offensivecomputing 0.1.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,14 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "shoulda", ">= 0"
+  gem "rdoc", "~> 3.12"
+  gem "bundler", "~> 1.1.5"
+  gem "jeweler", "~> 1.8.4"
+  gem "rcov", ">= 0"
+end

data/Gemfile.lock

@@ -0,0 +1,35 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.2.8)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    git (1.2.5)
+    i18n (0.6.0)
+    jeweler (1.8.4)
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      rake
+      rdoc
+    json (1.7.5)
+    multi_json (1.3.6)
+    rake (0.9.2.2)
+    rcov (1.0.0)
+    rdoc (3.12)
+      json (~> 1.4)
+    shoulda (3.1.1)
+      shoulda-context (~> 1.0)
+      shoulda-matchers (~> 1.2)
+    shoulda-context (1.0.0)
+    shoulda-matchers (1.2.0)
+      activesupport (>= 3.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.1.5)
+  jeweler (~> 1.8.4)
+  rcov
+  rdoc (~> 3.12)
+  shoulda

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2012 chrislee35
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,46 @@
+= offensivecomputing
+
+Rubygem for interacting with OffensiveComputing.net, a malware sharing community.  This allows for query and downloading of malware.
+
+	oc = OffensiveComputing::MalwareSearch.new(user, pass)
+	recs = oc.search("4462aae981360f73b0016d69029321b4")
+	pp recs => [#<struct OffensiveComputing::MalwareResult
+	  md5="4462aae981360f73b0016d69029321b4",
+	  sha1="f8229be77c429c84f4c612a4f106bc54a96a8733",
+	  sha256="f951deff6086a1e68f0d09bd3856f1c1af5c117590443ea05d171a75969bbb63",
+	  filename="4462aae981360f73b0016d69029321b4.EXE",
+	  added=Sat May 26 17:38:23 UTC 2007,
+	  magic="MZ executable for MS-DOS",
+	  packer=nil,
+	  avresults=
+	   [#<struct OffensiveComputing::AVResult
+	     name="ClamAV",
+	     signature="VGEN.735.3">,
+	    #<struct OffensiveComputing::AVResult
+	     name="BitDefender",
+	     signature="GenDropper.MutaGen">,
+	    #<struct OffensiveComputing::AVResult
+	     name="Kaspersky",
+	     signature="Virus.DOS.MutaGen.100.Test.1325">,
+	    #<struct OffensiveComputing::AVResult
+	     name="AVGScan",
+	     signature="Virus found Mutagen">],
+	  tags=nil,
+	  dlurl="download.php?id=1...7&auth=9...e">]
+
+
+== Contributing to offensivecomputing
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2012 chrislee35. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,54 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+	Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+	$stderr.puts e.message
+	$stderr.puts "Run `bundle install` to install missing gems"
+	exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+	# gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+	gem.name = "offensivecomputing"
+	gem.homepage = "http://github.com/chrislee35/offensivecomputing"
+	gem.license = "MIT"
+	gem.summary = %Q{Rubygem for interacting with OffensiveComputing.net, a malware sharing community}
+	gem.description = %Q{Rubygem for interacting with OffensiveComputing.net, a malware sharing community.  This allows for query and downloading of malware}
+	gem.email = "rubygems@chrislee.dhs.org"
+	gem.authors = ["chrislee35"]
+	gem.signing_key = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
+	gem.cert_chain  = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+	test.libs << 'lib' << 'test'
+	test.pattern = 'test/**/test_*.rb'
+	test.verbose = true
+end
+
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+	test.libs << 'test'
+	test.pattern = 'test/**/test_*.rb'
+	test.verbose = true
+	test.rcov_opts << '--exclude "gems/*"'
+end
+
+task :default => :test
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+	version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+	rdoc.rdoc_dir = 'rdoc'
+	rdoc.title = "offensivecomputing #{version}"
+	rdoc.rdoc_files.include('README*')
+	rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/offensivecomputing.rb

