rex 2.0.9 → 2.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5a35ae088f817815b2d3cd56ad4f298a1dc36a73
-  data.tar.gz: f486b6412dd555646eb747c4b65a4b01dd623f38
+  metadata.gz: 905f84863b058a5c12986cb77bd82bfeb9e5948f
+  data.tar.gz: c13bf88f1ffda5f7b730a29d6131c80e6a3a106c
 SHA512:
-  metadata.gz: 96d9eed7f6fa713ae93f52a629113b9f5cdb41aed48db814731612bf2dbe74a0c657f83905640e188c1dcb622b3781125737e1faf1b06ab1eb29d15e99941acc
-  data.tar.gz: a7092a603aeab1a5291f522438f8a94a56e28a6f6134d1024c1b8fce85956e0432e818bf83fcee1710bdd2aeeb0c1bf2b297e7f40154f2a7544f20fb043d69f0
+  metadata.gz: 2e2b6a00d84ebf9e551c906d131695a01842c0249c1bb7fb2c7882f41bfd1e5d8da535e092d03a2862c44a1a82355fa0d0efc55d70c680aadd8e38e0c8243561
+  data.tar.gz: 6702bf1c601ca43627ecf06303ebe80b507b7b178081b872f353956806949961eda4c3c21ed01f20400db12c7ac791ad13cab486aea80c03be3dd93113423bc3

data/lib/rex/exploitation/cmdstager/bourne.rb

@@ -12,14 +12,20 @@ class CmdStagerBourne < CmdStagerBase
   def initialize(exe)
     super
 
-    @var_encoded = Rex::Text.rand_text_alpha(5)
+    @var_encoded = Rex::Text.rand_text_alpha(5) + '.b64'
     @var_decoded = Rex::Text.rand_text_alpha(5)
   end
 
   def generate(opts = {})
     opts[:temp] = opts[:temp] || '/tmp/'
+    opts[:temp] = opts[:temp].empty?? opts[:temp] : opts[:temp] + '/'
+    opts[:temp] = opts[:temp].gsub(/\/{2,}/, '/')
     opts[:temp] = opts[:temp].gsub(/'/, "\\\\'")
     opts[:temp] = opts[:temp].gsub(/ /, "\\ ")
+    if (opts[:file])
+        @var_encoded = opts[:file] + '.b64'
+        @var_decoded = opts[:file]
+    end
     super
   end
 
@@ -29,7 +35,7 @@ class CmdStagerBourne < CmdStagerBase
   def generate_cmds(opts)
     # Set the start/end of the commands here (vs initialize) so we have @tempdir
     @cmd_start = "echo -n "
-    @cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+    @cmd_end   = ">>'#{@tempdir}#{@var_encoded}'"
     xtra_len = @cmd_start.length + @cmd_end.length + 1
     opts.merge!({ :extra => xtra_len })
     super
@@ -78,27 +84,27 @@ class CmdStagerBourne < CmdStagerBase
       decoder_cmd << "(which #{binary} >&2 && #{cmd})"
     end
     decoder_cmd = decoder_cmd.join(" || ")
-    decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > #{@tempdir}#{@var_decoded}.bin < #{@tempdir}#{@var_encoded}.b64"
+    decoder_cmd = "(" << decoder_cmd << ") 2> /dev/null > '#{@tempdir}#{@var_decoded}' < '#{@tempdir}#{@var_encoded}'"
     [ decoder_cmd ]
   end
 
   def compress_commands(cmds, opts)
     # Make it all happen
-    cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
+    cmds << "chmod +x '#{@tempdir}#{@var_decoded}'"
     # Background the process, allowing the cleanup code to continue and delete the data
     # while allowing the original shell to continue to function since it isn't waiting
     # on the payload to exit.  The 'sleep' is required as '&' is a command terminator
     # and having & and the cmds delimiter ';' next to each other is invalid.
     if opts[:background]
-      cmds << "#{@tempdir}#{@var_decoded}.bin & sleep 2"
+      cmds << "'#{@tempdir}#{@var_decoded}' & sleep 2"
     else
-      cmds << "#{@tempdir}#{@var_decoded}.bin"
+      cmds << "'#{@tempdir}#{@var_decoded}'"
     end
 
