buby 1.1.6-java

data/lib/buby/extends.rb

@@ -0,0 +1,4 @@
+
+require 'buby/extends/buby_array_wrapper'
+require 'buby/extends/http_request_response'
+require 'buby/extends/scan_issue'

data/lib/buby/extends/buby_array_wrapper.rb

@@ -0,0 +1,41 @@
+
+class Buby
+  class BubyArrayWrapper
+    include Enumerable
+
+    attr_reader :array_obj
+
+    def initialize(obj)
+      @array_obj = obj
+    end
+
+    def [](*args)
+      if args.size == 1 and args.first.kind_of? Numeric
+        self.array_obj[args[0]]
+      else
+        self.to_a(*args)
+      end
+    end
+
+    def each
+      self.array_obj.size.times do |idx|
+        yield self.array_obj[idx]
+      end
+    end
+
+    def size
+      self.array_obj.size
+    end
+    alias length size
+
+    def first
+      return(self.array_obj[0]) if(self.size > 0)
+    end
+
+    def last
+      return self.array_obj[self.size - 1] if(self.size > 0)
+    end
+
+  end
+
+end

data/lib/buby/extends/http_request_response.rb

@@ -0,0 +1,95 @@
+require 'uri'
+
+class Buby
+
+  class HttpRequestResponseList < BubyArrayWrapper
+    def initialize(obj)
+      HttpRequestResponseHelper.implant(obj[0]) if obj.size > 0
+      super(obj)
+    end
+
+  end
+
+
+  module HttpRequestResponseHelper
+
+    # returns the response as a Ruby String object - returns an empty string
+    # if response is nil.
+    def response_str
+      return response().nil? ? "" : ::String.from_java_bytes(response())
+    end
+    alias response_string response_str
+    alias rsp_str response_str
+
+
+    # returns an array of response headers split into header name and value. 
+    # For example:
+    #   [ 
+    #     ["HTTP/1.1 301 Moved Permanently"],
+    #     ["Server", "Apache/1.3.41 ..."],
+    #     ...
+    #   ]
+    def response_headers
+      if headers=(@rsp_split ||= rsp_str.split(/\r?\n\r?\n/, 2))[0]
+        @rsp_headers ||= headers.split(/\r?\n/).map {|h| h.split(/\s*:\s*/,2)}
+      end
+    end
+    alias rsp_headers response_headers
+
+    # Returns the message body of the response, minus headers
+    def response_body
+      (@rsp_split ||= rsp_str.split(/\r?\n\r?\n/, 2))[1]
+    end
+    alias rsp_body response_body
+
+
+    # Returns the full request as a Ruby String - returns an empty string if 
+    # request is nil.
+    def request_str
+      return request().nil? ? "" : ::String.from_java_bytes(request())
+    end
+    alias request_string request_str
+    alias req_str request_str
+
+
+    # Returns a split array of headers. Example:
+    #   [
+    #     ["GET / HTTP/1.1"],
+    #     ["Host", "www.example.org"],
+    #     ["User-Agent", "Mozilla/5.0 (..."],
+    #     ...
+    #   ]
+    def request_headers
+      if headers=(@req_split ||= req_str.split(/\r?\n\r?\n/, 2))[0]
+        @req_headers ||= headers.split(/\r?\n/).map {|h| h.split(/\s*:\s*/,2)}
+      end
+    end
+    alias req_headers request_headers
+
+
+    # Returns the request message body or an empty string if there is none.
+    def request_body
+      (@req_split ||= req_str.split(/\r?\n\r?\n/, 2))[1]
+    end
+    alias req_body request_body
+
+
+    # Returns a Ruby URI object derived from the java.net.URL object
+    def uri
+      @uri ||= URI.parse url.to_s if not url.nil?
+    end
+
+
+    # one-shot method to implant ourselves onto a target object's class
+    # interface in ruby. All later instances will also get 'us' for free!
+    def self.implant(base)
+      return if @implanted
+      base.class.instance_eval { include(HttpRequestResponseHelper) }
+      @implanted = true
+    end
+
+
+    def self.implanted? ; @implanted; end
+  end
+
+end

data/lib/buby/extends/scan_issue.rb

@@ -0,0 +1,36 @@
+require 'uri'
+
+class Buby
+
+  class ScanIssuesList < BubyArrayWrapper
+    def initialize(obj)
+      ScanIssueHelper.implant(obj[0]) if obj.size > 0 
+      super(obj)
+    end
+
+  end
+
+  module ScanIssueHelper
+    # Returns a Ruby URI object derived from the java.net.URL object
+    def uri
+      @uri ||= URI.parse url.to_s if not url.nil?
+    end
+
+    # one-shot method to implant ourselves onto a target object's class
+    # interface in ruby. All later instances will also get 'us' for free!
+    def self.implant(base)
+      return if @implanted
+      base.class.instance_eval { include(ScanIssueHelper) }
+      @implanted = true
+    end
+
+    def http_messages
+      HttpRequestResponseList.new( self.getHttpMessages() )
+    end
+    alias messages http_messages
+    alias messages http_messages
+
+    def self.implanted? ; @implanted; end
+  end
+end
+

