ronin-exploits 0.2.0 → 0.2.1

data/History.txt

@@ -1,3 +1,30 @@
+=== 0.2.1 / 2009-07-02
+
+* Use Hoe >= 2.0.0.
+* Require ronin >= 0.2.4.
+* Added Ronin::Model::TargetsArch.
+* Added Ronin::Model::TargetsOS.
+* Added Ronin::Mode::HasDefaultPort.
+* Added Exploit#deployed?.
+* Added Exploit#inspect.
+* Added Exploits::Helpers::FileBased.
+* Added Exploits::Web#http_method.
+* Added Exploits::Web#targeted_url_path.
+* Added Payload#inspect.
+* Added Payload#call method.
+* Renamed Exploit#exploit to Exploit#call.
+* Renamed Payloads::Helpers::Unimplemented to
+  Payloads::Helpers::NotImplemented.
+* Renamed RPC#call to RPC#call_method.
+* Removed Exploit#switch_payload.
+* Moved verifier methods into Exploits::Verifiers.
+* Allow Exploit#allow to accept multiple behaviors.
+* Include UI::Diagnostics into Ronin::Exploits::Exploit.
+* Include Sessions::HTTP into Exploits::Web.
+* Include UI::Diagnostics into Ronin::Payloads::Payload.
+* Allow Payload#controlling to accept multiple behaviors.
+* Added more specs.
+
 === 0.2.0 / 2009-04-11
 
 * Added Ronin::TargetedArch.

data/Manifest.txt

@@ -7,9 +7,7 @@ TODO.txt
 bin/ronin-payload
 bin/ronin-payloads
 bin/ronin-exploits
-lib/ronin/targeted_arch.rb
-lib/ronin/targeted_os.rb
-lib/ronin/targeted_product.rb
+lib/ronin/model/has_default_port.rb
 lib/ronin/model/targets_arch.rb
 lib/ronin/model/targets_os.rb
 lib/ronin/vuln/behavior.rb
@@ -21,7 +19,13 @@ lib/ronin/exploits/exceptions/target_data_missing.rb
 lib/ronin/exploits/exceptions/exploit_not_built.rb
 lib/ronin/exploits/exceptions/restricted_char.rb
 lib/ronin/exploits/exceptions/payload_size.rb
+lib/ronin/exploits/arch.rb
+lib/ronin/exploits/os.rb
+lib/ronin/exploits/license.rb
+lib/ronin/exploits/product.rb
+lib/ronin/exploits/verifiers.rb
 lib/ronin/exploits/helpers.rb
+lib/ronin/exploits/helpers/file_based.rb
 lib/ronin/exploits/helpers/binary.rb
 lib/ronin/exploits/helpers/padding.rb
 lib/ronin/exploits/helpers/buffer_overflow.rb
@@ -44,12 +48,15 @@ lib/ronin/exploits/version.rb
 lib/ronin/payloads.rb
 lib/ronin/payloads/exceptions.rb
 lib/ronin/payloads/exceptions/unknown_helper.rb
+lib/ronin/payloads/license.rb
+lib/ronin/payloads/arch.rb
+lib/ronin/payloads/os.rb
 lib/ronin/payloads/encoder.rb
 lib/ronin/payloads/encoders.rb
 lib/ronin/payloads/encoders/xor.rb
 lib/ronin/payloads/helpers.rb
 lib/ronin/payloads/helpers/exceptions.rb
-lib/ronin/payloads/helpers/exceptions/unimplemented.rb
+lib/ronin/payloads/helpers/exceptions/not_implemented.rb
 lib/ronin/payloads/helpers/exceptions/program_not_found.rb
 lib/ronin/payloads/helpers/file_system.rb
 lib/ronin/payloads/helpers/shell.rb
@@ -58,6 +65,7 @@ lib/ronin/payloads/control.rb
 lib/ronin/payloads/payload_author.rb
 lib/ronin/payloads/payload.rb
 lib/ronin/payloads/binary_payload.rb
+lib/ronin/payloads/asm_payload.rb
 lib/ronin/payloads/nops.rb
 lib/ronin/payloads/shellcode.rb
 lib/ronin/payloads/web_payload.rb
@@ -69,9 +77,16 @@ spec/spec_helper.rb
 spec/helpers/database.rb
 spec/helpers/objects.rb
 spec/objects/exploits/test.rb
+spec/objects/exploits/example.rb
 spec/objects/payloads/test.rb
-spec/objects/payloads/example.rb
 spec/exploits_spec.rb
+spec/model/models/default_port_model.rb
+spec/model/models/non_default_port_model.rb
+spec/model/models/targets_arch_model.rb
+spec/model/models/targets_os_model.rb
+spec/model/has_default_port_spec.rb
+spec/model/targets_arch_spec.rb
+spec/model/targets_os_spec.rb
 spec/vuln/behavior_spec.rb
 spec/exploits/targets/buffer_overflow_spec.rb
 spec/exploits/target_spec.rb
@@ -81,6 +96,7 @@ spec/exploits/remote_udp_spec.rb
 spec/exploits/ftp_spec.rb
 spec/exploits/http_spec.rb
 spec/exploits/web_spec.rb
+spec/exploits/file_based_exploit_spec.rb
 spec/exploits/binary_exploit_spec.rb
 spec/exploits/padding_exploit_spec.rb
 spec/exploits/buffer_overflow_exploit_spec.rb

