ronin-exploits 0.1.1 → 0.2.0

data/lib/ronin/ui/command_line/commands/payload.rb

@@ -0,0 +1,106 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/payloads'
+require 'ronin/ui/command_line/command'
+require 'ronin/ui/verbose'
+require 'ronin/database'
+
+require 'parameters/parser'
+
+module Ronin
+  module UI
+    module CommandLine
+      module Commands
+        class Payload < Command
+
+          include Parameters::Parser
+
+          def defaults
+            @path = nil
+            @query = {}
+            @params = {}
+          end
+
+          def define_options(opts)
+            opts.usage = '[options] [NAME]'
+
+            opts.options do
+              opts.on('-D','--database URI','The URI for the database') do |uri|
+                Database.config = uri.to_s
+              end
+
+              opts.on('-p','--param NAME=VALUE','Add a parameter NAME and VALUE') do |name_and_value|
+                @params.merge!(Parser.parse_param(name_and_value))
+              end
+
+              opts.on('-f','--file PATH','Load the payload from the specified FILE') do |path|
+                @path = path
+              end
+
+              opts.on('-v','--verbose','Enables verbose output') do
+                UI::Verbose.enable!
+              end
+
+              opts.on('-V','--version VERSION','Use the payload with the specified VERSION') do |version|
+                @query[:version] = version.to_s
+              end
+            end
+
+            opts.arguments(
+              'NAME' => 'The NAME of the payload to load'
+            )
+
+            opts.summary %{
+              Build the specified payload
+            }
+          end
+
+          def arguments(*args)
+            Database.setup!
+
+            # Load the payload
+            if @path
+              payload = Payloads::Payload.load_from(@path)
+            elsif args.length >= 1
+              @query[:name] = args.first
+
+              unless (payload = Payloads::Payload.first(@query))
+                fail("could not find the specified payload")
+              end
+            else
+              fail("must either specify a payload NAME or a PATH")
+            end
+
+            # Build the payload
+            payload.build!(@params)
+
+            # Dump the built payload
+            puts payload.payload.dump
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/ui/command_line/commands/payloads.rb

@@ -0,0 +1,73 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#++
+#
+
+require 'ronin/ui/command_line/command'
+
+require 'ronin/payloads'
+require 'ronin/database'
+
+module Ronin
+  module UI
+    module CommandLine
+      module Commands
+        class Payloads < Command
+
+          def defaults
+            @query = {}
+          end
+
+          def define_options(opts)
+            opts.usage = '[options]'
+
+            opts.options do
+              opts.on('-D','--database URI','The URI for the database') do |uri|
+                Database.config = uri.to_s
+              end
+
+              opts.on('-n','--name NAME','Search for payloads with the similar NAME') do |name|
+                @query[:name.like] = name.to_s
+              end
+
+              opts.on('-v','--version VERSION','Search for payloads with the similar VERSION') do |version|
+                @query[:version.like] = version.to_s
+              end
+            end
+          end
+
+          def arguments(*args)
+            Database.setup!
+
+            payloads = Ronin::Payloads::Payload.all(@query)
+
+            if payloads.empty?
+              fail("could not find similar payloads")
+            end
+
+            payloads.each { |payload| puts "  #{payload.name}" }
+          end
+
+        end
+      end
+    end
+  end
+end

data/spec/exploits/binary_exploit_spec.rb

@@ -0,0 +1,44 @@
+require 'ronin/exploits/local'
+require 'ronin/exploits/helpers/binary'
+
+require 'spec_helper'
+
+describe Exploits::Helpers::Binary do
+  before(:all) do
+    @exploit = Exploits::Local.new do
+      helper :binary
+
+      targeting(:arch => Arch.i686)
+      targeting(:arch => nil)
+
+      def pack_integer
+        pack(0xffffaaaa)
+      end
+
+      def pack_integer_with_address_length
+        pack(0xffffaaaa,2)
+      end
+    end
+  end
+
+  it "should require a targeted arch" do
+    @exploit.target = @exploit.targets.last
+    @exploit.target.arch.should be_nil
+
+    lambda {
+      @exploit.pack_integer
+    }.should raise_error(Exploits::TargetDataMissing)
+  end
+
+  it "should be able to pack an integer" do
+    @exploit.target = @exploit.targets.first
+
+    @exploit.pack_integer.should == "\xaa\xaa\xff\xff"
+  end
+
+  it "should be able to pack an integer with an address length" do
+    @exploit.target = @exploit.targets.first
+
+    @exploit.pack_integer_with_address_length.should == "\xaa\xaa"
+  end
+end

