rex 2.0.5 → 2.0.7

data/lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -355,7 +355,13 @@ module PacketDispatcher
 
           begin
           if ! dispatch_inbound_packet(pkt)
-            # Only requeue packets newer than the timeout
+            # Keep Packets in the receive queue until a handler is registered
+            # for them. Packets will live in the receive queue for up to
+            # PacketTimeout, after which they will be dropped.
+            #
+            # A common reason why there would not immediately be a handler for
+            # a received Packet is in channels, where a connection may
+            # open and receive data before anything has asked to read.
             if (::Time.now.to_i - pkt.created_at.to_i < PacketTimeout)
               incomplete << pkt
             end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -69,7 +69,7 @@ class Console::CommandDispatcher::Core
     # whatever reason it is not adding core_migrate to its list of commands.
     # Use a dumb platform til it gets sorted.
     #if client.commands.include? "core_migrate"
-    if client.platform =~ /win/
+    if client.platform =~ /win/ || client.platform =~ /linux/
       c["migrate"] = "Migrate the server to another process"
     end
 
@@ -321,7 +321,11 @@ class Console::CommandDispatcher::Core
   end
 
   def cmd_migrate_help
-    print_line "Usage: migrate <pid>"
+    if client.platform =~ /linux/
+      print_line "Usage: migrate <pid> [writable_path]"
+    else
+      print_line "Usage: migrate <pid>"
+    end
     print_line
     print_line "Migrates the server instance to another process."
     print_line "NOTE: Any open channels or other dynamic state will be lost."
@@ -331,7 +335,8 @@ class Console::CommandDispatcher::Core
   #
   # Migrates the server to the supplied process identifier.
   #
-  # @param args [Array<String>] Commandline arguments, only -h or a pid
+  # @param args [Array<String>] Commandline arguments, -h or a pid. On linux
+  #   platforms a path for the unix domain socket used for IPC.
   # @return [void]
   def cmd_migrate(*args)
     if ( args.length == 0 or args.include?("-h") )
@@ -345,6 +350,10 @@ class Console::CommandDispatcher::Core
       return
     end
 
+    if client.platform =~ /linux/
+      writable_dir = (args.length >= 2) ? args[1] : nil
+    end
+
     begin
       server = client.sys.process.open
     rescue TimeoutError => e
@@ -385,7 +394,11 @@ class Console::CommandDispatcher::Core
     server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}")
 
     # Do this thang.
-    client.core.migrate(pid)
+    if client.platform =~ /linux/
+      client.core.migrate(pid, writable_dir)
+    else
+      client.core.migrate(pid)
+    end
 
     print_status("Migration completed successfully.")
 

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -503,10 +503,17 @@ class Console::CommandDispatcher::Stdapi::Fs
           client.framework.events.on_session_upload(client, src, dest) if msf_loaded?
         }
       elsif (stat.file?)
-        client.fs.file.upload(dest, src) { |step, src, dst|
-          print_status("#{step.ljust(11)}: #{src} -> #{dst}")
-          client.framework.events.on_session_upload(client, src, dest) if msf_loaded?
-        }
+        if client.fs.file.exists?(dest) and client.fs.file.stat(dest).directory?
+          client.fs.file.upload(dest, src) { |step, src, dst|
+            print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+            client.framework.events.on_session_upload(client, src, dest) if msf_loaded?
+          }
+        else
+          client.fs.file.upload_file(dest, src) { |step, src, dst|
+            print_status("#{step.ljust(11)}: #{src} -> #{dst}")
+            client.framework.events.on_session_upload(client, src, dest) if msf_loaded?
+          }
+        end
       end
     }
 

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb

@@ -150,7 +150,7 @@ class Console::CommandDispatcher::Stdapi::Ui
         when "-p"
           path = val
         when "-v"
-          view = false if ( val =~ /^(f|n|0)/i )
+          view = true if ( val =~ /^(t|y|1)/i )
       end
     }
 

data/lib/rex/proto.rb

@@ -5,6 +5,8 @@ require 'rex/proto/ntlm'
 require 'rex/proto/dcerpc'
 require 'rex/proto/drda'
 require 'rex/proto/iax2'
+require 'rex/proto/kerberos'
+require 'rex/proto/rmi'
 
 module Rex
 module Proto

data/lib/rex/proto/acpp.rb

@@ -0,0 +1,17 @@
+# -*- coding: binary -*-
+#
+# Support for the protocol used by Apple Airport products, typically on
+# 5009/TCP.  This protocol is not documented and doesn't appear to have a name,
+# so I'm calling it ACPP because that is the protocol header.
+#
+
+require 'rex/proto/acpp/client'
+require 'rex/proto/acpp/message'
+
+module Rex
+  module Proto
+    module ACPP
+      DEFAULT_PORT = 5009
+    end
+  end
+end

