Make changes for initial linux railgun support

Author: zeroSteiner

lib/rex/post/meterpreter/extensions/stdapi/railgun/dll.rb

@@ -221,7 +221,7 @@ def process_function_call(function, args, client)
         # it's not a pointer (LPVOID is a pointer but is not backed by railgun memory, ala PBLOB)
         buffer = [0].pack(native)
         case param_desc[0]
-          when "LPVOID", "HANDLE"
+          when "LPVOID", "HANDLE", "SIZE_T"
             num     = param_to_number(args[param_idx])
             buffer += [num].pack(native)
           when "DWORD"

lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_function.rb

@@ -40,8 +40,9 @@ class DLLFunction
     "DWORD"  => ["in", "return"],
     "WORD"   => ["in", "return"],
     "BYTE"   => ["in", "return"],
-    "LPVOID" => ["in", "return"], # sf: for specifying a memory address (e.g. VirtualAlloc/HeapAlloc/...) where we dont want ot back it up with actuall mem ala PBLOB
+    "LPVOID" => ["in", "return"], # sf: for specifying a memory address (e.g. VirtualAlloc/HeapAlloc/...) where we don't want to back it up with actual mem ala PBLOB
     "HANDLE" => ["in", "return"],
+    "SIZE_T" => ["in", "return"],
     "PDWORD" => ["in", "out", "inout"], # todo: support for functions that return pointers to strings
     "PWCHAR" => ["in", "out", "inout"],
     "PCHAR"  => ["in", "out", "inout"],

lib/rex/post/meterpreter/extensions/stdapi/railgun/multicall.rb

@@ -170,7 +170,7 @@ def call(functions)
             # it's not a pointer
             buffer = [0].pack(@native)
             case param_desc[0]
-              when "LPVOID", "HANDLE"
+              when "LPVOID", "HANDLE", "SIZE_T"
                 num     = param_to_number(args[param_idx])
                 buffer += [num].pack(@native)
               when "DWORD"
@@ -209,7 +209,7 @@ def call(functions)
         group.add_tlv(TLV_TYPE_RAILGUN_STACKBLOB, literal_pairs_blob)
         group.add_tlv(TLV_TYPE_RAILGUN_BUFFERBLOB_IN, in_only_buffer)
         group.add_tlv(TLV_TYPE_RAILGUN_BUFFERBLOB_INOUT, inout_buffer)
-        group.add_tlv(TLV_TYPE_RAILGUN_DLLNAME, dll_name )
+        group.add_tlv(TLV_TYPE_RAILGUN_DLLNAME, dll_host.dll_path)
         group.add_tlv(TLV_TYPE_RAILGUN_FUNCNAME, function.windows_name)
         request.tlvs << group
 

lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb

@@ -212,13 +212,13 @@ def add_function(dll_name, function_name, return_type, params, windows_name=nil,
   # Raises an exception if a dll with the given name has already been
   # defined.
   #
-  def add_dll(dll_name, windows_name=dll_name)
+  def add_dll(dll_name, remote_name=dll_name)
 
     if dlls.has_key? dll_name
       raise "A DLL of name #{dll_name} has already been loaded."
     end
 
-    dlls[dll_name] = DLL.new(windows_name, constant_manager)
+    dlls[dll_name] = DLL.new(remote_name, constant_manager)
   end
 
 

test/modules/post/test/railgun.rb

@@ -11,16 +11,139 @@ class MetasploitModule < Msf::Post
 
   def initialize(info={})
     super( update_info( info,
-        'Name'          => 'Railgun API Tests',
-        'Description'   => %q{ This module will test railgun api functions},
-        'License'       => MSF_LICENSE,
-        'Author'        => [ 'Spencer McIntyre'],
-        'Platform'      => [ 'windows' ]
-      ))
+      'Name'          => 'Railgun API Tests',
+      'Description'   => %q{ This module will test railgun api functions },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'Spencer McIntyre' ],
+      'Platform'      => [ 'linux', 'windows' ]
+    ))
   end
 
-  def test_api_function_calls
+  def init_railgun_defs
+    unless session.railgun.dlls.has_key?('libc')
+      session.railgun.add_dll('libc', 'libc.so.6')
+    end
+    session.railgun.add_function(
+      'libc',
+      'calloc',
+      'LPVOID',
+      [
+        ['SIZE_T', 'nmemb', 'in'],
+        ['SIZE_T', 'size', 'in']
+      ],
+      nil,
+      'cdecl'
+    )
+    session.railgun.add_function(
+      'libc',
+      'getpid',
+      'DWORD',
+      [],
+      nil,
+      'cdecl'
+    )
+    session.railgun.add_function(
+      'libc',
+      'inet_ntop',
+      'LPVOID',
+      [
+        ['DWORD', 'af', 'in'],
+        ['PBLOB', 'src', 'in'],
+        ['PBLOB', 'dst', 'out'],
+        ['DWORD', 'size', 'in']
+      ],
+      nil,
+      'cdecl'
+    )
+    session.railgun.add_function(
+      'libc',
+      'malloc',
+      'LPVOID',
+      [['SIZE_T', 'size', 'in']],
+      nil,
+      'cdecl'
+    )
+    session.railgun.add_function(
+      'libc',
+      'memfrob',
+      'LPVOID',
+      [
+        ['PBLOB', 'mem', 'inout'],
+        ['SIZE_T', 'length', 'in']
+      ],
+      nil,
+      'cdecl'
+    )
+  end
 
