psrp 0.0.1

data/lib/transport.rb

@@ -0,0 +1,208 @@
+# encoding: UTF-8
+#
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+
+require_relative "response_handler"
+
+require 'monitor'
+
+module PSRP
+  module HTTP
+
+    # straight copy from WinRM
+    # NTLM/Negotiate, secure, HTTP transport
+    class Negotiate
+
+      DEFAULT_RECEIVE_TIMEOUT = 3600
+      
+      def initialize(endpoint, user, pass, opts)
+        @endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint
+        @httpcli = HTTPClient.new(agent_name: 'Ruby PSRP Client')
+        @httpcli.receive_timeout = DEFAULT_RECEIVE_TIMEOUT
+        @logger = Logging.logger[self]
+        require 'rubyntlm'
+        #p "USING HTTP NEGOTIATE"
+
+        # Deleting SSPI authentication
+        auths = @httpcli.www_auth.instance_variable_get('@authenticator')
+        auths.delete_if { |i| i.is_a? HTTPClient::SSPINegotiateAuth }
+
+        user_parts = user.split('\\')
+        if(user_parts.length > 1)
+          opts[:domain] = user_parts[0]
+          user = user_parts[1]
+        end
+
+        @ntlmcli = Net::NTLM::Client.new(user, pass, opts)
+        @retryable = true
+        no_ssl_peer_verification! if opts[:no_ssl_peer_verification]
+        @ssl_peer_fingerprint = opts[:ssl_peer_fingerprint]
+        @httpcli.ssl_config.set_trust_ca(opts[:ca_trust_path]) if opts[:ca_trust_path]
+
+      end
+
+      # Disable SSL Peer Verification
+      def no_ssl_peer_verification!
+        @httpcli.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+
+      # SSL Peer Fingerprint Verification prior to connecting
+      def ssl_peer_fingerprint_verification!
+        return unless @ssl_peer_fingerprint && ! @ssl_peer_fingerprint_verified
+
+        with_untrusted_ssl_connection do |connection|
+          connection_cert = connection.peer_cert_chain.last
+          verify_ssl_fingerprint(connection_cert)
+        end
+        @logger.info("initial ssl fingerprint #{@ssl_peer_fingerprint} verified\n")
+        @ssl_peer_fingerprint_verified = true
+        no_ssl_peer_verification!
+      end
+
+      # Connect without verification to retrieve untrusted ssl context
+      def with_untrusted_ssl_connection
+        noverify_peer_context = OpenSSL::SSL::SSLContext.new
+        noverify_peer_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        tcp_connection = TCPSocket.new(@endpoint.host, @endpoint.port)
+        begin
+          ssl_connection = OpenSSL::SSL::SSLSocket.new(tcp_connection, noverify_peer_context)
+          ssl_connection.connect
+          yield ssl_connection
+        ensure
+          tcp_connection.close
+        end
+      end
+
+      # compare @ssl_peer_fingerprint to current ssl context
+      def verify_ssl_fingerprint(cert)
+        return unless @ssl_peer_fingerprint
+        conn_fingerprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
+        return unless @ssl_peer_fingerprint.casecmp(conn_fingerprint) != 0
+        fail "ssl fingerprint mismatch!!!!\n"
+      end
+
+      # HTTP Client receive timeout. How long should a remote call wait for a
+      # for a response from WinRM?
+      def receive_timeout=(sec)
+        @httpcli.receive_timeout = sec
+      end
+
+      def receive_timeout
+        @httpcli.receive_timeout
+      end
+
+
+      def send_request(message, auth_header = nil)
+        ssl_peer_fingerprint_verification!
+        auth_header = init_auth if @ntlmcli.session.nil?
