rex 2.0.3 → 2.0.4

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    MDQwMjkwNWY0OTJlZGI3NDkyYjg2NWE0MzQ1ODE2MGU5NWFjNGRiYw==
-  data.tar.gz: !binary |-
-    NDQ2YzQwN2FiNzY1Y2M0YjY3YzE0NTU1NDc1OWZjZDNlZDc4MDliZA==
+SHA1:
+  metadata.gz: 79a1308c4fbc5e37cc531c402b45228f0480314a
+  data.tar.gz: 55b5f247534fdac3322b929d4c46e4846c9ec9bb
 SHA512:
-  metadata.gz: !binary |-
-    ZTk4N2VhZWJlNzkyZjhmYTA2MWM0NTM0NzU2MTc1MjgzZTRjYzY5ZTJhNGZi
-    NDFiOGIzNjIwZGQwZjVkYTk4MmU3YzEzYTA4MDgxNmFiY2YyYTFlNjA3M2U1
-    ZGI3YmY0MjRiMjc2ODk1MzAxYTRkNTIzYjFjNGVlOGJjYjc2NzI=
-  data.tar.gz: !binary |-
-    NDM1MjdjM2MyNjZjMWM3MmQ4M2JmMWJlZmU0Nzg5MDdmYjc1NDIzZmJjZTcx
-    NjI3MjUzOTY1NWZkNmMwYzNiN2JjZDRhODU5MDBhMWM0Nzk3ZjhkMDY5M2M3
-    MWY3MWM3YTcwM2Y2ZDQ0NWMxMDg0Mjc2N2RhZjg0ZWQ5MWJjNTA=
+  metadata.gz: 49e7741c0bc14e27943de1291b38e69300173bdffd3a1598372d5db5d1338040201ef011e67680bf42ba611948dd18cc5ad0627388a80d1079ef58c80088bd3e
+  data.tar.gz: 10161b1c288d4c7aab84399ad7f66048ef276d7225b4a701b8ac8eac784ada87786499137dad1fed0f652c4dea529b65c7678f7e2b0b958be5e29dc232da480b

data/lib/rex.rb

@@ -1,8 +1,9 @@
+# -*- coding: binary -*-
 =begin
 
 The Metasploit Rex library is provided under the 3-clause BSD license.
 
-Copyright (c) 2005-2010, Rapid7, Inc.
+Copyright (c) 2005-2014, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

data/lib/rex/arch.rb

@@ -48,7 +48,7 @@ module Arch
     case arch
       when ARCH_X86
         [addr].pack('V')
-      when ARCH_X86_64
+      when ARCH_X86_64, ARCH_X64
         [addr].pack('Q<')
       when ARCH_MIPS # ambiguous
         [addr].pack('N')

data/lib/rex/arch/x86.rb

@@ -244,7 +244,7 @@ module X86
     _check_reg(dst)
 
     # If the value is 0 try xor/sub dst, dst (2 bytes)
-    if(val == 0)
+    if val == 0
       opcodes = Rex::Text.remove_badchars("\x29\x2b\x31\x33", badchars)
       if !opcodes.empty?
         return opcodes[rand(opcodes.length)].chr + encode_modrm(dst, dst)
@@ -261,8 +261,9 @@ module X86
 
     # try clear dst, mov BYTE dst (4 bytes)
     begin
-      # break if val == 0
-      return _check_badchars(clear(dst, badchars) + mov_byte(dst, val), badchars)
+      unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
+        return _check_badchars(clear(dst, badchars) + mov_byte(dst, val), badchars)
+      end
     rescue ::ArgumentError, ::RuntimeError, ::RangeError
     end
 
@@ -280,8 +281,9 @@ module X86
 
     # try clear dst, mov WORD dst (6 bytes)
     begin
-      # break if val == 0
-      return _check_badchars(clear(dst, badchars) + mov_word(dst, val), badchars)
+      unless val == 0 # clear tries to set(dst, 0, badchars), entering an infinite recursion
+        return _check_badchars(clear(dst, badchars) + mov_word(dst, val), badchars)
+      end
     rescue ::ArgumentError, ::RuntimeError, ::RangeError
     end
 

data/lib/rex/elfparsey/elf.rb

@@ -34,7 +34,7 @@ class Elf < ElfBase
         isource.read(offset, PROGRAM_HEADER_SIZE), ei_data
       )
 
-      if program_header[-1].p_type == PT_LOAD && base_addr == 0
+      if program_header[-1].p_type == PT_LOAD && program_header[-1].p_flags & PF_EXEC > 0
         base_addr = program_header[-1].p_vaddr
       end
 

data/lib/rex/elfparsey/elfbase.rb

@@ -214,6 +214,15 @@ class ElfBase
     [ 'uint32n', 'p_align',  0 ]
   )
 
