ronin-exploits 0.3.1 → 1.0.0.beta2

data/lib/ronin/exploits/heap_overflow.rb

@@ -0,0 +1,50 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/memory_corruption'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a head overflow exploit.
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class HeapOverflow < MemoryCorruption
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :heap_overflow
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/lfi.rb

@@ -0,0 +1,141 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/web_vuln'
+
+require 'ronin/vulns/lfi'
+
+module Ronin
+  module Exploits
+    #
+    # Represents a [Local File Inclusion (LFI)][LFI] exploit.
+    #
+    # [LFI]: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
+    #
+    # ## Example
+    #
+    #     require 'ronin/exploits/lfi'
+    #     
+    #     module Ronin
+    #       module Exploits
+    #         class MyExploit < LFI
+    #     
+    #           register 'my_exploit'
+    #    
+    #           base_path '/path/to/page.php'
+    #           query_param 'template'
+    #           depth 7
+    #    
+    #         end
+    #       end
+    #     end
+    #
+    # @api public
+    #
+    # @since 1.0.0
+    #
+    class LFI < WebVuln
+
+      references [
+        'https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion'
+      ]
+
+      param :os, Enum[:unix, :windows], default: :unix,
+                                        desc: 'Which OS to target'
+
+      param :filter_bypass, Enum[
+                              :null_byte,
+                              :double_escape,
+                              :base64,
+                              :rot13,
+                              :zlib
+                            ],
+                            desc: 'Optional filter-bypass strategy to use'
+
+      #
+      # Gets or sets the directory traversal depth for the LFI vulnerability.
+      #
+      # @param [Integer, nil] new_depth
+      #   The optional new directory trasversal depth to set.
+      #
+      # @return [Integer]
+      #   The LFI vulnerability's directory traverse depth.
+      #   Defaults to `Ronin::Vulns::LFI::DEFAULT_DEPTH`.
+      #
+      # @example
+      #   depth 7
+      #
+      def self.depth(new_depth=nil)
+        if new_depth
+          @depth = new_depth
+        else
+          @depth || if superclass < LFI
+                      superclass.depth
+                    else
+                      Vulns::LFI::DEFAULT_DEPTH
+                    end
+        end
+      end
+
+      param :depth, Integer, default: depth,
+                             desc: 'The number of directories to escape up'
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :lfi
+      end
+
+      #
+      # The directory traversal depth for the LFI exploit.
+      #
+      # @return [Integer]
+      #
+      # @see depth
+      #
+      def depth
+        self.class.depth
+      end
+
+      #
+      # The Local File Inclusion (LFI) vulnerability to exploit.
+      #
+      # @return [Ronin::Vulns::LFI]
+      #
+      def vuln
+        @vuln ||= Vulns::LFI.new(
+                    url, os:            params[:os],
+                         depth:         depth,
+                         filter_bypass: params[:filter_bypass],
+                         **web_vuln_kwargs
+                  )
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/loot/file.rb

@@ -0,0 +1,113 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'json'
+require 'yaml'
+require 'csv'
+require 'fileutils'
+
+module Ronin
+  module Exploits
+    class Loot
+      #
+      # Represents a loot file.
+      #
+      # @api private
+      #
+      # @since 1.0.0
+      #
+      class File
+
+        # The file name or relative path of the loot file.
+        #
+        # @return [String]
+        attr_reader :path
+
+        # The contents of the loot file.
+        #
+        # @return [String, Array, Hash, #to_s]
+        attr_reader :contents
+
+        # The desired output format for the loot file.
+        #
+        # @return [:json, :yaml, :csv, nil]
+        attr_reader :format
+
+        #
+        # Initializes the loot file.
+        #
+        # @param [Stirng] path
+        #   The file name or relative path of the loot file.
+        #
+        # @param [String, Array, Hash, #to_s] contents
+        #   The contents of the loot file.
+        #
+        # @param [:json, :yaml, :csv, nil] format
+        #   The optional output format to serialize the loot file data as.
+        #
+        def initialize(path,contents, format: nil)
+          @path     = path
+          @contents = contents
+          @format   = format
+        end
+
+        #
+        # Converts the loot file into a String.
+        #
+        # @return [String]
+        #   The contents of the loot file.
+        #
+        # @raise [NotImplementedError]
+        #   The {#format} value is not supported.
+        #
+        def to_s
+          case @format
+          when :json then JSON.pretty_generate(@contents)
+          when :yaml then YAML.dump(@contents)
+          when :csv 
+            CSV.generate do |csv|
+              @contents.each do |row|
+                csv << row
+              end
+            end
+          when nil
+            @contents.to_s
+          else
+            raise(NotImplementedError,"unsupported loot format: #{@format.inspect}")
+          end
+        end
+
+        #
+        # Saves the loot file to the output directory.
+        #
+        # @param [String] output_dir
+        #   The output directory to save the loot file into.
+        #
+        def save(output_dir)
+          absolute_path = ::File.join(output_dir,@path)
+
+          FileUtils.mkdir_p(::File.dirname(absolute_path))
+          ::File.binwrite(absolute_path,self.to_s)
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/exploits/loot.rb

