ronin-exploits 1.0.0 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ruby.yml +14 -0
- data/.rubocop.yml +61 -0
- data/ChangeLog.md +13 -2
- data/Gemfile +5 -1
- data/Rakefile +3 -1
- data/bin/ronin-exploits +6 -7
- data/gemspec.yml +3 -3
- data/lib/ronin/exploits/advisory.rb +1 -0
- data/lib/ronin/exploits/cli/command.rb +1 -0
- data/lib/ronin/exploits/cli/commands/irb.rb +1 -0
- data/lib/ronin/exploits/cli/commands/list.rb +1 -0
- data/lib/ronin/exploits/cli/commands/new.rb +12 -1
- data/lib/ronin/exploits/cli/commands/run.rb +40 -21
- data/lib/ronin/exploits/cli/commands/show.rb +11 -8
- data/lib/ronin/exploits/cli/exploit_command.rb +4 -0
- data/lib/ronin/exploits/cli/exploit_methods.rb +4 -0
- data/lib/ronin/exploits/cli/ruby_shell.rb +1 -0
- data/lib/ronin/exploits/cli.rb +1 -0
- data/lib/ronin/exploits/client_side_web_vuln.rb +1 -0
- data/lib/ronin/exploits/exceptions.rb +1 -0
- data/lib/ronin/exploits/exploit.rb +20 -16
- data/lib/ronin/exploits/heap_overflow.rb +1 -0
- data/lib/ronin/exploits/lfi.rb +6 -6
- data/lib/ronin/exploits/loot/file.rb +2 -1
- data/lib/ronin/exploits/loot.rb +1 -0
- data/lib/ronin/exploits/memory_corruption.rb +1 -0
- data/lib/ronin/exploits/metadata/arch.rb +4 -0
- data/lib/ronin/exploits/metadata/cookie_param.rb +4 -0
- data/lib/ronin/exploits/metadata/default_filename.rb +4 -0
- data/lib/ronin/exploits/metadata/default_port.rb +4 -0
- data/lib/ronin/exploits/metadata/header_name.rb +4 -0
- data/lib/ronin/exploits/metadata/os.rb +4 -0
- data/lib/ronin/exploits/metadata/shouts.rb +17 -9
- data/lib/ronin/exploits/metadata/url_path.rb +4 -0
- data/lib/ronin/exploits/metadata/url_query_param.rb +4 -0
- data/lib/ronin/exploits/mixins/binary.rb +1 -0
- data/lib/ronin/exploits/mixins/file_builder.rb +3 -2
- data/lib/ronin/exploits/mixins/format_string.rb +4 -3
- data/lib/ronin/exploits/mixins/has_payload.rb +4 -3
- data/lib/ronin/exploits/mixins/has_targets.rb +1 -0
- data/lib/ronin/exploits/mixins/html.rb +4 -0
- data/lib/ronin/exploits/mixins/http.rb +24 -19
- data/lib/ronin/exploits/mixins/loot.rb +3 -2
- data/lib/ronin/exploits/mixins/nops.rb +4 -4
- data/lib/ronin/exploits/mixins/remote_tcp.rb +2 -1
- data/lib/ronin/exploits/mixins/remote_udp.rb +1 -0
- data/lib/ronin/exploits/mixins/seh.rb +1 -0
- data/lib/ronin/exploits/mixins/stack_overflow.rb +2 -1
- data/lib/ronin/exploits/mixins/text.rb +1 -0
- data/lib/ronin/exploits/mixins.rb +1 -0
- data/lib/ronin/exploits/open_redirect.rb +5 -4
- data/lib/ronin/exploits/params/base_url.rb +1 -0
- data/lib/ronin/exploits/params/bind_host.rb +1 -0
- data/lib/ronin/exploits/params/bind_port.rb +1 -0
- data/lib/ronin/exploits/params/filename.rb +3 -2
- data/lib/ronin/exploits/params/host.rb +1 -0
- data/lib/ronin/exploits/params/port.rb +3 -2
- data/lib/ronin/exploits/registry.rb +4 -0
- data/lib/ronin/exploits/rfi.rb +9 -6
- data/lib/ronin/exploits/root.rb +1 -0
