ronin-exploits 0.1.0

data/Rakefile

@@ -0,0 +1,15 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+require './tasks/spec.rb'
+require './lib/ronin/exploits/version.rb'
+
+Hoe.new('ronin-exploits', Ronin::Exploits::VERSION) do |p|
+  p.rubyforge_name = 'ronin'
+  p.developer('Postmodern', 'postmodern.mod3@gmail.com')
+  p.remote_rdoc_dir = 'docs/ronin-exploits'
+  p.extra_deps = [['ronin', '>=0.1.3']]
+end
+
+# vim: syntax=Ruby

data/TODO.txt

@@ -0,0 +1,25 @@
+== TODO:
+
+=== Ronin Exploits 0.1.0:
+
+* Complete exploit/payload taxonomy code.
+  * Add dm-scope methods for finding exploits based on their taxonomy
+    relations.
+
+=== Ronin Exploits 0.1.1:
+
+* Add more dm-scope methods for finding exploits and payloads based:
+  * Target attributes:
+    * Arch (name).
+    * Platform (os, version).
+  * Authors
+* Spec exploit/payload relations and dm-scope methods.
+* Add methods for chaining exploits.
+
+=== Ronin Exploits 0.1.2:
+
+* Design a basic Vulnerability Scanner class:
+  * Scan networks of hosts.
+  * Scan web-sites.
+  * Custom tests.
+

data/lib/ronin/exploits.rb

@@ -0,0 +1,39 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/requirement'
+require 'ronin/exploits/impact'
+require 'ronin/exploits/exploit_author'
+require 'ronin/exploits/exploit_target'
+require 'ronin/exploits/exploit'
+require 'ronin/exploits/binary_exploit'
+require 'ronin/exploits/buffer_overflow_target'
+require 'ronin/exploits/buffer_overflow'
+require 'ronin/exploits/format_string_target'
+require 'ronin/exploits/format_string'
+
+require 'reverse_require'
+
+module Ronin
+  require_for 'ronin', 'ronin/exploits'
+end

data/lib/ronin/exploits/binary_exploit.rb

@@ -0,0 +1,133 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exceptions/exploit_not_built'
+require 'ronin/exploits/exceptions/restricted_char'
+require 'ronin/exploits/exploit_target'
+require 'ronin/exploits/exploit'
+require 'ronin/chars/char_set'
+require 'ronin/formatting/binary'
+
+module Ronin
+  module Exploits
+    class BinaryExploit < Exploit
+
+      objectify :ronin_binary_exploit
+
+      # Targets of the exploit
+      has n, :targets, :class_name => 'ExploitTarget'
+
+      # Target index to use
+      parameter :target_index,
+                :value => 0,
+                :description => 'default target index'
+
+      # Custom target to use
+      parameter :custom_target, :description => 'custom target'
+
+      # String to pad extra space with
+      parameter :pad, :value => 'A', :description => 'padding string'
+
+      # Restricted characters that may not occurr in the built exploit
+      attr_accessor :restricted
+
+      # The built exploit
+      attr_accessor :exploit
+
+      #
+      # Creates a new BinaryExploit object with the given _attributes_.
+      #
+      def initialize(attributes={})
+        super(attributes)
+
+        @restricted = Chars::CharSet.new(attributes[:restricted] || [])
+      end
+
+      #
+      # Adds an ExploitTarget with the given _attributes_. If a _block_ is
+      # given, it will be passed the ExploitTarget.
+      #
+      def target(attributes={},&block)
+        @targets << ExploitTarget.first_or_create(attributes,&block)
+      end
+
+      #
+      # Returns the selected target.
+      #
+      def selected_target
+        (@custom_target || @targets[@target_index])
+      end
+
+      #
+      # Creates a padded buffer of the specified _length_ using the
+      # specified _padding_ data.
+      #
+      def pad_buffer(padding,length)
+        padding = padding.to_s
+
+        buffer = (padding * (length / padding.length))
+        pad_remaining = (length % padding.length)
+
+        unless pad_remaining==0
+          buffer += padding[0,pad_remaining]
+        end
+
+        return buffer
+      end
+
+      #
+      # Adds the given _chars_ to the restricted list of characters.
+      #
+      #   restrict 0x00, "\n"
+      #   # => #<Ronin::Chars::CharSet: {"\0", "\n"}>
+      #
+      def restrict(*chars)
+        @restricted += pattern
+      end
+
+      def build
+        @exploit = ''
+        return super
+      end
+
+      #
+      # Verifies that the exploit is built and does not contain any
+      # restricted characters.
+      #
+      def verify
+        unless @exploit
+          raise(ExploitNotBuilt,"cannot verify an unbuilt exploit",caller)
+        end
+
+        @restricted.each do |char|
+          if @exploit.include?(char)
+            raise(RestrictedChar,"Restricted character '#{char}' was found in the built exploit",caller)
+          end
+        end
+
+        return super
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/buffer_overflow.rb

