ronin-exploits 1.0.4 → 1.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5cfd3c025753ca4049f2ec1f5a61aa9442e6fb39dab803aed575cfddcfadd0e8
-  data.tar.gz: 48651dbef77525c74e9fbcdea6a7688f4048e2be5ce696a1301b408fb8d30e2f
+  metadata.gz: f1903994a4e01a78bb334adf97253e14d28c9aa3b0a96b1f20b396b3aace75a0
+  data.tar.gz: c7b6722919a752899b73dac910bbae6f5562e6e0f533c3911a5ffe531e673bde
 SHA512:
-  metadata.gz: 3c048f3293d44ec2c8615d56ee8c3ab363aa0393fa3fe50dc35b83875ab289b86f55fa28501a127138ee8eca3bc5bce077debee6b0992154294bcfbe825da840
-  data.tar.gz: 76486d06cf34785a94b867ca79cde13fe79da7a26e71896388fc5cd8c46ff0968e4484e8da854d99a7c02c084cd7e3edcae67f7dffec5fb014023e8e593d2f4a
+  metadata.gz: 81747617a07cc5cd43618afed1f1e3f80526214f9630ebd8baf7063667e4323c02f25e9f24e2332060f7c6fd3ce1330258ccedb95a17fbdb2633d5d020441e36
+  data.tar.gz: 1e2144a69c774293648426c2e7b9bbfab62df5d43cd36b25564e9d972bb2dbd138845216814d19bd73360744ca66a0c6bcaddad4ae1d111af14b92c3070894d5

data/.github/workflows/ruby.yml

@@ -12,6 +12,7 @@ jobs:
           - '3.0'
           - '3.1'
           - '3.2'
+          - '3.3'
           - jruby
           - truffleruby
     name: Ruby ${{ matrix.ruby }}

data/.gitignore

@@ -1,4 +1,5 @@
 /coverage
+/data/completions/ronin-exploits
 /doc
 /man/*.[0-9]
 /pkg

data/ChangeLog.md

@@ -1,3 +1,40 @@
+### 1.1.0 / 2024-XX-XX
+
+* Added {Ronin::Exploits::CommandInjection}.
+* Allow `:untested` as a value for {Ronin::Exploits::Exploit.quality}.
+* Renamed the `raw_user_agent` param to `user_agent_string` in
+  {Ronin::Exploits::Mixins::HTTP}.
+
+#### CLI
+
+* Added the `-T,--test` option to `ronin-exploits run` which will only run the
+  exploits {Ronin::Exploits::Exploit#test test} method to determine if the
+  target is vulnerable or not.
+* Added the `ronin-exploits completion` command to install shell completion
+  files for all `ronin-exploits` commands for Bash and Zsh shells.
+* The `ronin-exploits show` command can now print an example
+  `ronin-exploits run` command for the given exploit.
+* Use hyphenated values for `ronin-exploits new` options.
+
+### 1.0.5 / 2024-06-19
+
+#### CLI
+
+* Correctly assign the `-d` short flag to `--debug` and the `-D` short flag to
+  `--dry-run` for the `ronin-exploits run` command.
+* Multiple bug fixes to the `ronin-exploits new` command:
+  * Create the parent directory of the new exploit file, if it already doesn't
+    exist, when running `ronin-exploits new path/to/new_exploit.rb`.
+  * Fixed a bug where `ronin-exploits new -t open_redirect` was not being
+    accepted as a valid exploit type.
+  * Fixed a bug in `ronin-explotis new` where `-t xss` and `-t ssti` were not
+    adding placeholder `base_path` and `query_param` metadata attributes to the
+    newly generated exploit file.
+  * Fixed a typo in the example `escape_expr` metadata attribute added by
+    `ronin-exploits new -t ssti`.
+  * Fixed a spelling mistake in the new exploit template used by the
+    `ronin-exploits new` command.
+
 ### 1.0.4 / 2023-12-23
 
 * Documentation fixes.

data/Gemfile

@@ -11,7 +11,7 @@ end
 # gem 'fake_io', '~> 0.1', github: 'postmodern/fake_io.rb',
 #                          branch: 'main'
 
-# gem 'command_kit', '~> 0.4', github: 'postmodern/command_kit.rb',
+# gem 'command_kit', '~> 0.5', github: 'postmodern/command_kit.rb',
 #                              branch: 'main'
 