+  # p_flags  This member tells which permissions should have the segment
+
+  # Flags
+
+  PF_EXEC    = 1
+  PF_WRITE   = 2
+  PF_READ    = 4 
+
+
   #
   # p_type  This member tells what kind of segment this array element
   # describes or how to interpret the array element's information.

data/lib/rex/encoder/nonalpha.rb

@@ -7,7 +7,7 @@ module Encoder
 
 class NonAlpha
 
-  def NonAlpha.gen_decoder()
+  def NonAlpha.gen_decoder
     decoder =
       "\x66\xB9\xFF\xFF" +
       "\xEB\x19"  +               # Jmp to table
@@ -28,13 +28,13 @@ class NonAlpha
   end
 
   def NonAlpha.encode_byte(block, table, tablelen)
-    if (tablelen > 255) or (block == 0x7B)
+    if tablelen > 255 || block == 0x7B
       raise RuntimeError, "BadChar"
     end
 
-    if (block >= 0x41 and block <= 0x5A) or (block >= 0x61 and block <= 0x7A)
+    if (block >= 0x41 && block <= 0x5A) || (block >= 0x61 && block <= 0x7A)
       # gen offset, return magic
-      offset = 0x7b - block;
+      offset = 0x7b - block
       table += offset.chr
       tablelen = tablelen + 1
       block = 0x7B

data/lib/rex/exploitation/js/detect.rb

@@ -15,10 +15,12 @@ class Detect
   # Provides several javascript functions for determining the OS and browser versions of a client.
   #
   # getVersion():  returns an object with the following properties
-  # os_name      -  OS name, one of the Msf::OperatingSystems constants
-  # os_flavor    -  OS flavor as a string (e.g.: "XP", "2000")
+  # os_name      -  OS name such as "Windows 8", "Linux", "Mac OS X"
+  # os_flavor    -  OS flavor as a string such as "Home", "Enterprise", etc
   # os_sp        -  OS service pack (e.g.: "SP2", will be empty on non-Windows)
   # os_lang      -  OS language (e.g.: "en-us")
+  # os_vendor    -  A company or organization name such as Microsoft, Ubuntu, Apple, etc
+  # os_device    -  A specific piece of hardware such as iPad, iPhone, etc
   # ua_name      -  Client name, one of the Msf::HttpClients constants
   # ua_version   -  Client version as a string (e.g.: "3.5.1", "6.0;SP2")
   # arch         -  Architecture, one of the ARCH_* constants

data/lib/rex/exploitation/jsobfu.rb

@@ -1,513 +1,17 @@
 # -*- coding: binary -*-
 
-require 'rex/text'
-require 'rex/random_identifier_generator'
-require 'rkelly'
+require 'jsobfu'
 
