ronin-exploits 0.3.0 → 1.0.0.beta1

data/lib/ronin/exploits/xss.rb

@@ -0,0 +1,102 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/client_side_web_vuln'
+require 'ronin/exploits/mixins/html'
+
+require 'ronin/vulns/reflected_xss'
+require 'ronin/payloads/javascript_payload'
+require 'ronin/payloads/builtin/test/xss'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [Cross Site Scripting (XSS)][XSS] exploit.
+    #
+    # [XSS]: https://owasp.org/www-community/attacks/xss/
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/xss'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < XSS
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'title'
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class XSS < ClientSideWebVuln
+
+      include Mixins::HTML
+
+      payload_class Payloads::JavaScriptPayload
+
+      references [
+        'https://owasp.org/www-community/attacks/xss/'
+      ]
+
+      #
+      # Initializes the XSS exploit and defaults the {#payload} to a XSS test
+      # payload.
+      #
+      # @param [Ronin::Payloads::JavaScriptPayload, String, nil] payload
+      #   The payload to use.
+      #
+      def initialize(payload: Payloads::Test::XSS.new, **kwargs)
+        super(payload: payload, **kwargs)
+      end
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :xss
+      end
+
+      #
+      # The XSS vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::ReflectedXSS]
+      #
+      def vuln
+        @vuln ||= Vulns::ReflectedXSS.new(url,**web_vuln_kwargs)
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits.rb

@@ -1,40 +1,33 @@
 #
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful,
+# ronin-exploits is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-require 'ronin/exploits/targets'
+require 'ronin/exploits/registry'
+require 'ronin/exploits/mixins'
 require 'ronin/exploits/exploit'
-require 'ronin/exploits/local'
-require 'ronin/exploits/remote'
-require 'ronin/exploits/remote_tcp'
-require 'ronin/exploits/remote_udp'
-require 'ronin/exploits/ftp'
-require 'ronin/exploits/http'
+require 'ronin/exploits/memory_corruption'
+require 'ronin/exploits/stack_overflow'
+require 'ronin/exploits/seh_overflow'
+require 'ronin/exploits/heap_overflow'
+require 'ronin/exploits/use_after_free'
 require 'ronin/exploits/web'
+require 'ronin/exploits/lfi'
+require 'ronin/exploits/rfi'
+require 'ronin/exploits/sqli'
 require 'ronin/exploits/version'
-require 'ronin/database'
-
-require 'reverse_require'
-
-require_for 'ronin-exploits', 'ronin/exploits'
-
-module Ronin
-  Database.update!
-end

data/man/ronin-exploits-irb.1

@@ -0,0 +1,31 @@
+.\" Generated by kramdown-man 0.1.8
+.\" https://github.com/postmodern/kramdown-man#readme
+.TH ronin-exploits-irb 1 "May 2022" Ronin "User Manuals"
+.LP
+.SH SYNOPSIS
+.LP
+.HP
+\fBronin-exploits irb\fR \[lB]\fIoptions\fP\[rB]
+.LP
+.SH DESCRIPTION
+.LP
+.PP
+Starts an interactive Ruby shell with \fBronin/exploits\fR loaded\.
+.LP
+.SH OPTIONS
+.LP
+.TP
+\fB-h\fR, \fB--help\fR
+Print help information
+.LP
+.SH AUTHOR
+.LP
+.PP
+Postmodern 
+.MT postmodern\.mod3\[at]gmail\.com
+.ME
+.LP
+.SH SEE ALSO
+.LP
+.PP
+ronin\-exploits\-list(1) ronin\-exploits\-show(1) ronin\-exploits\-run(1)

data/man/ronin-exploits-irb.1.md

@@ -0,0 +1,22 @@
+# ronin-exploits-irb 1 "May 2022" Ronin "User Manuals"
+
+## SYNOPSIS
+
+`ronin-exploits irb` [*options*]
+
+## DESCRIPTION
+
+Starts an interactive Ruby shell with `ronin/exploits` loaded.
+
+## OPTIONS
+
+`-h`, `--help`
+  Print help information
+
+## AUTHOR
+
+Postmodern <postmodern.mod3@gmail.com>
+
+## SEE ALSO
+
+ronin-exploits-list(1) ronin-exploits-show(1) ronin-exploits-run(1)