data/spec/exploits/buffer_overflow_exploit_spec.rb

@@ -0,0 +1,70 @@
+require 'ronin/exploits/local'
+require 'ronin/exploits/helpers/buffer_overflow'
+
+require 'spec_helper'
+
+describe Exploits::Helpers::BufferOverflow do
+  before(:all) do
+    @exploit = Exploits::Local.new do
+      helper :buffer_overflow
+
+      self.name = 'example_bof'
+
+      targeting do |target|
+        target.arch = Arch.i686
+        target.buffer_length = 256
+        target.ip = 0xffffaaaa
+      end
+
+      targeting do |target|
+        target.arch = Arch.i686
+        target.buffer_length = 256
+        target.bp = 0xffffbbbb
+        target.ip = 0xffffaaaa
+      end
+
+      targeting do |target|
+        target.arch = Arch.i686
+        target.buffer_length = 256
+        target.bp = 0xffffbbbb
+        target.ip = 0xffffaabb
+        target.frame_repeat = 2
+      end
+    end
+  end
+
+  it "should use Targets::BufferOverflow for targets" do
+    @exploit.targets.all? { |target|
+      target.class == Exploits::Targets::BufferOverflow
+    }.should == true
+  end
+
+  it "should build a buffer overflow" do
+    @exploit.target = @exploit.targets[0]
+    @exploit.build!
+
+    @exploit.buffer.length.should == (256 + 4*2)
+    @exploit.buffer[256,4].should == "\xaa\xaa\xff\xff"
+    @exploit.buffer[260,4].should == "\xaa\xaa\xff\xff"
+  end
+
+  it "should build a buffer overflow that includes the BP" do
+    @exploit.target = @exploit.targets[1]
+    @exploit.build!
+
+    @exploit.buffer.length.should == (256 + 4*2)
+    @exploit.buffer[256,4].should == "\xbb\xbb\xff\xff"
+    @exploit.buffer[260,4].should == "\xaa\xaa\xff\xff"
+  end
+
+  it "should build a buffer overflow that has repeating stack frames" do
+    @exploit.target = @exploit.targets[2]
+    @exploit.build!
+
+    @exploit.buffer.length.should == (256 + 4*4)
+    @exploit.buffer[256,4].should == "\xbb\xbb\xff\xff"
+    @exploit.buffer[260,4].should == "\xbb\xaa\xff\xff"
+    @exploit.buffer[264,4].should == "\xbb\xbb\xff\xff"
+    @exploit.buffer[268,4].should == "\xbb\xaa\xff\xff"
+  end
+end

data/spec/exploits/exploit_spec.rb

@@ -1,18 +1,16 @@
 require 'ronin/exploits/exploit'
 
 require 'spec_helper'
+require 'helpers/objects'
 
 describe Exploits::Exploit do
   before(:each) do
-    @exp = Exploits::Exploit.new(:name => 'test') do
-      def builder
-        'result'
-      end
-    end
+    @exploit = load_exploit('test')
+    @payload = load_payload('example')
   end
 
   it "should require a name attribute" do
-    exp2 = Exploits::Exploit.new(:object_path => 'test.rb')
+    exp2 = Exploits::Exploit.new
     exp2.should_not be_valid
 
     exp2.name = 'test'
@@ -21,60 +19,159 @@ describe Exploits::Exploit do
 
   it "should have a unique name and version" do
     first_exp = Exploits::Exploit.create(
-      :object_path => 'test.rb',
-      :name => 'test',
+      :name => 'test2',
       :version => '0.0.1'
     )
     first_exp.should be_valid
 
     second_exp = Exploits::Exploit.new(
-      :object_path => 'other.rb',
-      :name => 'test',
+      :name => 'test2',
       :version => '0.0.1'
     )
     second_exp.should_not be_valid
 
     third_exp = Exploits::Exploit.new(
-      :object_path => 'other.rb',
-      :name => 'test',
+      :name => 'test2',
       :version => '0.0.2'
     )
     third_exp.should be_valid
   end
 