 module Rex
 module Exploitation
 
-
-#
-# Obfuscate JavaScript by randomizing as much as possible and removing
-# easily-signaturable string constants.
-#
-# Example:
-#   js = ::Rex::Exploitation::JSObfu.new %Q|
-#     var a = "0\\612\\063\\x34\\x35\\x36\\x37\\x38\\u0039";
-#     var b = { foo : "foo", bar : "bar" }
-#     alert(a);
-#     alert(b.foo);
-#   |
-#   js.obfuscate
-#   puts js
-# Example Output:
-#   var VwxvESbCgv = String.fromCharCode(0x30,0x31,062,063,064,53,0x36,067,070,0x39);
-#   var ToWZPn = {
-#     "\146\157\x6f": (function () { var yDyv="o",YnCL="o",Qcsa="f"; return Qcsa+YnCL+yDyv })(),
-#     "\142ar": String.fromCharCode(0142,97,0162)
-#   };
-#   alert(VwxvESbCgv);
-#   alert(ToWZPn.foo);
-#
-# NOTE: Variables MUST be declared with a 'var' statement BEFORE first use (or
-# not at all) for this to generate correct code!  If variables are not declared
-# they will not be randomized but the generated code will be correct.
 #
-# Bad Example Javascript:
-#   a = "asdf"; // this variable hasn't been declared and will not be randomized
-#   var a;
-#   alert(a); // real js engines will alert "asdf" here
-# Bad Example Obfuscated:
-#   a = (function () { var hpHu="f",oyTm="asd"; return oyTm+hpHu })();
-#   var zSrnHpEfJZtg;
-#   alert(zSrnHpEfJZtg);
-# Notice that the first usage of +a+ (before it was declared) is not
-# randomized.  Thus, the obfuscated version will alert 'undefined' instead of
-# "asdf".
+# Simple wrapper class that makes the JSObfu functionality
+# from the gem available under the Rex namespace.
 #
-class JSObfu
-
-  # these keywords should never be used as a random var name
-  # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
-  RESERVED_KEYWORDS = %w(
-    break case catch continue debugger default delete do else finally
-    for function if in instanceof new return switch this throw try
-    typeof var void while with class enum export extends import super
-    implements interface let package private protected public static yield
-  )
-
-  #
-  # Abstract Syntax Tree generated by RKelly::Parser#parse
-  #
-  attr_reader :ast
-
-  #
-  # Saves +code+ for later obfuscation with #obfuscate
-  #
-  def initialize(code)
-    @code = code
-    @funcs = {}
-    @vars  = {}
-    @debug = false
-    @rand_gen = Rex::RandomIdentifierGenerator.new(
-      :max_length => 15,
-      :first_char_set => Rex::Text::Alpha+"_$",
-      :char_set => Rex::Text::AlphaNumeric+"_$"
-    )
-  end
-
-  #
-  # Add +str+ to the un-obfuscated code.
-  #
-  # Calling this method after #obfuscate is undefined
-  #
-  def <<(str)
-    @code << str
-  end
-
-  #
-  # Return the (possibly obfuscated) code as a string.
-  #
-  # If #obfuscate has not been called before this, returns the parsed,
-  # unobfuscated code.  This can be useful for example to remove comments and
-  # standardize spacing.
-  #
-  def to_s
-    parse if not @ast
-    @ast.to_ecma
-  end
-
-  #
-  # Return the obfuscated name of a symbol
-  #
-  # You MUST call #obfuscate before this method!
-  #
-  def sym(lookup)
-    if @vars[lookup]
-      ret = @vars[lookup]
-    elsif @funcs[lookup]
-      ret = @funcs[lookup]
-    else
-      ret = lookup
-    end
-    ret
-  end
-
-  #
-  # Parse and obfuscate
-  #
-  def obfuscate
-    parse
-    obfuscate_r(@ast)
-  end
-
-  # @return [String] a unique random var name that is not a reserved keyword
-  def random_var_name
-    loop do
-      text = random_string
-      unless @vars.has_value?(text) or RESERVED_KEYWORDS.include?(text)
-        return text
-      end
-    end
-  end
-
-protected
-
-  # @return [String] a random string
-  def random_string
-    @rand_gen.generate
-  end
-
-  #
-  # Recursive method to obfuscate the given +ast+.
-  #
-  # +ast+ should be the result of RKelly::Parser#parse
-  #
-  def obfuscate_r(ast)
-    ast.each do |node|
-      #if node.respond_to? :value and node.value.kind_of? String and node.value =~ /bodyOnLoad/i
-      #	$stdout.puts("bodyOnLoad: #{node.class}: #{node.value}")
-      #end
-
-      case node
-      when nil
-        nil
-
-      when ::RKelly::Nodes::SourceElementsNode
-        # Recurse
-        obfuscate_r(node.value)
-
-      #when ::RKelly::Nodes::ObjectLiteralNode
-        # TODO
-        #$stdout.puts(node.methods - Object.new.methods)
-        #$stdout.puts(node.value.inspect)
-
-      when ::RKelly::Nodes::PropertyNode
-        # Property names must be bare words or string literals NOT
-        # expressions!  Can't use transform_string() here
-        if node.name =~ /^[a-zA-Z_][a-zA-Z0-9_]*$/
-          n = '"'
-          node.name.unpack("C*") { |c|
-            case rand(3)
-            when 0; n << "\\x%02x"%(c)
-            when 1; n << "\\#{c.to_s 8}"
-            when 2; n << [c].pack("C")
-            end
