
+			return if hosts_keys.empty?
+			hosts_keys.each do |key_host,key_values|
+				key_note = {
+					:workspace => @args[:wspace],
+					:host => key_host,
+					:type => "host.vuln.nexpose_keys",
+					:data => {},
+					:update => :unique_data
+				}
+				key_values.each do |key_value|
+					key_note[:data][data[:name]] ||= []
+					next if key_note[:data][data[:name]].include? key_value
+					key_note[:data][data[:name]] << key_value
+				end
+				db.report_note(key_note)
+			end
+		end
+
+		def record_reference(attrs)
+			return unless in_tag("VulnerabilityDefinitions")
+			return unless in_tag("vulnerability")
+			@state[:ref] = attr_hash(attrs)
+		end
+
+		def record_vuln(attrs)
+			return unless in_tag("VulnerabilityDefinitions")
+			vuln = attr_hash(attrs)
+			matching_tests = @tests.select {|x| x[:id] == vuln["id"].downcase}
+			return if matching_tests.empty?
+			@state[:vuln] = vuln
+			@state[:vuln][:matches] = matching_tests
+		end
+
+		def save_test
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return unless @state[:test]
+			test = { :id => @state[:test][:id]}
+			test[:host] = @state[:address]
+			test[:port] = @state[:test][:port] if @state[:test][:port]
+			test[:protocol] = @state[:test][:protocol] if @state[:test][:protocol]
+			test[:key] = @state[:test][:key] if @state[:test][:key]
+			@tests << test
+			@state[:test] = nil
+		end
+
+		def record_os_fingerprint(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("fingerprints")
+			return unless in_tag("node")
+			return if in_tag("service")
+			@state[:os] = attr_hash(attrs)
+		end
+
+		# Just keep the highest scoring, which is usually the most vague. :(
+		def collect_os_fingerprints
+			@report_data[:os] ||= {}
+			return unless @state[:os]["certainty"].to_f > 0
+			return if @report_data[:os]["os_certainty"].to_f > @state[:os]["certainty"].to_f
+			@report_data[:os] = {} # Zero it out if we're replacing it.
+			@report_data[:os]["os_certainty"] = @state[:os]["certainty"]
+			@report_data[:os]["os_vendor"] = @state[:os]["vendor"]
+			@report_data[:os]["os_family"] = @state[:os]["family"]
+			@report_data[:os]["os_product"] = @state[:os]["product"]
+			@report_data[:os]["os_version"] = @state[:os]["version"]
+			@report_data[:os]["os_arch"] = @state[:os]["arch"]
+		end
+
+		# Just taking the first one.
+		def collect_hostname
+			if in_tag("node")
+				@state[:hostname] ||= @text.to_s.strip if @text
+				@text = nil
+			end
+		end
+
+		def record_service_fingerprint(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return unless in_tag("service")
+			return unless in_tag("fingerprint")
+			@state[:service_fingerprint] = attr_hash(attrs)
+		end
+
+		def record_service_info(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return unless in_tag("service")
+			@state[:service].merge! attr_hash(attrs)
+		end
+
+		def report_fingerprint(host_object)
+			return unless host_object.kind_of? ::Msf::DBManager::Host
+			return unless @report_data[:os].kind_of? Hash
+			note = {
+				:workspace => host_object.workspace,
+				:host => host_object,
+				:type => "host.os.nexpose_fingerprint",
+				:data => {
+					:family => @report_data[:os]["os_family"],
+					:certainty => @report_data[:os]["os_certainty"]
+				}
+			}
+			note[:data][:vendor] = @report_data[:os]["os_vendor"] if @report_data[:os]["os_vendor"]
+			note[:data][:product] = @report_data[:os]["os_product"] if @report_data[:os]["os_prduct"]
+			note[:data][:version] = @report_data[:os]["os_version"] if @report_data[:os]["os_version"]
