rex 2.0.4 → 2.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 79a1308c4fbc5e37cc531c402b45228f0480314a
-  data.tar.gz: 55b5f247534fdac3322b929d4c46e4846c9ec9bb
+  metadata.gz: 31837db98ac01dead4073a5d9785ee8c3885772a
+  data.tar.gz: 0976f856604fdeee60805d11fe36faeee0e4656b
 SHA512:
-  metadata.gz: 49e7741c0bc14e27943de1291b38e69300173bdffd3a1598372d5db5d1338040201ef011e67680bf42ba611948dd18cc5ad0627388a80d1079ef58c80088bd3e
-  data.tar.gz: 10161b1c288d4c7aab84399ad7f66048ef276d7225b4a701b8ac8eac784ada87786499137dad1fed0f652c4dea529b65c7678f7e2b0b958be5e29dc232da480b
+  metadata.gz: f35c3bb765efa30161a507f41e8e1016296bacb8bb8b80eb0220c8cfc18092957f479f3ea17b1994fc4e38e58e60eed8bcb3e545f6a3f62cebe54a44afca9099
+  data.tar.gz: 89e3d3600fd209b95a8bf231df5d4ab8d839ca6b1b8e1178e23b676cddf1d1afd7461985c2689b54d71d437fb3839e12497c9f7bde7b5f1f9a59a1655fda82ed

data/lib/rex/arch/x86.rb

@@ -520,6 +520,22 @@ module X86
     return nil
   end
 
+  #
+  # Parse a list of registers as a space or command delimited
+  # string and return the internal register IDs as an array
+  #
+  def self.register_names_to_ids(str)
+    register_ids = []
+    str.to_s.strip.split(/[,\s]/).
+      map    {|reg| reg.to_s.strip.upcase }.
+      select {|reg| reg.length > 0        }.
+      uniq.each do |reg|
+        next unless self.const_defined?(reg.intern)
+        register_ids << self.const_get(reg.intern)
+      end
+    register_ids
+  end
+
 end
 