data/lib/rex/proto/acpp/client.rb

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+##
+# ACPP protocol support
+##
+
+module Rex
+module Proto
+module ACPP
+
+class Client
+
+  def initialize(sock, opts = {})
+    @sock = sock
+    @opts = opts
+  end
+
+  def authenticate(password = 'public')
+    login = Message.new
+    login.password = password
+    login.type = 20
+    @sock.put(login.to_s)
+    # TODO: the checksum never validates here
+    Message.decode(@sock.get_once(128), false)
+  end
+end
+end
+end
+end

data/lib/rex/proto/acpp/message.rb

@@ -0,0 +1,183 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module ACPP
+  # From what I've been able to gather from the very limited findings on the
+  # web about this protocol, playing with it against a real Airport device and
+  # referencing the airport-utils package in Debian/Ubuntu, the format of (at
+  # least) the login message is:
+  #
+  # acpp            # the header tag, always exactly acpp (4 bytes)
+  # unknown1        # unknown 4-byte field.  Almost always 0x00000001
+  # messageChecksum # checksum of the message, 4 bytes
+  # payloadChecksum # checksum of the payload, 4 bytes
+  # payloadSize     # size of the payload, 4 bytes
+  # unknown2        # unknown 8-byte field.  probably some sort of
+  #                   request/response identifier.  generally 0 for requests, 1 for replies
+  # messageType     # the type of message, 4 bytes.  see below.
+  # status          # the status of this message, 4 bytes.
+  #                   generally 0 for success and !0 for failure.
+  # unknown3        # unknown 12-byte field, seemingly always 0.  Probably 'reserved'
+  # password        # 32-byte password, 'encrypted' by XOR'ing it with a 256-byte static key (see XOR_KEY)
+  # unknown4        # unknown 48-byte field, always 0.
+  #
+  # There are several possible message types:
+  #
+  #   * 20 -- retrieve settings (payload is some list of settings to obtain)
+  #   * 21 -- update setttings (and if the 'acRB' setting is set, it reboots)
+  #   * 3  -- Upload firmware
+  #
+  # TODO: if you find more, add them above.
+  #
+  # When the message type is anything other than 20 or 3, payloadSize is set to -1 and
+  # payloadChecksum is set to 1.  It may be a bug that 21 doesn't look at the
+  # checksum.  Adler32 is used to compute the checksum.
+  #
+  # The message payload is a bit of an unknown right now, as it *seems* like
+  # the payload always comes in a subsequent request.  Simply appending
+  # a payload to the existing message does not appear to work (but this needs
+  # more testing)
+
+  # This was taken from airport-util's AirportInforRecord for ease of copying, but can
+  # also be obtained by XOR'ing the null-padded known plain text with the appropriate 32-byte
+  # ciphertext from an airport-util request
+  XOR_KEY = [
+    14, 57, -8, 5, -60, 1, 85, 79, 12, -84,
+    -123, 125, -122, -118, -75, 23, 62, 9, -56, 53,
+    -12, 49, 101, 127, 60, -100, -75, 109, -106, -102,
+    -91, 7, 46, 25, -40, 37, -28, 33, 117, 111,
+    44, -116, -91, -99, 102, 106, 85, -9, -34, -23,
+    40, -43, 20, -47, -123, -97, -36, 124, 85, -115,
+    118, 122, 69, -25, -50, -7, 56, -59, 4, -63,
+    -107, -113, -52, 108, 69, -67, 70, 74, 117, -41,
+    -2, -55, 8, -11, 52, -15, -91, -65, -4, 92,
+    117, -83, 86, 90, 101, -57, -18, -39, 24, -27,
+    36, -31, -75, -81, -20, 76, 101, -35, 38, 42,
+    21, -73, -98, -87, 104, -107, 84, -111, -59, -33,
+    -100, 60, 21, -51, 54, 58, 5, -89, -114, -71,
+    120, -123, 68, -127, -43, -49, -116, 44, 5, -3,
+    6, 10, 53, -105, -66, -119, 72, -75, 116, -79,
+    -27, -1, -68, 28, 53, -19, 22, 26, 37, -121,
+    -82, -103, 88, -91, 100, -95, -11, -17, -84, 12,
+    37, 29, -26, -22, -43, 119, 94, 105, -88, 85,
+    -108, 81, 5, 31, 92, -4, -43, 13, -10, -6,
+    -59, 103, 78, 121, -72, 69, -124, 65, 21, 15,
+    76, -20, -59, 61, -58, -54, -11, 87, 126, 73,
+    -120, 117, -76, 113, 37, 63, 124, -36, -11, 45,
+    -42, -38, -27, 71, 110, 89, -104, 101, -92, 97,
