RubyGems - rex - Versions diffs - 2.0.9 → 2.0.10 - Mend

rex 2.0.9 → 2.0.10

Files changed (48) hide show

checksums.yaml +4 -4
data/lib/rex/exploitation/cmdstager/bourne.rb +14 -8
data/lib/rex/exploitation/cmdstager/echo.rb +3 -3
data/lib/rex/exploitation/js/memory.rb +1 -1
data/lib/rex/java/serialization/model/contents.rb +1 -1
data/lib/rex/mime/message.rb +1 -1
data/lib/rex/parser/acunetix_nokogiri.rb +2 -0
data/lib/rex/parser/appscan_nokogiri.rb +1 -1
data/lib/rex/parser/burp_issue_nokogiri.rb +139 -0
data/lib/rex/parser/burp_session_nokogiri.rb +1 -1
data/lib/rex/parser/fs/bitlocker.rb +233 -0
data/lib/rex/parser/fusionvm_nokogiri.rb +2 -2
data/lib/rex/parser/ini.rb +1 -8
data/lib/rex/parser/nokogiri_doc_mixin.rb +5 -0
data/lib/rex/payloads/meterpreter/config.rb +23 -4
data/lib/rex/post/meterpreter/channel.rb +8 -3
data/lib/rex/post/meterpreter/client.rb +1 -0
data/lib/rex/post/meterpreter/client_core.rb +2 -2
data/lib/rex/post/meterpreter/extensions/android/android.rb +86 -1
data/lib/rex/post/meterpreter/extensions/android/tlv.rb +29 -0
data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +1 -1
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +75 -89
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +8 -2
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +10 -5
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +7 -2
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +10 -5
data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +8 -2
data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +1 -1
data/lib/rex/post/meterpreter/packet.rb +38 -0
data/lib/rex/post/meterpreter/packet_dispatcher.rb +101 -108
data/lib/rex/post/meterpreter/packet_parser.rb +14 -6
data/lib/rex/post/meterpreter/packet_response_waiter.rb +42 -21
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +54 -4
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +39 -13
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +8 -0
data/lib/rex/proto/adb.rb +7 -0
data/lib/rex/proto/adb/client.rb +39 -0
data/lib/rex/proto/adb/message.rb +164 -0
data/lib/rex/proto/dcerpc/svcctl/packet.rb +9 -9
data/lib/rex/proto/http/client_request.rb +2 -1
data/lib/rex/proto/http/response.rb +1 -1
data/lib/rex/proto/kademlia/bootstrap_response.rb +2 -2
data/lib/rex/proto/ntp/modes.rb +17 -0
data/lib/rex/text.rb +12 -0
data/lib/rex/zip/blocks.rb +1 -1
data/lib/rex/zip/entry.rb +1 -1
data/rex.gemspec +28 -1
metadata +106 -3

data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb CHANGED

@@ -60,7 +60,9 @@ class EventLog
   def initialize(hand)
     self.client = self.class.client
     self.handle = hand
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hand))
   end
   def self.finalize(client,handle)
@@ -185,7 +187,11 @@ class EventLog
   # Instance method
   def close
-    self.class.close(self.client, self.handle)
+    unless self.handle.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.handle)
+      self.handle = nil
+    end
   end
 end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb CHANGED

@@ -285,11 +285,12 @@ class Process < Rex::Post::Process
         'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
       })
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
   end
-  def self.finalize(client,handle)
-    proc { self.close(client,handle) }
+  def self.finalize(client, handle)
+    proc { self.close(client, handle) }
   end
   #
@@ -320,8 +321,12 @@ class Process < Rex::Post::Process
   #
   # Instance method
   #
-  def close(handle=self.handle)
-    self.class.close(self.client, handle)
+  def close(handle = self.handle)
+    unless self.pid.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, handle)
+      self.pid = nil
+    end
   end
   #

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb CHANGED

@@ -30,7 +30,8 @@ class RegistryKey
     self.perm     = perm
     self.hkey     = hkey
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.hkey) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hkey))
   end
   def self.finalize(client,hkey)
@@ -115,7 +116,11 @@ class RegistryKey
   # Instance method for the same
   def close()
-    self.class.close(self.client, self.hkey)
+    unless self.hkey.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.hkey)
+      self.hkey = nil
+    end
   end
   ##

