ronin-exploits 0.3.0 → 1.0.0.beta1

data/Rakefile

@@ -1,26 +1,40 @@
-# -*- ruby -*-
-
 require 'rubygems'
-require 'hoe'
-require 'hoe/signing'
-require './tasks/spec.rb'
-require './tasks/yard.rb'
-
-Hoe.spec('ronin-exploits') do
-  self.rubyforge_name = 'ronin'
-  self.developer('Postmodern', 'postmodern.mod3@gmail.com')
-  self.remote_rdoc_dir = 'docs/ronin-exploits'
-  self.extra_deps = [
-    ['ronin', '>=0.3.0'],
-    ['ronin-gen', '>=0.2.0']
-  ]
-
-  self.extra_dev_deps = [
-    ['rspec', '>=1.2.8'],
-    ['yard', '>=0.2.3.5']
-  ]
-
-  self.spec_extras = {:has_rdoc => 'yard'}
+
+begin
+  require 'bundler'
+rescue LoadError => e
+  warn e.message
+  warn "Run `gem install bundler` to install Bundler."
+  exit -1
+end
+
+begin
+  Bundler.setup(:development)
+rescue Bundler::BundlerError => e
+  warn e.message
+  warn "Run `bundle install` to install missing gems"
+  exit e.status_code
 end
 
-# vim: syntax=Ruby
+require 'rake'
+
+require 'rubygems/tasks'
+Gem::Tasks.new(sign: {checksum: true, pgp: true})
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+namespace :spec do
+  RSpec::Core::RakeTask.new(:network) do |t|
+    t.rspec_opts = '--tag network'
+  end
+end
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new
+
+require 'kramdown/man/task'
+Kramdown::Man::Task.new

data/bin/ronin-exploits

@@ -2,11 +2,18 @@
 
 require 'rubygems'
 
-lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
-unless $LOAD_PATH.include?(lib_dir)
-  $LOAD_PATH << lib_dir
+root = File.expand_path(File.join(File.dirname(__FILE__),'..'))
+if File.file?(File.join(root,'Gemfile.lock'))
+  Dir.chdir(root) do
+    begin
+      require 'bundler/setup'
+    rescue LoadError => e
+      warn e.message
+      warn "Run `gem install bundler` to install Bundler"
+      exit -1
+    end
+  end
 end
 
-require 'ronin/ui/command_line/commands/exploits'
-
-Ronin::UI::CommandLine::Commands::Exploits.start
+require 'ronin/exploits/cli'
+Ronin::Exploits::CLI.start

