Land rapid7#3484, bad pack/unpack specifier fix

Author: wvu

lib/bit-struct/octet-field.rb

@@ -37,7 +37,7 @@ def add_accessors_to(cl, attr = name) # :nodoc:
         old_writer = "#{attr_chars}="
 
         define_method "#{attr}=" do |val|
-          data = val.split(sep).map{|s|s.to_i(base)}.pack("c*")
+          data = val.split(sep).map{|s|s.to_i(base)}.pack("C*")
           send(old_writer, data)
         end
       end

lib/msf/core/exploit/afp.rb

@@ -246,8 +246,7 @@ def parse_info_response(response)
   end
 
   def parse_header(packet)
-    header = packet.unpack('CCnNNN') #ruby 1.8.7 don't support unpacking signed integers in big-endian order
-    header[3] = packet[4..7].reverse.unpack("l").first
+    header = packet.unpack('CCnNNN')
     return header
   end
 

lib/msf/core/post/windows/accounts.rb

@@ -270,7 +270,7 @@ def check_dir_perms(dir, token)
 
     #define generic mapping structure
     gen_map = [0,0,0,0]
-    gen_map = gen_map.pack("L")
+    gen_map = gen_map.pack("V")
     buffer_size = 500
 
     #get Security Descriptor for the directory

lib/msf/core/post/windows/ldap.rb

@@ -248,15 +248,15 @@ def query_ldap(session_handle, base, scope, filter, fields)
   # @param pEntry [Fixnum] Pointer to the Entry
   # @return [Array] Entry data structure
   def get_entry(pEntry)
-    return client.railgun.memread(pEntry,41).unpack('LLLLLLLLLSCCC')
+    return client.railgun.memread(pEntry,41).unpack('VVVVVVVVVvCCC')
   end
 
   # Get BER Element data structure from LDAPMessage
   #
   # @param msg [String] The LDAP Message from the server
   # @return [String] The BER data structure
   def get_ber(msg)
-    ber = client.railgun.memread(msg[2],60).unpack('L*')
+    ber = client.railgun.memread(msg[2],60).unpack('V*')
 
     # BER Pointer is different between x86 and x64
     if client.platform =~ /x64/

lib/msf/core/post/windows/services.rb

@@ -334,7 +334,7 @@ def service_status(name, server=nil)
         raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
       end
 
-      vals = status['lpServiceStatus'].unpack('L*')
+      vals = status['lpServiceStatus'].unpack('V*')
       adv.CloseServiceHandle(handle["return"])
 
       ret = {

lib/msf/util/exe.rb

@@ -340,22 +340,22 @@ def self.to_winpe_only(framework, code, opts={}, arch="x86")
 
     # look for section with entry point
     sections_header.each do |sec|
-      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
-      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
-      characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('V')[0]
+      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('V')[0]
+      characteristics = sec[1][characteristics_offset,0x4].unpack('V')[0]
 
       if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
-        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
+        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('V')[0]
         if (importsTable - addressOfEntryPoint) < code.length
           #shift original entry point to prevent tables overwritting
           addressOfEntryPoint = importsTable - (code.length + 4)
 
           entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
-          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
+          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('V')
         end
         # put this section writable
         characteristics |= 0x8000_0000
-        newcharacteristics = [characteristics].pack('L')
+        newcharacteristics = [characteristics].pack('V')
         exe[sec[0],newcharacteristics.length] = newcharacteristics
       end
     end
@@ -572,20 +572,20 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
         "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
         "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
-        "\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\x8D\x85"+[svcmain_code_offset].pack('V')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
         "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
         "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
-         [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
-        "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+         [hash_code_offset].pack('V')+pushed_service_name+"\x89\xE1\x8D" +
+        "\x85"+[svcctrlhandler_code_offset].pack('V')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
         "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
-        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
+        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('V')+"\x57\x51\x68\xAE\x87" +
         "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
-         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+         [shellcode_code_offset].pack('V')+"\x54\x68"+[code.length].pack('V') +
         "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
@@ -654,12 +654,17 @@ def self.replace_msi_buffer(pe, opts)
       msi = fd.read(fd.stat.size)
     }
 
