ronin-exploits 0.3.0 → 1.0.0.beta1

data/lib/ronin/exploits/exploit_author.rb

@@ -1,33 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/author'
-
-module Ronin
-  module Exploits
-    class ExploitAuthor < Author
-
-      # The exploit the author wrote
-      belongs_to :exploit, :nullable => true
-
-    end
-  end
-end

data/lib/ronin/exploits/ftp.rb

@@ -1,45 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/remote_tcp'
-
-module Ronin
-  module Exploits
-    class FTP < RemoteTCP
-
-      # Default port to connect to
-      DEFAULT_PORT = 21
-
-      #
-      # Creates a new Ronin::Exploits::FTP object using the given _block_.
-      #
-      #   ronin_ftp_exploit do
-      #     ...
-      #   end
-      #
-      contextify :ronin_ftp_exploit
-
-      # Default port to connect to
-      property :default_port, Integer
-
-    end
-  end
-end

data/lib/ronin/exploits/helpers/binary.rb

@@ -1,50 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/exceptions/target_data_missing'
-require 'ronin/formatting/binary'
-
-module Ronin
-  module Exploits
-    module Helpers
-      module Binary
-        #
-        # Packs an integer using the current targeted architecture
-        # and the address-length.
-        #
-        # @param [Integer] integer
-        #   The integer to pack.
-        #
-        # @param [Integer] address_length
-        #   The address-length to pack the integer into.
-        #
-        # @return [String]
-        #   The packed integer.
-        #
-        def pack(integer,address_length=nil)
-          verify_arch!
-
-          return integer.pack(arch,(address_length || arch.address_length))
-        end
-      end
-    end
-  end
-end

data/lib/ronin/exploits/helpers/buffer_overflow.rb

@@ -1,115 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/exceptions/payload_size'
-require 'ronin/exploits/targets/buffer_overflow'
-require 'ronin/exploits/helpers/binary'
-require 'ronin/exploits/helpers/padding'
-require 'ronin/payloads/shellcode'
-
-module Ronin
-  module Exploits
-    module Helpers
-      module BufferOverflow
-        def self.extended(obj)
-          obj.instance_eval do
-            extend Ronin::Exploits::Helpers::Binary
-            extend Ronin::Exploits::Helpers::Padding
-          end
-        end
-
-        #
-        # @return [String]
-        #   The buffer to use for the buffer overflow.
-        #
-        def buffer
-          @buffer ||= ''
-        end
-
-        #
-        # Adds a new target to the exploit.
-        #
-        # @param [Hash] attributes
-        #   Additional attributes to create the new target with.
-        #
-        # @yield [target]
-        #   If a block is given, it will be passed the newly created target.
-        #
-        # @yieldparam [Targets::BufferOverflow] target
-        #   The new target.
-        #
-        def targeting(attributes={},&block)
-          self.targets << Targets::BufferOverflow.new(attributes,&block)
-        end
-
-        #
-        # @return [Payloads::Shellcode]
-        #   The model which will be searched for acceptable payloads.
-        #
-        # @since 0.3.0
-        #
-        def use_payload_class
-          Payloads::Shellcode
-        end
-
-        protected
-       
-        #
-        # Builds the buffer with the current target and payload to be
-        # used in the buffer overflow exploit.
-        #
-        # @return [String]
-        #   The built buffer.
-        #
-        # @raise [PayloadSize]
-        #   The encoded payload is too large to fit within the targeted
-        #   buffer length.
-        #
-        def build_buffer
-          verify_target!
-
-          if encoded_payload.length > target.buffer_length
-            raise(PayloadSize,"the specified payload is too large for the target's buffer length",caller)
-          end
-
-          buffer = pad(target.buffer_length - encoded_payload.length) + encoded_payload
-          ip_packed = pack(target.ip)
-
-          if target.bp
-            buffer << ((pack(target.bp) + ip_packed) * target.frame_repeat)
-          else
-            buffer << ((ip_packed * 2) * target.frame_repeat)
-          end
-
-          return buffer
-        end
-
-        #
-        # Default builder method which simply calls build_buffer and sets
-        # the +@buffer+ instance variable..
-        #
-        def build
-          @buffer = build_buffer
-        end
-      end
-    end
-  end
-end