data/README.txt

@@ -71,32 +71,51 @@ of Ronin.
 * Define a shellcode payload:
 
     ronin_shellcode do
+      #
+      # Cacheable data.
+      #
       cache do
         self.name = 'test'
         self.version = '0.5'
+        self.description = %{This is an example shellcode payload.}
+
+        author(:name => 'Postmodern', :organization => 'SophSec')
 
         self.arch :i686
         self.os :name => 'Linux'
       end
 
+      #
+      # Configurable parameters.
+      #
       parameter :exit_status,
                 :default => 0,
                 :description => 'Exit status of shellcode'
 
+      #
+      # Builds the assembly payload, which will call the SYS_EXIT
+      # syscall with the exit_status of the shellcode.
+      #
       def build
         @payload = "\x66\x31\xc0\xfe\xc0"
 
-	unless @exit_status == 0
-          @payload << "\xb3#{@exit_status.chr}\xcd\x80"
+        unless @exit_status == 0
+          @payload << "\xb3#{@exit_status.chr}"
         else
-          @payload << "\x66\x31\xdb\xcd\x80"
+          @payload << "\x66\x31\xdb"
         end
+
+        @payload << "\xcd\x80"
+        return @payload
       end
     end
 
 * Define a payload encoder:
 
     ronin_payload_encoder do
+      #
+      # Cacheable data.
+      #
       cache do
         self.name = 'base64_encode'
         self.description = %{Example base64 payload encoder}
@@ -105,6 +124,9 @@ of Ronin.
         self.os :name => 'Linux'
       end
 
+      #
+      # Base64 encodes the specified _data_.
+      #
       def call(data)
         return data.to_s.base64_encode
       end
@@ -115,8 +137,17 @@ of Ronin.
     ronin_remote_tcp_exploit do
       helper :buffer_overflow
 
+      #
+      # Cacheable data.
+      #
       cache do
         self.name = 'test'
+        self.description = %{This is an example exploit.}
+
+        self.status = :potential
+        self.disclosure = [:in_wild, :public]
+
+        author(:name => 'Postmodern', :organization => 'SophSec')
 
         targeting do |target|
           target.arch :i686
@@ -125,10 +156,16 @@ of Ronin.
         end
       end
 
+      #
+      # Builds the exploit.
+      #
       def build
         @buffer = "USER #{build_buffer}\n"
       end
 