     # Clean up after unless requested not to..
     if (not opts[:nodelete])
-      cmds << "rm -f #{@tempdir}#{@var_decoded}.bin"
-      cmds << "rm -f #{@tempdir}#{@var_encoded}.b64"
+      cmds << "rm -f '#{@tempdir}#{@var_decoded}'"
+      cmds << "rm -f '#{@tempdir}#{@var_encoded}'"
     end
 
     super

data/lib/rex/exploitation/cmdstager/echo.rb

@@ -35,7 +35,7 @@ class CmdStagerEcho < CmdStagerBase
     end
 
     # by default use the 'hex' encoding
-    opts[:enc_format] = opts[:enc_format] || 'hex'
+    opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
 
     unless ENCODINGS.keys.include?(opts[:enc_format])
       raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
@@ -58,7 +58,7 @@ class CmdStagerEcho < CmdStagerBase
     xtra_len = @cmd_start.length + @cmd_end.length
     opts.merge!({ :extra => xtra_len })
 
-    @prefix = ENCODINGS[opts[:enc_format]]
+    @prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
     min_part_size = 5 # for both encodings
 
     if (opts[:linemax] - opts[:extra]) < min_part_size
@@ -108,7 +108,7 @@ class CmdStagerEcho < CmdStagerBase
     # Make it all happen
     cmds << "chmod 777 #{@tempdir}#{@var_elf}"
     #cmds << "chmod +x #{@tempdir}#{@var_elf}"
-    cmds << "#{@tempdir}#{@var_elf}"
+    cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
 
     # Clean up after unless requested not to..
     unless opts[:nodelete]

data/lib/rex/exploitation/js/memory.rb

@@ -27,7 +27,7 @@ class Memory
   def self.heaplib2(custom_js='', opts={})
     js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heaplib2.js"))
 
-    unless custom_js.blank?
+    unless custom_js.to_s.empty?
       js << custom_js
     end
 

data/lib/rex/java/serialization/model/contents.rb

@@ -88,7 +88,7 @@ module Rex
             when NewClassDesc
               encoded << [TC_CLASSDESC].pack('C')
             when ProxyClassDesc
-              content = [TC_PROXYCLASSDESC].pack('C')
+              encoded << [TC_PROXYCLASSDESC].pack('C')
             when NullReference
               encoded << [TC_NULL].pack('C')
             when Reset

data/lib/rex/mime/message.rb

@@ -126,7 +126,7 @@ class Message
     header_string = self.header.to_s
 
     msg = header_string.empty? ? '' : force_crlf(self.header.to_s + "\r\n")
-    msg << force_crlf(self.content + "\r\n") unless self.content.blank?
+    msg << force_crlf(self.content + "\r\n") unless self.content.to_s.empty?
 
     self.parts.each do |part|
       msg << force_crlf("--" + self.bound + "\r\n")

data/lib/rex/parser/acunetix_nokogiri.rb

@@ -59,6 +59,8 @@ module Rex
         @text = nil
       when "StartURL" # Populates @state[:starturl_uri], we use this a lot
         @state[:has_text] = false
+        # StartURL does not always include the scheme
+        @text.prepend("http://") unless URI.parse(@text).scheme
         collect_host
         collect_service
         @text = nil

data/lib/rex/parser/appscan_nokogiri.rb

@@ -195,7 +195,7 @@ module Rex
       res_header = Rex::Proto::Http::Packet::Header.new
       req_header.from_s request_headers.lstrip
       res_header.from_s response_headers.lstrip
-      if response_body.blank?
+      if response_body.to_s.empty?
         response_body = ''
       end
       @state[:request_headers] = req_header