data/lib/ronin/exploits/helpers/file_based.rb

@@ -1,112 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/config'
-
-require 'set'
-require 'fileutils'
-
-module Ronin
-  module Exploits
-    module Helpers
-      module FileBased
-        def self.extended(obj)
-          obj.instance_eval do
-            # The output directory for file creation
-            parameter :output_dir,
-                      :default => Config::TMP_DIR,
-                      :description => 'Directory to save built file in'
-
-            # The name of the output file
-            parameter :output_file_name,
-                      :default => 'exploit',
-                      :description => 'Name of the file'
-
-            # Whether or not to delete the output file at exit
-            parameter :clean_file,
-                      :default => true,
-                      :description => 'Delete the file on exit'
-          end
-        end
-
-        #
-        # List of files to delete upon exit.
-        #
-        # @return [Set]
-        #   The list of files to delete upon exit.
-        #
-        def FileBased.clean_files
-          @@ronin_exploits_file_based_clean_files ||= Set[]
-        end
-
-        #
-        # Will forcibly delete the files listed in FileBased.clean_files.
-        #
-        # @return [true]
-        #   The all files were successfully deleted.
-        #
-        def FileBased.clean!
-          FileBased.clean_files.each do |path|
-            FileUtils.rm(path, :force => true)
-          end
-
-          FileBased.clean_files.clear
-          return true
-        end
-
-        at_exit(&FileBased.method(:clean!))
-
-        #
-        # @return [String]
-        #   The absolute path of the file to be built.
-        #
-        def output_file_path
-          sanitized_name = File.expand_path(File.join('',@output_file_name))
-
-          return File.expand_path(File.join(@output_dir,sanitized_name))
-        end
-
-        protected
-
-        #
-        # Opens the file to be built.
-        #
-        # @yield [file]
-        #   If a block is given, it will be passed the newly opened file.
-        #
-        # @yieldparam [File] file
-        #   The newly opened file.
-        #
-        # @example
-        #   build_file do |file|
-        #     file << 'some data'
-        #   end
-        #
-        def build_file(&block)
-          path = self.output_file_path
-
-          FileBased.clean_files << path if @clean_file
-          return File.open(path,'w',&block)
-        end
-      end
-    end
-  end
-end

data/lib/ronin/exploits/helpers/format_string.rb

@@ -1,117 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/targets/format_string'
-require 'ronin/exploits/helpers/binary'
-require 'ronin/payloads/shellcode'
-
-module Ronin
-  module Exploits
-    module Helpers
-      module FormatString
-        def self.extended(obj)
-          obj.instance_eval do
-            extend Ronin::Exploits::Helpers::Binary
-          end
-        end
-
-        #
-        # @return [String]
-        #   The format string of the exploit.
-        #
-        def format_string
-          @format_string ||= ''
-        end
-
-        #
-        # Adds a new target to the exploit.
-        #
-        # @param [Hash] attributes
-        #   Additioanl attributes to create the target with.
-        #
-        # @yield [target]
-        #   If a block is given, it will be passed the newly created target.
-        #
-        # @yieldparam [Targets::FormatString] target
-        #   The newly created target.
-        #
-        def targeting(attributes={},&block)
-          self.targets << Targets::FormatString.new(attributes,&block)
-        end
-
-        #
-        # @return [Payloads::Shellcode]
-        #   The model which will be searched for acceptable payloads.
-        #
-        # @since 0.3.0
-        #
-        def use_payload_class
-          Payload::Shellcode
-        end
-
-        protected
-
-        #
-        # Builds a format string using the current target and payload to
-        # be used in the format string exploit.
-        #
-        # @return [String]
-        #   The built format string.
-        #
-        def build_format_string
-          verify_target!
-
-          buffer = pack(target.overwrite) + 
-                   pack(target.overwrite + (target.arch.address_length / 2))
-
-          low_mask = 0xff
-          (target.arch.address_length/2).times do
-            low_mask <<= 8
-            low_mask |= 0xff
-          end
-
-          high_mask = low_mask << (target.arch.address_length*4)
-          high = (target.address & high_mask) >> (target.arch.address_length/2)
-          low = target.address & low_mask
-
-          if low < high
-            low -= (target.arch.address_length*2)
-            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,target.pop_length,high-low,target.pop_length+1)
-          else
-            high -= (target.arch.address_length*2)
-            buffer += format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,target.pop_length+1,low-high,target.pop_length)
-          end
-
-          buffer << encoded_payload
-          return buffer
-        end
-
-        #
-        # The default builder method which simply calls build_format_string
-        # and sets the +@format_string+ instance variable.
-        #
-        def build
-          @format_string = build_format_string
-        end
-      end
-    end
-  end
-end