+
+        original_length = message.length
+
+        emessage = @ntlmcli.session.seal_message message
+        signature = @ntlmcli.session.sign_message message
+        seal = "\x10\x00\x00\x00#{signature}#{emessage}"
+        
+        hdr = {
+          "Content-Type" => "multipart/encrypted;protocol=\"application/HTTP-SPNEGO-session-encrypted\";boundary=\"Encrypted Boundary\""
+        }
+        hdr.merge!(auth_header) if auth_header
+
+        # p hdr
+
+        body = [
+          "--Encrypted Boundary",
+          "Content-Type: application/HTTP-SPNEGO-session-encrypted",
+          "OriginalContent: type=application/soap+xml;charset=UTF-8;Length=#{original_length}",
+          "--Encrypted Boundary",
+          "Content-Type: application/octet-stream",
+          "#{seal}--Encrypted Boundary--",
+          ""
+        ].join("\r\n")
+
+        @logger.debug("\nOut-Message\n\n")
+        doc = REXML::Document.new message
+        out = ""
+        doc.write(out, 2)
+        @logger.debug(out)
+        @logger.debug("\n\n")
+
+        resp = @httpcli.post(@endpoint, body, hdr)
+        verify_ssl_fingerprint(resp.peer_cert)
+        if resp.status == 401 && @retryable
+          @retryable = false
+          send_request(message, init_auth)
+        else
+          
+                    
+          @retryable = true
+          decrypted_body = resp.body.empty? ? '' : decrypt(resp.body)
+          handler = PSRP::ResponseHandler.new(decrypted_body, resp.status)
+          data = handler.parse_to_xml()
+          
+          @logger.debug("Response data\n\n")
+          doc = REXML::Document.new decrypted_body
+          out = ""
+          doc.write(out, 2)
+          @logger.debug(out)
+          
+          data
+        end
+      end
+
+      private
+
+      def decrypt(str)
+        str.force_encoding('BINARY')
+        str.sub!(/^.*Content-Type: application\/octet-stream\r\n(.*)--Encrypted.*$/m, '\1')
+
+        signature = str[4..19]
+        message = @ntlmcli.session.unseal_message str[20..-1]
+        if @ntlmcli.session.verify_signature(signature, message)
+          message
+        else
+          raise PSRP::PSRPError, "Could not verify SOAP message."
+        end
+      end
+
+      def init_auth
+        auth1 = @ntlmcli.init_context
+        hdr = {"Authorization" => "Negotiate #{auth1.encode64}",
+               "Content-Type" => "application/soap+xml;charset=UTF-8"
+        }
+        @logger.debug("Sending HTTP POST for Negotiate Authentication")
+        r = @httpcli.post(@endpoint, "", hdr)
+        verify_ssl_fingerprint(r.peer_cert)
+        itok = r.header["WWW-Authenticate"].pop.split.last
+        binding = r.peer_cert.nil? ? nil : Net::NTLM::ChannelBinding.create(r.peer_cert)
+        auth3 = @ntlmcli.init_context(itok, binding)
+        { "Authorization" => "Negotiate #{auth3.encode64}" }
+      end
+
+      def log_soap_message(message)
+        return unless @logger.debug?
+        xml_msg = REXML::Document.new(message)
+        formatter = REXML::Formatters::Pretty.new(2)
+        formatter.compact = true
+        formatter.write(xml_msg, @logger)
+        @logger.debug("\n")
+      rescue StandardError => e
+        @logger.debug("Couldn't log SOAP request/response: #{e.message} - #{message}")
+      end
+    end
+  end
+end
+

data/lib/version.rb

@@ -0,0 +1,7 @@
+# encoding: UTF-8
+
+# PSRP module
+module PSRP
+  # The version of the PSRP library
+  VERSION = '0.0.1'
+end

data/lib/wsmv/command_output_processor.rb

@@ -0,0 +1,153 @@
+# encoding: UTF-8
+#
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'commands/receive'
+
+module PSRP
+
+  module WSMV
+    # Class to handle getting all the output of a command until it completes
+    class CommandOutputProcessor
+      
+      attr :msgs
+
+      INPUT_REQUIRED = [
+        PSRP::Message::MESSAGE_TYPES[:PIPELINE_HOST_CALL],
+        PSRP::Message::MESSAGE_TYPES[:RUNSPACEPOOL_HOST_CALL]
+      ]
+
+      # Creates a new command output processor
+      # @param connection_opts [ConnectionOpts] The WinRM connection options
+      # @param transport [HttpTransport] The WinRM SOAP transport
+      # @param out_opts [Hash] Additional output options
+      def initialize(connection_opts, transport, out_opts = {})
+        @connection_opts = connection_opts
+        @transport = transport
+        @out_opts = out_opts
+        @has_error = false
+        @command_done = false
+        @input_required = false
+        @msgs = {}
+      end
+
+      # Gets the command output from the remote shell
+      # @param shell_id [UUID] The remote shell id running the command
+      # @param command_id [UUID] The command id to get output for
+      # @param block Optional callback for any output
+      def command_output(shell_id, command_id, reset = false)
+        if reset == true
+          @has_error = false
+          @command_done = false
+          @input_required = false
+        end
+
+        out_message = command_output_message(shell_id, command_id)
+        resp_doc = send_get_output_message(out_message)
+        streams(resp_doc)
+        @command_done = REXML::XPath.match(
+          resp_doc,
+          "//*[@State='http://schemas.microsoft.com/wbem/wsman/1/windows/shell/" \
+          "CommandState/Done']").any?
