ronin-exploits 0.3.1 → 1.0.0.beta2

data/lib/ronin/exploits/mixins/remote_udp.rb

@@ -0,0 +1,264 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/support/network/udp/mixin'
+require 'ronin/exploits/params/host'
+require 'ronin/exploits/params/port'
+require 'ronin/exploits/params/bind_host'
+require 'ronin/exploits/params/bind_port'
+
+module Ronin
+  module Exploits
+    module Mixins
+      #
+      # Adds UDP helper methods for communicating with a remote host.
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module RemoteUDP
+        include Support::Network::UDP::Mixin
+
+        #
+        # Includes {Params::Host}, {Params::Port}, {Params::BindHost}, and
+        # {Params::BindPort} into the exploit class that is including
+        # {Mixins::RemoteUDP}.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class that is including {Mixins::RemoteUDP}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.include Params::Host
+          exploit.include Params::Port
+          exploit.include Params::BindHost
+          exploit.include Params::BindPort
+        end
+
+        #
+        # Tests whether a remote UDP port is open.
+        #
+        # @param [String] host
+        #   The host to connect to.
+        #
+        # @param [Integer] port
+        #   The port to connect to.
+        #
+        # @param [Hash{Symbol => Object}] kwargs
+        #   Additional keyword arguments for {#udp_connect}.
+        #
+        # @option kwargs [String, nil] :bind_host
+        #   The local host to bind to.
+        #
+        # @option kwargs [Integer, nil] :bind_port
+        #   The local port to bind to.
+        #
+        # @option kwargs [Integer] :timeout (5)
+        #   The maximum time to attempt connecting.
+        #
+        # @return [Boolean, nil]
+        #   Specifies whether the remote UDP port is open.
+        #   If no data or ICMP error were received, `nil` will be returned.
+        #
+        # @example
+        #   udp_open?
+        #   # => true
+        #
+        # @example Using a timeout:
+        #   udp_open?(timeout: 5)
+        #   # => nil
+        #
+        def udp_open?(host=params[:host],port=params[:port],
+                      bind_host: params[:bind_host],
+                      bind_port: params[:bind_port],
+                      **kwargs)
+          if debug?
+            print_debug "Testing if #{host}:#{port} is open ..."
+          end
+
+          super(host,port, bind_host: bind_host,
+                           bind_port: bind_port,
+                           **kwargs)
+        end
+
+        #
+        # Creates a new UDPSocket object connected to a given host and port.
+        #
+        # @param [String] host
+        #   The host to connect to.
+        #
+        # @param [Integer] port
+        #   The port to connect to.
+        #
+        # @param [String, nil] bind_host
+        #   The local host to bind to.
+        #
+        # @param [Integer, nil] bind_port
+        #   The local port to bind to.
+        #
+        # @yield [socket]
+        #   If a block is given, it will be passed the newly created socket.
+        #   Once the block returns the socket will be closed.
+        #
+        # @yieldparam [UDPsocket] socket
+        #   The newly created UDP socket.
+        #
+        # @return [UDPSocket, nil]
+        #   The newly created UDP socket object. If a block is given a `nil`
+        #   will be returned.
+        #
+        # @example
+        #   udp_connect
+        #   # => #<UDPSocket:fd 5, AF_INET, 192.168.122.165, 48313>
+        #
+        # @example
+        #   udp_connect do |socket|
+        #     # ...
+        #   end
+        #
+        # @see https://rubydoc.info/stdlib/socket/UDPSocket
+        #
+        def udp_connect(host=params[:host],port=params[:port],
+                        bind_host: params[:bind_host],
+                        bind_port: params[:bind_port],
+                        &block)
+          if debug?
+            print_debug "Connecting to #{host}:#{port} ..."
+          end
+
+          super(host,port, bind_host: bind_host,
+                           bind_port: bind_port,
+                           &block)
+        end
+
+        #
+        # Creates a new UDPSocket object, connected to a given host and port.
+        # The given data will then be written to the newly created UDPSocket.
+        #
+        # @param [String] data
+        #   The data to send through the connection.
+        #
+        # @param [String] host
+        #   The host to connect to.
+        #
+        # @param [Integer] port
+        #   The port to connect to.
+        #
+        # @param [String, nil] bind_host
+        #   The local host to bind to.
+        #
+        # @param [Integer, nil] bind_port
+        #   The local port to bind to.
+        #
+        # @yield [socket]
+        #   If a block is given, it will be passed the newly created socket.
+        #
+        # @yieldparam [UDPsocket] socket
+        #   The newly created UDPSocket object.
+        #
+        # @return [UDPSocket]
+        #   The newly created UDPSocket object.
+        #
+        def udp_connect_and_send(data,host=params[:host],port=params[:port],
+                                 bind_host: params[:bind_host],
+                                 bind_port: params[:bind_port],
+                                 &block)
+          if debug?
+            print_debug "Connecting to #{host}:#{port} and sending #{data.inspect} ..."
+          end
+
+          super(data,host,port, bind_host: bind_host,
+                                bind_port: bind_port,
+                                &block)
+        end
+
+        #
+        # Reads the banner from the service running on the given host and
+        # port.
+        #
+        # @param [String] host
+        #   The host to connect to.
+        #
+        # @param [Integer] port
+        #   The port to connect to.
+        #
+        # @param [String, nil] bind_host
+        #   The local host to bind to.
+        #
+        # @param [Integer, nil] bind_port
+        #   The local port to bind to.
+        #
+        # @yield [banner]
+        #   If a block is given, it will be passed the grabbed banner.
+        #
+        # @yieldparam [String] banner
+        #   The grabbed banner.
+        #
+        # @return [String]
+        #   The grabbed banner.
+        #
+        def udp_banner(host=params[:host],port=params[:port], bind_host: params[:bind_host], bind_port: params[:bind_port])
+          if debug?
+            print_debug "Fetching the banner for #{host}:#{port} ..."
+          end
+
+          super(host,port,bind_host: bind_host, bind_port: bind_port)
+        end
+
+        #
+        # Connects to a specified host and port, sends the given data and then
+        # closes the connection.
+        #
+        # @param [String] data
+        #   The data to send through the connection.
+        #
+        # @param [String] host
+        #   The host to connect to.
+        #
+        # @param [Integer] port
+        #   The port to connect to.
+        #
+        # @param [String, nil] bind_host
+        #   The local host to bind to.
+        #
+        # @param [Integer, nil] bind_port
+        #   The local port to bind to.
+        #
+        # @return [true]
+        #   The data was successfully sent.
+        #
+        # @example
+        #   buffer = "GET /" + ('A' * 4096) + "\n\r"
+        #   udp_send(buffer)
+        #   # => true
+        #
+        def udp_send(data,host=params[:host],port=params[:port], bind_host: params[:bind_host], bind_port: params[:bind_port])
+          if debug?
+            print_debug "Sending #{data.inspect} to #{host}:#{port} ..."
+          end
+
+          super(data,host,port, bind_host: bind_host, bind_port: bind_port)
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/mixins/seh.rb

