rex 2.0.9 → 2.0.10

data/lib/rex/parser/fusionvm_nokogiri.rb

@@ -59,7 +59,7 @@ module Parser
     unless in_tag("JobOrder")
       case name
       when "OS"
-        unless @host.nil? or @text.blank?
+        unless @host.nil? or @text.to_s.empty?
           tnote = {
             :type       => "host.os.fusionvm_fingerprint",
             :data       => { :os => @text.strip },
@@ -86,7 +86,7 @@ module Parser
       when "CVE"
         @vuln[:refs] << "CVE-#{@text.strip}"
       when "References"
-        unless @text.blank?
+        unless @text.to_s.empty?
           @text.split(' ').each do |ref|
             next unless ref.start_with? "http"
             if ref =~ /MS\d{2}-\d{3}/

data/lib/rex/parser/ini.rb

@@ -49,14 +49,7 @@ class Ini < Hash
     end
   end
 
-  #
-  # Enumerates the groups hash keys.
-  #
-  def each_group(&block)
-    self.keys.each { |k|
-      yield
-    }
-  end
+  alias each_group each_key
 
   #
   # Adds a group of the supplied name if it doesn't already exist.

data/lib/rex/parser/nokogiri_doc_mixin.rb

@@ -200,6 +200,11 @@ module Parser
       return attr_pairs
     end
 
+    # Removes HTML from a string
+    def strip_html_tags(text)
+      return text.gsub!(/(<[^>]*>)|\n|\t/s) {" "}
+    end
+
     # This breaks xml-encoded characters, so need to append.
     # It's on the end_element tag name to turn the appending
     # off and clear out the data.

data/lib/rex/payloads/meterpreter/config.rb

@@ -120,6 +120,20 @@ private
     extension_data = [ ext.length, ext ].pack('VA*')
   end
 
+  def extension_init_block(name, value)
+    # for now, we're going to blindly assume that the value is a path to a file
+    # which contains the data that gets passed to the extension
+    content = ::File.read(value)
+    data = [
+      name,
+      "\x00",
+      content.length,
+      content
+    ]
+
+    data.pack('A*A*VA*')
+  end
+
   def config_block
     # start with the session information
     config = session_block(@opts)
@@ -142,12 +156,17 @@ private
     end
 
     # terminate the extensions with a 0 size
-    if is_x86?
-      config << [0].pack('V')
-    else
-      config << [0].pack('Q<')
+    config << [0].pack('V')
+
+    # wire in the extension init data
+    (@opts[:ext_init] || '').split(':').each do |cfg|
+      name, value = cfg.split(',')
+      config << extension_init_block(name, value)
     end
 
+    # terminate the ext init config with a final null byte
+    config << "\x00"
+
     # and we're done
     config
   end

data/lib/rex/post/meterpreter/channel.rb

@@ -141,7 +141,9 @@ class Channel
     if (cid and client)
       client.add_channel(self)
     end
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.cid) )
+
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, cid))
   end
 
   def self.finalize(client,cid)
@@ -288,8 +290,11 @@ class Channel
   end
 
   def _close(addends = nil)
-    self.class._close(self.client, self.cid, addends)
-    self.cid = nil
+    unless self.cid.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class._close(self.client, self.cid, addends)
+      self.cid = nil
+    end
   end
   #
   # Enables or disables interactive mode.

data/lib/rex/post/meterpreter/client.rb

@@ -112,6 +112,7 @@ class Client
     self.target_id    = opts[:target_id]
     self.capabilities = opts[:capabilities] || {}
     self.commands     = []
+    self.last_checkin = Time.now
 
     self.conn_id      = opts[:conn_id]
     self.url          = opts[:url]

data/lib/rex/post/meterpreter/client_core.rb

@@ -469,7 +469,7 @@ class ClientCore < Extension
     end
 
     if client.platform =~ /linux/
-      if writable_dir.blank?
+      if writable_dir.to_s.empty?
         writable_dir = tmp_folder
       end
 
@@ -752,7 +752,7 @@ class ClientCore < Extension
   def tmp_folder
     tmp = client.sys.config.getenv('TMPDIR')
 
