unisec 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d93010e590d0ae588dfb31364036652eb19d5ab17b504fbb851495a2ca71d18d
-  data.tar.gz: b76c392938f2c804626b81efa227aaf44a65abec7ac63558144644e851b8d475
+  metadata.gz: 207fef6efc641ecf3ba11879d368cd2c6ac54f4d7001d948428c32a67e992e05
+  data.tar.gz: bec8d1577d59b146747a1346794df62ea7928feb47ca3c64e669636f91cdb9fa
 SHA512:
-  metadata.gz: bde0eb13806b6e6ac2a12d8889c7ef236bdc923e334d59409257a95101d48702aefe10cf83b6a3a2c5bd5d12ebe0170f52cfcaff2cc9c2177db8c455f9a5c6b1
-  data.tar.gz: 3f3d376b4549b846fee8af810ed134aca724eb377853b64bbe3f75562a33f4b799f7808554ad73211a4158a93feb989e4fc7ecc511babf233f7a6ebf358a17fb
+  metadata.gz: cb406f1c0b27575d84b497d5cec9a994f05a33f816630ebacd5013594997394c5b5473575d1a241193bb1e586bd3a7510c80a7597d9995f35cbb0f5b09882987
+  data.tar.gz: 994e93feae65577b462e85ac3450dbb4d8a7f6160d00f4a19fe21bae518de85846a2e4cb71668b7fee0c5afb2ea39932831d2e333e802ab048b6dbd5bd653cc1

data/lib/unisec/bidi.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require 'unisec/utils'
+require 'ctf_party'
+
+module Unisec
+  # Manipulation of bidirectional related content
+  class Bidi
+    # Attack using BiDi code points like RtLO, for example, for spoofing a domain name or a file name
+    class Spoof
+      # The target string to spoof (eg. URL, domain or file name)
+      # @return [String] the target string
+      attr_reader :target_display
+
+      # Set a new target string to spoof
+      #
+      # It will automatically set `@spoof_string` and `@spoof_payload` as well.
+      # @param input [String] the target string
+      # @param opts [Hash] optional parameters, see {Spoof.bidi_affix}
+      # @return [String] the target string
+      def set_target_display(input, **opts)
+        @target_display = input
+        @spoof_string = reverse(**opts)
+        @spoof_payload = bidi_affix(**opts)
+        @target_display
+      end
+
+      # The string for the spoofing attack without the BiDi characters
+      # @return [String] the spoof string (without BiDi)
+      attr_reader :spoof_string
+
+      # The string for the spoofing attack with the BiDi characters. (Spoof payload = spoof string + BiDi)
+      # @return [String] the spoof string (with BiDi)
+      attr_reader :spoof_payload
+
+      # @param input [String] the target string
+      # @param opts [Hash] optional parameters, see {Spoof.bidi_affix}
+      # @example
+      #   bd = Unisec::Bidi::Spoof.new('https://moc.example.org//:sptth')
+      #   bd.target_display # => "https://moc.example.org//:sptth"
+      #   bd.spoof_string # => "https://gro.elpmaxe.com//:sptth"
+      #   bd.spoof_payload => "‮https://gro.elpmaxe.com//:sptth‬"
+      def initialize(input, **opts)
+        opts[:index] ||= opts[:infix_pos]
+
+        @target_display = input
+        @spoof_string = reverse(**opts)
+        @spoof_payload = bidi_affix(**opts)
+      end
+
+      # Reverse the (sub)-string (grapheme cluster aware)
+      # @param target [String] string to reverse
+      # @param opts [Hash] optional parameters
+      # @option opts [String] :index Index at which the revese starts (before this position will be left untouched)
+      # @return [String] the reversed string
+      # @example
+      #   Unisec::Bidi::Spoof.reverse('document_anntxt.exe', index: 12)
+      #   # => "document_annexe.txt"
+      #
+      #   Unisec::Bidi::Spoof.reverse("🇫🇷🐓")
+      #   # => "🐓🇫🇷"
+      def self.reverse(target, **opts)
+        opts[:index] ||= 0
+
+        target[0...opts[:index]] + Unisec::Utils::String.grapheme_reverse(target[opts[:index]..])