- data/lib/ronin/exploits/seh_overflow.rb +9 -8
- data/lib/ronin/exploits/sqli.rb +11 -10
- data/lib/ronin/exploits/ssti.rb +5 -4
- data/lib/ronin/exploits/stack_overflow.rb +9 -8
- data/lib/ronin/exploits/target.rb +1 -0
- data/lib/ronin/exploits/test_result.rb +2 -1
- data/lib/ronin/exploits/use_after_free.rb +1 -0
- data/lib/ronin/exploits/version.rb +2 -1
- data/lib/ronin/exploits/web.rb +1 -0
- data/lib/ronin/exploits/web_vuln.rb +1 -0
- data/lib/ronin/exploits/xss.rb +5 -4
- data/lib/ronin/exploits.rb +1 -0
- data/man/ronin-exploits-irb.1 +1 -1
- data/man/ronin-exploits-irb.1.md +1 -1
- data/man/ronin-exploits-list.1 +1 -1
- data/man/ronin-exploits-list.1.md +1 -1
- data/man/ronin-exploits-new.1 +1 -1
- data/man/ronin-exploits-new.1.md +2 -2
- data/man/ronin-exploits-run.1 +1 -1
- data/man/ronin-exploits-run.1.md +1 -1
- data/man/ronin-exploits-show.1 +1 -1
- data/man/ronin-exploits-show.1.md +1 -1
- data/man/ronin-exploits.1 +1 -1
- data/man/ronin-exploits.1.md +1 -1
- data/ronin-exploits.gemspec +4 -3
- metadata +21 -2
data/lib/ronin/exploits/lfi.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,17 +33,17 @@ module Ronin
|
|
|
32
33
|
# ## Example
|
|
33
34
|
#
|
|
34
35
|
# require 'ronin/exploits/lfi'
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# module Ronin
|
|
37
38
|
# module Exploits
|
|
38
39
|
# class MyExploit < LFI
|
|
39
|
-
#
|
|
40
|
+
#
|
|
40
41
|
# register 'my_exploit'
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# base_path '/path/to/page.php'
|
|
43
44
|
# query_param 'template'
|
|
44
45
|
# depth 7
|
|
45
|
-
#
|
|
46
|
+
#
|
|
46
47
|
# end
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
@@ -66,8 +67,7 @@ module Ronin
|
|
|
66
67
|
:base64,
|
|
67
68
|
:rot13,
|
|
68
69
|
:zlib
|
|
69
|
-
],
|
|
70
|
-
desc: 'Optional filter-bypass strategy to use'
|
|
70
|
+
], desc: 'Optional filter-bypass strategy to use'
|
|
71
71
|
|
|
72
72
|
#
|
|
73
73
|
# Gets or sets the directory traversal depth for the LFI vulnerability.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -81,7 +82,7 @@ module Ronin
|
|
|
81
82
|
case @format
|
|
82
83
|
when :json then JSON.pretty_generate(@contents)
|
|
83
84
|
when :yaml then YAML.dump(@contents)
|
|
84
|
-
when :csv
|
|
85
|
+
when :csv
|
|
85
86
|
CSV.generate do |csv|
|
|
86
87
|
@contents.each do |row|
|
|
87
88
|
csv << row
|
data/lib/ronin/exploits/loot.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's targeted architecture.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target Cookie param of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's default filename.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Gets or sets the exploit's default port.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target HTTP Header name of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -39,6 +40,9 @@ module Ronin