-          }
-          n << '"'
-          node.instance_variable_set(:@name, n)
-        end
-
-      # Variables
-      when ::RKelly::Nodes::VarDeclNode
-        if @vars[node.name].nil?
-          @vars[node.name] = random_var_name
-        end
-        node.name = @vars[node.name]
-      when ::RKelly::Nodes::ParameterNode
-        if @vars[node.value].nil?
-          @vars[node.value] = random_var_name
-        end
-        node.value = @vars[node.value]
-      when ::RKelly::Nodes::ResolveNode
-        #$stdout.puts("Resolve bodyOnload: #{@vars[node.value]}") if "bodyOnLoad" == node.value
-        node.value = @vars[node.value] if @vars[node.value]
-      when ::RKelly::Nodes::DotAccessorNode
-        case node.value
-        when ::RKelly::Nodes::ResolveNode
-          if @vars[node.value.value]
-            node.value.value = @vars[node.value.value]
-          end
-        #else
-        #	$stderr.puts("Non-resolve node as target of dotaccessor: #{node.value.class}")
-        end
-
-      # Functions
-      when ::RKelly::Nodes::FunctionDeclNode
-        #$stdout.puts("FunctionDecl: #{node.value}")
-        # Functions can also act as objects, so store them in the vars
-        # and the functions list so we can replace them in both places
-        if @funcs[node.value].nil? and not @funcs.values.include?(node.value)
-          @funcs[node.value] = random_var_name
-          if @vars[node.value].nil?
-            @vars[node.value] = @funcs[node.value]
-          end
-          node.value = @funcs[node.value]
-        end
-      when ::RKelly::Nodes::FunctionCallNode
-        # The value of a FunctionCallNode is some sort of accessor node or a ResolveNode
-        # so this is basically useless
-        #$stdout.puts("Function call: #{node.name} => #{@funcs[node.name]}")
-        #node.value = @funcs[node.value] if @funcs[node.value]
-
-      # Transformers
-      when ::RKelly::Nodes::NumberNode
-        node.value = transform_number(node.value)
-      when ::RKelly::Nodes::StringNode
-        node.value = transform_string(node.value)
-      else
-        #$stderr.puts "#{node.class}: #{node.value}"
-        #$stderr.puts "#{node.class}"
-      end
-
-      #unless node.kind_of? ::RKelly::Nodes::SourceElementsNode
-      #	$stderr.puts "#{node.class}: #{node.value}"
-      #end
-    end
-
-    nil
-  end
-
-  #
-  # Generate an Abstract Syntax Tree (#ast) for later obfuscation
-  #
-  def parse
-    parser = RKelly::Parser.new
-    @ast = parser.parse(@code)
-  end
-
-  #
-  # Convert a number to a random base (decimal, octal, or hexedecimal).
-  #
-  # Given 10 as input, the possible return values are:
-  #   "10"
-  #   "0xa"
-  #   "012"
-  #
-  def rand_base(num)
-    case rand(3)
-    when 0; num.to_s
-    when 1; "0%o" % num
-    when 2; "0x%x" % num
-    end
-  end
-
-  #
-  # Return a mathematical expression that will evaluate to the given number
-  # +num+.
-  #
-  # +num+ can be a float or an int, but should never be negative.
-  #
-  def transform_number(num)
-    case num
-    when Fixnum
-      if num == 0
-        r = rand(10) + 1
-        transformed = "('#{Rex::Text.rand_text_alpha(r)}'.length - #{r})"
-      elsif num > 0 and num < 10
-        # use a random string.length for small numbers
-        transformed = "'#{Rex::Text.rand_text_alpha(num)}'.length"
-      else
-        transformed = "("
-        divisor = rand(num) + 1
-        a = num / divisor.to_i
-        b = num - (a * divisor)
-        # recurse half the time for a
-        a = (rand(2) == 0) ? transform_number(a) : rand_base(a)
-        # recurse half the time for divisor
-        divisor = (rand(2) == 0) ? transform_number(divisor) : rand_base(divisor)
-        transformed << "#{a}*#{divisor}"
-        transformed << "+#{b}"
-        transformed << ")"
-      end
-    when Float
-      transformed = "(#{num - num.floor} + #{rand_base(num.floor)})"
-    end
-
-    #puts("#{num} == #{transformed}")
-
-    transformed
-  end
-
-  #
-  # Convert a javascript string into something that will generate that string.
-  #
-  # Randomly calls one of the +transform_string_*+ methods
-  #
-  def transform_string(str)
-    quote = str[0,1]
-    # pull off the quotes
-    str = str[1,str.length - 2]
-    return quote*2 if str.length == 0
-
-    case rand(2)
-    when 0
-      transformed = transform_string_split_concat(str, quote)
-    when 1
-      transformed = transform_string_fromCharCode(str)
-    #when 2
-    #	# Currently no-op
-    #	transformed = transform_string_unescape(str)
-    end
-
-    #$stderr.puts "Obfuscating str: #{str.ljust 30} #{transformed}"
-    transformed
-  end
-
-  #
-  # Split a javascript string, +str+, without breaking escape sequences.
-  #
-  # The maximum length of each piece of the string is half the total length
