ronin-exploits 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/ruby.yml +14 -0
- data/.rubocop.yml +61 -0
- data/ChangeLog.md +13 -2
- data/Gemfile +5 -1
- data/Rakefile +3 -1
- data/bin/ronin-exploits +6 -7
- data/gemspec.yml +3 -3
- data/lib/ronin/exploits/advisory.rb +1 -0
- data/lib/ronin/exploits/cli/command.rb +1 -0
- data/lib/ronin/exploits/cli/commands/irb.rb +1 -0
- data/lib/ronin/exploits/cli/commands/list.rb +1 -0
- data/lib/ronin/exploits/cli/commands/new.rb +12 -1
- data/lib/ronin/exploits/cli/commands/run.rb +40 -21
- data/lib/ronin/exploits/cli/commands/show.rb +11 -8
- data/lib/ronin/exploits/cli/exploit_command.rb +4 -0
- data/lib/ronin/exploits/cli/exploit_methods.rb +4 -0
- data/lib/ronin/exploits/cli/ruby_shell.rb +1 -0
- data/lib/ronin/exploits/cli.rb +1 -0
- data/lib/ronin/exploits/client_side_web_vuln.rb +1 -0
- data/lib/ronin/exploits/exceptions.rb +1 -0
- data/lib/ronin/exploits/exploit.rb +20 -16
- data/lib/ronin/exploits/heap_overflow.rb +1 -0
- data/lib/ronin/exploits/lfi.rb +6 -6
- data/lib/ronin/exploits/loot/file.rb +2 -1
- data/lib/ronin/exploits/loot.rb +1 -0
- data/lib/ronin/exploits/memory_corruption.rb +1 -0
- data/lib/ronin/exploits/metadata/arch.rb +4 -0
- data/lib/ronin/exploits/metadata/cookie_param.rb +4 -0
- data/lib/ronin/exploits/metadata/default_filename.rb +4 -0
- data/lib/ronin/exploits/metadata/default_port.rb +4 -0
- data/lib/ronin/exploits/metadata/header_name.rb +4 -0
- data/lib/ronin/exploits/metadata/os.rb +4 -0
- data/lib/ronin/exploits/metadata/shouts.rb +17 -9
- data/lib/ronin/exploits/metadata/url_path.rb +4 -0
- data/lib/ronin/exploits/metadata/url_query_param.rb +4 -0
- data/lib/ronin/exploits/mixins/binary.rb +1 -0
- data/lib/ronin/exploits/mixins/file_builder.rb +3 -2
- data/lib/ronin/exploits/mixins/format_string.rb +4 -3
- data/lib/ronin/exploits/mixins/has_payload.rb +4 -3
- data/lib/ronin/exploits/mixins/has_targets.rb +1 -0
- data/lib/ronin/exploits/mixins/html.rb +4 -0
- data/lib/ronin/exploits/mixins/http.rb +24 -19
- data/lib/ronin/exploits/mixins/loot.rb +3 -2
- data/lib/ronin/exploits/mixins/nops.rb +4 -4
- data/lib/ronin/exploits/mixins/remote_tcp.rb +2 -1
- data/lib/ronin/exploits/mixins/remote_udp.rb +1 -0
- data/lib/ronin/exploits/mixins/seh.rb +1 -0
- data/lib/ronin/exploits/mixins/stack_overflow.rb +2 -1
- data/lib/ronin/exploits/mixins/text.rb +1 -0
- data/lib/ronin/exploits/mixins.rb +1 -0
- data/lib/ronin/exploits/open_redirect.rb +5 -4
- data/lib/ronin/exploits/params/base_url.rb +1 -0
- data/lib/ronin/exploits/params/bind_host.rb +1 -0
- data/lib/ronin/exploits/params/bind_port.rb +1 -0
- data/lib/ronin/exploits/params/filename.rb +3 -2
- data/lib/ronin/exploits/params/host.rb +1 -0
- data/lib/ronin/exploits/params/port.rb +3 -2
- data/lib/ronin/exploits/registry.rb +4 -0
- data/lib/ronin/exploits/rfi.rb +9 -6
- data/lib/ronin/exploits/root.rb +1 -0
- data/lib/ronin/exploits/seh_overflow.rb +9 -8
- data/lib/ronin/exploits/sqli.rb +11 -10
- data/lib/ronin/exploits/ssti.rb +5 -4
- data/lib/ronin/exploits/stack_overflow.rb +9 -8
- data/lib/ronin/exploits/target.rb +1 -0
- data/lib/ronin/exploits/test_result.rb +2 -1
- data/lib/ronin/exploits/use_after_free.rb +1 -0