@@ -0,0 +1,119 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/loot/file'
+
+require 'fileutils'
+
+module Ronin
+  module Exploits
+    #
+    # Represents an exploit's loot store.
+    #
+    # @api private
+    #
+    # @since 1.0.0
+    #
+    class Loot
+
+      include Enumerable
+
+      #
+      # Initializes the loot store.
+      #
+      def initialize
+        @files = {}
+      end
+
+      #
+      # Adds a captured loot file to the loot store.
+      #
+      # @param [String] path
+      #   The file name or relative path for the loot file.
+      #
+      # @param [String, Array, Hash, #to_s] contents
+      #   The contents of the loot file.
+      #
+      # @param [Hash{Symbol => Object}] kwargs
+      #   Additional keyword arguments for {File#initialize}.
+      #
+      # @option kwargs [:json, :yaml, :csv, nil] :format
+      #   Optional export format to use.
+      #
+      # @api public
+      #
+      def add(path,contents,**kwargs)
+        @files[path] = File.new(path,contents,**kwargs)
+      end
+
+      #
+      # Accesses a loot file in the loot store.
+      #
+      # @param [String] path
+      #   The file name or relative path for the loot file.
+      #
+      # @return [File, nil]
+      #   The matching loot file for the given path.
+      #
+      def [](path)
+        @files[path]
+      end
+
+      #
+      # Enumerates over each loot file.
+      #
+      # @yield [file]
+      #   The given block will be passed each loot file.
+      #
+      # @yieldparam [File] file
+      #   A loot file in the loot store.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def each(&block)
+        @files.each_value(&block)
+      end
+
+      #
+      # Determines if the loot store is empty or not.
+      #
+      # @return [Boolean]
+      #
+      def empty?
+        @files.empty?
+      end
+
+      #
+      # Saves the loot files to the output directory.
+      #
+      # @param [String] output_dir
+      #
+      def save(output_dir)
+        FileUtils.mkdir_p(output_dir)
+
+        @files.each_value do |file|
+          file.save(output_dir)
+        end
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/memory_corruption.rb

@@ -0,0 +1,53 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/exploit'
+require 'ronin/exploits/metadata/arch'
+require 'ronin/exploits/metadata/os'
+
+module Ronin
+  module Exploits
+    #
+    # Base-class that represents all memory corruption type exploits.
+    #
+    # @since 1.0.0
+    #
+    class MemoryCorruption < Exploit
+
+      include Metadata::Arch
+      include Metadata::OS
+
+      #
+      # Returns the type or kind of exploit.
+      #
+      # @return [Symbol]
+      #
+      # @note
+      #   This is used internally to map an exploit class to a printable type.
+      #
+      # @api private
+      #
+      def self.exploit_type
+        :memory_corruption
+      end
+
+    end
+  end
+end