|
|
|
39
40
|
exploit.extend ClassMethods
|
|
40
41
|
end
|
|
41
42
|
|
|
43
|
+
#
|
|
44
|
+
# Class-methods.
|
|
45
|
+
#
|
|
42
46
|
module ClassMethods
|
|
43
47
|
#
|
|
44
48
|
# Gets or sets the exploit's targeted Operating System (OS).
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -28,13 +29,13 @@ module Ronin
|
|
|
28
29
|
# ### Example
|
|
29
30
|
#
|
|
30
31
|
# require 'ronin/exploits/metadata/shouts'
|
|
31
|
-
#
|
|
32
|
+
#
|
|
32
33
|
# class MyExploit < Exploit
|
|
33
|
-
#
|
|
34
|
+
#
|
|
34
35
|
# include Metadata::Shouts
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# shouts ['Ultra Laser', 'Dr.Doom']
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# end
|
|
39
40
|
#
|
|
40
41
|
module Shouts
|
|
@@ -50,6 +51,9 @@ module Ronin
|
|
|
50
51
|
base.extend ClassMethods
|
|
51
52
|
end
|
|
52
53
|
|
|
54
|
+
#
|
|
55
|
+
# Class-methods.
|
|
56
|
+
#
|
|
53
57
|
module ClassMethods
|
|
54
58
|
#
|
|
55
59
|
# Gets or sets the exploit's shouts.
|
|
@@ -69,13 +73,17 @@ module Ronin
|
|
|
69
73
|
#
|
|
70
74
|
def shouts(new_shouts=nil)
|
|
71
75
|
if new_shouts
|
|
72
|
-
@shouts =
|
|
76
|
+
@shouts = if superclass.kind_of?(ClassMethods)
|
|
77
|
+
superclass.shouts + new_shouts
|
|
78
|
+
else
|
|
79
|
+
new_shouts
|
|
80
|
+
end
|
|
73
81
|
else
|
|
74
82
|
@shouts || if superclass.kind_of?(ClassMethods)
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
83
|
+
superclass.shouts
|
|
84
|
+
else
|
|
85
|
+
[]
|
|
86
|
+
end
|
|
79
87
|
end
|
|
80
88
|
end
|
|
81
89
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target URL path of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -38,6 +39,9 @@ module Ronin
|
|
|
38
39
|
exploit.extend ClassMethods
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
#
|
|
43
|
+
# Class-methods.
|
|
44
|
+
#
|
|
41
45
|
module ClassMethods
|
|
42
46
|
#
|
|
43
47
|
# Get or sets the target URL query param of the exploit.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -37,13 +38,13 @@ module Ronin
|
|
|
37
38
|
#
|
|
38
39
|
# def build
|
|
39
40
|
# # ...
|
|
40
|
-
#
|
|
41
|
+
#
|
|
41
42
|
# build_file do |file|
|
|
42
43
|
# # ...
|
|
43
44
|
# file.write(buffer)
|
|
44
45
|
# # ...
|
|
45
46
|
# end
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# # ...
|
|
48
49
|
# end
|
|
49
50
|
#
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -56,7 +57,7 @@ module Ronin
|
|
|
56
57
|
|
|
57
58
|
buffer = String.new(encoding: Encoding::ASCII_8BIT)
|
|
58
59
|
buffer << pack(:machine_word,overwrite)
|
|
59
|
-
buffer << pack(:machine_word,overwrite + (machine_word.size
|
|
60
|
+
buffer << pack(:machine_word,overwrite + (machine_word.size / 2))
|
|
60
61
|
|
|
61
62
|
low_mask = 0xff
|
|
62
63
|
|
|
@@ -72,10 +73,10 @@ module Ronin
|
|
|
72
73
|
|
|
73
74
|
if low < high
|
|
74
75
|
low -= (machine_word.size * 2)
|
|
75
|
-
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,pop_length,high-low,pop_length+1)
|
|
76
|
+
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",low,pop_length,high - low,pop_length + 1)
|
|
76
77
|
else
|
|
77
78
|
high -= (machine_word.size * 2)
|
|
78
|
-
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,pop_length+1,low-high,pop_length)
|
|
79
|
+
buffer << format("%%.%ud%%%u$hn%%.%ud%%%u$hn",high,pop_length + 1,low - high,pop_length)
|
|
79
80
|
end
|
|
80
81
|
|
|
81
82
|
buffer << payload.to_s
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,11 +33,11 @@ module Ronin
|
|
|
32
33
|
# module Ronin
|
|
33
34
|
# module Exploits
|
|
34
35
|
# class MyExploit < Exploit
|
|
35
|
-
#
|
|
36
|
+
#
|
|
36
37
|
# include Mixins::HasPayload
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# payload_class Ronin::Payloads::JavaScriptPayload