data/man/ronin-exploits-list.1

@@ -0,0 +1,37 @@
+.\" Generated by kramdown-man 0.1.8
+.\" https://github.com/postmodern/kramdown-man#readme
+.TH ronin-exploits-list 1 "May 2022" Ronin "User Manuals"
+.LP
+.SH SYNOPSIS
+.LP
+.HP
+\fBronin-exploits list\fR \[lB]\fIoptions\fP\[rB] \fIDIR\fP
+.LP
+.SH DESCRIPTION
+.LP
+.PP
+Lists available exploits\.
+.LP
+.SH ARGUMENTS
+.LP
+.TP
+\fIDIR\fP
+The optional directory to list exploits from\.
+.LP
+.SH OPTIONS
+.LP
+.TP
+\fB-h\fR, \fB--help\fR
+Print help information
+.LP
+.SH AUTHOR
+.LP
+.PP
+Postmodern 
+.MT postmodern\.mod3\[at]gmail\.com
+.ME
+.LP
+.SH SEE ALSO
+.LP
+.PP
+ronin\-exploits\-show(1) ronin\-exploits\-run(1)

data/man/ronin-exploits-list.1.md

@@ -0,0 +1,27 @@
+# ronin-exploits-list 1 "May 2022" Ronin "User Manuals"
+
+## SYNOPSIS
+
+`ronin-exploits list` [*options*] *DIR*
+
+## DESCRIPTION
+
+Lists available exploits.
+
+## ARGUMENTS
+
+*DIR*
+  The optional directory to list exploits from.
+
+## OPTIONS
+
+`-h`, `--help`
+  Print help information
+
+## AUTHOR
+
+Postmodern <postmodern.mod3@gmail.com>
+
+## SEE ALSO
+
+ronin-exploits-show(1) ronin-exploits-run(1)

data/man/ronin-exploits-new.1

@@ -0,0 +1,98 @@
+.\" Generated by kramdown-man 0.1.8
+.\" https://github.com/postmodern/kramdown-man#readme
+.TH ronin-exploits-new 1 "May 2022" Ronin "User Manuals"
+.LP
+.SH SYNOPSIS
+.LP
+.HP
+\fBronin-exploits new\fR \[lB]\fIoptions\fP\[rB] \fIFILE\fP
+.LP
+.SH DESCRIPTION
+.LP
+.PP
+Creates a new exploit file\.
+.LP
+.SH ARGUMENTS
+.LP
+.TP
+\fIFILE\fP
+The path to the exploit file to generate\.
+.LP
+.SH OPTIONS
+.LP
+.TP
+\fB-t\fR, \fB--type\fR \fBexploit\fR\[or]\fBheap_overflow\fR\[or]\fBstack_overflow\fR\[or]\fBweb\fR\[or]\fBopen_redirect\fR\[or]\fBlfi\fR\[or]\fBrfi\fR\[or]\fBsqli\fR\[or]\fBssti\fR\[or]\fBxss\fR
+The type for the new exploit\.
+.LP
+.TP
+\fB-a\fR, \fB--author\fR \fINAME\fP
+The name of the author\. Defaults to the configured git author name or the
+\fBUSERNAME\fR environment variable\.
+.LP
+.TP
+\fB-e\fR, \fB--author-email\fR \fIEMAIL\fP
+The email address of the author\. Defaults to the configured git author email\.
+.LP
+.TP
+\fB-s\fR, \fB--summary\fR \fITEXT\fP
+One sentence summary for the exploit\.
+.LP
+.TP
+\fB-d\fR, \fB--description\fR \fITEXT\fP
+Longer description for the exploit\.
+.LP
+.TP
+\fB-I\fR, \fB--advisory-id\fR \fIID\fP
+Add the advisory ID to the exploit\.
+.LP
+.TP
+\fB-R\fR, \fB--reference\fR \fIURL\fP
+Adds a reference to the exploit\.
+.LP
+.TP
+\fB-P\fR, \fB--has-payload\fR \fBpayload\fR\[or]\fBasm\fR\[or]\fBshellcode\fR\[or]\fBc\fR\[or]\fBshell\fR\[or]\fBpowershell\fR\[or]\fBhtml\fR\[or]\fBjavascript\fR\[or]\fBtyppescript\fR\[or]\fBjava\fR\[or]\fBsql\fR\[or]\fBphp\fR\[or]\fBnodejs\fR
+The payload type the exploit uses\.
+.LP
+.TP
+\fB-N\fR, \fB--networking\fR \fBremote_tcp\fR\[or]\fBremote_udp\fR\[or]\fBhttp\fR
+The networking mixin to use\.
+.LP
+.TP
+\fB-A\fR, \fB--arch\fR \fBx86\fR\[or]\fBx86-64\fR\[or]\fBamd64\fR\[or]\fBia64\fR\[or]\fBppc\fR\[or]\fBppc64\fR\[or]\fBarm\fR\[or]\fBarmbe\fR\[or]\fBarm64\fR\[or]\fBarm64be\fR\[or]\fBmips\fR\[or]\fBmipsle\fR\[or]\fBmips64\fR\[or]\fBmips64le\fR
+The architecture to target\.
+.LP
+.TP
+\fB-O\fR, \fB--os\fR \fBlinux\fR\[or]\fBmacos\fR\[or]\fBwindows\fR\[or]\fBfreebsd\fR\[or]\fBopenbsd\fR\[or]\fBnetbsd\fR
+The Operating System (OS) to target\.
+.LP
+.TP
+\fB--os-version\fR \fIVERSION\fP
+The OS version to target\.
+.LP
+.TP
+\fB-S\fR, \fB--software\fR \fINAME\fP
+The software to target\.
+.LP
+.TP
+\fB-V\fR, \fB--software-version\fR \fIVERSION\fP
+The software version to target\.
+.LP
+.TP
+\fB-L\fR, \fB--loot\fR
+Adds the loot mixin\.
+.LP
+.TP
+\fB-h\fR, \fB--help\fR
+Print help information
+.LP
+.SH AUTHOR
+.LP
+.PP
+Postmodern 
+.MT postmodern\.mod3\[at]gmail\.com
+.ME
+.LP
+.SH SEE ALSO
+.LP
+.PP
+ronin\-exploits\-show(1) ronin\-exploits\-run(1)