+  it "should not have any allowances by default" do
+    @exploit.allows.should be_empty
+  end
+
+  it "should specify the behaviors allowed by the exploit" do
+    @exploit.allowing :memory_read
+
+    @exploit.behaviors.first.should == Vuln::Behavior[:memory_read]
+  end
+
+  it "should allow for the extending of Helper modules" do
+    @exploit.instance_eval { helper :padding }.should == true
+  end
+
+  it "should raise an UnknownHelper when extending an unknown helper" do
+    lambda {
+      @exploit.instance_eval { helper :obvious_not_there }
+    }.should raise_error(Exploits::UnknownHelper)
+  end
+
+  it "should have targeted Archs" do
+    @exploit.targeted_archs.should == [Arch.i686, Arch.i386]
+  end
+
+  it "should have targeted OSes" do
+    @exploit.targeted_oses.should == [
+      OS.linux_version('2.6.23'),
+      OS.windows_version('7.1')
+    ]
+  end
+
+  it "should have targeted products" do
+    @exploit.targeted_products.all? { |product|
+      product.name == 'ExampleWare' && product.version == '1.5'
+    }.should == true
+  end
+
+  it "should allow the explicit selection of a target" do
+    @exploit.select_target { |target| target.arch == Arch.i686 }
+
+    @exploit.target.arch.should == Arch.i686
+  end
+
+  it "should have a default target" do
+    @exploit.target.should_not be_nil
+
+    @exploit.target.arch.should == Arch.i686
+
+    @exploit.target.os.name.should == 'Linux'
+    @exploit.target.os.version.should == '2.6.23'
+  end
+
+  it "should have a default targeted Arch" do
+    @exploit.arch.should == Arch.i686
+  end
+
+  it "should have a default targeted OS" do
+    @exploit.os.should == OS.linux_version('2.6.23')
+  end
+
+  it "should have a default targeted Product" do
+    @exploit.product.name.should == 'ExampleWare'
+    @exploit.product.version.should == '1.5'
+  end
+
   it "should be able to switch between payloads" do
-    @exp.payload = 'payload1'
+    @exploit.payload = @payload
 
-    @exp.switch_payload('payload2') do
-      @exp.payload.should == 'payload2'
+    @exploit.switch_payload('other_payload') do
+      @exploit.payload.should == 'other_payload'
     end
 
-    @exp.payload.should == 'payload1'
+    @exploit.payload.should == @payload
+  end
+
+  it "should build the payload if it is a kind of Payloads::Payload" do
+    @exploit.payload = @payload
+    @exploit.encode_payload!
+
+    @exploit.payload.should be_built
+  end
+
+  it "should share parameters with the payload if it is a kind of Payloads::Payload" do
+    @exploit.payload = @payload
+    @exploit.encode_payload!
+
+    @payload.var.should == @exploit.var
+  end
+
+  it "should encode a String payload" do
+    @exploit.payload = 'data'
+
+    @exploit.encode_payload!
+    @exploit.encoded_payload.should == 'data'
+  end
+
+  it "should encode a String using encoders" do
+    @exploit.payload = 'data'
+    @exploit.encoders << lambda { |payload| payload.upcase }
+
+    @exploit.encode_payload!
+    @exploit.encoded_payload.should == 'DATA'
+  end
+
+  it "should ignore payload encoders which return nil" do
+    @exploit.payload = 'data'
+    @exploit.encoders << lambda { |payload| nil }
+
+    @exploit.encode_payload!
+    @exploit.encoded_payload.should == 'data'
   end
 
   it "should have 'unbuilt' and 'built' states" do
-    @exp.should_not be_built
-    @exp.build
-    @exp.should be_built
+    @exploit.should_not be_built
+    @exploit.build!
+    @exploit.should be_built
   end
 
   it "should return the result of the builder" do
-    @exp.build.should == 'result'
+    @exploit.build!.should == 'result'
   end
 
   it "should require the exploit is built before being deployed" do
-    lambda { @exp.deploy }.should raise_error(Exploits::ExploitNotBuilt)
+    lambda { @exploit.deploy! }.should raise_error(Exploits::ExploitNotBuilt)
   end
 
   it "should have a default deployer method" do
-    @exp.build
+    @exploit.build!
 
-    @exp.deploy do |exploit|
-      @exp.should == exploit
+    @exploit.deploy! do |exploit|
+      @exploit.should == exploit
     end
   end
 
   it "should return the name and the version when calling to_s" do
-    @exp.to_s.should == 'test 0.1'
+    @exploit.to_s.should == 'test 0.2'
   end
 end