data/lib/ronin/exploits/metadata/arch.rb

@@ -0,0 +1,83 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Metadata
+      #
+      # Metadata mixin that allows an exploit to define which architecture it
+      # specifically targets.
+      #
+      module Arch
+        #
+        # Adds an {ClassMethods#arch arch} metadata attribute to the exploit.
+        #
+        # @param [Class<Ronin::Exploits::Exploit>] exploit
+        #   The exploit class that is including {Metadata::Arch}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.extend ClassMethods
+        end
+
+        module ClassMethods
+          #
+          # Gets or sets the exploits's targetted architecture.
+          #
+          # @param [:x86, :x86_64, :ia64, :amd64, :ppc, :ppc64, :mips, :mips_le, :mips_be, :mips64, :mips64_le, :mips64_be, :arm, :arm_le, :arm_be, :arm64, :arm64_le, :arm64_be, nil] new_arch
+          #   The optional new architecture to set.
+          #
+          # @return [:x86, :x86_64, :ia64, :amd64, :ppc, :ppc64, :mips, :mips_le, :mips_be, :mips64, :mips64_le, :mips64_be, :arm, :arm_le, :arm_be, :arm64, :arm64_le, :arm64_be, nil]
+          #   The exploit's architecture.
+          #
+          # @example
+          #   arch :x86_64
+          #
+          # @api public
+          #
+          def arch(new_arch=nil)
+            if new_arch
+              @arch = new_arch
+            else
+              @arch ||= if superclass.kind_of?(ClassMethods)
+                          superclass.arch
+                        end
+            end
+          end
+        end
+
+        #
+        # The architecture that the exploit targets.
+        #
+        # @return [:x86, :x86_64, :ia64, :amd64, :ppc, :ppc64, :mips, :mips_le, :mips_be, :mips64, :mips64_le, :mips64_be, :arm, :arm_le, :arm_be, :arm64, :arm64_le, :arm64_be, nil]
+        #   The exploit's architecture.
+        #
+        # @see ClassMethods#arch
+        #
+        # @api public
+        #
+        def arch
+          self.class.arch
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/metadata/cookie_param.rb

@@ -0,0 +1,80 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Metadata
+      #
+      # Adds a {CookieParam::ClassMethods#cookie_param cookie_param} metadata
+      # attribute to an exploit class.
+      #
+      module CookieParam
+        #
+        # Adds {ClassMethods} to the exploit class.
+        #
+        # @param [Class<Exploit>] exploit
+        #   The exploit class including {CookieParam}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.extend ClassMethods
+        end
+
+        module ClassMethods
+          #
+          # Get or sets the target Cookie param of the exploit.
+          #
+          # @param [String, nil] new_cookie_param
+          #   The optional new Cookie param value to set.
+          #
+          # @return [String, nil]
+          #   The set Cookie param value.
+          #
+          # @api public
+          #
+          def cookie_param(new_cookie_param=nil)
+            if new_cookie_param
+              @cookie_param = new_cookie_param
+            else
+              @cookie_param ||= if superclass.kind_of?(ClassMethods)
+                                  superclass.cookie_param
+                                end
+            end
+          end
+        end
+
+        #
+        # The target Cookie param of the exploit.
+        #
+        # @return [String, nil]
+        #   The Cookie param name to exploit.
+        #
+        # @api public
+        #
+        # @see ClassMethods#cookie_param
+        #
+        def cookie_param
+          self.class.cookie_param
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/metadata/default_filename.rb

@@ -0,0 +1,69 @@
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Exploits
+    module Metadata
+      #
+      # Metadata mixin that allows an exploit to define a default filename.
+      #
+      module DefaultFilename
+        #
+        # Adds an {ClassMethods#default_filename default_filename} metadata
+        # attribute to the exploit.
+        #
+        # @param [Class<Ronin::Exploits::Exploit>] exploit
+        #   The exploit class that is including {Metadata::DefaultFilename}.
+        #
+        # @api private
+        #
+        def self.included(exploit)
+          exploit.extend ClassMethods
+        end
+
+        module ClassMethods
+          #
+          # Gets or sets the exploits's default filename.
+          #
+          # @param [Integer, nil] new_default_filename
+          #   The optional new default filename to set.
+          #
+          # @return [Integer, nil]
+          #   The exploit's default filename.
+          #
+          # @example
+          #   default_filename 'exploit.docx'
+          #
+          # @api public
+          #
+          def default_filename(new_default_filename=nil)
+            if new_default_filename
+              @default_filename = new_default_filename
+            else
+              @default_filename ||= if superclass.kind_of?(ClassMethods)
+                                      superclass.default_filename
+                                    end
+            end
+          end
+        end
+      end
+    end
+  end
+end