+        resp_doc
+      end
+
+      def command_output_message(shell_id, command_id)
+        cmd_out_opts = {
+          shell_id: shell_id
+        }.merge(@out_opts)
+        if command_id
+          cmd_out_opts[:command_id] = command_id
+        end
+        PSRP::WSMV::ReceiveOutput.new(@connection_opts, cmd_out_opts).build
+      end
+
+      def send_get_output_message(message)
+        resp_doc = @transport.send_request(message)
+      rescue PSRP::WSManFault => e
+        # If no output is available before the wsman:OperationTimeout expires,
+        # the server MUST return a WSManFault with the Code attribute equal to
+        # 2150858793. When the client receives this fault, it SHOULD issue
+        # another Receive request.
+        # http://msdn.microsoft.com/en-us/library/cc251676.aspx
+        if e.fault_code == '2150858793'
+          retry
+        else
+          raise
+        end
+      end
+
+      def exit_code(resp_doc)
+        REXML::XPath.first(resp_doc, "//#{NS_WIN_SHELL}:ExitCode").text.to_i
+      end
+
+      def streams(resp_doc)
+        REXML::XPath.match(resp_doc, "//#{PSRP::WSMV::NS_WIN_SHELL}:Stream").each do |n|
+          next if n.text.nil? || n.text.empty?
+          msg = decode(n.text)
+          if not @msgs.has_key? msg.message_id
+            @msgs[msg.message_id] = []
+          end
+          @msgs[msg.message_id].push(msg)
+          if INPUT_REQUIRED.include? msg.message_type
+            @input_required = true
+          elsif msg.message_type == PSRP::Message::MESSAGE_TYPES[:ERROR_RECORD]
+            @has_error = true
+          end
+        end
+      end
+
+      # Defragment Messages
+      def defragmented
+        datas = {}
+        @msgs.each do |msg_id, msg_list|
+          msg_list.sort do |a, b|
+            a.fragment_id <=> b.fragment_id
+          end
+          unfragmented = msg_list.inject('') do |data, msg|
+            data += msg.data
+          end
+          datas[msg_id] = {
+            message_type: msg_list[0].message_type,
+            data: unfragmented,
+          }
+        end
+        datas
+      end
+
+      def has_error?
+        @has_error
+      end
+
+      def input_required?
+        @input_required
+      end
+
+      def command_done?