data/data/new/exploit.rb.erb

@@ -0,0 +1,158 @@
+#!/usr/bin/env -S ronin-exploits run -f
+
+require 'ronin/exploits/<%= @exploit_type[:file] -%>'
+<%- if @networking_mixin -%>
+require 'ronin/exploits/mixins/<%= @networking_mixin[:file] -%>'
+<%- end -%>
+<%- if @target -%>
+require 'ronin/exploits/mixins/has_target'
+<%- end -%>
+<%- if @has_payload -%>
+require 'ronin/exploits/mixins/has_payload'
+require 'ronin/payloads/<%= @has_payload[:file] -%>'
+<%- end -%>
+<%- if @loot -%>
+require 'ronin/exploits/mixins/loot'
+<%- end -%>
+
+module Ronin
+  module Exploits
+    class <%= @class_name -%> < <%= @exploit_type[:class] %>
+      <%- if @networking_mixin || @has_payload || @target -%>
+
+      <%- if @networking_mixin -%>
+      include Mixins::<%= @networking_mixin[:module] %>
+      <%- end -%>
+      <%- if @has_payload -%>
+      include Mixins::HasPayload
+      <%- end -%>
+      <%- if @target -%>
+      include Mixins::HasTargets
+      <%- end -%>
+      <%- end -%>
+      <%- if @loot -%>
+      include Mixins::Loot
+      <%- end -%>
+
+      register '<%= @file_name -%>'
+
+      quality :poc
+      # release_date    'YYYY-MM-DD'
+      # disclosure_date 'YYYY-MM-DD'
+      <%- unless @advisories.empty? -%>
+      <%-   @advisories.each do |advisory| -%>
+      advisory '<%= advisory -%>'
+      <%-   end -%>
+      <%- else -%>
+      # advisory 'CVE-YYYY-NNNN'
+      # advisory 'GHSA-XXXXXX'
+      <%- end -%>
+
+      <%- if @author_email -%>
+      author '<%= @author_name %>', email: '<%= @author_email -%>'
+      <%- else -%>
+      author '<%= @author_name %>'
+      <%- end -%>
+      <%- if @summary -%>
+      summary "<%= @summary %>"
+      <%- else -%>
+      # summary "FIX ME"
+      <%- end -%>
+      <%- if @description -%>
+      description <<~DESC
+        <%= @description %>
+      DESC
+      <%- else -%>
+      # description <<~DESC
+      #   FIX ME
+      # DESC
+      <%- end -%>
+      <%- unless @references.empty? -%>
+      references [
+        <%- @references.each do |url| -%>
+        <%=   url.inspect -%><% if index < @references.length-1 %>,<% end %>
+        <%- end -%>
+      ]
+      <%- else -%>
+      # references [
+      #   "https:/...",
+      #   "https:/..."
+      # ]
+      <%- end -%>
+      <%- if web_vuln_exploit? -%>
+
+      <%- if @exploit_type[:class] == 'LFI' -%>
+      # depth 7
+      <%- elsif @exploit_type[:class] == 'SQLI' -%>
+      # escape_quote true
+      # escape_parens true
+      # terminate true
+      <%- elsif @exploit_type[:class] == 'SSTI' -%>
+      # escape_expr ->(expr) { "{{${expr}}}" }
+      <%- end -%>
+      <%- else -%>
+      <%- if @has_payload -%>
+
+      payload_class Payloads::<%= @has_payload[:class] %>
+      <%- end -%>
+      <%- if @target -%>
+
+      target <%= format_kwargs(@target) -%>
+
+      # target arch: '...', os: '...', software_version: '...' do |t|
+      #   t.var1 = 'foo'
+      #   t.var2 = 0x1234
+      # end
+      <%- end -%>
+
+      # #
+      # # Test whether the target systme is vulnerable.
+      # #
+      # def test
+      #   # return Vulnerable('host is vulnerable')
+      #   # return NotVulnerable('host is patched')
+      #   # return Unknown('host may or may not be vulnerable')
+      # end
+
+      def build
+        <%- if stack_overflow_exploit? -%>
+        bp = 0x11223344
+        ip = 0xAABBCCEE
+
+        @buffer = buffer_overflow(length: 1024, nops: 16, payload: @payload, bp: bp, ip: ip)
+        <%- elsif seh_overflow_exploit? -%>
+        nseh = 0x11223344
+        seh  = 0xAABBCCEE
+
+        @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: @payload, nseh: nseh, seh: seh)
+        <%- elsif @has_payload -%>
+        @buffer = "EXPLOIT #{@payload}"
+        <%- else -%>
+        @buffer = "EXPLOIT"
+        <%- end -%>
+      end
+
+      def launch
+        <%- case @networking -%>
+        <%- when :remote_tcp -%>
+        @socket = tcp_connect
+        @socket.write(@buffer)
+        <%- when :remote_udp -%>
+        @socket = udp_connect
+        @socket.write(@buffer)
+        <%- when :http -%>
+        http_get(query_params: {'foo' => @buffer})
+        <%- end -%>
+      end
+
+      def cleanup
+        <%- case @networking -%>
+        <%- when :remote_tcp, :remote_udp -%>
+        @socket.close
+        <%- end -%>
+      end
+      <%- end -%>
+
+    end
+  end
+end

data/gemspec.yml

@@ -0,0 +1,37 @@
+name: ronin-exploits
+summary: A Ruby micro-framework for writing and running exploits and payloads.
+description:
+  ronin-exploits is a Ruby micro-framework for writing and running exploits.
+  ronin-exploits allows one to write exploits as plain old Ruby classes.
+  ronin-exploits can be distributed as Ruby files or as git repositories that
+  can be installed using ronin-reps.
+
+license: LGPL-3.0
+authors: Postmodern
+email: postmodern.mod3@gmail.com
+homepage: https://ronin-rb.dev/exploits/
+has_yard: true
+
+required_ruby_version: ">= 3.0.0"
+
+generated_files:
+  - man/ronin-exploits.1
+  - man/ronin-exploits-irb.1
+  - man/ronin-exploits-list.1
+  - man/ronin-exploits-new.1
+  - man/ronin-exploits-run.1
+  - man/ronin-exploits-show.1
+
+dependencies:
+  uri-query_params: ~> 0.6
+  # Ronin dependencies:
+  ronin-support: ~> 1.0.0.beta1
+  ronin-code-sql: ~> 2.0.0.beta1
+  ronin-payloads: ~> 0.1.0.beta1
+  ronin-vulns: ~> 0.1.0.beta1
+  ronin-post_ex: ~> 0.1.0.beta1
+  ronin-core: ~> 0.1.0.beta1
+  ronin-repos: ~> 0.1.0.beta1
+
+development_dependencies:
+  bundler: ~> 2.0

