rex 2.0.9 → 2.0.10

data/lib/rex/post/meterpreter/packet_parser.rb

@@ -12,6 +12,11 @@ module Meterpreter
 ###
 class PacketParser
 
+  # 4 byte xor
+  # 4 byte length
+  # 4 byte type
+  HEADER_SIZE = 12
+
   #
   # Initializes the packet parser context with an optional cipher.
   #
@@ -26,7 +31,7 @@ class PacketParser
   #
   def reset
     self.raw = ''
-    self.hdr_length_left = 8
+    self.hdr_length_left = HEADER_SIZE
     self.payload_length_left = 0
   end
 
@@ -34,6 +39,9 @@ class PacketParser
   # Reads data from the wire and parse as much of the packet as possible.
   #
   def recv(sock)
+    # Create a typeless packet
+    packet = Packet.new(0)
+
     if (self.hdr_length_left > 0)
       buf = sock.read(self.hdr_length_left)
 
@@ -49,7 +57,10 @@ class PacketParser
       # payload length left to the number of bytes
       # specified in the length
       if (self.hdr_length_left == 0)
-        self.payload_length_left = raw.unpack("N")[0] - 8
+        xor_key = raw[0, 4].unpack('N')[0]
+        length_bytes = packet.xor_bytes(xor_key, raw[4, 4])
+        # header size doesn't include the xor key, which is always tacked on the front
+        self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)
       end
     elsif (self.payload_length_left > 0)
       buf = sock.read(self.payload_length_left)
@@ -67,14 +78,11 @@ class PacketParser
     if ((self.hdr_length_left == 0) &&
         (self.payload_length_left == 0))
 
-      # Create a typeless packet
-      packet = Packet.new(0)
-
       # TODO: cipher decryption
       if (cipher)
       end
 
-      # Serialize the packet from the raw buffer
+      # Deserialize the packet from the raw buffer
       packet.from_r(self.raw)
 
       # Reset our state

data/lib/rex/post/meterpreter/packet_response_waiter.rb

@@ -15,6 +15,30 @@ module Meterpreter
 ###
 class PacketResponseWaiter
 
+  # Arbitrary argument to {#completion_routine}
+  #
+  # @return [Object,nil]
+  attr_accessor :completion_param
+
+  # A callback to be called when this waiter is notified of a packet's
+  # arrival. If not nil, this will be called with the response packet as first
+  # parameter and {#completion_param} as the second.
+  #
+  # @return [Proc,nil]
+  attr_accessor :completion_routine
+
+  # @return [ConditionVariable]
+  attr_accessor :cond
+
+  # @return [Mutex]
+  attr_accessor :mutex
+
+  # @return [Packet]
+  attr_accessor :response
+
+  # @return [Fixnum] request ID to wait for
+  attr_accessor :rid
+
   #
   # Initializes a response waiter instance for the supplied request
   # identifier.
@@ -27,7 +51,8 @@ class PacketResponseWaiter
       self.completion_routine = completion_routine
       self.completion_param   = completion_param
     else
-      self.done  = false
+      self.mutex = Mutex.new
+      self.cond  = ConditionVariable.new
     end
   end
 
@@ -42,41 +67,37 @@ class PacketResponseWaiter
   #
   # Notifies the waiter that the supplied response packet has arrived.
   #
+  # @param response [Packet]
+  # @return [void]
   def notify(response)
-    self.response = response
-
     if (self.completion_routine)
+      self.response = response
       self.completion_routine.call(response, self.completion_param)
     else
-      self.done = true
+      self.mutex.synchronize do
+        self.response = response
+        self.cond.signal
+      end
     end
   end
 
   #
-  # Waits for a given time interval for the response packet to arrive.
-  # If the interval is -1 we can wait forever.
+  # Wait for a given time interval for the response packet to arrive.
   #
+  # @param interval [Fixnum,nil] number of seconds to wait, or nil to wait
+  #   forever
+  # @return [Packet,nil] the response, or nil if the interval elapsed before
+  #   receiving one
   def wait(interval)
-    if( interval and interval == -1 )
-      while(not self.done)
-        ::IO.select(nil, nil, nil, 0.1)
-      end
-    else
-      begin
-        Timeout.timeout(interval) {
-          while(not self.done)
-            ::IO.select(nil, nil, nil, 0.1)
-          end
-        }
-      rescue Timeout::Error
-        self.response = nil
+    interval = nil if interval and interval == -1
+    self.mutex.synchronize do
+      if self.response.nil?
+        self.cond.wait(self.mutex, interval)
       end
     end
     return self.response
   end
 