+  def test_api_function_calls_linux
+    return unless session.platform == 'linux'
+    init_railgun_defs
+    buffer = nil
+    buffer_size = 128
+    buffer_value = nil
+    it "Should include error information in the results" do
+      ret = true
+      result = session.railgun.libc.malloc(128)
+      ret &&= result['GetLastError'] == 0
+      ret &&= result['ErrorMessage'].is_a? String
+    end
+
+    it "Should support functions with no parameters" do
+      ret = true
+      result = session.railgun.libc.getpid()
+      ret &&= result['GetLastError'] == 0
+      ret &&= result['return'] == session.sys.process.getpid
+    end
+
+    it "Should support functions with literal parameters" do
+      ret = true
+      result = session.railgun.libc.calloc(buffer_size, 1)
+      ret &&= result['GetLastError'] == 0
+      buffer = result['return']
+      ret &&= buffer != 0
+    end
+
+    it "Should support functions with in/out/inout parameter types" do
+      ret = true
+      # first test in/out parameter types
+      result = session.railgun.libc.inet_ntop(2, "\x0a\x00\x00\x01", 128, 128)
+      ret &&= result['GetLastError'] == 0
+      ret &&= result['return'] != 0
+      ret &&= result['dst'][0...8] == '10.0.0.1'
+      # then test the inout parameter type
+      result = session.railgun.libc.memfrob('metasploit', 10)
+      ret &&= result['GetLastError'] == 0
+      ret &&= result['return'] != 0
+      ret &&= result['mem'] == 'GO^KYZFEC^'
+    end
+
+    it "Should support calling multiple functions at once" do
+      ret = true
+      multi_rail = [
+        ['libc', 'getpid', []],
+        ['libc', 'memfrob', ['metasploit', 10]]
+      ]
+      results = session.railgun.multi(multi_rail)
+      ret &&= results.length == multi_rail.length
+      ret &&= results[0]['return'] == session.sys.process.getpid
+      ret &&= results[1]['mem'] == 'GO^KYZFEC^'
+    end
+
+    it "Should support writing memory" do
+      ret = true
+      buffer_value = Rex::Text.rand_text_alphanumeric(buffer_size)
+      ret &&= session.railgun.memwrite(buffer, buffer_value, buffer_size)
+    end
+
+    it "Should support reading memory" do
+      ret = true
+      ret &&= session.railgun.memread(buffer, buffer_size) == buffer_value
+    end
+  end
+
+  def test_api_function_calls_windows
+    return unless session.platform == 'windows'
     it "Should include error information in the results" do
       ret = true
       result = session.railgun.kernel32.GetCurrentProcess()
@@ -70,43 +193,39 @@ def test_api_function_calls
       ret &&= results[2]['return'] == session.sys.process.getpid
     end
 
-    it "Should support reading memory" do
-      ret = true
-      result = client.railgun.kernel32.GetModuleHandleA('kernel32')
-      ret &&= result['GetLastError'] == 0
-      ret &&= result['return'] != 0
-      return false unless ret
-
-      handle = result['return']
-      mz_header = client.railgun.memread(handle, 4)
-      ret &&= mz_header == "MZ\x90\x00"
-    end
-
     it "Should support writing memory" do
       ret = true
-      result = client.railgun.kernel32.GetProcessHeap()
+      result = session.railgun.kernel32.GetProcessHeap()
       ret &&= result['GetLastError'] == 0
       ret &&= result['return'] != 0
       return false unless ret
 
       buffer_size = 32
       handle = result['return']
-      result = client.railgun.kernel32.HeapAlloc(handle, 0, buffer_size)
+      result = session.railgun.kernel32.HeapAlloc(handle, 0, buffer_size)
       ret &&= result['GetLastError'] == 0
       ret &&= result['return'] != 0
       return false unless ret
 
       buffer_value = Rex::Text.rand_text_alphanumeric(buffer_size)
       buffer = result['return']
-      ret &&= client.railgun.memwrite(buffer, buffer_value, buffer_size)
-      ret &&= client.railgun.memread(buffer, buffer_size) == buffer_value
+      ret &&= session.railgun.memwrite(buffer, buffer_value, buffer_size)
+      ret &&= session.railgun.memread(buffer, buffer_size) == buffer_value
 
-      client.railgun.kernel32.HeapFree(handle, 0, buffer)
+      session.railgun.kernel32.HeapFree(handle, 0, buffer)
       ret
     end
 
-  end
+    it "Should support reading memory" do
+      ret = true
+      result = session.railgun.kernel32.GetModuleHandleA('kernel32')
+      ret &&= result['GetLastError'] == 0
+      ret &&= result['return'] != 0
+      return false unless ret
 
+      handle = result['return']
+      mz_header = session.railgun.memread(handle, 4)
+      ret &&= mz_header == "MZ\x90\x00"
+    end
+  end
 end
-
-