ronin-exploits 0.3.0 → 1.0.0.beta1

data/lib/ronin/exploits/open_redirect.rb

@@ -0,0 +1,103 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/client_side_web_vuln'
+
+require 'ronin/vulns/open_redirect'
+require 'ronin/payloads/url_payload'
+require 'ronin/payloads/builtin/test/open_redirect'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [Open Redirect] exploit.
+    #
+    # [Open Redirect]: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/open_redirect'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < OpenRedirect
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'url'
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class OpenRedirect < ClientSideWebVuln
+
+      payload_class Payloads::URLPayload
+
+      references [
+        'https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
+      ]
+
+      param :redirect_url, String, desc: 'The URL to redirect to'
+
+      #
+      # Initializes the Open Redirect exploit and defaults the {#payload} to a
+      # Open Redirect test payload.
+      #
+      # @param [Ronin::Payloads::URLtPayload, String, nil] payload
+      #   The payload to use.
+      #
+      def initialize(payload: Payloads::Test::OpenRedirect.new, **kwargs)
+        super(payload: payload, **kwargs)
+      end
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :open_redirect
+      end
+
+      #
+      # The open redirect vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::OpenRedirect]
+      #
+      def vuln
+        @vuln ||= Vulns::OpenRedirect.new(url, test_url: params[:redirect_url],
+                                               **web_vuln_kwargs)
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/params/base_url.rb

@@ -0,0 +1,84 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'uri'
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds the required `base_url` param to the exploit.
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module BaseURL
+        #
+        # Adds the required `base_url` param to the exploit including
+        # {Params::BaseURL}.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class including {Params::BaseURL}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.param :base_url, URI, required: true,
+                                        desc: 'The base URL of the target'
+        end
+
+        #
+        # The targeted host.
+        #
+        # @return [String]
+        #
+        def host
+          params[:base_url].host
+        end
+
+        #
+        # The targeted port.
+        #
+        # @return [Integer]
+        #
+        def port
+          params[:base_url].port
+        end
+
+        #
+        # Expands the URL or path into a fully qualitifed URL.
+        #
+        # @param [String] path
+        #   The URL or path to expand.
+        #
+        # @return [URI::HTTP, URI::HTTPS]
+        #   If a URL is given, it will be returned as a `URI::HTTP` or
+        #   `URI::HTTPS` object. If a path was given, it will be joined with
+        #   the `base_url` param and a `URI::HTTP` or `URI::HTTPS` object will
+        #   be returned.
+        #
+        def url_for(path)
+          params[:base_url].merge(path)
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/params/bind_host.rb

@@ -0,0 +1,53 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds an optional `bind_host` param to the exploit.
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module BindHost
+        #
+        # Adds the `bind_host` param to the exploit class.
+        #
+        # @param [Class<Ronin::Exploits::Exploit>] exploit
+        #   The exploit class including {Params::BindPort}.
+        #
+        def self.included(exploit)
+          exploit.param :bind_host, desc: 'Local host to bind to'
+        end
+
+        #
+        # The `bind_host` param.
+        #
+        # @return [String]
+        #
+        def bind_host
+          params[:bind_host]
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/params/bind_port.rb

@@ -0,0 +1,53 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds an optional `bind_port` param to the exploit.
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module BindPort
+        #
+        # Adds the `bind_port` param to the exploit class.
+        #
+        # @param [Class<Ronin::Exploits::Exploit>] exploit
+        #   The exploit class including {Params::BindPort}.
+        #
+        def self.included(exploit)
+          exploit.param :bind_port, Integer, desc: 'Local port to bind to'
+        end
+
+        #
+        # The `bind_port` param.
+        #
+        # @return [Integer]
+        #
+        def bind_port
+          params[:bind_port]
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/params/filename.rb

@@ -0,0 +1,71 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/metadata/default_filename'
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds the required `filename` param to the exploit.
+      #
+      # ## Examples
+      #
+      #     include Params::Filename
+      #
+      # Setting the default port value:
+      #
+      #     include Params::Filename
+      #     
+      #     default_filename 'exploit.docx'
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module Filename
+        #
+        # Adds the required `filename` param to the exploit class including
+        # {Params::Filename}.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class including {Params::Filename}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.include Metadata::DefaultFilename
+          exploit.param :filename, String, required: true,
+                                           default:  ->{ exploit.default_filename },
+                                           desc:     'The filename for the exploit'
+        end
+
+        #
+        # The `filename` param.
+        #
+        # @return [String]
+        #
+        def filename
+          params[:filename]
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/params/host.rb

@@ -0,0 +1,56 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds the required `host` param to the exploit.
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module Host
+        #
+        # Adds the required `host` param to the exploit including
+        # {Params::Host}.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class including {Params::Host}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.param :host, required: true, desc: 'Remote host to connect to'
+        end
+
+        #
+        # The `host` param.
+        #
+        # @return [String]
+        #
+        def host
+          params[:host]
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/params/port.rb

@@ -0,0 +1,71 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/metadata/default_port'
+
+module Ronin
+  module Exploits
+    module Params
+      #
+      # Adds the required `port` param to the exploit.
+      #
+      # ## Examples
+      #
+      #     include Params::Port
+      #
+      # Setting the default port value:
+      #
+      #     include Params::Port
+      #     
+      #     default_port 143
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module Port
+        #
+        # Adds the required `port` param to the exploit class including
+        # {Params::Port}.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class including {Params::Port}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.include Metadata::DefaultPort
+          exploit.param :port, Integer, required: true,
+                                        default:  ->{ exploit.default_port },
+                                        desc:     'Remote port to connect to'
+        end
+
+        #
+        # The `port` param.
+        #
+        # @return [Integer]
+        #
+        def port
+          params[:port]
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/registry.rb

@@ -0,0 +1,32 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/core/class_registry'
+require 'ronin/repos/class_dir'
+
+module Ronin
+  module Exploits
+    include Core::ClassRegistry
+    include Repos::ClassDir
+
+    class_dir "#{__dir__}/exploits/builtin"
+    repo_class_dir 'exploits'
+  end
+end

data/lib/ronin/exploits/rfi.rb

@@ -0,0 +1,106 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/web_vuln'
+require 'ronin/exploits/mixins/has_payload'
+
+require 'ronin/vulns/rfi'
+require 'ronin/payloads/url_payload'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [Remote File Inclusion (RFI)][RFI] exploit.
+    #
+    # [RFI]: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/rfi'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < RFI
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'template'
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class RFI < WebVuln
+
+      include Mixins::HasPayload
+
+      payload_class Payloads::URLPayload
+
+      references [
+        'https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion'
+      ]
+
+      param :test_script_url, String, desc: 'The URL for the RFI test script'
+
+      param :filter_bypass, Enum[:null_byte, :double_encode],
+                            desc: 'Optional filter bypass strategy'
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :rfi
+      end
+
+      #
+      # The RFI vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::RFI]
+      #
+      def vuln
+        @vuln ||= Vulns::RFI.new(
+                    url, test_script_url: params[:test_script_url],
+                         filter_bypass:   params[:filter_bypass],
+                         **web_vuln_kwargs
+                  )
+      end
+
+      #
+      # Launches the RFI exploit with the payload.
+      #
+      def launch
+        vuln.exploit(@payload)
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/root.rb

@@ -0,0 +1,28 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    # Path to `ronin-exploits` root directory.
+    #
+    # @api private
+    ROOT = File.expand_path(File.join(__dir__,'..','..','..'))
+  end
+end