ronin-exploits 0.3.1 → 1.0.0.beta1

data/lib/ronin/exploits/seh_overflow.rb

@@ -0,0 +1,90 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/memory_corruption'
+require 'ronin/exploits/mixins/seh'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a Structured Exception Handler (SEH) overflow.
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/seh_overflow'
+    #     require 'ronin/exploits/mixins/remote_tcp'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < SEHOverflow
+    #     
+    #           register 'my_exploit'
+    #     
+    #           include Mixins::RemoteTCP
+    #     
+    #           def build
+    #             nseh = 0x06eb9090 # short jump 6 bytes
+    #             seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+    #     
+    #             @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
+    #           end
+    #    
+    #           def launch
+    #             tcp_send "USER #{@buffer}"
+    #           end
+    #     
+    #         end
+    #       end
+    #     end
+    #
+    # If you want more control over how the buffer is constructed:
+    #
+    #     def build
+    #       nseh = 0x06eb9090 # short jump 6 bytes
+    #       seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+    #    
+    #       @buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class SEHOverflow < MemoryCorruption
+
+      include Mixins::SEH
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :seh_overflow
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/sqli.rb

@@ -0,0 +1,172 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/web_vuln'
+require 'ronin/exploits/mixins/has_payload'
+
+require 'ronin/vulns/sqli'
+require 'ronin/payloads/sql_payload'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [SQL injection (SQLi)][SQLI] exploit.
+    #
+    # [SQLI]: https://owasp.org/www-community/attacks/SQL_Injection
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/sqli'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < SQLI
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'id'
+    #           escape_quote true
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class SQLI < WebVuln
+
+      include Mixins::HasPayload
+
+      payload_class Payloads::SQLPayload
+
+      references [
+        'https://owasp.org/www-community/attacks/SQL_Injection'
+      ]
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :sqli
+      end
+
+      #
+      # Gets or sets whether to escape quotation marks.
+      #
+      # @param [Boolean, nil] new_escape_quote
+      #   The optional new escape quote value.
+      #
+      # @return [Boolean]
+      #   Specifies whether to escape quotation marks.
+      #
+      def self.escape_quote(new_escape_quote=nil)
+        if new_escape_quote != nil
+          @escape_quote = new_escape_quote
+        else
+          if @escape_quote != nil
+            @escape_quote
+          elsif superclass < SQLI
+            superclass.escape_quote
+          else
+            false
+          end
+        end
+      end
+
+      #
+      # Gets or sets whether to escape parenthesis.
+      #
+      # @param [Boolean, nil] new_escape_parens
+      #   The optional new escape parenthesis value.
+      #
+      # @return [Boolean]
+      #   Specifies whether to escape parenthesis.
+      #
+      def self.escape_parens(new_escape_parens=nil)
+        if new_escape_parens != nil
+          @escape_parens = new_escape_parens
+        else
+          if @escape_parens != nil
+            @escape_parens
+          elsif superclass < SQLI
+            superclass.escape_parens
+          else
+            false
+          end
+        end
+      end
+
+      #
+      # Gets or sets whether to terminate the injected SQL expression.
+      #
+      # @param [Boolean, nil] new_terminate
+      #   The optional new terminate value.
+      #
+      # @return [Boolean]
+      #   Specifies whether to terminate the injected SQL expression.
+      #
+      def self.terminate(new_terminate=nil)
+        if new_terminate != nil
+          @terminate = new_terminate
+        else
+          if @terminate != nil
+            @terminate
+          elsif superclass < SQLI
+            superclass.terminate
+          else
+            false
+          end
+        end
+      end
+
+      #
+      # The SQL injection (SQLi) vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::SQLi]
+      #
+      def vuln
+        @vuln ||= Vulns::SQLI.new(
+                    url, escape_quote:  self.class.escape_quote,
+                         escape_parens: self.class.escape_parens,
+                         terminate:     self.class.terminate,
+                         **web_vuln_kwargs
+                  )
+      end
+
+      #
+      # Launches SQL injection (SQLi) exploit with the SQL payload.
+      #
+      def launch
+        vuln.exploit(@payload)
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/ssti.rb

@@ -0,0 +1,108 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/web_vuln'
+
+require 'ronin/vulns/ssti'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [Server Side Template Injection (SSTI)][SSTI] exploit.
+    #
+    # [SSTI]: https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/ssti'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < SSTI
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'name'
+    #           escape_expr ->(expr) { "${{#{expr}}}" }
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class SSTI < WebVuln
+
+      references [
+        'https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection'
+      ]
+
+      #
+      # Gets or sets the exploit's SSTI escape logic.
+      #
+      # @param [Proc, nil] new_escape_expr
+      #   The optional new escape proc.
+      #
+      # @return [Proc, nil]
+      #   The escape expression proc.
+      #
+      # @example
+      #   escape_expr ->(expr) { "${{#{expr}}}" }
+      #
+      def self.escape_expr(new_escape_expr=nil)
+        if new_escape_expr
+          @escape_expr = new_escape_expr
+        else
+          @escape_expr || if superclass < SSTI
+                            superclass.escape_expr
+                          end
+        end
+      end
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :ssti
+      end
+
+      #
+      # The Server Side Template Injection (SSTI) vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::SSTI]
+      #
+      def vuln
+        @vuln ||= Vulns::SSTI.new(url, escape: self.class.escape_expr,
+                                       **web_vuln_kwargs)
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/stack_overflow.rb

