RubyGems - rex - Versions diffs - 2.0.9 → 2.0.10 - Mend

rex 2.0.9 → 2.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml +4 -4
data/lib/rex/exploitation/cmdstager/bourne.rb +14 -8
data/lib/rex/exploitation/cmdstager/echo.rb +3 -3
data/lib/rex/exploitation/js/memory.rb +1 -1
data/lib/rex/java/serialization/model/contents.rb +1 -1
data/lib/rex/mime/message.rb +1 -1
data/lib/rex/parser/acunetix_nokogiri.rb +2 -0
data/lib/rex/parser/appscan_nokogiri.rb +1 -1
data/lib/rex/parser/burp_issue_nokogiri.rb +139 -0
data/lib/rex/parser/burp_session_nokogiri.rb +1 -1
data/lib/rex/parser/fs/bitlocker.rb +233 -0
data/lib/rex/parser/fusionvm_nokogiri.rb +2 -2
data/lib/rex/parser/ini.rb +1 -8
data/lib/rex/parser/nokogiri_doc_mixin.rb +5 -0
data/lib/rex/payloads/meterpreter/config.rb +23 -4
data/lib/rex/post/meterpreter/channel.rb +8 -3
data/lib/rex/post/meterpreter/client.rb +1 -0
data/lib/rex/post/meterpreter/client_core.rb +2 -2
data/lib/rex/post/meterpreter/extensions/android/android.rb +86 -1
data/lib/rex/post/meterpreter/extensions/android/tlv.rb +29 -0
data/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb +1 -1
data/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb +75 -89
data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb +8 -2
data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb +10 -5
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb +7 -2
data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb +10 -5
data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb +8 -2
data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +1 -1
data/lib/rex/post/meterpreter/packet.rb +38 -0
data/lib/rex/post/meterpreter/packet_dispatcher.rb +101 -108
data/lib/rex/post/meterpreter/packet_parser.rb +14 -6
data/lib/rex/post/meterpreter/packet_response_waiter.rb +42 -21
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +54 -4
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +39 -13
data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb +8 -0
data/lib/rex/proto/adb.rb +7 -0
data/lib/rex/proto/adb/client.rb +39 -0
data/lib/rex/proto/adb/message.rb +164 -0
data/lib/rex/proto/dcerpc/svcctl/packet.rb +9 -9
data/lib/rex/proto/http/client_request.rb +2 -1
data/lib/rex/proto/http/response.rb +1 -1
data/lib/rex/proto/kademlia/bootstrap_response.rb +2 -2
data/lib/rex/proto/ntp/modes.rb +17 -0
data/lib/rex/text.rb +12 -0
data/lib/rex/zip/blocks.rb +1 -1
data/lib/rex/zip/entry.rb +1 -1
data/rex.gemspec +28 -1
metadata +106 -3

data/lib/rex/post/meterpreter/extensions/stdapi/sys/event_log.rb CHANGED

@@ -60,7 +60,9 @@ class EventLog
   def initialize(hand)
     self.client = self.class.client
     self.handle = hand
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hand))
   end
   def self.finalize(client,handle)
@@ -185,7 +187,11 @@ class EventLog
   # Instance method
   def close
-    self.class.close(self.client, self.handle)
+    unless self.handle.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.handle)
+      self.handle = nil
+    end
   end
 end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb CHANGED

@@ -285,11 +285,12 @@ class Process < Rex::Post::Process
         'thread' => Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread.new(self),
       })
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, handle))
   end
-  def self.finalize(client,handle)
-    proc { self.close(client,handle) }
+  def self.finalize(client, handle)
+    proc { self.close(client, handle) }
   end
   #
@@ -320,8 +321,12 @@ class Process < Rex::Post::Process
   #
   # Instance method
   #
-  def close(handle=self.handle)
-    self.class.close(self.client, handle)
+  def close(handle = self.handle)
+    unless self.pid.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, handle)
+      self.pid = nil
+    end
   end
   #

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/registry_key.rb CHANGED

@@ -30,7 +30,8 @@ class RegistryKey
     self.perm     = perm
     self.hkey     = hkey
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.hkey) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hkey))
   end
   def self.finalize(client,hkey)
@@ -115,7 +116,11 @@ class RegistryKey
   # Instance method for the same
   def close()
-    self.class.close(self.client, self.hkey)
+    unless self.hkey.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.hkey)
+      self.hkey = nil
+    end
   end
   ##

data/lib/rex/post/meterpreter/extensions/stdapi/sys/registry_subsystem/remote_registry_key.rb CHANGED

@@ -29,11 +29,12 @@ class RemoteRegistryKey
     self.target_host = target_host
     self.hkey     = hkey
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.client, self.hkey) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(client, hkey))
   end
-  def self.finalize(client,hkey)
-    proc { self.close(client,hkey) }
+  def self.finalize(client, hkey)
+    proc { self.close(client, hkey) }
   end
   ##
@@ -113,8 +114,12 @@ class RemoteRegistryKey
   end
   # Instance method for the same
-  def close()
-    self.class.close(self.client, self.hkey)
+  def close
+    unless self.hkey.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.client, self.hkey)
+      self.hkey = nil
+    end
   end
   ##

data/lib/rex/post/meterpreter/extensions/stdapi/sys/thread.rb CHANGED

@@ -34,7 +34,9 @@ class Thread < Rex::Post::Thread
     self.process = process
     self.handle  = handle
     self.tid     = tid
-    ObjectSpace.define_finalizer( self, self.class.finalize(self.process.client, self.handle) )
+    # Ensure the remote object is closed when all references are removed
+    ObjectSpace.define_finalizer(self, self.class.finalize(process.client, handle))
   end
   def self.finalize(client,handle)
@@ -168,7 +170,11 @@ class Thread < Rex::Post::Thread
   # Instance method
   def close
-    self.class.close(self.process.client, self.handle)
+    unless self.handle.nil?
+      ObjectSpace.undefine_finalizer(self)
+      self.class.close(self.process.client, self.handle)
+      self.handle = nil
+    end
   end
   attr_reader :process, :handle, :tid # :nodoc:

data/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb CHANGED

@@ -66,7 +66,7 @@ class Webcam
     remote_browser_path = webrtc_browser_path
-    if remote_browser_path.blank?
+    if remote_browser_path.to_s.empty?
       fail "Unable to find a suitable browser on the target machine"
     end

data/lib/rex/post/meterpreter/packet.rb CHANGED

@@ -665,6 +665,44 @@ class Packet < GroupTlv
     end
   end
+  #
+  # Override the function that creates the raw byte stream for
+  # sending so that it generates an XOR key, uses it to scramble
+  # the serialized TLV content, and then returns the key plus the
+  # scrambled data as the payload.
+  #
+  def to_r
+    raw = super
+    xor_key = rand(254) + 1
+    xor_key |= (rand(254) + 1) << 8
+    xor_key |= (rand(254) + 1) << 16
+    xor_key |= (rand(254) + 1) << 24
+    result = [xor_key].pack('N') + xor_bytes(xor_key, raw)
+    result
+  end
+  #
+  # Override the function that reads from a raw byte stream so
+  # that the XORing of data is included in the process prior to
+  # passing it on to the default functionality that can parse
+  # the TLV values.
+  #
+  def from_r(bytes)
+    xor_key = bytes[0,4].unpack('N')[0]
+    super(xor_bytes(xor_key, bytes[4, bytes.length]))
+  end
+  #
+  # Xor a set of bytes with a given DWORD xor key.
+  #
+  def xor_bytes(xor_key, bytes)
+    result = ''
+    bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b|
+      result << (b[0].ord ^ b[1].ord).chr
+    end
+    result
+  end
   ##
   #
   # Conditionals

data/lib/rex/post/meterpreter/packet_dispatcher.rb CHANGED

@@ -42,23 +42,32 @@ end
 ###
 module PacketDispatcher
-  PacketTimeout = 600
+  # Defualt time, in seconds, to wait for a response after sending a packet
+  PACKET_TIMEOUT = 600
-  ##
-  #
-  # Synchronization
+  # Number of seconds to wait without getting any packets before we try to
+  # send a liveness check. A minute should be generous even on the highest
+  # latency networks
   #
-  ##
+  # @see #keepalive
+  PING_TIME = 60
+  # This mutex is used to lock out new commands during an
+  # active migration. Unused if this is a passive dispatcher
   attr_accessor :comm_mutex
-  ##
-  #
-  #
   # Passive Dispatching
   #
-  ##
-  attr_accessor :passive_service, :send_queue, :recv_queue
+  # @return [Rex::ServiceManager]
+  # @return [nil] if this is not a passive dispatcher
+  attr_accessor :passive_service
+  # @return [Array]
+  attr_accessor :send_queue
+  # @return [Array]
+  attr_accessor :recv_queue
   def initialize_passive_dispatcher
     self.send_queue = []
@@ -108,8 +117,7 @@ module PacketDispatcher
     self.last_checkin = Time.now
-    # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
-    if req.body[0,4] == "RECV"
+    if req.method == 'GET'
       rpkt = send_queue.shift
       resp.body = rpkt || ''
       begin
@@ -159,9 +167,6 @@ module PacketDispatcher
     if (raw)
-      # This mutex is used to lock out new commands during an
-      # active migration.
       self.comm_mutex.synchronize do
         begin
           bytes = self.sock.write(raw)
@@ -170,13 +175,11 @@ module PacketDispatcher
         end
       end
       if bytes.to_i == 0
         # Mark the session itself as dead
         self.alive = false
-        # Indicate that the dispatcher should shut down too
-        @finish = true
         # Reraise the error to the top-level caller
         raise err if err
       end
@@ -188,15 +191,16 @@ module PacketDispatcher
   #
   # Sends a packet and waits for a timeout for the given time interval.
   #
-  def send_request(packet, t = self.response_timeout)
-    if not t
-      send_packet(packet)
-      return nil
-    end
-    response = send_packet_wait_response(packet, t)
+  # @param packet [Packet] request to send
+  # @param timeout [Fixnum,nil] seconds to wait for response, or nil to ignore the
+  #   response and return immediately
+  # @return (see #send_packet_wait_response)
+  def send_request(packet, timeout = self.response_timeout)
+    response = send_packet_wait_response(packet, timeout)
-    if (response == nil)
+    if timeout.nil?
+      return nil
+    elsif response.nil?
       raise TimeoutError.new("Send timed out")
     elsif (response.result != 0)
       einfo = lookup_error(response.result)
@@ -213,26 +217,58 @@ module PacketDispatcher
   #
   # Transmits a packet and waits for a response.
   #
-  def send_packet_wait_response(packet, t)
+  # @param packet [Packet] the request packet to send
+  # @param timeout [Fixnum,nil] number of seconds to wait, or nil to wait
+  #   forever
+  def send_packet_wait_response(packet, timeout)
     # First, add the waiter association for the supplied packet
     waiter = add_response_waiter(packet)
+    bytes_written = send_packet(packet)
     # Transmit the packet
-    if (send_packet(packet).to_i <= 0)
+    if (bytes_written.to_i <= 0)
       # Remove the waiter if we failed to send the packet.
       remove_response_waiter(waiter)
       return nil
     end
+    if not timeout
+      return nil
+    end
     # Wait for the supplied time interval
-    waiter.wait(t)
+    response = waiter.wait(timeout)
     # Remove the waiter from the list of waiters in case it wasn't
-    # removed
+    # removed. This happens if the waiter timed out above.
     remove_response_waiter(waiter)
     # Return the response packet, if any
-    return waiter.response
+    return response
+  end
+  # Send a ping to the server.
+  #
+  # Our 'ping' is a check for eof on channel id 0. This method has no side
+  # effects and always returns an answer (regardless of the existence of chan
+  # 0), which is all that's needed for a liveness check. The answer itself is
+  # unimportant and is ignored.
+  #
+  # @return [void]
+  def keepalive
+    if @ping_sent
+      if Time.now.to_i - last_checkin.to_i > PING_TIME*2
+        dlog("No response to ping, session #{self.sid} is dead", LEV_3)
+        self.alive = false
+      end
+    else
+      pkt = Packet.create_request('core_channel_eof')
+      pkt.add_tlv(TLV_TYPE_CHANNEL_ID, 0)
+      add_response_waiter(pkt, Proc.new { @ping_sent = false })
+      send_packet(pkt)
+      @ping_sent = true
+    end
   end
   ##
@@ -253,59 +289,23 @@ module PacketDispatcher
     self.waiters = []
-    @pqueue = []
-    @finish = false
-    @last_recvd = Time.now
+    @pqueue = ::Queue.new
     @ping_sent = false
-    self.alive = true
     # Spawn a thread for receiving packets
     self.receiver_thread = Rex::ThreadFactory.spawn("MeterpreterReceiver", false) do
       while (self.alive)
         begin
-          rv = Rex::ThreadSafe.select([ self.sock.fd ], nil, nil, 0.25)
-          ping_time = 60
-          # If there's nothing to read, and it's been awhile since we
-          # saw a packet, we need to send a ping.  We wait
-          # ping_time*2 seconds before deciding a session is dead.
-          if (not rv and self.send_keepalives and Time.now - @last_recvd > ping_time)
-            # If the queue is empty and we've already sent a
-            # keepalive without getting a reply, then this
-            # session is hosed, and we should give up on it.
-            if @ping_sent and @pqueue.empty? and (Time.now - @last_recvd > ping_time * 2)
-              dlog("No response to ping, session #{self.sid} is dead", LEV_3)
-              self.alive = false
-              @finish = true
-              break
-            end
-            # Let the packet queue processor finish up before
-            # we send a ping.
-            if not @ping_sent and @pqueue.empty?
-              # Our 'ping' is actually just a check for eof on
-              # channel id 0.  This method has no side effects
-              # and always returns an answer (regardless of the
-              # existence of chan 0), which is all that's
-              # needed for a liveness check.  The answer itself
-              # is unimportant and is ignored.
-              pkt = Packet.create_request('core_channel_eof')
-              pkt.add_tlv(TLV_TYPE_CHANNEL_ID, 0)
-              waiter = Proc.new { |response, param|
-                  @ping_sent = false
-                  @last_recvd = Time.now
-                }
-              send_packet(pkt, waiter)
-              @ping_sent = true
-            end
-            next
+          rv = Rex::ThreadSafe.select([ self.sock.fd ], nil, nil, PING_TIME)
+          if rv
+            packet = receive_packet
+            @pqueue << packet if packet
+          elsif self.send_keepalives && @pqueue.empty?
+            keepalive
           end
-          next if not rv
-          packet = receive_packet
-          @pqueue << packet if packet
-          @last_recvd = Time.now
-        rescue ::Exception
-          dlog("Exception caught in monitor_socket: #{$!}", 'meterpreter', LEV_1)
-          @finish = true
+        rescue ::Exception => e
+          dlog("Exception caught in monitor_socket: #{e.class}: #{e}", 'meterpreter', LEV_1)
+          dlog("Call stack: #{e.backtrace.join("\n")}", 'meterpreter', LEV_2)
           self.alive = false
           break
         end
@@ -315,19 +315,13 @@ module PacketDispatcher
     # Spawn a new thread that monitors the socket
     self.dispatcher_thread = Rex::ThreadFactory.spawn("MeterpreterDispatcher", false) do
       begin
-      # Whether we're finished or not is determined by the receiver
