rex-exploitation 0.1.41 → 0.1.43

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00a6301c12431b63061105814a0b8bba05defa1441017141aaabc5de99d7c582
-  data.tar.gz: 7d3560f6be5291faba7ccd5b3cee9d2c23c93d41e10db807d6e6262769637f9d
+  metadata.gz: d57ee0a86e51281389fe57ae6bdef8d5a05973ddf9159ab084d61a494e9f525f
+  data.tar.gz: e77944b1b5b69f1fe584923a31005957af5f8e773f4c9335616fd288f1825524
 SHA512:
-  metadata.gz: fa8d466c2aa62cf82dafde186aece2555902d11c7eed2f9761888354c5a604c8be1cb44768ba6d12752501d95130c2e532b1567419fda6f878fbb4e2c6bdbf16
-  data.tar.gz: bdb2e5968cc1b9a8d922a01057b51418081eccb92dee2e7e56fc2b8fb7897150d07ce40f436067f513e8da0d454166e4430c42f497c44363ba09ee8329358fa0
+  metadata.gz: c479681a255e5faab29066c3fe06ebabc3d3b868572a0e99aa9c5400b50c691ef451a1c1d6cf3de5d188fcaa03b2b67276b015d9bbb4b8381f5209083f0ff66b
+  data.tar.gz: 798d4dd5d42818fa41d86d6a835716f7631516d8dd56605eae15125e6b50a9de7aac35a085d02a9f8d4a9443f2878a5de889c3ed266b81fea25c7b07caa30bc5

data/.github/workflows/verify.yml

@@ -9,44 +9,5 @@ on:
       - '*'
 
 jobs:
-  test:
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
-
-    strategy:
-      fail-fast: true
-      matrix:
-        ruby:
-          - '2.7'
-          - '3.0'
-          - '3.1'
-          - '3.2'
-        os:
-          - ubuntu-20.04
-          - ubuntu-latest
-        exclude:
-          - { os: ubuntu-latest, ruby: '2.7' }
-          - { os: ubuntu-latest, ruby: '3.0' }
-        test_cmd:
-          - bundle exec rspec
-
-    env:
-      RAILS_ENV: test
-
-    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          bundler-cache: true
-
-      - name: ${{ matrix.test_cmd }}
-        run: |
-          echo "${CMD}"
-          bash -c "${CMD}"
-        env:
-          CMD: ${{ matrix.test_cmd }}
+  build:
+    uses: rapid7/metasploit-framework/.github/workflows/shared_gem_verify.yml@master