+    53, 47, 108, -52, -27, 93, -90, -86, -107, 55,
+    30, 41, -24, 21, -44, 17, 69, 95, 28, -68,
+    -107, 77, -74, -70, -123, 39
+  ].pack("C*")
+
+  class Message
+    # @return [Integer] the type of this message
+    attr_accessor :type
+    # @return [String] the password to attempt to authenticate with
+    attr_accessor :password
+    # @return [String] the optional message payload
+    attr_accessor :payload
+    # @return [Integer] the status of this message
+    attr_accessor :status
+
+    def initialize
+      @payload = ''
+      @type = 0
+      @status = 0
+      @password = ''
+      @unknown1 = 1
+      @unknown2 = ''
+      @unknown3 = ''
+      @unknown4 = ''
+    end
+
+    # Determines if this message has a successful status code
+    #
+    # @return [Boolean] true iff @status is 0, false otherwise
+    def successful?
+      @status == 0
+    end
+
+    # Get this Message as a String
+    #
+    # @return [String] the string representation of this Message
+    def to_s
+      with_checksum(Zlib.adler32(with_checksum(0)))
+    end
+
+    # Compares this Message and another Message for equality
+    #
+    # @param other [Message] the Message to compare
+    # @return [Boolean] true iff the two messages are equal, false otherwise
+    def ==(other)
+      other.type == @type &&
+        other.status == @status &&
+        other.password == @password &&
+        other.payload == @payload
+    end
+
+    # Decodes the provided data into a Message
+    #
+    # @param data [String] the data to parse as a Message
+    # @param validate_checksum [Boolean] true to validate the message and
+    #   payload checksums, false to not.  Defaults to true.
+    # @return [Message] the decoded Message
+    def self.decode(data, validate_checksum = true)
+      data = data.dup
+      fail "Incorrect ACPP message size #{data.size} -- must be 128" unless data.size == 128
+      fail 'Unexpected header' unless 'acpp' == data.slice!(0, 4)
+      _unknown1 = data.slice!(0, 4)
+      read_message_checksum = data.slice!(0, 4).unpack('N').first
+      read_payload_checksum = data.slice!(0, 4).unpack('N').first
+      _read_payload_size = data.slice!(0, 4).unpack('N').first
+      _unknown2 = data.slice!(0, 8)
+      type = data.slice!(0, 4).unpack('N').first
+      status = data.slice!(0, 4).unpack('N').first
+      _unknown3 = data.slice!(0, 12)
+      password = Rex::Encoding::Xor::Generic.encode(data.slice!(0, 32), XOR_KEY).first.strip
+      _unknown4 = data.slice!(0, 48)
+      payload = data
+      m = new
+      m.type = type
+      m.password = password
+      m.status = status
+      m.payload = payload
+
+      # we can now validate the checksums if desired
+      if validate_checksum
+        actual_message_checksum = Zlib.adler32(m.with_checksum(0))
+        if actual_message_checksum != read_message_checksum
+          fail "Invalid message checksum (expected #{read_message_checksum}, calculated #{actual_message_checksum})"
+        end
+        # I'm not sure this can ever happen -- if the payload checksum is wrong, then the
+        # message checksum will also be wrong.  So, either I misunderstand the protocol
+        # or having two checksums is useless
+        actual_payload_checksum = Zlib.adler32(payload)
+        if actual_payload_checksum != read_payload_checksum
+          fail "Invalid payload checksum (expected #{read_payload_checksum}, calculated #{actual_payload_checksum})"
+        end
+      end
+      m
+    end
+
+    def with_checksum(message_checksum)
+      [
+        'acpp',
+        @unknown1,
+        message_checksum,
+        Zlib.adler32(@payload),
+        @payload.size,
+        @unknown2,
+        @type,
+        @status,
+        @unknown3,
+        Rex::Encoding::Xor::Generic.encode([@password].pack('a32').slice(0, 32), XOR_KEY).first,
+        @unknown4,
+        payload
+      ].pack('a4NNNNa8NNa12a32a48a*')
+    end
+  end
+end
+end
+end

data/lib/rex/proto/http/client.rb

@@ -86,7 +86,7 @@ class Client
       typ = self.config_types[var] || 'string'
 