-  # of the string, ensuring we (almost) always split into at least two
-  # pieces.  This won't always be true when given a string like "AA\x41",
-  # where escape sequences artificially increase the total length (escape
-  # sequences are considered a single character).
-  #
-  # Returns an array of two-element arrays.  The zeroeth element is a
-  # randomly generated variable name, the first is a piece of the string
-  # contained in +quote+s.
-  #
-  # See #escape_length
-  #
-  def safe_split(str, quote)
-    parts = []
-    max_len = str.length / 2
-    while str.length > 0
-      len = 0
-      loop do
-        e_len = escape_length(str[len..-1])
-        e_len = 1 if e_len.nil?
-        len += e_len
-        # if we've reached the end of the string, bail
-        break unless str[len]
-        break if len > max_len
-        # randomize the length of each part
-        break if (rand(4) == 0)
-      end
-
-      part = str.slice!(0, len)
-
-      var = Rex::Text.rand_text_alpha(4)
-      parts.push( [ var, "#{quote}#{part}#{quote}" ] )
-    end
-
-    parts
-  end
-
-  #
-  # Stolen from obfuscatejs.rb
-  #
-  # Determines the length of an escape sequence
-  #
-  def escape_length(str)
-    esc_len = nil
-    if str[0,1] == "\\"
-      case str[1,1]
-      when "u"; esc_len = 6     # unicode \u1234
-      when "x"; esc_len = 4     # hex, \x41
-      when /[0-7]/              # octal, \123, \0
-        str[1,3] =~ /([0-7]{1,3})/
-        if $1.to_i(8) > 255
-          str[1,3] =~ /([0-7]{1,2})/
-        end
-        esc_len = 1 + $1.length
-      else; esc_len = 2         # \" \n, etc.
-      end
-    end
-    esc_len
-  end
-
-  #
-  # Split a javascript string, +str+, into multiple randomly-ordered parts
-  # and return an anonymous javascript function that joins them in the
-  # correct order.  This method can be called safely on strings containing
-  # escape sequences.  See #safe_split.
-  #
-  def transform_string_split_concat(str, quote)
-    parts = safe_split(str, quote)
-    func = "(function () { var "
-    ret = "; return "
-    parts.sort { |a,b| rand }.each do |part|
-      func << "#{part[0]}=#{part[1]},"
-    end
-    func.chop!
-
-    ret  << parts.map{|part| part[0]}.join("+")
-    final = func + ret + " })()"
-
-    final
-  end
-
-
-  # TODO
-  #def transform_string_unescape(str)
-  #	str
-  #end
-
-  #
-  # Return a call to String.fromCharCode() with each char of the input as arguments
-  #
-  # Example:
-  #   input : "A\n"
-  #   output: String.fromCharCode(0x41, 10)
-  #
-  def transform_string_fromCharCode(str)
-    buf = "String.fromCharCode("
-    bytes = str.unpack("C*")
-    len = 0
-    while str.length > 0
-      if str[0,1] == "\\"
-        str.slice!(0,1)
-        # then this is an escape sequence and we need to deal with all
-        # the special cases
-        case str[0,1]
-        # For chars that contain their non-escaped selves, step past
-        # the backslash and let the rand_base() below decide how to
-        # represent the character.
-        when '"', "'", "\\", " "
-          char = str.slice!(0,1).unpack("C").first
-        # For symbolic escapes, use the known value
-        when "n"; char = 0x0a; str.slice!(0,1)
-        when "t"; char = 0x09; str.slice!(0,1)
-        # Lastly, if it's a hex, unicode, or octal escape, pull out the
-        # real value and use that
-        when "x"
-          # Strip the x
-          str.slice!(0,1)
-          char = str.slice!(0,2).to_i 16
-        when "u"
-          # This can potentially lose information in the case of
-          # characters like \u0041, but since regular ascii is stored
-          # as unicode internally, String.fromCharCode(0x41) will be
-          # represented as 00 41 in memory anyway, so it shouldn't
-          # matter.
-          str.slice!(0,1)
-          char = str.slice!(0,4).to_i 16
-        when /[0-7]/
-          # Octals are a bit harder since they are variable width and
-          # don't necessarily mean what you might think. For example,
-          # "\61" == "1" and "\610" == "10".  610 is a valid octal
-          # number, but not a valid ascii character.  Javascript will
-          # interpreter as much as it can as a char and use the rest
-          # as a literal.  Boo.
-          str =~ /([0-7]{1,3})/
-          char = $1.to_i 8
-          if char > 255
-            str =~ /([0-7]{1,2})/
-            char = $1.to_i 8
-          end
-          str.slice!(0,$1.length)
-        end
-      else
-        char = str.slice!(0,1).unpack("C").first
-      end
-      buf << "#{rand_base(char)},"
-    end
-    # Strip off the last comma
-    buf = buf[0,buf.length-1] + ")"
-    transformed = buf
-
-    transformed
-  end
-
+class JSObfu < ::JSObfu
 
