RubyGems - librex - Versions diffs - 0.0.38 → 0.0.39 - Mend

librex 0.0.38 → 0.0.39

Files changed (9) hide show

data/README.markdown +1 -1
data/lib/rex/post/meterpreter/channel.rb +6 -5
data/lib/rex/post/meterpreter/client.rb +77 -32
data/lib/rex/post/meterpreter/client_core.rb +61 -14
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +19 -18
data/lib/rex/post/meterpreter/packet_dispatcher.rb +109 -14
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +22 -6
data/lib/rex/proto/http/packet.rb +1 -1
metadata +3 -3

data/README.markdown CHANGED Viewed

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 Currently based on:
-SVN Revision: 13029
+SVN Revision: 13058
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/post/meterpreter/channel.rb CHANGED Viewed

@@ -172,7 +172,8 @@ class Channel
 		request = Packet.create_request('core_channel_read')
 		if (length == nil)
-			length = 65536
+			# Default block size to a higher amount for passive dispatcher
+			length = self.client.passive_service ? (1024*1024) : 65536
 		end
 		request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
@@ -228,12 +229,12 @@ class Channel
 		# Populate the request
 		request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
 		cdata = request.add_tlv(TLV_TYPE_CHANNEL_DATA, buf)
 		if( ( self.flags & CHANNEL_FLAG_COMPRESS ) == CHANNEL_FLAG_COMPRESS )
-			cdata.compress = true
+			cdata.compress = true
 		end
 		request.add_tlv(TLV_TYPE_LENGTH, length)
 		request.add_tlvs(addends)
@@ -285,7 +286,7 @@ class Channel
 		return true
 	end
 	def _close(addends = nil)
 		self.class._close(self.client, self.cid, addends)
 		self.cid = nil

data/lib/rex/post/meterpreter/client.rb CHANGED Viewed

@@ -45,7 +45,7 @@ class Client
 	# Cached SSL certificate (required to scale)
 	#
 	@@ssl_ctx = nil
 	#
 	# Mutex to synchronize class-wide operations
 	#
@@ -89,38 +89,59 @@ class Client
 			extension.cleanup if extension.respond_to?( 'cleanup' )
 		end
 		dispatcher_thread.kill if dispatcher_thread
+		core.shutdown rescue nil
+		shutdown_passive_dispatcher
 	end
 	#
 	# Initializes the meterpreter client instance
 	#
 	def init_meterpreter(sock,opts={})
-		self.sock        = sock
-		self.parser      = PacketParser.new
-		self.ext         = ObjectAliases.new
-		self.ext_aliases = ObjectAliases.new
-		self.alive       = true
-		self.target_id   = opts[:target_id]
-		self.capabilities= opts[:capabilities] || {}
-		self.response_timeout =  opts[:timeout] || self.class.default_timeout
+		self.sock         = sock
+		self.parser       = PacketParser.new
+		self.ext          = ObjectAliases.new
+		self.ext_aliases  = ObjectAliases.new
+		self.alive        = true
+		self.target_id    = opts[:target_id]
+		self.capabilities = opts[:capabilities] || {}
+		self.conn_id      = opts[:conn_id]
+		self.url          = opts[:url]
+		self.ssl          = opts[:ssl]
+		self.expiration   = opts[:expiration]
+		self.comm_timeout = opts[:comm_timeout]
+		self.passive_dispatcher = opts[:passive_dispatcher]
+		self.response_timeout = opts[:timeout] || self.class.default_timeout
 		self.send_keepalives  = true
+		if opts[:passive_dispatcher]
+			initialize_passive_dispatcher
-		# Switch the socket to SSL mode and receive the hello if needed
-		if capabilities[:ssl] and not opts[:skip_ssl]
-			swap_sock_plain_to_ssl()
-		end
+			register_extension_alias('core', ClientCore.new(self))
-		register_extension_alias('core', ClientCore.new(self))
+			initialize_inbound_handlers
+			initialize_channels
-		initialize_inbound_handlers
-		initialize_channels
+			# Register the channel inbound packet handler
+			register_inbound_handler(Rex::Post::Meterpreter::Channel)
+		else
+			# Switch the socket to SSL mode and receive the hello if needed
+			if capabilities[:ssl] and not opts[:skip_ssl]
+				swap_sock_plain_to_ssl()
+			end
-		# Register the channel inbound packet handler
-		register_inbound_handler(Rex::Post::Meterpreter::Channel)
+			register_extension_alias('core', ClientCore.new(self))
-		monitor_socket
+			initialize_inbound_handlers
+			initialize_channels
+			# Register the channel inbound packet handler
+			register_inbound_handler(Rex::Post::Meterpreter::Channel)
+			monitor_socket
+		end
 	end
 	def swap_sock_plain_to_ssl
@@ -138,22 +159,22 @@ class Client
 			rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
 					IO::select(nil, nil, nil, 0.10)
 					retry
-			# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+			# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
 			rescue ::Exception => e
 				if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
 					IO::select( [ ssl ], nil, nil, 0.10 )
 					retry
 				end
-				if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+				if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
 					IO::select( nil, [ ssl ], nil, 0.10 )
 					retry
 				end
 				raise e
 			end
-		end
+		end
 		self.sock.extend(Rex::Socket::SslTcp)
 		self.sock.sslsock = ssl
@@ -175,11 +196,11 @@ class Client
 	end
 	def generate_ssl_context
-		@@ssl_mutex.synchronize do
+		@@ssl_mutex.synchronize do
 		if not @@ssl_ctx
 		wlog("Generating SSL certificate for Meterpreter sessions")
 		key  = OpenSSL::PKey::RSA.new(1024){ }
 		cert = OpenSSL::X509::Certificate.new
 		cert.version = 2
@@ -223,12 +244,12 @@ class Client
 		ctx.session_id_context = Rex::Text.rand_text(16)
 		wlog("Generated SSL certificate for Meterpreter sessions")
 		@@ssl_ctx = ctx
 		end # End of if not @ssl_ctx
 		end # End of mutex.synchronize
 		@@ssl_ctx
 	end
@@ -379,6 +400,30 @@ class Client
 	# The libraries available to this meterpreter server
 	#
 	attr_accessor :capabilities
+	#
+	# The Connection ID
+	#
+	attr_accessor :conn_id
+	#
+	# The Connect URL
+	#
+	attr_accessor :url
+	#
+	# Use SSL (HTTPS)
+	#
+	attr_accessor :ssl
+	#
+	# The Session Expiration Timeout
+	#
+	attr_accessor :expiration
+	#
+	# The Communication Timeout
+	#
+	attr_accessor :comm_timeout
+	#
+	# The Passive Dispatcher
+	#
+	attr_accessor :passive_dispatcher
 protected
 	attr_accessor :parser, :ext_aliases # :nodoc:

data/lib/rex/post/meterpreter/client_core.rb CHANGED Viewed

@@ -184,7 +184,7 @@ class ClientCore < Extension
 		# We cant migrate into a process that does not exist.
 		if( process == nil )
-			raise RuntimeError, "Cannot migrate into non existant process", caller
+			raise RuntimeError, "Cannot migrate into non existent process", caller
 		end
 		# We cant migrate into a process that we are unable to open
@@ -216,13 +216,42 @@ class ClientCore < Extension
 		migrate_stager = c.new()
 		migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.install_root, "data", "meterpreter", "metsrv.#{binary_suffix}" )
-		payload = migrate_stager.stage_payload
+		blob = migrate_stager.stage_payload
+		if client.passive_service
+			# Replace the transport string first (TRANSPORT_SOCKET_SSL
+			i = blob.index("METERPRETER_TRANSPORT_SSL")
+			if i
+				str = client.ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
+				blob[i, str.length] = str
+			end
+			conn_id = self.client.conn_id
+			i = blob.index("https://" + ("X" * 256))
+			if i
+				str = self.client.url
+				blob[i, str.length] = str
+			end
+			i = blob.index([0xb64be661].pack("V"))
+			if i
+				str = [ self.client.expiration ].pack("V")
+				blob[i, str.length] = str
+			end
+			i = blob.index([0xaf79257f].pack("V"))
+			if i
+				str = [ self.client.comm_timeout ].pack("V")
+				blob[i, str.length] = str
+			end
+		end
 		# Build the migration request
 		request = Packet.create_request( 'core_migrate' )
 		request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
-		request.add_tlv( TLV_TYPE_MIGRATE_LEN, payload.length )
-		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, payload, false, client.capabilities[:zlib])
+		request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
+		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
 		if( process['arch'] == ARCH_X86_64 )
 			request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
 		else
@@ -232,19 +261,28 @@ class ClientCore < Extension
 		# Send the migration request (bump up the timeout to 60 seconds)
 		response = client.send_request( request, 60 )
-		# Disable the socket request monitor
-		client.monitor_stop
+		if client.passive_service
+			# Sleep for 5 seconds to allow the full handoff, this prevents
+			# the original process from stealing our loadlib requests
+			::IO.select(nil, nil, nil, 5.0)
+		else
+			# Prevent new commands from being sent while we finish migrating
+			client.comm_mutex.synchronize do
+				# Disable the socket request monitor
+				client.monitor_stop
-		###
-		# Now communicating with the new process
-		###
+				###
+				# Now communicating with the new process
+				###
-		# Renegotiate SSL over this socket
-		client.swap_sock_ssl_to_plain()
-		client.swap_sock_plain_to_ssl()
+				# Renegotiate SSL over this socket
+				client.swap_sock_ssl_to_plain()
+				client.swap_sock_plain_to_ssl()
-		# Restart the socket monitor
-		client.monitor_socket
+				# Restart the socket monitor
+				client.monitor_socket
+			end
+		end
 		# Update the meterpreter platform/suffix for loading extensions as we may have changed target architecture
 		# sf: this is kinda hacky but it works. As ruby doesnt let you un-include a module this is the simplest solution I could think of.
@@ -268,6 +306,15 @@ class ClientCore < Extension
 		return true
 	end
+	#
+	# Shuts the session down
+	#
+	def shutdown
+		request  = Packet.create_request('core_shutdown')
+		response = self.client.send_packet_wait_response(request, 15)
+		true
+	end
 end
 end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb CHANGED Viewed

@@ -27,27 +27,27 @@ SEPARATOR = "\\"
 Separator = "\\"
 	include Rex::Post::File
 	class << self
 		attr_accessor :client
 	end
 	#
 	# Search for files.
 	#
 	def File.search( root=nil, glob="*.*", recurse=true, timeout=-1 )
 		files = ::Array.new
 		request = Packet.create_request( 'stdapi_fs_search' )
 		root = root.chomp( '\\' ) if root
 		request.add_tlv( TLV_TYPE_SEARCH_ROOT, root )
 		request.add_tlv( TLV_TYPE_SEARCH_GLOB, glob )
 		request.add_tlv( TLV_TYPE_SEARCH_RECURSE, recurse )
-		# we set the response timeout to -1 to wait indefinatly as a
+		# we set the response timeout to -1 to wait indefinatly as a
 		# search could take an indeterminate ammount of time to complete.
 		response = client.send_request( request, timeout )
 		if( response.result == 0 )
@@ -59,10 +59,10 @@ Separator = "\\"
 				}
 			end
 		end
 		return files
 	end
 	#
 	# Returns the base name of the supplied file path to the caller.
 	#
@@ -86,7 +86,7 @@ Separator = "\\"
 		request.add_tlv(TLV_TYPE_FILE_PATH, path)
 		response = client.send_request(request)
 		return response.get_tlv_value(TLV_TYPE_FILE_PATH)
 	end
@@ -104,27 +104,27 @@ Separator = "\\"
 		r = client.fs.filestat.new(name) rescue nil
 		r ? true : false
 	end
 	#
 	# Performs a delete on the specified file.
 	#
-	def File.rm(name)
+	def File.rm(name)
 		request = Packet.create_request('stdapi_fs_delete_file')
 		request.add_tlv(TLV_TYPE_FILE_PATH,name)
 		response = client.send_request(request)
 		return response
 	end
 	#
 	# Performs a delete on the specified file.
 	#
 	def File.unlink(name)
 		return File.rm(name)
-	end
+	end
 	#
 	# Upload one or more files to the remote computer the remote
 	# directory supplied in destination.
@@ -151,7 +151,7 @@ Separator = "\\"
 		# all of the contents of the local file
 		dest_fd = client.fs.file.new(dest_file, "wb")
 		src_buf = ''
 		::File.open(src_file, 'rb') { |f|
 			src_buf = f.read(f.stat.size)
 		}
@@ -164,7 +164,7 @@ Separator = "\\"
 	end
 	#
-	# Download one or more files from the remote computer to the local
+	# Download one or more files from the remote computer to the local
 	# directory supplied in destination.
 	#
 	def File.download(destination, *src_files, &stat)
@@ -178,7 +178,7 @@ Separator = "\\"
 			end
 			download_file(dest, src)
 			stat.call('downloaded', src, dest) if (stat)
 		}
 	end
@@ -272,3 +272,4 @@ protected
 end
 end; end; end; end; end; end

data/lib/rex/post/meterpreter/packet_dispatcher.rb CHANGED Viewed

@@ -29,9 +29,9 @@ class RequestError < ArgumentError
 	# The error result that occurred, typically a windows error message.
 	attr_reader :result
 	# The error result that occurred, typically a windows error code.
-	attr_reader :code
+	attr_reader :code
 end
 ###
@@ -44,6 +44,84 @@ module PacketDispatcher
 	PacketTimeout = 600
+	##
+	#
+	# Synchronization
+	#
+	##
+	attr_accessor :comm_mutex
+	##
+	#
+	#
+	# Passive Dispatching
+	#
+	##
+	attr_accessor :passive_service, :send_queue, :recv_queue
+	def initialize_passive_dispatcher
+		self.send_queue = []
+		self.recv_queue = []
+		self.waiters    = []
+		self.alive      = true
+		self.passive_service = self.passive_dispatcher
+		self.passive_service.remove_resource("/" + self.conn_id  + "/")
+		self.passive_service.add_resource("/" + self.conn_id + "/",
+			'Proc'             => Proc.new { |cli, req| on_passive_request(cli, req) },
+			'VirtualDirectory' => true
+		)
+	end
+	def shutdown_passive_dispatcher
+		return if not self.passive_service
+		self.passive_service.remove_resource("/" + self.conn_id  + "/")
+		self.alive      = false
+		self.send_queue = []
+		self.recv_queue = []
+		self.waiters    = []
+		self.passive_service = nil
+	end
+	def on_passive_request(cli, req)
+		begin
+		resp = Rex::Proto::Http::Response.new(200, "OK")
+		resp['Content-Type'] = 'application/octet-stream'
+		resp['Connection']   = 'close'
+		# If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
+		if req.body[0,4] == "RECV"
+			rpkt = send_queue.pop
+			resp.body = rpkt || ''
+			begin
+				cli.send_response(resp)
+			rescue ::Exception => e
+				send_queue.unshift(rpkt) if rpkt
+				elog("Exception sending a reply to the reader request: #{cli.inspect} #{e.class} #{e} #{e.backtrace}")
+			end
+		else
+			resp.body = ""
+			if req.body and req.body.length > 0
+				packet = Packet.new(0)
+				packet.from_r(req.body)
+				dispatch_inbound_packet(packet)
+			end
+			cli.send_response(resp)
+		end
+		# Force a closure for older WinInet implementations
+		self.passive_service.close_client( cli )
+		rescue ::Exception => e
+			elog("Exception handling request: #{cli.inspect} #{req.inspect} #{e.class} #{e} #{e.backtrace}")
+		end
+	end
 	##
 	#
 	# Transmission
@@ -62,23 +140,34 @@ module PacketDispatcher
 		raw   = packet.to_r
 		err   = nil
+		# Short-circuit send when using a passive dispatcher
+		if self.passive_service
+			send_queue.push(raw)
+			return raw.size # Lie!
+		end
 		if (raw)
-			begin
-				bytes = self.sock.write(raw)
-			rescue ::Exception => e
-				err = e
+			# This mutex is used to lock out new commands during an
+			# active migration.
+			self.comm_mutex.synchronize do
+				begin
+					bytes = self.sock.write(raw)
+				rescue ::Exception => e
+					err = e
+				end
 			end
 			if bytes.to_i == 0
 				# Mark the session itself as dead
 				self.alive = false
 				# Indicate that the dispatcher should shut down too
 				@finish = true
 				# Reraise the error to the top-level caller
-				raise err if err
+				raise err if err
 			end
 		end
@@ -89,12 +178,12 @@ module PacketDispatcher
 	# Sends a packet and waits for a timeout for the given time interval.
 	#
 	def send_request(packet, t = self.response_timeout)
 		if not t
 			send_packet(packet)
 			return nil
 		end
 		response = send_packet_wait_response(packet, t)
 		if (response == nil)
@@ -146,6 +235,12 @@ module PacketDispatcher
 	# thread context and parsers all inbound packets.
 	#
 	def monitor_socket
+		# Skip if we are using a passive dispatcher
+		return if self.passive_service
+		self.comm_mutex = ::Mutex.new
 		self.waiters = []
 		@pqueue = []
@@ -303,6 +398,7 @@ module PacketDispatcher
 			self.receiver_thread.kill
 			self.receiver_thread = nil
 		end
 		if(self.dispatcher_thread)
 			self.dispatcher_thread.kill
 			self.dispatcher_thread = nil
@@ -385,7 +481,6 @@ module PacketDispatcher
 			end
 		end
 		# Enumerate all of the inbound packet handlers until one handles
 		# the packet
 		@inbound_handlers.each { |handler|

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb CHANGED Viewed

@@ -43,6 +43,7 @@ class Console::CommandDispatcher::Core
 			"close"      => "Closes a channel",
 			"channel"    => "Displays information about active channels",
 			"exit"       => "Terminate the meterpreter session",
+			"detach"     => "Detach the meterpreter session (for http/https)",
 			"help"       => "Help menu",
 			"interact"   => "Interacts with a channel",
 			"irb"        => "Drop into irb scripting mode",
@@ -204,11 +205,26 @@ class Console::CommandDispatcher::Core
 	# Terminates the meterpreter session.
 	#
 	def cmd_exit(*args)
+		print_status("Shutting down Meterpreter...")
+		client.core.shutdown rescue nil
+		client.shutdown_passive_dispatcher
 		shell.stop
 	end
 	alias cmd_quit cmd_exit
+	#
+	# Disconnects the session
+	#
+	def cmd_detach(*args)
+		if not client.passive_service
+			print_error("Detach is only possible for non-stream sessions (http/https)")
+			return
+		end
+		client.shutdown_passive_dispatcher
+		shell.stop
+	end
 	#
 	# Interacts with a channel.
 	#
@@ -385,11 +401,11 @@ class Console::CommandDispatcher::Core
 	def cmd_run_help
 		print_line "Usage: run <script> [arguments]"
-		print_line
+		print_line
 		print_line "Executes a ruby script or Metasploit Post module in the context of the"
 		print_line "meterpreter session.  Post modules can take arguments in var=val format."
 		print_line "Example: run post/foo/bar BAZ=abcd"
-		print_line
+		print_line
 	end
 	#
@@ -535,7 +551,7 @@ class Console::CommandDispatcher::Core
 	end
 	#
-	# Show info for a given Post module.
+	# Show info for a given Post module.
 	#
 	# See also +cmd_info+ in lib/msf/ui/console/command_dispatcher/core.rb
 	#
@@ -546,10 +562,10 @@ class Console::CommandDispatcher::Core
 			cmd_info_help
 			return
 		end
 		module_name = args.shift
 		mod = client.framework.modules.create(module_name);
 		if mod.nil?
 			print_error 'Invalid module: ' << module_name
 		end
@@ -655,7 +671,7 @@ class Console::CommandDispatcher::Core
 		tab_complete_filenames(str, words)
 	end
 	def cmd_resource(*args)
 		if args.empty?
 			print(

data/lib/rex/proto/http/packet.rb CHANGED Viewed

@@ -166,7 +166,7 @@ class Packet
 	# Converts the packet to a string.
 	#
 	def to_s
-		content = self.body.dup
+		content = self.body.to_s.dup
 		# Update the content length field in the header with the body length.
 		if (content)

metadata CHANGED Viewed

@@ -2,7 +2,7 @@
 name: librex
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 0.0.38
+  version: 0.0.39
 platform: ruby
 authors:
 - Metasploit Development Team
@@ -11,11 +11,11 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-06-25 00:00:00 -05:00
+date: 2011-06-28 00:00:00 -05:00
 default_executable:
 dependencies: []
-description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13029
+description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13058
 email:
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com