psrp 0.0.1

data/lib/wsmv/commands/close_shell.rb

@@ -0,0 +1,48 @@
+# encoding: utf-8 
+#
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'base'
+
+module PSRP
+  module WSMV
+    # WSMV message to close a remote shell
+    class CloseShell < Base
+      def initialize(session_opts, shell_id)
+        @session_opts = session_opts
+        @shell_id = shell_id
+      end
+
+      protected
+
+      def create_header(header)
+        header << Gyoku.xml(close_header)
+      end
+
+      def create_body(_body)
+        # no body
+      end
+
+      private
+
+      def close_header
+        merge_headers(shared_headers(@session_opts),
+                      resource_uri_shell(RESOURCE_URI_POWERSHELL),
+                      action_delete,
+                      selector_shell_id(@shell_id))
+      end
+    end
+  end
+end

data/lib/wsmv/commands/create_pipeline.rb

@@ -0,0 +1,64 @@
+# encoding: utf-8
+#
+# Copyright 2016 Matt Wrock <matt@mattwrock.com>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'base'
+
+module PSRP
+  module WSMV
+    # WSMV message to execute a command via psrp
+    class CreatePipeline < Base
+      attr_accessor :shell_id
+
+      def initialize(session_opts, shell_id, pipeline)
+        @session_opts = session_opts
+        @shell_id = shell_id
+        @pipeline = pipeline
+      end
+
+      protected
+
+      def create_header(header)
+        header << Gyoku.xml(command_headers)
+      end
+
+      def create_body(body)
+        body.tag!("#{NS_WIN_SHELL}:CommandLine") do |cl|
+          cl << Gyoku.xml(command_body)
+        end
+      end
+
+      private
+
+      # MS-PSRP 3.1.5.3.3
+      # MS-PSRP 2.2.2.10
+      def command_body
+        {
+          "#{NS_WIN_SHELL}:Command" => '',
+          "#{NS_WIN_SHELL}:Arguments" => encode_bytes(@pipeline)
+        }
+      end
+      
+      
+      def command_headers
+        merge_headers(shared_headers(@session_opts),
+                      resource_uri_shell(RESOURCE_URI_POWERSHELL),
+                      action_command,
+                      selector_shell_id(shell_id))
+      end
+    end
+  end
+end

data/lib/wsmv/commands/init_runspace_pool.rb

@@ -0,0 +1,92 @@
+# encoding: utf-8
+#
+# Copyright 2016 Matt Wrock <matt@mattwrock.com>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'base'
+
+module PSRP
+  module WSMV
+
+
+    # WSMV message to create a remote shell
+    class InitRunspacePool < Base
+      attr_accessor :shell_id
+
+      def initialize(session_opts)
+        @session_opts = session_opts
+        @shell_id = SecureRandom.uuid.to_s.upcase
+      end
+
+      protected
+
+      def create_header(header)
+        header << Gyoku.xml(shell_headers)
+      end
+
+      def create_body(body)
+        body.tag!("#{NS_WIN_SHELL}:Shell") { |s| s << Gyoku.xml(shell_body) }
+      end
+
+      private
+
+      def shell_body
+        body = {
+          "#{NS_WIN_SHELL}:InputStreams" => 'stdin pr',
+          "#{NS_WIN_SHELL}:OutputStreams" => 'stdout'
+        }
+        session_capabilities = PSRP::MessageEncoder.new(shell_id, nil, :SESSION_CAPABILITY)
+        runspace_init = PSRP::MessageEncoder.new(shell_id, nil, :INIT_RUNSPACEPOOL)
+        body['creationXml'] = encode_bytes(session_capabilities.fragments[0] + runspace_init.fragments[0])
+        body[:attributes!] = {
+          'creationXml' => {
+            'xmlns' => 'http://schemas.microsoft.com/powershell'
+          }
+        }
+        body
+      end
+
+      def header_opts
+        {
+          "#{NS_WSMAN_DMTF}:OptionSet" => {
+            "#{NS_WSMAN_DMTF}:Option" => 2.1,
+            :attributes! => {
+              "#{NS_WSMAN_DMTF}:Option" => {
+                'Name' => 'protocolversion',
+                'MustComply' => 'true'
+              }
+            }
+          },
+          :attributes! => {
+            "#{NS_WSMAN_DMTF}:OptionSet" => {
+              'env:mustUnderstand' => 'true'
+            }
+          }
+        }
+      end
+
+      def shell_headers
+        merge_headers(shared_headers(@session_opts),
+                      resource_uri_shell(RESOURCE_URI_POWERSHELL),
+                      header_opts,
+                      action_create,
+                      selector_shell_id(shell_id))
+
+      end
+
+   
+    end
+  end
+end