       # These are enum types
-      if(typ.class.to_s == 'Array')
+      if typ.is_a?(Array)
         if not typ.include?(val)
           raise RuntimeError, "The specified value for #{var} is not one of the valid choices"
         end
@@ -719,4 +719,3 @@ end
 end
 end
 end
-

data/lib/rex/proto/iax2/call.rb

@@ -72,7 +72,14 @@ class Call
     end
 
     chall = nil
-    if res[2][14] == "\x00\x03" and res[2][IAX_IE_CHALLENGE_DATA]
+
+    # Look for IAX_AUTH_MD5 (2) as an available auth method
+    if res[2][14].unpack("n")[0] & 2 <= 0
+      dprint("REGAUTH: MD5 authentication is not enabled on the server")
+      return
+    end
+
+    if res[2][IAX_IE_CHALLENGE_DATA]
       self.dcall = res[0][0]
       chall = res[2][IAX_IE_CHALLENGE_DATA]
     end
@@ -114,9 +121,21 @@ class Call
     # Handle authentication if its requested
     if res[1] == IAX_SUBTYPE_AUTHREQ
       chall = nil
-      if res[2][14] == "\x00\x03" and res[1][15]
+
+      # Look for IAX_AUTH_MD5 (2) as an available auth method
+      if res[2][14].unpack("n")[0] & 2 <= 0
+        dprint("REGAUTH: MD5 authentication is not enabled on the server")
+        return
+      end
+
+      if res[2][IAX_IE_CHALLENGE_DATA]
         self.dcall = res[0][0]
-        chall = res[2][15]
+        chall = res[2][IAX_IE_CHALLENGE_DATA]
+      end
+
+      if chall.nil?
+        dprint("REGAUTH: No challenge data received")
+        return
       end
 
       self.client.send_authrep_chall_response(self, chall)

data/lib/rex/proto/iax2/client.rb

@@ -34,6 +34,7 @@ class Client
     self.server_port   = opts[:server_port]
     self.username      = opts[:username]
     self.password      = opts[:password]
+    self.debugging     = opts[:debugging]
 
     self.sock = Rex::Socket::Udp.create(
       'PeerHost' => self.server_host,

data/lib/rex/proto/kerberos.rb

@@ -0,0 +1,13 @@
+# -*- coding: binary -*-
+
+# Kerberos 5 implementation according to RFC 1510
+
+require 'openssl'
+require 'rex/socket'
+require 'rex/text'
+require 'rex/proto/kerberos/crypto'
+require 'rex/proto/kerberos/pac'
+require 'rex/proto/kerberos/model'
+require 'rex/proto/kerberos/client'
+require 'rex/proto/kerberos/credential_cache'
+

