811 lines
17 KiB
Ruby
811 lines
17 KiB
Ruby
require 'rexml/rexml'
|
|
require 'rexml/source'
|
|
require 'rexml/document'
|
|
require 'rexml/parsers/treeparser'
|
|
require 'rex/proto/http'
|
|
require 'uri'
|
|
|
|
module Rex
|
|
module Exploitation
|
|
module OpcodeDb
|
|
|
|
module OpcodeResult # :nodoc:
|
|
def initialize(hash)
|
|
@hash = hash
|
|
end
|
|
attr_reader :hash
|
|
end
|
|
|
|
###
|
|
#
|
|
# A cachable entry.
|
|
#
|
|
###
|
|
module Cachable
|
|
|
|
def create(hash) # :nodoc:
|
|
@Cache = {} unless (@Cache)
|
|
if (hash_key(hash) and @Cache[hash_key(hash)])
|
|
@Cache[hash_key(hash)]
|
|
else
|
|
@Cache[hash_key(hash)] = self.new(hash)
|
|
end
|
|
end
|
|
|
|
def hash_key(hash) # :nodoc:
|
|
hash['id'] || nil
|
|
end
|
|
|
|
def flush_cache # :nodoc:
|
|
@Cache.clear
|
|
end
|
|
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class provides a general interface to items that come from that opcode
|
|
# database that have a symbolic entry identifier and name.
|
|
#
|
|
###
|
|
module DbEntry
|
|
include OpcodeResult
|
|
|
|
def initialize(hash)
|
|
super
|
|
|
|
@id = hash['id'].to_i
|
|
@name = hash['name']
|
|
end
|
|
|
|
#
|
|
# Fields that could possibly be filtered on for this database entry.
|
|
#
|
|
def filter_hash
|
|
{
|
|
"id" => id,
|
|
"name" => name
|
|
}
|
|
end
|
|
|
|
#
|
|
# The unique server identifier.
|
|
#
|
|
attr_reader :id
|
|
#
|
|
# The unique name for this entry.
|
|
#
|
|
attr_reader :name
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class represents a particular image module including its name,
|
|
# segments, imports, exports, base address, and so on.
|
|
#
|
|
###
|
|
class ImageModule
|
|
include DbEntry
|
|
|
|
###
|
|
#
|
|
# This class contains information about a module-associated segment.
|
|
#
|
|
###
|
|
class Segment
|
|
def initialize(hash)
|
|
@type = hash['type']
|
|
@base_address = hash['base_address'].to_i
|
|
@size = hash['segment_size'].to_i
|
|
@writable = hash['writable'] == "true" ? true : false
|
|
@readable = hash['readable'] == "true" ? true : false
|
|
@executable = hash['executable'] == "true" ? true : false
|
|
end
|
|
|
|
#
|
|
# The type of the segment, such as ".text".
|
|
#
|
|
attr_reader :type
|
|
#
|
|
# The base address of the segment.
|
|
#
|
|
attr_reader :base_address
|
|
#
|
|
# The size of the segment in bytes.
|
|
#
|
|
attr_reader :size
|
|
#
|
|
# Boolean that indicates whether or not the segment is writable.
|
|
#
|
|
attr_reader :writable
|
|
#
|
|
# Boolean that indicates whether or not the segment is readable.
|
|
#
|
|
attr_reader :readable
|
|
#
|
|
# Boolean that indicates whether or not the segment is executable.
|
|
#
|
|
attr_reader :executable
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class contains information about a module-associated import.
|
|
#
|
|
###
|
|
class Import
|
|
def initialize(hash)
|
|
@name = hash['name']
|
|
@address = hash['address'].to_i
|
|
@ordinal = hash['ordinal'].to_i
|
|
end
|
|
|
|
#
|
|
# The name of the imported function.
|
|
#
|
|
attr_reader :name
|
|
#
|
|
# The address of the function pointer in the IAT.
|
|
#
|
|
attr_reader :address
|
|
#
|
|
# The ordinal of the imported symbol.
|
|
#
|
|
attr_reader :ordinal
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class contains information about a module-associated export.