data/samples/drb_buby.rb

@@ -0,0 +1,31 @@
+
+require 'rubygems'
+require 'buby'
+require 'drb'
+
+module DrbBuby
+  attr_reader :drb_server
+
+  def evt_register_callbacks(cb)
+    super(cb)
+#    cb.issueAlert("[DrbBuby] Service on: #{@drb_server.uri}")
+  end
+
+  def init_DrbBuby
+    ## want to bind the DRb service on a specific socket?
+    uri ='druby://127.0.0.1:9999'
+    ## or let it choose one automatically:
+    #  uri = nil 
+    @drb_server = DRb.start_service uri, self
+    puts "[DrbBuby] Service on: #{@drb_server.uri}"
+    self.alert("[DrbBuby] Service on: #{@drb_server.uri}")
+  end
+end
+
+if __FILE__ == $0
+  $burp = Buby.new
+  $burp.extend(DrbBuby)
+  $burp.start_burp()
+  $burp.init_DrbBuby
+end
+

data/samples/drb_sample_cli.rb

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+# notice... we're using MRI ruby here, not JRuby (but either will work)
+
+require 'drb'
+
+unless drb_uri = ARGV.shift
+  STDERR.puts "Usage: #{File.basename $0} druby://<addr>:<port>"
+  exit 1
+end
+
+drb = DRbObject.new nil, drb_uri
+rsp=drb.make_http_request 'example.com', 80, false, "GET / HTTP/1.0\r\n\r\n"
+
+puts rsp

data/samples/mechanize_burp.rb

@@ -0,0 +1,57 @@
+#!/usr/bin/env jruby
+
+require 'rubygems'
+require 'buby'
+require 'mechanize'
+require 'rbkb/http'
+require 'irb'
+
+include Java
+
+# This Buby handler implementation simply keeps cookie state synched
+# for a Mechanize agent by intercepting all requests sent through the
+# Burp proxy. This lets you use Mechanize in tandem with your browser
+# through Burp without having to fuss around with cookies.
+module MechGlue
+  attr_accessor :mech_agent
+
+  def evt_proxy_message(*param)
+    msg_ref, is_req, rhost, rport, is_https, http_meth, url, 
+    resourceType, status, req_content_type, message, action = param
+
+    if (not is_req) and (message =~ /Set-Cookie/i)
+
+      rsp = Rbkb::Http::Response.new(message, :ignore_content_length => true)
+
+      # Get an uri object ready for mechanize
+      uri = URI.parse(url)
+      uri.scheme = (is_https)? "https" : "http"
+      uri.host = rhost
+      uri.port = rport
+      
+      # Grab cookies from headers:
+      rsp.headers.get_header_value('Set-Cookie').each do |cookie| 
+        WWW::Mechanize::Cookie.parse(uri, cookie) do |c|
+          @mech_agent.cookie_jar.add(uri, c)
+        end
+      end
+    end
+    return(message)
+  end
+end
+
+
+if __FILE__ == $0
+  $mech = WWW::Mechanize.new
+  #$mech.set_proxy('localhost', '8080')
+
+  $burp = Buby.new()
+  $burp.extend(MechGlue)
+  $burp.mech_agent = $mech
+  $burp.start_burp
+
+  puts "$burp is set to #{$burp.class}"
+  puts "$mech is set to #{$mech.class}"
+  IRB.start
+end
+