@@ -0,0 +1 @@
+require 'offensivecomputing/offensivecomputing'

data/lib/offensivecomputing/offensivecomputing.rb

@@ -0,0 +1,156 @@
+require 'net/http'
+require 'openssl'
+
+module OffensiveComputing
+	
+	class MalwareSearch
+		@@baseurl = "http://www.offensivecomputing.net"
+		@@user_agent = "Ruby/#{RUBY_VERSION} offensivecomputing rubygem (https://github.com/chrislee35/offensivecomputing)"
+
+		attr_reader :cookie
+		def initialize(username, password)
+			# login and get a cookie
+			# handle failures
+			params = {'edit[name]' => username, 'edit[pass]' => password, 'edit[form_id]' => 'user_login_block'}
+			@cookie = nil
+			@referer = @@baseurl
+			_post("?q=node&destination=node&op=Log+in", params)
+		end
+		
+		def _request(request, url)
+			request.add_field("User-Agent", @@user_agent)
+			request.add_field("Referer", @referer)
+			request.add_field("Cookie", @cookie) if @cookie
+
+			http = Net::HTTP.new(url.host, url.port)
+			if url.scheme == 'https'
+				http.use_ssl = true
+				http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+				http.verify_depth = 5
+			end
+			resp = http.request(request)
+			@cookie = resp.header["set-cookie"].split(/[,; ]+/).find_all{|x| x=~ /PHPSESSID/}.last if resp.header["set-cookie"]
+			resp.body
+		end
+		
+		def _post(path, params=nil)
+			url = URI.parse "#{@@baseurl}/#{path}"
+			path = url.path
+			if url.query
+				path += "?"+url.query
+			end
+			#puts path
+			request = Net::HTTP::Post.new(path)
+			request.set_form_data(params) if params
+			_request(request, url)
+		end
+
+		def _get(path, params=nil)
+			url = URI.parse "#{@@baseurl}/#{path}"
+			data = nil
+			path = url.path
+			if params and params.length > 0
+				data = params.map { |k,v|
+					"#{k}=#{v}".gsub(/([^ a-zA-Z0-9_.-=]+)/) do
+						'%' + $1.unpack('H2' * $1.bytesize).join('%').upcase
+					end.tr(' ', '+')
+				}.join("&")
+			end
+			if data and url.query
+				path += "?#{url.query}&#{data}"
+			elsif data
+				path += "?#{data}"
+			elsif url.query
+				path += "?#{url.query}"
+			end
+			request = Net::HTTP::Get.new(path)
+			_request(request, url)
+		end
+
+		def search(hash)
+			params = {'search'=>hash} # 'slowsearch'=>'on'
+			body = _post('?q=ocsearch', params)
+			records = []
+			table = body.match(/<\!\-\- begin content.*?<\!\-\- end content \-\->/).to_s
+			if table
+				urls = table.scan(/download[^\"]+/)
+				arr = table.gsub(/<.*?>/,"\t").gsub(/\s*\t+/,"\t").split(/\t/)
+				#pp arr
+				field = nil
+				rec = {}
+				avname = nil
+				arr.each do |item|
+					if item == "infected"
+						records << MalwareResult.new(rec[:md5],rec[:sha1],rec[:sha256],rec[:filename],rec[:added],rec[:magic],rec[:packer],rec[:avresults],rec[:tags],rec[:dlurl], self)
+					elsif item == "MD5:"
+						field = :md5
+					elsif item == "SHA1:"
+						field = :sha1
+					elsif item == "SHA256:"
+						field = :sha256
+					elsif item == "Original Submitted Filename:"
+						field = :filename
+					elsif item == "Date Added:"
+						field = :added
+					elsif item == "Magic File Type:"
+						field = :magic
+					elsif item == "Packer Signature:"
+						field = :packer
+					elsif item == "Anti-Virus Results:"
+						field = :avresults
+					elsif item == "Tags:"
+						field = :tags
+					elsif item == "Add a tag:"
+						field = nil
+					elsif item == "Download Sample"
+						rec[:dlurl] = urls.shift
+					elsif field == :md5 and item =~ /^[0-9a-f]{32}$/
+						rec[field] = item
+					elsif field == :sha1 and item =~ /^[0-9a-f]{40}$/
+						rec[field] = item
+					elsif field == :sha256 and item =~ /^[0-9a-f]{64}$/
+						rec[field] = item
+					elsif field == :filename
+						rec[field] = item
+					elsif field == :added and item =~ /^\d{4}\-\d{2}\-\d{2}/
+						rec[field] = Time.parse("#{item} +0000").utc
+					elsif field == :magic
+						rec[field] = item
+					elsif field == :avresults
+						#puts "DEBUG: avresults #{item}"
+						rec[field] = [] unless rec[field]
+						if avname
+							rec[field] << AVResult.new(avname,item)
+							avname = nil
+						else
+							avname = item
+						end
+					elsif field == :tags
+						rec[field] = [] unless rec[field]
+						rec[field] << item
+					end
+				end
+			end
+			records
+		end
+		
+		def download(malwareresult,filename=nil)
+			if malwareresult.respond_to? :dlurl and malwareresult.dlurl
+				doc = _get(malwareresult.dlurl)
+				if filename
+					File.open(filename,'w') do |f|
+						f.write(doc)
+					end
+				end
+				doc
+			end
+		end
+	end
+	
+	class MalwareResult < Struct.new(:md5, :sha1, :sha256, :filename, :added, :magic, :packer, :avresults, :tags, :dlurl, :malwaresearch); 
+		def download(filename=nil)
+			self.malwaresearch.download(self,filename)
+		end
+	end
+	class AVResult < Struct.new(:name, :signature); end
+end