- data/lib/ronin/exploits/version.rb +2 -1
- data/lib/ronin/exploits/web.rb +1 -0
- data/lib/ronin/exploits/web_vuln.rb +1 -0
- data/lib/ronin/exploits/xss.rb +5 -4
- data/lib/ronin/exploits.rb +1 -0
- data/man/ronin-exploits-irb.1 +1 -1
- data/man/ronin-exploits-irb.1.md +1 -1
- data/man/ronin-exploits-list.1 +1 -1
- data/man/ronin-exploits-list.1.md +1 -1
- data/man/ronin-exploits-new.1 +1 -1
- data/man/ronin-exploits-new.1.md +2 -2
- data/man/ronin-exploits-run.1 +1 -1
- data/man/ronin-exploits-run.1.md +1 -1
- data/man/ronin-exploits-show.1 +1 -1
- data/man/ronin-exploits-show.1.md +1 -1
- data/man/ronin-exploits.1 +1 -1
- data/man/ronin-exploits.1.md +1 -1
- data/ronin-exploits.gemspec +4 -3
- metadata +21 -2
data/lib/ronin/exploits/lfi.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,17 +33,17 @@ module Ronin
|
|
|
32
33
|
# ## Example
|
|
33
34
|
#
|
|
34
35
|
# require 'ronin/exploits/lfi'
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# module Ronin
|
|
37
38
|
# module Exploits
|
|
38
39
|
# class MyExploit < LFI
|
|
39
|
-
#
|
|
40
|
+
#
|
|
40
41
|
# register 'my_exploit'
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# base_path '/path/to/page.php'
|
|
43
44
|
# query_param 'template'
|
|
44
45
|
# depth 7
|
|
45
|
-
#
|
|
46
|
+
#
|
|
46
47
|
# end
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
@@ -66,8 +67,7 @@ module Ronin
|
|
|
66
67
|
:base64,
|
|
67
68
|
:rot13,
|
|
68
69
|
:zlib
|
|
69
|
-
],
|
|
70
|
-
desc: 'Optional filter-bypass strategy to use'
|
|
70
|
+
], desc: 'Optional filter-bypass strategy to use'
|
|
71
71
|
|
|
72
72
|
#
|
|
73
73
|
# Gets or sets the directory traversal depth for the LFI vulnerability.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -81,7 +82,7 @@ module Ronin
|
|
|
81
82
|
case @format
|
|
82
83
|
when :json then JSON.pretty_generate(@contents)
|
|
83
84
|
when :yaml then YAML.dump(@contents)
|
|
84
|
-
when :csv
|
|
85
|
+
when :csv
|
|
85
86
|
CSV.generate do |csv|
|
|
86
87
|
@contents.each do |row|
|
|
87
88
|
csv << row
|
data/lib/ronin/exploits/loot.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's targeted architecture.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target Cookie param of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's default filename.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's default port.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target HTTP Header name of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -39,6 +40,9 @@ module Ronin
|
|
|
39
40
|
exploit.extend ClassMethods
|
|
40
41
|
end
|
|
41
42
|
|
|
43
|
+
#
|
|
44
|
+
# Class-methods.
|
|
45
|
+
#
|
|
42
46
|
module ClassMethods
|
|
43
47
|
#
|
|
44
48
|
# Gets or sets the exploit's targeted Operating System (OS).
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -28,13 +29,13 @@ module Ronin
|
|
|
28
29
|
# ### Example
|
|
29
30
|
#
|
|
30
31
|
# require 'ronin/exploits/metadata/shouts'
|
|
31
|
-
#
|
|
32
|
+
#
|
|
32
33
|
# class MyExploit < Exploit
|
|
33
|
-
#
|
|
34
|
+
#
|
|
34
35
|
# include Metadata::Shouts
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# shouts ['Ultra Laser', 'Dr.Doom']
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# end
|
|
39
40
|
#
|
|
40
41
|
module Shouts
|
|
@@ -50,6 +51,9 @@ module Ronin
|
|
|
50
51
|
base.extend ClassMethods
|
|
51
52
|
end
|
|
52
53
|
|
|
54
|
+
#
|
|
55
|
+
# Class-methods.
|
|
56
|
+
#
|
|
53
57
|
module ClassMethods
|
|
54
58
|
#
|
|
55
59
|
# Gets or sets the exploit's shouts.
|
|
@@ -69,13 +73,17 @@ module Ronin
|
|
|
69
73
|
#
|
|
70
74
|
def shouts(new_shouts=nil)
|
|
71
75
|
if new_shouts
|
|
72
|
-
@shouts =
|
|
76
|
+
@shouts = if superclass.kind_of?(ClassMethods)
|
|
77
|
+
superclass.shouts + new_shouts
|
|
78
|
+
else
|
|
79
|
+
new_shouts
|
|
80
|
+
end
|
|
73
81
|
else
|
|
74
82
|
@shouts || if superclass.kind_of?(ClassMethods)
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
83
|
+
superclass.shouts
|
|
84
|
+
else
|
|
85
|
+
[]
|
|
86
|
+
end
|
|
79
87
|
end
|
|
80
88
|
end
|
|
81
89
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target URL path of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target URL query param of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -37,13 +38,13 @@ module Ronin
|
|
|
37
38
|
#
|
|
38
39
|
# def build
|
|
39
40
|
# # ...
|
|
40
|
-
#
|
|
41
|
+
#
|
|
41
42
|
# build_file do |file|
|
|
42
43
|
# # ...
|
|
43
44
|
# file.write(buffer)
|
|
44
45
|
# # ...
|
|
45
46
|
# end
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# # ...
|
|
48
49
|
# end
|
|
49
50
|
#
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -56,7 +57,7 @@ module Ronin
|
|
|
56
57
|
|
|
57
58
|
buffer = String.new(encoding: Encoding::ASCII_8BIT)
|
|
58
59
|
buffer << pack(:machine_word,overwrite)
|
|
59
|
-
buffer << pack(:machine_word,overwrite + (machine_word.size
|
|
60
|
+
buffer << pack(:machine_word,overwrite + (machine_word.size / 2))
|
|
60
61
|
|
|
61
62
|
low_mask = 0xff
|
|
62
63
|
|
|
@@ -72,10 +73,10 @@ module Ronin
|
|
|
72
73
|
|
|
73
74
|
if low < high
|
|
74
75
|
low -= (machine_word.size * 2)
|
|
75
|
-
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,pop_length,high-low,pop_length+1)
|
|
76
|
+
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,pop_length,high - low,pop_length + 1)
|
|
76
77
|
else
|
|
77
78
|
high -= (machine_word.size * 2)
|
|
78
|
-
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,pop_length+1,low-high,pop_length)
|
|
79
|
+
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,pop_length + 1,low - high,pop_length)
|
|
79
80
|
end
|
|
80
81
|
|
|
81
82
|
buffer << payload.to_s
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,11 +33,11 @@ module Ronin
|
|
|
32
33
|
# module Ronin
|
|
33
34
|
# module Exploits
|
|
34
35
|
# class MyExploit < Exploit
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# include Mixins::HasPayload
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# payload_class Ronin::Payloads::JavaScriptPayload
|
|
39
|
-
#
|
|
40
|
+
#
|
|
40
41
|
# end
|
|
41
42
|
# end
|
|
42
43
|
# end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -24,6 +25,9 @@ require 'ronin/support/text/core_ext'
|
|
|
24
25
|
module Ronin
|
|
25
26
|
module Exploits
|
|
26
27
|
module Mixins
|
|
28
|
+
#
|
|
29
|
+
# Mixin which adds methods for building HTML.
|
|
30
|
+
#
|
|
27
31
|
module HTML
|
|
28
32
|
#
|
|
29
33
|
# Formats an HTML attribute name.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,6 +33,22 @@ module Ronin
|
|
|
32
33
|
# @since 1.0.0
|
|
33
34
|
#
|
|
34
35
|
module HTTP
|
|
36
|
+
# Possible values for the `user_agent` param.
|
|
37
|
+
#
|
|
38
|
+
# @api private
|
|
39
|
+
HTTP_USER_AGENT_ALIASES = [
|
|
40
|
+
:random,
|
|
41
|
+
:chrome,
|
|
42
|
+
:firefox,
|
|
43
|
+
:safari,
|
|
44
|
+
:linux,
|
|
45
|
+
:macos,
|
|
46
|
+
:windows,
|
|
47
|
+
:iphone,
|
|
48
|
+
:ipad,
|
|
49
|
+
:android
|
|
50
|
+
] + Support::Network::HTTP::UserAgents::ALIASES.keys
|
|
51
|
+
|
|
35
52
|
#
|
|
36
53
|
# Adds the required `base_url` params to the exploit class.
|
|
37
54
|
#
|
|
@@ -49,19 +66,7 @@ module Ronin
|
|
|
49
66
|
|
|
50
67
|
exploit.param :http_password, desc: 'The HTTP Basic-Auth password'
|
|
51
68
|
|
|
52
|
-
|
|
53
|
-
:random,
|
|
54
|
-
:chrome,
|
|
55
|
-
:firefox,
|
|
56
|
-
:safari,
|
|
57
|
-
:linux,
|
|
58
|
-
:macos,
|
|
59
|
-
:windows,
|
|
60
|
-
:iphone,
|
|
61
|
-
:ipad,
|
|
62
|
-
:android
|
|
63
|
-
] + Support::Network::HTTP::UserAgents::ALIASES.keys
|
|
64
|
-
exploit.param :user_agent, Core::Params::Types::Enum.new(user_agent_ids), desc: 'The HTTP User-Agent to select'
|
|
69
|
+
exploit.param :user_agent, Core::Params::Types::Enum.new(HTTP_USER_AGENT_ALIASES), desc: 'The HTTP User-Agent to select'
|
|
65
70
|
|
|
66
71
|
exploit.param :raw_user_agent, desc: 'The raw HTTP User-Agent string to use'
|
|
67
72
|
|
|
@@ -145,22 +150,22 @@ module Ronin
|
|
|
145
150
|
#
|
|
146
151
|
# @option kwargs [String, nil] :query
|
|
147
152
|
# The query-string to append to the request path.
|
|
148
|
-
#
|
|
153
|
+
#
|
|
149
154
|
# @option kwargs [Hash, nil] :query_params
|
|
150
155
|
# The query-params to append to the request path.
|
|
151
|
-
#
|
|
156
|
+
#
|
|
152
157
|
# @option kwargs [String, nil] :body
|
|
153
158
|
# The body of the request.
|
|
154
|
-
#
|
|
159
|
+
#
|
|
155
160
|
# @option kwargs [Hash, String, nil] :form_data
|
|
156
161
|
# The form data that may be sent in the body of the request.
|
|
157
|
-
#
|
|
162
|
+
#
|
|
158
163
|
# @option kwargs [String, nil] :user (http_user)
|
|
159
164
|
# The user to authenticate as.
|
|
160
|
-
#
|
|
165
|
+
#
|
|
161
166
|
# @option kwargs [String, nil] :password (http_password)
|
|
162
167
|
# The password to authenticate with.
|
|
163
|
-
#
|
|
168
|
+
#
|
|
164
169
|
# @option kwargs [Hash{Symbol,String => String}, nil] :headers
|
|
165
170
|
# Additional HTTP headers to use for the request.
|
|
166
171
|
#
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -31,7 +32,7 @@ module Ronin
|
|
|
31
32
|
# module Ronin
|
|
32
33
|
# module Exploits
|
|
33
34
|
# class MyExploit < Exploit
|
|
34
|
-
#
|
|
35
|
+
#
|
|
35
36
|
# include Mixins::Loot
|
|
36
37
|
#
|
|
37
38
|
# def launch
|
|
@@ -52,7 +53,7 @@ module Ronin
|
|
|
52
53
|
# # add CSV data
|
|
53
54
|
# loot.add('foo.csv', data, format: :csv)
|
|
54
55
|
# end
|
|
55
|
-
#
|
|
56
|
+
#
|
|
56
57
|
# end
|
|
57
58
|
# end
|
|
58
59
|
# end
|
|
@@ -45,10 +45,10 @@ module Ronin
|
|
|
45
45
|
#
|
|
46
46
|
# @api private
|
|
47
47
|
NOPS = {
|
|
48
|
-
x86: "\x90".b,
|
|
49
|
-
x86_64: "\x90".b,
|
|
50
|
-
arm: "\x05P\xa0\xe1".b,
|
|
51
|
-
arm64: "\xe5\x03\x05\xaa".b
|
|
48
|
+
x86: "\x90".b, # nop
|
|
49
|
+
x86_64: "\x90".b, # nop
|
|
50
|
+
arm: "\x05P\xa0\xe1".b, # mov r5, r5
|
|
51
|
+
arm64: "\xe5\x03\x05\xaa".b # mov x5, x5
|
|
52
52
|
# TODO: mips
|
|
53
53
|
# TODO: mips64
|
|
54
54
|
# TODO: ppc
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -129,7 +130,7 @@ module Ronin