-    section_size =	2**(msi[30..31].unpack('s')[0])
-    sector_allocation_table = msi[section_size..section_size*2].unpack('l*')
+    section_size =	2**(msi[30..31].unpack('v')[0])
+
+    # This table is one of the few cases where signed values are needed
+    sector_allocation_table = msi[section_size..section_size*2].unpack('l<*')
 
     buffer_chain = []
-    current_secid = 5	# This is closely coupled with the template provided and ideally
-          # would be calculated from the dir stream?
+    
+    # This is closely coupled with the template provided and ideally
+    # would be calculated from the dir stream?
+    current_secid = 5	
+    
 
     until current_secid == -2
       buffer_chain << current_secid
@@ -827,22 +832,22 @@ def self.to_exe_elf(framework, opts, template, code, big_endian=false)
 
     # Check EI_CLASS to determine if the header is 32 or 64 bit
     # Use the proper offsets and pack size
-    case elf[4]
-    when 1, "\x01" # ELFCLASS32 - 32 bit (ruby 1.8 and 1.9)
+    case elf[4,1].unpack("C").first
+    when 1 # ELFCLASS32 - 32 bit (ruby 1.9+)
       if big_endian
         elf[0x44,4] = [elf.length].pack('N') #p_filesz
         elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz
       else # little endian
         elf[0x44,4] = [elf.length].pack('V') #p_filesz
         elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz
       end
-    when 2, "\x02" # ELFCLASS64 - 64 bit (ruby 1.8 and 1.9)
+    when 2 # ELFCLASS64 - 64 bit (ruby 1.9+)
       if big_endian
         elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
         elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
       else # little endian
-        elf[0x60,8] = [elf.length].pack('Q') #p_filesz
-        elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz
+        elf[0x60,8] = [elf.length].pack('Q<') #p_filesz
+        elf[0x68,8] = [elf.length + code.length].pack('Q<') #p_memsz
       end
     else
       raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"

lib/rex/arch.rb

@@ -49,7 +49,7 @@ def self.pack_addr(arch, addr)
       when ARCH_X86
         [addr].pack('V')
       when ARCH_X86_64
-        [addr].pack('Q')
+        [addr].pack('Q<')
       when ARCH_MIPS # ambiguous
         [addr].pack('N')
       when ARCH_MIPSBE

lib/rex/encoder/ndr.rb

@@ -28,7 +28,7 @@ def NDR.short(string)
   # use to encode:
   #       byte element_1;
   def NDR.byte(string)
-    return [string].pack('c')
+    return [string].pack('C')
   end
 
   # Encode a byte array

lib/rex/ole/util.rb

@@ -124,15 +124,15 @@ def self.pack8(value)
 
 
   def self.getUnicodeString(buf)
-    buf = buf.unpack('S*').pack('C*')
+    buf = buf.unpack('v*').pack('C*')
     if (idx = buf.index(0x00.chr))
       buf.slice!(idx, buf.length)
     end
     buf
   end
 
   def self.putUnicodeString(buf)
-    buf = buf.unpack('C*').pack('S*')
+    buf = buf.unpack('C*').pack('v*')
     if (buf.length < 0x40)
       buf << "\x00" * (0x40 - buf.length)
     end

lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb

@@ -27,8 +27,8 @@ def self.pack_pointer(pointer, platform)
 
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      [pointer].pack('Q')
+      # Assume little endian
+      [pointer].pack('Q<')
     when PlatformUtil::X86_32
       [pointer].pack('V')
     else
@@ -40,8 +40,8 @@ def self.pack_pointer(pointer, platform)
   def self.unpack_pointer(packed_pointer, platform)
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      packed_pointer.unpack('Q').first
+      # Assume little endian
+      packed_pointer.unpack('Q<').first
     when PlatformUtil::X86_32
       packed_pointer.unpack('V').first
     else