librex 0.0.70 → 0.0.71

Files changed (59) hide show
  1. checksums.yaml +5 -13
  2. data/README.markdown +5 -10
  3. data/Rakefile +1 -1
  4. data/lib/rex/arch.rb +1 -1
  5. data/lib/rex/encoder/bloxor/bloxor.rb +1 -0
  6. data/lib/rex/encoder/ndr.rb +1 -1
  7. data/lib/rex/exploitation/heaplib.rb +4 -2
  8. data/lib/rex/exploitation/powershell.rb +62 -0
  9. data/lib/rex/exploitation/powershell/function.rb +63 -0
  10. data/lib/rex/exploitation/powershell/obfu.rb +98 -0
  11. data/lib/rex/exploitation/powershell/output.rb +151 -0
  12. data/lib/rex/exploitation/powershell/param.rb +23 -0
  13. data/lib/rex/exploitation/powershell/parser.rb +183 -0
  14. data/lib/rex/exploitation/powershell/psh_methods.rb +70 -0
  15. data/lib/rex/exploitation/powershell/script.rb +99 -0
  16. data/lib/rex/exploitation/ropdb.rb +1 -0
  17. data/lib/rex/mac_oui.rb +1 -0
  18. data/lib/rex/ole/util.rb +2 -2
  19. data/lib/rex/parser/group_policy_preferences.rb +185 -0
  20. data/lib/rex/parser/outpost24_nokogiri.rb +1 -0
  21. data/lib/rex/poly/machine.rb +1 -0
  22. data/lib/rex/poly/machine/machine.rb +1 -0
  23. data/lib/rex/poly/machine/x86.rb +1 -0
  24. data/lib/rex/post/meterpreter/extensions/android/android.rb +128 -0
  25. data/lib/rex/post/meterpreter/extensions/android/tlv.rb +40 -0
  26. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb +32 -0
  27. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb +6 -6
  28. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb +4 -4
  29. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +2 -1
  30. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb +4 -4
  31. data/lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb +4 -4
  32. data/lib/rex/post/meterpreter/packet.rb +3 -3
  33. data/lib/rex/post/meterpreter/ui/console.rb +2 -0
  34. data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +383 -0
  35. data/lib/rex/proto/dcerpc/ndr.rb +1 -1
  36. data/lib/rex/proto/ipmi/channel_auth_reply.rb +1 -0
  37. data/lib/rex/proto/ipmi/open_session_reply.rb +1 -0
  38. data/lib/rex/proto/ipmi/rakp2.rb +1 -0
  39. data/lib/rex/proto/natpmp/packet.rb +8 -8
  40. data/lib/rex/proto/ntp.rb +3 -0
  41. data/lib/rex/proto/ntp/constants.rb +12 -0
  42. data/lib/rex/proto/ntp/modes.rb +130 -0
  43. data/lib/rex/proto/pjl.rb +1 -0
  44. data/lib/rex/proto/pjl/client.rb +1 -0
  45. data/lib/rex/proto/sip.rb +4 -0
  46. data/lib/rex/proto/sip/response.rb +61 -0
  47. data/lib/rex/proto/smb/exceptions.rb +11 -3
  48. data/lib/rex/random_identifier_generator.rb +1 -0
  49. data/lib/rex/registry/lfkey.rb +1 -1
  50. data/lib/rex/registry/nodekey.rb +10 -10
  51. data/lib/rex/registry/valuekey.rb +5 -5
  52. data/lib/rex/registry/valuelist.rb +1 -1
  53. data/lib/rex/socket/ip.rb +1 -0
  54. data/lib/rex/sslscan/result.rb +1 -0
  55. data/lib/rex/sslscan/scanner.rb +1 -0
  56. data/lib/rex/text.rb +2 -13
  57. data/lib/rex/ui/text/output/buffer/stdout.rb +1 -0
  58. data/lib/rex/ui/text/table.rb +4 -4
  59. metadata +23 -4
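--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-metadata.gz: !binary |-
-MTE3MDlmNTgwOWY2ZjUyYjVlZTY4Y2I2ZjM2YTQ0OTAwNjIwNWYyMQ==
-data.tar.gz: !binary |-
-YmQyNDM3OTQzNjY5OGE5ZGY1MTIxNGIwZDE4NTU3MGRmYmM3NDg0OA==
+SHA1:
+metadata.gz: ba1abe4c2b8ac1bdcaf2d07b087f8b9a772b8df1
+data.tar.gz: cd3019d0c19e33a256a59a45a686b77de93a31b4
 SHA512:
-metadata.gz: !binary |-
-ODk4OTk1ODQwODRiZTMyMDRhZjAyM2U5MWNhNzdjNDBjM2M4OTBhNjM5MDJm
-YjhkZDAxNTAzZmZlOTg3OTA1YmNkOGQwYjAxMzE4MGZiOWZkZTQ0ZTY4YTBm
-OWFjOWZmZTA4NWJmNjlmMzE1OWY2OTE0NDEwOWI5YTU1MTJhMWI=
-data.tar.gz: !binary |-
-ZWRkMmZkMjJlZDkxMDgxZGMzYThlZjVhNmFlZWI2N2Q1YWYwNzNlYjBhOTFl
-YzQ4MjNlYjQwZDk1NmVhYjQxNTcxOGE1NDMwYzM2YmRiN2VjNjVjZGFjMTMy
-MDRhOTFiNzUyNmRmM2ZiZTcyMzEzMThjMWM3MWFjODQ1ZDM4NzM=
+metadata.gz: f1404ce46d3e817ec9f4d0e2797b1e0f72e5fe487cd0ccf8505dd2b71b3ac7efda51469b79c0f5c10f1f3d477b6da5808d9a70b59c060c25512dc157258b6c0b
+data.tar.gz: 8255db5895f34f62923de6220e9a79b06203f3685422e19d6095a6be6a2cc97e754deff4b040ca391100d5b1b842345cbe936d5898b5d75c4bdb6808cc1da3d5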
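--- a/data/README.markdown
+++ b/data/README.markdown
@@ -1,17 +1,12 @@
 # Rex
 
-An re-packaging of the Rex library included in the Metasploit Framework for use by non-Metasploit applications. Originally created by Jacob Hammack and
-made official by the Rapid7 development team. The upstream of this package is the rex subdirectory of https://github.com/rapid7/metasploit-framework
+An re-packaging of the Rex library included in the Metasploit Framework for use by non-Metasploit applications. Originally created by Jacob Hammack and made official by the Rapid7 development team. The upstream of this package is the rex subdirectory of https://github.com/rapid7/metasploit-framework
 
-Currently based on:
-SVN Revision: 15951
+Currently based on Metasploit master branch 2014-07-15
 
-# Notes
-
-This gem takes a ridiculously long time to generate documentation. We recommend using the following command to install this gem:
-
-$ gem install --no-ri --no-rdoc librex
 
+$ gem install librex
 # Credits
-The Rapid7 Metasploit team <http://www.metasploit.com>
+The Metasploit Community
 Jacob Hammack <https://github.com/hammackj>
+Rapid7 <http://www.rapid7.com/>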
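--- a/data/Rakefile
+++ b/data/Rakefile
@@ -92,7 +92,7 @@ task :update do
 
 system "git commit -a -m \"Updated at #{Time.now.strftime("%Y-%m-%d")}\" &> /dev/null"
 puts "[*] Commiting and pushing updates"
-system "git push origin mnaster"
+system "git push origin master"
 
 rescue ::Exception
 $stderr.puts "[-] Error: #{$!.class} #{$!} #{$!.backtrace}"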
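Review bot: The result of the corrected `system "git push origin master"` is discarded, and `system` signals a failing command by returning false rather than raising, so a rejected push never reaches the `rescue ::Exception` below it and the task ends without reporting the failure; check it explicitly, `raise "git push failed" unless system("git push origin master")`. The `rescue ::Exception` also swallows Interrupt and SystemExit, so `rescue StandardError` is the safer choice for this error-reporting branch. The enclosing `task :update` block starts outside the hunk.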
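--- a/data/lib/rex/arch.rb
+++ b/data/lib/rex/arch.rb
@@ -49,7 +49,7 @@ module Arch
 when ARCH_X86
 [addr].pack('V')
 when ARCH_X86_64
-[addr].pack('Q')
+[addr].pack('Q<')
 when ARCH_MIPS # ambiguous
 [addr].pack('N')
 when ARCH_MIPSBE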
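--- a/data/lib/rex/encoder/bloxor/bloxor.rb
+++ b/data/lib/rex/encoder/bloxor/bloxor.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 require 'rex/poly/machine'
 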
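--- a/data/lib/rex/encoder/ndr.rb
+++ b/data/lib/rex/encoder/ndr.rb
@@ -28,7 +28,7 @@ module NDR
 # use to encode:
 # byte element_1;
 def NDR.byte(string)
-return [string].pack('c')
+return [string].pack('C')
 end
 
 # Encode a byte array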
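Review bot: The new `[string].pack('C')` still performs no range check: an Integer outside 0..255 is silently reduced modulo 256, so an out-of-range value is encoded as the wrong byte instead of failing. If callers can pass computed values, guard first, `raise ArgumentError, "byte out of range: #{string}" unless (0..255).include?(string)`. The parameter name `string` is misleading for an argument that `pack('C')` requires to be an Integer (a String raises TypeError here); renaming it to `value` in a follow-up would help readers. The diffstat lists a matching +1 -1 change to data/lib/rex/proto/dcerpc/ndr.rb, which presumably carries the same fix but is not visible on this page.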
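--- a/data/lib/rex/exploitation/heaplib.rb
+++ b/data/lib/rex/exploitation/heaplib.rb
@@ -88,8 +88,10 @@ protected
 
 if opts[:newobfu]
 # Obfuscate the javascript using the new lexer method
-@js = JSObfu.new(@js)
-return @js.obfuscate
+js_obfu = JSObfu.new(@js)
+js_obfu.obfuscate
+@js = js_obfu.to_s
+return @js
 elsif opts[:noobfu]
 # Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
 return @js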
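--- /dev/null
+++ b/data/lib/rex/exploitation/powershell.rb
@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/powershell/output'
+require 'rex/exploitation/powershell/parser'
+require 'rex/exploitation/powershell/obfu'
+require 'rex/exploitation/powershell/param'
+require 'rex/exploitation/powershell/function'
+require 'rex/exploitation/powershell/script'
+require 'rex/exploitation/powershell/psh_methods'
+
+module Rex
+module Exploitation
+module Powershell
+#
+# Reads script into a PowershellScript
+#
+# @param script_path [String] Path to the Script File
+#
+# @return [Script] Powershell Script object
+def self.read_script(script_path)
+Rex::Exploitation::Powershell::Script.new(script_path)
+end
+
+#
+# Insert substitutions into the powershell script
+# If script is a path to a file then read the file
+# otherwise treat it as the contents of a file
+#
+# @param script [String] Script file or path to script
+# @param subs [Array] Substitutions to insert
+#
+# @return [String] Modified script file
+def self.make_subs(script, subs)
+if ::File.file?(script)
+script = ::File.read(script)
+end
+
+subs.each do |set|
+script.gsub!(set[0], set[1])
+end
+
+script
+end
+
+#
+# Return an array of substitutions for use in make_subs
+#
+# @param subs [String] A ; seperated list of substitutions
+#
+# @return [Array] An array of substitutions
+def self.process_subs(subs)
+return [] if subs.nil? or subs.empty?
+new_subs = []
+subs.split(';').each do |set|
+new_subs << set.split(',', 2)
+end
+
+new_subs
+end
+end
+end
+end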
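Review bot: `script.gsub!(set[0], set[1])` on line 39 raises TypeError whenever a substitution pair has no replacement, which `process_subs` produces for any `;`-separated entry lacking a comma (`'foo'.split(',', 2)` yields a one-element array); skip or reject such entries, e.g. `next if set.size < 2` ahead of the gsub!, or validate them in `process_subs`. The in-place `gsub!` also mutates the caller's string when `script` is passed as content rather than a path; `script = script.dup` after the file check, or a non-bang `gsub` with reassignment, avoids that surprise. `subs.nil? or subs.empty?` on line 52 relies on the low-precedence `or`; `||` is the conventional form in a condition.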
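--- /dev/null
+++ b/data/lib/rex/exploitation/powershell/function.rb
@@ -0,0 +1,63 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+class Function
+FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
+attr_accessor :code, :name, :params
+
+include Output
+include Parser
+include Obfu
+
+def initialize(name, code)
+@name = name
+@code = code
+populate_params
+end
+
+#
+# To String
+#
+# @return [String] Powershell function
+def to_s
+"function #{name} #{code}"
+end
+
+#
+# Identify the parameters from the code and
+# store as Param in @params
+#
+def populate_params
+@params = []
+start = code.index(PARAMETER_REGEX)
+return unless start
+# Get start of our block
+idx = scan_with_index('(', code[start..-1]).first.last + start
+pclause = block_extract(idx)
+
+matches = pclause.scan(FUNCTION_REGEX)
+
+# Ignore assignment, create params with class and variable names
+matches.each do |param|
+klass = nil
+name = nil
+param.each do |value|
+if value
+if klass
+name = value
+@params << Param.new(klass, name)
+break
+else
+klass = value
+end
+end
+end
+end
+end
+end
+end
+end
+end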
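Review bot: `PARAMETER_REGEX` on line 8 has no word boundary, so `populate_params` latches onto the first `param(` or `param (` anywhere in `code`, including the tail of a longer identifier such as `$myparam(` or text inside a string literal, and then extracts the wrong block; `PARAMETER_REGEX = Regexp.new(/\bparam\s*\(/i)` keeps the two accepted spellings while dropping the `m` flag, which has no effect without a `.` in the pattern. `Regexp.new(/.../)` on lines 7-8 wraps literals that are already Regexp objects, so the literals alone suffice. The local `name = nil` on line 46 shadows the `name` accessor declared on line 9 for the rest of `populate_params`; a distinct name such as `var_name` avoids the confusion.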
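--- /dev/null
+++ b/data/lib/rex/exploitation/powershell/obfu.rb
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+module Obfu
+MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+WHITESPACE_REGEX = Regexp.new(/\s+/)
+EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
+
+#
+# Remove comments
+#
+# @return [String] code without comments
+def strip_comments
+# Multi line
+code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
+# Single line
+code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
+
+code
+end
+
+#
+# Remove empty lines
+#
+# @return [String] code without empty lines
+def strip_empty_lines
+# Windows EOL
+code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
+# UNIX EOL
+code.gsub!(UNIX_EOL_REGEX, "\n")
+
+code
+end
+
+#
+# Remove whitespace
+# This can break some codes using inline .NET
+#
+# @return [String] code with whitespace stripped
+def strip_whitespace
+code.gsub!(WHITESPACE_REGEX, ' ')
+
+code
+end
+
+#
+# Identify variables and replace them
+#
+# @return [String] code with variable names replaced with unique values
+def sub_vars
+# Get list of variables, remove reserved
+get_var_names.each do |var, _sub|
+code.gsub!(var, "$#{@rig.init_var(var)}")
+end
+
+code
+end
+
+#
+# Identify function names and replace them
+#
+# @return [String] code with function names replaced with unique
+# values
+def sub_funcs
+# Find out function names, make map
+get_func_names.each do |var, _sub|
+code.gsub!(var, @rig.init_var(var))
+end
+
+code
+end
+
+#
+# Perform standard substitutions
+#
+# @return [String] code with standard substitution methods applied
+def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
+# Save us the trouble of breaking injected .NET and such
+subs.delete('strip_whitespace') unless get_string_literals.empty?
+# Run selected modifiers
+subs.each do |modifier|
+send(modifier)
+end
+code.gsub!(EMPTY_LINE_REGEX, '')
+
+code
+end
+end # Obfu
+end
+end
+end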
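Review bot: `standard_subs` mutates a caller-supplied `subs` array through `subs.delete('strip_whitespace')` on line 86 and then hands every remaining string to `send(modifier)` on line 89, which will invoke any method of the including object, private ones included, rather than only the modifiers this module defines. Copy the list and check each name before dispatching: `subs = subs.dup`, then `raise ArgumentError, "unknown modifier #{modifier}" unless %w(strip_comments strip_empty_lines strip_whitespace sub_funcs sub_vars).include?(modifier)` ahead of the `send`. Separately, `strip_empty_lines` on lines 33-40 collapses runs of line breaks into a single `\r\n` rather than removing empty lines, and once the first gsub! has run the second one on line 37 can no longer change anything; the YARD comment on line 32 should describe the CRLF normalisation it actually performs.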
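--- /dev/null
+++ b/data/lib/rex/exploitation/powershell/output.rb
@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+module Output
+#
+# To String
+#
+# @return [String] Code
+def to_s
+code
+end
+
+#
+# Returns code size
+#
+# @return [Integer] Code size
+def size
+code.size
+end
+
+#
+# Return code with numbered lines
+#
+# @return [String] Powershell code with line numbers
+def to_s_lineno
+numbered = ''
+code.split(/\r\n|\n/).each_with_index do |line, idx|
+numbered << "#{idx}: #{line}"
+end
+
+numbered
+end
+
+#
+# Return a zlib compressed powershell code wrapped in decode stub
+#
+# @param eof [String] End of file identifier to append to code
+#
+# @return [String] Zlib compressed powershell code wrapped in
+# decompression stub
+def deflate_code(eof = nil)
+# Compress using the Deflate algorithm
+compressed_stream = ::Zlib::Deflate.deflate(code,
+::Zlib::BEST_COMPRESSION)
+
+# Base64 encode the compressed file contents
+encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+# Build the powershell expression
+# Decode base64 encoded command and create a stream object
+psh_expression = '$s=New-Object IO.MemoryStream(,'
+psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+# Read & delete the first two bytes due to incompatibility with MS
+psh_expression << '$s.ReadByte();'
+psh_expression << '$s.ReadByte();'
+# Uncompress and invoke the expression (execute)
+psh_expression << 'IEX (New-Object IO.StreamReader('
+psh_expression << 'New-Object IO.Compression.DeflateStream('
+psh_expression << '$s,'
+psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+psh_expression << ')).ReadToEnd();'
+
+# If eof is set, add a marker to signify end of code output
+# if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+psh_expression << "echo '#{eof}';" if eof
+
+@code = psh_expression
+end
+
+#
+# Return Base64 encoded powershell code
+#
+# @return [String] Base64 encoded powershell code
+def encode_code
+@code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+end
+
+#
+# Return a gzip compressed powershell code wrapped in decoder stub
+#
+# @param eof [String] End of file identifier to append to code
+#
+# @return [String] Gzip compressed powershell code wrapped in
+# decompression stub
+def gzip_code(eof = nil)
+# Compress using the Deflate algorithm
+compressed_stream = Rex::Text.gzip(code)
+
+# Base64 encode the compressed file contents
+encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+# Build the powershell expression
+# Decode base64 encoded command and create a stream object
+psh_expression = '$s=New-Object IO.MemoryStream(,'
+psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+# Uncompress and invoke the expression (execute)
+psh_expression << 'IEX (New-Object IO.StreamReader('
+psh_expression << 'New-Object IO.Compression.GzipStream('
+psh_expression << '$s,'
+psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+psh_expression << ')).ReadToEnd();'
+
+# If eof is set, add a marker to signify end of code output
+# if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+psh_expression << "echo '#{eof}';" if eof
+
+@code = psh_expression
+end
+
+#
+# Compresses script contents with gzip (default) or deflate
+#
+# @param eof [String] End of file identifier to append to code
+# @param gzip [Boolean] Whether to use gzip compression or deflate
+#
+# @return [String] Compressed code wrapped in decompression stub
+def compress_code(eof = nil, gzip = true)
+@code = gzip ? gzip_code(eof) : deflate_code(eof)
+end
+
+#
+# Reverse the compression process
+# Try gzip, inflate if that fails
+#
+# @return [String] Decompressed powershell code
+def decompress_code
+# Extract substring with payload
+encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+# Decode and decompress the string
+unencoded = Rex::Text.decode_base64(encoded_stream)
+begin
+@code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+rescue Zlib::GzipFile::Error
+begin
+@code = Rex::Text.zlib_inflate(unencoded)
+rescue Zlib::DataError => e
+raise RuntimeError, 'Invalid compression'
+end
+end
+
+@code
+end
+end
+end
+end
+end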
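Review bot: `to_s_lineno` on lines 30-37 appends each numbered line without a terminator, so every line runs into the next in the returned string; `numbered << "#{idx}: #{line}\n"` restores the line structure the method's comment promises. In `deflate_code` and `gzip_code` the `eof` marker is interpolated into a single-quoted PowerShell string on lines 70 and 110, so an `eof` containing a single quote breaks the generated expression; doubling quotes (`eof.gsub("'", "''")`) or restricting `eof` to the fixed-length identifier the commented-out line 69 hints at keeps the stub well-formed. `decompress_code` passes `encoded_stream` to `decode_base64` on line 135 without checking that the scan on line 133 matched, so code lacking a `FromBase64String(` stub fails inside the decoder instead of with a clear error, and the rescued `e` on line 141 is never used.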