librex 0.0.51 → 0.0.52

data/README.markdown

@@ -3,7 +3,7 @@
 A non-official re-packaging of the Rex library as a gem for easy of usage of the Metasploit REX framework in a non Metasploit application. I received permission from HDM to create this package.
 
 Currently based on:
-SVN Revision: 13694
+SVN Revision: 13798
 
 # Credits
 The Metasploit development team <http://www.metasploit.com>

data/lib/rex/exploitation/jsobfu.rb

@@ -1,8 +1,7 @@
 ##
-# $Id: jsobfu.rb 12843 2011-06-03 17:52:34Z egypt $
+# $Id: jsobfu.rb 13761 2011-09-19 23:01:26Z jduck $
 ##
 
-$:.unshift("lib")
 require 'rex/text'
 require 'rkelly'
 

data/lib/rex/parser/acunetix_nokogiri.rb

@@ -190,7 +190,7 @@ module Rex
 			return unless @state[:fullurl].kind_of? URI
 			return unless @state[:form_variables].kind_of? Array
 			return if @state[:form_variables].empty?
-			method = @state[:form_variables].first[1]
+			method = parse_method(@state[:form_variables].first[1])
 			vars = @state[:form_variables].map {|x| x[0]}
 			form_info = {}
 			form_info[:web_site] = @state[:web_site]
@@ -276,6 +276,17 @@ module Rex
 			parsed
 		end
 
+		# Don't cause the web report to die just because we can't tell
+		# what method was used -- default to GET. Sometimes it's just "POST," and
+		# sometimes it's "URL encoded POST," and sometimes it might be something
+		# else.
+		def parse_method(meth)
+			verbs = "(GET|POST|PATH)"
+			real_method = meth.match(/^\s*#{verbs}/)
+			real_method ||= meth.match(/\s*#{verbs}\s*$/)
+			( real_method && real_method[1] ) ? real_method[1] : "GET"
+		end
+
 		def report_host(&block)
 			return unless @report_data[:host]
 			return unless in_tag("Scan")

data/lib/rex/pescan/analyze.rb

@@ -134,9 +134,50 @@ module Analyze
 				LoaderFlags
 				NumberOfRvaAndSizes
 			})
+
 			$stdout.puts tbl.to_s
 			$stdout.puts "\n\n"
 
+			# Get DllCharacteristics (in Integer)
+			dllcharacteristics = pe.hdr.opt.struct[23].value
+
+			if (dllcharacteristics > 0)
+				tbl = table("DllCharacteristics", ['Flag', 'Value'])
+
+				# http://msdn.microsoft.com/en-us/library/ms680339(v=vs.85).aspx
+				traits = {
+					:ASLR      => 'False',  #IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
+					:Integrity => 'False',  #IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
+					:NX        => 'False',  #IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+					:Isolation => 'False',  #IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
+					:SEH       => 'False',  #IMAGE_DLLCHARACTERISTICS_NO_SEH
+					:Bind      => 'False',  #IMAGE_DLLCHARACTERISTICS_NO_BIND
+					:WDM       => 'False',  #IMAGE_DLLCHARACTERISTICS_WDM_DRIVER
+					:Terminal  => 'False'   #IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
+				}
+
+				# Convert integer to an bit array
+				c_bits = ("%32d" %dllcharacteristics.to_s(2)).split('').map { |e| e.to_i }.reverse
+
+				# Check characteristics
+				traits[:ASLR]      = 'True' if c_bits[6]  == 1  #0x0040
+				traits[:Integrity] = 'True' if c_bits[7]  == 1  #0x0080
+				traits[:NX]        = 'True' if c_bits[8]  == 1  #0x0100
+				traits[:Isolation] = 'True' if c_bits[9]  == 1  #0x0200
+				traits[:SEH]       = 'True' if c_bits[10] == 1  #0x0400
+				traits[:Bind]      = 'True' if c_bits[11] == 1  #0x0800
+				traits[:WDM]       = 'True' if c_bits[13] == 1  #2000
+				traits[:Terminal]  = 'True' if c_bits[15] == 1  #0x8000
+
+				# Putting results to table
+				traits.each do |trait_name, trait_value|
+					tbl << [trait_name, trait_value]
+				end
+
+				$stdout.puts tbl.to_s
+				$stdout.puts "\n\n"
+			end
+
 			if (pe.exports)
 				tbl = table("Exported Functions", ['Ordinal', 'Name', 'Address'])
 				pe.exports.entries.each do |ent|
@@ -146,13 +187,28 @@ module Analyze
 				$stdout.puts "\n\n"
 			end
 