data/lib/wsmv/commands/receive.rb

@@ -0,0 +1,81 @@
+# encoding: utf-8 
+#
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'base'
+
+module PSRP
+  module WSMV
+    # WSMV message to get output from a remote shell
+    class ReceiveOutput < Base
+      def initialize(session_opts, command_out_opts)
+        @session_opts = session_opts
+        @shell_id = command_out_opts[:shell_id]
+        @command_id = command_out_opts[:command_id]
+        @shell_uri = command_out_opts[:shell_uri] || RESOURCE_URI_POWERSHELL
+        @out_streams = command_out_opts[:out_streams] || %w(stdout)
+      end
+
+      protected
+
+      def create_header(header)
+        header << Gyoku.xml(output_header)
+      end
+
+      def create_body(body)
+        body.tag!("#{NS_WIN_SHELL}:Receive") { |cl| cl << Gyoku.xml(output_body) }
+      end
+
+      private
+
+      def output_header
+        merge_headers(shared_headers(@session_opts),
+                      resource_uri_shell(@shell_uri),
+                      action_receive,
+                      header_opts,
+                      selector_shell_id(@shell_id)
+                  )
+      end
+
+      def header_opts
+        {
+          "#{NS_WSMAN_DMTF}:OptionSet" => {
+            "#{NS_WSMAN_DMTF}:Option" => 'TRUE', :attributes! => {
+              "#{NS_WSMAN_DMTF}:Option" => { 
+               'Name' => 'WSMAN_CMDSHELL_OPTION_KEEPALIVE'
+              }
+            }
+          },
+          "#{NS_WSMAN_DMTF}:OperationTimeout" => 'PT20.000S'
+        }
+      end
+
+      def output_body
+        if @command_id
+          {
+            "#{NS_WIN_SHELL}:DesiredStream" => @out_streams.join(' '), :attributes! => {
+              "#{NS_WIN_SHELL}:DesiredStream" => {
+                'CommandId' => @command_id
+              }
+            }
+          }
+        else
+          { "#{NS_WIN_SHELL}:DesiredStream" => 'stdout' }
+        end
+      end
+    end
+  end
+end

data/lib/wsmv/commands/send_data.rb

@@ -0,0 +1,64 @@
+# encoding: utf-8 
+#
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative 'base'
+
+module PSRP
+  module WSMV
+    class SendData < Base
+
+      def initialize(session_opts, shell_id, command_id, pipeline)
+        @session_opts = session_opts
+        @shell_id = shell_id
+        @command_id = command_id
+        @pipeline = pipeline  
+      end
+
+      protected
+
+      def create_header(header)
+        header << Gyoku.xml(command_headers)
+      end
+
+      def create_body(body)
+        body.tag!("#{NS_WIN_SHELL}:Send") do |cl|
+          cl << Gyoku.xml(command_body)
+        end
+      end
+
+      private
+
+      def command_body
+        {
+          "#{NS_WIN_SHELL}:Stream" => encode_bytes(@pipeline),
+          :attributes! => {
+            "#{NS_WIN_SHELL}:Stream" => {
+              'Name': 'stdin',
+              'CommandId': @command_id
+            }
+          }
+        }
+      end
+      
+      def command_headers
+        merge_headers(shared_headers(@session_opts),
+                      resource_uri_shell(RESOURCE_URI_POWERSHELL),
+                      action_send,
+                      selector_shell_id(@shell_id))
+      end
+    end
+  end
+end

