ronin-exploits 0.1.0

data/lib/ronin/exploits/exploit_author.rb

@@ -0,0 +1,34 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/author'
+
+module Ronin
+  module Exploits
+    class ExploitAuthor < Author
+
+      belongs_to :exploit
+
+    end
+  end
+end

data/lib/ronin/exploits/exploit_target.rb

@@ -0,0 +1,48 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/target'
+require 'ronin/product'
+
+module Ronin
+  module Exploits
+    class ExploitTarget < Target
+
+      # Target comments
+      property :description, String
+
+      # Targeted architecture
+      belongs_to :arch
+
+      # Targeted platform
+      belongs_to :platform
+
+      # Targeted product
+      belongs_to :product
+
+      # The exploit the target belongs to
+      belongs_to :exploit, :class_name => 'BinaryExploit'
+
+    end
+  end
+end

data/lib/ronin/exploits/exploitable.rb

@@ -0,0 +1,77 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2006-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/extensions/meta'
+
+module Ronin
+  module Exploits
+    module Exploitable
+      def self.included(base)
+        base.metaclass_eval do
+          #
+          # Returns the Hash of the exploit names and the +Proc+
+          # objects used to generate various Exploit objects.
+          #
+          def exploit_generators
+            @ronin_exploit_generators ||= {}
+          end
+
+          def each_exploit_generator(&block)
+            self.class.ancestors.each do |super_class|
+              if super_class.include?(Ronin::Exploits::Exploitable)
+                super_class.exploit_generators.each(&block)
+              end
+            end
+          end
+
+          #
+          # Registers a new exploit generator with the specified _name_
+          # and the specified _block_ which will return an Array of
+          # exploits.
+          # 
+          #   has_exploits :lfi do |url|
+          #     ...
+          #   end
+          #
+          def has_exploits(name,&block)
+            self.exploit_generators[name.to_sym] = block
+
+            return self
+          end
+        end
+      end
+
+      def exploits
+        viable_exploits = []
+
+        self.class.each_exploit_generator do |name,block|
+          viable_exploits += block.call(self).select do |exp|
+            exp.vulnerable?
+          end
+        end
+
+        return viable_exploits
+      end
+    end
+  end
+end

data/lib/ronin/exploits/format_string.rb

@@ -0,0 +1,84 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/format_string_target'
+require 'ronin/exploits/binary_exploit'
+
+module Ronin
+  module Exploits
+    class FormatString < BinaryExploit
+
+      objectify :ronin_format_string
+
+      # Targets of the format string
+      has n, :targets, :class_name => 'FormatStringTarget'
+
+      #
+      # Adds a new FormatStringTarget with the given _options_. If a _block_
+      # is given, it will be passed the new FormatStringTarget object.
+      #
+      def target(options={},&block)
+        self.targets << FormatStringTarget.new(options,&block)
+      end
+
+      #
+      # Builds the format string with the given _options_.
+      #
+      def build_format_string(options={})
+        target = (options[:target] || selected_target)
+        payload = (options[:payload] || @payload).to_s
+
+        buffer = target.overwrite.pack(target.platform.arch)+(target.overwrite+(target.platform.arch.address_length/2)).pack(target.platform.arch)
+
+        low_mask = 0xff
+        (target.platform.arch.address_length/2).times do
+          low_mask <<= 8
+          low_mask |= 0xff
+        end
+
+        high_mask = low_mask << (target.platform.arch.address_length*4)
+        high = (target.address & high_mask) >> (target.platform.arch.address_length/2)
+        low = target.address & low_mask
+
+        if low<high
+          low -= (target.platform.arch.address_length*2)
+          buffer += format("%%.%ud%%%lu$hn%%.%ud%%%lu$hn",low,target.pop_length,high-low,target.pop_length+1)
+        else
+          high -= (target.platform.arch.address_length*2)
+          buffer += format("%%.%ud%%%lu$hn%%.%ud%%%lu$hn",high,target.pop_length+1,low-high,target.pop_length)
+        end
+        buffer += payload
+
+        return buffer
+      end
+
+      #
+      # The default builder method, simply calls build_format_string.
+      #
+      def builder
+        @package = build_format_string
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/format_string_target.rb

@@ -0,0 +1,43 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exploit_target'
+
+module Ronin
+  module Exploits
+    class FormatStringTarget < ExploitTarget
+
+      # Pop length
+      property :pop_length, Integer, :default => 0
+
+      # Address
+      property :address, Integer, :default => 0x0
+
+      # Overwrite
+      property :overwrite, Integer, :default => 0x0
+
+      belongs_to :format_string
+
+    end
+  end
+end

data/lib/ronin/exploits/impact.rb

@@ -0,0 +1,46 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/vulnerability/behavior'
+require 'ronin/exploits/exploit'
+
+require 'ronin/model'
+
+module Ronin
+  module Exploits
+    class Impact
+
+      include Model
+
+      # The behavior which the impact allows
+      belongs_to :behavior, :class_name => 'Vulnerability::Behavior'
+
+      # The exploit which facilitates the impact
+      belongs_to :exploit
+
+      # Validates
+      validates_present :behavior_id, :exploit_id
+
+    end
+  end
+end

data/lib/ronin/exploits/requirement.rb

@@ -0,0 +1,46 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/vulnerability/behavior'
+require 'ronin/exploits/exploit'
+
+require 'ronin/model'
+
+module Ronin
+  module Exploits
+    class Requirement
+
+      include Model
+
+      # The behavior which is required
+      belongs_to :behavior, :class_name => 'Vulnerability::Behavior'
+
+      # The exploit which requires the behavior
+      belongs_to :exploit
+
+      # Validates
+      validates_present :behavior_id, :exploit_id
+
+    end
+  end
+end

data/lib/ronin/exploits/version.rb

@@ -0,0 +1,29 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+module Ronin
+  module Exploits
+    # Ronin Exploits version
+    VERSION = '0.1.0'
+  end
+end

data/lib/ronin/exploits/web_exploit.rb

@@ -0,0 +1,77 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exploit'
+require 'ronin/sessions/http'
+require 'ronin/extensions/uri/http'
+
+require 'uri'
+
+module Ronin
+  module Exploits
+    class WebExploit < Exploit
+
+      include Sessions::HTTP
+
+      objectify :ronin_web_exploit
+
+      # The targeted URL path
+      property :url_path, String
+
+      # The targeted URL query string
+      property :url_query, String
+
+      # The targeted HTTP host
+      parameter :host, :description => 'The targeted HTTP host'
+
+      # The targeted HTTP port
+      parameter :port, :description => 'The targeted HTTP port'
+
+      # The optional URL path prefix
+      parameter :url_prefix, :description => 'The optional URL path prefix'
+
+      #
+      # Returns the targeted URL based on the +http_host+, +http_port+
+      # and +url_prefix+ parameters as well as the +url_path+ and
+      # +url_query+ properties.
+      #
+      def targeted_url
+        require_params :host
+
+        url = ::URI::HTTP.build(
+          :host => @host,
+          :port => @port,
+          :path => self.url_path,
+          :query => self.url_query
+        )
+
+        if @url_prefix
+          url.path = @url_prefix.to_s + url.path
+        end
+
+        return url
+      end
+
+    end
+  end
+end