 end end

data/lib/rex/constants.rb

@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+
 #
 # Log severities
 #

data/lib/rex/constants/windows.rb

@@ -0,0 +1,147 @@
+module Rex::Constants
+module Windows
+
+  ##
+  #
+  # Access Types
+  # winnt.h
+  #
+  ##
+
+  STANDARD_RIGHTS_REQUIRED = 0x000F0000
+
+  ##
+  #
+  # Errors
+  #
+  ##
+
+  ERROR_SUCCESS = 0x0
+  ERROR_FILE_NOT_FOUND = 0x2
+  ERROR_ACCESS_DENIED = 0x5
+  ERROR_SERVICE_REQUEST_TIMEOUT = 0x41D
+  ERROR_SERVICE_EXISTS = 0x431
+
+  ##
+  #
+  # SVCCTL Protocol Functions
+  # http://msdn.microsoft.com/en-us/library/cc245920.aspxa
+  #
+  ##
+
+  CLOSE_SERVICE_HANDLE = 0x00
+  CONTROL_SERVICE = 0x01
+  DELETE_SERVICE = 0x02
+  QUERY_SERVICE_STATUS = 0x05
+  CHANGE_SERVICE_CONFIG_W = 0x0b
+  CREATE_SERVICE_W = 0x0c
+  OPEN_SC_MANAGER_W = 0x0f
+  OPEN_SERVICE_W = 0x10
+  CHANGE_SERVICE_CONFIG2_W = 0x25
+
+  ##
+  #
+  # Services
+  # winsvc.h
+  ##
+
+  SERVICE_WIN32_OWN_PROCESS = 0x10
+  SERVICE_INTERACTIVE_PROCESS = 0x100
+
+  SERVICE_BOOT_START = 0x00
+  SERVICE_SYSTEM_START = 0x01
+  SERVICE_AUTO_START = 0x02
+  SERVICE_DEMAND_START = 0x03
+  SERVICE_DISABLED = 0x04
+
+  SERVICE_ERROR_IGNORE = 0x0
+
+  SERVICE_NO_CHANGE =            0xffffffff
+  SERVICE_ACTIVE =               0x00000001
+  SERVICE_INACTIVE =             0x00000002
+  SERVICE_STATE_ALL =            (SERVICE_ACTIVE   |
+                                  SERVICE_INACTIVE)
+  SERVICE_CONTROL_STOP =                 0x00000001
+  SERVICE_CONTROL_PAUSE =                0x00000002
+  SERVICE_CONTROL_CONTINUE =             0x00000003
+  SERVICE_CONTROL_INTERROGATE =          0x00000004
+  SERVICE_CONTROL_SHUTDOWN =             0x00000005
+  SERVICE_CONTROL_PARAMCHANGE =          0x00000006
+  SERVICE_CONTROL_NETBINDADD =           0x00000007
+  SERVICE_CONTROL_NETBINDREMOVE =        0x00000008
+  SERVICE_CONTROL_NETBINDENABLE =        0x00000009
+  SERVICE_CONTROL_NETBINDDISABLE =       0x0000000A
+  SERVICE_CONTROL_DEVICEEVENT =          0x0000000B
+  SERVICE_CONTROL_HARDWAREPROFILECHANGE =0x0000000C
+  SERVICE_CONTROL_POWEREVENT =           0x0000000D
+  SERVICE_CONTROL_SESSIONCHANGE =        0x0000000E
+  SERVICE_CONTROL_PRESHUTDOWN =          0x0000000F
+  SERVICE_CONTROL_TIMECHANGE =           0x00000010
+  SERVICE_CONTROL_TRIGGEREVENT =         0x00000020
+  SERVICE_STOPPED =                      0x00000001
+  SERVICE_START_PENDING =                0x00000002
+  SERVICE_STOP_PENDING =                 0x00000003
+  SERVICE_RUNNING =                      0x00000004
+  SERVICE_CONTINUE_PENDING =             0x00000005
+  SERVICE_PAUSE_PENDING =                0x00000006
+  SERVICE_PAUSED =                       0x00000007
+  SERVICE_ACCEPT_STOP =                  0x00000001
+  SERVICE_ACCEPT_PAUSE_CONTINUE =        0x00000002
+  SERVICE_ACCEPT_SHUTDOWN =              0x00000004
+  SERVICE_ACCEPT_PARAMCHANGE =           0x00000008
+  SERVICE_ACCEPT_NETBINDCHANGE =         0x00000010
+  SERVICE_ACCEPT_HARDWAREPROFILECHANGE = 0x00000020
+  SERVICE_ACCEPT_POWEREVENT =            0x00000040
+  SERVICE_ACCEPT_SESSIONCHANGE =         0x00000080
+  SERVICE_ACCEPT_PRESHUTDOWN =           0x00000100
+  SERVICE_ACCEPT_TIMECHANGE =            0x00000200
+  SERVICE_ACCEPT_TRIGGEREVENT =          0x00000400
+  SC_MANAGER_CONNECT =            0x0001
+  SC_MANAGER_CREATE_SERVICE =     0x0002
+  SC_MANAGER_ENUMERATE_SERVICE =  0x0004
+  SC_MANAGER_LOCK =               0x0008
+  SC_MANAGER_QUERY_LOCK_STATUS =  0x0010
+  SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020
+
+  SC_MANAGER_ALL_ACCESS =        (STANDARD_RIGHTS_REQUIRED      |
+                                          SC_MANAGER_CONNECT            |
+                                          SC_MANAGER_CREATE_SERVICE     |
+                                          SC_MANAGER_ENUMERATE_SERVICE  |
+                                          SC_MANAGER_LOCK               |
+                                          SC_MANAGER_QUERY_LOCK_STATUS  |
+                                          SC_MANAGER_MODIFY_BOOT_CONFIG)
+
+  SERVICE_QUERY_CONFIG =         0x0001
+  SERVICE_CHANGE_CONFIG =        0x0002
+  SERVICE_QUERY_STATUS =         0x0004
+  SERVICE_ENUMERATE_DEPENDENTS = 0x0008
+  SERVICE_START =                0x0010
+  SERVICE_STOP =                 0x0020
+  SERVICE_PAUSE_CONTINUE =       0x0040
+  SERVICE_INTERROGATE =          0x0080
+  SERVICE_USER_DEFINED_CONTROL = 0x0100
+  SERVICE_ALL_ACCESS =           (STANDARD_RIGHTS_REQUIRED     | \
+                                          SERVICE_QUERY_CONFIG         | \
+                                          SERVICE_CHANGE_CONFIG        | \
+                                          SERVICE_QUERY_STATUS         | \
+                                          SERVICE_ENUMERATE_DEPENDENTS | \
+                                          SERVICE_START                | \
+                                          SERVICE_STOP                 | \
+                                          SERVICE_PAUSE_CONTINUE       | \
+                                          SERVICE_INTERROGATE          | \
+                                          SERVICE_USER_DEFINED_CONTROL)
+
+  SERVICE_RUNS_IN_SYSTEM_PROCESS =  0x00000001
+  SERVICE_CONFIG_DESCRIPTION =              1
+  SERVICE_CONFIG_FAILURE_ACTIONS =          2
+  SERVICE_CONFIG_DELAYED_AUTO_START_INFO =  3
+  SERVICE_CONFIG_FAILURE_ACTIONS_FLAG =     4
+  SERVICE_CONFIG_SERVICE_SID_INFO =         5
+  SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO = 6
+  SERVICE_CONFIG_PRESHUTDOWN_INFO =         7
+  SERVICE_CONFIG_TRIGGER_INFO =             8
+  SERVICE_CONFIG_PREFERRED_NODE =           9
+  SERVICE_CONFIG_LAUNCH_PROTECTED =         12
+
+end
+end