+			# Rex::PeParsey::Pe doesn't seem to give us any offset information for each function,
+			# which makes it difficult to calculate the actual addresses for them. So instead we
+			# are using Metasm::COFF::ImportDirectory to do this task.  The ability to see
+			# addresses is mainly for ROP.
 			if (pe.imports)
-				tbl = table("Imported Functions", ['Library', 'Ordinal', 'Name'])
-				pe.imports.each do |lib|
-					lib.entries.each do |ent|
-						tbl << [lib.name, ent.ordinal, ent.name]
+				tbl = table("Imported Functions", ['Library', 'Address', 'Ordinal', 'Name'])
+				exefmt = Metasm::AutoExe.orshellcode{ Metasm.const_get('x86_64').new }
+				exe = exefmt.decode_file(pe._isource.file.path)
+				ibase = pe.image_base
+				exe_imports = exe.imports
+				exe_imports.each do |lib|
+					lib_name   = lib.libname
+					ini_offset = lib.iat_p
+					func_table = lib.imports
+					offset     = 0
+					func_table.each do |func|
+						func_addr = "0x%08x" %(ibase + ini_offset + offset)
+						tbl << [lib_name, func_addr, func.hint, func.name]
+						offset += 4
 					end
 				end
+
 				$stdout.puts tbl.to_s
 				$stdout.puts "\n\n"
 			end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb

@@ -73,7 +73,7 @@ class Console::CommandDispatcher::Priv::Timestomp
 				when "-e"
 					emodified = str_to_time(val)
 				when "-z"
-					puts "#{val}"
+					print_line("#{val}")
 					modified  = str_to_time(val)
 					accessed  = str_to_time(val)
 					creation  = str_to_time(val)
@@ -129,4 +129,4 @@ end
 end
 end
 end
-end
+end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/sniffer.rb

@@ -91,7 +91,7 @@ class Console::CommandDispatcher::Sniffer
 		stats = client.sniffer.capture_stats(intf)
 		print_status("Capture statistics for interface #{intf}")
 		stats.each_key do |k|
-			puts "\t#{k}: #{stats[k]}"
+			print_line("\t#{k}: #{stats[k]}")
 		end
 		
 		return true		

data/lib/rex/proto/dhcp/server.rb

@@ -1,4 +1,4 @@
-# $Id: server.rb 13639 2011-08-25 22:48:33Z scriptjunkie $
+# $Id: server.rb 13779 2011-09-23 15:12:19Z scriptjunkie $
 
 require 'rex/socket'
 require 'rex/proto/dhcp'
@@ -275,7 +275,6 @@ protected
 				return
 			end
 		elsif messageType == DHCPRequest #DHCP Request - send DHCP ACK
-			self.served[buf[28..43]][1] = true # mark as requested
 			pkt << [DHCPAck].pack('C')
 			# now we ignore their discovers (but we'll respond to requests in case a packet was lost)
 			if ( self.served_over != 0 )
@@ -322,6 +321,9 @@ protected
 
 		pkt << ("\x00" * 32) #padding
 
+		# And now we mark as requested
+		self.served[buf[28..43]][1] = true if messageType == DHCPRequest
+
 		send_packet(nil, pkt)
 	end
 

data/lib/rex/ropbuilder/rop.rb

@@ -15,7 +15,7 @@ class RopBase
 
 	def to_csv(gadgets = [])
 		if gadgets.empty? and @gadgets.nil? or @gadgets.empty?
-			print_error("No gadgets collected to convert to CSV format.")
+			@stdio.print_error("No gadgets collected to convert to CSV format.")
 			return
 		end
 
