ronin-exploits 0.1.1 → 0.2.0

data/lib/ronin/exploits/{format_string_target.rb → ftp.rb}

@@ -21,22 +21,16 @@
 #++
 #
 
-require 'ronin/exploits/exploit_target'
+require 'ronin/exploits/remote_tcp'
 
 module Ronin
   module Exploits
-    class FormatStringTarget < ExploitTarget
+    class FTP < RemoteTCP
 
-      # Pop length
-      property :pop_length, Integer, :default => 0
+      contextify :ronin_ftp_exploit
 
-      # Address
-      property :address, Integer, :default => 0x0
-
-      # Overwrite
-      property :overwrite, Integer, :default => 0x0
-
-      belongs_to :format_string
+      # Default port to connect to
+      property :default_port, Integer, :default => 21
 
     end
   end

data/lib/ronin/exploits/helpers.rb

@@ -0,0 +1,27 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/helpers/binary'
+require 'ronin/exploits/helpers/padding'
+require 'ronin/exploits/helpers/buffer_overflow'
+require 'ronin/exploits/helpers/format_string'

data/lib/ronin/exploits/helpers/binary.rb

@@ -0,0 +1,44 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exceptions/target_data_missing'
+require 'ronin/formatting/binary'
+
+module Ronin
+  module Exploits
+    module Helpers
+      module Binary
+        #
+        # Packs the specified _integer_ using the current targeted arch
+        # and the given _address_length_. The _address_length_ will
+        # default to the address length of the currently targeted arch.
+        #
+        def pack(integer,address_length=nil)
+          verify_arch!
+
+          return integer.pack(arch,(address_length || arch.address_length))
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/helpers/buffer_overflow.rb

@@ -0,0 +1,102 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/exceptions/payload_size'
+require 'ronin/exploits/targets/buffer_overflow'
+require 'ronin/exploits/helpers/binary'
+require 'ronin/exploits/helpers/padding'
+
+module Ronin
+  module Exploits
+    module Helpers
+      module BufferOverflow
+        def self.included(base)
+          base.module_eval do
+            include Ronin::Exploits::Helpers::Binary
+            include Ronin::Exploits::Helpers::Padding
+
+            has n, :targets,
+                   :class_name => 'Ronin::Exploits::Targets::BufferOverflow'
+
+            # The buffer to use for the buffer overflow
+            attr_reader :buffer
+          end
+        end
+
+        def self.extended(obj)
+          obj.instance_eval do
+            extend Ronin::Exploits::Helpers::Binary
+            extend Ronin::Exploits::Helpers::Padding
+
+            #
+            # Returns the buffer to use for the buffer overflow.
+            #
+            def buffer
+              @buffer
+            end
+          end
+        end
+
+        #
+        # Adds a new Targets::BufferOverflow with the given _attributes_
+        # and _block_.
+        #
+        def targeting(attributes={},&block)
+          self.targets << Targets::BufferOverflow.new(attributes,&block)
+        end
+
+        protected
+       
+        #
+        # Builds the buffer with the current target and payload to be
+        # used in the buffer overflow exploit.
+        #
+        def build_buffer
+          verify_target!
+
+          if encoded_payload.length > target.buffer_length
+            raise(PayloadSize,"the specified payload is too large for the target's buffer length",caller)
+          end
+
+          buffer = pad(target.buffer_length - encoded_payload.length) + encoded_payload
+          ip_packed = pack(target.ip)
+
+          if target.bp
+            buffer << ((pack(target.bp) + ip_packed) * target.frame_repeat)
+          else
+            buffer << ((ip_packed * 2) * target.frame_repeat)
+          end
+
+          return buffer
+        end
+
+        #
+        # Default builder method which simply calls build_buffer.
+        #
+        def build
+          @buffer = build_buffer
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/helpers/format_string.rb