|
|
#
|
|
###
|
|
class Export
|
|
def initialize(hash)
|
|
@name = hash['name']
|
|
@address = hash['address'].to_i
|
|
@ordinal = hash['ordinal'].to_i
|
|
end
|
|
|
|
#
|
|
# The name of the exported function.
|
|
#
|
|
attr_reader :name
|
|
#
|
|
# The address of the exported function.
|
|
#
|
|
attr_reader :address
|
|
#
|
|
# The ordinal of the exported symbol.
|
|
#
|
|
attr_reader :ordinal
|
|
end
|
|
|
|
class <<self
|
|
include Cachable
|
|
def hash_key(hash) # :nodoc:
|
|
(hash['id'] || '') +
|
|
(hash['segments'] || '').to_s +
|
|
(hash['exports'] || '').to_s +
|
|
(hash['imports'] || '').to_s
|
|
end
|
|
end
|
|
|
|
def initialize(hash)
|
|
super
|
|
|
|
@locale = Locale.create(hash['locale'])
|
|
@maj_maj_ver = hash['maj_maj_ver'].to_i
|
|
@maj_min_ver = hash['maj_min_ver'].to_i
|
|
@min_maj_ver = hash['min_maj_ver'].to_i
|
|
@min_min_ver = hash['min_min_ver'].to_i
|
|
@timestamp = Time.at(hash['timestamp'].to_i)
|
|
@vendor = hash['vendor']
|
|
@base_address = hash['base_address'].to_i
|
|
@image_size = hash['image_size'].to_i
|
|
|
|
@segments = hash['segments'].map { |ent|
|
|
Segment.new(ent)
|
|
} if (hash['segments'])
|
|
@imports = hash['imports'].map { |ent|
|
|
Import.new(ent)
|
|
} if (hash['imports'])
|
|
@exports = hash['exports'].map { |ent|
|
|
Export.new(ent)
|
|
} if (hash['exports'])
|
|
@platforms = hash['platforms'].map { |ent|
|
|
OsVersion.create(ent)
|
|
} if (hash['platforms'])
|
|
|
|
@segments = [] unless(@segments)
|
|
@imports = [] unless(@imports)
|
|
@exports = [] unless(@exports)
|
|
@platforms = [] unless(@platforms)
|
|
end
|
|
|
|
#
|
|
# An instance of a Locale class that is associated with this module.
|
|
#
|
|
attr_reader :locale
|
|
#
|
|
# The module's major major version number (X.x.x.x).
|
|
#
|
|
attr_reader :maj_maj_ver
|
|
#
|
|
# The module's major minor version number (x.X.x.x).
|
|
#
|
|
attr_reader :maj_min_ver
|
|
#
|
|
# The module's minor major version number (x.x.X.x).
|
|
#
|
|
attr_reader :min_maj_ver
|
|
#
|
|
# The module's minor minor version number (x.x.x.X).
|
|
#
|
|
attr_reader :min_min_ver
|
|
#
|
|
# The timestamp that the image was compiled (as a Time instance).
|
|
#
|
|
attr_reader :timestamp
|
|
#
|
|
# The vendor that created the module.
|
|
#
|
|
attr_reader :vendor
|
|
#
|
|
# The preferred base address at which the module will load.
|
|
#
|
|
attr_reader :base_address
|
|
#
|
|
# The size of the image mapping associated with the module in bytes.
|
|
#
|
|
attr_reader :image_size
|
|
#
|
|
# An array of Segment instances.
|
|
#
|
|
attr_reader :segments
|
|
#
|
|
# An array of Import instances.
|
|
#
|
|
attr_reader :imports
|
|
#
|
|
# An array of Export instances.
|
|
#
|
|
attr_reader :exports
|
|
#
|
|
# An array of OsVersion instances.
|
|
#
|
|
attr_reader :platforms
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class contains information about a specific locale, such as English.
|
|
#
|
|
###
|
|
class Locale
|
|
include DbEntry
|
|
class <<self
|
|
include Cachable
|
|
end
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class contains information about a platform (operating system) version.
|
|
#
|
|
###
|
|
class OsVersion
|
|
include DbEntry
|
|
|
|
class <<self
|
|
include Cachable
|
|
def hash_key(hash)
|
|
hash['id'] + (hash['modules'] || '')
|
|
end
|
|
end
|
|
|
|
def initialize(hash)
|
|
super
|
|
|
|
@modules = (hash['modules']) ? hash['modules'].to_i : 0
|
|
@desc = hash['desc']
|
|
@arch = hash['arch']