 end
-end
-end
-
-
-=begin
-if __FILE__ == $0
-  if ARGV[0]
-    code = File.read(ARGV[0])
-  else
-    #require 'rex/exploitation/javascriptosdetect'
-    #code = Rex::Exploitation::JavascriptOSDetect.new.to_s
-    code = <<-EOS
-      // Should alert "0123456789"
-      var a = "0\\612\\063\\x34\\x35\\x36\\x37\\x38\\u0039";
-      var a,b=2,c=3;
-      alert(a);
-      // should alert "asdfjkl;"
-      var d = (function() { var foo = "jkl;", blah = "asdf"; return blah + foo; })();
-      alert(d);
-    EOS
-  end
-  js = Rex::Exploitation::JSObfu.new(code)
-  js.obfuscate
-  puts js.to_s
 
 end
-
-=end
+end

data/lib/rex/image_source/image_source.rb

@@ -29,8 +29,12 @@ class ImageSource
     # FIXME, make me better
     string = ''
     loop do
-      char = read(offset, 1)
-      break if char == "\x00"
+      begin
+        char = read(offset, 1)
+      rescue RangeError
+        break
+      end
+      break if char.nil? || char == "\x00"
       offset += 1
       string << char
     end

data/lib/rex/mime/header.rb

@@ -25,8 +25,9 @@ class Header
         next
       end
 
-      var,val = line.split(':')
-      next if not val
+      var, val = line.split(':', 2)
+      next if val.nil?
+
       self.headers << [ var.to_s.strip, val.to_s.strip ]
       prev = self.headers.length - 1
     end

data/lib/rex/mime/message.rb

@@ -24,9 +24,8 @@ class Message
       self.header.parse(head)
       ctype = self.header.find('Content-Type')
 
-      if ctype and ctype[1] and ctype[1] =~ /multipart\/mixed;\s*boundary=([^\s]+)/
+      if ctype and ctype[1] and ctype[1] =~ /multipart\/mixed;\s*boundary="?([A-Za-z0-9'\(\)\+\_,\-\.\/:=\?^\s]+)"?/
         self.bound = $1
-
         chunks = body.to_s.split(/--#{self.bound}(--)?\r?\n/)
         self.content = chunks.shift.to_s.gsub(/\s+$/, '')
         self.content << "\r\n" if not self.content.empty?

data/lib/rex/parser/nexpose_raw_nokogiri.rb

@@ -504,7 +504,7 @@ module Rex
         }
       }
       note[:data][:vendor] = @report_data[:os]["os_vendor"] if @report_data[:os]["os_vendor"]
-      note[:data][:product] = @report_data[:os]["os_product"] if @report_data[:os]["os_prduct"]
+      note[:data][:product] = @report_data[:os]["os_product"] if @report_data[:os]["os_product"]
       note[:data][:version] = @report_data[:os]["os_version"] if @report_data[:os]["os_version"]
       note[:data][:arch] = @report_data[:os]["os_arch"] if @report_data[:os]["os_arch"]
       db_report(:note, note)

data/lib/rex/post/meterpreter/client.rb

@@ -248,7 +248,7 @@ class Client
     cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
     cert.sign(key, OpenSSL::Digest::SHA1.new)
 
-    ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
+    ctx = OpenSSL::SSL::SSLContext.new
     ctx.key = key
     ctx.cert = cert
 

data/lib/rex/proto/dhcp/constants.rb

@@ -19,8 +19,10 @@ OpDHCPServer = 0x36
 OpLeaseTime = 0x33
 OpSubnetMask = 1
 OpRouter = 3
+OpDomainName = 15
 OpDns = 6
 OpHostname = 0x0c
+OpURL = 0x72
 OpEnd = 0xff
 
 PXEMagic = "\xF1\x00\x74\x7E"

data/lib/rex/proto/dhcp/server.rb

@@ -94,6 +94,9 @@ class Server
     self.pxealtconfigfile = "update0"
     self.pxepathprefix = ""
     self.pxereboottime = 2000
+
+    self.domain_name = hash['DOMAINNAME'] || nil
+    self.url = hash['URL'] if hash.include?('URL')
   end
 
   def report(&block)
@@ -126,7 +129,7 @@ class Server
     allowed_options = [
       :serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
       :pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
-      :give_hostname, :served_hostname, :served_over, :serveOnlyPXE
+      :give_hostname, :served_hostname, :served_over, :serveOnlyPXE, :domain_name, :url
     ]
 
     opts.each_pair { |k,v|
@@ -151,10 +154,11 @@ class Server
   end
 
   attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
+  attr_accessor :domain_name
   attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
   attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
   attr_accessor :servePXE, :pxeconfigfile, :pxealtconfigfile, :pxepathprefix, :pxereboottime, :serveOnlyPXE
-  attr_accessor :give_hostname, :served_hostname, :served_over, :reporter
+  attr_accessor :give_hostname, :served_hostname, :served_over, :reporter, :url
 
 protected
 
@@ -166,7 +170,7 @@ protected
       wds = []
       eds = [@sock]
 