 # Ronin dependencies
@@ -23,8 +23,8 @@ end
 #                                 branch: 'main'
 # gem 'ronin-post_ex',  '~> 0.1', github: 'ronin-rb/ronin-post_ex',
 #                                 branch: 'main'
-# gem 'ronin-core',     '~> 0.1', github: 'ronin-rb/ronin-core',
-#                                 branch: 'main'
+# gem 'ronin-core', '~> 0.2', github: 'ronin-rb/ronin-core',
+#                             branch: 'main'
 # gem 'ronin-repos',    '~> 0.1', github: 'ronin-rb/ronin-repos',
 #                                 branch: 'main'
 # gem 'ronin-code-asm', '~> 1.0', github: 'ronin-rb/ronin-code-asm',
@@ -40,7 +40,7 @@ group :development do
   gem 'simplecov',       '~> 0.20'
 
   gem 'kramdown',        '~> 2.0'
-  gem 'kramdown-man',    '~> 0.1'
+  gem 'kramdown-man',    '~> 1.0'
 
   gem 'redcarpet',       platform: :mri
   gem 'yard',            '~> 0.9'
@@ -51,4 +51,6 @@ group :development do
   gem 'stackprof',       require: false, platform: :mri
   gem 'rubocop',         require: false, platform: :mri
   gem 'rubocop-ronin',   '~> 0.2', require: false, platform: :mri
+
+  gem 'command_kit-completion', '~> 0.2', require: false
 end

data/README.md

@@ -35,6 +35,7 @@ research and development.
   * [SEH Overflows][docs-seh-overflow]
   * [Heap Overflows][docs-heap-overflow]
   * [Use After Free (UAF)][docs-use-after-free]
+  * [Command Injection][docs-command-injection]
   * [Open Redirect][docs-open-redirect]
   * [Local File Inclusions (LFI)][docs-lfi]
   * [Remote File Inclusions (RFI)][docs-rfi]
@@ -54,6 +55,7 @@ research and development.
 [docs-seh-overflow]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/SEHOverflow.html
 [docs-heap-overflow]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/HeapOverflow.html
 [docs-use-after-free]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/UseAfterFree.html
+[docs-command-injection]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/CommandInjection.html
 [docs-open-redirect]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/OpenRedirect.html
 [docs-lfi]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/LFI.html
 [docs-rfi]: https://ronin-rb.dev/docs/ronin-exploits/Ronin/Exploits/RFI.html
@@ -84,6 +86,7 @@ Arguments:
     [ARGS ...]                       Additional arguments for the command
 
 Commands:
+    completion
     help
     irb
     list, ls
@@ -95,7 +98,7 @@ Commands:
 Generate a new exploit file:
 
 ```shell
-$ ronin-exploits new example_exploit.rb --type stack_overflow \
+$ ronin-exploits new example_exploit.rb --type stack-overflow \
     --arch x86 --os linux --software ExampleWare --software-version 1.2.3 \
     --author Postmodern --author-email "postmodern.mod3@gmail.com" \
     --summary "Example exploit" --description "This is an example."
@@ -157,7 +160,7 @@ Generate a ronin repository of your own exploits (and/or payloads):
 $ ronin-repos new my-repo
 $ cd my-repo/
 $ mkdir exploits
-$ ronin-exploits new exploits/my_exploit.rb --type stack_overflow \
+$ ronin-exploits new exploits/my_exploit.rb --type stack-overflow \
     --arch x86 --os linux --software ExampleWare --software-version 1.2.3 \
     --author You --author-email "you@example.com" \
     --summary "My exploit" --description "This is my example."
@@ -283,6 +286,29 @@ module Ronin
 end
 ```
 