-  attr_accessor :rid, :done, :response # :nodoc:
-  attr_accessor :completion_routine, :completion_param # :nodoc:
 end
 
 end; end; end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb

@@ -29,7 +29,9 @@ class Console::CommandDispatcher::Android
       'device_shutdown'   => 'Shutdown device',
       'send_sms'          => 'Sends SMS from target session',
       'wlan_geolocate'    => 'Get current lat-long using WLAN information',
-      'interval_collect'  => 'Manage interval collection capabilities'
+      'interval_collect'  => 'Manage interval collection capabilities',
+      'activity_start'    => 'Start an Android activity from a Uri string',
+      'set_audio_mode'    => 'Set Ringer Mode'
     }
 
     reqs = {
@@ -41,7 +43,9 @@ class Console::CommandDispatcher::Android
       'device_shutdown'  => ['device_shutdown'],
       'send_sms'         => ['send_sms'],
       'wlan_geolocate'   => ['wlan_geolocate'],
-      'interval_collect' => ['interval_collect']
+      'interval_collect' => ['interval_collect'],
+      'activity_start'   => ['activity_start'],
+      'set_audio_mode'   => ['set_audio_mode']
     }
 
     # Ensure any requirements of the command are met
@@ -151,6 +155,36 @@ class Console::CommandDispatcher::Android
     end
   end
 
+  def cmd_set_audio_mode(*args)
+    help = false
+    mode = 1
+    set_audio_mode_opts = Rex::Parser::Arguments.new(
+      '-h' => [ false, "Help Banner" ],
+      '-m' => [ true, "Set Mode - (0 - Off, 1 - Normal, 2 - Max) (Default: '#{mode}')"]
+    )
+
+    set_audio_mode_opts.parse(args) do |opt, _idx, val|
+      case opt
+      when '-h'
+        help = true
+      when '-m'
+        mode = val.to_i
+      else
+        help = true
+      end
+    end
+
+    if help || mode < 0 || mode > 2
+      print_line('Usage: set_audio_mode [options]')
+      print_line('Set Ringer mode.')
+      print_line(set_audio_mode_opts.usage)
+      return
+    end
+
+    client.android.set_audio_mode(mode)
+    print_status("Ringer mode was changed to #{mode}!")
+  end
+
   def cmd_dump_sms(*args)
     path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_sms_opts = Rex::Parser::Arguments.new(
@@ -457,7 +491,7 @@ class Console::CommandDispatcher::Android
       end
     end
 
-    if dest.blank? || body.blank?
+    if dest.to_s.empty? || body.to_s.empty?
       print_error("You must enter both a destination address -d and the SMS text body -t")
       print_error('e.g. send_sms -d +351961234567 -t "GREETINGS PROFESSOR FALKEN."')
       print_line(send_sms_opts.usage)
@@ -509,7 +543,7 @@ class Console::CommandDispatcher::Android
       wlan_list << [mac, ssid, ss.to_s]
     end
 
-    if wlan_list.blank?
+    if wlan_list.to_s.empty?
       print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
       return
     end
@@ -528,6 +562,22 @@ class Console::CommandDispatcher::Android
     end
   end
 
+  def cmd_activity_start(*args)
+    if (args.length < 1)
+      print_line("Usage: activity_start <uri>\n")
+      print_line("Start an Android activity from a uri")
+      return
+    end
+
+    uri = args[0]
+    result = client.android.activity_start(uri)
+    if result.nil?
+      print_status("Intent started")
+    else
+      print_error("Error: #{result}")
+    end
+  end
+
   #
   # Name for this dispatcher
   #

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -816,16 +816,18 @@ class Console::CommandDispatcher::Core
   end
 
   @@migrate_opts = Rex::Parser::Arguments.new(
-    '-p'  => [true,  'Writable path - Linux only (eg. /tmp).'],
-    '-t'  => [true,  'The number of seconds to wait for migration to finish (default: 60).'],
-    '-h'  => [false, 'Help menu.']
+    '-P' => [true, 'PID to migrate to.'],
+    '-N' => [true, 'Process name to migrate to.'],
+    '-p' => [true,  'Writable path - Linux only (eg. /tmp).'],
+    '-t' => [true,  'The number of seconds to wait for migration to finish (default: 60).'],
+    '-h' => [false, 'Help menu.']
   )
 