|
|
@maj_ver = hash['maj_ver'].to_i
|
|
@min_ver = hash['min_ver'].to_i
|
|
@maj_patch_level = hash['maj_patch_level'].to_i
|
|
@min_patch_level = hash['min_patch_level'].to_i
|
|
end
|
|
|
|
#
|
|
# The number of modules that exist in this operating system version.
|
|
#
|
|
attr_reader :modules
|
|
#
|
|
# The operating system version description, such as Windows XP 5.2.0.0
|
|
# (IA32).
|
|
#
|
|
attr_reader :desc
|
|
#
|
|
# The architecture that the operating system version runs on, such as IA32.
|
|
#
|
|
attr_reader :arch
|
|
#
|
|
# The major version of the operating system version.
|
|
#
|
|
attr_reader :maj_ver
|
|
#
|
|
# The minor version of the operating system version.
|
|
#
|
|
attr_reader :min_ver
|
|
#
|
|
# The major patch level of the operating system version, such as a service
|
|
# pack.
|
|
#
|
|
attr_reader :maj_patch_level
|
|
#
|
|
# The minor patch level of the operating system version.
|
|
#
|
|
attr_reader :min_patch_level
|
|
end
|
|
|
|
###
|
|
#
|
|
# An opcode group (esp => eip).
|
|
#
|
|
###
|
|
class Group
|
|
include DbEntry
|
|
class <<self
|
|
include Cachable
|
|
end
|
|
end
|
|
|
|
###
|
|
#
|
|
# An opcode type (jmp esp).
|
|
#
|
|
###
|
|
class Type
|
|
include DbEntry
|
|
|
|
class <<self
|
|
include Cachable
|
|
end
|
|
|
|
def initialize(hash)
|
|
super
|
|
|
|
@opcodes = (hash['opcodes']) ? hash['opcodes'].to_i : 0
|
|
@meta_type = MetaType.create(hash['meta_type']) if (hash['meta_type'])
|
|
@group = Group.create(hash['group']) if (hash['group'])
|
|
@arch = hash['arch']
|
|
end
|
|
|
|
#
|
|
# The number of opcodes associated with this type, or 0 if this information
|
|
# is not available.
|
|
#
|
|
attr_reader :opcodes
|
|
#
|
|
# An instance of the MetaType to which this opcode type belongs, or nil.
|
|
#
|
|
attr_reader :meta_type
|
|
#
|
|
# An instance of the Group to which this opcode type belongs, or nil.
|
|
#
|
|
attr_reader :group
|
|
#
|
|
# The architecture that this opcode type is associated with.
|
|
#
|
|
attr_reader :arch
|
|
end
|
|
|
|
###
|
|
#
|
|
# An opcode meta type (jmp reg).
|
|
#
|
|
###
|
|
class MetaType
|
|
include DbEntry
|
|
class <<self
|
|
include Cachable
|
|
end
|
|
end
|
|
|
|
###
|
|
#
|
|
# An opcode that has a specific address and is associated with one or more
|
|
# modules.
|
|
#
|
|
###
|
|
class Opcode
|
|
include DbEntry
|
|
|
|
def initialize(hash)
|
|
super
|
|
|
|
@address = hash['address'].to_i
|
|
@type = Type.create(hash['type'])
|
|
@group = @type.group
|
|
@modules = hash['modules'].map { |ent|
|
|
ImageModule.create(ent)
|
|
} if (hash['modules'])
|
|
|
|
@modules = [] unless(@modules)
|
|
end
|
|
|
|
#
|
|
# The address of the opcode.
|
|
#
|
|
attr_reader :address
|
|
#
|
|
# The type of the opcode indicating which instruction is found at the
|
|
# address. This is an instance of the Type class.
|
|
#
|
|
attr_reader :type
|
|
#
|
|
# A Group instance that reflects the group to which the opcode type found
|
|
# at the instance's address belongs.
|
|
#
|
|
attr_reader :group
|
|
#
|
|
# An array of ImageModule instances that show the modules that contain this
|
|
# address.
|
|
#
|
|
attr_reader :modules
|
|
end
|
|
|
|
###
|
|
#
|
|
# Current statistics of the opcode database.
|
|
#
|
|
###
|
|
class Statistics
|
|
def initialize(hash)
|
|
@modules = hash['modules'].to_i
|
|
@opcodes = hash['opcodes'].to_i
|
|
@opcode_types = hash['opcode_types'].to_i
|
|
@platforms = hash['platforms'].to_i
|
|
@architectures = hash['architectures'].to_i
|
|
@module_segments = hash['module_segments'].to_i
|
|
@module_imports = hash['module_imports'].to_i
|
|
@module_exports = hash['module_exports'].to_i
|
|
@last_update = Time.at(hash['last_update'].to_i)