-    if tmp.blank?
+    if tmp.to_s.empty?
       tmp = '/tmp'
     end
 

data/lib/rex/post/meterpreter/extensions/android/android.rb

@@ -20,6 +20,8 @@ module Android
 class Android < Extension
 
   COLLECT_TYPE_WIFI = 1
+  COLLECT_TYPE_GEO  = 2
+  COLLECT_TYPE_CELL = 3
 
   COLLECT_ACTION_START  = 1
   COLLECT_ACTION_PAUSE  = 2
@@ -28,7 +30,9 @@ class Android < Extension
   COLLECT_ACTION_DUMP   = 5
 
   COLLECT_TYPES = {
-    'wifi' => COLLECT_TYPE_WIFI
+    'wifi' => COLLECT_TYPE_WIFI,
+    'geo'  => COLLECT_TYPE_GEO,
+    'cell' => COLLECT_TYPE_CELL,
   }
 
   COLLECT_ACTIONS = {
@@ -68,6 +72,12 @@ class Android < Extension
     response.get_tlv(TLV_TYPE_SHUTDOWN_OK).value
   end
 
+  def set_audio_mode(n)
+    request = Packet.create_request('set_audio_mode')
+    request.add_tlv(TLV_TYPE_AUDIO_MODE, n)
+    response = client.send_request(request)
+  end
+
   def interval_collect(opts)
     request = Packet.create_request('interval_collect')
     request.add_tlv(TLV_TYPE_COLLECT_ACTION, COLLECT_ACTIONS[opts[:action]])
@@ -107,6 +117,64 @@ class Android < Extension
       records.each do |k, v|
         result[:entries] << v
       end
+
+    when COLLECT_TYPE_GEO
+      result[:headers] = ['Timestamp', 'Latitude', 'Longitude']
+      result[:entries] = []
+      records = {}
+
+      response.each(TLV_TYPE_COLLECT_RESULT_GROUP) do |g|
+        timestamp = g.get_tlv_value(TLV_TYPE_COLLECT_RESULT_TIMESTAMP)
+        timestamp = Time.at(timestamp).to_datetime.strftime('%Y-%m-%d %H:%M:%S')
+
+        g.each(TLV_TYPE_COLLECT_RESULT_GEO) do |w|
+          lat = w.get_tlv_value(TLV_TYPE_GEO_LAT)
+          lng = w.get_tlv_value(TLV_TYPE_GEO_LONG)
+          result[:entries] << [timestamp, lat, lng]
+        end
+      end
+
+    when COLLECT_TYPE_CELL
+      result[:headers] = ['Timestamp', 'Cell Info']
+      result[:entries] = []
+      records = {}
+
+      response.each(TLV_TYPE_COLLECT_RESULT_GROUP) do |g|
+        timestamp = g.get_tlv_value(TLV_TYPE_COLLECT_RESULT_TIMESTAMP)
+        timestamp = Time.at(timestamp).to_datetime.strftime('%Y-%m-%d %H:%M:%S')
+
+        g.each(TLV_TYPE_COLLECT_RESULT_CELL) do |cell|
+
+          cell.each(TLV_TYPE_CELL_ACTIVE_GSM) do |info|
+            cid = info.get_tlv_value(TLV_TYPE_CELL_CID)
+            lac = info.get_tlv_value(TLV_TYPE_CELL_LAC)
+            psc = info.get_tlv_value(TLV_TYPE_CELL_PSC)
+            info = sprintf("cid=%d lac=%d psc=%d", cid, lac, psc)
+            result[:entries] << [timestamp, "GSM: #{info}"]
+          end
+
+          cell.each(TLV_TYPE_CELL_ACTIVE_CDMA) do |info|
+            bid = info.get_tlv_value(TLV_TYPE_CELL_BASE_ID)
+            lat = info.get_tlv_value(TLV_TYPE_CELL_BASE_LAT)
+            lng = info.get_tlv_value(TLV_TYPE_CELL_BASE_LONG)
+            net = info.get_tlv_value(TLV_TYPE_CELL_NET_ID)
+            sys = info.get_tlv_value(TLV_TYPE_CELL_SYSTEM_ID)
+            info = sprintf("base_id=%d lat=%d lng=%d net_id=%d sys_id=%d", bid, lat, lng, net, sys)
+            result[:entries] << [timestamp, "CDMA: #{info}"]
+          end
+
+          cell.each(TLV_TYPE_CELL_NEIGHBOR) do |w|
+            net = w.get_tlv_value(TLV_TYPE_CELL_NET_TYPE)
+            cid = w.get_tlv_value(TLV_TYPE_CELL_CID)
+            lac = w.get_tlv_value(TLV_TYPE_CELL_LAC)
+            psc = w.get_tlv_value(TLV_TYPE_CELL_PSC)
+            sig = w.get_tlv_value(TLV_TYPE_CELL_RSSI) * -1
+            inf = sprintf("network_type=%d cid=%d lac=%d psc=%d rssi=%d", net, cid, lac, psc, sig)
+            result[:entries] << [timestamp, inf]
+          end
+
+        end
+      end
     end
 
     result
@@ -180,6 +248,23 @@ class Android < Extension
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
 