data/man/ronin-exploits-new.1.md

@@ -0,0 +1,73 @@
+# ronin-exploits-new 1 "May 2022" Ronin "User Manuals"
+
+## SYNOPSIS
+
+`ronin-exploits new` [*options*] *FILE*
+
+## DESCRIPTION
+
+Creates a new exploit file.
+
+## ARGUMENTS
+
+*FILE*
+  The path to the exploit file to generate.
+
+## OPTIONS
+
+`-t`, `--type` `exploit`\|`heap_overflow`\|`stack_overflow`\|`web`\|`open_redirect`\|`lfi`\|`rfi`\|`sqli`\|`ssti`\|`xss`
+  The type for the new exploit.
+
+`-a`, `--author` *NAME*
+  The name of the author. Defaults to the configured git author name or the
+  `USERNAME` environment variable.
+
+`-e`, `--author-email` *EMAIL*
+  The email address of the author. Defaults to the configured git author email.
+
+`-s`, `--summary` *TEXT*
+  One sentence summary for the exploit.
+
+`-d`, `--description` *TEXT*
+  Longer description for the exploit.
+
+`-I`, `--advisory-id` *ID*
+  Add the advisory ID to the exploit.
+
+`-R`, `--reference` *URL*
+  Adds a reference to the exploit.
+
+`-P`, `--has-payload` `payload`\|`asm`\|`shellcode`\|`c`\|`shell`\|`powershell`\|`html`\|`javascript`\|`typpescript`\|`java`\|`sql`\|`php`\|`nodejs`
+  The payload type the exploit uses.
+
+`-N`, `--networking` `remote_tcp`\|`remote_udp`\|`http`
+  The networking mixin to use.
+
+`-A`, `--arch` `x86`\|`x86-64`\|`amd64`\|`ia64`\|`ppc`\|`ppc64`\|`arm`\|`armbe`\|`arm64`\|`arm64be`\|`mips`\|`mipsle`\|`mips64`\|`mips64le`
+  The architecture to target.
+
+`-O`, `--os` `linux`\|`macos`\|`windows`\|`freebsd`\|`openbsd`\|`netbsd`
+  The Operating System (OS) to target.
+
+`--os-version` *VERSION*
+  The OS version to target.
+
+`-S`, `--software` *NAME*
+  The software to target.
+
+`-V`, `--software-version` *VERSION*
+  The software version to target.
+  
+`-L`, `--loot`
+  Adds the loot mixin.
+
+`-h`, `--help`
+  Print help information
+
+## AUTHOR
+
+Postmodern <postmodern.mod3@gmail.com>
+
+## SEE ALSO
+
+ronin-exploits-show(1) ronin-exploits-run(1)