data/lib/wsmv/psrp_message.rb

@@ -0,0 +1,289 @@
+# encoding: UTF-8
+#
+# Copyright 2015 Matt Wrock <matt@mattwrock.com>
+# Copyright 2016 Shawn Neal <sneal@sneal.net>
+# Copyright 2016 Sam Oluwalana <soluwalana@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'erubis'
+
+
+# PowerShell Remoting Protcol module
+module PSRP
+  
+
+  class Message 
+    # Length of all the blob header fields:
+    # BOM, pipeline_id, runspace_pool_id, message_type, blob_destination
+    BLOB_HEADER_LEN = 43
+
+    # Maximum allowed length of the blob
+    BLOB_MAX_LEN = 32768 - BLOB_HEADER_LEN
+
+    # All known PSRP message types
+    MESSAGE_TYPES = {
+      SESSION_CAPABILITY: 0x00010002,
+      INIT_RUNSPACEPOOL: 0x00010004,
+      PUBLIC_KEY: 0x00010005,
+      ENCRYPTED_SESSION_KEY: 0x00010006,
+      PUBLIC_KEY_REQUEST: 0x00010007,
+      CONNECT_RUNSPACEPOOL: 0x00010008,
+      RUNSPACEPOOL_INIT_DATA: 0x0002100B,
+      RESET_RUNSPACE_STATE: 0x0002100C,
+      SET_MAX_RUNSPACES: 0x00021002,
+      SET_MIN_RUNSPACES: 0x00021003,
+      RUNSPACE_AVAILABILITY: 0x00021004,
+      RUNSPACEPOOL_STATE: 0x00021005,
+      CREATE_PIPELINE: 0x00021006,
+      GET_AVAILABLE_RUNSPACES: 0x00021007,
+      USER_EVENT: 0x00021008,
+      APPLICATION_PRIVATE_DATA: 0x00021009,
+      GET_COMMAND_METADATA: 0x0002100A,
+      RUNSPACEPOOL_HOST_CALL: 0x00021100,
+      RUNSPACEPOOL_HOST_RESPONSE: 0x00021101,
+      PIPELINE_INPUT:0x00041002,
+      END_OF_PIPELINE_INPUT: 0x00041003,
+      PIPELINE_OUTPUT: 0x00041004,
+      ERROR_RECORD: 0x00041005,
+      PIPELINE_STATE: 0x00041006,
+      DEBUG_RECORD: 0x00041007,
+      VERBOSE_RECORD: 0x00041008,
+      WARNING_RECORD: 0x00041009,
+      PROGRESS_RECORD: 0x00041010,
+      INFORMATION_RECORD: 0x00041011,
+      PIPELINE_HOST_CALL: 0x00041100,
+      PIPELINE_HOST_RESPONSE: 0x00041101
+    }
+
+    
+    # Format a UUID into a GUID compatible byte array for Windows
+    #
+    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa373931(v=vs.85).aspx
+    # typedef struct _GUID {
+    #   DWORD Data1;
+    #   WORD  Data2;
+    #   WORD  Data3;
+    #   BYTE  Data4[8];
+    # } GUID;
+    #
+    # @param uuid [String] Canonical hex format with hypens.
+    # @return [Array<byte>] UUID in a Windows GUID compatible byte array layout.
+    def uuid_to_windows_guid_bytes(uuid)
+      return [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] unless uuid
+      b = uuid.scan(/[0-9a-fA-F]{2}/).map { |x| x.to_i(16) }
+      b[0..3].reverse + b[4..5].reverse + b[6..7].reverse + b[8..15]
+    end
+  end
+
+  class MessageDecoder < Message
+    attr :message_id, :fragment_id, :fragment_flags, :blob_length, :destination, :message_type, :client_runspace, :client_pid, :data
+    
+    def initialize(raw_text)
+      # Message ID - 8bytes
+      # Fragment ID - 8bytes
+      # reserved - 6bits
+      # end fragment - 1bit
+      # start fragment - 1bit
+      # blob_length - 4bytes
+      # destination - 4bytes
+      # message_type - 4bytes
+      # client runspace GUID - 16bytes
+      # client PID GUID - 16bytes
+      # BOM 3bytes
+      # 
+      # Data - blob_length - 43 bytes (40 blob bytes + BOM)
+      unencoded = Base64.decode64(raw_text)
+      fields = unencoded.unpack('Q>2CL>L<2h32h32C3A*')
+
+      @message_id = fields[0]
+      @fragment_id = fields[1]
+      @fragment_flags = fields[2]
+      @blob_length = fields[3]
+      
+      if is_start_fragment?
+        @destination = fields[4]
+        @message_type = fields[5]
+        @client_runspace = fields[6]
+        @client_pid = fields[7]
+        @data = fields[11]
+      else
+        fields = unencoded.unpack('Q>2CL>A*')
+        @destination = nil
+        @message_type = nil
+        @client_runspace = nil
+        @client_pid = nil
+        @data = fields[4]
+      end
+    end
+
+    def is_end_fragment?
+      (@fragment_flags & 2) != 0
+    end
+
+    def is_start_fragment?
+      (@fragment_flags & 1) != 0
+    end
+  end
+
+  # PowerShell Remoting Protocol base message.
+  # http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-PSRP%5D.pdf