+			note[:data][:arch] = @report_data[:os]["os_arch"] if @report_data[:os]["os_arch"]
+			db.report_note(note)
+		end
+
+		def report_services(host_object)
+			return unless host_object.kind_of? ::Msf::DBManager::Host
+			return unless @report_data[:ports]
+			return if @report_data[:ports].empty?
+			reported = []
+			@report_data[:ports].each do |svc|
+				reported << db.report_service(svc.merge(:host => host_object))
+			end
+			reported
+		end
+
+		def record_service(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return unless in_tag("endpoint")
+			@state[:service] = attr_hash(attrs)
+		end
+
+		def collect_service_data
+			return unless in_tag("node")
+			return unless in_tag("endpoint")
+			port_hash = {}
+			@report_data[:ports] ||= []
+			@state[:service].each do |k,v|
+				case k
+				when "protocol"
+					port_hash[:protocol] = v
+				when "port"
+					port_hash[:port] = v
+				when "status"
+					port_hash[:status] = (v == "open" ? Msf::ServiceState::Open : Msf::ServiceState::Closed)
+				end
+			end
+			if @state[:service]
+				port_hash[:name] = @state[:service]["name"] if @state[:service]["name"] != "<unknown>"
+			end
+			if @state[:service_fingerprint]
+				info = []
+				info << @state[:service_fingerprint]["product"] if @state[:service_fingerprint]["product"]
+				info << @state[:service_fingerprint]["version"] if @state[:service_fingerprint]["version"]
+				port_hash[:info] = info.join(" ") if info[0]
+			end
+			@report_data[:ports] << port_hash
+		end
+
+		def actually_vulnerable(test)
+			return false unless test.has_key? "status"
+			return false unless test.has_key? "id"
+			['vulnerable-exploited', 'vulnerable-version', 'potential'].include? test["status"]
+		end
+
+		def record_host_test(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return if in_tag("service")
+			return unless in_tag("tests")
+			test = attr_hash(attrs)
+			return unless actually_vulnerable(test)
+			@state[:test] = {:id => test["id"].downcase}
+			@state[:test][:key] = test["key"] if test["key"]
+		end
+
+		def record_service_test(attrs)
+			return unless in_tag("nodes")
+			return unless in_tag("node")
+			return unless in_tag("service")
+			return unless in_tag("tests")
+			test = attr_hash(attrs)
+			return unless actually_vulnerable(test)
+			@state[:test] = {
+				:id => test["id"].downcase,
+				:port => @state[:service]["port"],
+				:protocol => @state[:service]["protocol"],
+			}
+			@state[:test][:key] = test["key"] if test["key"]
+		end
+
+		def record_host(attrs)
+			return unless in_tag("nodes")
+			host_attrs = attr_hash(attrs)
+			if host_attrs["status"] == "alive"
+				@state[:host_is_alive] = true
+				@state[:address] = host_attrs["address"]
+				@state[:mac] = host_attrs["hardware-address"] if host_attrs["hardware-address"]
+			end
+		end
+
+		def collect_host_data
+			return unless in_tag("node")
+			@report_data[:host] = @state[:address]
+			@report_data[:state] = Msf::HostState::Alive
+			@report_data[:name] = @state[:hostname] if @state[:hostname]
+			if @state[:mac]
+				if @state[:mac] =~ /[0-9a-fA-f]{12}/
+					@report_data[:mac] = @state[:mac].scan(/.{2}/).join(":")
+				else
+					@report_data[:mac] = @state[:mac]
+				end
+			end
+		end
+
+		def report_host(&block)
+			if host_is_okay
+				db.emit(:address,@report_data[:host],&block) if block
+				host_object = db.report_host( @report_data.merge(
+					:workspace => @args[:wspace] ) )
+					if host_object
+						db.report_import_note(host_object.workspace, host_object)
+					end
+					host_object
+			end
+		end
+
+	end
+
+end
+end
+