@@ -45,14 +45,25 @@ class RopBase
 		begin
 			data = File.new(file, 'r').read
 		rescue
-			print_error("Error reading #{file}")
+			@stdio.print_error("Error reading #{file}")
+			return []
+		end
+
+		if data.empty? or data.nil?
+			return []
 		end
 
 		data.gsub!(/\"/, '')
 		data.gsub!("Address,Raw,Disassembly\n", '')
+
 		@gadgets = []
+		
 		data.each_line do |line|
 			addr, raw, disasm = line.split(',', 3)
+			if addr.nil? or raw.nil? or disasm.nil?
+				@stdio.print_error("Import file format corrupted")
+				return []
+			end
 			disasm.gsub!(/: /, ":\t")
 			disasm.gsub!(' | ', "\n")
 			raw = [raw].pack('H*')
@@ -77,6 +88,7 @@ end
 
 class RopCollect < RopBase
 	def initialize(file="")
+		@stdio = Rex::Ui::Text::Output::Stdio.new
 		@file = file if not file.empty?
 		@bin = Metasm::AutoExe.decode_file(file) if not file.empty?
 		@disassembler = @bin.disassembler if not @bin.nil?
@@ -254,4 +266,4 @@ class RopCollect < RopBase
 	end
 end
 end
-end
+end

data/lib/rex/socket.rb

@@ -152,27 +152,26 @@ module Socket
 	#
 	def self.getaddress(addr, accept_ipv6 = true)
 		begin
-		
 			if dotted_ip?(addr)
 				return addr
 			end
-			
+
 			res = ::Socket.gethostbyname(addr)
 			return nil if not res
-			
+
 			# Shift the first three elements out
 			rname  = res.shift
 			ralias = res.shift
 			rtype  = res.shift
-			
-			# Reject IPv6 addresses if we don't accept them			
+
+			# Reject IPv6 addresses if we don't accept them
 			if not accept_ipv6
 				res.reject!{|nbo| nbo.length != 4}
 			end
-			
+
 			# Make sure we have at least one name
-			return nil if res.length == 0			
-			
+			return nil if res.length == 0
+
 			# Return the first address of the result
 			self.addr_ntoa( res[0] )
 		rescue ::ArgumentError # Win32 bug
@@ -236,10 +235,10 @@ module Socket
 		addr_ntoi(resolv_nbo(host))
 	end
 
-	# 
+	#
 	# Converts an ASCII IP address to a CIDR mask. Returns
 	# nil if it's not convertable.
-	# 
+	#
 	def self.addr_atoc(mask)
 		mask_i = resolv_nbo_i(mask)
 		cidr = nil
@@ -476,7 +475,7 @@ module Socket
 	##
 
 	#
-	# This method does NOT send any traffic to the destination, instead, it uses a 
+	# This method does NOT send any traffic to the destination, instead, it uses a
 	# "bound" UDP socket to determine what source address we would use to
 	# communicate with the specified destination. The destination defaults to
 	# Google's DNS server to make the standard behavior determine which IP
@@ -491,14 +490,14 @@ module Socket
 			)
 			r = s.getsockname[1]
 			s.close
-			
+
 			# Trim off the trailing interface ID for link-local IPv6
 			return r.split('%').first
 		rescue ::Exception
 			return '127.0.0.1'
 		end
 	end
-	
+
 	#
 	# Identifies the link-local address of a given interface (if IPv6 is enabled)
 	#
@@ -507,10 +506,10 @@ module Socket
 		return if not (r and r =~ /^fe80/i)
 		r
 	end
-	
+
 	#
 	# Identifies the mac address of a given interface (if IPv6 is enabled)
-	#	
+	#
 	def self.ipv6_mac(intf)
 		r = ipv6_link_address(intf)
 		return if not r

data/lib/rex/text.rb

@@ -862,7 +862,7 @@ module Text
 		0.upto(len-1) do |i|
 			setnum = i % sets.size
 
-			puts counter.inspect
+			#puts counter.inspect
 		end
 
 		return buf

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: librex
 version: !ruby/object:Gem::Version
-  version: 0.0.51
+  version: 0.0.52
   prerelease: 
 platform: ruby
 authors:
@@ -10,10 +10,10 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-09-05 00:00:00.000000000Z
+date: 2011-09-27 00:00:00.000000000Z
 dependencies: []
 description: Rex provides a variety of classes useful for security testing and exploit
-  development. Based on SVN Revision 13694
+  development. Based on SVN Revision 13798
 email:
 - hdm@metasploit.com
 - jacob.hammack@hammackj.com