@@ -0,0 +1,76 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/buffer_overflow_target'
+require 'ronin/exploits/binary_exploit'
+
+module Ronin
+  module Exploits
+    class BufferOverflow < BinaryExploit
+
+      objectify :ronin_buffer_overflow
+
+      # Targets of the buffer overflow
+      has n, :targets, :class_name => 'BufferOverflowTarget'
+
+      #
+      # Adds a new BufferOverflowTarget with the given _attributes_. If a
+      # _block_ is given, it will be passed the BufferOverflowTarget object.
+      #
+      def target(options={},&block)
+        @targets << BufferOverflowTarget.new(options,&block)
+      end
+
+      #
+      # Builds the exploit buffer with the given _options_.
+      #
+      def build_buffer(options={})
+        target = (options[:target] || selected_target)
+        payload = (options[:payload] || @payload).to_s
+
+        unless payload.length<=target.buffer_length
+          raise(PayloadSize,"the specified payload is too large for the target's buffer length",caller)
+        end
+
+        buffer = pad_buffer(@pad,(target.buffer_length-payload.length))+payload
+
+        ip_packed = target.ip.pack(target.arch)
+        unless target.bp==0
+          buffer += (target.bp.pack(target.arch)+ip_packed)*target.return_length
+        else
+          buffer += ip_packed*(target.return_length*2)
+        end
+
+        return buffer
+      end
+
+      #
+      # Default builder method which simply calls build_buffer.
+      #
+      def builder
+        @package = build_buffer
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/buffer_overflow_target.rb

@@ -0,0 +1,46 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exploit_target'
+
+module Ronin
+  module Exploits
+    class BufferOverflowTarget < ExploitTarget
+
+      # Buffer length
+      property :buffer_length, Integer, :default => 0
+
+      # Return length
+      property :return_length, Integer, :default => 1
+
+      # Instruction Pointer
+      property :ip, Integer, :default => 0x0
+
+      # Stack base pointer
+      property :bp, Integer
+
+      belongs_to :buffer_overflow
+
+    end
+  end
+end

data/lib/ronin/exploits/exceptions.rb

@@ -0,0 +1,25 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exceptions/exploit_not_built'
+require 'ronin/exploits/exceptions/restricted_char'

data/lib/ronin/exploits/exceptions/exploit_not_built.rb

@@ -0,0 +1,29 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+module Ronin
+  module Exploits
+    class ExploitNotBuilt < RuntimeError
+    end
+  end
+end

data/lib/ronin/exploits/exceptions/restricted_char.rb

@@ -0,0 +1,29 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+module Ronin
+  module Exploits
+    class RestrictedChar < RuntimeError
+    end
+  end
+end