data/lib/rex/exploitation/vbsobfuscate.rb

@@ -0,0 +1,141 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Exploitation
+    #
+    # VBScript obfuscation library
+    #
+    class VBSObfuscate
+      # The VBScript code that this obfuscator will transform
+      attr_accessor :code
+
+      # Saves +code+ for later obfuscation with #obfuscate!
+      #
+      # @param code [#to_s] the code to obfuscate
+      # @param opts [Hash] an options hash
+      def initialize(code = nil, _opts = {})
+        self.code = code
+      end
+
+      # @return [String] the (possibly obfuscated) code
+      def to_s
+        @code
+      end
+
+      # Append +str+ to the (possibly obfuscated) code
+      def <<(str)
+        @code << str
+      end
+
+      # Obfuscate VBScript code.
+      #
+      # @option iterations            [Integer] number of times to run the obfuscator on this code (1)
+      # @option normalize_whitespace  [Boolean] normalize line endings and strip leading/trailing whitespace from each line (true)
+      # @option dynamic_execution     [Boolean] dynamically execute obfuscated code with Execute (true)
+      #
+      # @return [self]
+      def obfuscate!(iterations: 1, normalize_whitespace: true, dynamic_execution: true)
+        raise(ArgumentError, 'code must be present') if @code.nil?
+        raise(ArgumentError, 'iterations must be a positive integer') unless iterations.integer? && iterations.positive?
+
+        obfuscated = @code.dup
+
+        iterations.times do
+          # Normalize line endings and strip leading/trailing whitespace
+          if normalize_whitespace
+            obfuscated.gsub!(/\r\n/, "\n")
+            obfuscated = obfuscated.lines.map(&:strip).reject(&:empty?).join("\n")
+          end
+
+          # Convert all VBScript to a string to be dynamically executed with Execute()
+          if dynamic_execution
+            obfuscated = 'Execute ' + vbscript_string_for_execute(obfuscated)
+          end
+
+          # Obfuscate strings
+          obfuscated = chunk_vbscript_strings(obfuscated)
+          obfuscated.gsub!(/"((?:[^"]|"")*)"/) do
+            raw = ::Regexp.last_match(1).gsub('""', '"')
+            raw.chars.map { |c| "chr(#{generate_number_expression(c.ord)})" }.join('&')
+          end
+
+          # Obfuscate integers
+          obfuscated.gsub!(/\b\d+\b/) do |num|
+            generate_number_expression(num.to_i)
+          end
+        end
+
+        @code = obfuscated
+
+        self
+      end
+
+      private
+
+      # Converts all VBScript in +vbscript+ to a string for dynamic execution
+      # with Execute().
+      #
+      # @param vbscript [String] VBScript code
+      #
+      # @return [String] obfuscated VBScript code for use with Execute()
+      def vbscript_string_for_execute(vbscript)
+        lines = vbscript.lines.map(&:chomp).map do |line|
+          escaped_line = line.gsub('"', '""')
+          "\"#{escaped_line}\""
+        end
+        lines.join('&vbCrLf&')
+      end
+
+      # Returns a random math expression evaluating to input +int+
+      #
+      # @param int [Integer] input integer
+      #
+      # @return [String] math expression evaluating to input +int+
+      def generate_number_expression(int)
+        case rand(4)
+        when 0 # Sum
+          a = rand(0..int)
+          b = int - a
+          "(#{a}+#{b})"
+        when 1 # Difference
+          r1 = int + rand(1..10)
+          r2 = r1 - int
+          "(#{r1}-#{r2})"
+        when 2 # Product (only if divisible)
+          divisors = (1..int).select { |d| (int % d).zero? }
+          if divisors.size > 1
+            d = divisors.sample
+            "(#{d}*#{int / d})"
+          else
+            "(#{int}+0)"
+          end
+        when 3 # Quotient
+          r2 = rand(1..10)
+          r1 = int * r2
+          "(#{r1}/#{r2})"
+        end
+      end
+
+      # Return VBScript code with all strings split into chunks and concatenated
+      #
+      # @param vbscript [String] VBScript code
+      #
+      # @return [String] VBScript code with chunked strings
+      def chunk_vbscript_strings(vbscript)
+        vbscript.gsub(/"([^"]+)"/) do
+          original = Regexp.last_match(1)
+          chunks = []
+
+          i = 0
+          while i < original.length
+            chunk_size = rand(1..5)
+            chunks << "\"#{original[i, chunk_size]}\""
+            i += chunk_size
+          end
+
+          chunks.join('&')
+        end
+      end
+    end
+  end
+end

data/lib/rex/exploitation/version.rb

@@ -1,5 +1,5 @@
 module Rex
   module Exploitation
-    VERSION = "0.1.41"
+    VERSION = "0.1.43"
   end
 end

data/rex-exploitation.gemspec

@@ -34,4 +34,12 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'metasm'
   # Needed for Javascript obfuscation
   spec.add_runtime_dependency 'jsobfu'
+
+  # bigdecimal and racc are not part of the default gems starting from Ruby 3.4.0: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/
+  %w[
+    bigdecimal
+    racc
+  ].each do |library|
+    spec.add_runtime_dependency library
+  end
 end