data/lib/rex/parser/nexpose_simple_nokogiri.rb

@@ -0,0 +1,329 @@
+require File.join(File.expand_path(File.dirname(__FILE__)),"nokogiri_doc_mixin")
+
+module Rex
+	module Parser
+
+		# If Nokogiri is available, define Nexpose document class. 
+		load_nokogiri && class NexposeSimpleDocument < Nokogiri::XML::SAX::Document
+
+		include NokogiriDocMixin
+
+		attr_reader :text
+
+		# Triggered every time a new element is encountered. We keep state
+		# ourselves with the @state variable, turning things on when we
+		# get here (and turning things off when we exit in end_element()).
+		def start_element(name=nil,attrs=[])
+			attrs = normalize_attrs(attrs)
+			block = @block
+			@state[:current_tag][name] = true
+			case name
+			when "device"
+				record_device(attrs)
+			when "service"
+				record_service(attrs)
+			when "fingerprint"
+				record_service_fingerprint(attrs)
+				record_host_fingerprint(attrs)
+			when "description"
+				@state[:has_text] = true
+				record_host_fingerprint_data(name,attrs)
+			when "vendor", "family", "product", "version", "architecture"
+				@state[:has_text] = true
+				record_host_fingerprint_data(name,attrs)
+			when "vulnerability"
+				record_service_vuln(attrs)
+				record_host_vuln(attrs)
+			when "id"
+				@state[:has_text] = true
+				record_service_vuln_id(attrs)
+				record_host_vuln_id(attrs)
+			end
+		end
+
+		# This breaks xml-encoded characters, so need to append
+		def characters(text)
+			return unless @state[:has_text]
+			@text ||= ""
+			@text << text
+		end
+
+		# When we exit a tag, this is triggered.
+		def end_element(name=nil)
+			block = @block
+			case name
+			when "device" # Wrap it up
+				collect_device_data
+				host_object = report_host &block
+				report_services(host_object)
+				report_host_fingerprint(host_object)
+				report_vulns(host_object)
+				# Reset the state once we close a host
+				@state.delete_if {|k| k != :current_tag}
+				@report_data = {:wspace => @args[:wspace]}
+			when "description"
+				@state[:has_text] = false
+				collect_service_fingerprint_description
+				collect_host_fingerprint_data(name)
+				@text = nil
+			when "vendor", "family", "product", "version", "architecture"
+				@state[:has_text] = false
+				collect_host_fingerprint_data(name)
+				@text = nil
+			when "service"
+				collect_service_data
+			when "id"
+				@state[:has_text] = false
+				collect_service_vuln_id
+				collect_host_vuln_id
+				@text = nil
+			when "vulnerability"
+				collect_service_vuln
+				collect_host_vuln
+				@state[:references] = nil
+			end
+			@state[:current_tag].delete name
+		end
+
+		def report_vulns(host_object)
+			vuln_count = 0
+			block = @block
+			return unless host_object.kind_of? Msf::DBManager::Host
+			return unless @report_data[:vulns]
+			@report_data[:vulns].each do |vuln|
+				if vuln[:refs]
+					vuln[:refs] << vuln[:name]
+				else
+					vuln[:refs] = [vuln[:name]]
+				end
+				vuln[:refs].uniq!
+				data = {
+					:workspace => host_object.workspace,
+					:host => host_object,
+					:name => vuln[:name],
+					:info => vuln[:info],
+					:refs => vuln[:refs]
+				}
+				if vuln[:port] && vuln[:proto]
+					data[:port] = vuln[:port] 
+					data[:proto] = vuln[:proto]
+				end
+				db.report_vuln(data)
+			end
+			
+		end
+
+		def collect_host_vuln_id
+			return unless in_tag("device")
+			return unless in_tag("vulnerability")
+			return if in_tag("service")
+			return unless @state[:host_vuln_id]
+			@state[:references] ||= []
+			ref = normalize_ref( @state[:host_vuln_id]["type"], @text )
+			@state[:references] << ref if ref
+			@state[:host_vuln_id] = nil
+			@text = nil
+		end
+
+		def collect_service_vuln_id
+			return unless in_tag("device")
+			return unless in_tag("vulnerability")
+			return unless in_tag("service")
+			return unless @state[:service_vuln_id]
+			@state[:references] ||= []
+			ref = normalize_ref( @state[:service_vuln_id]["type"], @text )
+			@state[:references] << ref if ref
+			@state[:service_vuln_id] = nil
+			@text = nil
+		end
+
+		def collect_service_vuln
+			return unless in_tag("device")
+			return unless in_tag("vulnerability")
+			return unless in_tag("service")
+			@report_data[:vulns] ||= []
+			return unless actually_vulnerable(@state[:service_vuln])
+			return if @state[:service]["port"].to_i == 0
+			vid = @state[:service_vuln]["id"].to_s.downcase
+			vuln = {
+				:name => "NEXPOSE-#{vid}",
+				:info => vid,
+				:refs => @state[:references],
+				:port => @state[:service]["port"].to_i,
+				:proto => @state[:service]["protocol"]
+			}
+			@report_data[:vulns] << vuln
+		end
+
+		def collect_host_vuln
+			return unless in_tag("vulnerability")
+			return unless in_tag("device")
+			return if in_tag("service")
