rex 2.0.4 → 2.0.5

data/lib/rex/proto/kademlia.rb

@@ -0,0 +1,8 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/kademlia/bootstrap_request'
+require 'rex/proto/kademlia/bootstrap_response'
+require 'rex/proto/kademlia/message'
+require 'rex/proto/kademlia/ping'
+require 'rex/proto/kademlia/pong'
+require 'rex/proto/kademlia/util'

data/lib/rex/proto/kademlia/bootstrap_request.rb

@@ -0,0 +1,19 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/kademlia/message'
+
+module Rex
+module Proto
+module Kademlia
+  # Opcode for a BOOTSTRAP request
+  BOOTSTRAP_REQUEST = 0x01
+
+  # A Kademlia bootstrap request message
+  class BootstrapRequest < Message
+    def initialize
+      super(BOOTSTRAP_REQUEST)
+    end
+  end
+end
+end
+end

data/lib/rex/proto/kademlia/bootstrap_response.rb

@@ -0,0 +1,79 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/kademlia/message'
+require 'rex/proto/kademlia/util'
+
+module Rex
+module Proto
+module Kademlia
+  # Opcode for a bootstrap response
+  BOOTSTRAP_RESPONSE = 0x09
+
+  # A Kademlia bootstrap response message
+  class BootstrapResponse < Message
+    # @return [String] the ID of the peer that send the bootstrap response
+    attr_reader :peer_id
+    # @return [Integer] the TCP port that the responding peer is listening on
+    attr_reader :tcp_port
+    # @return [Integer] the version of this peer
+    attr_reader :version
+    # @return [Array<Hash<String, Object>>] the peer ID, IP address, UDP/TCP ports and version of each peer
+    attr_reader :peers
+
+    # Constructs a new bootstrap response
+    #
+    # @param peer_id [String] the ID of this peer
+    # @param tcp_port [Integer] the TCP port that this peer is listening on
+    # @param version [Integer] the version of this peer
+    # @param peers [Array<Hash<String, Object>>] the peer ID, IP address, UDP/TCP ports and version of each peer
+    def initialize(peer_id, tcp_port, version, peers)
+      @peer_id = peer_id
+      @tcp_port = tcp_port
+      @version = version
+      @peers = peers
+    end
+
+    # The minimum size of a peer in a KADEMLIA2_BOOTSTRAP_RES message:
+    # peer ID (16-bytes), IP (4 bytes), UDP port (2 bytes), TCP port (2 bytes)
+    # and version (1 byte)
+    BOOTSTRAP_PEER_SIZE = 25
+
+    # Builds a bootstrap response from given data
+    #
+    # @param data [String] the data to decode
+    # @return [BootstrapResponse] the bootstrap response if the data is valid, nil otherwise
+    def self.from_data(data)
+      message = Message.from_data(data)
+      # abort if this isn't a valid response
+      return unless message
+      return unless message.type == BOOTSTRAP_RESPONSE
+      return unless message.body.size >= 23
+      bootstrap_peer_id = Rex::Proto::Kademlia.decode_peer_id(message.body.slice!(0, 16))
+      bootstrap_tcp_port, bootstrap_version, num_peers = message.body.slice!(0, 5).unpack('vCv')
+      # protocol says there are no peers and the body confirms this, so just return with no peers
+      if num_peers == 0 && message.body.blank?
+        peers = []
+      else
+        peers_data = message.body
+        # peers data is too long/short, abort
+        return if peers_data.size % BOOTSTRAP_PEER_SIZE != 0
+        peers = []
+        until peers_data.blank?
+          peer_data = peers_data.slice!(0, BOOTSTRAP_PEER_SIZE)
+          peer_id = Rex::Proto::Kademlia.decode_peer_id(peer_data.slice!(0, 16))
+          ip, udp_port, tcp_port, version = peer_data.unpack('VvvC')
+          peers << {
+            id: peer_id,
+            ip: Rex::Socket.addr_itoa(ip),
+            tcp_port: tcp_port,
+            udp_port: udp_port,
+            version: version
+          }
+        end
+      end
+      BootstrapResponse.new(bootstrap_peer_id, bootstrap_tcp_port, bootstrap_version, peers)
+    end
+  end
+end
+end
+end