|
|
end
|
|
|
|
#
|
|
# The number of modules found within the opcode database.
|
|
#
|
|
attr_reader :modules
|
|
#
|
|
# The number of opcodes supported by the opcode database.
|
|
#
|
|
attr_reader :opcodes
|
|
#
|
|
# The number of opcode types supported by the database.
|
|
#
|
|
attr_reader :opcode_types
|
|
#
|
|
# The number of platforms supported by the database.
|
|
#
|
|
attr_reader :platforms
|
|
#
|
|
# The number of architectures supported by the database.
|
|
#
|
|
attr_reader :architectures
|
|
#
|
|
# The number of module segments supported by the database.
|
|
#
|
|
attr_reader :module_segments
|
|
#
|
|
# The number of module imports supported by the database.
|
|
#
|
|
attr_reader :module_imports
|
|
#
|
|
# The number of module exports supported by the database.
|
|
#
|
|
attr_reader :module_exports
|
|
#
|
|
# The time at which the last database update occurred.
|
|
#
|
|
attr_reader :last_update
|
|
end
|
|
|
|
###
|
|
#
|
|
# This class implements a client interface to the Metasploit Opcode Database.
|
|
# It is intended to be used as a method of locating reliable return addresses
|
|
# given a set of executable files and a set of usable opcodes.
|
|
#
|
|
###
|
|
class Client
|
|
|
|
DefaultServerHost = "www.metasploit.com"
|
|
DefaultServerPort = 80
|
|
DefaultServerUri = "/users/opcode/msfopcode_server.cgi"
|
|
|
|
#
|
|
# Returns an instance of an initialized client that will use the supplied
|
|
# server values.
|
|
#
|
|
def initialize(host = DefaultServerHost, port = DefaultServerPort, uri = DefaultServerUri)
|
|
self.server_host = host
|
|
self.server_port = port
|
|
self.server_uri = uri
|
|
end
|
|
|
|
#
|
|
# Disables response parsing.
|
|
#
|
|
def disable_parse
|
|
@disable_parse = true
|
|
end
|
|
|
|
#
|
|
# Enables response parsing.
|
|
#
|
|
def enable_parse
|
|
@disable_parse = false
|
|
end
|
|
|
|
#
|
|
# Returns an array of MetaType instances.
|
|
#
|
|
def meta_types
|
|
request('meta_types').map { |ent| MetaType.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of Group instances.
|
|
#
|
|
def groups
|
|
request('groups').map { |ent| Group.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of Type instances. Opcode types are specific opcodes,
|
|
# such as a jmp esp. Optionally, a filter hash can be passed to include
|
|
# extra information in the results.
|
|
#
|
|
# Statistics (Bool)
|
|
#
|
|
# If this hash element is set to true, the number of opcodes currently in
|
|
# the database of this type will be returned.
|
|
#
|
|
def types(filter = {})
|
|
request('types', filter).map { |ent| Type.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of OsVersion instances. OS versions are associated with
|
|
# a particular operating system release (including service packs).
|
|
# Optionally, a filter hash can be passed to limit the number of results
|
|
# returned. If no filter hash is supplied, all results are returned.
|
|
#
|
|
# Names (Array)
|
|
#
|
|
# If this hash element is specified, only the operating systems that
|
|
# contain one or more of the names specified will be returned.
|
|
#
|
|
# Statistics (Bool)
|
|
#
|
|
# If this hash element is set to true, the number of modules associated
|
|
# with this matched operating system versions will be returned.
|
|
#
|
|
def platforms(filter = {})
|
|
request('platforms', filter).map { |ent| OsVersion.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of ImageModule instances. Image modules are
|
|
# version-specific, locale-specific, and operating system version specific
|
|
# image files. Modules have opcodes, segments, imports and exports
|
|
# associated with them. Optionally, a filter hash can be specified to
|
|
# limit the number of results returned from the database. If no filter
|
|
# hash is supplied, all modules will be returned.
|
|
#
|
|
# LocaleNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific locale by name.
|
|
#
|
|
# PlatformNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific platform by
|
|
# name.
|
|
#
|
|
# ModuleNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific module by name.
|
|
#
|
|
# Segments (Bool)
|
|
#
|
|
# If this hash element is set to true, the segments associated with each
|
|
# resulting module will be returned by the server.
|
|
#
|
|
# Imports (Bool)
|
|
#
|
|
# If this hash element is set to true, the imports associated with each
|
|
# resulting module will be returned by the server.
|
|
#
|
|
# Exports (Bool)
|
|
#
|
|
# If this hash element is set to true, the exports associated with each
|
|
# resulting module will be returned by the server.
|
|
#
|
|
def modules(filter = {})
|
|
request('modules', filter).map { |ent| ImageModule.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of Locale instances that are supported by the server.