+      #
+      # Deploys the built exploit.
+      #
       def deploy
         tcp_send @buffer
       end

data/Rakefile

@@ -2,14 +2,14 @@
 
 require 'rubygems'
 require 'hoe'
+require 'hoe/signing'
 require './tasks/spec.rb'
-require './lib/ronin/exploits/version.rb'
 
-Hoe.new('ronin-exploits', Ronin::Exploits::VERSION) do |p|
-  p.rubyforge_name = 'ronin'
-  p.developer('Postmodern', 'postmodern.mod3@gmail.com')
-  p.remote_rdoc_dir = 'docs/ronin-exploits'
-  p.extra_deps = [['ronin', '>=0.2.3']]
+Hoe.spec('ronin-exploits') do
+  self.rubyforge_name = 'ronin'
+  self.developer('Postmodern', 'postmodern.mod3@gmail.com')
+  self.remote_rdoc_dir = 'docs/ronin-exploits'
+  self.extra_deps = [['ronin', '>=0.2.4']]
 end
 
 # vim: syntax=Ruby

data/TODO.txt

@@ -1,16 +1,19 @@
 == TODO:
 
-=== Ronin Exploits 0.1.1:
+=== Ronin Exploits 0.2.1:
 
-* Add more dm-scope methods for finding exploits and payloads based:
-  * Target attributes:
-    * Arch (name).
-    * OS (name, version).
-  * Authors
-* Spec exploit/payload relations and dm-scope methods.
-* Add methods for chaining exploits.
+* Integreate with DataMapper 0.10.0.
 
-=== Ronin Exploits 0.2.0:
+=== Ronin Exploits 0.2.2:
+
+* Move RPC code out of ronin and into ronin-exploits:
+  * Define base XMLRPC Client, Call and Response classes.
+  * Define base JSONRPC Client, Call and Response classes.
+* Prepare Ronin::Payloads::Payload to use RPC.
+* Add top-level methods to Ronin::Exploits and Ronin::Payloads:
+  * Goal: Deploy an exploit/payload in one-line of code.
+
+=== Longterm:
 
 * Design a basic Vulnerability Scanner class:
   * Scan networks of hosts.

data/lib/ronin/exploits/allow.rb

@@ -38,7 +38,7 @@ module Ronin
       # The behavior which is allowed
       belongs_to :behavior,
                  :child_key => [:behavior_id],
-                 :class_name => '::Ronin::Vuln::Behavior'
+                 :class_name => 'Ronin::Vuln::Behavior'
 
       # The exploit which facilitates the behavior
       belongs_to :exploit

data/lib/ronin/{targeted_arch.rb → exploits/arch.rb}

@@ -24,15 +24,11 @@
 require 'ronin/arch'
 
 module Ronin
-  class TargetedArch < Arch
+  class Arch
 
     # The exploit targets for the Arch
     has n, :targets,
            :class_name => 'Ronin::Exploits::Target'
 
-    # The payloads which target the Arch
-    has n, :payloads,
-           :class_name => 'Ronin::Payloads::Payload'
-
   end
 end

data/lib/ronin/exploits/exploit.rb

@@ -26,13 +26,18 @@ require 'ronin/exploits/exceptions/target_unspecified'
 require 'ronin/exploits/exceptions/target_data_missing'
 require 'ronin/exploits/exceptions/restricted_char'
 require 'ronin/exploits/exceptions/exploit_not_built'
+require 'ronin/exploits/license'
+require 'ronin/exploits/verifiers'
 require 'ronin/exploits/exploit_author'
 require 'ronin/exploits/target'
 require 'ronin/exploits/allow'
-require 'ronin/payloads/payload'
 require 'ronin/vuln/behavior'
 require 'ronin/cacheable'
-require 'ronin/has_license'
+require 'ronin/model/has_name'
+require 'ronin/model/has_description'
+require 'ronin/model/has_version'
+require 'ronin/model/has_license'
+require 'ronin/ui/diagnostics'
 
