librex 0.0.70 → 0.0.71

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MTE3MDlmNTgwOWY2ZjUyYjVlZTY4Y2I2ZjM2YTQ0OTAwNjIwNWYyMQ==
-  data.tar.gz: !binary |-
-    YmQyNDM3OTQzNjY5OGE5ZGY1MTIxNGIwZDE4NTU3MGRmYmM3NDg0OA==
+SHA1:
+  metadata.gz: ba1abe4c2b8ac1bdcaf2d07b087f8b9a772b8df1
+  data.tar.gz: cd3019d0c19e33a256a59a45a686b77de93a31b4
 SHA512:
-  metadata.gz: !binary |-
-    ODk4OTk1ODQwODRiZTMyMDRhZjAyM2U5MWNhNzdjNDBjM2M4OTBhNjM5MDJm
-    YjhkZDAxNTAzZmZlOTg3OTA1YmNkOGQwYjAxMzE4MGZiOWZkZTQ0ZTY4YTBm
-    OWFjOWZmZTA4NWJmNjlmMzE1OWY2OTE0NDEwOWI5YTU1MTJhMWI=
-  data.tar.gz: !binary |-
-    ZWRkMmZkMjJlZDkxMDgxZGMzYThlZjVhNmFlZWI2N2Q1YWYwNzNlYjBhOTFl
-    YzQ4MjNlYjQwZDk1NmVhYjQxNTcxOGE1NDMwYzM2YmRiN2VjNjVjZGFjMTMy
-    MDRhOTFiNzUyNmRmM2ZiZTcyMzEzMThjMWM3MWFjODQ1ZDM4NzM=
+  metadata.gz: f1404ce46d3e817ec9f4d0e2797b1e0f72e5fe487cd0ccf8505dd2b71b3ac7efda51469b79c0f5c10f1f3d477b6da5808d9a70b59c060c25512dc157258b6c0b
+  data.tar.gz: 8255db5895f34f62923de6220e9a79b06203f3685422e19d6095a6be6a2cc97e754deff4b040ca391100d5b1b842345cbe936d5898b5d75c4bdb6808cc1da3d5

data/README.markdown

@@ -1,17 +1,12 @@
 # Rex
 
-An re-packaging of the Rex library included in the Metasploit Framework for use by non-Metasploit applications. Originally created by Jacob Hammack and 
-made official by the Rapid7 development team. The upstream of this package is the rex subdirectory of https://github.com/rapid7/metasploit-framework
+An re-packaging of the Rex library included in the Metasploit Framework for use by non-Metasploit applications. Originally created by Jacob Hammack and made official by the Rapid7 development team. The upstream of this package is the rex subdirectory of https://github.com/rapid7/metasploit-framework
 
-Currently based on:
-SVN Revision: 15951
+Currently based on Metasploit master branch 2014-07-15
 
-# Notes
-
-This gem takes a ridiculously long time to generate documentation. We recommend using the following command to install this gem:
-
-$ gem install --no-ri --no-rdoc librex
 
+$ gem install librex
 # Credits
-The Rapid7 Metasploit team <http://www.metasploit.com>
+The Metasploit Community
 Jacob Hammack <https://github.com/hammackj>
+Rapid7 <http://www.rapid7.com/>

data/Rakefile

@@ -92,7 +92,7 @@ task :update do
 	
 	system "git commit -a -m \"Updated at #{Time.now.strftime("%Y-%m-%d")}\" &> /dev/null"
 	puts "[*] Commiting and pushing updates"
-	system "git push origin mnaster"
+	system "git push origin master"
 
 	rescue ::Exception
 		$stderr.puts "[-] Error: #{$!.class} #{$!} #{$!.backtrace}"

data/lib/rex/arch.rb

@@ -49,7 +49,7 @@ module Arch
       when ARCH_X86
         [addr].pack('V')
       when ARCH_X86_64
-        [addr].pack('Q')
+        [addr].pack('Q<')
       when ARCH_MIPS # ambiguous
         [addr].pack('N')
       when ARCH_MIPSBE

data/lib/rex/encoder/bloxor/bloxor.rb

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 require 'rex/poly/machine'
 

data/lib/rex/encoder/ndr.rb

@@ -28,7 +28,7 @@ module NDR
   # use to encode:
   #       byte element_1;
   def NDR.byte(string)
-    return [string].pack('c')
+    return [string].pack('C')
   end
 
   # Encode a byte array

data/lib/rex/exploitation/heaplib.rb

@@ -88,8 +88,10 @@ protected
 
     if opts[:newobfu]
       # Obfuscate the javascript using the new lexer method
-      @js = JSObfu.new(@js)
-      return @js.obfuscate
+      js_obfu = JSObfu.new(@js)
+      js_obfu.obfuscate
+      @js = js_obfu.to_s
+      return @js
     elsif opts[:noobfu]
       # Do not obfuscate, let the exploit do the work (useful to avoid double obfuscation)
       return @js