+			@report_data[:vulns] ||= []
+			return unless actually_vulnerable(@state[:host_vuln])
+			vid = @state[:host_vuln]["id"].to_s.downcase
+			vuln = {
+				:name => "NEXPOSE-#{vid}",
+				:info => vid,
+				:refs => @state[:references]
+			}
+			@report_data[:vulns] << vuln
+		end
+
+		def record_host_vuln_id(attrs)
+			return unless in_tag("device")
+			return if in_tag("service")
+			@state[:host_vuln_id] = attr_hash(attrs)
+		end
+
+		def record_host_vuln(attrs)
+			return unless in_tag("device")
+			return if in_tag("service")
+			@state[:host_vuln] = attr_hash(attrs)
+		end
+
+		def record_service_vuln_id(attrs)
+			return unless in_tag("device")
+			return unless in_tag("service")
+			@state[:service_vuln_id] = attr_hash(attrs)
+		end
+
+		def record_service_vuln(attrs)
+			return unless in_tag("device")
+			return unless in_tag("service")
+			@state[:service_vuln] = attr_hash(attrs)
+		end
+
+		def actually_vulnerable(vuln)
+			vuln_result = vuln["resultCode"]
+			vuln_result =~ /^V[VE]$/
+		end
+
+		def record_device(attrs)
+			attrs.each do |k,v|
+				next unless k == "address"
+				@state[:address] = v
+			end
+		end
+
+		def record_host_fingerprint(attrs)
+			return unless in_tag("device")
+			return if in_tag("service")
+			@state[:host_fingerprint] = attr_hash(attrs)
+		end
+
+		def collect_device_data
+			return unless in_tag("device")
+			@report_data[:host] = @state[:address]
+			@report_data[:state] = Msf::HostState::Alive # always
+		end
+
+		def record_host_fingerprint_data(name, attrs)
+			return unless in_tag("device")
+			return if in_tag("service")
+			return unless in_tag("fingerprint")
+			@state[:host_fingerprint] ||= {}
+			@state[:host_fingerprint].merge! attr_hash(attrs)
+		end
+
+		def collect_host_fingerprint_data(name)
+			return unless in_tag("device")
+			return if in_tag("service")
+			return unless in_tag("fingerprint")
+			return unless @text
+			@report_data[:host_fingerprint] ||= {}
+			@report_data[:host_fingerprint].merge!(@state[:host_fingerprint])
+			@report_data[:host_fingerprint][name] = @text.to_s.strip
+			@text = nil
+		end
+
+		def report_host(&block)
+			if host_is_okay
+				db.emit(:address,@report_data[:host],&block) if block
+				host_object = db.report_host( @report_data.merge(
+					:workspace => @args[:wspace] ) )
+				if host_object
+					db.report_import_note(host_object.workspace, host_object)
+				end
+				host_object
+			end
+		end
+
+		def report_host_fingerprint(host_object)
+			return unless host_object.kind_of? ::Msf::DBManager::Host
+			return unless @report_data[:host_fingerprint].kind_of? Hash
+			@report_data[:host_fingerprint].reject! {|k,v| v.nil? || v.empty?}
+			return if @report_data[:host_fingerprint].empty?
+			note = {
+				:workspace => host_object.workspace,
+				:host => host_object,
+				:type => "host.os.nexpose_fingerprint"
+			}
+			data = {
+				:desc => @report_data[:host_fingerprint]["description"],
+				:vendor => @report_data[:host_fingerprint]["vendor"],
+				:family => @report_data[:host_fingerprint]["family"],
+				:product => @report_data[:host_fingerprint]["product"],
+				:version => @report_data[:host_fingerprint]["version"],
+				:arch => @report_data[:host_fingerprint]["architecture"]
+			}
+			db.report_note(note.merge(:data => data))
+		end
+
+		def record_service(attrs)
+			return unless in_tag("device")
+			@state[:service] = attr_hash(attrs)
+		end
+
+		def record_service_fingerprint(attrs)
+			return unless in_tag("device")
+			return unless in_tag("service")
+			@state[:service][:fingerprint] = attr_hash(attrs)
+		end
+
+		def collect_service_data
+			return unless in_tag("device")
+			port_hash = {}
+			@report_data[:ports] ||= []
+			@state[:service].each do |k,v|
+				case k
+				when "protocol"
+					port_hash[:protocol] = v
+				when "port"
+					port_hash[:port] = v
+				when "name"
+					port_hash[:name] = v.to_s.downcase.split("(")[0].strip
+					port_hash.delete(:name) if port_hash[:name] == "<unknown>"
+				end
+			end
+			if @state[:service_fingerprint]
+				port_hash[:info] = "#{@state[:service_fingerprint]}"
+			end
+			@report_data[:ports] << port_hash
+		end
+
+		def collect_service_fingerprint_description
+			return unless in_tag("device")
+			return unless in_tag("service")
+			return unless in_tag("fingerprint")
+			return unless @text
+			@state[:service_fingerprint] = @text.to_s.strip
+			@text = nil
+		end
+
+		def report_services(host_object)
+			return unless host_object.kind_of? ::Msf::DBManager::Host
+			return unless @report_data[:ports]
+			return if @report_data[:ports].empty?
+			reported = []
+			@report_data[:ports].each do |svc|
+				reported << db.report_service(svc.merge(:host => host_object))
+			end
+			reported
+		end
+
+	end
+
+end
+end
+