+      end
+
+      # Call {Spoof.reverse} with `@target_display` as default input (target).
+      def reverse(**opts)
+        Spoof.reverse(@target_display, **opts)
+      end
+
+      # Inject BiDi characters into the input string
+      # @param input [String] input string
+      # @param opts [Hash] optional parameters
+      # @option opts [String] :prefix Prefix Bidi. Default: RLO (U+202E).
+      # @option opts [String] :suffix Suffix Bidi. Default: PDF (U+202C).
+      # @option opts [String] :infix_bidi Bidi injected at a chosen position. Default: none (empty string).
+      # @option opts [String] :infix_pos Position (index) where to inject an extra BiDi. Default: 0.
+      # @return [String] spoof payload (input string with injected BiDi)
+      # @example
+      #   # By default inject a RLO prefix, a PDF suffix and no infix.
+      #   Unisec::Bidi::Spoof.bidi_affix('acceis')
+      #   # => "‮acceis‬"
+      #
+      #   # RLI ... PDI
+      #   Unisec::Bidi::Spoof.bidi_affix('acceis', prefix: "\u{2067}", suffix: "\u{2069}")
+      #   # => "⁧acceis⁩"
+      #
+      #   # RLE ... PDF
+      #   Unisec::Bidi::Spoof.bidi_affix('acceis', prefix: "\u{202B}", suffix: "\u{202C}")
+      #   # => "‫acceis‬"
+      #
+      #   # RLO ... PDF
+      #   Unisec::Bidi::Spoof.bidi_affix('https://moc.example.org//:sptth', prefix: "\u{202E}", suffix: "\u{202C}")
+      #   # => "‮https://moc.example.org//:sptth‬"
+      #
+      #   # FSI RLO ... PDF PDI
+      #   Unisec::Bidi::Spoof.bidi_affix('https://moc.example.org//:sptth', prefix: "\u{2068 202E}", suffix: "\u{202C 2069}")
+      #   # => "⁨‮https://moc.example.org//:sptth‬⁩"
+      #
+      #   # RLM ...
+      #   Unisec::Bidi::Spoof.bidi_affix('unicode', prefix: "\u{200F}", suffix: '')
+      #   # => "‏unicode"
+      #
+      #   # For file name spoofing, it is useful to be able to inject just a RLO before the fake extension
+      #   # so we can void the prefix and suffix and just set the position of an infix
+      #   ex = Unisec::Bidi::Spoof.bidi_affix('document_anntxt.exe', prefix: '', suffix: '', infix_bidi: "\u{202E}", infix_pos: 12)
+      #   # => "document_ann‮txt.exe"
+      #   puts ex
+      #   # document_ann‮txt.exe
+      def self.bidi_affix(input, **opts)
+        opts[:prefix] ||= "\u{202E}" # RLO
+        opts[:suffix] ||= "\u{202C}" # PDF
+        opts[:infix_bidi] ||= ''
+        opts[:infix_pos] ||= 0
+
+        out = "#{opts[:prefix]}#{input}#{opts[:suffix]}"
+        out.insert(opts[:infix_pos], opts[:infix_bidi])
+        out
+      end
+
+      # Call {Spoof.bidi_affix} with `@spoof_string` as input.
+      def bidi_affix(**opts)
+        Spoof.bidi_affix(@spoof_string, **opts)
+      end
+
+      # Display a CLI-friendly output summurizing the spoof payload
+      #
+      # The light version displays only the spoof payload for easy piping with other commands.
+      # @param light [Boolean] `true` = light display (displays only the spoof payload for easy piping with other commands), `false` (default) = full display.