data/man/ronin-exploits-run.1

@@ -0,0 +1,117 @@
+.\" Generated by kramdown-man 0.1.8
+.\" https://github.com/postmodern/kramdown-man#readme
+.TH ronin-exploits-run 1 "May 2022" Ronin "User Manuals"
+.LP
+.SH SYNOPSIS
+.LP
+.HP
+\fBronin-exploits run\fR \[lB]\fIoptions\fP\[rB] \[lC]\fINAME\fP \[or] \fB--file\fR \fIFILE\fP\[rC]
+.LP
+.SH DESCRIPTION
+.LP
+.PP
+Loads and runs an exploit\.
+.LP
+.SH ARGUMENTS
+.LP
+.TP
+\fINAME\fP
+The name of the exploit to load\.
+.LP
+.SH OPTIONS
+.LP
+.TP
+\fB-f\fR, \fB--file\fR \fIFILE\fP
+The exploit file to load\.
+.LP
+.TP
+\fB-p\fR, \fB--param\fR \fINAME\fP\[eq]\fIVALUE\fP
+Sets a param for the exploit\.
+.LP
+.TP
+\fB-D\fR, \fB--dry-run\fR
+Builds the exploit but does not launch it\.
+.LP
+.TP
+\fB--payload-file\fR \fIFILE\fP
+Load the payload from the given Ruby file\.
+.LP
+.TP
+\fB--read-payload\fR \fIFILE\fP
+Reads the payload string from the file\.
+.LP
+.TP
+\fB--payload-string\fR \fISTRING\fP
+Uses the raw payload string instead\.
+.LP
+.TP
+\fB-P\fR, \fB--payload\fR \fINAME\fP
+The payload to load and use\.
+.LP
+.TP
+\fB--payload-param\fR \fINAME\fP\[eq]\fIVALUE\fP
+Sets a param in the payload\.
+.LP
+.TP
+\fB--encoder-file\fR \fIFILE\fP
+Load the payload encoder from the Ruby file\.
+.LP
+.TP
+\fB-E\fR, \fB--encoder\fR \fINAME\fP
+Loads the payload encoder by name\.
+.LP
+.TP
+\fB--encoder-param\fR \fIENCODER\fP\.\fINAME\fP\[eq]\fIVALUE\fP
+Sets a param for the ENCODER\.
+.LP
+.TP
+\fB-t\fR, \fB--target\fR \fIINDEX\fP
+Selects the target by index\.
+.LP
+.TP
+\fB-A\fR, \fB--target-arch\fR \fBx86\fR\[or]\fBx86-64\fR\[or]\fBamd64\fR\[or]\fBia64\fR\[or]\fBppc\fR\[or]\fBppc64\fR\[or]\fBarm\fR\[or]\fBarmbe\fR\[or]\fBarm64\fR\[or]\fBarm64be\fR\[or]\fBmips\fR\[or]\fBmipsle\fR\[or]\fBmips64\fR\[or]\fBmips64le\fR
+Selects the target with the matching arch\.
+.LP
+.TP
+\fB-O\fR, \fB--target-os\fR \fBlinux\fR\[or]\fBmacos\fR\[or]\fBwindows\fR\[or]\fBfreebsd\fR\[or]\fBopenbsd\fR\[or]\fBnetbsd\fR
+Selects the target with the matching OS\.
+.LP
+.TP
+\fB--target-os-version\fR \fIVERSION\fP
+Selects the target with the matching OS version\.
+.LP
+.TP
+\fB-S\fR, \fB--target-software\fR \fINAME\fP
+Selects the target with the matching software name\.
+.LP
+.TP
+\fB-V\fR, \fB--target-version\fR \fIVERSION\fP
+Selects the target with the matching software version\.
+.LP
+.TP
+\fB-L\fR, \fB--save-loot\fR \fIDIR\fP
+Saves any found loot to the \fIDIR\fP\.
+.LP
+.TP
+\fB-D\fR, \fB--debug\fR
+Enables debugging messages\.
+.LP
+.TP
+\fB--irb\fR
+Open an interactive Ruby shell inside the exploit\.
+.LP
+.TP
+\fB-h\fR, \fB--help\fR
+Print help information
+.LP
+.SH AUTHOR
+.LP
+.PP
+Postmodern 
+.MT postmodern\.mod3\[at]gmail\.com
+.ME
+.LP
+.SH SEE ALSO
+.LP
+.PP
+ronin\-exploits\-list(1) ronin\-exploits\-show(1) ronin\-exploits\-new(1)