+  def activity_start(uri)
+    request = Packet.create_request('activity_start')
+    request.add_tlv(TLV_TYPE_URI_STRING, uri)
+    response = client.send_request(request)
+    if response.get_tlv(TLV_TYPE_ACTIVITY_START_RESULT).value
+      return nil
+    else
+      return response.get_tlv(TLV_TYPE_ACTIVITY_START_ERROR).value
+    end
+  end
+
+  def set_wallpaper(data)
+    request = Packet.create_request('set_wallpaper')
+    request.add_tlv(TLV_TYPE_WALLPAPER_DATA, data)
+    response = client.send_request(request)
+  end
+
   def send_sms(dest, body, dr)
     request = Packet.create_request('send_sms')
     request.add_tlv(TLV_TYPE_SMS_ADDRESS, dest)

data/lib/rex/post/meterpreter/extensions/android/tlv.rb

@@ -54,6 +54,35 @@ TLV_TYPE_COLLECT_RESULT_WIFI_BSSID   = TLV_TYPE_WLAN_BSSID
 TLV_TYPE_COLLECT_RESULT_WIFI_SSID    = TLV_TYPE_WLAN_SSID
 TLV_TYPE_COLLECT_RESULT_WIFI_LEVEL   = TLV_TYPE_WLAN_LEVEL
 
+
+TLV_TYPE_COLLECT_RESULT_GEO          = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9030)
+
+TLV_TYPE_COLLECT_RESULT_CELL         = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9060)
+
+TLV_TYPE_CELL_ACTIVE_GSM             = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9061)
+TLV_TYPE_CELL_ACTIVE_CDMA            = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9062)
+TLV_TYPE_CELL_NEIGHBOR               = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9063)
+
+TLV_TYPE_CELL_NET_TYPE               = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9065)
+TLV_TYPE_CELL_CID                    = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9066)
+TLV_TYPE_CELL_LAC                    = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9067)
+TLV_TYPE_CELL_PSC                    = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9068)
+TLV_TYPE_CELL_RSSI                   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9069)
+
+
+TLV_TYPE_CELL_BASE_ID                = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9070)
+TLV_TYPE_CELL_BASE_LAT               = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9071)
+TLV_TYPE_CELL_BASE_LONG              = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9072)
+TLV_TYPE_CELL_NET_ID                 = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9073)
+TLV_TYPE_CELL_SYSTEM_ID              = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9074)
+TLV_TYPE_AUDIO_MODE                  = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9075)
+
+TLV_TYPE_URI_STRING                  = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9101)
+TLV_TYPE_ACTIVITY_START_RESULT       = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9102)
+TLV_TYPE_ACTIVITY_START_ERROR        = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9103)
+
+TLV_TYPE_WALLPAPER_DATA              = TLV_META_TYPE_RAW       | (TLV_EXTENSIONS + 9201)
+
 end
 end
 end

data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb

@@ -31,7 +31,7 @@ class Wmi
   def query(query, root = nil)
     request = Packet.create_request('extapi_wmi_query')
 
-    request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.blank?
+    request.add_tlv(TLV_TYPE_EXT_WMI_DOMAIN, root) unless root.to_s.empty?
     request.add_tlv(TLV_TYPE_EXT_WMI_QUERY, query)
 
     response = client.send_request(request)

data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb

@@ -24,73 +24,59 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
   #
   @@server_channels = {}
 