+        @command_done
+      end
+
+      # Decode the raw PSRP output into decoded and human consumable object
+      
+      # @param raw_output [String] The raw encoded output
+      # @return [String] The decoded output
+      def decode(raw_output)
+        # TODO: Add better decoding based on MS-PSRP 2.2.5
+        PSRP::MessageDecoder.new(raw_output)
+      end
+    end
+  end
+end

data/lib/wsmv/commands/base.rb

@@ -0,0 +1,293 @@
+# encoding: UTF-8
+#
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative '../psrp_message'
+
+module Iso8601Duration
+  # Convert the number of seconds to an ISO8601 duration format
+  # @see http://tools.ietf.org/html/rfc2445#section-4.3.6
+  # @param [Fixnum] seconds The amount of seconds for this duration
+  def self.sec_to_dur(seconds)
+    seconds = seconds.to_i
+    iso_str = 'P'
+    if seconds > 604_800 # more than a week
+      weeks = seconds / 604_800
+      seconds -= (604_800 * weeks)
+      iso_str << "#{weeks}W"
+    end
+    if seconds > 86_400 # more than a day
+      days = seconds / 86_400
+      seconds -= (86_400 * days)
+      iso_str << "#{days}D"
+    end
+    if seconds > 0
+      iso_str << 'T'
+      if seconds > 3600 # more than an hour
+        hours = seconds / 3600
+        seconds -= (3600 * hours)
+        iso_str << "#{hours}H"
+      end
+      if seconds > 60 # more than a minute
+        minutes = seconds / 60
+        seconds -= (60 * minutes)
+        iso_str << "#{minutes}M"
+      end
+      iso_str << "#{seconds}S"
+    end
+
+    iso_str
+  end
+end
+
+module PSRP
+  module WSMV
+    # Base class for all WSMV message classes
+
+    NS_SOAP_ENV    = 's'   # http://www.w3.org/2003/05/soap-envelope
+    NS_ADDRESSING  = 'a'   # http://schemas.xmlsoap.org/ws/2004/08/addressing
+    NS_CIMBINDING  = 'b'   # http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd
+    NS_ENUM        = 'n'   # http://schemas.xmlsoap.org/ws/2004/09/enumeration
+    NS_TRANSFER    = 'x'   # http://schemas.xmlsoap.org/ws/2004/09/transfer
+    NS_WSMAN_DMTF  = 'w'   # http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
+    NS_WSMAN_MSFT  = 'p'   # http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd
+    NS_SCHEMA_INST = 'xsi' # http://www.w3.org/2001/XMLSchema-instance
+    NS_WIN_SHELL   = 'rsp' # http://schemas.microsoft.com/wbem/wsman/1/windows/shell
+    NS_WSMAN_FAULT = 'f'   # http://schemas.microsoft.com/wbem/wsman/1/wsmanfault
+    NS_WSMAN_CONF  = 'cfg' # http://schemas.microsoft.com/wbem/wsman/1/config
+
+    # WSMan URI of the regular Windows cmd shell
+    RESOURCE_URI_CMD = 'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd'
+      
+    # WSMan URI for PowerShell
+    RESOURCE_URI_POWERSHELL = 'http://schemas.microsoft.com/powershell/Microsoft.PowerShell'
+
+    class Base
+
+      # Builds the WSMV message XML payload
+      def build
+        builder = Builder::XmlMarkup.new
+        builder.instruct!(:xml, encoding: 'UTF-8')
+        builder.tag! :env, :Envelope, namespaces do |env|
+          env.tag!(:env, :Header) do |env_header|
+            create_header(env_header)
+          end
+          env.tag!(:env, :Body) do |env_body|
+            create_body(env_body)
+          end
+        end
+      end
+
+      def namespaces
+        @namespaces ||= {
+          'xmlns:xsd' => 'http://www.w3.org/2001/XMLSchema',
+          'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
+          'xmlns:env' => 'http://www.w3.org/2003/05/soap-envelope',
+          "xmlns:#{NS_ADDRESSING}" => 'http://schemas.xmlsoap.org/ws/2004/08/addressing',
+          "xmlns:#{NS_CIMBINDING}" => 'http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd',
+          "xmlns:#{NS_ENUM}" => 'http://schemas.xmlsoap.org/ws/2004/09/enumeration',
+          "xmlns:#{NS_TRANSFER}" => 'http://schemas.xmlsoap.org/ws/2004/09/transfer',
+          "xmlns:#{NS_WSMAN_DMTF}" => 'http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd',
+          "xmlns:#{NS_WSMAN_MSFT}" => 'http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd',
+          "xmlns:#{NS_WIN_SHELL}" => 'http://schemas.microsoft.com/wbem/wsman/1/windows/shell',
+          "xmlns:#{NS_WSMAN_CONF}" => 'http://schemas.microsoft.com/wbem/wsman/1/config'
+        }
+      end
+
+      protected
+
+      def create_header
+        fail 'create_header must be implemented'
+      end
+
+      def create_body
+        fail 'create_body must be implemented'
+      end
+
+      def encode_bytes(bytes)
+        Base64.strict_encode64(bytes.pack('C*'))
+      end
+
+      # Merge the various header hashes and make sure we carry all of the attributes
+      # through instead of overwriting them.
