ronin-exploits 0.2.0 → 0.2.1
- data.tar.gz.sig +0 -0
- data/History.txt +27 -0
- data/Manifest.txt +21 -5
- data/README.txt +40 -3
- data/Rakefile +6 -6
- data/TODO.txt +12 -9
- data/lib/ronin/exploits/allow.rb +1 -1
- data/lib/ronin/{targeted_arch.rb → exploits/arch.rb} +1 -5
- data/lib/ronin/exploits/exploit.rb +59 -144
- data/lib/ronin/exploits/ftp.rb +4 -1
- data/lib/ronin/exploits/helpers.rb +1 -0
- data/lib/ronin/exploits/helpers/file_based.rb +113 -0
- data/lib/ronin/exploits/http.rb +10 -0
- data/lib/ronin/exploits/license.rb +34 -0
- data/lib/ronin/exploits/os.rb +34 -0
- data/lib/ronin/{targeted_product.rb → exploits/product.rb} +1 -1
- data/lib/ronin/exploits/remote_tcp.rb +2 -3
- data/lib/ronin/exploits/remote_udp.rb +2 -3
- data/lib/ronin/exploits/target.rb +8 -10
- data/lib/ronin/exploits/verifiers.rb +92 -0
- data/lib/ronin/exploits/version.rb +1 -1
- data/lib/ronin/exploits/web.rb +21 -1
- data/lib/ronin/model/has_default_port.rb +54 -0
- data/lib/ronin/model/targets_arch.rb +8 -10
- data/lib/ronin/model/targets_os.rb +9 -9
- data/lib/ronin/payloads.rb +1 -0
- data/lib/ronin/payloads/arch.rb +32 -0
- data/lib/ronin/payloads/asm_payload.rb +34 -0
- data/lib/ronin/payloads/encoder.rb +24 -18
- data/lib/ronin/payloads/helpers/exceptions.rb +2 -1
- data/lib/ronin/payloads/helpers/exceptions/{unimplemented.rb → not_implemented.rb} +1 -1
- data/lib/ronin/payloads/helpers/file_system.rb +12 -12
- data/lib/ronin/payloads/helpers/rpc.rb +7 -7
- data/lib/ronin/payloads/helpers/shell.rb +2 -2
- data/lib/ronin/payloads/license.rb +34 -0
- data/lib/ronin/payloads/nops.rb +3 -1
- data/lib/ronin/{targeted_os.rb → payloads/os.rb} +1 -5
- data/lib/ronin/payloads/payload.rb +89 -41
- data/lib/ronin/payloads/shellcode.rb +4 -1
- data/lib/ronin/ui/command_line/commands/exploits.rb +1 -1
- data/lib/ronin/ui/command_line/commands/payload.rb +2 -2
- data/lib/ronin/ui/command_line/commands/payloads.rb +1 -1
- data/spec/exploits/exploit_spec.rb +12 -30
- data/spec/exploits/file_based_exploit_spec.rb +39 -0
- data/spec/exploits/ftp_spec.rb +1 -5
- data/spec/exploits/http_spec.rb +4 -4
- data/spec/exploits/remote_tcp_spec.rb +7 -3
- data/spec/exploits/remote_udp_spec.rb +7 -3
- data/spec/exploits/target_spec.rb +9 -2
- data/spec/exploits/targets/buffer_overflow_spec.rb +6 -2
- data/spec/exploits/web_spec.rb +6 -0
- data/spec/model/has_default_port_spec.rb +27 -0
- data/spec/model/models/default_port_model.rb +13 -0
- data/spec/model/models/non_default_port_model.rb +11 -0
- data/spec/model/models/targets_arch_model.rb +11 -0
- data/spec/model/models/targets_os_model.rb +11 -0
- data/spec/model/targets_arch_spec.rb +22 -0
- data/spec/model/targets_os_spec.rb +23 -0
- data/spec/objects/exploits/example.rb +25 -0
- data/spec/objects/exploits/test.rb +0 -4
- data/spec/objects/payloads/test.rb +5 -1
- data/spec/payloads/encoder_spec.rb +5 -1
- data/spec/payloads/payload_spec.rb +77 -14
- metadata +58 -13
- metadata.gz.sig +0 -0
- data/spec/objects/payloads/example.rb +0 -19
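--- a/data/lib/ronin/exploits/ftp.rb
+++ b/data/lib/ronin/exploits/ftp.rb
@@ -27,10 +27,13 @@ module Ronin
 module Exploits
 class FTP < RemoteTCP
 
+# Default port to connect to
+DEFAULT_PORT = 21
+
 contextify :ronin_ftp_exploit
 
 # Default port to connect to
-property :default_port, Integer
+property :default_port, Integer
 
 end
 end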
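Review bot: `DEFAULT_PORT = 21` on new line 31 is never referenced by the `property :default_port, Integer` redeclared on line 36, which still carries no `:default`, so the constant only takes effect if `Model::HasDefaultPort` (newly included by RemoteTCP in this release) reads it by name; either write `property :default_port, Integer, :default => DEFAULT_PORT` or drop the redeclaration once the mixin is confirmed to provide the property. http.rb carries the same redeclaration beside its own `DEFAULT_PORT`. has_default_port.rb is not in view, so whether the mixin already defines the property is inferred.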
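--- a/data/lib/ronin/exploits/helpers/file_based.rb
+++ b/data/lib/ronin/exploits/helpers/file_based.rb
@@ -0,0 +1,113 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/config'
+
+require 'set'
+require 'fileutils'
+
+module Ronin
+module Exploits
+module Helpers
+module FileBased
+def self.included(base)
+base.module_eval do
+parameter :output_dir,
+:default => Config::TMP_DIR,
+:description => 'Directory to save built file in'
+
+parameter :file_name,
+:default => 'exploit',
+:description => 'Name of the file'
+
+parameter :clean_file,
+:default => true,
+:description => 'Delete the file on exit'
+end
+end
+
+def self.extended(obj)
+obj.instance_eval do
+parameter :output_dir,
+:default => Config::TMP_DIR,
+:description => 'Directory to save built file in'
+
+parameter :file_name,
+:default => 'exploit',
+:description => 'Name of the file'
+
+parameter :clean_file,
+:default => true,
+:description => 'Delete the file on exit'
+end
+end
+
+#
+# List of files to delete later.
+#
+def FileBased.clean_files
+@@ronin_exploits_file_based_clean_files ||= Set[]
+end
+
+#
+# Will forcibly delete the files listed in FileBased.clean_files,
+# as well as empty the contents of FileBased.clean_files.
+#
+def FileBased.clean!
+FileBased.clean_files.each do |path|
+FileUtils.rm(path, :force => true)
+end
+
+FileBased.clean_files.clear
+return true
+end
+
+at_exit(&FileBased.method(:clean!))
+
+#
+# Returns the absolute path of the file to be built.
+#
+def file_path
+File.expand_path(::File.join(@output_dir,@file_name))
+end
+
+protected
+
+#
+# Opens the file to be built, passing a new File object to the given
+# _block_.
+#
+# file_open do |file|
+# file << 'some data'
+# end
+#
+def file_open(&block)
+path = self.file_path
+
+FileBased.clean_files << path if @clean_file
+return File.open(path,'w',&block)
+end
+end
+end
+end
+end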
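Review bot: `file_path` on new lines 90–92 joins the `file_name` parameter onto `output_dir` and expands the result without checking that it still lies under `output_dir`, so a value containing `..` resolves elsewhere; `file_open` then truncates that path with `'w'` and, when `clean_file` is set, `clean!` removes it at exit with `FileUtils.rm(path, :force => true)`. Both `file_name` and `output_dir` are operator parameters, so the exposure is to mis-set values rather than remote input, but a containment check in `file_path` keeps the write and the later delete inside the intended directory. Separately, with the default `file_name` of `'exploit'` under `Config::TMP_DIR`, `File.open(path,'w')` on line 108 follows an existing symlink at that predictable name; whether `TMP_DIR` is per-user is not visible here. The `included`/`extended` hooks declare the same three parameters twice, which a shared helper would avoid.
```ruby
def file_path
  base = File.expand_path(@output_dir)
  path = File.expand_path(::File.join(base, @file_name))

  unless path.start_with?(base + File::SEPARATOR)
    raise(ArgumentError, "file_name #{@file_name.dump} resolves outside of #{base}", caller)
  end

  return path
end
```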
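--- a/data/lib/ronin/exploits/http.rb
+++ b/data/lib/ronin/exploits/http.rb
@@ -22,16 +22,26 @@
 #
 
 require 'ronin/exploits/remote_tcp'
+require 'ronin/sessions/http'
 
 module Ronin
 module Exploits
 class HTTP < RemoteTCP
 
+# Default port to connect to
+DEFAULT_PORT = 80
+
+include Sessions::HTTP
+
 contextify :ronin_http_exploit
 
 # Default port to connect to
 property :default_port, Integer, :default => 80
 
+# The optional URL path prefix
+parameter :url_prefix,
+:description => 'Optional URL path prefix'
+
 end
 end
 end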
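Review bot: `property :default_port, Integer, :default => 80` on new line 39 repeats the literal that `DEFAULT_PORT` on line 32 now holds, so the two can drift; change it to `property :default_port, Integer, :default => DEFAULT_PORT`. Since RemoteTCP now includes `Model::HasDefaultPort`, this redeclaration may also duplicate the mixin's property, which is worth confirming against has_default_port.rb (not in view). The new `url_prefix` parameter carries no constraint on its form, so whether it must begin with `/` is left to the caller.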
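--- a/data/lib/ronin/exploits/license.rb
+++ b/data/lib/ronin/exploits/license.rb
@@ -0,0 +1,34 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/license'
+
+module Ronin
+class License
+
+# The exploits under the license
+has n, :exploits,
+:class_name => 'Ronin::Exploits::Exploit'
+
+end
+end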
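--- a/data/lib/ronin/exploits/os.rb
+++ b/data/lib/ronin/exploits/os.rb
@@ -0,0 +1,34 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+
+require 'ronin/os'
+
+module Ronin
+class OS
+
+# The exploit targets for the OS
+has n, :targets,
+:class_name => 'Ronin::Exploits::Target'
+
+end
+end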
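--- a/data/lib/ronin/exploits/remote_tcp.rb
+++ b/data/lib/ronin/exploits/remote_tcp.rb
@@ -22,19 +22,18 @@
 #
 
 require 'ronin/exploits/remote'
+require 'ronin/model/has_default_port'
 require 'ronin/sessions/tcp'
 
 module Ronin
 module Exploits
 class RemoteTCP < Remote
 
+include Model::HasDefaultPort
 include Sessions::TCP
 
 contextify :ronin_remote_tcp_exploit
 
-# Default port to connect to
-property :default_port, Integer
-
 # remote host to connect to
 parameter :host, :description => 'TCP remote host'
 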
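--- a/data/lib/ronin/exploits/remote_udp.rb
+++ b/data/lib/ronin/exploits/remote_udp.rb
@@ -22,19 +22,18 @@
 #
 
 require 'ronin/exploits/remote'
+require 'ronin/model/has_default_port'
 require 'ronin/sessions/udp'
 
 module Ronin
 module Exploits
 class RemoteUDP < Remote
 
+include Model::HasDefaultPort
 include Sessions::UDP
 
 contextify :ronin_remote_udp_exploit
 
-# Default port to connect to
-property :default_port, Integer
-
 # remote host to connect to
 parameter :host, :description => 'UDP remote host'
 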
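--- a/data/lib/ronin/exploits/target.rb
+++ b/data/lib/ronin/exploits/target.rb
@@ -22,10 +22,10 @@
 #
 
 require 'ronin/exploits/exceptions/target_data_missing'
+require 'ronin/exploits/product'
 require 'ronin/model/targets_arch'
 require 'ronin/model/targets_os'
 require 'ronin/model'
-require 'ronin/targeted_product'
 
 require 'dm-types/yaml'
 
@@ -44,9 +44,7 @@ module Ronin
 property :description, String
 
 # Targeted product
-belongs_to :product
-:child_key => [:product_id],
-:class_name => 'Ronin::TargetedProduct'
+belongs_to :product
 
 # The exploit the target belongs to
 belongs_to :exploit
@@ -65,20 +63,20 @@ module Ronin
 end
 
 #
-# Returns the
-#
-#
+# Returns the Product if no _arguments_ are given. If _arguments_ are
+# given, a new Product object will be created from the given
+# _arguments_ and associated with the target.
 #
 # target.product
 # # => nil
 #
 # target.product(:name => 'Apache', :version => '1.3.3.7')
-# # => #<Ronin::
-# #
+# # => #<Ronin::Product type=Ronin::Product id=nil name="Apache"
+# # version="1.3.3.7" vendor="Apache">
 #
 def product(*arguments)
 unless arguments.empty?
-return self.product =
+return self.product = Product.first_or_create(*arguments)
 else
 return product_association
 end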
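Review bot: The rewritten header on new lines 66–68 says a new Product "will be created" from the arguments, but `Product.first_or_create(*arguments)` on line 79 returns an existing matching record when one exists and only creates otherwise; suggest `# given, a matching Product is found or created from the given`. `belongs_to :product` on line 47 drops the explicit `:class_name` and `:child_key`, so the association now relies on `Product` resolving to `Ronin::Exploits::Product` through the new `require 'ronin/exploits/product'` and on the default foreign-key name — presumably intended, but product.rb is not in view. The `product` method is the only code of the class visible here; the class body continues outside the hunks.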
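--- a/data/lib/ronin/exploits/verifiers.rb
+++ b/data/lib/ronin/exploits/verifiers.rb
@@ -0,0 +1,92 @@
+#
+#--
+# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#++
+#
+module Ronin
+module Exploits
+module Verifiers
+#
+# Verifies that a target has been selected. If a target has not been
+# selected, a TargetUnspecified exception will be raised, otherwise
+# +true+ will be returned.
+#
+def verify_target!
+if target.nil?
+raise(TargetUnspecified,"no suitable target provided",caller)
+end
+
+return true
+end
+
+#
+# Verifies that the selected target has an arch property.
+# If the selected target does not have an arch property, a
+# TargetDataMissing exception will be raised, otherwise
+# +true+ will be return.
+#
+def verify_arch!
+if arch.nil?
+raise(TargetDataMissing,"no suitable arch was provided",caller)
+end
+end
+
+#
+# Verifies that the selected target has an os property.
+# If the selected target does not have an os property, a
+# TargetDataMissing exception will be raised, otherwise
+# +true+ will be return.
+#
+def verify_os!
+if os.nil?
+raise(TargetDataMissing,"no suitable os was provided",caller)
+end
+end
+
+#
+# Verifies that the selected target has an product property.
+# If the selected target does not have an product property, a
+# TargetDataMissing exception will be raised, otherwise
+# +true+ will be return.
+#
+def verify_product!
+if product.nil?
+raise(TargetDataMissing,"no suitable product was provided",caller)
+end
+end
+
+#
+# Raises a RestrictedChar exception if the specified _text_ contains
+# any restricted characters, returns +true+ otherwise.
+#
+def verify_restricted!(text)
+found = @restricted_chars.select { |char|
+text.include?(char)
+}.map { |char| char.dump }
+
+unless found.empty?
+raise(RestrictedChar,"restricted characters #{found.join(', ')} was detected in #{text.dump}",caller)
+end
+
+return true
+end
+end
+end
+end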
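Review bot: `verify_arch!`, `verify_os!` and `verify_product!` (new lines 45–73) return nil on the success path, although their headers promise `+true+` and the siblings `verify_target!` and `verify_restricted!` end with `return true`; add `return true` after the closing `end` of the `if` in each so callers can rely on the documented value. The same three headers read "+true+ will be return" — `# +true+ will be returned.`. `verify_restricted!` calls `@restricted_chars.select` with no nil guard, so an exploit that never assigns `@restricted_chars` gets a NoMethodError instead of a pass; `Array(@restricted_chars).select` would make the unset case explicit, assuming the attribute is optional for including classes. The file references TargetUnspecified, TargetDataMissing and RestrictedChar without requiring them, so it depends on the including file having loaded those exception classes.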
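--- a/data/lib/ronin/exploits/web.rb
+++ b/data/lib/ronin/exploits/web.rb
@@ -47,8 +47,28 @@ module Ronin
 # The targeted HTTP port
 parameter :port, :description => 'The targeted HTTP port'
 
+# The HTTP Request method to use
+parameter :http_method,
+:default => :get,
+:description => 'HTTP Request method to use'
+
 # The optional URL path prefix
-parameter :url_prefix, :description => '
+parameter :url_prefix, :description => 'Optional URL path prefix'
+
+#
+# Returns the targeted URL path based on the +url_prefix+ parameter
+# as well as the +url_path+ and +url_query+ properties.
+#
+def targeted_url_path
+url = self.url_path.to_s
+url << "?#{self.url_query}" if self.url_query
+
+if @url_prefix
+url = @url_prefix.to_s + url
+end
+
+return url
+end
 
 #
 # Returns the targeted URL based on the +http_host+, +http_port+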
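Review bot: `url = self.url_path.to_s` on new line 63 yields the same String object when `url_path` is already a String, so `url << "?#{self.url_query}"` on line 64 appends the query into the stored `url_path` and every further call lengthens it; use `url = self.url_path.to_s.dup` (or build the result by interpolation) before the `<<`. `@url_prefix.to_s + url` on line 67 inserts no separator, so a prefix without a trailing `/` and a path without a leading `/` fuse into one segment; whether callers guarantee the slashes is not visible here. The enclosing class begins before and continues after this hunk.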