   def cmd_migrate_help
     if client.platform =~ /linux/
-      print_line('Usage: migrate <pid> [-p writable_path] [-t timeout]')
+      print_line('Usage: migrate <<pid> | -P <pid> | -N <name>> [-p writable_path] [-t timeout]')
     else
-      print_line('Usage: migrate <pid> [-t timeout]')
+      print_line('Usage: migrate <<pid> | -P <pid> | -N <name>> [-t timeout]')
     end
     print_line
     print_line('Migrates the server instance to another process.')
@@ -840,29 +842,53 @@ class Console::CommandDispatcher::Core
   #   platforms a path for the unix domain socket used for IPC.
   # @return [void]
   def cmd_migrate(*args)
-    if args.length == 0 || args.include?('-h')
+    if args.length == 0 || args.any? { |arg| %w(-h --pid --name).include? arg }
       cmd_migrate_help
       return true
     end
 
-    pid = args[0].to_i
-    if pid == 0
-      print_error('A process ID must be specified, not a process name')
-      return
-    end
-
+    pid = nil
     writable_dir = nil
     opts = {
       timeout: nil
     }
 
-    @@transport_opts.parse(args) do |opt, idx, val|
+    @@migrate_opts.parse(args) do |opt, idx, val|
       case opt
       when '-t'
         opts[:timeout] = val.to_i
       when '-p'
         writable_dir = val
+      when '-P'
+        unless val =~ /^\d+$/
+          print_error("Not a PID: #{val}")
+          return
+        end
+        pid = val.to_i
+      when '-N'
+        if val.to_s.empty?
+          print_error("No process name provided")
+          return
+        end
+        # this will migrate to the first process with a matching name
+        unless (process = client.sys.process.processes.find { |p| p['name'] == val })
+          print_error("Could not find process name #{val}")
+          return
+        end
+        pid = process['pid']
+      end
+    end
+
+    unless pid
+      unless (pid = args.first)
+        print_error('A process ID or name argument must be provided')
+        return
+      end
+      unless pid =~ /^\d+$/
+        print_error("Not a PID: #{pid}")
+        return
       end
+      pid = pid.to_i
     end
 
     begin

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb

@@ -52,6 +52,7 @@ class Console::CommandDispatcher::Stdapi::Fs
       'cat'        => 'Read the contents of a file to the screen',
       'cd'         => 'Change directory',
       'del'        => 'Delete the specified file',
+      'dir'        => 'List files (alias for ls)',
       'download'   => 'Download a file or directory',
       'edit'       => 'Edit a file',
       'getlwd'     => 'Print local working directory',
@@ -73,6 +74,7 @@ class Console::CommandDispatcher::Stdapi::Fs
       'cat'        => [],
       'cd'         => ['stdapi_fs_chdir'],
       'del'        => ['stdapi_fs_rm'],
+      'dir'        => ['stdapi_fs_stat', 'stdapi_fs_ls'],
       'download'   => [],
       'edit'       => [],
       'getlwd'     => [],
@@ -598,6 +600,12 @@ class Console::CommandDispatcher::Stdapi::Fs
     return true
   end
 
+  #
+  # Alias the ls command to dir, for those of us who have windows muscle-memory
+  #
+  alias cmd_dir cmd_ls
+
+
   #
   # Make one or more directory.
   #

data/lib/rex/proto/adb.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+#
+# Support for the ADB android debugging protocol
+#
+
+require 'rex/proto/adb/client'
+require 'rex/proto/adb/message'

data/lib/rex/proto/adb/client.rb

@@ -0,0 +1,39 @@
+# -*- coding: binary -*-
+
+##
+# ADB protocol support
+##
+
+require 'rex/proto/adb/message'
+
+module Rex
+module Proto
+module ADB
+
+class Client
+
+  def initialize(sock, opts = {})
+    @sock = sock
+    @opts = opts
+    @local_id_counter = 0x0a
+  end
+
+  def connect
+    ADB::Message::Connect.new.send_recv(@sock)
+  end
+
+  def exec_cmd(cmd)
+    local_id = @local_id_counter += 1
+    response = ADB::Message::Open.new(local_id, "shell:"+cmd).send_recv(@sock)
+    ADB::Message::Close.new(local_id, response.arg0).send_recv(@sock)
+  end
+
+  def read_message
+    ADB::Message.read(@sock)
+  end
+
+end # Client
+
+end # ADB
+end # Proto
+end # Rex

data/lib/rex/proto/adb/message.rb

@@ -0,0 +1,164 @@
+# -*- coding: binary -*-
+
+##
+# ADB protocol support
+##
+
+module Rex
+module Proto
+module ADB
+
+# A Message for the ADB protocol. For documentation see:
+# https://android.googlesource.com/platform/system/core/+/master/adb/protocol.txt
+class Message
+
+  WORD_WIDTH = 4 # bytes
+  WORD_PACK = 'L<'
+
+  attr_accessor :command
+  attr_accessor :arg0
+  attr_accessor :arg1
+  attr_accessor :data
+
+  def initialize(arg0, arg1, data)
+    self.command = self.class::COMMAND if defined?(self.class::COMMAND)
+    self.arg0 = arg0
+    self.arg1 = arg1
+    self.data = data + "\0"
+  end
+
+  def data_check
+    # this check is implemented in adb/transport.cpp, in the send_packet method.
+    # it is not crc32 as the docs make it appear, it is just a 32bit sum.
+    data.bytes.inject(&:+) & 0xffffffff
+  end
+
+  def magic
+    command_word ^ 0xffffffff
+  end
+
+  def command_word
+    command.unpack(WORD_PACK)[0]
+  end
+
+  def send_recv(socket)
+    socket.print self.serialize
+    Message.read socket
+  end
+
+  def serialize
+    [
+      command_word,
+      arg0,
+      arg1,
+      data.bytes.length,
+      data_check,
+      magic
+    ].pack(WORD_PACK+'*') + data
+  end
+
+  def to_s
+    [
+      "command=#{command}",
+      "arg0=0x#{arg0.to_s(16)}",
+      "arg1=0x#{arg1.to_s(16)}",
+      "data=#{data}"
+    ].join("\n")
+  end
+
+  def self.read(socket)
+    header = socket.recvfrom(6 * WORD_WIDTH)[0]
+    command = header[0, WORD_WIDTH]
+    arg0 = header[WORD_WIDTH, WORD_WIDTH].unpack(WORD_PACK)[0]
+    arg1 = header[WORD_WIDTH*2, WORD_WIDTH].unpack(WORD_PACK)[0]
+    payload_len = header[WORD_WIDTH*3, WORD_WIDTH].unpack(WORD_PACK)[0]
+    payload = socket.recvfrom(payload_len)[0]
+
+    klass = MESSAGE_TYPES.find { |klass| klass::COMMAND == command }
+    if klass.nil?
+      raise "Invalid adb command: #{command}"
+    end
+
+    message = klass.allocate
+    message.command = command
+    message.arg0 = arg0
+    message.arg1 = arg1
+    message.data = payload
+    message
+  end
+
+  #
+  # Subclasses inside Message:: namespace for specific message types
+  #
+
+  class Connect < Message
+    COMMAND = "CNXN"
+    DEFAULT_VERSION = 0x01000000
+    DEFAULT_MAXDATA = 4096
+    DEFAULT_IDENTITY = "host::"
+
+    def initialize(version=DEFAULT_VERSION,
+                   maxdata=DEFAULT_MAXDATA,
+                   system_identity_string=DEFAULT_IDENTITY)
+      super
+    end
+  end
+
+  class Auth < Message
+    COMMAND = "AUTH"
+    TYPE_TOKEN = 1
+    TYPE_SIGNATURE = 2
+
+    def initialize(type, data)
+      super(type, 0, data)
+    end
+  end
+
+  class Open < Message
+    COMMAND = "OPEN"
+
+    def initialize(local_id, destination)
+      super(local_id, 0, destination)
+    end
+  end
+
+  class Ready < Message
+    COMMAND = "OKAY"
+
+    def initialize(local_id, remote_id)
+      super(local_id, remote_id, "")
+    end
+  end
+
+  class Write < Message
+    COMMAND = "WRTE"
+
+    def initialize(local_id, remote_id, data)
+      super
+    end
+  end
+
+  class Close < Message
+    COMMAND = "CLSE"
+
+    def initialize(local_id, remote_id)
+      super(local_id, remote_id, "")
+    end
+  end
+
+  class Sync < Message
+    COMMAND = "SYNC"
+
+    def initialize(online, sequence)
+      super(online, sequence, "")
+    end
+  end
+
+  # Avoid a dependency on Rails's nice Class#subclasses
+  MESSAGE_TYPES = [Connect, Auth, Open, Ready, Write, Close, Sync]
+
+end # Message
+
+end # ADB
+end # Proto
+end # Rex