@@ -0,0 +1,136 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/mixins/text'
+require 'ronin/exploits/mixins/binary'
+require 'ronin/exploits/mixins/nops'
+
+module Ronin
+  module Exploits
+    module Mixins
+      #
+      # Methods for building Structured Exception Handler (SEH) buffer
+      # overflows.
+      #
+      # ## Example
+      #
+      #     include Mixins::SEH
+      #
+      #     def build
+      #       nseh = 0x06eb9090 # short jump 6 bytes
+      #       seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+      #
+      #       buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
+      #       # ...
+      #     end
+      #
+      # If you want more control over how the buffer is constructed:
+      #
+      #     include Mixins::SEH
+      #
+      #     def build
+      #       nseh = 0x06eb9090 # short jump 6 bytes
+      #       seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+      #
+      #       buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
+      #       # ...
+      #     end
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module SEH
+        include Text
+        include Binary
+        include NOPS
+
+        #
+        # Creates a SEH record.
+        #
+        # @param [Integer] nseh
+        #   The address to the next SEH record.
+        #
+        # @param [Integer] seh
+        #   The address to the SEH exception handler for the record that we
+        #   want to call.
+        #
+        # @return [String]
+        #   The SEH record.
+        #
+        # @example
+        #   nseh = 0x06eb9090 # short jump 6 bytes
+        #   seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+        #
+        #   buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
+        #
+        # @api public
+        #
+        def seh_record(nseh,seh)
+          pack(:machine_word,nseh) + pack(:machine_word,seh)
+        end
+
+        #
+        # Builds a SEH buffer overflow.
+        #
+        # @param [Integer] length
+        #   The desired length of the buffer.
+        #
+        # @param [Integer, nil] nops
+        #   The optional amount of NOPs to add before the payload.
+        #
+        # @param [#to_s] payload
+        #   The payload to add to the buffer.
+        #
+        # @param [Integer] nseh
+        #   The address to the next SEH record.
+        #
+        # @param [Integer] seh
+        #   The address to the SEH exception handler for the record that we
+        #   want to call.
+        #
+        # @return [String]
+        #   The SEH buffer overflow.
+        #
+        # @example
+        #   nseh = 0x06eb9090 # short jump 6 bytes
+        #   seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+        #
+        #   buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
+        #
+        # @api public
+        #
+        def seh_buffer_overflow(length: , nops: nil, payload: , nseh: , seh: )
+          payload = payload.to_s
+          payload = self.nops(nops) + payload if nops
+
+          seh_record = self.seh_record(nseh,seh)
+
+          buffer = String.new(encoding: Encoding::ASCII_8BIT)
+          buffer << junk(length - payload.bytesize - seh_record.bytesize)
+          buffer << payload
+          buffer << seh_record
+
+          return buffer
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/mixins/stack_overflow.rb