|
|
39
|
-
#
|
|
40
|
+
#
|
|
40
41
|
# end
|
|
41
42
|
# end
|
|
42
43
|
# end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -24,6 +25,9 @@ require 'ronin/support/text/core_ext'
|
|
|
24
25
|
module Ronin
|
|
25
26
|
module Exploits
|
|
26
27
|
module Mixins
|
|
28
|
+
#
|
|
29
|
+
# Mixin which adds methods for building HTML.
|
|
30
|
+
#
|
|
27
31
|
module HTML
|
|
28
32
|
#
|
|
29
33
|
# Formats an HTML attribute name.
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -32,6 +33,22 @@ module Ronin
|
|
|
32
33
|
# @since 1.0.0
|
|
33
34
|
#
|
|
34
35
|
module HTTP
|
|
36
|
+
# Possible values for the `user_agent` param.
|
|
37
|
+
#
|
|
38
|
+
# @api private
|
|
39
|
+
HTTP_USER_AGENT_ALIASES = [
|
|
40
|
+
:random,
|
|
41
|
+
:chrome,
|
|
42
|
+
:firefox,
|
|
43
|
+
:safari,
|
|
44
|
+
:linux,
|
|
45
|
+
:macos,
|
|
46
|
+
:windows,
|
|
47
|
+
:iphone,
|
|
48
|
+
:ipad,
|
|
49
|
+
:android
|
|
50
|
+
] + Support::Network::HTTP::UserAgents::ALIASES.keys
|
|
51
|
+
|
|
35
52
|
#
|
|
36
53
|
# Adds the required `base_url` params to the exploit class.
|
|
37
54
|
#
|
|
@@ -49,19 +66,7 @@ module Ronin
|
|
|
49
66
|
|
|
50
67
|
exploit.param :http_password, desc: 'The HTTP Basic-Auth password'
|
|
51
68
|
|
|
52
|
-
|
|
53
|
-
:random,
|
|
54
|
-
:chrome,
|
|
55
|
-
:firefox,
|
|
56
|
-
:safari,
|
|
57
|
-
:linux,
|
|
58
|
-
:macos,
|
|
59
|
-
:windows,
|
|
60
|
-
:iphone,
|
|
61
|
-
:ipad,
|
|
62
|
-
:android
|
|
63
|
-
] + Support::Network::HTTP::UserAgents::ALIASES.keys
|
|
64
|
-
exploit.param :user_agent, Core::Params::Types::Enum.new(user_agent_ids), desc: 'The HTTP User-Agent to select'
|
|
69
|
+
exploit.param :user_agent, Core::Params::Types::Enum.new(HTTP_USER_AGENT_ALIASES), desc: 'The HTTP User-Agent to select'
|
|
65
70
|
|
|
66
71
|
exploit.param :raw_user_agent, desc: 'The raw HTTP User-Agent string to use'