data/lib/rex/parser/burp_issue_nokogiri.rb

@@ -0,0 +1,139 @@
+# -*- coding: binary -*-
+require "rex/parser/nokogiri_doc_mixin"
+require 'uri'
+
+module Rex
+  module Parser
+
+    # If Nokogiri is available, define Burp Issue document class.
+    load_nokogiri && class BurpIssueDocument < Nokogiri::XML::SAX::Document
+
+      include NokogiriDocMixin
+
+      def start_element(name=nil,attrs=[])
+        attrs = normalize_attrs(attrs)
+        block = @block
+        @state[:current_tag][name] = true
+        case name
+          when "host", "name", "info", "issueDetail", "references"
+            @state[:has_text] = true
+        end
+      end
+
+      def end_element(name=nil)
+        block = @block
+        case name
+          when "issue"
+            report_web_host_info
+            report_web_service_info
+            report_vuln
+            # Reset the state once we close a host
+            @state = @state.select {|k| [:current_tag].include? k}
+          when "host"
+            @state[:has_text] = false
+            collect_host_info
+            @text = nil
+          when "name"
+            @state[:has_text] = false
+            collect_name
+            @text = nil
+          when "issueDetail"
+            @state[:has_text] = false
+            collect_issue_detail
+            @text = nil
+          when "references"
+            @state[:has_text] = false
+            collect_references
+            @text = nil
+        end
+        @state[:current_tag].delete name
+      end
+
+      def collect_host_info
+        return unless in_issue
+        return unless has_text
+        uri = URI(@text)
+
+        @state[:host] = uri.host
+        @state[:service_name] = uri.scheme
+        @state[:proto] = "tcp"
+
+        case @state[:service_name]
+          when "http"
+            @state[:port] = 80
+          when "https"
+            @state[:port] = 443
+        end
+      end
+
+      def collect_name
+        return unless in_issue
+        return unless has_text
+        @state[:vuln_name] = @text
+      end
+
+      def collect_issue_detail
+        return unless in_issue
+        return unless has_text
+        @state[:issue_detail] = @text
+      end
+
+      def collect_references
+        return unless in_issue
+        return unless has_text
+        uri = @text.match('href=[\'"]?([^\'" >]+)')[1]
+        @state[:refs] = ["URI-#{uri}"]
+      end
+
+      def report_web_host_info
+        return unless @state[:host]
+        address = Rex::Socket.resolv_to_dotted(@state[:host]) rescue nil
+        host_info = {:workspace => @args[:wspace]}
+        host_info[:address] = address
+        host_info[:name] = @state[:host]
+        db_report(:host, host_info)
+      end
+
+      def report_web_service_info
+        return unless @state[:host]
+        return unless @state[:port]
+        return unless @state[:proto]
+        return unless @state[:service_name]
+        service_info = {}
+        service_info[:host] = @state[:host]
+        service_info[:port] = @state[:port]
+        service_info[:proto] = @state[:proto]
+        service_info[:name] = @state[:service_name]
+        @state[:service_object] = db_report(:service, service_info)
+      end
+
+      def report_vuln
+        return unless @state[:service_object]
+        return unless @state[:vuln_name]
+        return unless @state[:issue_detail]
+        return unless @state[:refs]
+        vuln_info = {}
+        vuln_info[:service_id] = @state[:service_object].id
+        vuln_info[:host] = @state[:host]
+        vuln_info[:name] = @state[:vuln_name]
+        vuln_info[:info] = @state[:issue_detail]
+        vuln_info[:refs] = @state[:refs]
+        @state[:vuln_object] = db_report(:vuln, vuln_info)
+      end
+
+      def in_issue
+        return false unless in_tag("issue")
+        return false unless in_tag("issues")
+        return true
+      end
+
+      def has_text
+        return false unless @text
+        return false if @text.strip.empty?
+        @text = @text.strip
+      end
+    end
+
+  end
+end
+

data/lib/rex/parser/burp_session_nokogiri.rb

@@ -157,7 +157,7 @@ module Rex
       host_info = {:workspace => @args[:wspace]}
       host_info[:address] = @state[:web_site].service.host.address
       host_info[:name] = @state[:uri].host
-      report_db(:host, host_info)
+      db_report(:host, host_info)
     end
 