-      # thread above.
-      while(not @finish)
-        if(@pqueue.empty?)
-          ::IO.select(nil, nil, nil, 0.10)
-          next
-        end
+      while (self.alive)
         incomplete = []
         backlog    = []
+        backlog << @pqueue.pop
         while(@pqueue.length > 0)
-          backlog << @pqueue.shift
+          backlog << @pqueue.pop
         end
         #
@@ -356,7 +350,6 @@ module PacketDispatcher
         backlog.push(*tmp_channel)
         backlog.push(*tmp_close)
         #
         # Process the message queue
         #
@@ -367,12 +360,12 @@ module PacketDispatcher
           if ! dispatch_inbound_packet(pkt)
             # Keep Packets in the receive queue until a handler is registered
             # for them. Packets will live in the receive queue for up to
-            # PacketTimeout, after which they will be dropped.
+            # PACKET_TIMEOUT seconds, after which they will be dropped.
             #
             # A common reason why there would not immediately be a handler for
             # a received Packet is in channels, where a connection may
             # open and receive data before anything has asked to read.
-            if (::Time.now.to_i - pkt.created_at.to_i < PacketTimeout)
+            if (::Time.now.to_i - pkt.created_at.to_i < PACKET_TIMEOUT)
               incomplete << pkt
             end
           end
@@ -393,11 +386,16 @@ module PacketDispatcher
           ::IO.select(nil, nil, nil, 0.10)
         end
-        @pqueue.unshift(*incomplete)
+        while incomplete.length > 0
+          @pqueue << incomplete.shift
+        end
         if(@pqueue.length > 100)
-          dlog("Backlog has grown to over 100 in monitor_socket, dropping older packets: #{@pqueue[0 .. 25].map{|x| x.inspect}.join(" - ")}", 'meterpreter', LEV_1)
-          @pqueue = @pqueue[25 .. 100]
+          removed = []
+          (1..25).each {
+            removed << @pqueue.pop
+          }
+          dlog("Backlog has grown to over 100 in monitor_socket, dropping older packets: #{removed.map{|x| x.inspect}.join(" - ")}", 'meterpreter', LEV_1)
         end
       end
       rescue ::Exception => e
@@ -454,15 +452,16 @@ module PacketDispatcher
   # if anyone.
   #
   def notify_response_waiter(response)
+    handled = false
     self.waiters.each() { |waiter|
       if (waiter.waiting_for?(response))
         waiter.notify(response)
         remove_response_waiter(waiter)
+        handled = true
         break
       end
     }
+    return handled
   end
   #
@@ -491,21 +490,15 @@ module PacketDispatcher
   # Otherwise, the packet is passed onto any registered dispatch
   # handlers until one returns success.
   #
-  def dispatch_inbound_packet(packet, client = nil)
+  def dispatch_inbound_packet(packet)
     handled = false
-    # If no client context was provided, return self as PacketDispatcher
-    # is a mixin for the Client instance
-    if (client == nil)
-      client = self
-    end
     # Update our last reply time
-    client.last_checkin = Time.now
+    self.last_checkin = Time.now
     # If the packet is a response, try to notify any potential
     # waiters
-    if ((resp = packet.response?))
+    if packet.response?
       if (notify_response_waiter(packet))
         return true
       end
@@ -518,11 +511,11 @@ module PacketDispatcher
       handled = nil
       begin
-      if ! resp
-        handled = handler.request_handler(client, packet)
-      else
-        handled = handler.response_handler(client, packet)
-      end
+        if packet.response?
+          handled = handler.response_handler(self, packet)
+        else
+          handled = handler.request_handler(self, packet)
+        end
       rescue ::Exception => e
         dlog("Exception caught in dispatch_inbound_packet: handler=#{handler} #{e.class} #{e} #{e.backtrace}", 'meterpreter', LEV_1)