data/lib/ronin/exploits/exploit.rb

@@ -0,0 +1,263 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/requirement'
+require 'ronin/exploits/impact'
+require 'ronin/exploits/exploit_author'
+require 'ronin/vulnerability/behavior'
+require 'ronin/objectify'
+require 'ronin/has_license'
+
+module Ronin
+  module Exploits
+    class Exploit
+
+      include Objectify
+      include HasLicense
+
+      objectify :ronin_exploit
+      
+      # Primary key of the exploit
+      property :id, Serial
+
+      # Name of the exploit
+      property :name, String, :index => true
+
+      # Version of the exploit
+      property :version, String, :default => '0.1', :index => true
+
+      # Description of the exploit
+      property :description, Text
+
+      # Author(s) of the exploit
+      has n, :authors, :class_name => 'ExploitAuthor'
+
+      # The requirements of the exploit
+      has n, :requirements
+
+      # Impact of the exploit
+      has n, :impact, :class_name => 'Impact'
+
+      # Validations
+      validates_present :name
+      validates_is_unique :version, :scope => [:name]
+
+      # Exploit payload
+      attr_accessor :payload
+
+      #
+      # Creates a new Exploit object with the given _attributes_.
+      #
+      def initialize(attributes={},&block)
+        super(attributes)
+
+        @built = false
+
+        instance_eval(&block) if block
+      end
+
+      #
+      # Finds all exploits with names like the specified _name_.
+      #
+      def self.named(name)
+        self.all(:name.like => "%#{name}%")
+      end
+
+      #
+      # Finds all exploits with descriptions like the specified
+      # _description_.
+      #
+      def self.describing(description)
+        self.all(:description.like => "%#{description}%")
+      end
+
+      #
+      # Finds the exploit with the most recent vesion.
+      #
+      def self.latest
+        self.first(:order => [:version.desc])
+      end
+
+      #
+      # Adds an ExploitAuthor with the given _attributes_ to the exploit.
+      # If a _block_ is given, it will be passed the ExploitAuthro object.
+      #
+      def author(attributes={},&block)
+        self.authors << ExploitAuthor.first_or_create(attributes,&block)
+      end
+
+      #
+      # Adds a new Requirement for the Ability with the specified
+      # _behavior_.
+      #
+      def requires(behavior)
+        self.requirements << Requirement.new(
+          :behavior => behavior,
+          :exploit => self
+        )
+
+        return self
+      end
+
+      #
+      # Adds a new Impact granting the specified _behavior_.
+      #
+      def allows(behavior)
+        self.impact << Impact.new(
+          :behavior => behavior,
+          :exploit => self
+        )
+
+        return self
+      end
+
+      #
+      # Switches to the _new_payload_ then calls the specified _block_.
+      # After the _block_ has been called the payload will be reverted to
+      # it's previous value.
+      #
+      def switch_payload(new_payload,&block)
+        old_payload = @payload
+        @payload = new_payload
+
+        block.call(self)
+
+        @payload = old_payload
+        return self
+      end
+
+      #
+      # Default vulnerability test method. Returning +true+ symbolizes
+      # that the target of the exploit is vulnerable. Returning +nil+
+      # symbolizes that the exploit cannot determine if the target is
+      # vulnerable or not. Returning +false+ symbolizes that the target
+      # of the exploit is definitely not vulnerable. Returns +nil+ by
+      # default.
+      #
+      def vulnerable?
+        nil
+      end
+
+      #
+      # Default builder method.
+      #
+      def builder
+      end
+
+      #
+      # Returns +true+ if the exploit is built, returns +false+ otherwise.
+      #
+      def built?
+        @built == true
+      end
+
+      #
+      # Builds the exploit with the given _options_ and checks for
+      # restricted characters or patterns. If any restricted characters or
+      # patterns are found in the built exploit, a RestrictedText exception
+      # will be raised.
+      #
+      def build(options={})
+        self.params = options
+
+        @payload = (options[:payload] || @payload)
+
+        if (@payload && @payload.include?(Parameters))
+          @payload.params = options
+        end
+
+        @built = false
+
+        result = builder
+
+        @built = true
+        return result
+      end
+
+      #
+      # Default exploit verifier method.
+      #
+      def verifier
+      end
+
+      #
+      # Verifies the exploit is properly configured, built and ready to be
+      # deployed. An exception should be raised if the exploit is not ready
+      # to be deployed, returns +true+ otherwise.
+      #
+      def verify
+        unless built?
+          raise(ExploitNotBuilt,"cannot deploy an unbuilt exploit",caller)
+        end
+
+        verifier
+        return true
+      end
+
+      #
+      # Default exploit deployer method, passes the exploit object to the
+      # given _block_ by default.
+      #
+      def deployer(&block)
+        block.call(self) if block
+      end
+
+      #
+      # Deploys the exploit. If a _block_ is given and the payload used is
+      # a kind of Payload, then the payloads deploy method will be passed
+      # the given _block_. If the payload used is not a kind of Payload and
+      # a _block_ is given, the _block_ will be passed to the exploits
+      # deployer method. If the exploit has not been previously built, an
+      # ExploitNotBuilt exception will be raised.
+      #
+      def deploy(&block)
+        verify
+
+        if (@payload && @payload.kind_of?(Payloads::Payload))
+          deployer()
+
+          return @payload.deploy(&block)
+        else
+          return deployer(&block)
+        end
+      end
+
+      #
+      # Builds, deploys and then cleans the exploit with the given _options_.
+      #
+      def exploit(options={},&block)
+        build(options)
+
+        return deploy(&block)
+      end
+
+      #
+      # Returns the built exploit.
+      #
+      def to_s
+        "#{self.name} #{self.version}"
+      end
+
+    end
+  end
+end