ronin-exploits 0.3.1 → 1.0.0.beta1

data/spec/mixins/stack_overflow_spec.rb

@@ -0,0 +1,87 @@
+require 'spec_helper'
+require 'ronin/exploits/mixins/stack_overflow'
+
+require 'ronin/exploits/exploit'
+require 'ronin/exploits/metadata/arch'
+require 'ronin/exploits/metadata/os'
+
+describe Ronin::Exploits::Mixins::StackOverflow do
+  module TestSEHMixin
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Metadata::Arch
+      include Ronin::Exploits::Metadata::OS
+      include Ronin::Exploits::Mixins::StackOverflow
+
+      arch :x86
+      os :windows
+    end
+  end
+
+  let(:exploit_class) { TestSEHMixin::TestExploit }
+
+  it "must include Ronin::Exploits::Mixins::Text" do
+    expect(exploit_class).to include(Ronin::Exploits::Mixins::Text)
+  end
+
+  it "must include Ronin::Exploits::Mixins::Binary" do
+    expect(exploit_class).to include(Ronin::Exploits::Mixins::Binary)
+  end
+
+  it "must include Ronin::Exploits::Mixins::NOPS" do
+    expect(exploit_class).to include(Ronin::Exploits::Mixins::NOPS)
+  end
+
+  subject { exploit_class.new }
+
+  let(:bp) { 0x06eb9090 }
+  let(:ip)  { 0x1001ae86 }
+
+  describe "#stack_frame" do
+    it "must pack the nseh and seh arguments as machine words" do
+      expect(subject.stack_frame(bp,ip)).to eq(
+        [bp, ip].pack('L<2')
+      )
+    end
+  end
+
+  describe "#buffer_overflow" do
+    let(:length)  { 1024 }
+    let(:payload) { 'shellcode here'.b }
+
+    it "must return a buffer of the given size, containing junk data, the payload, stack base pointer (bp), and stack instruction pointer (ip) addresses" do
+      buffer = subject.buffer_overflow(
+        length: length, payload: payload, bp: bp, ip: ip
+      )
+
+      expect(buffer.length).to eq(length)
+
+      junk = subject.junk(length - payload.bytesize - (subject.platform[:machine_word].size * 2))
+
+      packed_bp = subject.pack(:machine_word,bp)
+      packed_ip = subject.pack(:machine_word,ip)
+
+      expect(buffer).to eq(junk + payload + packed_bp + packed_ip)
+    end
+
+    context "when the nops: keyword argument is given" do
+      let(:nops) { 16 }
+
+      it "must add additional NOP padding to the beginning of the payload" do
+        buffer = subject.buffer_overflow(
+          length: length, nops: nops, payload: payload, bp: bp, ip: ip
+        )
+
+        expect(buffer.length).to eq(length)
+
+        junk = subject.junk(length - (subject.nop.bytesize * nops) - payload.bytesize - (subject.platform[:machine_word].size * 2))
+
+        nop_pad = subject.nops(nops)
+
+        packed_ip = subject.pack(:machine_word,ip)
+        packed_bp = subject.pack(:machine_word,bp)
+
+        expect(buffer).to eq(junk + nop_pad + payload + packed_bp + packed_ip)
+      end
+    end
+  end
+end

data/spec/mixins/text_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+require 'ronin/exploits/mixins/text'
+
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Mixins::Text do
+  module TestTextMixin
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Mixins::Text
+    end
+  end
+
+  let(:exploit_class) { TestTextMixin::TestExploit }
+  subject { exploit_class.new }
+
+  it "must include Ronin::Support::Text::Random::Mixin" do
+    expect(exploit_class).to include(Ronin::Support::Text::Random::Mixin)
+  end
+
+  describe "#junk" do
+    let(:count) { 1024 }
+
+    it "must return a String of 'A' characters for the given count" do
+      expect(subject.junk(count)).to eq('A' * count)
+    end
+
+    context "when given a custom character" do
+      let(:char) { 'B' }
+
+      it "must return a String of the given characters for the given count" do
+        expect(subject.junk(char,count)).to eq(char * count)
+      end
+    end
+
+    context "when given a custom String" do
+      let(:string) { 'AB' }
+
+      it "must return a String of the given String repeated for the given count" do
+        expect(subject.junk(string,count)).to eq(string * count)
+      end
+    end
+  end
+end