data/lib/ronin/exploits/advisory.rb

@@ -0,0 +1,84 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    #
+    # Represents a security advisory.
+    #
+    # @api semipublic
+    #
+    # @since 1.0.0
+    #
+    class Advisory
+
+      # The advisory ID.
+      #
+      # @return [String]
+      attr_reader :id
+
+      # The advisory URL.
+      #
+      # @return [String]
+      attr_reader :url
+
+      #
+      # Initializes the advisory.
+      #
+      # @param [String] id
+      #   The advisory ID.
+      #
+      # @param [String] url
+      #   The advisory URL.
+      #
+      def initialize(id,url=self.class.url_for(id))
+        @id  = id
+        @url = url
+      end
+
+      #
+      # Generates a default URL for the given advisory ID.
+      #
+      # @param [String] id
+      #   The advisory ID.
+      #
+      # @return [String, nil]
+      #   The URL for the advisory.
+      #
+      def self.url_for(id)
+        case id
+        when /\ACVE-/  then "https://nvd.nist.gov/vuln/detail/#{id}"
+        when /\AGHSA-/ then "https://github.com/advisories/#{id}"
+        end
+      end
+
+      #
+      # Converts the advisory to a String.
+      #
+      # @return [String]
+      #   The advisory ID.
+      #
+      def to_s
+        @id.to_s
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/cli/command.rb

@@ -0,0 +1,39 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/root'
+require 'ronin/core/cli/command'
+
+module Ronin
+  module Exploits
+    class CLI
+      #
+      # Base class for all `ronin-exploits` commands.
+      #
+      class Command < Core::CLI::Command
+
+        man_dir File.join(ROOT,'man')
+
+        bug_report_url 'https://github.com/ronin-rb/ronin-exploits/issues/new'
+
+      end
+    end
+  end
+end

data/lib/ronin/exploits/cli/commands/irb.rb

@@ -0,0 +1,57 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/cli/exploit_command'
+require 'ronin/exploits/cli/ruby_shell'
+
+module Ronin
+  module Exploits
+    class CLI
+      module Commands
+        #
+        # Starts an interactive Ruby shell with `ronin-exploits` loaded.
+        #
+        # ## Usage
+        #
+        #     ronin-exploits irb [options]
+        #
+        # ## Options
+        #
+        #     -h, --help                       Print help information
+        #
+        class Irb < Command
+
+          description "Starts an interactive Ruby shell with ronin-exploits loaded"
+
+          man_page 'ronin-exploits-irb.1'
+
+          #
+          # Runs the `ronin-exploits irb` command.
+          #
+          def run
+            require 'ronin/exploits'
+            CLI::RubyShell.start
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/cli/commands/list.rb

@@ -0,0 +1,80 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/cli/command'
+require 'ronin/exploits/registry'
+
+module Ronin
+  module Exploits
+    class CLI
+      module Commands
+        #
+        # Lists the available exploits.
+        #
+        # ## Usage
+        #
+        #     ronin-exploits list [options] [NAME]
+        #
+        # ## Options
+        #
+        #     -h, --help                       Print help information
+        #
+        # ## Arguments
+        #
+        #     [NAME]                           The optional exploit name to list
+        #
+        class List < Command
+
+          usage '[options] [NAME]'
+
+          argument :name, required: false,
+                          desc:     'The optional exploit name to list'
+
+          description 'Lists the available exploits'
+
+          man_page 'ronin-exploits-list.1'
+
+          #
+          # Runs the `ronin-exploits list` command.
+          #
+          # @param [String, nil] dir
+          #   The optional exploit directory to list.
+          #
+          def run(dir=nil)
+            files = if dir
+                      dir = "#{dir}/" unless name.end_with?('/')
+
+                      Exploits.list_files.select do |file|
+                        file.start_with?(dir)
+                      end
+                    else
+                      Exploits.list_files
+                    end
+
+            files.each do |file|
+              puts "  #{file}"
+            end
+          end
+
+        end
+      end
+    end
+  end
+end