data/lib/rex/proto/kademlia/message.rb

@@ -0,0 +1,72 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+##
+#
+# Minimal support for the newer Kademlia protocol, referred to here and often
+# elsewhere as Kademlia2.  It is unclear how this differs from the old protocol.
+#
+# Protocol details are hard to come by because most documentation is academic
+# in nature and glosses over the low-level network details.  The best
+# documents I found on the protocol are:
+#
+# http://gbmaster.wordpress.com/2013/05/05/botnets-surrounding-us-an-initial-focus-on-kad/
+# http://gbmaster.wordpress.com/2013/06/16/botnets-surrounding-us-sending-kademlia2_bootstrap_req-kademlia2_hello_req-and-their-strict-cousins/
+# http://gbmaster.wordpress.com/2013/11/23/botnets-surrounding-us-performing-requests-sending-out-kademlia2_req-and-asking-contact-where-art-thou/
+#
+##
+module Kademlia
+  # A simple Kademlia message
+  class Message
+    # The header that non-compressed Kad messages use
+    STANDARD_PACKET = 0xE4
+    # The header that compressed Kad messages use, which is currently unsupported
+    COMPRESSED_PACKET = 0xE5
+
+    # @return [Integer] the message type
+    attr_reader :type
+    # @return [String] the message body
+    attr_reader :body
+
+    # Construct a new Message from the provided type and body
+    #
+    # @param type [String] the message type
+    # @param body [String] the message body
+    def initialize(type, body = '')
+      @type = type
+      @body = body
+    end
+
+    # Construct a new Message from the provided data
+    #
+    # @param data [String] the data to interpret as a Kademlia message
+    # @return [Message] the message if valid, nil otherwise
+    def self.from_data(data)
+      return if data.length < 2
+      header, type = data.unpack('CC')
+      if header == COMPRESSED_PACKET
+        fail NotImplementedError, "Unable to handle #{data.length}-byte compressed Kademlia message"
+      end
+      return if header != STANDARD_PACKET
+      Message.new(type, data[2, data.length])
+    end
+
+    # Get this Message as a String
+    #
+    # @return [String] the string representation of this Message
+    def to_str
+      [STANDARD_PACKET, @type].pack('CC') + @body
+    end
+
+    # Compares this Message and another Message for equality
+    #
+    # @param other [Message] the Message to compare
+    # @return [Boolean] true iff the two messages have equal types and bodies, false otherwise
+    def ==(other)
+      type == other.type && body == other.body
+    end
+  end
+end
+end
+end

data/lib/rex/proto/kademlia/ping.rb

@@ -0,0 +1,19 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/kademlia/message'
+
+module Rex
+module Proto
+module Kademlia
+  # Opcode for a PING request
+  PING = 0x60
+
+  # A Kademlia ping message.
+  class Ping < Message
+    def initialize
+      super(PING)
+    end
+  end
+end
+end
+end

data/lib/rex/proto/kademlia/pong.rb

@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/kademlia/message'
+
+module Rex
+module Proto
+module Kademlia
+  # Opcode for a PING response
+  PONG = 0x61
+
+  # A Kademlia pong message.
+  class Pong < Message
+    # @return [Integer] the source port from which the PING was received
+    attr_reader :port
+
+    def initialize(port = nil)
+      super(PONG)
+      @port = port
+    end
+
+    # Builds a pong from given data
+    #
+    # @param data [String] the data to decode
+    # @return [Pong] the pong if the data is valid, nil otherwise
+    def self.from_data(data)
+      message = super(data)
+      return if message.type != PONG
+      return if message.body.size != 2
+      Pong.new(message.body.unpack('v')[0])
+    end
+
+    # Get this Pong as a String
+    #
+    # @return [String] the string representation of this Pong
+    def to_str
+      super + [@port].pack('v')
+    end
+  end
+end
+end
+end

data/lib/rex/proto/kademlia/util.rb

@@ -0,0 +1,22 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module Kademlia
+  # Decodes an on-the-wire representation of a Kademlia peer to its 16-character hex equivalent
+  #
+  # @param bytes [String] the on-the-wire representation of a Kademlia peer
+  # @return [String] the peer ID if valid, nil otherwise
+  def self.decode_peer_id(bytes)
+    peer_id = 0
+    return nil unless bytes.size == 16
+    bytes.unpack('VVVV').map { |p| peer_id = ((peer_id << 32) ^ p) }
+    peer_id.to_s(16).upcase
+  end
+
+  # TODO
+  # def encode_peer_id(id)
+  # end
+end
+end
+end

data/lib/rex/proto/natpmp/packet.rb

@@ -3,8 +3,6 @@
 #
 # NAT-PMP protocol support
 #
-# by Jon Hart <jhart@spoofed.org>
-#
 ##
 
 module Rex
@@ -16,6 +14,20 @@ module NATPMP
     [ 0, 0 ].pack('nn')
   end
 
+  def get_external_address(udp_sock, host, port, timeout=1)
+    vprint_status("#{host}:#{port} - Probing NAT-PMP for external address")
+    udp_sock.sendto(external_address_request, host, port, 0)
+    external_address = nil
+    while (r = udp_sock.recvfrom(12, timeout) and r[1])
+      (ver, op, result, epoch, external_address) = parse_external_address_response(r[0])
+      if external_address
+        vprint_good("#{host}:#{port} - NAT-PMP external address is #{external_address}")
+        break
+      end
+    end
+    external_address
+  end
+
   # Parse a NAT-PMP external address response +resp+.
   # Returns the decoded parts of the response as an array.
   def parse_external_address_response(resp)
@@ -23,6 +35,21 @@ module NATPMP
     [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
   end
 