@@ -0,0 +1,124 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/mixins/binary'
+require 'ronin/exploits/mixins/nops'
+require 'ronin/exploits/mixins/text'
+
+module Ronin
+  module Exploits
+    module Mixins
+      #
+      # Methods for building Stack Overflow buffers.
+      #
+      # ## Example
+      #
+      #     include Mixins::StackOverflow
+      #
+      #     def build
+      #       ebp = 0x06eb9090
+      #       eip = 0x1001ae86
+      #
+      #       buffer = buffer_overflow(length: 1024, nops: 16, payload: payload, bp: ebp, ip: eip)
+      #       # ...
+      #     end
+      #
+      # If you want more control over how the buffer is constructed:
+      #
+      #     include Mixins::StackOverflow
+      #
+      #     def build
+      #       ebp = 0x06eb9090
+      #       eip = 0x1001ae86
+      #
+      #       buffer = junk(1024) + nops(16) + payload + stack_frame(ebp,eip)
+      #       # ...
+      #     end
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module StackOverflow
+        include Binary
+        include NOPS
+        include Text
+
+        #
+        # Creates a new stack frame.
+        #
+        # @param [Integer] bp
+        #   The stack base pointer address.
+        #
+        # @param [Integer] ip
+        #   The instruction pointer address.
+        #
+        # @return [String]
+        #   The new stack frame.
+        #
+        def stack_frame(bp,ip)
+          pack(:machine_word,bp) + pack(:machine_word,ip)
+        end
+
+        #
+        # Builds the stack overflow buffer containing the payload, nops, and a
+        # stack frame.
+        #
+        # @param [Integer] length
+        #   The desired total length of the buffer.
+        #
+        # @param [Integer, nil] nops
+        #   The amount of NOP padding before the payload.
+        #
+        # @param [#to_s] payload
+        #   The payload to add to the buffer.
+        #
+        # @param [Integer] bp
+        #   The stack base pointer address.
+        #
+        # @param [Integer] ip
+        #   The instruction pointer address.
+        #
+        # @return [String]
+        #   The built buffer.
+        #
+        # @example
+        #   ebp = 0x06eb9090 # short jump 6 bytes
+        #   eip = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
+        #   
+        #   buffer = buffer_overflow(length: 1024, nops: 16, payload: payload, bp: ebp, ip: eip)
+        #
+        def buffer_overflow(length: , nops: nil, payload: , bp: , ip: )
+          payload = payload.to_s
+          payload = self.nops(nops) + payload if nops
+
+          stack_frame = self.stack_frame(bp,ip)
+
+          buffer = String.new(encoding: Encoding::ASCII_8BIT)
+          buffer << junk(length - payload.bytesize - stack_frame.bytesize)
+          buffer << payload
+          buffer << stack_frame
+
+          return buffer
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/mixins/text.rb

@@ -0,0 +1,65 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/support/text/random/mixin'
+
+module Ronin
+  module Exploits
+    module Mixins
+      #
+      # Generates random text data.
+      #
+      # ## Example
+      #
+      #   include Mixins::Text
+      #
+      #   def build
+      #     buffer = 'GET /' + random_alpha_numeric(5) + '/' + junk(1024) + payload
+      #     # ...
+      #   end
+      #
+      # @api public
+      #
+      # @since 1.0.0
+      #
+      module Text
+        include Support::Text::Random::Mixin
+
+        #
+        # Creates a String of junk data.
+        #
+        # @param [String] char
+        #   The character or String or repeat.
+        #
+        # @param [Integer] count
+        #   The number of times to repeat the character or String.
+        #
+        # @return [String]
+        #   The junk data String.
+        #
+        # @api public
+        #
+        def junk(char='A',count)
+          char * count
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/mixins.rb

@@ -0,0 +1,32 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/mixins/binary'
+require 'ronin/exploits/mixins/file_builder'
+require 'ronin/exploits/mixins/format_string'
+require 'ronin/exploits/mixins/has_payload'
+require 'ronin/exploits/mixins/has_targets'
+require 'ronin/exploits/mixins/http'
+require 'ronin/exploits/mixins/text'
+require 'ronin/exploits/mixins/nops'
+require 'ronin/exploits/mixins/remote_tcp'
+require 'ronin/exploits/mixins/remote_udp'
+require 'ronin/exploits/mixins/seh'
+require 'ronin/exploits/mixins/stack_overflow'