data/lib/rex/parser/nmap_nokogiri.rb

@@ -36,12 +36,6 @@ module Rex
 			block = @block
 			@state[:current_tag][name] = true
 			case name
-			when "host"
-				@state[:in_host] = true
-			when "os"
-				if @state[:in_host]
-					@state[:in_os] = true
-				end
 			when "status"
 				record_host_status(attrs)
 			when "address"
@@ -71,32 +65,65 @@ module Rex
 			end
 		end
 
+		# When we exit a tag, this is triggered.
+		def end_element(name=nil)
+			block = @block
+			case name
+			when "os"
+				collect_os_data
+				@state[:os] = {}
+			when "port"
+				collect_port_data 
+				@state[:port] = {}
+			when "script"
+				if in_tag("host")
+					if in_tag("port")
+						@state[:portscripts] = {}
+					else
+						@state[:hostscripts] = {}
+					end
+				end
+			when "host" # Roll everything up now
+				collect_host_data
+				host_object = report_host &block
+				if host_object
+					db.report_import_note(@args[:wspace],host_object)
+					report_services(host_object,&block)
+					report_fingerprint(host_object)
+					report_uptime(host_object)
+					report_traceroute(host_object)
+				end
+				@state.delete_if {|k| k != :current_tag}
+				@report_data = {:wspace => @args[:wspace]}
+			end
+			@state[:current_tag].delete name
+		end
+
 		# We can certainly get fancier with self.send() magic, but
 		# leaving this pretty simple for now.
 
 		def record_host_hop(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_trace]
+			return unless in_tag("host")
+			return unless in_tag("trace")
 			hops = attr_hash(attrs)
 			hops["name"] = hops.delete "host"
 			@state[:trace][:hops] << hops
 		end
 
 		def record_host_trace(attrs)
-			return unless @state[:in_host]
-			@state[:in_trace] = true
+			return unless in_tag("host")
 			@state[:trace] = attr_hash(attrs)
 			@state[:trace][:hops] = []
 		end
 
 		def record_host_uptime(attrs)
-			return unless @state[:in_host]
+			return unless in_tag("host")
 			@state[:uptime] = attr_hash(attrs)
 		end
 
 		def record_host_osmatch(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_os]
+			return unless in_tag("host")
+			return unless in_tag("os")
 			temp_hash = attr_hash(attrs)
 			if temp_hash["accuracy"].to_i == 100
 				@state[:os]["osmatch"] = temp_hash["name"]
@@ -104,8 +131,8 @@ module Rex
 		end
 
 		def record_host_osclass(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_os]
+			return unless in_tag("host")
+			return unless in_tag("os")
 			@state[:os] ||= {}
 			temp_hash = attr_hash(attrs)
 			if better_os_match(@state[:os],temp_hash)
@@ -114,15 +141,15 @@ module Rex
 		end
 
 		def record_hostname(attrs)
-			return unless @state[:in_host]
+			return unless in_tag("host")
 			if attr_hash(attrs)["type"] == "PTR"
 				@state[:hostname] = attr_hash(attrs)["name"]
 			end
 		end
 
 		def record_host_script(attrs)
-			return unless @state[:in_host]
-			return if @state[:in_port]
+			return unless in_tag("host")
+			return if in_tag("port")
 			temp_hash = attr_hash(attrs)
 			@state[:hostscripts] ||= {}
 			@state[:hostscripts].merge! temp_hash
@@ -131,8 +158,8 @@ module Rex
 		end
 
 		def record_port_script(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_port]
+			return unless in_tag("host")
+			return unless in_tag("port")
 			temp_hash = attr_hash(attrs)
 			@state[:portscripts] ||= {}
 			@state[:portscripts].merge! temp_hash
@@ -142,8 +169,8 @@ module Rex
 		end
 
 		def record_port_service(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_port]
+			return unless in_tag("host")
+			return unless in_tag("port")
 			svc = attr_hash(attrs)
 			if svc["name"] && @args[:fix_services]
 				svc["name"] = db.nmap_msf_service_map(svc["name"])
@@ -152,22 +179,21 @@ module Rex
 		end
 
 		def record_port_state(attrs)
-			return unless @state[:in_host]
-			return unless @state[:in_port]
+			return unless in_tag("host")
+			return unless in_tag("port")
 			temp_hash = attr_hash(attrs)
 			@state[:port] = @state[:port].merge(temp_hash)
 		end
 
 		def record_port(attrs)
-			return unless @state[:in_host]
-			@state[:in_port] = true
+			return unless in_tag("host")
 			@state[:port] ||= {}
 			svc = attr_hash(attrs)
 			@state[:port] = @state[:port].merge(svc)
 		end
 
 		def record_host_status(attrs)
-			return unless @state[:in_host]
+			return unless in_tag("host")
 			attrs.each do |k,v|
 				next unless k == "state"
 				@state[:host_alive] = (v == "up") 
@@ -175,7 +201,7 @@ module Rex
 		end
 
 		def record_address(attrs)
-			return unless @state[:in_host]
+			return unless in_tag("host")
 			@state[:addresses] ||= {}
 			address = nil
 			type = nil
@@ -189,55 +215,8 @@ module Rex
 			@state[:addresses][type] = address
 		end
 