+  def map_port(udp_sock, host, port, int_port, ext_port, protocol, lifetime, timeout=1)
+    vprint_status("#{host}:#{port} - Sending NAT-PMP mapping request")
+    # build the mapping request
+    req = map_port_request(int_port, ext_port,
+      Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), datastore['LIFETIME'])
+    # send it
+    udp_sock.sendto(req, host, datastore['RPORT'], 0)
+    # handle the reply
+    while (r = udp_sock.recvfrom(16, timeout) and r[1])
+      (_, _, result, _, _, actual_ext_port, _) = parse_map_port_response(r[0])
+      return (result == 0 ? actual_ext_port : nil)
+    end
+    nil
+  end
+
   # Return a NAT-PMP request to map remote port +rport+/+protocol+ to local port +lport+ for +lifetime+ ms
   def map_port_request(lport, rport, protocol, lifetime)
     [ Rex::Proto::NATPMP::Version, # version
@@ -39,6 +66,7 @@ module NATPMP
   def parse_map_port_response(resp)
     resp.unpack("CCnNnnN")
   end
+
 end
 
 end

data/lib/rex/proto/quake.rb

@@ -0,0 +1,3 @@
+# -*- coding: binary -*-
+
+require 'rex/proto/quake/message'

data/lib/rex/proto/quake/message.rb

@@ -0,0 +1,73 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+##
+#
+# Quake 3 protocol, taken from ftp://ftp.idsoftware.com/idstuff/quake3/docs/server.txt
+#
+##
+module Quake
+  HEADER = 0xFFFFFFFF
+
+  def decode_message(message)
+    # minimum size is header (4) + <command> + <stuff>
+    return if message.length < 7
+    header = message.unpack('N')[0]
+    return if header != HEADER
+    message[4, message.length]
+  end
+
+  def encode_message(payload)
+    [HEADER].pack('N') + payload
+  end
+
+  def getstatus
+    encode_message('getstatus')
+  end
+
+  def getinfo
+    encode_message('getinfo')
+  end
+
+  def decode_infostring(infostring)
+    # decode an "infostring", which is just a (supposedly) quoted string of tokens separated
+    # by backslashes, generally terminated with a newline
+    token_re = /([^\\]+)\\([^\\]+)/
+    return nil unless infostring =~ token_re
+    # remove possibly present leading/trailing double quote
+    infostring.gsub!(/(?:^"|"$)/, '')
+    # remove the trailing \n, if present
+    infostring.gsub!(/\n$/, '')
+    # split on backslashes and group into key value pairs
+    infohash = {}
+    infostring.scan(token_re).each do |kv|
+      infohash[kv.first] = kv.last
+    end
+    infohash
+  end
+
+  def decode_response(message, type)
+    resp = decode_message(message)
+    if /^print\n(?<error>.*)\n?/m =~ resp
+      # XXX: is there a better exception to throw here?
+      fail ::ArgumentError, "#{type} error: #{error}"
+    # why doesn't this work?
+    # elsif /^#{type}Response\n(?<infostring>.*)/m =~ resp
+    elsif resp =~ /^#{type}Response\n(.*)/m
+      decode_infostring(Regexp.last_match(1))
+    else
+      nil
+    end
+  end
+
+  def decode_status(message)
+    decode_response(message, 'status')
+  end
+
+  def decode_info(message)
+    decode_response(message, 'info')
+  end
+end
+end
+end

data/lib/rex/proto/smb/client.rb

@@ -1872,6 +1872,7 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
 
   # Enumerates a specific path on the mounted tree
   def find_first(path)
+    sid = nil
     files = { }
     parm = [
       26,  # Search for ALL files

data/lib/rex/proto/smb/simpleclient.rb

@@ -66,6 +66,10 @@ attr_accessor :socket, :client, :direct, :shares, :last_share
 
       self.client.spnopt = spnopt
 
+      # In case the user unsets the password option, we make sure this is
+      # always a string
+      pass ||= ''
+
       ok = self.client.session_setup(user, pass, domain)
     rescue ::Interrupt
       raise $!

data/lib/rex/proto/sunrpc/client.rb

@@ -6,10 +6,21 @@ module Rex
 module Proto
 module SunRPC
 
+class RPCError < ::StandardError
+  def initialize(msg = 'RPC operation failed')
+    super
+    @msg = msg
+  end
+
+  def to_s
+    @msg
+  end
+end
+
 class RPCTimeout < ::Interrupt
-   def initialize(msg = 'Operation timed out.')
-      @msg = msg
-   end
+  def initialize(msg = 'Operation timed out.')
+    @msg = msg
+  end
 
   def to_s
     @msg