ronin-exploits 0.1.0

Files changed (43) hide show
  1. data/COPYING.txt +339 -0
  2. data/History.txt +18 -0
  3. data/Manifest.txt +42 -0
  4. data/README.txt +69 -0
  5. data/Rakefile +15 -0
  6. data/TODO.txt +25 -0
  7. data/lib/ronin/exploits.rb +39 -0
  8. data/lib/ronin/exploits/binary_exploit.rb +133 -0
  9. data/lib/ronin/exploits/buffer_overflow.rb +76 -0
  10. data/lib/ronin/exploits/buffer_overflow_target.rb +46 -0
  11. data/lib/ronin/exploits/exceptions.rb +25 -0
  12. data/lib/ronin/exploits/exceptions/exploit_not_built.rb +29 -0
  13. data/lib/ronin/exploits/exceptions/restricted_char.rb +29 -0
  14. data/lib/ronin/exploits/exploit.rb +263 -0
  15. data/lib/ronin/exploits/exploit_author.rb +34 -0
  16. data/lib/ronin/exploits/exploit_target.rb +48 -0
  17. data/lib/ronin/exploits/exploitable.rb +77 -0
  18. data/lib/ronin/exploits/format_string.rb +84 -0
  19. data/lib/ronin/exploits/format_string_target.rb +43 -0
  20. data/lib/ronin/exploits/impact.rb +46 -0
  21. data/lib/ronin/exploits/requirement.rb +46 -0
  22. data/lib/ronin/exploits/version.rb +29 -0
  23. data/lib/ronin/exploits/web_exploit.rb +77 -0
  24. data/lib/ronin/models.rb +38 -0
  25. data/lib/ronin/payloads.rb +33 -0
  26. data/lib/ronin/payloads/ability.rb +46 -0
  27. data/lib/ronin/payloads/binary_payload.rb +40 -0
  28. data/lib/ronin/payloads/payload.rb +203 -0
  29. data/lib/ronin/payloads/payload_author.rb +34 -0
  30. data/lib/ronin/payloads/shellcode.rb +34 -0
  31. data/lib/ronin/payloads/web_payload.rb +34 -0
  32. data/lib/ronin/translators/xor.rb +96 -0
  33. data/lib/ronin/vuln/behavior.rb +92 -0
  34. data/spec/exploits/exploit_spec.rb +80 -0
  35. data/spec/exploits/exploitable_spec.rb +21 -0
  36. data/spec/exploits/web_exploit_spec.rb +29 -0
  37. data/spec/exploits_spec.rb +9 -0
  38. data/spec/payloads/payload_spec.rb +60 -0
  39. data/spec/spec_helper.rb +11 -0
  40. data/spec/translators/xor_spec.rb +26 -0
  41. data/spec/vuln/behavior_spec.rb +15 -0
  42. data/tasks/spec.rb +9 -0
  43. metadata +119 -0
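--- a/data/lib/ronin/exploits/exploit_author.rb
+++ b/data/lib/ronin/exploits/exploit_author.rb
@@ -0,0 +1,34 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/author'
+
+module Ronin
+  module Exploits
+    class ExploitAuthor < Author
+
+      belongs_to :exploit
+
+    end
+  end
+end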
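--- a/data/lib/ronin/exploits/exploit_target.rb
+++ b/data/lib/ronin/exploits/exploit_target.rb
@@ -0,0 +1,48 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/target'
+require 'ronin/product'
+
+module Ronin
+  module Exploits
+    class ExploitTarget < Target
+
+      # Target comments
+      property :description, String
+
+      # Targeted architecture
+      belongs_to :arch
+
+      # Targeted platform
+      belongs_to :platform
+
+      # Targeted product
+      belongs_to :product
+
+      # The exploit the target belongs to
+      belongs_to :exploit, :class_name => 'BinaryExploit'
+
+    end
+  end
+end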
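--- a/data/lib/ronin/exploits/exploitable.rb
+++ b/data/lib/ronin/exploits/exploitable.rb
@@ -0,0 +1,77 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2006-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/extensions/meta'
+
+module Ronin
+  module Exploits
+    module Exploitable
+      def self.included(base)
+        base.metaclass_eval do
+          #
+          # Returns the Hash of the exploit names and the +Proc+
+          # objects used to generate various Exploit objects.
+          #
+          def exploit_generators
+            @ronin_exploit_generators ||= {}
+          end
+
+          def each_exploit_generator(&block)
+            self.class.ancestors.each do |super_class|
+              if super_class.include?(Ronin::Exploits::Exploitable)
+                super_class.exploit_generators.each(&block)
+              end
+            end
+          end
+
+          #
+          # Registers a new exploit generator with the specified _name_
+          # and the specified _block_ which will return an Array of
+          # exploits.
+          #
+          #   has_exploits :lfi do |url|
+          #     ...
+          #   end
+          #
+          def has_exploits(name,&block)
+            self.exploit_generators[name.to_sym] = block
+
+            return self
+          end
+        end
+      end
+
+      def exploits
+        viable_exploits = []
+
+        self.class.each_exploit_generator do |name,block|
+          viable_exploits += block.call(self).select do |exp|
+            exp.vulnerable?
+          end
+        end
+
+        return viable_exploits
+      end
+    end
+  end
+end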
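Review bot: `each_exploit_generator` is defined inside `base.metaclass_eval`, so `self` in it is the including class itself, and `self.class.ancestors` therefore walks the ancestors of `Class`, none of which include `Exploitable`; the loop never yields and `exploits` always returns an empty Array. The line should read `self.ancestors.each do |super_class|`. With that change the `super_class.include?(Ronin::Exploits::Exploitable)` guard does what it appears intended to do, since each ancestor class that mixed the module in received `exploit_generators` on its singleton class through `included`, and the class-instance variable keeps each class's registry separate. A one-line comment above the method, such as `# Yields each (name, generator) pair registered on this class and its Exploitable ancestors`, would also make the walk's purpose explicit.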
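--- a/data/lib/ronin/exploits/format_string.rb
+++ b/data/lib/ronin/exploits/format_string.rb
@@ -0,0 +1,84 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/exploits/format_string_target'
+require 'ronin/exploits/binary_exploit'
+
+module Ronin
+  module Exploits
+    class FormatString < BinaryExploit
+
+      objectify :ronin_format_string
+
+      # Targets of the format string
+      has n, :targets, :class_name => 'FormatStringTarget'
+
+      #
+      # Adds a new FormatStringTarget with the given _options_. If a _block_
+      # is given, it will be passed the new FormatStringTarget object.
+      #
+      def target(options={},&block)
+        self.targets << FormatStringTarget.new(options,&block)
+      end
+
+      #
+      # Builds the format string with the given _options_.
+      #
+      def build_format_string(options={})
+        target = (options[:target] || selected_target)
+        payload = (options[:payload] || @payload).to_s
+
+        buffer = target.overwrite.pack(target.platform.arch)+(target.overwrite+(target.platform.arch.address_length/2)).pack(target.platform.arch)
+
+        low_mask = 0xff
+        (target.platform.arch.address_length/2).times do
+          low_mask <<= 8
+          low_mask |= 0xff
+        end
+
+        high_mask = low_mask << (target.platform.arch.address_length*4)
+        high = (target.address & high_mask) >> (target.platform.arch.address_length/2)
+        low = target.address & low_mask
+
+        if low<high
+          low -= (target.platform.arch.address_length*2)
+          buffer += format("%%.%ud%%%lu$hn%%.%ud%%%lu$hn",low,target.pop_length,high-low,target.pop_length+1)
+        else
+          high -= (target.platform.arch.address_length*2)
+          buffer += format("%%.%ud%%%lu$hn%%.%ud%%%lu$hn",high,target.pop_length+1,low-high,target.pop_length)
+        end
+        buffer += payload
+
+        return buffer
+      end
+
+      #
+      # The default builder method, simply calls build_format_string.
+      #
+      def builder
+        @package = build_format_string
+      end
+
+    end
+  end
+end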
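Review bot: The half-address arithmetic in `build_format_string` does not yield the two half-width values the `$hn` writes need: `low_mask` starts at `0xff` and is widened `address_length/2` times, which for a 4-byte address gives a 24-bit mask rather than 16, and `high` is shifted right by `address_length/2` (2) even though `high_mask` was built by shifting left `address_length*4` (16). Both `format` calls also use `%lu`, and Ruby's `format` does not accept the C length modifier `l`, so as written the method appears to raise `ArgumentError` before any buffer is produced. Deriving both halves from a single `half_bits = address_length * 4` and using `%u` for the positional argument addresses both; this assumes `address_length` is in bytes, which the `address_length/2` byte offset added to `overwrite` already presumes. A count that goes negative after the `address_length*2` adjustment (target half smaller than the bytes already emitted) is still unhandled and deserves at least a comment.

```ruby
def build_format_string(options={})
  # … unchanged: target / payload selection and the two packed overwrite addresses …

  half_bits = target.platform.arch.address_length * 4   # bits in one half of an address
  half_mask = (1 << half_bits) - 1
  high = (target.address >> half_bits) & half_mask
  low  = target.address & half_mask

  if low<high
    low -= (target.platform.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
  else
    high -= (target.platform.arch.address_length*2)
    buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
  end
  # … unchanged: append payload and return buffer …
```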
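--- a/data/lib/ronin/exploits/format_string_target.rb
+++ b/data/lib/ronin/exploits/format_string_target.rb
@@ -0,0 +1,43 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/exploits/exploit_target'
+
+module Ronin
+  module Exploits
+    class FormatStringTarget < ExploitTarget
+
+      # Pop length
+      property :pop_length, Integer, :default => 0
+
+      # Address
+      property :address, Integer, :default => 0x0
+
+      # Overwrite
+      property :overwrite, Integer, :default => 0x0
+
+      belongs_to :format_string
+
+    end
+  end
+end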
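--- a/data/lib/ronin/exploits/impact.rb
+++ b/data/lib/ronin/exploits/impact.rb
@@ -0,0 +1,46 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/vulnerability/behavior'
+require 'ronin/exploits/exploit'
+
+require 'ronin/model'
+
+module Ronin
+  module Exploits
+    class Impact
+
+      include Model
+
+      # The behavior which the impact allows
+      belongs_to :behavior, :class_name => 'Vulnerability::Behavior'
+
+      # The exploit which facilitates the impact
+      belongs_to :exploit
+
+      # Validates
+      validates_present :behavior_id, :exploit_id
+
+    end
+  end
+end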
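Review bot: `require 'ronin/vulnerability/behavior'` on line 24 does not correspond to any file shipped in this release; the package listing contains `data/lib/ronin/vuln/behavior.rb` instead, so unless the core `ronin` gem provides `ronin/vulnerability/behavior`, loading `Impact` ends in a `LoadError`. The same require and the `:class_name => 'Vulnerability::Behavior'` association appear in `requirement.rb`, so whichever file is intended should be fixed in both. If the shipped `vuln/behavior.rb` is the model meant here, the require becomes `require 'ronin/vuln/behavior'` and the `:class_name` must be changed to match that file's namespace, which is not visible from this diff. Either way, the comment above `belongs_to :behavior` should name the model it points at, e.g. `# The Behavior (see ronin/vuln/behavior) which the impact allows`.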
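--- a/data/lib/ronin/exploits/requirement.rb
+++ b/data/lib/ronin/exploits/requirement.rb
@@ -0,0 +1,46 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/vulnerability/behavior'
+require 'ronin/exploits/exploit'
+
+require 'ronin/model'
+
+module Ronin
+  module Exploits
+    class Requirement
+
+      include Model
+
+      # The behavior which is required
+      belongs_to :behavior, :class_name => 'Vulnerability::Behavior'
+
+      # The exploit which requires the behavior
+      belongs_to :exploit
+
+      # Validates
+      validates_present :behavior_id, :exploit_id
+
+    end
+  end
+end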
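--- a/data/lib/ronin/exploits/version.rb
+++ b/data/lib/ronin/exploits/version.rb
@@ -0,0 +1,29 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+module Ronin
+  module Exploits
+    # Ronin Exploits version
+    VERSION = '0.1.0'
+  end
+end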
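--- a/data/lib/ronin/exploits/web_exploit.rb
+++ b/data/lib/ronin/exploits/web_exploit.rb
@@ -0,0 +1,77 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/exploits/exploit'
+require 'ronin/sessions/http'
+require 'ronin/extensions/uri/http'
+
+require 'uri'
+
+module Ronin
+  module Exploits
+    class WebExploit < Exploit
+
+      include Sessions::HTTP
+
+      objectify :ronin_web_exploit
+
+      # The targeted URL path
+      property :url_path, String
+
+      # The targeted URL query string
+      property :url_query, String
+
+      # The targeted HTTP host
+      parameter :host, :description => 'The targeted HTTP host'
+
+      # The targeted HTTP port
+      parameter :port, :description => 'The targeted HTTP port'
+
+      # The optional URL path prefix
+      parameter :url_prefix, :description => 'The optional URL path prefix'
+
+      #
+      # Returns the targeted URL based on the +http_host+, +http_port+
+      # and +url_prefix+ parameters as well as the +url_path+ and
+      # +url_query+ properties.
+      #
+      def targeted_url
+        require_params :host
+
+        url = ::URI::HTTP.build(
+          :host => @host,
+          :port => @port,
+          :path => self.url_path,
+          :query => self.url_query
+        )
+
+        if @url_prefix
+          url.path = @url_prefix.to_s + url.path
+        end
+
+        return url
+      end
+
+    end
+  end
+end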
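Review bot: The doc comment on `targeted_url` names `+http_host+` and `+http_port+`, but the parameters declared above are `host` and `port` and the method reads `@host` and `@port`; the comment should say `+host+`, `+port+` and `+url_prefix+` so it matches what a caller actually sets. The prefix is also joined by bare concatenation on the `url.path = @url_prefix.to_s + url.path` line, so a prefix ending in `/` produces a `//` inside the path, and a prefix without a leading `/` will most likely be rejected by `URI::Generic#path=`, which expects an absolute path when a host is present; `url.path = @url_prefix.to_s.chomp('/') + url.path` removes the double slash and the leading-slash requirement belongs in the parameter's description. `::URI::HTTP.build` itself raises `URI::InvalidComponentError` for a relative `url_path`, which may be intended but should be stated in the method comment since the caller sees the exception rather than a built URL.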