data/lib/rex/encoder/xdr.rb

@@ -16,8 +16,9 @@ module XDR
   end
 
   def XDR.decode_int!(data)
-      return data.slice!(0..3).unpack('N')[0] if data
-      data = 0
+    raise ArgumentError, 'XDR: No Integer data to decode' unless data
+    raise ArgumentError, "XDR: Too little data to decode (#{data.size})" if data.size < 4
+    return data.slice!(0..3).unpack('N')[0]
   end
 
   def XDR.encode_lchar(char)

data/lib/rex/exceptions.rb

@@ -213,25 +213,57 @@ class ConnectionTimeout < ConnectionError
   end
 end
 
+###
+#
+# This connection error is raised when an attempt is made to connect
+# to a broadcast or network address.
+#
+###
+class InvalidDestination < ConnectionError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The destination is invalid: #{addr_to_s}."
+  end
+end
 
 ###
 #
 # This exception is raised when an attempt to use an address or port that is
-# already in use occurs, such as binding to a host on a given port that is
-# already in use.  Note that Windows raises this in some cases when attempting
-# to connect to addresses that it can't handle, e.g. "0.0.0.0".  Thus, this is
-# a ConnectionError.
+# already in use or onot available occurs. such as binding to a host on a
+# given port that is already in use, or when a bind address is specified that
+# is not available to the host.
 #
 ###
+class BindFailed < ::ArgumentError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The address is already in use or unavailable: #{addr_to_s}."
+  end
+end
+
+##
+#
+# This exception is listed for backwards compatibility. We had been
+# using AddressInUse as the exception for both bind errors and connection
+# errors triggered by connection attempts to broadcast and network addresses.
+# The two classes above have split this into their respective sources, but
+# callers may still expect the old behavior.
+#
+##
 class AddressInUse < ConnectionError
   include SocketError
   include HostCommunicationError
 
   def to_s
-    "The address is already in use #{addr_to_s}."
+    "The address is already in use or unavailable: #{addr_to_s}."
   end
 end
 
+
 ###
 #
 # This exception is raised when an unsupported internet protocol is specified.

data/lib/rex/exploitation/cmdstager/bourne.rb

@@ -85,7 +85,15 @@ class CmdStagerBourne < CmdStagerBase
   def compress_commands(cmds, opts)
     # Make it all happen
     cmds << "chmod +x #{@tempdir}#{@var_decoded}.bin"
-    cmds << "#{@tempdir}#{@var_decoded}.bin"
+    # Background the process, allowing the cleanup code to continue and delete the data
+    # while allowing the original shell to continue to function since it isn't waiting
+    # on the payload to exit.  The 'sleep' is required as '&' is a command terminator
+    # and having & and the cmds delimiter ';' next to each other is invalid.
+    if opts[:background]
+      cmds << "#{@tempdir}#{@var_decoded}.bin & sleep 2"
+    else
+      cmds << "#{@tempdir}#{@var_decoded}.bin"
+    end
 
     # Clean up after unless requested not to..
     if (not opts[:nodelete])

data/lib/rex/exploitation/cmdstager/tftp.rb

@@ -31,14 +31,14 @@ class CmdStagerTFTP < CmdStagerBase
   end
 
   def setup(mod)
-    tftp = Rex::Proto::TFTP::Server.new
-    tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
-    tftp.start
-    mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
+    self.tftp = Rex::Proto::TFTP::Server.new
+    self.tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
+    self.tftp.start
+    mod.add_socket(self.tftp) # Hating myself for doing it... but it's just a first demo
   end
 
   def teardown(mod = nil)
-    tftp.stop
+    self.tftp.stop
   end
 
   #

data/lib/rex/java.rb

@@ -0,0 +1,3 @@
+# -*- coding: binary -*-
+
+require 'rex/java/serialization'