|
|
67
72
|
|
|
@@ -145,22 +150,22 @@ module Ronin
|
|
|
145
150
|
#
|
|
146
151
|
# @option kwargs [String, nil] :query
|
|
147
152
|
# The query-string to append to the request path.
|
|
148
|
-
#
|
|
153
|
+
#
|
|
149
154
|
# @option kwargs [Hash, nil] :query_params
|
|
150
155
|
# The query-params to append to the request path.
|
|
151
|
-
#
|
|
156
|
+
#
|
|
152
157
|
# @option kwargs [String, nil] :body
|
|
153
158
|
# The body of the request.
|
|
154
|
-
#
|
|
159
|
+
#
|
|
155
160
|
# @option kwargs [Hash, String, nil] :form_data
|
|
156
161
|
# The form data that may be sent in the body of the request.
|
|
157
|
-
#
|
|
162
|
+
#
|
|
158
163
|
# @option kwargs [String, nil] :user (http_user)
|
|
159
164
|
# The user to authenticate as.
|
|
160
|
-
#
|
|
165
|
+
#
|
|
161
166
|
# @option kwargs [String, nil] :password (http_password)
|
|
162
167
|
# The password to authenticate with.
|
|
163
|
-
#
|
|
168
|
+
#
|
|
164
169
|
# @option kwargs [Hash{Symbol,String => String}, nil] :headers
|
|
165
170
|
# Additional HTTP headers to use for the request.
|
|
166
171
|
#
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -31,7 +32,7 @@ module Ronin
|
|
|
31
32
|
# module Ronin
|
|
32
33
|
# module Exploits
|
|
33
34
|
# class MyExploit < Exploit
|
|
34
|
-
#
|
|
35
|
+
#
|
|
35
36
|
# include Mixins::Loot
|
|
36
37
|
#
|
|
37
38
|
# def launch
|
|
@@ -52,7 +53,7 @@ module Ronin
|
|
|
52
53
|
# # add CSV data
|
|
53
54
|
# loot.add('foo.csv', data, format: :csv)
|
|
54
55
|
# end
|
|
55
|
-
#
|
|
56
|
+
#
|
|
56
57
|
# end
|
|
57
58
|
# end
|
|
58
59
|
# end
|
|
@@ -45,10 +45,10 @@ module Ronin
|
|
|
45
45
|
#
|
|
46
46
|
# @api private
|
|
47
47
|
NOPS = {
|
|
48
|
-
x86: "\x90".b,
|
|
49
|
-
x86_64: "\x90".b,
|
|
50
|
-
arm: "\x05P\xa0\xe1".b,
|
|
51
|
-
arm64: "\xe5\x03\x05\xaa".b
|
|
48
|
+
x86: "\x90".b, # nop
|
|
49
|
+
x86_64: "\x90".b, # nop
|
|
50
|
+
arm: "\x05P\xa0\xe1".b, # mov r5, r5
|
|
51
|
+
arm64: "\xe5\x03\x05\xaa".b # mov x5, x5
|
|
52
52
|
# TODO: mips
|
|
53
53
|
# TODO: mips64
|
|
54
54
|
# TODO: ppc
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -129,7 +130,7 @@ module Ronin
|
|
|
129
130
|
# @example
|
|
130
131
|
# @socket = tcp_connect
|
|
131
132
|
# # => TCPSocket
|
|
132
|
-
#
|
|
133
|
+
#
|
|
133
134
|
# @example
|
|
134
135
|
# tcp_connect do |socket|
|
|
135
136
|
# socket.write("GET /\n\n")
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -102,7 +103,7 @@ module Ronin
|
|
|
102
103
|
# @example
|
|
103
104
|
# ebp = 0x06eb9090 # short jump 6 bytes
|
|
104
105
|
# eip = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL
|
|
105
|
-
#
|
|
106
|
+
#
|
|
106
107
|
# buffer = buffer_overflow(length: 1024, nops: 16, payload: payload, bp: ebp, ip: eip)
|
|
107
108
|
#
|
|
108
109
|
def buffer_overflow(length: , nops: nil, payload: , bp: , ip: )
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -34,16 +35,16 @@ module Ronin
|
|
|
34
35
|
# ## Example
|
|
35
36
|
#
|
|
36
37
|
# require 'ronin/exploits/open_redirect'
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# module Ronin
|
|
39
40
|
