Module: Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLHelper

Included in:
DLL, MultiCaller, Util
Defined in:
lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb

Overview

shared functions

Instance Method Summary collapse

Instance Method Details

#asciiz_to_str(asciiz) ⇒ Object

converts 0-terminated ASCII string to ruby string


45
46
47
48
49
50
51
52
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 45

def asciiz_to_str(asciiz)
  zero_byte_idx = asciiz.index("\x00")
  if zero_byte_idx != nil
    return asciiz[0, zero_byte_idx]
  else
    return asciiz
  end
end

#assemble_buffer(direction, function, args) ⇒ Object

assembles the buffers “in” and “inout”


96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 96

def assemble_buffer(direction, function, args)
  layout = {} # paramName => BufferItem
  blob = ""
  #puts " building buffer: #{direction}"
  function.params.each_with_index do |param_desc, param_idx|
    #puts "  processing #{param_desc[0]} #{param_desc[1]} #{param_desc[2]}"
    # we care only about inout buffers
    if param_desc[2] == direction
      buffer = nil
      # Special case:
      # The user can choose to supply a Null pointer instead of a buffer
      # in this case we don't need space in any heap buffer
      if param_desc[0][0,1] == 'P' # type is a pointer
        if args[param_idx] == nil
          next
        end
      end

      case param_desc[0] # required argument type
        when "PDWORD"
          dw = param_to_number(args[param_idx])
          buffer = [dw].pack('V')
        when "PWCHAR"
          raise "param #{param_desc[1]}: string expected" unless args[param_idx].class == String
          buffer = str_to_uni_z(args[param_idx])
        when "PCHAR"
          raise "param #{param_desc[1]}: string expected" unless args[param_idx].class == String
          buffer = str_to_ascii_z(args[param_idx])
        when "PBLOB"
          raise "param #{param_desc[1]}: please supply your BLOB as string!" unless args[param_idx].class == String
          buffer = args[param_idx]
        # other types (non-pointers) don't reference buffers
        # and don't need any treatment here
      end

      if buffer != nil
        #puts "   adding #{buffer.length} bytes to heap blob"
        layout[param_desc[1]] = BufferItem.new(param_idx, blob.length, buffer.length, param_desc[0])
        blob += buffer
        # sf: force 8 byte alignment to satisfy x64, wont matter on x86.
        while( blob.length % 8 != 0 )
          blob += "\x00"
        end
        #puts "   heap blob size now #{blob.length}"
      end
    end
  end
  #puts "  built buffer: #{direction}"
  return [layout, blob]
end

#param_to_number(v, win_consts = @win_consts) ⇒ Object

parses a number param and returns the value raises an exception if the param cannot be converted to a number examples:

nil => 0
3 => 3
"MB_OK" => 0
"SOME_CONSTANT | OTHER_CONSTANT" => 17
"tuna" => !!!!!!!!!!Exception

Parameter “win_consts” is a WinConstantManager


76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 76

def param_to_number(v, win_consts = @win_consts)
  if v.class == NilClass then
    return 0
  elsif v.class == Fixnum then
    return v # ok, it's already a number
  elsif v.class == Bignum then
    return v # ok, it's already a number
  elsif v.class == String then
    dw = win_consts.parse(v) # might raise an exception
    if dw != nil
      return dw
    else
      raise ArgumentError, "Param #{v} (class #{v.class}) cannot be converted to a number. It's a string but matches no constants I know."
    end
  else
    raise "Param #{v} (class #{v.class}) should be a number but isn't"
  end
end

#str_to_ascii_z(str) ⇒ Object

converts ruby string to zero-terminated ASCII string


40
41
42
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 40

def str_to_ascii_z(str)
  return str+"\x00"
end

#str_to_uni_z(str) ⇒ Object

converts ruby string to zero-terminated WCHAR string


55
56
57
58
59
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 55

def str_to_uni_z(str)
  enc = str.unpack("C*").pack("v*")
  enc += "\x00\x00"
  return enc
end

#uniz_to_str(uniz) ⇒ Object

converts 0-terminated UTF16 to ruby string


62
63
64
# File 'lib/rex/post/meterpreter/extensions/stdapi/railgun/dll_helper.rb', line 62

def uniz_to_str(uniz)
  uniz.unpack("v*").pack("C*").unpack("A*")[0]
end