-		# When we exit a tag, this is triggered.
-		def end_element(name=nil)
-			block = @block
-			@state[:current_tag].delete name
-			case name
-			when "os"
-				collect_os_data
-				@state[:in_os] = false
-				@state[:os] = {}
-			when "port"
-				collect_port_data 
-				@state[:in_port] = false
-				@state[:port] = {}
-			when "script"
-				if @state[:in_host]
-					if @state[:in_port]
-						@state[:portscripts] = {}
-					else
-						@state[:hostscripts] = {}
-					end
-				end
-			when "trace"
-				@state[:in_trace] = false
-			when "host" # Roll everything up now
-				collect_host_data
-				host_object = report_host &block
-				if host_object
-					db.report_import_note(@args[:wspace],host_object)
-					report_services(host_object,&block)
-					report_fingerprint(host_object)
-					report_uptime(host_object)
-					report_traceroute(host_object)
-				end
-				@state.delete_if {|k| k != :current_tag}
-			end
-		end
-
-		def end_document
-			block = @block
-			unless @state[:current_tag].empty?
-				missing_ends = @state[:current_tag].keys.map {|x| "'#{x}'"}.join(", ")
-				msg = "Warning, the provided file is incomplete, and there may be missing\n"
-				msg << "data. The following tags were not closed: #{missing_ends}."
-				db.emit(:warning,msg,&block)
-			end
-		end
-
 		def collect_os_data
-			return unless @state[:in_host]
+			return unless in_tag("host")
 			if @state[:os]
 				@report_data[:os_fingerprint] = {
 					:type => "host.os.nmap_fingerprint",
@@ -281,8 +260,8 @@ module Rex
 			end
 		end
 
-		def collect_port_data(&block)
-			return unless @state[:in_host]
+		def collect_port_data
+			return unless in_tag("host")
 			if @args[:fix_services]
 				if @state[:port]["state"] == "filtered"
 					return

data/lib/rex/parser/nokogiri_doc_mixin.rb

@@ -24,76 +24,132 @@ module Rex
 			!!@nokogiri_loaded
 		end
 
-		module NokogiriDocMixin
-
-			# Set up the getters and instance variables for the document
-			eval("attr_reader :args, :db, :state, :block, :report_data")
-
-			def initialize(args,db,&block)
-				@args = args
-				@db = db
-				@state = {}
-				@state[:current_tag] = {}
-				@block = block if block
-				@report_data = {:wspace => args[:wspace]}
-				super()
-			end
+		# Useful during development, shouldn't be used in normal operation.
+		def self.reload(fname)
+			$stdout.puts "Reloading #{fname}..."
+			load __FILE__
+			load File.join(File.expand_path(File.dirname(__FILE__)),fname)
+		end
 
-			# Turn XML attribute pairs in to more workable hashes (there
-			# are better Enumerable tricks in Ruby 1.9, but ignoring for now)
-			def attr_hash(attrs)
-				h = {}
-				attrs.each {|k,v| h[k] = v}
-				h
-			end
+	end
+end
 
-			def valid_ip(addr)
-				valid = false
-				valid = ::Rex::Socket::RangeWalker.new(addr).valid? rescue false
-				!!valid
-			end
+module Rex
+module Parser
+
+		load_nokogiri && module NokogiriDocMixin
+
+		# Set up the getters and instance variables for the document
+		eval("attr_reader :args, :db, :state, :block, :report_data")
+
+		def initialize(args,db,&block)
+			@args = args
+			@db = db
+			@state = {}
+			@state[:current_tag] = {}
+			@block = block if block
+			@report_data = {:wspace => args[:wspace]}
+			super()
+		end
+
+		# Turn XML attribute pairs in to more workable hashes (there
+		# are better Enumerable tricks in Ruby 1.9, but ignoring for now)
+		def attr_hash(attrs)
+			h = {}
+			attrs.each {|k,v| h[k] = v}
+			h
+		end
+
+		def valid_ip(addr)
+			valid = false
+			valid = ::Rex::Socket::RangeWalker.new(addr).valid? rescue false
+			!!valid
+		end
 
-			# If there's an address, it's not on the blacklist, 
-			# it has ports, and the port list isn't
-			# empty... it's okay.
-			def host_is_okay
-				return false unless @report_data[:host]
-				return false unless valid_ip(@report_data[:host])
-				return false unless @report_data[:state] == Msf::HostState::Alive
-				if @args[:blacklist]
-					return false if @args[:blacklist].include?(@report_data[:host])
+		def normalize_ref(ref_type, ref_value)
+			return if ref_type.nil? || ref_type.empty? || ref_value.nil? || ref_value.empty?
+			ref_value = ref_value.strip
+			ref_type = ref_type.strip.upcase
+			ret = case ref_type
+				when "CVE" 
+					ref_value.gsub("CAN", "CVE")
+				when "MS"  
+					"MSB-MS-#{ref_value}"
+				when "URL", "BID"
+					"#{ref_type}-#{ref_value}"
+				else # Handle others?
+					"#{ref_type}-#{ref_value}"
 				end
-				return false unless @report_data[:ports]
-				return false if @report_data[:ports].empty?
-				return true
-			end
+			return ret
+		end
 