+      def merge_headers(*headers)
+        hdr = {}
+        headers.each do |h|
+          hdr.merge!(h) do |k, v1, v2|
+            v1.merge!(v2) if k == :attributes!
+          end
+        end
+        hdr
+      end
+
+      def shared_headers(session_opts)
+        {
+          "#{NS_ADDRESSING}:To" => "#{session_opts[:endpoint]}",
+          "#{NS_ADDRESSING}:ReplyTo" => {
+            "#{NS_ADDRESSING}:Address" =>
+              'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous',
+            :attributes! => {
+              "#{NS_ADDRESSING}:Address" => {
+                'mustUnderstand' => true
+              }
+            }
+          },
+          "#{NS_WSMAN_DMTF}:MaxEnvelopeSize" => session_opts[:max_envelope_size],
+          "#{NS_ADDRESSING}:MessageID" => "uuid:#{SecureRandom.uuid.to_s.upcase}",
+          "#{NS_WSMAN_MSFT}:SessionId" => "uuid:#{session_opts[:session_id]}",
+          "#{NS_WSMAN_DMTF}:Locale/" => '',
+          "#{NS_WSMAN_MSFT}:DataLocale/" => '',
+          # "#{NS_WSMAN_DMTF}:OperationTimeout" =>
+          #   Iso8601Duration.sec_to_dur(session_opts[:operation_timeout]),
+          :attributes! => {
+            "#{NS_WSMAN_DMTF}:MaxEnvelopeSize" => { 'mustUnderstand' => true },
+            "#{NS_WSMAN_DMTF}:Locale/" => {
+              'xml:lang' => session_opts[:locale], 'mustUnderstand' => false
+            },
+            "#{NS_WSMAN_MSFT}:DataLocale/" => {
+              'xml:lang' => session_opts[:locale], 'mustUnderstand' => false
+            },
+            "#{NS_WSMAN_MSFT}:SessionId" => { 'mustUnderstand' => false }
+          }
+        }
+      end
+
+      # Helper methods for SOAP Headers
+
+      def resource_uri_shell(shell_uri)
+        {
+          "#{NS_WSMAN_DMTF}:ResourceURI" => shell_uri, :attributes! => {
+            "#{NS_WSMAN_DMTF}:ResourceURI" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def resource_uri_cmd
+        resource_uri_shell(RESOURCE_URI_CMD)
+      end
+
+      def resource_uri_wmi(namespace = 'root/cimv2/*')
+        {
+          "#{NS_WSMAN_DMTF}:ResourceURI" =>
+          "http://schemas.microsoft.com/wbem/wsman/1/wmi/#{namespace}",
+          :attributes! => {
+            "#{NS_WSMAN_DMTF}:ResourceURI" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_create
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.xmlsoap.org/ws/2004/09/transfer/Create',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_delete
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_command
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_send
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Send',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_receive
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_signal
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def action_enumerate
+        {
+          "#{NS_ADDRESSING}:Action" =>
+          'http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate',
+          :attributes! => {
+            "#{NS_ADDRESSING}:Action" => {
+              'mustUnderstand' => true
+            }
+          }
+        }
+      end
+
+      def selector_shell_id(shell_id)
+        {
+          "#{NS_WSMAN_DMTF}:SelectorSet" => {
+            "#{NS_WSMAN_DMTF}:Selector" => shell_id, :attributes! => {
+              "#{NS_WSMAN_DMTF}:Selector" => {
+                'Name' => 'ShellId'
+              }
+            }
+          }
+        }
+      end
+    end
+  end
+end