+  class MessageEncoder < Message
+    
+    attr :fragments
+
+    TEMPLATES = {
+      SESSION_CAPABILITY: 'session_capability',
+      INIT_RUNSPACEPOOL: 'init_runspacepool',
+      CREATE_PIPELINE: 'create_pipeline',
+      RUNSPACE_AVAILABILITY: 'runspace_availability'
+
+    }
+
+    @@obj_id = 0
+
+    # Creates a new PSRP message instance
+    # @param id [Fixnum] The incrementing fragment id.
+    # @param shell_id [String] The UUID of the remote shell/runspace pool.
+    # @param command_id [String] The UUID to correlate the command/pipeline
+    # response.
+    # @param message_type [Fixnum] The PSRP MessageType. This is most commonly
+    # specified in hex, e.g. 0x00010002.
+     # @param payload [String] The PSRP payload as serialized XML
+    def initialize(shell_id, command_id, message_type, context = nil)
+      fail 'shell_id cannot be nil' if shell_id.nil?
+      @@obj_id += 1
+      @id = @@obj_id
+      @shell_id = shell_id
+      @command_id = command_id
+      @message_type = MESSAGE_TYPES[message_type]
+      @payload = render(TEMPLATES[message_type], context).force_encoding('utf-8').bytes
+
+      num_fragments = 1
+      num_fragments += (@payload.length / BLOB_MAX_LEN)
+      if (@payload.length % BLOB_MAX_LEN) == 0
+        num_fragments -= 1
+      end
+
+      @fragments = []
+
+      for i in 0..(num_fragments - 1)
+        start_pos = (i * BLOB_MAX_LEN)
+        end_pos = ((i + 1) * BLOB_MAX_LEN) - 1
+
+        if num_fragments == 1
+          flags = [3]
+        elsif i == 0
+          flags = [1]
+        elsif i == (num_fragments - 1)
+          flags = [2]
+        else
+          flags = [0]
+        end
+
+        @fragments.push(bytes(@payload[start_pos..end_pos], i, flags))
+      end      
+    end
+
+    # Renders the specified template with the given context
+    # @param template [String] The base filename of the PSRP message template.
+    # @param context [Hash] Any options required for rendering the template.
+    # @return [String] The rendered XML PSRP message.
+    # @api private
+    def render(template, context = nil)
+      template_path = File.expand_path(
+        "#{File.dirname(__FILE__)}/templates/#{template}.xml.erb")
+      template = File.read(template_path)
+      Erubis::Eruby.new(template).result(context)
+    end
+
+    # Returns the raw PSRP message bytes ready for transfer to Windows inside a
+    # WinRM message.
+    # @return [Array<Byte>] Unencoded raw byte array of the PSRP message.
+    # rubocop:disable Metrics/AbcSize
+    def bytes(blob, frag_id, flags)
+
+      # Packet fragment headers
+      message = message_id
+      message += fragment_id(frag_id)
+      message += flags
+
+      if frag_id == 0
+        # packet fragment header
+        message += blob_length(blob, BLOB_HEADER_LEN)
+
+        # PSRP message header
+        message += blob_destination
+        message += message_type
+        message += runspace_pool_id
+        message += pipeline_id
+        message += byte_order_mark + blob
+      
+      else
+        # packet fragment header
+        message += blob_length(blob, 0)
+        # PSRP fragment
+        message += blob
+      end
+      message
+    end
+
+    private
+
+    def message_id
+      int64be(@id)
+    end
+
+    def fragment_id(frag_id)
+      int64be(frag_id)
+    end
+
+    def blob_length(blob, header_len)
+      int16be(blob.length + header_len)
+    end
+
+    def blob_destination
+      [2, 0, 0, 0]
+    end
+
+    def message_type
+      int16le(@message_type)
+    end
+
+    def runspace_pool_id
+      uuid_to_windows_guid_bytes(@shell_id)
+    end
+
+    def pipeline_id
+      uuid_to_windows_guid_bytes(@command_id)
+    end
+
+    def byte_order_mark
+      [239, 187, 191]
+    end
+
+    def int64be(int64)
+      [int64 >> 32, int64 & 0x00000000ffffffff].pack('N2').unpack('C8')
+    end
+
+    def int16be(int16)
+      [int16].pack('N').unpack('C4')
+    end
+
+    def int16le(int16)
+      [int16].pack('N').unpack('C4').reverse
+    end
+
+  end
+end
+