+Define a Command Injection exploit:
+
+```ruby
+require 'ronin/exploits/command_injection'
+require 'ronin/exploits/mixins/http'
+
+module Ronin
+  module Exploits
+    class MyExploit < CommandInjection
+
+      register 'my_exploit'
+
+      include Mixins::HTTP
+
+      def launch
+        http_post '/form.php', post_data: {var: "';#{payload}#"}
+      end
+
+    end
+  end
+end
+```
+
 Define an Open Redirect exploit:
 
 ```ruby
@@ -410,7 +436,7 @@ For real-world example ronin exploits, see the [example-exploits] repository.
 * [uri-query_params] ~> 0.6
 * [ronin-support] ~> 1.0
 * [ronin-code-sql] ~> 2.0
-* [ronin-core] ~> 0.1
+* [ronin-core] ~> 0.2
 * [ronin-repos] ~> 0.1
 * [ronin-payloads] ~> 0.1
 * [ronin-vulns] ~> 0.1
@@ -427,7 +453,7 @@ $ gem install ronin-exploits
 1. [Fork It!](https://github.com/ronin-rb/ronin-exploits/fork)
 2. Clone It!
 3. `cd ronin-exploits`
-4. `bundle install`
+4. `./scripts/setup`
 5. `git checkout -b my_feature`
 6. Code It!
 7. `bundle exec rake spec`
@@ -445,7 +471,7 @@ to be malicious software (malware) or malicious in nature.
 ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 payload crafting functionality.
 
-Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 ronin-exploits is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published
@@ -470,4 +496,4 @@ along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
 [ronin-repos]: https://github.com/ronin-rb/ronin-repos#readme
 [ronin-payloads]: https://github.com/ronin-rb/ronin-payloads#readme
 [ronin-post_ex]: https://github.com/ronin-rb/ronin-post_ex#readme
-[ronin-vulns]: https://github.com/ronin-rb/ronin-vulns#readme
+[ronin-vulns]: https://github.com/ronin-rb/ronin-vulns#readm

data/Rakefile

@@ -40,3 +40,13 @@ YARD::Rake::YardocTask.new
 
 require 'kramdown/man/task'
 Kramdown::Man::Task.new
+
+require 'command_kit/completion/task'
+CommandKit::Completion::Task.new(
+  class_file:  'ronin/exploits/cli',
+  class_name:  'Ronin::Exploits::CLI',
+  input_file:  'data/completions/ronin-exploits.yml',
+  output_file: 'data/completions/ronin-exploits'
+)
+
+task :setup => %w[man command_kit:completion]

data/data/completions/ronin-exploits

@@ -0,0 +1,111 @@
+# ronin-exploits completion                                -*- shell-script -*-
+
+# This bash completions script was generated by
+# completely (https://github.com/dannyben/completely)
+# Modifying it manually is not recommended
+
+_ronin-exploits_completions_filter() {
+  local words="$1"
+  local cur=${COMP_WORDS[COMP_CWORD]}
+  local result=()
+
+  if [[ "${cur:0:1}" == "-" ]]; then
+    echo "$words"
+  
+  else
+    for word in $words; do
+      [[ "${word:0:1}" != "-" ]] && result+=("$word")
+    done
+
+    echo "${result[*]}"
+
+  fi
+}
+
+_ronin-exploits_completions() {
+  local cur=${COMP_WORDS[COMP_CWORD]}
+  local compwords=("${COMP_WORDS[@]:1:$COMP_CWORD-1}")
+  local compline="${compwords[*]}"
+
+  case "$compline" in
+    'run'*'--payload-file')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'run'*'--read-payload')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'run'*'--encoder-file')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'run'*'--save-loot')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A directory -- "$cur" )
+      ;;
+
+    'run'*'--encoder')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "$(ronin-payloads encoders)")" -- "$cur" )
+      ;;
+
+    'run'*'--payload')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "$(ronin-payloads list)")" -- "$cur" )
+      ;;
+
+    'show'*'--file')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'completion'*)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "--print --install --uninstall")" -- "$cur" )
+      ;;
+
+    'run'*'--file')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'show'*'-f')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'run'*'-f')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -- "$cur" )
+      ;;
+
+    'run'*'-L')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A directory -- "$cur" )
+      ;;
+
+    'run'*'-E')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "$(ronin-payloads encoders)")" -- "$cur" )
+      ;;
+
+    'run'*'-P')
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "$(ronin-payloads list)")" -- "$cur" )
+      ;;
+
+    'show'*)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "--file -f --verbose -v $(ronin-exploits list)")" -- "$cur" )
+      ;;
+