data/lib/ronin/exploits/helpers/padding.rb

@@ -1,101 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/formatting/text'
-
-module Ronin
-  module Exploits
-    module Helpers
-      module Padding
-        def self.extended(obj)
-          obj.instance_eval do
-            # String to pad extra space with
-            parameter :padding,
-                      :default => 'A',
-                      :description => 'padding string'
-          end
-        end
-
-        protected
-
-        #
-        # Creates padding out to a maximum length, using the +padding+
-        # parameter.
-        #
-        # @param [Integer] max_length
-        #   The maximum length to pad out to.
-        #
-        # @return [String]
-        #   A padded string.
-        #
-        # @example
-        #   pad(28)
-        #   # => "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-        #
-        def pad(max_length)
-          ''.pad(@padding.to_s,max_length)
-        end
-
-        #
-        # Pads the a string on the right-hand side out to a maximum length,
-        # using the +padding+ parameter.
-        #
-        # @param [String] data
-        #   The string to add padding to.
-        #
-        # @param [Integer] max_length
-        #   The amount of padding to add.
-        #
-        # @return [String]
-        #   The left-hand side padded string.
-        #
-        # @example
-        #   pad_left("\xff\xff",48)
-        #   # => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xff\xff"
-        #
-        def pad_left(data,max_length)
-          pad(max_length - data.length) + data
-        end
-
-        #
-        # Pads the a string on the right-hand side out to a maximum length,
-        # using the +padding+ parameter.
-        #
-        # @param [String] data
-        #   The string to add padding to.
-        #
-        # @param [Integer] max_length
-        #   The amount of padding to add.
-        #
-        # @return [String]
-        #   The right-hand side padded string.
-        #
-        # @example
-        #   pad_right("\xff\xff",48)
-        #   # => "\xff\xffAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-        #
-        def pad_right(data,max_length)
-          data.to_s.pad(@padding,max_length)
-        end
-      end
-    end
-  end
-end

data/lib/ronin/exploits/helpers.rb

@@ -1,26 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/helpers/file_based'
-require 'ronin/exploits/helpers/binary'
-require 'ronin/exploits/helpers/padding'
-require 'ronin/exploits/helpers/buffer_overflow'
-require 'ronin/exploits/helpers/format_string'

data/lib/ronin/exploits/http.rb

@@ -1,52 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/remote_tcp'
-require 'ronin/network/helpers/http'
-
-module Ronin
-  module Exploits
-    class HTTP < RemoteTCP
-
-      # Default port to connect to
-      DEFAULT_PORT = 80
-
-      include Network::Helpers::HTTP
-
-      #
-      # Creates a new Ronin::Exploits::HTTP object using the given _block_.
-      #
-      #   ronin_http_exploit do
-      #     ...
-      #   end
-      #
-      contextify :ronin_http_exploit
-
-      # Default port to connect to
-      property :default_port, Integer, :default => 80
-
-      # The optional URL path prefix
-      parameter :url_prefix,
-                :description => 'Optional URL path prefix'
-
-    end
-  end
-end

data/lib/ronin/exploits/local.rb

@@ -1,40 +0,0 @@
-#
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
-# payload crafting functionality.
-#
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-#
-
-require 'ronin/exploits/exploit'
-
-module Ronin
-  module Exploits
-    class Local < Exploit
-
-      #
-      # Creates a new Ronin::Exploits::Local object using the given
-      # _block_.
-      #
-      #   ronin_local_exploit do
-      #     ...
-      #   end
-      #
-      contextify :ronin_local_exploit
-
-    end
-  end
-end