-			# XXX: Define this
-			def determine_port_state(v)
-				return v
+		def normalize_references(orig_refs)
+			return [] unless orig_refs
+			refs = []
+			orig_refs.each do |ref_hash|
+				ref_hash_sym = Hash[ref_hash.map {|k, v| [k.to_sym, v] }]
+				ref_type = ref_hash_sym[:source].to_s.strip.upcase
+				ref_value = ref_hash_sym[:value].to_s.strip
+				refs << normalize_ref(ref_type, ref_value)
 			end
+			return refs.compact.uniq
+		end
 
-			# Nokogiri 1.4.4 (and presumably beyond) generates attrs as pairs,
-			# like [["value1","foo"],["value2","bar"]] (but not hashes for some 
-			# reason). 1.4.3.1 (and presumably 1.4.3.x and prior) generates attrs
-			# as a flat array of strings. We want array_pairs.
-			def normalize_attrs(attrs)
-				attr_pairs = []
-				case attrs.first
-				when Array, NilClass
-					attr_pairs = attrs
-				when String
-					attrs.each_index {|i| 
-						next if i % 2 == 0
-						attr_pairs << [attrs[i-1],attrs[i]]
-					}
-				else # Wow, yet another format! It's either from the distant past or distant future.
-					raise ::Msf::DBImportError.new("Unknown format for XML attributes. Please check your Nokogiri version.")
-				end
-				return attr_pairs
+		def in_tag(tagname)
+			@state[:current_tag].keys.include? tagname
+		end
+
+		# If there's an address, it's not on the blacklist, 
+		# it has ports, and the port list isn't
+		# empty... it's okay.
+		def host_is_okay
+			return false unless @report_data[:host]
+			return false unless valid_ip(@report_data[:host])
+			return false unless @report_data[:state] == Msf::HostState::Alive
+			if @args[:blacklist]
+				return false if @args[:blacklist].include?(@report_data[:host])
 			end
+			return false unless @report_data[:ports]
+			return false if @report_data[:ports].empty?
+			return true
+		end
 
+		# XXX: Define this
+		def determine_port_state(v)
+			return v
+		end
 
+		# Nokogiri 1.4.4 (and presumably beyond) generates attrs as pairs,
+		# like [["value1","foo"],["value2","bar"]] (but not hashes for some 
+		# reason). 1.4.3.1 (and presumably 1.4.3.x and prior) generates attrs
+		# as a flat array of strings. We want array_pairs.
+		def normalize_attrs(attrs)
+			attr_pairs = []
+			case attrs.first
+			when Array, NilClass
+				attr_pairs = attrs
+			when String
+				attrs.each_index {|i| 
+					next if i % 2 == 0
+					attr_pairs << [attrs[i-1],attrs[i]]
+				}
+			else # Wow, yet another format! It's either from the distant past or distant future.
+				raise ::Msf::DBImportError.new("Unknown format for XML attributes. Please check your Nokogiri version.")
+			end
+			return attr_pairs
+		end
+
+		def end_document
+			block = @block
+			unless @state[:current_tag].empty?
+				missing_ends = @state[:current_tag].keys.map {|x| "'#{x}'"}.join(", ")
+				msg = "Warning, the provided file is incomplete, and there may be missing\n"
+				msg << "data. The following tags were not closed: #{missing_ends}."
+				db.emit(:warning,msg,&block)
+			end
 		end
+
 	end
+
+end
 end

data/lib/rex/pescan/scanner.rb

@@ -1,3 +1,5 @@
+require 'metasm'
+
 module Rex
 module PeScan
 module Scanner
@@ -27,8 +29,15 @@ module Scanner
 					msg  = hit[1].is_a?(Array) ? hit[1].join(" ") : hit[1]
 					$stdout.puts pe.ptr_s(vma) + " " + msg
 					if(param['disasm'])
-						::Rex::Assembly::Nasm.disassemble([msg].pack("H*")).split("\n").each do |line|
-							$stdout.puts "\t#{line.strip}"
+						insns = []
+						d2 = Metasm::Shellcode.decode(msg, Metasm::Ia32.new).disassembler
+						addr = 0
+						while ((di = d2.disassemble_instruction(addr)))
+							insns << di.instruction
+							disasm = "0x%08x\t" % (vma + addr)
+							disasm << di.instruction.to_s
+							$stdout.puts disasm
+							addr = di.next_addr
 						end
 					end
 				end