 require 'parameters'
 require 'chars/char_set'
@@ -43,22 +48,18 @@ module Ronin
 
       include Parameters
       include Cacheable
-      include HasLicense
+      include Model::HasName
+      include Model::HasDescription
+      include Model::HasVersion
+      include Model::HasLicense
+      include UI::Diagnostics
+      include Verifiers
 
       contextify :ronin_exploit
       
       # Primary key of the exploit
       property :id, Serial
 
-      # Name of the exploit
-      property :name, String, :index => true
-
-      # Version of the exploit
-      property :version, String, :default => '0.1', :index => true
-
-      # Description of the exploit
-      property :description, Text
-
       # The status of the exploit (either, :potential, :proven or
       # :weaponized)
       property :status, Enum[
@@ -110,8 +111,11 @@ module Ronin
       def initialize(attributes={},&block)
         super(attributes)
 
+        initialize_params(attributes)
+
         @target = nil
         @built = false
+        @deployed = false
 
         @restricted_chars = Chars::CharSet.new
         @encoders = []
@@ -119,28 +123,6 @@ module Ronin
         instance_eval(&block) if block
       end
 
-      #
-      # Finds all exploits with names like the specified _name_.
-      #
-      def self.named(name)
-        self.all(:name.like => "%#{name}%")
-      end
-
-      #
-      # Finds all exploits with descriptions like the specified
-      # _description_.
-      #
-      def self.describing(description)
-        self.all(:description.like => "%#{description}%")
-      end
-
-      #
-      # Finds the exploit with the most recent vesion.
-      #
-      def self.latest
-        self.first(:order => [:version.desc])
-      end
-
       #
       # Adds an ExploitAuthor with the given _attributes_ to the exploit.
       # If a _block_ is given, it will be passed to the newly created
@@ -155,12 +137,14 @@ module Ronin
       end
 
       #
-      # Adds a new Allow object granting the specified _behavior_.
+      # Adds a new Allow object granting the specified _behaviors_.
       #
-      #   allowing :code_exec
+      #   allowing :code_exec, :auth_bypass
       #
-      def allowing(behavior)
-        self.allows << Allow.new(:behavior => Vuln::Behavior[behavior])
+      def allowing(*behaviors)
+        behaviors.each do |behavior|
+          self.allows << Allow.new(:behavior => Vuln::Behavior[behavior])
+        end
       end
 
       #
@@ -260,37 +244,14 @@ module Ronin
       end
 
       #
-      # Switches to the _new_payload_ then calls the specified _block_.
-      # After the _block_ has been called the payload will be reverted to
-      # it's previous value.
-      #
-      def switch_payload(new_payload,&block)
-        old_payload = @payload
-        @payload = new_payload
-
-        block.call(self)
-
-        @payload = old_payload
-        return self
-      end
-
-      #
-      # Builds and encodes the current payload, returning the encoded
-      # payload in String form.
+      # Encodes the current payload, returning the encoded payload in
+      # String form.
       #
       def encode_payload!
         @encoded_payload = ''
 
         if @payload
-          if @payload.class.include?(Parameters)
-            @payload.params = self.params
-          end
-
-          if @payload.kind_of?(Payloads::Payload)
-            @encoded_payload = @payload.build!
-          else
-            @encoded_payload = @payload.to_s
-          end
+          @encoded_payload = @payload.to_s
 
           @encoders.each do |encoder|
             if (new_payload = encoder.call(@encoded_payload))
@@ -317,7 +278,7 @@ module Ronin
       #
       def build!(options={})
         if options[:payload]
-          @payload ||= options.delete(:payload)
+          @payload = options.delete(:payload)
         end
 
         self.params = options
@@ -346,30 +307,37 @@ module Ronin
       end
 
       #
-      # Deploys the exploit. If a _block_ is given and the payload used is
-      # a kind of Payload, then the payloads deploy method will be passed
-      # the given _block_. If the payload used is not a kind of Payload and
-      # a _block_ is given, the _block_ will be passed to the exploits
-      # deploy method. If the exploit has not been previously built, an
-      # ExploitNotBuilt exception will be raised.
+      # Returns +true+ if the exploit has previously been deployed, returns
+      # +false+ otherwise.
+      #
+      def deployed?
+        @deployed == true
+      end
+
+      #
+      # Verifies then deploys the exploit with the given _block_. If a
+      # _block_ is given, it will be passed the deployed exploit. If the
+      # exploit has not been previously built, an ExploitNotBuilt exception
+      # will be raised.
       #
       def deploy!(&block)
         verify!
 