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'offensivecomputing'
+
+class Test::Unit::TestCase
+end

data/test/test_offensivecomputing.rb

@@ -0,0 +1,37 @@
+require 'helper'
+require 'digest/md5'
+require 'pp'
+
+class TestOffensivecomputing < Test::Unit::TestCase
+	should "log into OC and search for 4462aae981360f73b0016d69029321b4" do
+		fail "You must set OCUSER and OCPASS in your environment before running tests\nE.g.\nexport OCUSER=\"l33tsloth\"\nexport OCPASS=\"n3v3r+f33r\"\n" unless ENV['OCUSER'] and ENV['OCPASS']
+		oc = OffensiveComputing::MalwareSearch.new(ENV['OCUSER'], ENV['OCPASS'])
+		recs = oc.search("4462aae981360f73b0016d69029321b4")
+		assert_equal(1, recs.length)
+		rec = recs[0]
+		assert_equal(
+			["4462aae981360f73b0016d69029321b4",
+				"f8229be77c429c84f4c612a4f106bc54a96a8733",
+				"f951deff6086a1e68f0d09bd3856f1c1af5c117590443ea05d171a75969bbb63",
+				"4462aae981360f73b0016d69029321b4.EXE",
+				"Sat May 26 17:38:23 UTC 2007",
+				"MZ executable for MS-DOS", 
+				nil,
+				nil], [rec.md5,rec.sha1,rec.sha256,rec.filename,rec.added.to_s,rec.magic,rec.packer,rec.tags])
+		file = "test/test.bin"
+		dl = rec.download(file)
+		assert_equal(1277,dl.length)
+		assert_equal(1277,File.size(file))
+		assert_equal("103835290aa6daa55d270bf3dde84271",Digest::MD5.hexdigest(dl))
+		assert_equal("103835290aa6daa55d270bf3dde84271",Digest::MD5.hexdigest(File.open(file).read))
+		if File.exists? file
+			File.unlink(file)
+		end
+	end
+	should "log into OC and search for \"conficker\"" do
+		fail "You must set OCUSER and OCPASS in your environment before running tests\nE.g.\nexport OCUSER=\"l33tsloth\"\nexport OCPASS=\"n3v3r+f33r\"\n" unless ENV['OCUSER'] and ENV['OCPASS']
+		oc = OffensiveComputing::MalwareSearch.new(ENV['OCUSER'], ENV['OCPASS'])
+		recs = oc.search("conficker")
+		assert_equal(4, recs.length)
+	end
+end