-      r,w,e = ::IO.select(rds,wds,eds,1)
+      r,_,_ = ::IO.select(rds,wds,eds,1)
 
       if (r != nil and r[0] == self.sock)
         buf,host,port = self.sock.recvfrom(65535)
@@ -198,19 +202,19 @@ protected
     end
 
     # parse out the members
-    hwtype = buf[1,1]
+    _hwtype = buf[1,1]
     hwlen = buf[2,1].unpack("C").first
-    hops = buf[3,1]
-    txid = buf[4..7]
-    elapsed = buf[8..9]
-    flags = buf[10..11]
+    _hops = buf[3,1]
+    _txid = buf[4..7]
+    _elapsed = buf[8..9]
+    _flags = buf[10..11]
     clientip = buf[12..15]
-    givenip = buf[16..19]
-    nextip = buf[20..23]
-    relayip = buf[24..27]
-    clienthwaddr = buf[28..(27+hwlen)]
+    _givenip = buf[16..19]
+    _nextip = buf[20..23]
+    _relayip = buf[24..27]
+    _clienthwaddr = buf[28..(27+hwlen)]
     servhostname = buf[44..107]
-    filename = buf[108..235]
+    _filename = buf[108..235]
     magic = buf[236..239]
 
     if (magic != DHCPMagic)
@@ -293,6 +297,8 @@ protected
     pkt << dhcpoption(OpSubnetMask, self.netmaskn)
     pkt << dhcpoption(OpRouter, self.router)
     pkt << dhcpoption(OpDns, self.dnsserv)
+    pkt << dhcpoption(OpDomainName, self.domain_name)
+
     if self.servePXE  # PXE options
       pkt << dhcpoption(OpPXEMagic, PXEMagic)
       # We already got this one, serve localboot file
@@ -317,6 +323,7 @@ protected
         pkt << dhcpoption(OpHostname, send_hostname)
       end
     end
+    pkt << dhcpoption(OpURL, self.url) if self.url
     pkt << dhcpoption(OpEnd)
 
     pkt << ("\x00" * 32) #padding

data/lib/rex/proto/http/handler/proc.rb

@@ -36,7 +36,7 @@ class Handler::Proc < Handler
   def on_request(cli, req)
     begin
       procedure.call(cli, req)
-    rescue Errno::EPIPE
+    rescue Errno::EPIPE, ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED
       elog("Proc::on_request: Client closed connection prematurely", LogSource)
     rescue
       elog("Proc::on_request: #{$!.class}: #{$!}\n\n#{$@.join("\n")}", LogSource)

data/lib/rex/proto/http/packet.rb

@@ -32,7 +32,7 @@ class Packet
     Completed        = 3
   end
 
-  require 'rex/proto/http/header'
+  require 'rex/proto/http/packet/header'
 
   #
   # Initializes an instance of an HTTP packet.

data/lib/rex/socket/parameters.rb

@@ -56,7 +56,7 @@ class Rex::Socket::Parameters
   # @option hash [Bool] 'Bool' Create a bare socket
   # @option hash [Bool] 'Server' Whether or not this should be a server
   # @option hash [Bool] 'SSL' Whether or not SSL should be used
-  # @option hash [String] 'SSLVersion' Specify SSL2, SSL3, or TLS1 (SSL3 is
+  # @option hash [String] 'SSLVersion' Specify Auto, SSL2, SSL3, or TLS1 (Auto is
   #   default)
   # @option hash [String] 'SSLCert' A file containing an SSL certificate (for
   #   server sockets)
@@ -117,7 +117,7 @@ class Rex::Socket::Parameters
       self.ssl = false
     end
 
-    supported_ssl_versions = ['SSL2', 'SSL23', 'TLS1', 'SSL3', :SSLv2, :SSLv3, :SSLv23, :TLSv1]
+    supported_ssl_versions = ['Auto', 'SSL2', 'SSL23', 'TLS1', 'SSL3', :Auto, :SSLv2, :SSLv3, :SSLv23, :TLSv1]
     if (hash['SSLVersion'] and supported_ssl_versions.include? hash['SSLVersion'])
       self.ssl_version = hash['SSLVersion']
     end
@@ -324,7 +324,7 @@ class Rex::Socket::Parameters
   # @return [Bool]
   attr_accessor :ssl
 