data/lib/rex/exploitation/powershell.rb

@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/powershell/output'
+require 'rex/exploitation/powershell/parser'
+require 'rex/exploitation/powershell/obfu'
+require 'rex/exploitation/powershell/param'
+require 'rex/exploitation/powershell/function'
+require 'rex/exploitation/powershell/script'
+require 'rex/exploitation/powershell/psh_methods'
+
+module Rex
+  module Exploitation
+    module Powershell
+      #
+      # Reads script into a PowershellScript
+      #
+      # @param script_path [String] Path to the Script File
+      #
+      # @return [Script] Powershell Script object
+      def self.read_script(script_path)
+        Rex::Exploitation::Powershell::Script.new(script_path)
+      end
+
+      #
+      # Insert substitutions into the powershell script
+      # If script is a path to a file then read the file
+      # otherwise treat it as the contents of a file
+      #
+      # @param script [String] Script file or path to script
+      # @param subs [Array] Substitutions to insert
+      #
+      # @return [String] Modified script file
+      def self.make_subs(script, subs)
+        if ::File.file?(script)
+          script = ::File.read(script)
+        end
+
+        subs.each do |set|
+          script.gsub!(set[0], set[1])
+        end
+
+        script
+      end
+
+      #
+      # Return an array of substitutions for use in make_subs
+      #
+      # @param subs [String] A ; seperated list of substitutions
+      #
+      # @return [Array] An array of substitutions
+      def self.process_subs(subs)
+        return [] if subs.nil? or subs.empty?
+        new_subs = []
+        subs.split(';').each do |set|
+          new_subs << set.split(',', 2)
+        end
+
+        new_subs
+      end
+    end
+  end
+end

data/lib/rex/exploitation/powershell/function.rb

@@ -0,0 +1,63 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+module Powershell
+  class Function
+    FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+    PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
+    attr_accessor :code, :name, :params
+
+    include Output
+    include Parser
+    include Obfu
+
+    def initialize(name, code)
+      @name = name
+      @code = code
+      populate_params
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell function
+    def to_s
+      "function #{name} #{code}"
+    end
+
+    #
+    # Identify the parameters from the code and
+    # store as Param in @params
+    #
+    def populate_params
+      @params = []
+      start = code.index(PARAMETER_REGEX)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(', code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+
+      matches = pclause.scan(FUNCTION_REGEX)
+
+      # Ignore assignment, create params with class and variable names
+      matches.each do |param|
+        klass = nil
+        name = nil
+        param.each do |value|
+          if value
+            if klass
+              name = value
+              @params << Param.new(klass, name)
+              break
+            else
+              klass = value
+            end
+          end
+        end
+      end
+    end
+  end
+end
+end
+end

data/lib/rex/exploitation/powershell/obfu.rb

@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Obfu
+    MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+    SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+    WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+    UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+    WHITESPACE_REGEX = Regexp.new(/\s+/)
+    EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
+
+    #
+    # Remove comments
+    #
+    # @return [String] code without comments
+    def strip_comments
+      # Multi line
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
+      # Single line
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
+
+      code
+    end
+
+    #
+    # Remove empty lines
+    #
+    # @return [String] code without empty lines
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
+      # UNIX EOL
+      code.gsub!(UNIX_EOL_REGEX, "\n")
+
+      code
+    end
+
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    # @return [String] code with whitespace stripped
+    def strip_whitespace
+      code.gsub!(WHITESPACE_REGEX, ' ')
+
+      code
+    end
+
+    #
+    # Identify variables and replace them
+    #
+    # @return [String] code with variable names replaced with unique values
+    def sub_vars
+      # Get list of variables, remove reserved
+      get_var_names.each do |var, _sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
+      end
+
+      code
+    end
+
+    #
+    # Identify function names and replace them
+    #
+    # @return [String] code with function names replaced with unique
+    #   values
+    def sub_funcs
+      # Find out function names, make map
+      get_func_names.each do |var, _sub|
+        code.gsub!(var, @rig.init_var(var))
+      end
+
+      code
+    end
+
+    #
+    # Perform standard substitutions
+    #
+    # @return [String] code with standard substitution methods applied
+    def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        send(modifier)
+      end
+      code.gsub!(EMPTY_LINE_REGEX, '')
+
+      code
+    end
+  end # Obfu
+end
+end
+end

data/lib/rex/exploitation/powershell/output.rb

@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+module Powershell
+  module Output
+    #
+    # To String
+    #
+    # @return [String] Code
+    def to_s
+      code
+    end
+
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    # @return [String] Powershell code with line numbers
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line, idx|
+        numbered << "#{idx}: #{line}"
+      end
+
+      numbered
+    end
+
+    #
+    # Return a zlib compressed powershell code wrapped in decode stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+                                                  ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << '$s.ReadByte();'
+      psh_expression << '$s.ReadByte();'
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.DeflateStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Return Base64 encoded powershell code
+    #
+    # @return [String] Base64 encoded powershell code
+    def encode_code
+      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+    end
+
+    #
+    # Return a gzip compressed powershell code wrapped in decoder stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
+    def gzip_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.GzipStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
+
+      # If eof is set, add a marker to signify end of code output
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip (default) or deflate
+    #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    #
+    # @return [String] Compressed code wrapped in decompression stub
+    def compress_code(eof = nil, gzip = true)
+      @code = gzip ? gzip_code(eof) : deflate_code(eof)
+    end
+
+    #
+    # Reverse the compression process
+    # Try gzip, inflate if that fails
+    #
+    # @return [String] Decompressed powershell code
+    def decompress_code
+      # Extract substring with payload
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      unencoded = Rex::Text.decode_base64(encoded_stream)
+      begin
+        @code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+      rescue Zlib::GzipFile::Error
+        begin
+          @code = Rex::Text.zlib_inflate(unencoded)
+        rescue Zlib::DataError => e
+          raise RuntimeError, 'Invalid compression'
+        end
+      end
+
+      @code
+    end
+  end
+end
+end
+end