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification 
+name: offensivecomputing
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- chrislee35
+autorequire: 
+bindir: bin
+cert_chain: 
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYjCCAkqgAwIBAgIBADANBgkqhkiG9w0BAQUFADBXMREwDwYDVQQDDAhydWJ5
+  Z2VtczEYMBYGCgmSJomT8ixkARkWCGNocmlzbGVlMRMwEQYKCZImiZPyLGQBGRYD
+  ZGhzMRMwEQYKCZImiZPyLGQBGRYDb3JnMB4XDTExMDIyNzE1MzAxOVoXDTEyMDIy
+  NzE1MzAxOVowVzERMA8GA1UEAwwIcnVieWdlbXMxGDAWBgoJkiaJk/IsZAEZFghj
+  aHJpc2xlZTETMBEGCgmSJomT8ixkARkWA2RoczETMBEGCgmSJomT8ixkARkWA29y
+  ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNM1Hjs6q58sf7Jp64A
+  vEY2cnRWDdFpD8UWpwaJK5kgSHOVgs+0mtszn+YlYjmx8kpmuYpyU4g9mNMImMQe
+  ow8pVsL4QBBK/1Ozgdxrsptk3IiTozMYA+g2I/+WvZSEDu9uHkKe8pvMBEMrg7RJ
+  IN7+jWaPnSzg3DbFwxwOdi+QRw33DjK7oFWcOaaBqWTUpI4epdi/c/FE1I6UWULJ
+  ZF/Uso0Sc2Pp/YuVhuMHGrUbn7zrWWo76nnK4DTLfXFDbZF5lIXT1w6BtIiN6Ho9
+  Rdr/W6663hYUo3WMsUSa3I5+PJXEBKmGHIZ2TNFnoFIRHha2fmm1HC9+BTaKwcO9
+  PLcCAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQURzsNkZo2rv86Ftc+hVww
+  RNICMrwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQBRRw/iNA/PdnvW
+  OBoNCSr/IiHOGZqMHgPJwyWs68FhThnLc2EyIkuLTQf98ms1/D3p0XX9JsxazvKT
+  W/in8Mm/R2fkVziSdzqChtw/4Z4bW3c+RF7TgX6SP5cKxNAfKmAPuItcs2Y+7bdS
+  hr/FktVtT2iAmISRnlEbdaTpfl6N2ZWNT83khV6iOs5xRkX/+0e+GgAv9mE6nqr1
+  AkuDXMhposxcnFZUrZ3UtMPEe/JnyP7Vv6pvr3qtZm8FidFZU91+rX/fwdyBU8RP
+  /5l8uLWXXNt1wEbtu4N1I66LwTK2iRrQZE8XtlgZGbxYDFUkiurq3OafF2YwRs6W
+  6yhklP75
+  -----END CERTIFICATE-----
+
+date: 2012-09-06 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: shoulda
+  version_requirements: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id001
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: rdoc
+  version_requirements: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 12
+        version: "3.12"
+  requirement: *id002
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: bundler
+  version_requirements: &id003 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 1
+        - 5
+        version: 1.1.5
+  requirement: *id003
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: jeweler
+  version_requirements: &id004 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 8
+        - 4
+        version: 1.8.4
+  requirement: *id004
+- !ruby/object:Gem::Dependency 
+  prerelease: false
+  type: :development
+  name: rcov
+  version_requirements: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  requirement: *id005
+description: Rubygem for interacting with OffensiveComputing.net, a malware sharing community.  This allows for query and downloading of malware
+email: rubygems@chrislee.dhs.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/offensivecomputing.rb
+- lib/offensivecomputing/offensivecomputing.rb
+- test/helper.rb
+- test/test_offensivecomputing.rb
+has_rdoc: true
+homepage: http://github.com/chrislee35/offensivecomputing
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Rubygem for interacting with OffensiveComputing.net, a malware sharing community
+test_files: []
+