rex-bin_tools 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 787c1726c02358862ab0feaf1fb1f86df29bc2af
+  data.tar.gz: 66626707fa1ec982becf43c69959099a6744c9d8
+SHA512:
+  metadata.gz: 3910da97774e960cd3d1b89a19b90387dcdb2b69c795c08eafbb998325561cb324213eb48a8af773c5e406a7218633eea8576e92542d2acd2d66b982b981eb81
+  data.tar.gz: f021df69244b0ae8334212d564e8a84ad80c134d24289af4d7c2553554e1d2e49b05b2519ab04cd6a0c51e75d818369d61a7c95609f537febffd6cdd8e843f40

checksums.yaml.gz.sig

@@ -0,0 +1 @@
+^�,�hj���m�`j��

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.12.5

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project maintainers at msfdev@metasploit.com. If
+the incident involves a committer, you may report directly to
+egypt@metasploit.com or todb@metasploit.com.
+
+All complaints will be reviewed and investigated and will result in a
+response that is deemed necessary and appropriate to the circumstances.
+Maintainers are obligated to maintain confidentiality with regard to the
+reporter of an incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rex-bin_tools.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (C) 2012-2013, Rapid7, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+	  this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+	  this list of conditions and the following disclaimer in the documentation
+	  and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+	  may be used to endorse or promote products derived from this software
+	  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,22 @@
+# Rex::BinTools
+
+Ruby Exploitation(Rex) Library for Binary Manipulation. This suite of tools contains ElfScan,MachScan, PEScan, and BinScan.
+These tools are designed to help you analyze an executable binary and search for particular instruction sets. This is aprticularly
+useful for things like building ROP chains or SEH exploits.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rex-bin_tools'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rex-bin_tools
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rex/bin_tools"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/msfbinscan