data/man/ronin-exploits-run.1.md

@@ -0,0 +1,87 @@
+# ronin-exploits-run 1 "May 2022" Ronin "User Manuals"
+
+## SYNOPSIS
+
+`ronin-exploits run` [*options*] {*NAME* \| `--file` *FILE*}
+
+## DESCRIPTION
+
+Loads and runs an exploit.
+
+## ARGUMENTS
+
+*NAME*
+  The name of the exploit to load.
+
+## OPTIONS
+
+`-f`, `--file` *FILE*
+  The exploit file to load.
+
+`-p`, `--param` *NAME*=*VALUE*
+  Sets a param for the exploit.
+
+`-D`, `--dry-run`
+  Builds the exploit but does not launch it.
+
+`--payload-file` *FILE*
+  Load the payload from the given Ruby file.
+
+`--read-payload` *FILE*
+  Reads the payload string from the file.
+
+`--payload-string` *STRING*
+  Uses the raw payload string instead.
+
+`-P`, `--payload` *NAME*
+  The payload to load and use.
+
+`--payload-param` *NAME*=*VALUE*
+  Sets a param in the payload.
+
+`--encoder-file` *FILE*
+  Load the payload encoder from the Ruby file.
+
+`-E`, `--encoder` *NAME*
+  Loads the payload encoder by name.
+
+`--encoder-param` *ENCODER*.*NAME*=*VALUE*
+  Sets a param for the ENCODER.
+
+`-t`, `--target` *INDEX*
+  Selects the target by index.
+
+`-A`, `--target-arch` `x86`\|`x86-64`\|`amd64`\|`ia64`\|`ppc`\|`ppc64`\|`arm`\|`armbe`\|`arm64`\|`arm64be`\|`mips`\|`mipsle`\|`mips64`\|`mips64le`
+  Selects the target with the matching arch.
+
+`-O`, `--target-os` `linux`\|`macos`\|`windows`\|`freebsd`\|`openbsd`\|`netbsd`
+  Selects the target with the matching OS.
+
+`--target-os-version` *VERSION*
+  Selects the target with the matching OS version.
+
+`-S`, `--target-software` *NAME*
+  Selects the target with the matching software name.
+
+`-V`, `--target-version` *VERSION*
+  Selects the target with the matching software version.
+
+`-L`, `--save-loot` *DIR*
+  Saves any found loot to the *DIR*.
+
+`-D`, `--debug`
+  Enables debugging messages.
+
+`--irb`
+  Open an interactive Ruby shell inside the exploit.
+
+`-h`, `--help`
+  Print help information
+
+## AUTHOR
+
+Postmodern <postmodern.mod3@gmail.com>
+
+## SEE ALSO
+
+ronin-exploits-list(1) ronin-exploits-show(1) ronin-exploits-new(1)

data/man/ronin-exploits-show.1

@@ -0,0 +1,45 @@
+.\" Generated by kramdown-man 0.1.8
+.\" https://github.com/postmodern/kramdown-man#readme
+.TH ronin-exploits-show 1 "May 2022" Ronin "User Manuals"
+.LP
+.SH SYNOPSIS
+.LP
+.HP
+\fBronin-exploits show\fR \[lB]\fIoptions\fP\[rB] \[lC]\fINAME\fP \[or] \-\-file \fIFILE\fP\[rC]
+.LP
+.SH DESCRIPTION
+.LP
+.PP
+Prints information about an exploit\.
+.LP
+.SH ARGUMENTS
+.LP
+.TP
+\fINAME\fP
+The name of the exploit to load\.
+.LP
+.SH OPTIONS
+.LP
+.TP
+\fB-v\fR, \fB--verbose\fR
+Prints additional information about the exploit\.
+.LP
+.TP
+\fB-f\fR, \fB--file\fR \fIFILE\fP
+Optionally loads the exploit from the file\.
+.LP
+.TP
+\fB-h\fR, \fB--help\fR
+Print help information
+.LP
+.SH AUTHOR
+.LP
+.PP
+Postmodern 
+.MT postmodern\.mod3\[at]gmail\.com
+.ME
+.LP
+.SH SEE ALSO
+.LP
+.PP
+ronin\-exploits\-list(1) ronin\-exploits\-run(1)