|
|
|
129
130
|
# @example
|
|
130
131
|
# @socket = tcp_connect
|
|
131
132
|
# # => TCPSocket
|
|
132
|
-
#
|
|
133
|
+
#
|
|
133
134
|
# @example
|
|
134
135
|
# tcp_connect do |socket|
|
|
135
136
|
# socket.write("GET /\n\n")
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -102,7 +103,7 @@ module Ronin
|
|
|
102
103
|
# @example
|
|
103
104
|
# ebp = 0x06eb9090 # short jump 6 bytes
|
|
104
105
|
# eip = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
|
|
105
|
-
#
|
|
106
|
+
#
|
|
106
107
|
# buffer = buffer_overflow(length: 1024, nops: 16, payload: payload, bp: ebp, ip: eip)
|
|
107
108
|
#
|
|
108
109
|
def buffer_overflow(length: , nops: nil, payload: , bp: , ip: )
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -34,16 +35,16 @@ module Ronin
|
|
|
34
35
|
# ## Example
|
|
35
36
|
#
|
|
36
37
|
# require 'ronin/exploits/open_redirect'
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# module Ronin
|
|
39
40
|
# module Exploits
|
|
40
41
|
# class MyExploit < OpenRedirect
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# register 'my_exploit'
|
|
43
|
-
#
|
|
44
|
+
#
|
|
44
45
|
# base_path '/path/to/page.php'
|
|
45
46
|
# query_param 'url'
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
49
50
|
# end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -33,7 +34,7 @@ module Ronin
|
|
|
33
34
|
# Setting the default port value:
|
|
34
35
|
#
|
|
35
36
|
# include Params::Filename
|
|
36
|
-
#
|
|
37
|
+
#
|
|
37
38
|
# default_filename 'exploit.docx'
|
|
38
39
|
#
|
|
39
40
|
# @api public
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def self.included(exploit)
|
|
54
55
|
exploit.include Metadata::DefaultFilename
|
|
55
56
|
exploit.param :filename, String, required: true,
|
|
56
|
-
default: ->{ exploit.default_filename },
|
|
57
|
+
default: -> { exploit.default_filename },
|
|
57
58
|
desc: 'The filename for the exploit'
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -33,7 +34,7 @@ module Ronin
|
|
|
33
34
|
# Setting the default port value:
|
|
34
35
|
#
|
|
35
36
|
# include Params::Port
|
|
36
|
-
#
|
|
37
|
+
#
|
|
37
38
|
# default_port 143
|
|
38
39
|
#
|
|
39
40
|
# @api public
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def self.included(exploit)
|
|
54
55
|
exploit.include Metadata::DefaultPort
|
|
55
56
|
exploit.param :port, Integer, required: true,
|
|
56
|
-
default: ->{ exploit.default_port },
|
|
57
|
+
default: -> { exploit.default_port },
|
|
57
58
|
desc: 'Remote port to connect to'
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -22,6 +23,9 @@ require 'ronin/core/class_registry'
|
|
|
22
23
|
require 'ronin/repos/class_dir'
|
|
23
24
|
|
|
24
25
|
module Ronin
|
|
26
|
+
#
|
|
27
|
+
# Namespace for `ronin-exploits`.
|
|
28
|
+
#
|
|
25
29
|
module Exploits
|
|
26
30
|
include Core::ClassRegistry
|
|
27
31
|
include Repos::ClassDir
|
data/lib/ronin/exploits/rfi.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -34,16 +35,16 @@ module Ronin
|
|
|
34
35
|
# ## Example
|
|
35
36
|
#
|
|
36
37
|
# require 'ronin/exploits/rfi'
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# module Ronin
|
|
39
40
|
# module Exploits
|
|
40
41
|
# class MyExploit < RFI
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# register 'my_exploit'
|
|
43
|
-
#
|
|
44
|
+
#
|
|
44
45
|
# base_path '/path/to/page.php'
|
|
45
46
|
# query_param 'template'
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
49
50
|
# end
|
|
@@ -64,8 +65,10 @@ module Ronin
|
|
|
64
65
|
|
|
65
66
|
param :test_script_url, String, desc: 'The URL for the RFI test script'
|
|
66
67
|
|
|
67
|
-
param :filter_bypass, Enum[
|
|
68
|
-
|
|
68
|
+
param :filter_bypass, Enum[
|
|
69
|
+
:null_byte,
|
|
70
|
+
:double_encode
|
|
71
|
+
], desc: 'Optional filter bypass strategy'
|
|
69
72
|
|
|
70
73
|
#
|
|
71
74
|
# Returns the type or kind of exploit.
|
data/lib/ronin/exploits/root.rb
CHANGED