+    'info'*)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "$(ronin-exploits list)")" -- "$cur" )
+      ;;
+
+    'new'*)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -A file -W "$(_ronin-exploits_completions_filter "--type -t --author -a --author-email -e --summary -S --description -D --advisory-id -I --reference -R --has-payload -P --networking -N --arch -A --os -O --os-version --software -S --software-version -V --loot -L")" -- "$cur" )
+      ;;
+
+    'run'*)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "--file -f --param -p --dry-run -D --test -T --payload-file --read-payload --payload-string --payload -P --payload-param --encoder-file --encoder -E --encoder-param --target -t --target-arch -A --target-os -O --target-os-version --target-software -S --target-version -V --save-loot -L --debug -d --irb $(ronin-exploits list)")" -- "$cur" )
+      ;;
+
+    *)
+      while read -r; do COMPREPLY+=( "$REPLY" ); done < <( compgen -W "$(_ronin-exploits_completions_filter "--version -V help completion irb list new run show ls info")" -- "$cur" )
+      ;;
+
+  esac
+} &&
+complete -F _ronin-exploits_completions ronin-exploits
+
+# ex: filetype=sh

data/data/completions/ronin-exploits.yml

@@ -0,0 +1,12 @@
+---
+ronin-exploits show: &show
+  - $(ronin-exploits list)
+ronin-exploits info: *show
+ronin-exploits run:
+  - $(ronin-exploits list)
+ronin-exploits run*--encoder: &run_encoder
+  - $(ronin-payloads encoders)
+ronin-exploits run*-E: *run_encoder
+ronin-exploits run*--payload: &run_payload
+  - $(ronin-payloads list)
+ronin-exploits run*-P: *run_payload

data/data/new/exploit.rb.erb

@@ -44,7 +44,7 @@ module Ronin
       advisory <%= advisory.inspect -%>
       <%-   end -%>
       <%- else -%>
-      # advisory 'CVE-YYYY-NNNN'
+      # advisory 'CVE-YYYY-XXXX'
       # advisory 'GHSA-XXXXXX'
       <%- end -%>
 
@@ -81,6 +81,8 @@ module Ronin
       <%- end -%>
       <%- if web_vuln_exploit? -%>
 
+      base_path '/FIXME'
+      query_param 'FIXME'
       <%- if @exploit_type[:class] == 'LFI' -%>
       # depth 7
       <%- elsif @exploit_type[:class] == 'SQLI' -%>
@@ -88,7 +90,7 @@ module Ronin
       # escape_parens true
       # terminate true
       <%- elsif @exploit_type[:class] == 'SSTI' -%>
-      # escape_expr ->(expr) { "{{${expr}}}" }
+      # escape_expr ->(expr) { "{{#{expr}}}" }
       <%- end -%>
       <%- else -%>
       <%- if @has_payload -%>
@@ -106,7 +108,7 @@ module Ronin
       <%- end -%>
 
       # #
-      # # Test whether the target systme is vulnerable.
+      # # Test whether the target system is vulnerable.
       # #
       # def test
       #   # return Vulnerable('host is vulnerable')

data/gemspec.yml

@@ -24,7 +24,9 @@ metadata:
   rubygems_mfa_required: 'true'
 
 generated_files:
+  - data/completions/ronin-exploits
   - man/ronin-exploits.1
+  - man/ronin-exploits-completion.1
   - man/ronin-exploits-irb.1
   - man/ronin-exploits-list.1
   - man/ronin-exploits-new.1
@@ -39,7 +41,7 @@ dependencies:
   ronin-payloads: ~> 0.1, >= 0.1.1
   ronin-vulns: ~> 0.1, >= 0.1.1
   ronin-post_ex: ~> 0.1
-  ronin-core: ~> 0.1
+  ronin-core: ~> 0.2.0.rc1
   ronin-repos: ~> 0.1
 
 development_dependencies:

data/lib/ronin/exploits/advisory.rb

@@ -3,7 +3,7 @@
 # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-exploits is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/exploits/cli/command.rb

@@ -3,7 +3,7 @@
 # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-exploits is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/exploits/cli/commands/completion.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+#
+# ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
+# payload crafting functionality.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-exploits is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-exploits is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-exploits.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/exploits/root'
+require 'ronin/core/cli/completion_command'
+
+module Ronin
+  module Exploits
+    class CLI
+      module Commands
+        #
+        # Manages the shell completion rules for `ronin-exploits`.
+        #
+        # ## Usage
+        #
+        #     ronin-exploits completion [options]
+        #
+        # ## Options
+        #
+        #         --print                      Prints the shell completion file
+        #         --install                    Installs the shell completion file
+        #         --uninstall                  Uninstalls the shell completion file