data/spec/open_redirect_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+require 'ronin/exploits/open_redirect'
+
+describe Ronin::Exploits::OpenRedirect do
+  module TestOpenRedirect
+    class TestExploit < Ronin::Exploits::OpenRedirect
+      base_path   '/showthread.asp'
+      query_param 'id'
+    end
+  end
+
+  let(:exploit_class) { TestOpenRedirect::TestExploit }
+  let(:base_url)      { 'http://testasp.vulnweb.com' }
+  let(:redirect_url)  { 'http://evil.com/' }
+
+  subject do
+    exploit_class.new(
+      params: {
+        base_url:     base_url,
+        redirect_url: redirect_url
+      }
+    )
+  end
+
+  it "must inherite from Ronin::Exploits::ClientSideWebVuln" do
+    expect(described_class).to be < Ronin::Exploits::ClientSideWebVuln
+  end
+
+  describe ".exploit_type" do
+    subject { described_class }
+
+    it { expect(subject.exploit_type).to eq(:open_redirect) }
+  end
+
+  describe "#initialize" do
+    it "must default #payload to a Ronin::Payloads::Test::OpenRedirect payload" do
+      expect(subject.payload).to be_kind_of(Ronin::Payloads::Test::OpenRedirect)
+    end
+
+    context "when given the payload: keyword argument" do
+      let(:payload) { Ronin::Payloads::URLPayload.new }
+
+      subject do
+        exploit_class.new(
+          payload: payload,
+          params: {
+            base_url: base_url
+          }
+        )
+      end
+
+      it "must set #payload" do
+        expect(subject.payload).to be(payload)
+      end
+    end
+  end
+
+  describe "#vuln" do
+    it "must return a Ronin::Vulns::OpenRedirect object" do
+      expect(subject.vuln).to be_kind_of(Ronin::Vulns::OpenRedirect)
+    end
+
+    it "must set the #url attribute of the OpenRedirect vuln object" do
+      expect(subject.vuln.url).to eq(subject.url)
+    end
+
+    it "must set the #test_url attribute of the OpenRedirect vuln object to the 'redirect_url' param" do
+      expect(subject.vuln.test_url).to eq(redirect_url)
+    end
+  end
+end

data/spec/params/base_url_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+require 'ronin/exploits/params/base_url'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::BaseURL do
+  module TestBaseURLParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::BaseURL
+    end
+  end
+
+  describe ".included" do
+    subject { TestBaseURLParam::TestExploit }
+
+    it "must add a required 'base_url' param to the exploit class" do
+      expect(subject.params[:base_url]).to_not be_nil
+      expect(subject.params[:base_url].type).to be_kind_of(Ronin::Core::Params::Types::URI)
+      expect(subject.params[:base_url].required?).to be(true)
+      expect(subject.params[:base_url].desc).to eq("The base URL of the target")
+    end
+  end
+
+  let(:base_url) { URI('https://example.com:8080/') }
+  subject { TestBaseURLParam::TestExploit.new(params: {base_url: base_url}) }
+
+  describe "#host" do
+    it "must return the host value of the base URL" do
+      expect(subject.host).to eq(base_url.host)
+    end
+  end
+
+  describe "#port" do
+    it "must return the port value of the base URL" do
+      expect(subject.port).to eq(base_url.port)
+    end
+  end
+
+  describe "#url_for" do
+    context "when given an absolute path" do
+      let(:path) { '/foo' }
+
+      it "must return a URI::HTTP object" do
+        expect(subject.url_for(path)).to be_kind_of(URI::HTTP)
+      end
+
+      it "must override the path of the params[:base_url]" do
+        expect(subject.url_for(path).path).to eq(path)
+      end
+    end
+
+    context "when given a relative path" do
+      let(:path) { 'foo' }
+
+      it "must return a URI::HTTP object" do
+        expect(subject.url_for(path)).to be_kind_of(URI::HTTP)
+      end
+
+      it "must convert the path into an absolute path" do
+        expect(subject.url_for(path).path).to eq("/#{path}")
+      end
+    end
+
+    context "when given a fully qualified URL" do
+      let(:url) { "https://www.other.com/foo" }
+
+      it "must return the URL" do
+        expect(subject.url_for(url).to_s).to eq(url)
+      end
+    end
+  end
+end