@@ -0,0 +1,284 @@
+#!/usr/bin/env ruby
+# -*- coding: binary -*-
+
+require 'metasm'
+require 'rex/elfparsey'
+require 'rex/elfscan'
+require 'rex/machparsey'
+require 'rex/machscan'
+require 'rex/peparsey'
+require 'rex/pescan'
+require 'rex/arch/x86'
+require 'optparse'
+
+def opt2i(o)
+  o.index("0x")==0 ? o.hex : o.to_i
+end
+
+opt = OptionParser.new
+
+opt.banner = "Usage: #{$PROGRAM_NAME} [mode] <options> [targets]"
+opt.separator('')
+opt.separator('Modes:')
+
+worker = nil
+param = {}
+files = []
+mode = ""
+
+opt.on('-j', '--jump [regA,regB,regC]', 'Search for jump equivalent instructions        [PE|ELF|MACHO]') do |t|
+  # take csv of register names (like eax,ebx) and convert
+  # them to an array of register numbers
+  mode = "jump"
+  regnums = t.split(',').collect { |o|
+    begin
+      Rex::Arch::X86.reg_number(o)
+    rescue
+      puts "Invalid register \"#{o}\""
+      exit(1)
+    end
+  }
+  param['args'] = regnums
+end
+
+opt.on('-p', '--poppopret', 'Search for pop+pop+ret combinations            [PE|ELF|MACHO]') do |t|
+  mode = "pop"
+  param['args'] = t
+end
+
+opt.on('-r', '--regex [regex]', 'Search for regex match                         [PE|ELF|MACHO]') do |t|
+  mode = "regex"
+  param['args'] = t
+end
+
+opt.on('-a', '--analyze-address [address]', 'Display the code at the specified address      [PE|ELF]') do |t|
+  mode = "analyze-address"
+  param['args'] = opt2i(t)
+end
+
+opt.on('-b', '--analyze-offset [offset]', 'Display the code at the specified offset       [PE|ELF]') do |t|
+  mode = "analyze-offset"
+  param['args'] = opt2i(t)
+end
+
+opt.on('-f', '--fingerprint', 'Attempt to identify the packer/compiler        [PE]') do |t|
+  mode = "fingerprint"
+  param['database'] = File.join(File.dirname(msfbase), 'data', 'msfpescan', 'identify.txt')
+end
+
+opt.on('-i', '--info', 'Display detailed information about the image   [PE]') do |t|
+  mode = "info"
+end
+
+opt.on('-R', '--ripper [directory]', 'Rip all module resources to disk               [PE]') do |t|
+  mode = "ripper"
+  param['dir'] = t
+end
+
+opt.on('--context-map [directory]', 'Generate context-map files                     [PE]') do |t|
+  mode = "context"
+  param['dir'] = t
+end
+
+opt.separator('')
+opt.separator('Options:')
+
+opt.on('-A', '--after [bytes]', 'Number of bytes to show after match (-a/-b)    [PE|ELF|MACHO]') do |t|
+  param['after'] = opt2i(t)
+end
+
+opt.on('-B', '--before [bytes]', 'Number of bytes to show before match (-a/-b)   [PE|ELF|MACHO]') do |t|
+  param['before'] = opt2i(t)
+end
+
+opt.on('-I', '--image-base [address]', 'Specify an alternate ImageBase                 [PE|ELF|MACHO]') do |t|
+  param['imagebase'] = opt2i(t)
+end
+
+opt.on('-D', '--disasm', 'Disassemble the bytes at this address          [PE|ELF]') do |t|
+  param['disasm'] = true
+end
+
+opt.on('-F', '--filter-addresses [regex]', 'Filter addresses based on a regular expression [PE]') do |t|
+  param['filteraddr'] = t
+end
+
+opt.on_tail("-h", "--help", "Show this message") do
+  $stderr.puts opt
+  exit
+end
+
+begin
+  opt.parse!
+rescue OptionParser::InvalidOption, OptionParser::MissingArgument
+  $stderr.puts "Invalid option, try -h for usage"
+  exit(1)
+end
+
+
+if mode.empty?
+  $stderr.puts "A mode must be selected"
+  $stderr.puts opt
+  exit(1)
+end
+
+# check if the file is a directory if it is collect all the entries
+ARGV.each do |file|
+
+  if(File.directory?(file))
+    dir = Dir.open(file)
+    dir.entries.each do |ent|
+      path = File.join(file, ent)
+      next if not File.file?(path)
+      files << File.join(path)
+    end
+  else
+    files << file
+  end
+end
+
+# we need to do some work to figure out the file format
+files.each do |file|
+  param['file'] = file
+
+  bin = Metasm::AutoExe.decode_file(file) if not file.empty?
+
+  if bin.kind_of?(Metasm::PE)
+    case mode
+    when "jump"
+      worker = Rex::PeScan::Scanner::JmpRegScanner
+    when "pop"
+      worker = Rex::PeScan::Scanner::PopPopRetScanner
+    when "regex"
+      worker = Rex::PeScan::Scanner::RegexScanner
+    when "analyze-address"
+      worker = Rex::PeScan::Search::DumpRVA
+    when "analyze-offset"
+      worker = Rex::PeScan::Search::DumpOffset
+    when "fingerprint"
+      worker = Rex::PeScan::Analyze::Fingerprint
+    when "info"
+      worker = Rex::PeScan::Analyze::Information
+    when "ripper"
+      worker = Rex::PeScan::Analyze::Ripper
+    when "context"
+      worker = Rex::PeScan::Analyze::ContextMapDumper
+    else
+      $stderr.puts("Mode unsupported by file format")
+    end
+
+    pe_klass = Rex::PeParsey::Pe
+    begin
+      pe = pe_klass.new_from_file(file, true)
+    rescue ::Interrupt
+      raise $!
+    rescue Rex::PeParsey::FileHeaderError
+      next if $!.message == "Couldn't find the PE magic!"
+      raise $!
+    rescue Errno::ENOENT
+      $stdout.puts("File does not exist: #{file}")
+      next
+    rescue ::Rex::PeParsey::SkipError
+      next
+    rescue ::Exception => e
+      $stdout.puts "[#{file}] #{e.class}: #{e}"
+      next
+    end
+
+    if (param['imagebase'])
+      pe.image_base = param['imagebase'];
+    end
+
+    if not worker
+      $stderr.puts("A mode could not be set for this file.")
+      next
+    end
+
+    o = worker.new(pe)
+    o.scan(param)
+
+    pe.close
+
+  elsif bin.kind_of?(Metasm::ELF)
+    case mode
+    when "jump"
+      worker = Rex::ElfScan::Scanner::JmpRegScanner
+    when "pop"
+      worker = Rex::ElfScan::Scanner::PopPopRetScanner
+    when "regex"
+      worker = Rex::ElfScan::Scanner::RegexScanner
+    when "analyze-address"
+      worker = Rex::ElfScan::Search::DumpRVA
+    when "analyze-offset"
+      worker = Rex::ElfScan::Search::DumpOffset
+    else
+      $stderr.puts("Mode unsupported by file format")
+    end
+    
+    begin
+      elf = Rex::ElfParsey::Elf.new_from_file(file, true)
+    rescue Rex::ElfParsey::ElfHeaderError
+      if $!.message == 'Invalid magic number'
+        $stderr.puts("Skipping #{file}: #{$!}")
+        next
+      end
+      raise $!
+    rescue Errno::ENOENT
+      $stderr.puts("File does not exist: #{file}")
+      next
+    end
+
+    if (param['imagebase'])
+      elf.base_addr = param['imagebase'];
+    end
+
+    if not worker
+      $stderr.puts("A mode could not be set for this file.")
+      next
+    end
+    
+    o = worker.new(elf)
+    o.scan(param)
+
+    elf.close
+
+  elsif bin.kind_of?(Metasm::MachO)
+    case mode
+    when "jump"
+      worker = Rex::MachScan::Scanner::JmpRegScanner
+    when "pop"
+      worker = Rex::MachScan::Scanner::PopPopRetScanner
+    when "regex"
+      worker = Rex::MachScan::Scanner::RegexScanner
+    else
+      $stderr.puts("Mode unsupported by file format")
+    end
+
+    begin
+      mach = Rex::MachParsey::Mach.new_from_file(file, true)
+      o = worker.new(mach)
+      o.scan(param)
+      mach.close
+    rescue Rex::MachParsey::MachHeaderError
+      $stderr.puts("File is not a Mach-O binary, trying Fat..\n")
+      begin
+        fat = Rex::MachParsey::Fat.new_from_file(file, true)
+        o = worker.new(fat)
+        o.scan(param)
+        fat.close
+      rescue
+        $stderr.puts("Error: " + $!.to_s)
+        $stderr.puts("Skipping #{file}")
+      end
+    rescue Errno::ENOENT
+      $stderr.puts("File does not exist: #{file}")
+      next
+    end
+  end
+
+  if not worker
+    $stderr.puts("Unsupported file format")
+    $stderr.puts("Skipping #{file}")
+    next
+  end
+end