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb CHANGED

@@ -29,11 +29,12 @@ class RemoteRegistryKey
     self.target_host = target_host
     self.hkey     = hkey
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.hkey) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hkey))
   end
-  def self.finalize(client,hkey)
-    proc { self.close(client,hkey) }
+  def self.finalize(client, hkey)
+    proc { self.close(client, hkey) }
   end
   ##
@@ -113,8 +114,12 @@ class RemoteRegistryKey
   end
   # Instance method for the same
-  def close()
-    self.class.close(self.client, self.hkey)
+  def close
+    unless self.hkey.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.hkey)
+      self.hkey = nil
+    end
   end
   ##

data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb CHANGED

@@ -34,7 +34,9 @@ class Thread < Rex::Post::Thread
     self.process = process
     self.handle  = handle
     self.tid     = tid
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.process.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(process.client, handle))
   end
   def self.finalize(client,handle)
@@ -168,7 +170,11 @@ class Thread < Rex::Post::Thread
   # Instance method
   def close
-    self.class.close(self.process.client, self.handle)
+    unless self.handle.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.process.client, self.handle)
+      self.handle = nil
+    end
   end
   attr_reader :process, :handle, :tid # :nodoc:

data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb CHANGED

@@ -66,7 +66,7 @@ class Webcam
     remote_browser_path = webrtc_browser_path
-    if remote_browser_path.blank?
+    if remote_browser_path.to_s.empty?
       fail "Unable to find a suitable browser on the target machine"
     end

data/lib/rex/post/meterpreter/packet.rb CHANGED

@@ -665,6 +665,44 @@ class Packet < GroupTlv
     end
   end
+  #
+  # Override the function that creates the raw byte stream for
+  # sending so that it generates an XOR key, uses it to scramble
+  # the serialized TLV content, and then returns the key plus the
+  # scrambled data as the payload.
+  #
+  def to_r
+    raw = super
+    xor_key = rand(254) + 1
+    xor_key |= (rand(254) + 1) << 8
+    xor_key |= (rand(254) + 1) << 16
+    xor_key |= (rand(254) + 1) << 24
+    result = [xor_key].pack('N') + xor_bytes(xor_key, raw)
+    result
+  end
+  #
+  # Override the function that reads from a raw byte stream so
+  # that the XORing of data is included in the process prior to
+  # passing it on to the default functionality that can parse
+  # the TLV values.
+  #
+  def from_r(bytes)
+    xor_key = bytes[0,4].unpack('N')[0]
+    super(xor_bytes(xor_key, bytes[4, bytes.length]))
+  end
+  #
+  # Xor a set of bytes with a given DWORD xor key.
+  #
+  def xor_bytes(xor_key, bytes)
+    result = ''
+    bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b|
+      result << (b[0].ord ^ b[1].ord).chr
+    end
+    result
+  end
   ##
   #
   # Conditionals