data/spec/params/bind_host_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+require 'ronin/exploits/params/bind_host'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::BindHost do
+  module TestBindHostParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::BindHost
+    end
+  end
+
+  describe ".included" do
+    subject { TestBindHostParam::TestExploit }
+
+    it "must add an optional 'bind_host' param to the exploit class" do
+      expect(subject.params[:bind_host]).to_not be_nil
+      expect(subject.params[:bind_host].required?).to be(false)
+      expect(subject.params[:bind_host].desc).to eq("Local host to bind to")
+    end
+  end
+
+  let(:bind_host) { 'localhost' }
+  subject do
+    TestBindHostParam::TestExploit.new(
+      params: {bind_host: bind_host}
+    )
+  end
+
+  describe "#bind_host" do
+    it "must return the bind_host param value" do
+      expect(subject.bind_host).to eq(bind_host)
+    end
+  end
+end

data/spec/params/bind_port_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+require 'ronin/exploits/params/bind_port'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::BindPort do
+  module TestBindPortParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::BindPort
+    end
+  end
+
+  describe ".included" do
+    subject { TestBindPortParam::TestExploit }
+
+    it "must add an optional 'bind_port' param to the exploit class" do
+      expect(subject.params[:bind_port]).to_not be_nil
+      expect(subject.params[:bind_port].type).to be_kind_of(Ronin::Core::Params::Types::Integer)
+      expect(subject.params[:bind_port].required?).to be(false)
+      expect(subject.params[:bind_port].desc).to eq("Local port to bind to")
+    end
+  end
+
+  let(:bind_port) { 9000 }
+  subject do
+    TestBindPortParam::TestExploit.new(
+      params: {bind_port: bind_port}
+    )
+  end
+
+  describe "#bind_port" do
+    it "must return the bind_port param value" do
+      expect(subject.bind_port).to eq(bind_port)
+    end
+  end
+end

data/spec/params/filename_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+require 'ronin/exploits/params/filename'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::Filename do
+  module TestFilenameParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::Filename
+    end
+
+    class TextExploitWithDefaultFilename < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::Filename
+      default_filename 'exploit.docx'
+    end
+  end
+
+  describe ".included" do
+    subject { TestFilenameParam::TestExploit }
+
+    it "must include Ronin::Exploits::Metadata::DefaultFilename" do
+      expect(subject).to include(Ronin::Exploits::Metadata::DefaultFilename)
+    end
+
+    it "must add a required 'filename' param to the exploit class" do
+      expect(subject.params[:filename]).to_not be_nil
+      expect(subject.params[:filename].type).to be_kind_of(Ronin::Core::Params::Types::String)
+      expect(subject.params[:filename].required?).to be(true)
+      expect(subject.params[:filename].default).to be_kind_of(Proc)
+      expect(subject.params[:filename].desc).to eq("The filename for the exploit")
+    end
+  end
+
+  let(:exploit_class) { TestFilenameParam::TestExploit }
+
+  let(:filename) { 'my-file.txt' }
+
+  subject do
+    exploit_class.new(
+      params: {filename: filename}
+    )
+  end
+
+  describe "#filename" do
+    it "must return the filename param value" do
+      expect(subject.filename).to eq(filename)
+    end
+
+    context "when no filename param value is set" do
+      subject do
+        exploit_class.new
+      end
+
+      it "must require a filename value" do
+        expect {
+          subject.validate_params
+        }.to raise_error(Ronin::Core::Params::RequiredParam,"param 'filename' requires a value")
+      end
+    end
+
+    context "when the exploit class defines a default_filename" do
+      context "and the filename param value is set" do
+        it "must override the default_filename value" do
+          expect(subject.filename).to eq(filename)
+        end
+      end
+
+      context "but no filename param value has been set" do
+        let(:exploit_class) { TestFilenameParam::TextExploitWithDefaultFilename }
+        subject { exploit_class.new }
+
+        it "must default to the default_filename value" do
+          expect(subject.filename).to eq(exploit_class.default_filename)
+        end
+      end
+    end
+  end
+end