-  class << self
-    include Rex::Post::Meterpreter::InboundPacketHandler
-
-    #
-    # This is the request handler which is registerd to the respective meterpreter instance via
-    # Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
-    # for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
-    # received and store it in the respective tcp server channels list of new pending client channels.
-    # These new tcp client channels are passed off via a call the the tcp server channels accept() method.
-    #
-    def request_handler( client, packet )
-
-      if( packet.method == "tcp_channel_open" )
-
-        cid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
-        pid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
-        localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
-        localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
-        peerhost  = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
-        peerport  = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
-
-        if( cid == nil or pid == nil )
-          return false
-        end
-
-        server_channel = client.find_channel( pid )
-        if( server_channel == nil )
-          return false
-        end
-
-        params = Rex::Socket::Parameters.from_hash(
-          {
-            'Proto'     => 'tcp',
-            'LocalHost' => localhost,
-            'LocalPort' => localport,
-            'PeerHost'  => peerhost,
-            'PeerPort'  => peerport,
-            'Comm'      => server_channel.client
-          }
-        )
-
-        client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
-
-        client_channel.params = params
-
-        if( @@server_channels[server_channel] == nil )
-          @@server_channels[server_channel] = []
-        end
-
-        @@server_channels[server_channel] << client_channel
-
-        return true
-      end
-
-      return false
-    end
+  #
+  # This is the request handler which is registered to the respective meterpreter instance via
+  # Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
+  # for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
+  # received and store it in the respective tcp server channels list of new pending client channels.
+  # These new tcp client channels are passed off via a call the the tcp server channels accept() method.
+  #
+  def self.request_handler(client, packet)
+    return false unless packet.method == "tcp_channel_open"
 
-    def cls
-      return CHANNEL_CLASS_STREAM
-    end
+    cid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
+    pid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
+    localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
+    localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
+    peerhost  = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
+    peerport  = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
+
+    return false if cid.nil? || pid.nil?
+
+    server_channel = client.find_channel(pid)
+
+    return false if server_channel.nil?
 
+    params = Rex::Socket::Parameters.from_hash(
+      {
+        'Proto'     => 'tcp',
+        'LocalHost' => localhost,
+        'LocalPort' => localport,
+        'PeerHost'  => peerhost,
+        'PeerPort'  => peerport,
+        'Comm'      => server_channel.client
+      }
+    )
+
+    client_channel = TcpClientChannel.new(client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS)
+
+    client_channel.params = params
+
+    @@server_channels[server_channel] ||= ::Queue.new
+    @@server_channels[server_channel].enq(client_channel)
+
+    true
+  end
+
+  def self.cls
+    CHANNEL_CLASS_STREAM
   end
 
   #
   # Open a new tcp server channel on the remote end.
   #
-  def TcpServerChannel.open(client, params)
+  # @return [Channel]
+  def self.open(client, params)
     c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
       [
         {
@@ -112,7 +98,7 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
   def initialize(client, cid, type, flags)
     super(client, cid, type, flags)
     # add this instance to the class variables dictionary of tcp server channels
-    @@server_channels[self] = []
+    @@server_channels[self] ||= ::Queue.new
   end
 
   #
@@ -120,46 +106,46 @@ class TcpServerChannel < Rex::Post::Meterpreter::Channel
   # and returns nil if no new client connection is available.
   #
   def accept_nonblock
-    result = nil
-    if( @@server_channels[self].length > 0 )
-      channel = @@server_channels[self].shift
-      result = channel.lsock
-    end
-    return result
+    _accept(true)
   end
 
   #
   # Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
   # if no timeout is specified.
   #
-  def accept( opts={} )
-    timeout = opts['Timeout'] || -1
-    if( timeout == -1 )
-      result = _accept
-    else
-      begin
-        ::Timeout.timeout( timeout ) {
-          result = _accept
-        }
-      rescue Timeout::Error
-        result = nil
-      end
+  def accept(opts = {})
+    timeout = opts['Timeout']
+    if (timeout.nil? || timeout <= 0)
+      timeout = 0
     end
-    return result
+
+    result = nil
+    begin
+      ::Timeout.timeout(timeout) {
+        result = _accept
+      }
+    rescue Timeout::Error
+    end
+
+    result
   end
 
 protected
 
-  def _accept
-    while( true )
-      if( @@server_channels[self].empty? )
-        Rex::ThreadSafe.sleep( 0.2 )
-        next
-      end
-      result = accept_nonblock
-      break if result != nil
+  def _accept(nonblock = false)
+    result = nil
+
+    channel = @@server_channels[self].deq(nonblock)
+
+    if channel
+      result = channel.lsock
     end
-    return result
+
+    if result != nil && !result.kind_of?(Rex::Socket::Tcp)
+      result.extend(Rex::Socket::Tcp)
+    end
+
+    result
   end
 
 end