data/samples/poc_generator.rb

@@ -0,0 +1,124 @@
+require 'uri'
+require 'htmlentities'
+
+# This set up as a buby module extension. You can load it from the CLI when 
+# launching buby as follows:
+#
+#   buby -r csrf_poc_generator.rb -e CsrfPocGenerator -i
+# 
+module PocGenerator
+  HEX = %w{0 1 2 3 4 5 6 7 8 9 a b c d e f}
+
+  # Take a HTTP POST string and convert it to HTML proof of concept with a
+  # form full of hidden variables that gets auto-submitted on load. 
+  #
+  # Especially handy for burp since you don't always know whether what you're 
+  # playing with in repeater will actually work in the browser. Also handy for 
+  # testing reflected/stored XSS if the request happens to require a POST. 
+  #
+  # Handles www-form-urlencoded as well as multi-part. Note if your multi-part 
+  # data has any files in it, they'll just get jammed into a hidden var with 
+  # the rest. This may or may not be what you actually want.
+  #
+  # @param req can be a index into proxy_history, string, java byte array, or 
+  # HttpRequestResponse object
+  #
+  # @param options:
+  #   :uri  = uri to set form action to (default - auto)
+  #   :meth = form http method (default - POST)
+  #   :enc  = form enctype (default - 'application/www-form-urlencoded')
+  #   :host = override 'host' in uri with this. (default - auto)
+  #   :scheme = override 'scheme' in uri with this. (default - 'http')
+  #   :port = override 'port' in uri with this. (default - blank)
+  #
+  # The URI, host scheme, and port are all automatically pulled from req if
+  # it is a HttpRequest. Otherwise, the code will attempt to gather this info
+  # from the Host: header and HTTP action. Note that in the latter case, the
+  # determination of http/https is impossible, so you'll want to specify the
+  # scheme
+  def post_to_poc(req, opts = {})
+    uri  = opts[:uri]
+    meth = opts[:meth] || "POST"
+    enc  = opts[:enc] || opts[:encoding] || 'application/www-form-urlencoded'
+    host = opts[:host]
+    scheme = opts[:scheme]
+    port = opts[:port]
+
+    reqstr =
+      if req.kind_of? String
+        req
+      elsif req.respond_to? :java_class and req.java_class.to_s == "[B"
+        String.from_java_bytes 
+      elsif req.kind_of? Numeric
+        req = getProxyHistory()[req]
+        uri ||= req.uri
+        req.req_str
+      elsif req.respond_to?(:req_str)
+        req.req_str 
+      end
+
+    params = getParameters(reqstr).to_a.select {|x| x[2] == "body parameter"}.map {|p| [p[0], p[1].chomp]}
+    headers = getHeaders(reqstr).to_a
+    verb, action, vers = headers.first.split(/\s+/, 3)
+
+    if headers.grep(/^content-type: application\/(?:x-)?(?:www-form-url|url-)encoded(?:\W|$)/i)
+      params = params.map do |p| 
+        p.map do |f|
+          f.gsub(/%[a-f0-9]{2}/i) do |x| 
+            ((HEX.index(x[1,1].downcase) << 4) + HEX.index(x[2,1].downcase)).chr
+          end
+        end
+      end
+    end
+
+    if uri.nil?  
+      uri =
+        if req.respond_to? :uri
+          uri = req.uri
+        else
+          uri = URI.parse(action)
+        end
+    elsif uri.is_a? String
+      uri = URI.parse(action)
+    end
+
+    if opts[:host]
+      uri.host = host
+      uri.scheme = scheme if scheme
+    elsif host.nil? and hhost = headers.grep(/host: (.*)$/i){|h| $1 }.first
+      uri.host, uri.port = hhost.split(':', 2)
+      uri.scheme = scheme || 'http'
+    else
+      uri.scheme = scheme if scheme
+    end
+
+    uri.port = port if port
+
+    ret = %{<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head></head>
+<body>
+   <form name="doit_form" method="#{meth.to_s.upcase}" action=#{uri.to_s.inspect} enctype=#{enc.inspect}>
+}
+
+    coder = HTMLEntities.new
+    params.each do |p|
+      name = coder.encode(p[0]).inspect
+      val  = coder.encode(p[1]).inspect
+      ret << "        <input type=\"hidden\" name=#{name} value=#{val} />\n"
+    end
+
+    ret << %{
+    <input type="submit" value="click me if this doesnt redirect'" />
+  </form>
+  <script> document.doit_form.submit(); </script>
+</body>
+</html>}
+
+    return ret
+  end
+
+  def init_CsrfPocGenerator
+    # nop
+  end
+end
+

data/samples/verb_tamperer.rb

@@ -0,0 +1,25 @@
+#!/usr/bin/env jruby
+require 'rubygems'
+require 'buby'
+
+module VerbTamperer
+  def evt_proxy_message(*param)
+    msg_ref, is_req, rhost, rport, is_https, http_meth, url, 
+    resourceType, status, req_content_type, message, action = param
+
+    if is_req and http_meth == "GET"
+      message[0,3] = "PET"
+      action[0] = Buby::ACTION_DONT_INTERCEPT
+
+      return super(*param).dup
+    else
+      return super(*param)
+    end
+  end
+end
+
+if __FILE__ == $0
+  $burp = Buby.new()
+  $burp.extend(VerbTamperer)
+  $burp.start_burp()
+end

data/samples/watch_scan.rb

@@ -0,0 +1,21 @@
+
+module WatchScan
+  def evt_http_message(tool_name, is_request, message_info)
+    super(tool_name, is_request, message_info)
+    if tool_name == 'scanner' 
+      if is_request
+        puts "#"*70, "# REQUEST: #{message_info.url.toString}", "#"*70
+        puts message_info.req_str
+        puts
+      else
+        puts "#"*70, "# RESPONSE: #{message_info.url.toString}", "#"*70
+        puts message_info.rsp_str
+        puts
+      end
+    end
+  end
+
+  def init_WatchScan
+    puts "WatchScan module initialized"
+  end
+end