data/spec/params/host_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+require 'ronin/exploits/params/host'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::Host do
+  module TestHostParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::Host
+    end
+  end
+
+  describe ".included" do
+    subject { TestHostParam::TestExploit }
+
+    it "must add a required 'host' param to the exploit class" do
+      expect(subject.params[:host]).to_not be_nil
+      expect(subject.params[:host].required?).to be(true)
+      expect(subject.params[:host].desc).to eq("Remote host to connect to")
+    end
+  end
+
+  let(:host) { 'example.com' }
+  subject do
+    TestHostParam::TestExploit.new(
+      params: {host: host}
+    )
+  end
+
+  describe "#host" do
+    it "must return the host param value" do
+      expect(subject.host).to eq(host)
+    end
+  end
+end

data/spec/params/port_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+require 'ronin/exploits/params/port'
+require 'ronin/exploits/exploit'
+
+describe Ronin::Exploits::Params::Port do
+  module TestPortParam
+    class TestExploit < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::Port
+    end
+
+    class TextExploitWithDefaultPort < Ronin::Exploits::Exploit
+      include Ronin::Exploits::Params::Port
+      default_port 123
+    end
+  end
+
+  describe ".included" do
+    subject { TestPortParam::TestExploit }
+
+    it "must include Ronin::Exploits::Metadata::DefaultPort" do
+      expect(subject).to include(Ronin::Exploits::Metadata::DefaultPort)
+    end
+
+    it "must add a required 'port' param to the exploit class" do
+      expect(subject.params[:port]).to_not be_nil
+      expect(subject.params[:port].type).to be_kind_of(Ronin::Core::Params::Types::Integer)
+      expect(subject.params[:port].required?).to be(true)
+      expect(subject.params[:port].default).to be_kind_of(Proc)
+      expect(subject.params[:port].desc).to eq("Remote port to connect to")
+    end
+  end
+
+  let(:exploit_class) { TestPortParam::TestExploit }
+
+  let(:port) { 1337 }
+
+  subject do
+    exploit_class.new(
+      params: {port: port}
+    )
+  end
+
+  describe "#port" do
+    it "must return the port param value" do
+      expect(subject.port).to eq(port)
+    end
+
+    context "when no port param value is set" do
+      subject do
+        exploit_class.new
+      end
+
+      it "must require a port value" do
+        expect {
+          subject.validate_params
+        }.to raise_error(Ronin::Core::Params::RequiredParam,"param 'port' requires a value")
+      end
+    end
+
+    context "when the exploit class defines a default_port" do
+      context "and the port param value is set" do
+        it "must override the default_port value" do
+          expect(subject.port).to eq(port)
+        end
+      end
+
+      context "but no port param value has been set" do
+        let(:exploit_class) { TestPortParam::TextExploitWithDefaultPort }
+        subject { exploit_class.new }
+
+        it "must default to the default_port value" do
+          expect(subject.port).to eq(exploit_class.default_port)
+        end
+      end
+    end
+  end
+end