+        #     -h, --help                       Print help information
+        #
+        # ## Examples
+        #
+        #     ronin-exploits completion --print
+        #     ronin-exploits completion --install
+        #     ronin-exploits completion --uninstall
+        #
+        # @since 1.1.0
+        #
+        class Completion < Core::CLI::CompletionCommand
+
+          completion_file File.join(ROOT,'data','completions','ronin-exploits')
+
+          man_dir File.join(ROOT,'man')
+          man_page 'ronin-exploits-completion.1'
+
+          description 'Manages the shell completion rules for ronin-exploits'
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/exploits/cli/commands/irb.rb

@@ -3,7 +3,7 @@
 # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-exploits is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/exploits/cli/commands/list.rb

@@ -3,7 +3,7 @@
 # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-exploits is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/exploits/cli/commands/new.rb

@@ -3,7 +3,7 @@
 # ronin-exploits - A Ruby library for ronin-rb that provides exploitation and
 # payload crafting functionality.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-exploits is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -45,7 +45,7 @@ module Ronin
         #
         # ## Options
         #
-        #     -t exploit|heap_overflow|stack_overflow|web|open_redirect|lfi|rfi|sqli|ssti|xss,
+        #     -t exploit|heap-overflow|stack-overflow|command-injection|web|open-redirect|lfi|rfi|sqli|ssti|xss,
         #         --type                       The type for the new exploit
         #     -a, --author NAME                The name of the author
         #     -e, --author-email EMAIL         The email address of the author
@@ -84,31 +84,41 @@ module Ronin
               class: 'Exploit'
             },
 
-            heap_overflow: {
+            "heap-overflow": {
               file:  'heap_overflow',
               class: 'HeapOverflow'
             },
 
-            stack_overflow: {
+            "stack-overflow": {
               file:  'stack_overflow',
               class: 'StackOverflow'
             },
 
-            seh_overflow: {
+            "seh-overflow": {
               file:  'seh_overflow',
               class: 'SEHOverflow'
             },
 
-            user_after_free: {
+            "user-after-free": {
               file:  'use_after_free',
               class: 'UseAfterFree'
             },
 
+            "command-injection": {
+              file:  'command_injection',
+              class: 'CommandInjection'
+            },
+
             web: {
               file:  'web',
               class: 'Web'
             },
 
+            "open-redirect": {
+              file:  'open_redirect',
+              class: 'OpenRedirect'
+            },
+
             lfi: {
               file:  'lfi',
               class: 'LFI'
@@ -137,12 +147,12 @@ module Ronin
 
           # Mapping of network mixins and their file/module names.
           NETWORKING_TYPES = {
-            remote_tcp: {
+            "remote-tcp": {
               file:   'remote_tcp',
               module: 'RemoteTCP'
             },
 
-            remote_udp: {
+            "remote-udp": {
               file:   'remote_udp',
               module: 'RemoteUDP'
             },
@@ -283,9 +293,12 @@ module Ronin
           #   The path to the new exploit file.
           #
           def run(file)
+            @directory  = File.dirname(file)
             @file_name  = File.basename(file,File.extname(file))
             @class_name = CommandKit::Inflector.camelize(@file_name)
 
+            mkdir @directory unless @directory == '.'
+
             erb "exploit.rb.erb", file
             chmod '+x', file
           end
@@ -298,17 +311,13 @@ module Ronin
           # @return [String]
           #
           def format_kwargs(kwargs)
-            args = []
-
-            kwargs.each do |key,value|
-              args << "#{key}: #{value.inspect}"
-            end
-
-            return args.join(', ')
+            kwargs.map { |key,value|
+              "#{key}: #{value.inspect}"
+            }.join(', ')
           end
 
           # Web exploit class names.
-          WEB_VULN_EXPLOITS = %w[LFI RFI SQLI]
+          WEB_VULN_EXPLOITS = %w[OpenRedirect LFI RFI SQLI SSTI XSS]
 
           #
           # Determines if the exploit type is `stack_overflow`.