|
|
#
|
|
def locales
|
|
request('locales').map { |ent| Locale.create(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an array of Opcode instances that match the filter limitations
|
|
# specified in the supplied filter hash. If no filter hash is specified,
|
|
# all opcodes will be returned (but are most likely going to be limited by
|
|
# the server). The filter hash limiters that can be specified are:
|
|
#
|
|
# ModuleNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific modules by
|
|
# name.
|
|
#
|
|
# GroupNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific opcode group by
|
|
# name.
|
|
#
|
|
# TypeNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific opcode type by
|
|
# name.
|
|
#
|
|
# MetaTypeNames (Array)
|
|
#
|
|
# This hash element limits results to one or more specific opcode meta
|
|
# type by name.
|
|
#
|
|
# LocaleNames (Array)
|
|
#
|
|
# Limits results to one or more specific locale by name.
|
|
#
|
|
# PlatformNames (Array)
|
|
#
|
|
# Limits reslts to one or more specific operating system version by name.
|
|
#
|
|
# Addresses (Array)
|
|
#
|
|
# Limits results to a specific set of addresses.
|
|
#
|
|
# Portable (Bool)
|
|
#
|
|
# If this hash element is true, opcode results will be limited to ones
|
|
# that span more than one operating system version.
|
|
#
|
|
def search(filter = {})
|
|
request('search', filter).map { |ent| Opcode.new(ent) }
|
|
end
|
|
|
|
#
|
|
# Returns an instance of the Statistics class that holds information about
|
|
# the server's database stats.
|
|
#
|
|
def statistics
|
|
Statistics.new(request('statistics'))
|
|
end
|
|
|
|
#
|
|
# These attributes convey information about the remote server and can be
|
|
# changed in order to point it to a locate copy as necessary.
|
|
#
|
|
attr_accessor :server_host, :server_port, :server_uri
|
|
|
|
#
|
|
# Retrieves the last raw XML response to be processed.
|
|
#
|
|
attr_reader :last_xml
|
|
|
|
protected
|
|
|
|
#
|
|
# Transmits a request to the Opcode database server and translates the
|
|
# response into a native general ruby datatype.
|
|
#
|
|
def request(method, opts = {})
|
|
client = Rex::Proto::Http::Client.new(server_host, server_port)
|
|
|
|
begin
|
|
# Initialize the request with the POST body.
|
|
request = client.gen_post(server_uri)
|
|
|
|
request.body += "method=#{method}"
|
|
|
|
# Enumerate each option filter specified and convert it into a CGI
|
|
# parameter.
|
|
opts.each_pair { |k, v|
|
|
request.body += "&#{k}=#{xlate_param(v)}"
|
|
}
|
|
|
|
# Send the request and grab the response.
|
|
response = client.send_request(request, 300)
|
|
|
|
# Non-200 return code?
|
|
if (response.code != 200)
|
|
raise RuntimeError, "Invalid response recieved from server."
|
|
end
|
|
|
|
# Convert the return value to the native type.
|
|
parse_response(response.body)
|
|
ensure
|
|
client.close
|
|
end
|
|
end
|
|
|
|
#
|
|
# Translates a parameter into a flat CGI parameter string.
|
|
#
|
|
def xlate_param(v)
|
|
if (v.kind_of?(Array))
|
|
v.map { |ent|
|
|
xlate_param(ent)
|
|
}.join(',,')
|
|
elsif (v.kind_of?(Hash))
|
|
v.map { |k,v|
|
|
"#{URI.escape(k)}:#{xlate_param(v)}" if (v)
|
|
}.join(',,')
|
|
else
|
|
URI.escape(v.to_s)
|
|
end
|
|
end
|
|
|
|
#
|
|
# Translate the data type from a flat string to a ruby native type.
|
|
#
|
|
def parse_response(xml)
|
|
@last_xml = xml
|
|
|
|
if (!@disable_parse)
|
|
source = REXML::Source.new(xml)
|
|
doc = REXML::Document.new
|
|
|
|
REXML::Parsers::TreeParser.new(source, doc).parse
|
|
|
|
translate_element(doc.root)
|
|
end
|
|
end
|
|
|
|
#
|
|
# Translate elements conveyed as data types.
|
|
#
|
|
def translate_element(element)
|
|
case element.name
|
|
when "Array"
|
|
return element.elements.map { |child| translate_element(child) }
|
|
when "Hash"
|
|
hsh = {}
|
|
|
|
element.each_element { |child|
|
|
if (e = child.elements[1])
|
|
v = translate_element(e)
|
|
else
|
|
v = child.text
|
|
end
|
|
|
|
hsh[child.attributes['name']] = v
|
|
}
|
|
|
|
return hsh
|
|
else
|
|
return element.text
|
|
end
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
end
|
|
end
|