data/lib/rex/proto/kerberos/client.rb

@@ -0,0 +1,213 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      # This class is a representation of a kerberos client.
+      class Client
+        # @!attribute host
+        #   @return [String] The kerberos server host
+        attr_accessor :host
+        # @!attribute port
+        #   @return [Fixnum] The kerberos server port
+        attr_accessor :port
+        # @!attribute timeout
+        #   @return [Fixnum] The connect / read timeout
+        attr_accessor :timeout
+        # @todo Support UDP
+        # @!attribute protocol
+        #   @return [String] The transport protocol used (tcp/udp)
+        attr_accessor :protocol
+        # @!attribute connection
+        #   @return [IO] The connection established through Rex sockets
+        attr_accessor :connection
+        # @!attribute context
+        #   @return [Hash] The Msf context where the connection belongs to
+        attr_accessor :context
+
+        def initialize(opts = {})
+          self.host = opts[:host]
+          self.port     = (opts[:port] || 88).to_i
+          self.timeout  = (opts[:timeout] || 10).to_i
+          self.protocol = opts[:protocol] || 'tcp'
+          self.context  = opts[:context] || {}
+        end
+
+        # Creates a connection through a Rex socket
+        #
+        # @return [Rex::Socket::Tcp]
+        # @raise [RuntimeError] if the connection can not be created
+        def connect
+          return connection if connection
+
+          case protocol
+          when 'tcp'
+            self.connection = create_tcp_connection
+          when 'udp'
+            raise ::NotImplementedError, 'Kerberos Client: UDP not supported'
+          else
+            raise ::RuntimeError, 'Kerberos Client: unknown transport protocol'
+          end
+
+          connection
+        end
+
+        # Closes the connection
+        def close
+          if connection
+            connection.shutdown
+            connection.close unless connection.closed?
+          end
+
+          self.connection = nil
+        end
+
+        # Sends a kerberos request through the connection
+        #
+        # @param req [Rex::Proto::Kerberos::Model::KdcRequest] the request to send
+        # @return [Fixnum] the number of bytes sent
+        # @raise [RuntimeError] if the transport protocol is unknown
+        # @raise [NotImplementedError] if the transport protocol isn't supported
+        def send_request(req)
+          connect
+
+          sent = 0
+          case protocol
+          when 'tcp'
+            sent = send_request_tcp(req)
+          when 'udp'
+            sent = send_request_udp(req)
+          else
+            raise ::RuntimeError, 'Kerberos Client: unknown transport protocol'
+          end
+
+          sent
+        end
+
+        # Receives a kerberos response through the connection
+        #
+        # @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] the kerberos
+        #   response message
+        # @raise [RuntimeError] if the connection isn't established, the transport protocol is unknown, not supported
+        #   or the response can't be parsed
+        # @raise [NotImplementedError] if the transport protocol isn't supported
+        def recv_response
+          if connection.nil?
+            raise ::RuntimeError, 'Kerberos Client: connection not established'
+          end
+
+          res = nil
+          case protocol
+          when 'tcp'
+            res = recv_response_tcp
+          when 'udp'
+            res = recv_response_udp
+          else
+            raise ::RuntimeError, 'Kerberos Client: unknown transport protocol'
+          end
+
+          res
+        end
+
+        # Sends a kerberos request, and reads the response through the connection
+        #
+        # @param req [Rex::Proto::Kerberos::Model::KdcRequest] the request to send
+        # @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] The kerberos message
+        # @raise [RuntimeError] if the transport protocol is unknown or the response can't be parsed.
+        # @raise [NotImplementedError] if the transport protocol isn't supported
+        def send_recv(req)
+          send_request(req)
+          res = recv_response
+
+          res
+        end
+
+        private
+
+        # Creates a TCP connection using Rex::Socket::Tcp
+        #
+        # @return [Rex::Socket::Tcp]
+        def create_tcp_connection
+          self.connection = Rex::Socket::Tcp.create(
+            'PeerHost'   => host,
+            'PeerPort'   => port.to_i,
+            'Context'    => context,
+            'Timeout'    => timeout
+          )
+        end
+
+        # Sends a Kerberos Request over a tcp connection
+        #
+        # @param req [Rex::Proto::Kerberos::Model::KdcRequest] the request to send
+        # @return [Fixnum] the number of bytes sent
+        # @raise [RuntimeError] if the request can't be encoded
+        def send_request_tcp(req)
+          data = req.encode
+          length = [data.length].pack('N')
+          connection.put(length + data)
+        end
+
+        # UDP isn't supported
+        #
+        # @raise [NotImplementedError]
+        def send_request_udp(req)
+          raise ::NotImplementedError, 'Kerberos Client: UDP unsupported'
+        end
+
+        # Receives a Kerberos Response over a tcp connection
+        #
+        # @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] the kerberos message response
+        # @raise [RuntimeError] if the response can't be processed
+        # @raise [EOFError] if expected data can't be read
+        def recv_response_tcp
+          length_raw = connection.get_once(4, timeout)
+          unless length_raw && length_raw.length == 4
+            raise ::RuntimeError, 'Kerberos Client: failed to read response'
+          end
+          length = length_raw.unpack('N')[0]
+
+          data = connection.get_once(length, timeout)
+          unless data && data.length == length
+            raise ::RuntimeError, 'Kerberos Client: failed to read response'
+          end
+
+          res = decode_kerb_response(data)
+
+          res
+        end
+
+        # UDP isn't supported
+        #
+        # @raise [NotImplementedError]
+        def recv_response_udp
+          raise ::NotImplementedError, 'Kerberos Client: UDP unsupported'
+        end
+
+        private
+
+        # Decodes a Kerberos response
+        #
+        # @param input [String] the raw response message
+        # @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] the kerberos message response
+        # @raise [RuntimeError] if the response can't be processed
+        def decode_kerb_response(data)
+          asn1 = OpenSSL::ASN1.decode(data)
+          msg_type = asn1.value[0].value[1].value[0].value
+
+          case msg_type
+          when Rex::Proto::Kerberos::Model::KRB_ERROR
+            res = Rex::Proto::Kerberos::Model::KrbError.decode(asn1)
+          when Rex::Proto::Kerberos::Model::AS_REP
+            res = Rex::Proto::Kerberos::Model::KdcResponse.decode(asn1)
+          when Rex::Proto::Kerberos::Model::TGS_REP
+            res = Rex::Proto::Kerberos::Model::KdcResponse.decode(asn1)
+          else
+            raise ::RuntimeError, 'Kerberos Client: Unknown response'
+          end
+
+          res
+        end
+      end
+    end
+  end
+end