rex-exploitation 0.1.42 → 0.1.44
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +6 -3
- data/lib/rex/exploitation/vbsobfuscate.rb +141 -0
- data/lib/rex/exploitation/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f95db6775c2b63c9e88cb814b0447bfcd3907e026ae8daa6949df37ca620f411
|
|
4
|
+
data.tar.gz: a0b71c494ced6fd66448674d3bb482fb3f8e82994e984bc0a644584ec3e1549a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 61e4dba7238278e4820d476221fd3de8c8a86ec533a4ebcfeb4e13019bbe33556f7d85f6eea410848a8d86c1ccb6fd06de72a8259a1fba9d91ece011951aecfd
|
|
7
|
+
data.tar.gz: 6b902bc437632db80984d5b1831e5ebf596c530b9a9fde7823b4d981b15603459cd84382848e0f63dabfad523ac13c9b146c53424ea8086053700ed21d8b8c3d
|
data/README.md
CHANGED
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
# -*- coding: binary -*-
|
|
2
|
+
|
|
3
|
+
module Rex
|
|
4
|
+
module Exploitation
|
|
5
|
+
#
|
|
6
|
+
# VBScript obfuscation library
|
|
7
|
+
#
|
|
8
|
+
class VBSObfuscate
|
|
9
|
+
# The VBScript code that this obfuscator will transform
|
|
10
|
+
attr_accessor :code
|
|
11
|
+
|
|
12
|
+
# Saves +code+ for later obfuscation with #obfuscate!
|
|
13
|
+
#
|
|
14
|
+
# @param code [#to_s] the code to obfuscate
|
|
15
|
+
# @param opts [Hash] an options hash
|
|
16
|
+
def initialize(code = nil, _opts = {})
|
|
17
|
+
self.code = code
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
# @return [String] the (possibly obfuscated) code
|
|
21
|
+
def to_s
|
|
22
|
+
@code
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# Append +str+ to the (possibly obfuscated) code
|
|
26
|
+
def <<(str)
|
|
27
|
+
@code << str
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
# Obfuscate VBScript code.
|
|
31
|
+
#
|
|
32
|
+
# @option iterations [Integer] number of times to run the obfuscator on this code (1)
|
|
33
|
+
# @option normalize_whitespace [Boolean] normalize line endings and strip leading/trailing whitespace from each line (true)
|
|
34
|
+
# @option dynamic_execution [Boolean] dynamically execute obfuscated code with Execute (true)
|
|
35
|
+
#
|
|
36
|
+
# @return [self]
|
|
37
|
+
def obfuscate!(iterations: 1, normalize_whitespace: true, dynamic_execution: true)
|
|
38
|
+
raise(ArgumentError, 'code must be present') if @code.nil?
|
|
39
|
+
raise(ArgumentError, 'iterations must be a positive integer') unless iterations.integer? && iterations.positive?
|
|
40
|
+
|
|
41
|
+
obfuscated = @code.dup
|
|
42
|
+
|
|
43
|
+
iterations.times do
|
|
44
|
+
# Normalize line endings and strip leading/trailing whitespace
|
|
45
|
+
if normalize_whitespace
|
|
46
|
+
obfuscated.gsub!(/\r\n/, "\n")
|
|
47
|
+
obfuscated = obfuscated.lines.map(&:strip).reject(&:empty?).join("\n")
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
# Convert all VBScript to a string to be dynamically executed with Execute()
|
|
51
|
+
if dynamic_execution
|
|
52
|
+
obfuscated = 'Execute ' + vbscript_string_for_execute(obfuscated)
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
# Obfuscate strings
|
|
56
|
+
obfuscated = chunk_vbscript_strings(obfuscated)
|
|
57
|
+
obfuscated.gsub!(/"((?:[^"]|"")*)"/) do
|
|
58
|
+
raw = ::Regexp.last_match(1).gsub('""', '"')
|
|
59
|
+
raw.chars.map { |c| "chr(#{generate_number_expression(c.ord)})" }.join('&')
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
# Obfuscate integers
|
|
63
|
+
obfuscated.gsub!(/\b\d+\b/) do |num|
|
|
64
|
+
generate_number_expression(num.to_i)
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
@code = obfuscated
|
|
69
|
+
|
|
70
|
+
self
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
private
|
|
74
|
+
|
|
75
|
+
# Converts all VBScript in +vbscript+ to a string for dynamic execution
|
|
76
|
+
# with Execute().
|
|
77
|
+
#
|
|
78
|
+
# @param vbscript [String] VBScript code
|
|
79
|
+
#
|
|
80
|
+
# @return [String] obfuscated VBScript code for use with Execute()
|
|
81
|
+
def vbscript_string_for_execute(vbscript)
|
|
82
|
+
lines = vbscript.lines.map(&:chomp).map do |line|
|
|
83
|
+
escaped_line = line.gsub('"', '""')
|
|
84
|
+
"\"#{escaped_line}\""
|
|
85
|
+
end
|
|
86
|
+
lines.join('&vbCrLf&')
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
# Returns a random math expression evaluating to input +int+
|
|
90
|
+
#
|
|
91
|
+
# @param int [Integer] input integer
|
|
92
|
+
#
|
|
93
|
+
# @return [String] math expression evaluating to input +int+
|
|
94
|
+
def generate_number_expression(int)
|
|
95
|
+
case rand(4)
|
|
96
|
+
when 0 # Sum
|
|
97
|
+
a = rand(0..int)
|
|
98
|
+
b = int - a
|
|
99
|
+
"(#{a}+#{b})"
|
|
100
|
+
when 1 # Difference
|
|
101
|
+
r1 = int + rand(1..10)
|
|
102
|
+
r2 = r1 - int
|
|
103
|
+
"(#{r1}-#{r2})"
|
|
104
|
+
when 2 # Product (only if divisible)
|
|
105
|
+
divisors = (1..int).select { |d| (int % d).zero? }
|
|
106
|
+
if divisors.size > 1
|
|
107
|
+
d = divisors.sample
|
|
108
|
+
"(#{d}*#{int / d})"
|
|
109
|
+
else
|
|
110
|
+
"(#{int}+0)"
|
|
111
|
+
end
|
|
112
|
+
when 3 # Quotient
|
|
113
|
+
r2 = rand(1..10)
|
|
114
|
+
r1 = int * r2
|
|
115
|
+
"(#{r1}/#{r2})"
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
|
|
119
|
+
# Return VBScript code with all strings split into chunks and concatenated
|
|
120
|
+
#
|
|
121
|
+
# @param vbscript [String] VBScript code
|
|
122
|
+
#
|
|
123
|
+
# @return [String] VBScript code with chunked strings
|
|
124
|
+
def chunk_vbscript_strings(vbscript)
|
|
125
|
+
vbscript.gsub(/"([^"]+)"/) do
|
|
126
|
+
original = Regexp.last_match(1)
|
|
127
|
+
chunks = []
|
|
128
|
+
|
|
129
|
+
i = 0
|
|
130
|
+
while i < original.length
|
|
131
|
+
chunk_size = rand(1..5)
|
|
132
|
+
chunks << "\"#{original[i, chunk_size]}\""
|
|
133
|
+
i += chunk_size
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
chunks.join('&')
|
|
137
|
+
end
|
|
138
|
+
end
|
|
139
|
+
end
|
|
140
|
+
end
|
|
141
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rex-exploitation
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.44
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Metasploit Hackers
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-
|
|
11
|
+
date: 2025-09-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -229,6 +229,7 @@ files:
|
|
|
229
229
|
- lib/rex/exploitation/opcodedb.rb
|
|
230
230
|
- lib/rex/exploitation/ropdb.rb
|
|
231
231
|
- lib/rex/exploitation/seh.rb
|
|
232
|
+
- lib/rex/exploitation/vbsobfuscate.rb
|
|
232
233
|
- lib/rex/exploitation/version.rb
|
|
233
234
|
- rex-exploitation.gemspec
|
|
234
235
|
homepage: https://github.com/rapid7/rex-exploitation
|