data/lib/rex/java/serialization.rb

@@ -0,0 +1,54 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Java
+    # Include constants defining terminal and constant
+    # values expected in a stream.
+    module Serialization
+      STREAM_MAGIC = 0xaced
+      STREAM_VERSION = 5
+      TC_NULL = 0x70
+      TC_REFERENCE = 0x71
+      TC_CLASSDESC = 0x72
+      TC_OBJECT = 0x73
+      TC_STRING = 0x74
+      TC_ARRAY = 0x75
+      TC_CLASS = 0x76
+      TC_BLOCKDATA = 0x77
+      TC_ENDBLOCKDATA = 0x78
+      TC_RESET = 0x79
+      TC_BLOCKDATALONG = 0x7A
+      TC_EXCEPTION = 0x7B
+      TC_LONGSTRING =  0x7C
+      TC_PROXYCLASSDESC =  0x7D
+      TC_ENUM =  0x7E
+      BASE_WIRE_HANDLE = 0x7E0000
+
+      SC_WRITE_METHOD = 0x01 # if SC_SERIALIZABLE
+      SC_BLOCK_DATA = 0x08   # if SC_EXTERNALIZABLE
+      SC_SERIALIZABLE = 0x02
+      SC_EXTERNALIZABLE = 0x04
+      SC_ENUM = 0x10
+
+      PRIMITIVE_TYPE_CODES = {
+        'B' => 'byte',
+        'C' => 'char',
+        'D' => 'double',
+        'F' => 'float',
+        'I' => 'int',
+        'J' => 'long',
+        'S' => 'short',
+        'Z' => 'boolean'
+      }
+
+      OBJECT_TYPE_CODES = {
+        '[' => 'array',
+        'L' => 'object'
+      }
+
+      TYPE_CODES = PRIMITIVE_TYPE_CODES.merge(OBJECT_TYPE_CODES)
+    end
+  end
+end
+
+require 'rex/java/serialization/model'

data/lib/rex/java/serialization/model.rb

@@ -0,0 +1,20 @@
+# -*- coding: binary -*-
+
+require 'rex/java/serialization/model/element'
+require 'rex/java/serialization/model/null_reference'
+require 'rex/java/serialization/model/reference'
+require 'rex/java/serialization/model/reset'
+require 'rex/java/serialization/model/utf'
+require 'rex/java/serialization/model/long_utf'
+require 'rex/java/serialization/model/block_data'
+require 'rex/java/serialization/model/block_data_long'
+require 'rex/java/serialization/model/end_block_data'
+require 'rex/java/serialization/model/contents'
+require 'rex/java/serialization/model/new_enum'
+require 'rex/java/serialization/model/field'
+require 'rex/java/serialization/model/new_array'
+require 'rex/java/serialization/model/annotation'
+require 'rex/java/serialization/model/class_desc'
+require 'rex/java/serialization/model/new_class_desc'
+require 'rex/java/serialization/model/new_object'
+require 'rex/java/serialization/model/stream'

data/lib/rex/java/serialization/model/annotation.rb

@@ -0,0 +1,69 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Java
+    module Serialization
+      module Model
+        # This class provides an annotation representation. It's used for both class
+        # annotations (classAnnotation) and object annotations (objectAnnotation).
+        class Annotation < Element
+
+          include Rex::Java::Serialization::Model::Contents
+
+          # @!attribute contents
+          #   @return [Array] The annotation contents
+          attr_accessor :contents
+
+          # @param stream [Rex::Java::Serialization::Model::Stream] the stream where it belongs to
+          def initialize(stream = nil)
+            super(stream)
+            self.contents = []
+          end
+
+          # Deserializes a Rex::Java::Serialization::Model::Annotation
+          #
+          # @param io [IO] the io to read from
+          # @return [self] if deserialization succeeds
+          # @raise [RuntimeError] if deserialization doesn't succeed
+          def decode(io)
+            loop do
+              content = decode_content(io, stream)
+              self.contents << content
+              return self if content.class == EndBlockData
+            end
+
+            self
+          end
+
+          # Serializes the Rex::Java::Serialization::Model::Annotation
+          #
+          # @return [String] if serialization suceeds
+          # @raise [RuntimeError] if serialization doesn't succeed
+          def encode
+            raise ::RuntimeError, 'Failed to serialize Annotation with empty contents' if contents.empty?
+
+            encoded = ''
+
+            contents.each do |content|
+              encoded << encode_content(content)
+            end
+
+            encoded
+          end
+
+          # Creates a print-friendly string representation
+          #
+          # @return [String]
+          def to_s
+            str = '[ '
+            contents_data = contents.collect {|content| "#{print_content(content)}"}
+            str << contents_data.join(', ')
+            str << ' ]'
+            str
+          end
+
+        end
+      end
+    end
+  end
+end