     def report_web_service_info

data/lib/rex/parser/fs/bitlocker.rb

@@ -0,0 +1,233 @@
+# -*- coding: binary -*-
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'openssl/ccm'
+require 'metasm'
+module Rex
+  module Parser
+    ###
+    #
+    # This class parses the content of a Bitlocker partition file.
+    # Author : Danil Bazin <danil.bazin[at]hsc.fr> @danilbaz
+    #
+    ###
+    class BITLOCKER
+      BLOCK_HEADER_SIZE = 64
+      METADATA_HEADER_SIZE = 48
+
+      ENTRY_TYPE_NONE  = 0x0000
+      ENTRY_TYPE_VMK  = 0x0002
+      ENTRY_TYPE_FVEK  = 0x0003
+      ENTRY_TYPE_STARTUP_KEY  = 0x0006
+      ENTRY_TYPE_DESC  = 0x0007
+      ENTRY_TYPE_HEADER  = 0x000f
+
+      VALUE_TYPE_ERASED = 0x0000
+      VALUE_TYPE_KEY = 0x0001
+      VALUE_TYPE_STRING = 0x0002
+      VALUE_TYPE_STRETCH_KEY = 0x0003
+      VALUE_TYPE_ENCRYPTED_KEY = 0x0005
+      VALUE_TYPE_TPM = 0x0006
+      VALUE_TYPE_VALIDATION = 0x0007
+      VALUE_TYPE_VMK = 0x0008
+      VALUE_TYPE_EXTERNAL_KEY = 0x0009
+      VALUE_TYPE_UPDATE = 0x000a
+      VALUE_TYPE_ERROR = 0x000b
+
+      PROTECTION_TPM = 0x0100
+      PROTECTION_CLEAR_KEY = 0x0000
+      PROTECTION_STARTUP_KEY = 0x0200
+      PROTECTION_RECOVERY_PASSWORD = 0x0800
+      PROTECTION_PASSWORD = 0x2000
+
+      def initialize(file_handler)
+        @file_handler = file_handler
+        volume_header = @file_handler.read(512)
+        @fs_sign = volume_header[3, 8]
+        unless @fs_sign == '-FVE-FS-'
+          fail ArgumentError, 'File system signature does not match Bitlocker :
+           #@fs_sign}, bitlocker not used', caller
+        end
+        @fve_offset = volume_header[176, 8].unpack('Q')[0]
+
+        @file_handler.seek(@fve_offset)
+        @fve_raw = @file_handler.read(4096)
+        @encryption_methods = @fve_raw[BLOCK_HEADER_SIZE + 36, 4].unpack('V')[0]
+        size = @fve_raw[BLOCK_HEADER_SIZE, 4].unpack('V')[0] -
+               METADATA_HEADER_SIZE
+        @metadata_entries = @fve_raw[BLOCK_HEADER_SIZE + METADATA_HEADER_SIZE,
+                                     size]
+        @version = @fve_raw[BLOCK_HEADER_SIZE + 4]
+        @fve_metadata_entries = fve_entries(@metadata_entries)
+        @vmk_entries_hash = vmk_entries
+      end
+
+      # Extract FVEK and prefix it with the encryption methods integer on
+      # 2 bytes
+      def fvek_from_recovery_password_dislocker(recoverykey)
+        [@encryption_methods].pack('v') +
+          fvek_from_recovery_password(recoverykey)
+      end
+
+      # stretch recovery key with all stretch key and try to decrypt all VMK
+      # encrypted with a recovery key
+      def vmk_from_recovery_password(recoverykey)
+        recovery_keys_stretched = recovery_key_transformation(recoverykey)
+        vmk_encrypted_in_recovery_password_list =  @vmk_entries_hash[
+                                                   PROTECTION_RECOVERY_PASSWORD]
+        vmk_recovery_password = ''
+        vmk_encrypted_in_recovery_password_list.each do |vmk|
+          vmk_encrypted = vmk[ENTRY_TYPE_NONE][VALUE_TYPE_ENCRYPTED_KEY][0]
+          recovery_keys_stretched.each do |recovery_key|
+            vmk_recovery_password = decrypt_aes_ccm_key(
+            vmk_encrypted, recovery_key)
+            break if vmk_recovery_password != ''
+          end
+          break if vmk_recovery_password != ''
+        end
+        if vmk_recovery_password == ''
+          fail ArgumentError, 'Wrong decryption, bad recovery key?'
+        end
+        vmk_recovery_password
+      end
+
+      # Extract FVEK using the provided recovery key
+      def fvek_from_recovery_password(recoverykey)
+        vmk_recovery_password = vmk_from_recovery_password(recoverykey)
+        fvek_encrypted = fvek_entries
+        fvek = decrypt_aes_ccm_key(fvek_encrypted, vmk_recovery_password)
+        fvek
+      end
+
+      def decrypt_aes_ccm_key(fve_entry, key)
+        nonce = fve_entry[0, 12]
+        mac = fve_entry[12, 16]
+        encrypted_data = fve_entry[28..-1]
+        ccm = OpenSSL::CCM.new('AES',  key, 16)
+        decrypted_data = ccm.decrypt(encrypted_data + mac, nonce)
+        decrypted_data[12..-1]
+      end
+
+      # Parse the metadata_entries and return a hashmap using the
+      # following format:
+      # {metadata_entry_type => {metadata_value_type => [fve_entry,...]}}
+      def fve_entries(metadata_entries)
+        offset_entry = 0
+        entry_size = metadata_entries[0, 2].unpack('v')[0]
+        result = Hash.new({})
+        while entry_size != 0
+          metadata_entry_type = metadata_entries[