@@ -0,0 +1,107 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/targets/format_string'
+require 'ronin/exploits/helpers/binary'
+
+module Ronin
+  module Exploits
+    module Helpers
+      module FormatString
+        def self.included(base)
+          base.module_eval do
+            include Ronin::Exploits::Helpers::Binary
+
+            has n, :targets,
+                   :class_name => 'Ronin::Exploits::Targets::FormatString'
+
+            # The built format string
+            attr_reader :format_string
+          end
+        end
+
+        def self.extended(obj)
+          obj.instance_eval do
+            extend Ronin::Exploits::Helpers::Binary
+
+            #
+            # Returns the format string of the exploit.
+            #
+            def format_string
+              @format_string
+            end
+          end
+        end
+
+        #
+        # Adds a new Targets::FormatString with the given _attributes_
+        # and _block_.
+        #
+        def targeting(attributes={},&block)
+          self.targets << Targets::FormatString.new(attributes,&block)
+        end
+
+        protected
+
+        #
+        # Builds a format string using the current target and payload to
+        # be used in the format string exploit.
+        #
+        def build_format_string
+          verify_target!
+
+          buffer = pack(target.overwrite) + 
+                   pack(target.overwrite + (target.arch.address_length / 2))
+
+          low_mask = 0xff
+          (target.arch.address_length/2).times do
+            low_mask <<= 8
+            low_mask |= 0xff
+          end
+
+          high_mask = low_mask << (target.arch.address_length*4)
+          high = (target.address & high_mask) >> (target.arch.address_length/2)
+          low = target.address & low_mask
+
+          if low < high
+            low -= (target.arch.address_length*2)
+            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
+          else
+            high -= (target.arch.address_length*2)
+            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
+          end
+
+          buffer << encoded_payload
+          return buffer
+        end
+
+        #
+        # The default builder method, simply calls build_format_string.
+        #
+        def build
+          @format_string = build_format_string
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/helpers/padding.rb

@@ -0,0 +1,84 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/formatting/text'
+
+module Ronin
+  module Exploits
+    module Helpers
+      module Padding
+        def self.included(base)
+          base.module_eval do
+            # String to pad extra space with
+            parameter :padding,
+                      :default => 'A',
+                      :description => 'padding string'
+          end
+        end
+
+        def self.extended(obj)
+          obj.instance_eval do
+            # String to pad extra space with
+            parameter :padding,
+                      :default => 'A',
+                      :description => 'padding string'
+          end
+        end
+
+        protected
+
+        #
+        # Returns padding with the specified _max_length_.
+        #
+        #   pad(28)
+        #   # => "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        #
+        def pad(max_length)
+          ''.pad(@padding.to_s,max_length)
+        end
+
+        #
+        # Pads the specified _data_ to the left up to the specified
+        # _max_length_.
+        #
+        #   pad_left("\xff\xff",48)
+        #   # => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xff\xff"
+        #
+        def pad_left(data,max_length)
+          pad(max_length - data.length) + data
+        end
+
+        #
+        # Pads the specified _data_ to the right up to the specified
+        # _max_length_.
+        #
+        #   pad_right("\xff\xff",48)
+        #   # => "\xff\xffAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        #
+        def pad_right(data,max_length)
+          data.to_s.pad(@padding,max_length)
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/http.rb

@@ -0,0 +1,37 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/exploits/remote_tcp'
+
+module Ronin
+  module Exploits
+    class HTTP < RemoteTCP
+
+      contextify :ronin_http_exploit
+
+      # Default port to connect to
+      property :default_port, Integer, :default => 80
+
+    end
+  end
+end

data/lib/ronin/exploits/{requirement.rb → local.rb}

@@ -21,25 +21,13 @@
 #++
 #
 
-require 'ronin/vuln/behavior'
 require 'ronin/exploits/exploit'
 
-require 'ronin/model'
-
 module Ronin
   module Exploits
-    class Requirement
-
-      include Model
-
-      # The behavior which is required
-      belongs_to :behavior, :class_name => 'Vuln::Behavior'
-
-      # The exploit which requires the behavior
-      belongs_to :exploit
+    class Local < Exploit
 
-      # Validates
-      validates_present :behavior_id, :exploit_id
+      contextify :ronin_local_exploit
 
     end
   end