@@ -0,0 +1,90 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/memory_corruption'
+require 'ronin/exploits/mixins/stack_overflow'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a stack overflow exploit.
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/stack_overflow'
+    #     require 'ronin/exploits/mixins/remote_tcp'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < StackOverflow
+    #     
+    #           register 'my_exploit'
+    #     
+    #           include Mixins::RemoteTCP
+    #     
+    #           def build
+    #             ebp = 0x06eb9090
+    #             eip = 0x1001ae86
+    #     
+    #             @buffer = buffer_overflow(length: 1024, nops: 16, payload: payload, bp: ebp, ip: eip)
+    #           end
+    #     
+    #           def launch
+    #             tcp_send "USER #{@buffer}"
+    #           end
+    #     
+    #         end
+    #       end
+    #     end
+    #
+    # If you want more control over how the buffer is constructed:
+    #
+    #     def build
+    #       ebp = 0x06eb9090
+    #       eip = 0x1001ae86
+    #     
+    #       @buffer = junk(1024) + nops(16) + payload + stack_frame(ebp,eip)
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class StackOverflow < MemoryCorruption
+
+      include Mixins::StackOverflow
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :stack_overflow
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/target.rb

@@ -1,141 +1,101 @@
 #
-# Ronin Exploits - A Ruby library for Ronin that provides exploitation and
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2009 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
-# This program is distributed in the hope that it will be useful,
+# ronin-exploits is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-require 'ronin/exploits/exceptions/target_data_missing'
-require 'ronin/model/targets_arch'
-require 'ronin/model/targets_os'
-require 'ronin/model/targets_product'
-require 'ronin/model'
-
-require 'dm-types/yaml'
+require 'ostruct'
 
 module Ronin
   module Exploits
-    class Target
-
-      include Model
-      include Model::TargetsArch
-      include Model::TargetsOS
-      include Model::TargetsProduct
-
-      # Primary key
-      property :id, Serial
-
-      # Target comments
-      property :description, String
-
-      # The exploit the target belongs to
-      belongs_to :exploit
+    #
+    # Contains targeting information used for exploits.
+    # A target may specify which architecture, Operating System (OS),
+    # software version is targets. The target may also contain additional target
+    # parameters.
+    #
+    class Target < OpenStruct
 
-      # The extra target data to use for the exploit
-      property :data, Yaml, :default => {}
-
-      #
-      # Creates a new ExploitTarget object
-      #
-      # @param [Hash] attributes
-      #   Additional attributes to create the target with.
+      # The target's architecture.
       #
-      # @yield [target]
-      #   If a block is given, it will be passed the new target object.
-      #
-      # @yieldparam [Target] target
-      #   The newly created target object.
-      #
-      def initialize(attributes={},&block)
-        super(attributes)
-
-        block.call(self) if block
-      end
+      # @return [Symbol, nil]
+      attr_reader :arch
 
+      # The target's Operating System.
       #
-      # Searches for target data with the matching name.
-      #
-      # @param [Symbol, String] name
-      #   The name to search for.
-      #
-      # @return [Boolean]
-      #   Specifies whether the target contains data with the matching name.
-      #
-      def has?(name)
-        self.data.has_key?(name.to_sym)
-      end
+      # @return [Symbol, nil]
+      attr_reader :os
 
+      # The target's Operating System (OS) version.
       #
-      # Returns the target data with the matching name.
-      #
-      # @param [Symbol, String] name
-      #   The name of the target data to retrieve.
+      # @return [String, nil]
+      attr_reader :os_version
+
+      # The target's software.
       #
-      # @return [Object, nil]
-      #   The target data.
+      # @return [String, nil]
+      attr_reader :software
+
+      # The target's software version.
       #
-      def [](name)
-        self.data[name.to_sym]
-      end
+      # @return [String, nil]
+      attr_reader :version
 
       #
-      # Sets the target data with the matching name.
+      # Creates a new ExploitTarget object
       #
-      # @param [Symbol, String] name
-      #   The name of the target data to set.
+      # @param [Symbol, nil] arch
+      #   The architecture name of the target (ex: `:x86_64`).
       #
-      # @param [Object] value
-      #   The value to set for the target data.
+      # @param [Symbol, nil] os
+      #   The Operating System (OS) name of the target (ex: `:linux`).
       #
-      def []=(name,value)
-        self.data[name.to_sym] = value
-      end
-
-      protected
-
+      # @param [String, nil] os_version
+      #   The Operating System (OS) version of the target (ex: `"10.13"`).
       #
-      # Provides transparent access to the target data Hash.
+      # @param [String, nil] software
+      #   The software name of the target (ex: `"Apache"`).
       #
-      # @raise [TargetDataMissing]
-      #   The target does not have data associated with the specified name.
+      # @param [String, nil] version
+      #   The software version of the target (ex: `"2.4.54"`).
       #
-      # @example
-      #   target.ip
-      #   # => 0xff8025a0
+      # @yield [target]
+      #   If a block is given, it will be passed the new target object.
       #
-      # @example
-      #   target.ip = 0x41414141
+      # @yieldparam [Target] target
+      #   The newly created target object.
       #
-      def method_missing(name,*arguments,&block)
-        unless block
-          name = name.to_s
+      def initialize(arch:       nil,
+                     os:         nil,
+                     os_version: nil,
+                     software:   nil,
+                     version:    nil,
+                     **params)
+        super(**params)
+
+        @arch = arch
 
-          if (name[-1..-1] == '=' && arguments.length == 1)
-            return self[name.chop] = arguments.first
-          elsif arguments.length == 0
-            unless has?(name)
-              raise(TargetDataMissing,"the target is missing data for #{name.dump}",caller)
-            end
+        @os         = os
+        @os_version = os_version
 
-            return self[name]
-          end
-        end
+        @software = software
+        @version  = version
 
-        super(name,*arguments,&block)
+        yield self if block_given?
       end
 
     end