+                                offset_entry + 2, 2].unpack('v')[0]
+          metadata_value_type = metadata_entries[
+                                offset_entry + 4, 2].unpack('v')[0]
+          metadata_entry = metadata_entries[offset_entry + 8, entry_size - 8]
+          if result[metadata_entry_type] == {}
+            result[metadata_entry_type] = { metadata_value_type => [
+              metadata_entry] }
+          else
+            if result[metadata_entry_type][metadata_value_type].nil?
+              result[metadata_entry_type][metadata_value_type] = [
+                metadata_entry]
+            else
+              result[metadata_entry_type][metadata_value_type] += [
+                metadata_entry]
+            end
+          end
+          offset_entry += entry_size
+          if metadata_entries[offset_entry, 2] != ''
+            entry_size = metadata_entries[offset_entry, 2].unpack('v')[0]
+          else
+            entry_size = 0
+          end
+        end
+        result
+      end
+
+      # Dummy strcpy to use with metasm and string asignement
+      def strcpy(str_src, str_dst)
+        (0..(str_src.length - 1)).each do |cpt|
+          str_dst[cpt] = str_src[cpt].ord
+        end
+      end
+
+      # stretch all the Recovery key and returns it
+      def recovery_key_transformation(recoverykey)
+        # recovery key stretching phase 1
+        recovery_intermediate = recoverykey.split('-').map(&:to_i)
+        recovery_intermediate.each do |n|
+          n % 11 != 0 && (fail ArgumentError, 'Invalid recovery key')
+        end
+        recovery_intermediate =
+                           recovery_intermediate.map { |a| (a / 11) }.pack('v*')
+
+        # recovery key stretching phase 2
+        recovery_keys = []
+        cpu = Metasm.const_get('Ia32').new
+        exe = Metasm.const_get('Shellcode').new(cpu)
+        cp = Metasm::C::Parser.new(exe)
+        bitlocker_struct_src = <<-EOS
+          typedef struct {
+          unsigned char updated_hash[32];
+          unsigned char password_hash[32];
+          unsigned char salt[16];
+          unsigned long long int hash_count;
+          } bitlocker_chain_hash_t;
+        EOS
+        cp.parse bitlocker_struct_src
+        btl_struct = Metasm::C::AllocCStruct.new(cp, cp.find_c_struct(
+                                                     'bitlocker_chain_hash_t'))
+        vmk_protected_by_recovery_key = @vmk_entries_hash[
+                                        PROTECTION_RECOVERY_PASSWORD]
+        if vmk_protected_by_recovery_key.nil?
+          fail ArgumentError, 'No recovery key on disk'
+        end
+        vmk_protected_by_recovery_key.each do |vmk_encrypted|
+          vmk_encrypted_raw = vmk_encrypted[ENTRY_TYPE_NONE][
+                              VALUE_TYPE_STRETCH_KEY][0]
+          stretch_key_salt = vmk_encrypted_raw[4, 16]
+          strcpy(Digest::SHA256.digest(recovery_intermediate),
+                 btl_struct.password_hash)
+          strcpy(stretch_key_salt, btl_struct.salt)
+          btl_struct.hash_count = 0
+          sha256 = Digest::SHA256.new
+          btl_struct_raw = btl_struct.str
+          btl_struct_hash_count_offset = btl_struct.struct.fldoffset[
+                                         'hash_count']
+          (1..0x100000).each do |c|
+            updated_hash = sha256.digest(btl_struct_raw)
+            btl_struct_raw = updated_hash + btl_struct_raw \
+                             [btl_struct.updated_hash.sizeof..(
+                             btl_struct_hash_count_offset - 1)] + [c].pack('Q')
+            sha256.reset
+          end
+          recovery_keys += [btl_struct_raw[btl_struct.updated_hash.stroff,
+                           btl_struct.updated_hash.sizeof]]
+        end
+        recovery_keys
+      end
+
+      # Return FVEK entry, encrypted with the VMK
+      def fvek_entries
+        @fve_metadata_entries[ENTRY_TYPE_FVEK][
+          VALUE_TYPE_ENCRYPTED_KEY][ENTRY_TYPE_NONE]
+      end
+
+      # Produce a hash map using the following format:
+      # {PROTECTION_TYPE => [fve_entry, fve_entry...]}
+      def vmk_entries
+        res = {}
+        (@fve_metadata_entries[ENTRY_TYPE_VMK][VALUE_TYPE_VMK]).each do |vmk|
+          protection_type = vmk[26, 2].unpack('v')[0]
+          if res[protection_type].nil?
+            res[protection_type] = [fve_entries(vmk[28..-1])]
+          else
+            res[protection_type] += [fve_entries(vmk[28..-1])]
+          end
+        end
+        res
+      end
+    end
+  end
+end