metadata

@@ -1,40 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rex-exploitation
 version: !ruby/object:Gem::Version
-  version: 0.1.41
+  version: 0.1.43
 platform: ruby
 authors:
 - Metasploit Hackers
-autorequire: 
+autorequire:
 bindir: exe
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIERDCCAqygAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBttc2Zk
-  ZXYvREM9bWV0YXNwbG9pdC9EQz1jb20wHhcNMjMxMDMwMTYwNDI1WhcNMjUxMDI5
-  MTYwNDI1WjAmMSQwIgYDVQQDDBttc2ZkZXYvREM9bWV0YXNwbG9pdC9EQz1jb20w
-  ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZN/EKv+yVjwiKWvjAVhjF
-  aWNYI0E9bJ5d1qKd29omRYX9a+OOKBCu5+394fyF5RjwU4mYGr2iopX9ixRJrWXH
-  ojs70tEvV1CmvP9rhz7JKzQQoJOkinrz4d+StIylxVxVdgm7DeiB3ruTwvl7qKUv
-  piWzhrBFiVU6XIEAwq6wNEmnv2D+Omyf4h0Tf99hc6G0QmBnU3XydqvnZ+AzUbBV
-  24RH3+NQoigLbvK4M5aOeYhk19di58hznebOw6twHzNczshrBeMFQp985ScNgsvF
-  rL+7HNNwpcpngERwZfzDNn7iYN5X3cyvTcykShtsuPMa5zXsYo42LZrsTF87DW38
-  D8sxL6Dgdqu25Mltdw9m+iD4rHSfb1KJYEoNO+WwBJLO2Y4d6G1CR66tVeWsZspb
-  zneOVC+sDuil7hOm+6a7Y2yrrRyT6IfL/07DywjPAIRUp5+Jn8ZrkWRNo2AOwWBG
-  k5gz7SfJPHuyVnPlxoMA0MTFCUnnnbyHu882TGoJGgMCAwEAAaN9MHswCQYDVR0T
-  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFIQfNa4E889ZE334cwU7eNu2hScH
-  MCAGA1UdEQQZMBeBFW1zZmRldkBtZXRhc3Bsb2l0LmNvbTAgBgNVHRIEGTAXgRVt
-  c2ZkZXZAbWV0YXNwbG9pdC5jb20wDQYJKoZIhvcNAQELBQADggGBAMfzvKcV27p7
-  pctmpW2JmIXLMrjNLyGJAxELH/t9pJueXdga7uj2fJkYQDbwGw5x4MGyFqhqJLH4
-  l/qsUF3PyAXDTSWLVaqXQVWO+IIHxecG0XjPXTNudzMU0hzqbqiBKvsW7/a3V5BP
-  SWlFzrFkoXWlPouFpoakyYMJjpW4SGdPzRv7pM4OhXtkXpHiRvx5985FrHgHlI89
-  NSIuIUbp8zqk4hP1i9MV0Lc/vTf2gOmo+RHnjqG1NiYfMCYyY/Mcd4W36kGOl468
-  I8VDTwgCufkAzFu7BJ5yCOueqtDcuq+d3YhAyU7NI4+Ja8EwazOnB+07sWhKpg7z
-  yuQ1mWYPmZfVQpoSVv1CvXsoqJYXVPBBLOacKKSj8ArVG6pPn9Bej7IOQdblaFjl
-  DgscAao7wB3xW2BWEp1KnaDWkf1x9ttgoBEYyuYwU7uatB67kBQG1PKvLt79wHvz
-  Dxs+KOjGbBRfMnPgVGYkORKVrZIwlaboHbDKxcVW5xv+oZc7KYXWGg==
-  -----END CERTIFICATE-----
-date: 2025-02-13 00:00:00.000000000 Z
+cert_chain: []
+date: 2025-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -148,6 +122,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: bigdecimal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: racc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |-
   This gem contains various helper mechanisms for creating exploits.
                             This includes SEH Overwrite helpers, egghunters, command stagers and more.
@@ -227,12 +229,13 @@ files:
 - lib/rex/exploitation/opcodedb.rb
 - lib/rex/exploitation/ropdb.rb
 - lib/rex/exploitation/seh.rb
+- lib/rex/exploitation/vbsobfuscate.rb
 - lib/rex/exploitation/version.rb
 - rex-exploitation.gemspec
 homepage: https://github.com/rapid7/rex-exploitation
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -247,8 +250,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
-signing_key: 
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: Ruby Exploitation(Rex) library for various exploitation helpers
 test_files: []

checksums.yaml.gz.sig

@@ -1,4 +0,0 @@
-��#bQd���^c�#9P����Dq����u�%��}�%䭞d=��͸��p��ݟ
-���U3�n�����B0�t�*|�R�W��a���
]Ih}xC౻,��`�hQ���W�_4� 0�:�"V>9���d�R�g:M�O�����
-�;;�}o�2a�q�����т��aG�������
-IEc�&��RGw2���̾�HU��d��͹�

metadata.gz.sig

@@ -1,3 +0,0 @@
-�J��F%J�L��2��`�pR�^��
V:x�GG�P��!��^�Y�ꁱn��"zo�
-	;��5�f��T�ޣ��ՠ*�8�W��#]wҤ�}d��QcP��v�-�h����q�Ag�o�
-o>����0�=7��z唠��˞=j��g\n�_���	tJ��;�/��HN/{�N���N]wi)M����X����]*Fg9|
-�R����6"��k\уg��mI