rex-socket 0.1.0

data/lib/rex/socket/ssh_factory.rb

@@ -0,0 +1,46 @@
+module Rex
+  module Socket
+
+    # This class exists to abuse the Proxy capabilities in the Net::SSH library to allow the use of Rex::Sockets
+    # for the transport layer in Net::SSH. The SSHFactory object will respond to the #open method and create the
+    # {Rex::Socket::Tcp}
+    class SSHFactory
+
+      # @!attribute msfraemwork
+      #   @return [Object] The framework instance object
+      attr_accessor :framework
+      # @!attribute msfmodule
+      #   @return [Object] The metasploit module this socket belongs to
+      attr_accessor :msfmodule
+      # @!attribute proxies
+      #   @return [String] Any proxies to use for the connection
+      attr_accessor :proxies
+
+      def initialize(framework, msfmodule, proxies)
+        @framework = framework
+        @msfmodule   = msfmodule
+        @proxies     = proxies
+      end
+
+      # Responds to the proxy setup routine Net::SSH will call when
+      # initialising the Transport Layer. This will instead create our
+      # {Rex::Socket::Tcp} and tie the socket back to the calling module
+      # @param host [String] The host to open the connection to
+      # @param port [Fixnum] the port to open the connection on
+      # @param options [Hash] the options hash
+      def open(host, port, options={})
+        socket = Rex::Socket::Tcp.create(
+          'PeerHost' => host,
+          'PeerPort' => port,
+          'Proxies' => proxies,
+          'Context'  => {
+            'Msf'          => framework,
+            'MsfExploit'   => msfmodule
+          }
+        )
+        msfmodule.add_socket(socket) if msfmodule
+        socket
+      end
+    end
+  end
+end

data/lib/rex/socket/ssl_tcp.rb

@@ -0,0 +1,374 @@
+# -*- coding: binary -*-
+require 'rex/socket'
+###
+#
+# This class provides methods for interacting with an SSL TCP client
+# connection.
+#
+###
+module Rex::Socket::SslTcp
+
+begin
+  @@loaded_openssl = false
+
+  begin
+    require 'openssl'
+    @@loaded_openssl = true
+    require 'openssl/nonblock'
+  rescue ::Exception
+  end
+
+
+  include Rex::Socket::Tcp
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  #
+  # Creates an SSL TCP instance.
+  #
+  def self.create(hash = {})
+    raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
+    hash['SSL'] = true
+    self.create_param(Rex::Socket::Parameters.from_hash(hash))
+  end
+
+  #
+  # Set the SSL flag to true and call the base class's create_param routine.
+  #
+  def self.create_param(param)
+    param.ssl   = true
+    Rex::Socket::Tcp.create_param(param)
+  end
+
+  ##
+  #
+  # Class initialization
+  #
+  ##
+
+  #
+  # Initializes the SSL socket.
+  #
+  def initsock(params = nil)
+    super
+
+    # Default to SSLv23 (automatically negotiate)
+    version = :SSLv23
+
+    # Let the caller specify a particular SSL/TLS version
+    if params
+      case params.ssl_version
+      when 'SSL2', :SSLv2
+        version = :SSLv2
+      # 'TLS' will be the new name for autonegotation with newer versions of OpenSSL
+      when 'SSL23', :SSLv23, 'TLS', 'Auto'
+        version = :SSLv23
+      when 'SSL3', :SSLv3
+        version = :SSLv3
+      when 'TLS1','TLS1.0', :TLSv1
+        version = :TLSv1
+      when 'TLS1.1', :TLSv1_1
+        version = :TLSv1_1
+      when 'TLS1.2', :TLSv1_2
+        version = :TLSv1_2
+      end
+    end
+
+    # Raise an error if no selected versions are supported
+    if ! OpenSSL::SSL::SSLContext::METHODS.include? version
+      raise ArgumentError, 'The system OpenSSL does not support the requested SSL/TLS version'
+    end
+
+    # Try intializing the socket with this SSL/TLS version
+    # This will throw an exception if it fails
+    initsock_with_ssl_version(params, version)
+
+    # Track the SSL version
+    self.ssl_negotiated_version = version
+  end
+
+  def initsock_with_ssl_version(params, version)
+    # Build the SSL connection
+    self.sslctx  = OpenSSL::SSL::SSLContext.new(version)
+
+    # Configure the SSL context
+    # TODO: Allow the user to specify the verify mode callback
+    # Valid modes:
+    #  VERIFY_CLIENT_ONCE
+    #  VERIFY_FAIL_IF_NO_PEER_CERT
+    #  VERIFY_NONE
+    #  VERIFY_PEER
+    if params.ssl_verify_mode
+      self.sslctx.verify_mode = OpenSSL::SSL.const_get("VERIFY_#{params.ssl_verify_mode}".intern)
+    else
+      # Could also do this as graceful faildown in case a passed verify_mode is not supported
+      self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    end
+
+    self.sslctx.options = OpenSSL::SSL::OP_ALL
+
+    if params.ssl_cipher
+      self.sslctx.ciphers = params.ssl_cipher
+    end
+
+    # Set the verification callback
+    self.sslctx.verify_callback = Proc.new do |valid, store|
+      self.peer_verified = valid
+      true
+    end
+
+    # Tie the context to a socket
+    self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx)
+
+    # If peerhost looks like a hostname, set the undocumented 'hostname'
+    # attribute on sslsock, which enables the Server Name Indication (SNI)
+    # extension
+    self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost)
+
+    # Force a negotiation timeout
+    begin
+    Timeout.timeout(params.timeout) do
+      if not allow_nonblock?
+        self.sslsock.connect
+      else
+        begin
+          self.sslsock.connect_nonblock
+        # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+        rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+            IO::select(nil, nil, nil, 0.10)
+            retry
+
+        # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+        rescue ::Exception => e
+          if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+            IO::select( [ self.sslsock ], nil, nil, 0.10 )
+            retry
+          end
+
+          if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+            IO::select( nil, [ self.sslsock ], nil, 0.10 )
+            retry
+          end
+
+          raise e
+        end
+      end
+    end
+
+    rescue ::Timeout::Error
+      raise Rex::ConnectionTimeout.new(params.peerhost, params.peerport)
+    end
+  end
+
+  ##
+  #
+  # Stream mixin implementations
+  #
+  ##
+
+  #
+  # Writes data over the SSL socket.
+  #
+  def write(buf, opts = {})
+    return sslsock.write(buf) if not allow_nonblock?
+
+    total_sent   = 0
+    total_length = buf.length
+    block_size   = 16384
+    retry_time   = 0.5
+
+    begin
+      while( total_sent < total_length )
+        s = Rex::ThreadSafe.select( nil, [ self.sslsock ], nil, 0.25 )
+        if( s == nil || s[0] == nil )
+          next
+        end
+        data = buf[total_sent, block_size]
+        sent = sslsock.write_nonblock( data )
+        if sent > 0
+          total_sent += sent
+        end
+      end
+
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+
+    # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a half a second, or until we can write again
+      Rex::ThreadSafe.select( nil, [ self.sslsock ], nil, retry_time )
+      # Decrement the block size to handle full sendQs better
+      block_size = 1024
+      # Try to write the data again
+      retry
+
+    # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+    rescue ::Exception => e
+      if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+        IO::select( [ self.sslsock ], nil, nil, retry_time )
+        retry
+      end
+
+      if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+        IO::select( nil, [ self.sslsock ], nil, retry_time )
+        retry
+      end
+
+      # Another form of SSL error, this is always fatal
+      if e.kind_of?(::OpenSSL::SSL::SSLError)
+        return nil
+      end
+
+      # Bubble the event up to the caller otherwise
+      raise e
+    end
+
+    total_sent
+  end
+
+  #
+  # Reads data from the SSL socket.
+  #
+  def read(length = nil, opts = {})
+    if not allow_nonblock?
+      length = 16384 unless length
+      begin
+        return sslsock.sysread(length)
+      rescue ::IOError, ::Errno::EPIPE, ::OpenSSL::SSL::SSLError
+        return nil
+      end
+      return
+    end
+
+
+    begin
+      while true
+        s = Rex::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )
+        if( s == nil || s[0] == nil )
+          next
+        end
+        return sslsock.read_nonblock( length )
+      end
+
+    rescue ::IOError, ::Errno::EPIPE
+      return nil
+
+    # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+    rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+      # Sleep for a tenth a second, or until we can read again
+      Rex::ThreadSafe.select( [ self.sslsock ], nil, nil, 0.10 )
+      # Decrement the block size to handle full sendQs better
+      block_size = 1024
+      # Try to write the data again
+      retry
+
+    # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+    rescue ::Exception => e
+      if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+        IO::select( [ self.sslsock ], nil, nil, 0.5 )
+        retry
+      end
+
+      if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+        IO::select( nil, [ self.sslsock ], nil, 0.5 )
+        retry
+      end
+
+      # Another form of SSL error, this is always fatal
+      if e.kind_of?(::OpenSSL::SSL::SSLError)
+        return nil
+      end
+
+      raise e
+    end
+
+  end
+
+
+  #
+  # Closes the SSL socket.
+  #
+  def close
+    sslsock.close rescue nil
+    super
+  end
+
+  #
+  # Ignore shutdown requests
+  #
+  def shutdown(how=0)
+    # Calling shutdown() on an SSL socket can lead to bad things
+    # Cause of http://metasploit.com/dev/trac/ticket/102
+  end
+
+  #
+  # Access to peer cert
+  #
+  def peer_cert
+    sslsock.peer_cert if sslsock
+  end
+
+  #
+  # Access to peer cert chain
+  #
+  def peer_cert_chain
+    sslsock.peer_cert_chain if sslsock
+  end
+
+  #
+  # Access to the current cipher
+  #
+  def cipher
+    sslsock.cipher if sslsock
+  end
+
+  #
+  # Prevent a sysread from the bare socket
+  #
+  def sysread(*args)
+    raise RuntimeError, "Invalid sysread() call on SSL socket"
+  end
+
+  #
+  # Prevent a sysread from the bare socket
+  #
+  def syswrite(*args)
+    raise RuntimeError, "Invalid syswrite() call on SSL socket"
+  end
+
+  #
+  # This flag determines whether to use the non-blocking openssl
+  # API calls when they are available. This is still buggy on
+  # Linux/Mac OS X, but is required on Windows
+  #
+  def allow_nonblock?
+    avail = self.sslsock.respond_to?(:accept_nonblock)
+    if avail and Rex::Compat.is_windows
+      return true
+    end
+    false
+  end
+
+  attr_reader :peer_verified # :nodoc:
+  attr_reader :ssl_negotiated_version # :nodoc:
+  attr_accessor :sslsock, :sslctx, :sslhash # :nodoc:
+
+  def type?
+    return 'tcp-ssl'
+  end
+
+protected
+
+  attr_writer :peer_verified # :nodoc:
+  attr_writer :ssl_negotiated_version # :nodoc:
+
+
+rescue LoadError
+end
+
+end
+

data/lib/rex/socket/ssl_tcp_server.rb

@@ -0,0 +1,220 @@
+# -*- coding: binary -*-
+require 'rex/socket'
+require 'rex/socket/tcp_server'
+require 'rex/io/stream_server'
+require 'rex/socket/x509_certificate'
+
+###
+#
+# This class provides methods for interacting with an SSL wrapped TCP server.  It
+# implements the StreamServer IO interface.
+#
+###
+module Rex::Socket::SslTcpServer
+
+  @@loaded_openssl = false
+
+  begin
+    require 'openssl'
+    @@loaded_openssl = true
+    require 'openssl/nonblock'
+  rescue ::Exception
+  end
+
+  include Rex::Socket::TcpServer
+
+  ##
+  #
+  # Factory
+  #
+  ##
+
+  def self.create(hash = {})
+    hash['Proto']  = 'tcp'
+    hash['Server'] = true
+    hash['SSL']    = true
+    self.create_param(Rex::Socket::Parameters.from_hash(hash))
+  end
+
+  #
+  # Wrapper around the base class' creation method that automatically sets
+  # the parameter's protocol to TCP and sets the server flag to true.
+  #
+  def self.create_param(param)
+    param.proto  = 'tcp'
+    param.server = true
+    param.ssl    = true
+    Rex::Socket.create_param(param)
+  end
+
+  def initsock(params = nil)
+    raise RuntimeError, 'No OpenSSL support' unless @@loaded_openssl
+
+    if params && params.sslctx && params.sslctx.kind_of?(OpenSSL::SSL::SSLContext)
+      self.sslctx = params.sslctx
+    else
+      self.sslctx  = makessl(params)
+    end
+
+    super
+  end
+
+  # (see TcpServer#accept)
+  def accept(opts = {})
+    sock = super()
+    return if not sock
+
+    begin
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
+
+      if not allow_nonblock?(ssl)
+        ssl.accept
+      else
+        begin
+          ssl.accept_nonblock
+
+        # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
+        rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
+            IO::select(nil, nil, nil, 0.10)
+            retry
+
+        # Ruby 1.9.2+ uses IO::WaitReadable/IO::WaitWritable
+        rescue ::Exception => e
+          if ::IO.const_defined?('WaitReadable') and e.kind_of?(::IO::WaitReadable)
+            IO::select( [ ssl ], nil, nil, 0.10 )
+            retry
+          end
+
+          if ::IO.const_defined?('WaitWritable') and e.kind_of?(::IO::WaitWritable)
+            IO::select( nil, [ ssl ], nil, 0.10 )
+            retry
+          end
+
+          raise e
+        end
+      end
+
+      sock.extend(Rex::Socket::SslTcp)
+      sock.sslsock = ssl
+      sock.sslctx  = self.sslctx
+
+      return sock
+
+    rescue ::OpenSSL::SSL::SSLError
+      sock.close
+      nil
+    end
+  end
+
+  #
+  # Parse a certificate in unified PEM format that contains a private key and
+  # one or more certificates. The first certificate is the primary, while any
+  # additional certificates are treated as intermediary certificates. This emulates
+  # the behavior of web servers like nginx.
+  #
+  # @param [String] ssl_cert
+  # @return [String, String, Array]
+  def self.ssl_parse_pem(ssl_cert)
+    Rex::Socket::X509Certificate.parse_pem(ssl_cert)
+  end
+
+  #
+  # Shim for the ssl_parse_pem module method
+  #
+  def ssl_parse_pem(ssl_cert)
+    Rex::Socket::SslTcpServer.ssl_parse_pem(ssl_cert)
+  end
+
+  #
+  # Generate a realistic-looking but obstensibly fake SSL
+  # certificate. This matches a typical "snakeoil" cert.
+  #
+  # @return [String, String, Array]
+  def self.ssl_generate_certificate
+    yr   = 24*3600*365
+    vf   = Time.at(Time.now.to_i - rand(yr * 3) - yr)
+    vt   = Time.at(vf.to_i + (10 * yr))
+    cn   = Rex::Text.rand_text_alpha_lower(rand(8)+2)
+    key  = OpenSSL::PKey::RSA.new(2048){ }
+    cert = OpenSSL::X509::Certificate.new
+    cert.version    = 2
+    cert.serial     = (rand(0xFFFFFFFF) << 32) + rand(0xFFFFFFFF)
+    cert.subject    = OpenSSL::X509::Name.new([["CN", cn]])
+    cert.issuer     = OpenSSL::X509::Name.new([["CN", cn]])
+    cert.not_before = vf
+    cert.not_after  = vt
+    cert.public_key = key.public_key
+
+    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
+    cert.extensions = [
+      ef.create_extension("basicConstraints","CA:FALSE")
+    ]
+    ef.issuer_certificate = cert
+
+    cert.sign(key, OpenSSL::Digest::SHA256.new)
+
+    [key, cert, nil]
+  end
+
+  #
+  # Shim for the ssl_generate_certificate module method
+  #
+  def ssl_generate_certificate
+    Rex::Socket::SslTcpServer.ssl_generate_certificate
+  end
+
+  #
+  # Create a new ssl context.  If +ssl_cert+ is not given, generates a new
+  # key and a leaf certificate with random values.
+  #
+  # @param [Rex::Socket::Parameters] params
+  # @return [::OpenSSL::SSL::SSLContext]
+  def makessl(params)
+
+    if params.ssl_cert
+      key, cert, chain = ssl_parse_pem(params.ssl_cert)
+    else
+      key, cert, chain = ssl_generate_certificate
+    end
+
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.key = key
+    ctx.cert = cert
+    ctx.extra_chain_cert = chain
+    ctx.options = 0
+
+    if params.ssl_cipher
+      ctx.ciphers = params.ssl_cipher
+    end
+
+    # Older versions of OpenSSL do not export the OP_NO_COMPRESSION symbol
+    if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      # enable/disable the SSL/TLS-level compression
+      if params.ssl_compression
+        ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
+      else
+        ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
+      end
+    end
+
+    ctx.session_id_context = Rex::Text.rand_text(16)
+
+    return ctx
+  end
+
+  #
+  # This flag determines whether to use the non-blocking openssl
+  # API calls when they are available. This is still buggy on
+  # Linux/Mac OS X, but is required on Windows
+  #
+  def allow_nonblock?(sock=self.sock)
+    avail = sock.respond_to?(:accept_nonblock)
+    if avail and Rex::Compat.is_windows
+      return true
+    end
+    false
+  end
+
+  attr_accessor :sslctx
+end
+