data/spec/rfi_spec.rb

@@ -0,0 +1,107 @@
+require 'spec_helper'
+require 'ronin/exploits/rfi'
+
+describe Ronin::Exploits::RFI do
+  module TestRFI
+    class TestExploit < Ronin::Exploits::RFI
+      base_path '/showimage.php'
+      query_param 'file'
+    end
+  end
+
+  let(:exploit_class) { TestRFI::TestExploit }
+
+  let(:base_url) { 'http://testphp.vulnweb.com' }
+
+  subject do
+    exploit_class.new(
+      params: {
+        base_url: base_url
+      }
+    )
+  end
+
+  describe ".exploit_type" do
+    subject { described_class }
+
+    it { expect(subject.exploit_type).to eq(:rfi) }
+  end
+
+  describe "#vuln" do
+    it "must return a Ronin::Vulns::RFI object" do
+      expect(subject.vuln).to be_kind_of(Ronin::Vulns::RFI)
+    end
+
+    it "must set the #url attribute of the RFI vuln object" do
+      expect(subject.vuln.url).to eq(subject.url)
+    end
+
+    it "must infer the #test_scrript_url from the #url attribute" do
+      expect(subject.vuln.test_script_url).to eq(Ronin::Vulns::RFI.test_script_for(subject.vuln.url))
+    end
+
+    context "when the 'test_script_url' param is set" do
+      let(:test_script_url) { 'https://myhost.com/path/to/test_script.php' }
+
+      subject do
+        exploit_class.new(
+          params: {
+            base_url:        base_url,
+            test_script_url: test_script_url
+          }
+        )
+      end
+
+      it "must set the #test_script_url for the RFI vuln object" do
+        expect(subject.vuln.test_script_url).to eq(test_script_url)
+      end
+    end
+
+    it "must not set the #filter_bypass attribute of the RFI vuln object by default" do
+      expect(subject.vuln.filter_bypass).to be(nil)
+    end
+
+    context "when the 'filter_bypass' param is set" do
+      let(:filter_bypass) { :double_encode }
+
+      subject do
+        exploit_class.new(
+          params: {
+            base_url:      base_url,
+            filter_bypass: filter_bypass
+          }
+        )
+      end
+
+      it "must set the #filter_bypass attribute of the RFI vuln object to the 'filter_bypass' param" do
+        expect(subject.vuln.filter_bypass).to eq(filter_bypass)
+      end
+    end
+  end
+
+  describe "#launch" do
+    module TestRFI
+      class RFIPayload < Ronin::Payloads::URLPayload
+        url 'https://example.com/path/to/payload.php'
+      end
+    end
+
+    let(:payload_class) { TestRFI::RFIPayload }
+    let(:payload)       { payload_class.new   }
+
+    subject do
+      exploit_class.new(
+        payload: payload,
+        params: {
+          base_url: base_url
+        }
+      )
+    end
+
+    it "must call #exploit on the #vuln object with the #payload" do
+      expect(subject.vuln).to receive(:exploit).with(payload)
+
+      subject.launch
+    end
+  end
+end

data/spec/seh_overflow_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+require 'ronin/exploits/seh_overflow'
+
+describe Ronin::Exploits::SEHOverflow do
+  it "must inherit from Ronin::Exploits::MemoryCorruption" do
+    expect(described_class).to be < Ronin::Exploits::MemoryCorruption
+  end
+
+  it "must include Ronin::Exploits::Mixins::SEH" do
+    expect(described_class).to include(Ronin::Exploits::Mixins::SEH)
+  end
+
+  describe ".exploit_type" do
+    subject { described_class }
+
+    it { expect(subject.exploit_type).to eq(:seh_overflow) }
+  end
+end

data/spec/spec_helper.rb

@@ -1,12 +1,8 @@
-require 'rubygems'
-gem 'rspec', '>=1.2.8'
-require 'spec'
+require 'rspec'
+require 'simplecov'
 
-require 'ronin/exploits/version'
-require 'ronin/ui/output'
+SimpleCov.start
 
-include Ronin
-
-UI::Output.silent = true
-
-require 'helpers/database'
+RSpec.configure do |specs|
+  specs.filter_run_excluding :network
+end