data/lib/rex/post/meterpreter/packet_dispatcher.rb CHANGED

@@ -42,23 +42,32 @@ end
 ###
 module PacketDispatcher
-  PacketTimeout = 600
+  # Defualt time, in seconds, to wait for a response after sending a packet
+  PACKET_TIMEOUT = 600
-  ##
-  #
-  # Synchronization
+  # Number of seconds to wait without getting any packets before we try to
+  # send a liveness check. A minute should be generous even on the highest
+  # latency networks
   #
-  ##
+  # @see #keepalive
+  PING_TIME = 60
+  # This mutex is used to lock out new commands during an
+  # active migration. Unused if this is a passive dispatcher
   attr_accessor :comm_mutex
-  ##
-  #
-  #
   # Passive Dispatching
   #
-  ##
-  attr_accessor :passive_service, :send_queue, :recv_queue
+  # @return [Rex::ServiceManager]
+  # @return [nil] if this is not a passive dispatcher
+  attr_accessor :passive_service
+  # @return [Array]
+  attr_accessor :send_queue
+  # @return [Array]
+  attr_accessor :recv_queue
   def initialize_passive_dispatcher
     self.send_queue = []
@@ -108,8 +117,7 @@ module PacketDispatcher
     self.last_checkin = Time.now
-    # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
-    if req.body[0,4] == "RECV"
+    if req.method == 'GET'
       rpkt = send_queue.shift
       resp.body = rpkt || ''
       begin
@@ -159,9 +167,6 @@ module PacketDispatcher
     if (raw)
-      # This mutex is used to lock out new commands during an
-      # active migration.
       self.comm_mutex.synchronize do
         begin
           bytes = self.sock.write(raw)
@@ -170,13 +175,11 @@ module PacketDispatcher
         end
       end
       if bytes.to_i == 0
         # Mark the session itself as dead
         self.alive = false
-        # Indicate that the dispatcher should shut down too
-        @finish = true
         # Reraise the error to the top-level caller
         raise err if err
       end
@@ -188,15 +191,16 @@ module PacketDispatcher
   #
   # Sends a packet and waits for a timeout for the given time interval.
   #
-  def send_request(packet, t = self.response_timeout)
-    if not t
-      send_packet(packet)
-      return nil
-    end
-    response = send_packet_wait_response(packet, t)
+  # @param packet [Packet] request to send
+  # @param timeout [Fixnum,nil] seconds to wait for response, or nil to ignore the
+  #   response and return immediately
+  # @return (see #send_packet_wait_response)
+  def send_request(packet, timeout = self.response_timeout)
+    response = send_packet_wait_response(packet, timeout)
-    if (response == nil)
+    if timeout.nil?
+      return nil
+    elsif response.nil?
       raise TimeoutError.new("Send timed out")
     elsif (response.result != 0)
       einfo = lookup_error(response.result)
@@ -213,26 +217,58 @@ module PacketDispatcher
   #
   # Transmits a packet and waits for a response.
   #
-  def send_packet_wait_response(packet, t)
+  # @param packet [Packet] the request packet to send
+  # @param timeout [Fixnum,nil] number of seconds to wait, or nil to wait
+  #   forever
+  def send_packet_wait_response(packet, timeout)
     # First, add the waiter association for the supplied packet
     waiter = add_response_waiter(packet)
+    bytes_written = send_packet(packet)
     # Transmit the packet
-    if (send_packet(packet).to_i <= 0)
+    if (bytes_written.to_i <= 0)
       # Remove the waiter if we failed to send the packet.
       remove_response_waiter(waiter)
       return nil
     end
+    if not timeout
+      return nil
+    end
     # Wait for the supplied time interval
-    waiter.wait(t)
+    response = waiter.wait(timeout)
     # Remove the waiter from the list of waiters in case it wasn't
-    # removed
+    # removed. This happens if the waiter timed out above.
     remove_response_waiter(waiter)
     # Return the response packet, if any
-    return waiter.response
+    return response
+  end
+  # Send a ping to the server.
+  #
+  # Our 'ping' is a check for eof on channel id 0. This method has no side
+  # effects and always returns an answer (regardless of the existence of chan
+  # 0), which is all that's needed for a liveness check. The answer itself is
+  # unimportant and is ignored.
+  #
+  # @return [void]
+  def keepalive
+    if @ping_sent
+      if Time.now.to_i - last_checkin.to_i > PING_TIME*2
+        dlog("No response to ping, session #{self.sid} is dead", LEV_3)
+        self.alive = false
+      end
+    else
+      pkt = Packet.create_request('core_channel_eof')
+      pkt.add_tlv(TLV_TYPE_CHANNEL_ID, 0)
+      add_response_waiter(pkt, Proc.new { @ping_sent = false })
+      send_packet(pkt)
+      @ping_sent = true
+    end
   end
   ##
@@ -253,59 +289,23 @@ module PacketDispatcher
     self.waiters = []
-    @pqueue = []
-    @finish = false
-    @last_recvd = Time.now
+    @pqueue = ::Queue.new
     @ping_sent = false
-    self.alive = true
     # Spawn a thread for receiving packets
     self.receiver_thread = Rex::ThreadFactory.spawn("MeterpreterReceiver", false) do
       while (self.alive)
         begin
-          rv = Rex::ThreadSafe.select([ self.sock.fd ], nil, nil, 0.25)
-          ping_time = 60
-          # If there's nothing to read, and it's been awhile since we
-          # saw a packet, we need to send a ping.  We wait
-          # ping_time*2 seconds before deciding a session is dead.
-          if (not rv and self.send_keepalives and Time.now - @last_recvd > ping_time)
-            # If the queue is empty and we've already sent a
-            # keepalive without getting a reply, then this
-            # session is hosed, and we should give up on it.
-            if @ping_sent and @pqueue.empty? and (Time.now - @last_recvd > ping_time * 2)
-              dlog("No response to ping, session #{self.sid} is dead", LEV_3)
-              self.alive = false
-              @finish = true