-  # What version of SSL to use (SSL2, SSL3, SSL23, TLS1)
+  # What version of SSL to use (Auto, SSL2, SSL3, SSL23, TLS1)
   # @return [String,Symbol]
   attr_accessor :ssl_version
 

data/lib/rex/socket/ssl_tcp.rb

@@ -56,18 +56,55 @@ begin
   def initsock(params = nil)
     super
 
-    version = :SSLv3
-    if(params)
+    # The autonegotiation preference for SSL/TLS versions
+    versions = [:TLSv1, :SSLv3, :SSLv23, :SSLv2]
+
+    # Limit this to a specific SSL/TLS version if specified
+    if params
       case params.ssl_version
       when 'SSL2', :SSLv2
-        version = :SSLv2
+        versions = [:SSLv2]
       when 'SSL23', :SSLv23
-        version = :SSLv23
+        versions = [:SSLv23]
+      when 'SSL3', :SSLv3
+        versions = [:SSLv3]
       when 'TLS1', :TLSv1
-        version = :TLSv1
+        versions = [:TLSv1]
+      else
+        # Leave the version list as-is (Auto)
       end
     end
 
+    # Limit our versions to those supported by the linked OpenSSL library
+    versions = versions.select {|v| OpenSSL::SSL::SSLContext::METHODS.include? v }
+
+    # Raise an error if no selected versions are supported
+    if versions.length == 0
+      raise ArgumentError, 'The system OpenSSL does not support the requested SSL/TLS version'
+    end
+
+    last_error = nil
+
+    # Iterate through SSL/TLS versions until we successfully negotiate
+    versions.each do |version|
+      begin
+        # Try intializing the socket with this SSL/TLS version
+        # This will throw an exception if it fails
+        initsock_with_ssl_version(params, version)
+
+        # Success! Record what method was used and return
+        self.ssl_negotiated_version = version
+        return
+      rescue OpenSSL::SSL::SSLError => e
+        last_error = e
+      end
+    end
+
+    # No SSL/TLS versions succeeded, raise the last error
+    raise last_error
+  end
+
+  def initsock_with_ssl_version(params, version)
     # Build the SSL connection
     self.sslctx  = OpenSSL::SSL::SSLContext.new(version)
 
@@ -84,7 +121,9 @@ begin
       # Could also do this as graceful faildown in case a passed verify_mode is not supported
       self.sslctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
     end
+
     self.sslctx.options = OpenSSL::SSL::OP_ALL
+
     if params.ssl_cipher
       self.sslctx.ciphers = params.ssl_cipher
     end
@@ -101,7 +140,6 @@ begin
     # XXX - enabling this causes infinite recursion, so disable for now
     # self.sslsock.sync_close = true
 
-
     # Force a negotiation timeout
     begin
     Timeout.timeout(params.timeout) do
@@ -327,11 +365,13 @@ begin
   end
 
   attr_reader :peer_verified # :nodoc:
+  attr_reader :ssl_negotiated_version # :nodoc:
   attr_accessor :sslsock, :sslctx # :nodoc:
 
 protected
 
   attr_writer :peer_verified # :nodoc:
+  attr_writer :ssl_negotiated_version # :nodoc:
 
 
 rescue LoadError

data/rex.gemspec

@@ -1,7 +1,7 @@
 # encoding: utf-8
 
 APP_NAME = "rex"
-VERSION  = "2.0.3"
+VERSION  = "2.0.4"
 
 Gem::Specification.new do |s|
   s.name                  = APP_NAME

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rex
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.4
 platform: ruby
 authors:
 - HD Moore
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-09-07 00:00:00.000000000 Z
+date: 2014-10-15 00:00:00.000000000 Z
 dependencies: []
 description: Rex provides a variety of classes useful for security testing and exploit
   development.
@@ -371,8 +371,8 @@ files:
 - lib/rex/proto/http/handler.rb
 - lib/rex/proto/http/handler/erb.rb
 - lib/rex/proto/http/handler/proc.rb
-- lib/rex/proto/http/header.rb
 - lib/rex/proto/http/packet.rb
+- lib/rex/proto/http/packet/header.rb
 - lib/rex/proto/http/request.rb
 - lib/rex/proto/http/response.rb
 - lib/rex/proto/http/server.rb
@@ -521,12 +521,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []