librex 0.0.46 → 0.0.47
- data/README.markdown +1 -1
- data/lib/rex/compat.rb +1 -1
- data/lib/rex/parser/nexpose_raw_nokogiri.rb +5 -5
- data/lib/rex/parser/nexpose_simple_nokogiri.rb +1 -1
- data/lib/rex/parser/nmap_nokogiri.rb +1 -1
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb +12 -1
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb +31 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +29 -14
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +64 -31
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb.ut.rb +1 -1
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +61 -35
- data/lib/rex/proto/dhcp/server.rb +2 -2
- data/lib/rex/ui/text/dispatcher_shell.rb +4 -0
- metadata +4 -3
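--- a/data/README.markdown
+++ b/data/README.markdown
@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision:
+SVN Revision: 13604
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>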
data/lib/rex/compat.rb
CHANGED
@@ -133,7 +133,7 @@ def self.open_browser(url='http://metasploit.com/')
|
|
133
133
|
# "sensible-browser" opens the "default" browser in Ubuntu and others, so try that first
|
134
134
|
# but also provide fallbacks
|
135
135
|
['sensible-browser', 'firefox', 'opera', 'chromium-browser', 'konqueror'].each do |browser|
|
136
|
-
|
136
|
+
ENV['PATH'].split(':').each do |path|
|
137
137
|
# Does the browser exists?
|
138
138
|
if File.exists?("#{path}/#{browser}")
|
139
139
|
system("#{browser} #{url} &")
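Review bot: `url` is interpolated into `system("#{browser} #{url} &")` and run through a shell, so a URL containing `;`, backticks or `$(...)` executes as a command instead of being opened; the new PATH walk above only chooses which browser receives it. The argv form avoids the shell, and detaching keeps the background behaviour of `&`: `Process.detach(Process.spawn(browser, url))`. The added line also assumes `ENV['PATH']` is set and hard-codes `:` — `ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)` — and `File.exists?` is satisfied by a non-executable file, where `File.executable?` is the check that matters. `open_browser` starts before this hunk and continues past it.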
|
@@ -263,7 +263,7 @@ module Rex
|
|
263
263
|
@state[:service].each do |k,v|
|
264
264
|
case k
|
265
265
|
when "protocol"
|
266
|
-
port_hash[:
|
266
|
+
port_hash[:proto] = v
|
267
267
|
when "port"
|
268
268
|
port_hash[:port] = v
|
269
269
|
when "status"
|
@@ -351,10 +351,10 @@ module Rex
|
|
351
351
|
db.emit(:address,@report_data[:host],&block) if block
|
352
352
|
host_object = db_report(:host, @report_data.merge(
|
353
353
|
:workspace => @args[:wspace] ) )
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
354
|
+
if host_object
|
355
|
+
db.report_import_note(host_object.workspace, host_object)
|
356
|
+
end
|
357
|
+
host_object
|
358
358
|
end
|
359
359
|
end
|
360
360
|
|
@@ -8,13 +8,21 @@ module Extensions
|
|
8
8
|
module Stdapi
|
9
9
|
module Railgun
|
10
10
|
|
11
|
+
#
|
12
|
+
# A container holding useful Windows API Constants.
|
13
|
+
#
|
11
14
|
class ApiConstants
|
12
15
|
|
13
16
|
# This will be lazily loaded in self.manager
|
14
17
|
@@manager = nil
|
18
|
+
|
19
|
+
# Mutex to ensure we don't add constants more than once via thread races.
|
15
20
|
@@manager_semaphore = Mutex.new
|
16
21
|
|
17
|
-
#
|
22
|
+
#
|
23
|
+
# Provides a frozen constant manager for the constants defined in
|
24
|
+
# self.add_constants
|
25
|
+
#
|
18
26
|
def self.manager
|
19
27
|
|
20
28
|
# The first check for nil is to potentially skip the need to synchronize
|
@@ -35,6 +43,9 @@ class ApiConstants
|
|
35
43
|
return @@manager
|
36
44
|
end
|
37
45
|
|
46
|
+
#
|
47
|
+
# Slurp in a giant list of known constants.
|
48
|
+
#
|
38
49
|
def self.add_constants(win_const_mgr)
|
39
50
|
win_const_mgr.add_const('MCI_DGV_SETVIDEO_TINT',0x00004003)
|
40
51
|
win_const_mgr.add_const('EVENT_TRACE_FLAG_PROCESS',0x00000001)
|
@@ -0,0 +1,31 @@
|
|
1
|
+
module Rex
|
2
|
+
module Post
|
3
|
+
module Meterpreter
|
4
|
+
module Extensions
|
5
|
+
module Stdapi
|
6
|
+
module Railgun
|
7
|
+
module Def
|
8
|
+
|
9
|
+
class Def_crypt32
|
10
|
+
|
11
|
+
def self.create_dll(dll_path = 'crypt32')
|
12
|
+
dll = DLL.new(dll_path, ApiConstants.manager)
|
13
|
+
|
14
|
+
dll.add_function('CryptUnprotectData', 'BOOL', [
|
15
|
+
['PBLOB','pDataIn', 'in'],
|
16
|
+
['PWCHAR', 'szDataDescr', 'out'],
|
17
|
+
['PBLOB', 'pOptionalEntropy', 'in'],
|
18
|
+
['PDWORD', 'pvReserved', 'in'],
|
19
|
+
['PBLOB', 'pPromptStruct', 'in'],
|
20
|
+
['DWORD', 'dwFlags', 'in'],
|
21
|
+
['PBLOB', 'pDataOut', 'out']
|
22
|
+
])
|
23
|
+
|
24
|
+
return dll
|
25
|
+
end
|
26
|
+
|
27
|
+
end
|
28
|
+
|
29
|
+
end; end; end; end; end; end; end
|
30
|
+
|
31
|
+
|
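Review bot: The `CryptUnprotectData` definition records the signature but not the cleanup the caller owes: as far as I recall the Win32 contract (worth confirming against MSDN), the API LocalAlloc's both the decrypted `pDataOut` buffer and the description string, so a caller that never hands them to `kernel32.LocalFree` leaks in the target process on every call. A comment above the `add_function` call such as `# pDataOut.pbData and the description string are allocated by the API; release both with kernel32.LocalFree after reading them` would prevent that. Two parameter types also diverge from the prototype: `ppszDataDescr` is an `LPWSTR*`, so if railgun returns the contents of a PWCHAR out-buffer the value handed back is a pointer to be dereferenced (e.g. with read_wstring) rather than the string itself, and `pvReserved` is `PVOID` that must be NULL — pointer-sized either way, so that one is cosmetic. It is probably also worth noting in the same comment that DPAPI only unprotects data in the security context it was protected under, so the session's token decides what this call can recover.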
@@ -36,7 +36,7 @@ module Stdapi
|
|
36
36
|
module Railgun
|
37
37
|
|
38
38
|
#
|
39
|
-
#
|
39
|
+
# Represents a DLL, e.g. kernel32.dll
|
40
40
|
#
|
41
41
|
class DLL
|
42
42
|
|
@@ -62,6 +62,15 @@ class DLL
|
|
62
62
|
return functions[name]
|
63
63
|
end
|
64
64
|
|
65
|
+
#
|
66
|
+
# Perform a function call in this DLL on the remote system.
|
67
|
+
#
|
68
|
+
# Returns a Hash containing the return value, the result of GetLastError(),
|
69
|
+
# and any +inout+ parameters.
|
70
|
+
#
|
71
|
+
# Raises an exception if +func_symbol+ is not a known function in this DLL,
|
72
|
+
# i.e., it hasn't been defined in a Def.
|
73
|
+
#
|
65
74
|
def call_function(func_symbol, args, client)
|
66
75
|
func_name = func_symbol.to_s
|
67
76
|
|
@@ -74,22 +83,29 @@ class DLL
|
|
74
83
|
return process_function_call(function, args, client)
|
75
84
|
end
|
76
85
|
|
77
|
-
#
|
78
|
-
#
|
79
|
-
# "DWORD", # return value
|
80
|
-
# [["DWORD","hWnd","in"], # params
|
81
|
-
# ["PWCHAR","lpText","in"],
|
82
|
-
# ["PWCHAR","lpCaption","in"],
|
83
|
-
# ["DWORD","uType","in"],
|
84
|
-
# ])
|
86
|
+
#
|
87
|
+
# Define a function for this DLL.
|
85
88
|
#
|
86
89
|
# Every function argument is described by a tuple (type,name,direction)
|
87
90
|
#
|
88
|
-
#
|
89
|
-
#
|
90
|
-
#
|
91
|
+
# Example:
|
92
|
+
# add_function("MessageBoxW", # name
|
93
|
+
# "DWORD", # return value
|
94
|
+
# [ # params
|
95
|
+
# ["DWORD","hWnd","in"],
|
96
|
+
# ["PWCHAR","lpText","in"],
|
97
|
+
# ["PWCHAR","lpCaption","in"],
|
98
|
+
# ["DWORD","uType","in"],
|
99
|
+
# ])
|
100
|
+
#
|
101
|
+
# Use +windows_name+ when the actual windows name is different from the
|
102
|
+
# ruby variable. You might need to do this for example when the actual
|
103
|
+
# func name is myFunc@4 or when you want to create an alternative version
|
104
|
+
# of an existing function.
|
105
|
+
#
|
106
|
+
# When the new function is called it will return a list containing the
|
107
|
+
# return value and all inout params. See #call_function.
|
91
108
|
#
|
92
|
-
# When new function is called it will return a list containing the return value and all inout params
|
93
109
|
def add_function(name, return_type, params, windows_name=nil)
|
94
110
|
if windows_name == nil
|
95
111
|
windows_name = name
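Review bot: The two new doc blocks disagree about what a railgun call returns: the comment on `call_function` says a Hash with the return value, `GetLastError()` and the inout params, while the comment on `add_function` says "a list containing the return value and all inout params". The shape is decided in `process_function_call`, whose body is outside this hunk, so I cannot tell from here which is right, but one of them will mislead; if the Hash description holds, the `add_function` line should read `# When the new function is called it returns a Hash with the return value, GetLastError() and all inout params. See #call_function.`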
|
@@ -99,7 +115,6 @@ class DLL
|
|
99
115
|
|
100
116
|
private
|
101
117
|
|
102
|
-
# called when a function like "MessageBoxW" is called
|
103
118
|
def process_function_call(function, args, client)
|
104
119
|
raise "#{function.params.length} arguments expected. #{args.length} arguments provided." unless args.length == function.params.length
|
105
120
|
|
@@ -53,13 +53,18 @@ module Railgun
|
|
53
53
|
# The Railgun class to dynamically expose the Windows API.
|
54
54
|
#
|
55
55
|
class Railgun
|
56
|
-
|
57
|
-
#
|
58
|
-
#
|
59
|
-
#
|
60
|
-
#
|
61
|
-
#
|
62
|
-
#
|
56
|
+
|
57
|
+
#
|
58
|
+
# Railgun::DLL's that have builtin definitions.
|
59
|
+
#
|
60
|
+
# If you want to add additional DLL definitions to be preloaded create a
|
61
|
+
# definition class 'rex/post/meterpreter/extensions/stdapi/railgun/def/'.
|
62
|
+
# Naming is important and should follow convention. For example, if your
|
63
|
+
# dll's name was "my_dll"
|
64
|
+
# file name:: def_my_dll.rb
|
65
|
+
# class name:: Def_my_dll
|
66
|
+
# entry below:: 'my_dll'
|
67
|
+
#
|
63
68
|
BUILTIN_DLLS = [
|
64
69
|
'kernel32',
|
65
70
|
'ntdll',
|
@@ -69,30 +74,25 @@ class Railgun
|
|
69
74
|
'advapi32',
|
70
75
|
'shell32',
|
71
76
|
'netapi32',
|
77
|
+
'crypt32'
|
72
78
|
].freeze
|
73
79
|
|
74
80
|
##
|
75
|
-
#
|
76
|
-
#
|
77
|
-
#
|
78
|
-
#
|
79
|
-
# and copies of any frozen dlls (added directly with self.add_function)
|
80
|
-
# that the user attempted to modify with self.add_function
|
81
|
+
# Returns a Hash containing DLLs added to this instance with #add_dll
|
82
|
+
# as well as references to any frozen cached dlls added directly in #get_dll
|
83
|
+
# and copies of any frozen dlls (added directly with #add_function)
|
84
|
+
# that the user attempted to modify with #add_function.
|
81
85
|
#
|
82
86
|
# Keys are friendly DLL names and values are the corresponding DLL instance
|
83
87
|
attr_accessor :dlls
|
84
88
|
|
85
89
|
##
|
86
|
-
# client
|
87
|
-
#
|
88
90
|
# Contains a reference to the client that corresponds to this instance of railgun
|
89
91
|
attr_accessor :client
|
90
92
|
|
91
93
|
##
|
92
|
-
# @@cached_dlls
|
93
|
-
#
|
94
94
|
# These DLLs are loaded lazily and then shared amongst all railgun instances.
|
95
|
-
# For safety reasons this variable should only be read/written within get_dll.
|
95
|
+
# For safety reasons this variable should only be read/written within #get_dll.
|
96
96
|
@@cached_dlls = {}
|
97
97
|
|
98
98
|
# if you are going to touch @@cached_dlls, wear protection
|
@@ -103,20 +103,30 @@ class Railgun
|
|
103
103
|
self.dlls = {}
|
104
104
|
end
|
105
105
|
|
106
|
+
#
|
107
|
+
# Return this Railgun's Util instance.
|
108
|
+
#
|
106
109
|
def util
|
107
110
|
if @util.nil?
|
108
|
-
Util.new(self, client.platform)
|
111
|
+
@util = Util.new(self, client.platform)
|
109
112
|
end
|
110
113
|
|
111
114
|
return @util
|
112
115
|
end
|
113
116
|
|
117
|
+
#
|
118
|
+
# Return this Railgun's WinConstManager instance, initially populated with
|
119
|
+
# constants defined in ApiConstants.
|
120
|
+
#
|
114
121
|
def constant_manager
|
115
122
|
# Loads lazily
|
116
123
|
return ApiConstants.manager
|
117
124
|
end
|
118
125
|
|
119
|
-
#
|
126
|
+
#
|
127
|
+
# Read data from a memory address on the host (useful for working with
|
128
|
+
# LPVOID parameters)
|
129
|
+
#
|
120
130
|
def memread(address, length)
|
121
131
|
|
122
132
|
raise "Invalid parameters." if(not address or not length)
|
@@ -134,7 +144,10 @@ class Railgun
|
|
134
144
|
return nil
|
135
145
|
end
|
136
146
|
|
137
|
-
#
|
147
|
+
#
|
148
|
+
# Write data to a memory address on the host (useful for working with
|
149
|
+
# LPVOID parameters)
|
150
|
+
#
|
138
151
|
def memwrite(address, data, length)
|
139
152
|
|
140
153
|
raise "Invalid parameters." if(not address or not data or not length)
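Review bot: The new header comment on `memwrite` (and the matching one on `memread` in the previous hunk) describes the purpose but not the failure modes a reader will hit: the visible guard raises a bare RuntimeError via `raise "Invalid parameters."`, and because Ruby treats `0` as truthy, `not address` only rejects nil — a zero address or length passes the check. `memread` visibly returns nil on failure, and `memwrite` appears to return false further down (outside this hunk). Something like `# Raises RuntimeError if +address+, +data+ or +length+ is nil (0 is not rejected); returns false if the write fails` on `memwrite`, with the nil equivalent on `memread`, would round the docs out.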
|
@@ -153,9 +166,13 @@ class Railgun
|
|
153
166
|
return false
|
154
167
|
end
|
155
168
|
|
156
|
-
#
|
157
|
-
#
|
158
|
-
#
|
169
|
+
#
|
170
|
+
# Adds a function to an existing DLL definition.
|
171
|
+
#
|
172
|
+
# If the DLL definition is frozen (ideally this should be the case for all
|
173
|
+
# cached dlls) an unfrozen copy is created and used henceforth for this
|
174
|
+
# instance.
|
175
|
+
#
|
159
176
|
def add_function(dll_name, function_name, return_type, params, windows_name=nil)
|
160
177
|
|
161
178
|
unless known_dll_names.include?(dll_name)
|
@@ -176,9 +193,16 @@ class Railgun
|
|
176
193
|
dll.add_function(function_name, return_type, params, windows_name)
|
177
194
|
end
|
178
195
|
|
179
|
-
#
|
180
|
-
#
|
181
|
-
#
|
196
|
+
#
|
197
|
+
# Adds a DLL to this Railgun.
|
198
|
+
#
|
199
|
+
# The +windows_name+ is the name used on the remote system and should be
|
200
|
+
# set appropriately if you want to include a path or the DLL name contains
|
201
|
+
# non-ruby-approved characters.
|
202
|
+
#
|
203
|
+
# Raises an exception if a dll with the given name has already been
|
204
|
+
# defined.
|
205
|
+
#
|
182
206
|
def add_dll(dll_name, windows_name=dll_name)
|
183
207
|
|
184
208
|
if dlls.has_key? dll_name
|
@@ -193,8 +217,11 @@ class Railgun
|
|
193
217
|
return BUILTIN_DLLS | dlls.keys
|
194
218
|
end
|
195
219
|
|
196
|
-
#
|
197
|
-
#
|
220
|
+
#
|
221
|
+
# Attempts to provide a DLL instance of the given name. Handles lazy
|
222
|
+
# loading and caching. Note that if a DLL of the given name does not
|
223
|
+
# exist, returns nil
|
224
|
+
#
|
198
225
|
def get_dll(dll_name)
|
199
226
|
|
200
227
|
# If the DLL is not local, we now either load it from cache or load it lazily.
|
@@ -224,11 +251,13 @@ class Railgun
|
|
224
251
|
return dlls[dll_name]
|
225
252
|
end
|
226
253
|
|
227
|
-
#
|
254
|
+
#
|
255
|
+
# Fake having members like user32 and kernel32.
|
228
256
|
# reason is that
|
229
257
|
# ...user32.MessageBoxW()
|
230
258
|
# is prettier than
|
231
259
|
# ...dlls["user32"].functions["MessageBoxW"]()
|
260
|
+
#
|
232
261
|
def method_missing(dll_symbol, *args)
|
233
262
|
dll_name = dll_symbol.to_s
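Review bot: `method_missing` exposes DLLs as members (`...user32.MessageBoxW()`), but no `respond_to_missing?` accompanies it, so `respond_to?(:user32)` answers false and `method(:user32)` fails even though the call works. The conventional companion, using the `known_dll_names` helper already present in this class, is `def respond_to_missing?(dll_symbol, include_private = false); known_dll_names.include?(dll_symbol.to_s) || super; end`. The body of `method_missing` continues past this hunk.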
|
234
263
|
|
@@ -241,12 +270,16 @@ class Railgun
|
|
241
270
|
return DLLWrapper.new(dll, client)
|
242
271
|
end
|
243
272
|
|
244
|
-
#
|
273
|
+
#
|
274
|
+
# Return a Windows constant matching +str+.
|
275
|
+
#
|
245
276
|
def const(str)
|
246
277
|
return constant_manager.parse(str)
|
247
278
|
end
|
248
279
|
|
280
|
+
#
|
249
281
|
# The multi-call shorthand (["kernel32", "ExitProcess", [0]])
|
282
|
+
#
|
250
283
|
def multi(functions)
|
251
284
|
if @multicaller.nil?
|
252
285
|
@multicaller = MultiCaller.new(client, self)
|
@@ -18,7 +18,7 @@ class Railgun::UnitTest < Test::Unit::TestCase
|
|
18
18
|
# DLLs we know should be available at the time of this writing,
|
19
19
|
# and DLLs that because of changes since then should be available
|
20
20
|
STOCK_DLLS =
|
21
|
-
['kernel32', 'ntdll', 'user32', 'ws2_32',
|
21
|
+
['kernel32', 'ntdll', 'user32', 'ws2_32', 'crypt32',
|
22
22
|
'iphlpapi', 'netapi32', 'advapi32', 'shell32'] | Railgun::BUILTIN_DLLS
|
23
23
|
|
24
24
|
include MockMagic
|
@@ -6,6 +6,10 @@ module Meterpreter
|
|
6
6
|
module Extensions
|
7
7
|
module Stdapi
|
8
8
|
module Railgun
|
9
|
+
|
10
|
+
#
|
11
|
+
# Utility methods and constants for dealing with most types of variables.
|
12
|
+
#
|
9
13
|
class Util
|
10
14
|
|
11
15
|
# Bring in some useful string manipulation utility functions
|
@@ -29,8 +33,10 @@ class Util
|
|
29
33
|
:wchar_t => 2,
|
30
34
|
}
|
31
35
|
|
32
|
-
#
|
33
|
-
#
|
36
|
+
#
|
37
|
+
# Maps a data type to its corresponding primitive or special type
|
38
|
+
# +:pointer+. Note, primitive types are mapped to themselves.
|
39
|
+
#
|
34
40
|
# typedef info: http://msdn.microsoft.com/en-us/library/aa383751(v=vs.85).aspx
|
35
41
|
TYPE_DEFINITIONS = {
|
36
42
|
##
|
@@ -312,7 +318,9 @@ class Util
|
|
312
318
|
@is_64bit = is_64bit_platform?(platform)
|
313
319
|
end
|
314
320
|
|
321
|
+
#
|
315
322
|
# Given a packed pointer, unpacks it according to architecture
|
323
|
+
#
|
316
324
|
def unpack_pointer(packed_pointer)
|
317
325
|
if is_64bit
|
318
326
|
# XXX: Only works if attacker and victim are like-endianed
|
@@ -322,14 +330,15 @@ class Util
|
|
322
330
|
end
|
323
331
|
end
|
324
332
|
|
325
|
-
###
|
326
|
-
# Summary: Returns true if pointer will be considered a 'null' pointer
|
327
333
|
#
|
328
|
-
#
|
329
|
-
#
|
330
|
-
# If
|
334
|
+
# Returns true if +pointer+ will be considered a 'null' pointer.
|
335
|
+
#
|
336
|
+
# If +pointer+ is nil or 0, returns true
|
337
|
+
# If +pointer+ is a String, if 0 after unpacking, returns true
|
331
338
|
# false otherwise
|
332
|
-
|
339
|
+
#
|
340
|
+
# See #unpack_pointer
|
341
|
+
#
|
333
342
|
def is_null_pointer(pointer)
|
334
343
|
if pointer.class == String
|
335
344
|
pointer = unpack_pointer(pointer)
|
@@ -338,12 +347,13 @@ class Util
|
|
338
347
|
return pointer.nil? || pointer == 0
|
339
348
|
end
|
340
349
|
|
341
|
-
###
|
342
|
-
# Summary: Reads null-terminated unicode strings from memory.
|
343
350
|
#
|
344
|
-
#
|
345
|
-
#
|
346
|
-
|
351
|
+
# Reads null-terminated unicode strings from memory.
|
352
|
+
#
|
353
|
+
# Given a pointer to a null terminated array of WCHARs, return a ruby
|
354
|
+
# String. If +pointer+ is NULL (see #is_null_pointer) returns an empty
|
355
|
+
# string.
|
356
|
+
#
|
347
357
|
def read_wstring(pointer, length = nil)
|
348
358
|
# Return an empty string for null pointers
|
349
359
|
if is_null_pointer(pointer)
|
@@ -364,12 +374,12 @@ class Util
|
|
364
374
|
return str
|
365
375
|
end
|
366
376
|
|
367
|
-
###
|
368
|
-
# Summary: Read a given number of bytes from memory or from a provided buffer.
|
369
377
|
#
|
370
|
-
#
|
371
|
-
#
|
372
|
-
|
378
|
+
# Read a given number of bytes from memory or from a provided buffer.
|
379
|
+
#
|
380
|
+
# If +buffer+ is not provided, read +size+ bytes from the client's memory.
|
381
|
+
# If +buffer+ is provided, reads +size+ characters from the index of +address+.
|
382
|
+
#
|
373
383
|
def memread(address, size, buffer = nil)
|
374
384
|
if buffer.nil?
|
375
385
|
return railgun.memread(address, size)
|
@@ -378,12 +388,16 @@ class Util
|
|
378
388
|
end
|
379
389
|
end
|
380
390
|
|
391
|
+
#
|
381
392
|
# Read and unpack a pointer from the given buffer at a given offset
|
393
|
+
#
|
382
394
|
def read_pointer(buffer, offset = 0)
|
383
395
|
unpack_pointer(buffer[offset, (offset + pointer_size)])
|
384
396
|
end
|
385
397
|
|
398
|
+
#
|
386
399
|
# Reads data structures and several windows data types
|
400
|
+
#
|
387
401
|
def read_data(type, position, buffer = nil)
|
388
402
|
if buffer.nil?
|
389
403
|
buffer = memread(position, sizeof_type(type))
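Review bot: `read_pointer` slices with `buffer[offset, (offset + pointer_size)]`, but the second argument of `String#[]` is a length, not an end index, so for any non-zero offset the slice is longer than one pointer; `unpack_pointer` presumably ignores the trailing bytes (a single unpack directive would), which is why this has not bitten, but the intent is `unpack_pointer(buffer[offset, pointer_size])`. The new comment could also say what happens when `offset` lies past the end of `buffer`: the slice is nil and `unpack_pointer(nil)` will most likely raise rather than return 0 — `# +offset+ must lie within +buffer+; an out-of-range offset raises`.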
|
@@ -426,8 +440,11 @@ class Util
|
|
426
440
|
return raw
|
427
441
|
end
|
428
442
|
|
429
|
-
#
|
430
|
-
#
|
443
|
+
#
|
444
|
+
# Read +length+ number of instances of +type+ from +bufptr+ .
|
445
|
+
#
|
446
|
+
# +bufptr+ is an index in +buffer+ or, if +buffer+ is nil, a memory address
|
447
|
+
#
|
431
448
|
def read_array(type, length, bufptr, buffer = nil)
|
432
449
|
if length <= 0
|
433
450
|
return []
|
@@ -448,8 +465,10 @@ class Util
|
|
448
465
|
end
|
449
466
|
end
|
450
467
|
|
451
|
-
#
|
452
|
-
#
|
468
|
+
#
|
469
|
+
# Construct the data structure described in +definition+ from +buffer+
|
470
|
+
# starting from the index +offset+
|
471
|
+
#
|
453
472
|
def read_struct(definition, buffer, offset = 0)
|
454
473
|
data = {}
|
455
474
|
|
@@ -520,7 +539,9 @@ class Util
|
|
520
539
|
raise "Unable to determine size for type #{type}."
|
521
540
|
end
|
522
541
|
|
523
|
-
#
|
542
|
+
#
|
543
|
+
# Calculates the size of +struct+ after alignment.
|
544
|
+
#
|
524
545
|
def sizeof_struct(struct)
|
525
546
|
offsets = struct_offsets(struct, 0)
|
526
547
|
last_data_size = sizeof_type(struct.last[1])
|
@@ -529,9 +550,11 @@ class Util
|
|
529
550
|
return size_no_padding + calc_padding(size_no_padding)
|
530
551
|
end
|
531
552
|
|
532
|
-
#
|
553
|
+
#
|
554
|
+
# Given a description of a data structure, returns an Array containing
|
533
555
|
# the offset from the beginning for each subsequent element, taking into
|
534
|
-
# consideration alignment and padding
|
556
|
+
# consideration alignment and padding.
|
557
|
+
#
|
535
558
|
def struct_offsets(definition, offset)
|
536
559
|
padding = 0
|
537
560
|
offsets = []
|
@@ -558,7 +581,9 @@ class Util
|
|
558
581
|
is_64bit ? 8 : 4
|
559
582
|
end
|
560
583
|
|
561
|
-
#
|
584
|
+
#
|
585
|
+
# Number of bytes that needed to be added to be aligned.
|
586
|
+
#
|
562
587
|
def calc_padding(offset)
|
563
588
|
align = required_alignment
|
564
589
|
|
@@ -571,9 +596,11 @@ class Util
|
|
571
596
|
end
|
572
597
|
end
|
573
598
|
|
599
|
+
#
|
574
600
|
# Given an explicit array definition (e.g. BYTE[23]) return size (e.g. 23) and
|
575
|
-
# and type (e.g. BYTE). If a constant is given, attempt to resolve it
|
576
|
-
# that constant
|
601
|
+
# and +type+ (e.g. BYTE). If a constant is given, attempt to resolve it
|
602
|
+
# that constant.
|
603
|
+
#
|
577
604
|
def split_array_type(type)
|
578
605
|
if type =~ /^(\w+)\[(\w+)\]$/
|
579
606
|
element_type = $1
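Review bot: The regex in `split_array_type`, `/^(\w+)\[(\w+)\]$/`, anchors per line, so a type string with an embedded newline still matches on one of its lines; `\A` and `\z` anchor the whole string: `if type =~ /\A(\w+)\[(\w+)\]\z/`. Types here come from the Def files rather than from the target, so this is a convention point rather than a bug, but whole-string anchors are the Ruby idiom for validation. The method body continues past this hunk.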
|
@@ -595,18 +622,17 @@ class Util
|
|
595
622
|
platform =~ /win64/
|
596
623
|
end
|
597
624
|
|
598
|
-
|
599
|
-
#
|
600
|
-
#
|
601
|
-
# and state of each bit.
|
625
|
+
#
|
626
|
+
# Evaluates a bit field, returning a hash representing the meaning and
|
627
|
+
# state of each bit.
|
602
628
|
#
|
603
629
|
# Parameters:
|
604
|
-
# value
|
605
|
-
# mappings
|
630
|
+
# +value+:: a bit field represented by a Fixnum
|
631
|
+
# +mappings+:: { 'WINAPI_CONSTANT_NAME' => :descriptive_symbol, ... }
|
606
632
|
#
|
607
633
|
# Returns:
|
608
634
|
# { :descriptive_symbol => true/false, ... }
|
609
|
-
|
635
|
+
#
|
610
636
|
def judge_bit_field(value, mappings)
|
611
637
|
flags = {}
|
612
638
|
rg = railgun
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# $Id: server.rb
|
1
|
+
# $Id: server.rb 13577 2011-08-18 00:18:43Z scriptjunkie $
|
2
2
|
|
3
3
|
require 'rex/socket'
|
4
4
|
require 'rex/proto/dhcp'
|
@@ -228,7 +228,7 @@ protected
|
|
228
228
|
spot = spot + optionLen + 2
|
229
229
|
if optionType == 53
|
230
230
|
messageType = optionValue.unpack("C").first
|
231
|
-
elsif optionType == 150
|
231
|
+
elsif optionType == 150 or (optionType == 60 and optionValue.include? "PXEClient")
|
232
232
|
pxeclient = true
|
233
233
|
end
|
234
234
|
end
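Review bot: The extended condition uses the keyword operators `or`/`and`; they are safe in this `elsif` because nothing is assigned, but they bind lower than assignment and bite in other contexts, and `||`/`&&` is the idiom: `elsif optionType == 150 || (optionType == 60 && optionValue.include?("PXEClient"))`. `include?` also matches the vendor class anywhere in the option payload; if the intent is the standard PXE vendor class identifier, which begins with "PXEClient", `start_with?` would be the tighter test. The enclosing option-parsing loop starts before this hunk.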
|
@@ -82,6 +82,10 @@ module DispatcherShell
|
|
82
82
|
shell.update_prompt(prompt, prompt_char, mode)
|
83
83
|
end
|
84
84
|
|
85
|
+
def cmd_help_help
|
86
|
+
print_line "There's only so much I can do"
|
87
|
+
end
|
88
|
+
|
85
89
|
#
|
86
90
|
# Displays the help banner. With no arguments, this is just a list of
|
87
91
|
# all commands grouped by dispatcher. Otherwise, tries to use a method
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: librex
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.47
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -10,10 +10,10 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2011-08-
|
13
|
+
date: 2011-08-21 00:00:00.000000000Z
|
14
14
|
dependencies: []
|
15
15
|
description: Rex provides a variety of classes useful for security testing and exploit
|
16
|
-
development. Based on SVN Revision
|
16
|
+
development. Based on SVN Revision 13604
|
17
17
|
email:
|
18
18
|
- hdm@metasploit.com
|
19
19
|
- jacob.hammack@hammackj.com
|
@@ -239,6 +239,7 @@ files:
|
|
239
239
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb
|
240
240
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/buffer_item.rb.ut.rb
|
241
241
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
|
242
|
+
- lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_crypt32.rb
|
242
243
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_iphlpapi.rb
|
243
244
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
|
244
245
|
- lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
|