-              break
-            end
-            # Let the packet queue processor finish up before
-            # we send a ping.
-            if not @ping_sent and @pqueue.empty?
-              # Our 'ping' is actually just a check for eof on
-              # channel id 0.  This method has no side effects
-              # and always returns an answer (regardless of the
-              # existence of chan 0), which is all that's
-              # needed for a liveness check.  The answer itself
-              # is unimportant and is ignored.
-              pkt = Packet.create_request('core_channel_eof')
-              pkt.add_tlv(TLV_TYPE_CHANNEL_ID, 0)
-              waiter = Proc.new { |response, param|
-                  @ping_sent = false
-                  @last_recvd = Time.now
-                }
-              send_packet(pkt, waiter)
-              @ping_sent = true
-            end
-            next
+          rv = Rex::ThreadSafe.select([ self.sock.fd ], nil, nil, PING_TIME)
+          if rv
+            packet = receive_packet
+            @pqueue << packet if packet
+          elsif self.send_keepalives && @pqueue.empty?
+            keepalive
           end
-          next if not rv
-          packet = receive_packet
-          @pqueue << packet if packet
-          @last_recvd = Time.now
-        rescue ::Exception
-          dlog("Exception caught in monitor_socket: #{$!}", 'meterpreter', LEV_1)
-          @finish = true
+        rescue ::Exception => e
+          dlog("Exception caught in monitor_socket: #{e.class}: #{e}", 'meterpreter', LEV_1)
+          dlog("Call stack: #{e.backtrace.join("\n")}", 'meterpreter', LEV_2)
           self.alive = false
           break
         end
@@ -315,19 +315,13 @@ module PacketDispatcher
     # Spawn a new thread that monitors the socket
     self.dispatcher_thread = Rex::ThreadFactory.spawn("MeterpreterDispatcher", false) do
       begin
-      # Whether we're finished or not is determined by the receiver
-      # thread above.
-      while(not @finish)
-        if(@pqueue.empty?)
-          ::IO.select(nil, nil, nil, 0.10)
-          next
-        end
+      while (self.alive)
         incomplete = []
         backlog    = []
+        backlog << @pqueue.pop
         while(@pqueue.length > 0)
-          backlog << @pqueue.shift
+          backlog << @pqueue.pop
         end
         #
@@ -356,7 +350,6 @@ module PacketDispatcher
         backlog.push(*tmp_channel)
         backlog.push(*tmp_close)
         #
         # Process the message queue
         #
@@ -367,12 +360,12 @@ module PacketDispatcher
           if ! dispatch_inbound_packet(pkt)
             # Keep Packets in the receive queue until a handler is registered
             # for them. Packets will live in the receive queue for up to
-            # PacketTimeout, after which they will be dropped.
+            # PACKET_TIMEOUT seconds, after which they will be dropped.
             #
             # A common reason why there would not immediately be a handler for
             # a received Packet is in channels, where a connection may
             # open and receive data before anything has asked to read.
-            if (::Time.now.to_i - pkt.created_at.to_i < PacketTimeout)
+            if (::Time.now.to_i - pkt.created_at.to_i < PACKET_TIMEOUT)
               incomplete << pkt
             end
           end
@@ -393,11 +386,16 @@ module PacketDispatcher
           ::IO.select(nil, nil, nil, 0.10)
         end
-        @pqueue.unshift(*incomplete)
+        while incomplete.length > 0
+          @pqueue << incomplete.shift
+        end
         if(@pqueue.length > 100)
-          dlog("Backlog has grown to over 100 in monitor_socket, dropping older packets: #{@pqueue[0 .. 25].map{|x| x.inspect}.join(" - ")}", 'meterpreter', LEV_1)
-          @pqueue = @pqueue[25 .. 100]
+          removed = []
+          (1..25).each {
+            removed << @pqueue.pop
+          }
+          dlog("Backlog has grown to over 100 in monitor_socket, dropping older packets: #{removed.map{|x| x.inspect}.join(" - ")}", 'meterpreter', LEV_1)
         end
       end
       rescue ::Exception => e
@@ -454,15 +452,16 @@ module PacketDispatcher
   # if anyone.
   #
   def notify_response_waiter(response)
+    handled = false
     self.waiters.each() { |waiter|
       if (waiter.waiting_for?(response))
         waiter.notify(response)
         remove_response_waiter(waiter)
+        handled = true
         break
       end
     }
+    return handled
   end
   #
@@ -491,21 +490,15 @@ module PacketDispatcher
   # Otherwise, the packet is passed onto any registered dispatch
   # handlers until one returns success.
   #
-  def dispatch_inbound_packet(packet, client = nil)
+  def dispatch_inbound_packet(packet)
     handled = false
-    # If no client context was provided, return self as PacketDispatcher
-    # is a mixin for the Client instance
-    if (client == nil)
-      client = self
-    end
     # Update our last reply time
-    client.last_checkin = Time.now
+    self.last_checkin = Time.now
     # If the packet is a response, try to notify any potential
     # waiters
-    if ((resp = packet.response?))
+    if packet.response?
       if (notify_response_waiter(packet))
         return true
       end
@@ -518,11 +511,11 @@ module PacketDispatcher
       handled = nil
       begin
-      if ! resp
-        handled = handler.request_handler(client, packet)
-      else
-        handled = handler.response_handler(client, packet)
-      end
+        if packet.response?
+          handled = handler.response_handler(self, packet)
+        else
+          handled = handler.request_handler(self, packet)
+        end
       rescue ::Exception => e
         dlog("Exception caught in dispatch_inbound_packet: handler=#{handler} #{e.class} #{e} #{e.backtrace}", 'meterpreter', LEV_1)