-        if @payload.kind_of?(Payloads::Payload)
-          deploy()
+        @deployed = false
 
-          return @payload.deploy!(&block)
-        else
-          return deploy(&block)
-        end
+        deploy()
+
+        @deployed = true
+
+        block.call(self) if block
+        return self
       end
 
       #
       # Builds the exploit with the given _options_, then deploys the
       # exploit with the given _block_.
       #
-      def exploit!(options={},&block)
+      def call(options={},&block)
         build!(options)
 
         return deploy!(&block)
@@ -382,6 +350,16 @@ module Ronin
         "#{self.name} #{self.version}"
       end
 
+      #
+      # Inspects the contents of the exploit.
+      #
+      def inspect
+        str = "#{self.class}: #{self}"
+        str << " #{self.params.inspect}" unless self.params.empty?
+
+        return "#<#{str}>"
+      end
+
       protected
 
       #
@@ -399,7 +377,9 @@ module Ronin
 
         begin
           require File.join('ronin','exploits','helpers',name)
-        rescue LoadError
+        rescue Gem::LoadError => e
+          raise(e)
+        rescue ::LoadError
           raise(UnknownHelper,"unknown helper #{name.dump}",caller)
         end
 
@@ -417,55 +397,6 @@ module Ronin
         return true
       end
 
-      #
-      # Verifies that a target has been selected. If a target has not been
-      # selected, a TargetUnspecified exception will be raised, otherwise
-      # +true+ will be returned.
-      #
-      def verify_target!
-        if target.nil?
-          raise(TargetUnspecified,"no suitable target provided",caller)
-        end
-
-        return true
-      end
-
-      #
-      # Verifies that the selected target has an arch property.
-      # If the selected target does not have an arch property, a
-      # TargetDataMissing exception will be raised, otherwise
-      # +true+ will be return.
-      #
-      def verify_arch!
-        if arch.nil?
-          raise(TargetDataMissing,"no suitable arch was provided",caller)
-        end
-      end
-
-      #
-      # Verifies that the selected target has an os property.
-      # If the selected target does not have an os property, a
-      # TargetDataMissing exception will be raised, otherwise
-      # +true+ will be return.
-      #
-      def verify_os!
-        if os.nil?
-          raise(TargetDataMissing,"no suitable os was provided",caller)
-        end
-      end
-
-      #
-      # Verifies that the selected target has an product property.
-      # If the selected target does not have an product property, a
-      # TargetDataMissing exception will be raised, otherwise
-      # +true+ will be return.
-      #
-      def verify_product!
-        if product.nil?
-          raise(TargetDataMissing,"no suitable product was provided",caller)
-        end
-      end
-
       #
       # Returns +true+ if the specified _text_ contains any restricted
       # characters, returns +false+ otherwise.
@@ -478,22 +409,6 @@ module Ronin
         return false
       end
 
-      #
-      # Raises a RestrictedChar exception if the specified _text_ contains
-      # any restricted characters, returns +true+ otherwise.
-      #
-      def verify_restricted!(text)
-        found = @restricted_chars.select { |char|
-          text.include?(char)
-        }.map { |char| char.dump }
-
-        unless found.empty?
-          raise(RestrictedChar,"restricted characters #{found.join(', ')} was detected in #{text.dump}",caller)
-        end
-
-        return true
-      end
-
       #
       # Default build method.
       #