data/lib/rex/pescan/search.rb

@@ -3,44 +3,50 @@ module PeScan
 module Search
 
 	require "rex/assembly/nasm"
-	
+
 	class DumpRVA
 		attr_accessor :pe
-		
+
 		def initialize(pe)
 			self.pe = pe
 		end
-		
+
 		def config(param)
 			@address = pe.vma_to_rva(param['args'])
 		end
-		
+
 		def scan(param)
 			config(param)
-			
+
 			$stdout.puts "[#{param['file']}]"
-			
+
 			# Adjust based on -A and -B flags
 			pre = param['before'] || 0
 			suf = param['after']  || 16
-			
+
 			@address -= pre
 			@address = 0 if (@address < 0 || ! @address)
-			
+
 			begin
 				buf = pe.read_rva(@address, suf)
 			rescue ::Rex::PeParsey::WtfError
 				return
 			end
-			
+
 			$stdout.puts pe.ptr_s(pe.rva_to_vma(@address)) + " " + buf.unpack("H*")[0]
 			if(param['disasm'])
-				::Rex::Assembly::Nasm.disassemble(buf).split("\n").each do |line|
-					$stdout.puts "\t#{line.strip}"
+				insns = []
+				d2 = Metasm::Shellcode.decode(buf, Metasm::Ia32.new).disassembler
+				addr = 0
+				while ((di = d2.disassemble_instruction(addr)))
+					insns << di.instruction
+					disasm = "0x%08x\t" % (pe.rva_to_vma(@address) + addr)
+					disasm << di.instruction.to_s
+					$stdout.puts disasm
+					addr = di.next_addr
 				end
 			end
-			
-		end	
+		end
 	end
 
 	class DumpOffset < DumpRVA
@@ -50,7 +56,7 @@ module Search
 			rescue Rex::PeParsey::BoundsError
 			end
 		end
-	end	
+	end
 end
 end
 end

data/lib/rex/zip/jar.rb

@@ -149,9 +149,12 @@ class Jar < Archive
 	# directly supported by keytool for some unfathomable reason
 	# http://www.agentbob.info/agentbob/79-AB.html
 	#
-	def sign(key, cert)
+	def sign(key, cert, ca_certs=nil)
 		m = self.entries.find { |e| e.name == "META-INF/MANIFEST.MF" }
 		raise RuntimeError.new("Jar has no manifest") unless m
+
+		ca_certs ||= [ cert ]
+
 		new_manifest = ''
 		sigdata =  "Signature-Version: 1.0\r\n"
 		sigdata << "Created-By: 1.6.0_18 (Sun Microsystems Inc.)\r\n"
@@ -192,25 +195,25 @@ class Jar < Archive
 		flags = 0
 		flags |= OpenSSL::PKCS7::BINARY
 		flags |= OpenSSL::PKCS7::DETACHED
-		# SMIME and ATTRs are technically valid in the signature but they both
-		# screw up the java verifier, so don't include them.
+		# SMIME and ATTRs are technically valid in the signature but they
+		# both screw up the java verifier, so don't include them.
 		flags |= OpenSSL::PKCS7::NOSMIMECAP
 		flags |= OpenSSL::PKCS7::NOATTR
 
-		signature = OpenSSL::PKCS7.sign(cert, key, sigdata, [cert], flags)
+		signature = OpenSSL::PKCS7.sign(cert, key, sigdata, ca_certs, flags)
 		sigalg = case key
 			when OpenSSL::PKey::RSA; "RSA"
 			when OpenSSL::PKey::DSA; "DSA"
 			# Don't really know what to do if it's not DSA or RSA.  Can
 			# OpenSSL::PKCS7 actually sign stuff with it in that case?
-			# Regardless, the java spec says signatures can only be RSA, DSA,
-			# or PGP, so just assume it's PGP and hope for the best
+			# Regardless, the java spec says signatures can only be RSA,
+			# DSA, or PGP, so just assume it's PGP and hope for the best
 			else; "PGP"
 			end
 
 		# SIGNFILE is the default name in documentation.  MYKEY is probably
-		# more common, though because that's what keytool defaults to.  We can
-		# probably randomize this with no ill effects.
+		# more common, though because that's what keytool defaults to.  We
+		# can probably randomize this with no ill effects.
 		add_file("META-INF/SIGNFILE.SF", sigdata)
 		add_file("META-INF/SIGNFILE.#{sigalg}", signature.to_der)
 

metadata

@@ -2,7 +2,7 @@
 name: librex
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.0.33
+  version: 0.0.34
 platform: ruby
 authors: 
 - Metasploit Development Team
@@ -11,11 +11,11 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-05-25 00:00:00 -05:00
+date: 2011-05-27 00:00:00 -05:00
 default_executable: 
 dependencies: []
 
-description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 12724
+description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 12756
 email: 
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com
@@ -159,6 +159,8 @@ files:
 - lib/rex/parser/ip360_xml.rb
 - lib/rex/parser/nessus_xml.rb
 - lib/rex/parser/netsparker_xml.rb
+- lib/rex/parser/nexpose_raw_nokogiri.rb
+- lib/rex/parser/nexpose_simple_nokogiri.rb
 - lib/rex/parser/nexpose_xml.rb
 - lib/rex/parser/nmap_nokogiri.rb
 - lib/rex/parser/nmap_xml.rb