# module Exploits
|
|
40
41
|
# class MyExploit < OpenRedirect
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# register 'my_exploit'
|
|
43
|
-
#
|
|
44
|
+
#
|
|
44
45
|
# base_path '/path/to/page.php'
|
|
45
46
|
# query_param 'url'
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
49
50
|
# end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -33,7 +34,7 @@ module Ronin
|
|
|
33
34
|
# Setting the default port value:
|
|
34
35
|
#
|
|
35
36
|
# include Params::Filename
|
|
36
|
-
#
|
|
37
|
+
#
|
|
37
38
|
# default_filename 'exploit.docx'
|
|
38
39
|
#
|
|
39
40
|
# @api public
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def self.included(exploit)
|
|
54
55
|
exploit.include Metadata::DefaultFilename
|
|
55
56
|
exploit.param :filename, String, required: true,
|
|
56
|
-
default: ->{ exploit.default_filename },
|
|
57
|
+
default: -> { exploit.default_filename },
|
|
57
58
|
desc: 'The filename for the exploit'
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -33,7 +34,7 @@ module Ronin
|
|
|
33
34
|
# Setting the default port value:
|
|
34
35
|
#
|
|
35
36
|
# include Params::Port
|
|
36
|
-
#
|
|
37
|
+
#
|
|
37
38
|
# default_port 143
|
|
38
39
|
#
|
|
39
40
|
# @api public
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def self.included(exploit)
|
|
54
55
|
exploit.include Metadata::DefaultPort
|
|
55
56
|
exploit.param :port, Integer, required: true,
|
|
56
|
-
default: ->{ exploit.default_port },
|
|
57
|
+
default: -> { exploit.default_port },
|
|
57
58
|
desc: 'Remote port to connect to'
|
|
58
59
|
end
|
|
59
60
|
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -22,6 +23,9 @@ require 'ronin/core/class_registry'
|
|
|
22
23
|
require 'ronin/repos/class_dir'
|
|
23
24
|
|
|
24
25
|
module Ronin
|
|
26
|
+
#
|
|
27
|
+
# Namespace for `ronin-exploits`.
|
|
28
|
+
#
|
|
25
29
|
module Exploits
|
|
26
30
|
include Core::ClassRegistry
|
|
27
31
|
include Repos::ClassDir
|
data/lib/ronin/exploits/rfi.rb
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
1
2
|
#
|
|
2
3
|
# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
|
|
3
4
|
# payload crafting functionality.
|
|
@@ -34,16 +35,16 @@ module Ronin
|
|
|
34
35
|
# ## Example
|
|
35
36
|
#
|
|
36
37
|
# require 'ronin/exploits/rfi'
|
|
37
|
-
#
|
|
38
|
+
#
|
|
38
39
|
# module Ronin
|
|
39
40
|
# module Exploits
|
|
40
41
|
# class MyExploit < RFI
|
|
41
|
-
#
|
|
42
|
+
#
|
|
42
43
|
# register 'my_exploit'
|
|
43
|
-
#
|
|
44
|
+
#
|
|
44
45
|
# base_path '/path/to/page.php'
|
|
45
46
|
# query_param 'template'
|
|
46
|
-
#
|
|
47
|
+
#
|
|
47
48
|
# end
|
|
48
49
|
# end
|
|
49
50
|
# end
|
|
@@ -64,8 +65,10 @@ module Ronin
|
|
|
64
65
|
|
|
65
66
|
param :test_script_url, String, desc: 'The URL for the RFI test script'
|
|
66
67
|
|
|
67
|
-
param :filter_bypass, Enum[
|
|
68
|
-
|
|
68
|
+
param :filter_bypass, Enum[
|
|
69
|
+
:null_byte,
|
|
70
|
+
:double_encode
|
|
71
|
+
], desc: 'Optional filter bypass strategy'
|
|
69
72
|
|
|
70
73
|
#
|
|
71
74
|
# Returns the type or kind of exploit.
|
data/lib/ronin/exploits/root.rb
CHANGED