+      # @example
+      #   puts Unisec::Bidi::Spoof.new('noraj').display
+      #   # Target string: noraj
+      #   # Spoof payload (display) ⚠: ‮jaron‬
+      #   # Spoof string 🛈: jaron
+      #   # Spoof payload (hex): e280ae6a61726f6ee280ac
+      #   # Spoof payload (hex, escaped): \xe2\x80\xae\x6a\x61\x72\x6f\x6e\xe2\x80\xac
+      #   # Spoof payload (base64): 4oCuamFyb27igKw=
+      #   # Spoof payload (urlencode): %E2%80%AEjaron%E2%80%AC
+      #   # Spoof payload (code points): U+202E U+006A U+0061 U+0072 U+006F U+006E U+202C
+      #   #
+      #   #
+      #   #
+      #   # ⚠: for the spoof payload to display correctly, be sure your VTE has RTL support, e.g. see https://wiki.archlinux.org/title/Bidirectional_text#Terminal.
+      #   # 🛈: Does not contain the BiDi character (e.g. RtLO).
+      #
+      #   puts Unisec::Bidi::Spoof.new('noraj').display(light: true)
+      #   # ‮jaron‬
+      def display(light: false)
+        if light == false # full display
+          "Target string: #{@target_display}\n" \
+            "Spoof payload (display) ⚠: #{@spoof_payload}\n" \
+            "Spoof string 🛈: #{@spoof_string}\n" \
+            "Spoof payload (hex): #{@spoof_payload.to_hex}\n" \
+            "Spoof payload (hex, escaped): #{@spoof_payload.to_hex(prefixall: '\\x')}\n" \
+            "Spoof payload (base64): #{@spoof_payload.to_b64}\n" \
+            "Spoof payload (urlencode): #{@spoof_payload.urlencode}\n" \
+            "Spoof payload (code points): #{Unisec::Properties.chars2codepoints(@spoof_payload)}\n" \
+            "\n\n\n" \
+            '⚠: for the spoof payload to display correctly, be sure your VTE has RTL support, ' \
+            "e.g. see https://wiki.archlinux.org/title/Bidirectional_text#Terminal.\n" \
+            '🛈: Does not contain the BiDi character (e.g. RtLO).'
+        else # light display
+          @spoof_payload
+        end
+      end
+    end
+  end
+end

data/lib/unisec/cli/bidi.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'dry/cli'
+require 'unisec'
+require 'unisec/utils'
+
+module Unisec
+  module CLI
+    module Commands
+      # CLI sub-commands `unisec bidi xxx` for the class {Unisec::Bidi} from the lib.
+      module Bidi
+        # Command `unisec bidi spoof`
+        #
+        # Example:
+        #
+        # ```plaintext
+        # $ unisec bidi spoof noraj
+        # Target string: noraj
+        # Spoof payload (display) ⚠: ‮jaron‬
+        # Spoof string 🛈: jaron
+        # Spoof payload (hex): e280ae6a61726f6ee280ac
+        # Spoof payload (hex, escaped): \xe2\x80\xae\x6a\x61\x72\x6f\x6e\xe2\x80\xac
+        # Spoof payload (base64): 4oCuamFyb27igKw=
+        # Spoof payload (urlencode): %E2%80%AEjaron%E2%80%AC
+        # Spoof payload (code points): U+202E U+006A U+0061 U+0072 U+006F U+006E U+202C
+        #
+        #
+        #
+        # ⚠: for the spoof payload to display correctly, be sure your VTE has RTL support, e.g. see https://wiki.archlinux.org/title/Bidirectional_text#Terminal.
+        # 🛈: Does not contain the BiDi character (e.g. RtLO).
+        #
+        # $ unisec bidi spoof 'document_annexe.txt' --prefix '' --suffix '' --infix-bidi $'\U202E' --infix-pos 12 --light=true
+        # document_ann‮txt.exe
+        # ```
+        class Spoof < Dry::CLI::Command
+          desc 'Craft a payload for BiDi attacks (for example, for spoofing a domain name or a file name)'
+
+          argument :input, required: true,
+                           desc: 'String input'
+          option :light, default: false, values: %w[true false],
+                         desc: 'true = light display (displays only the spoof payload for easy piping with other ' \
+                               'commands), false = full display'
+          option :prefix, default: nil, desc: 'Prefix Bidi. Default: RLO (U+202E).'
+          option :suffix, default: nil, desc: 'Suffix Bidi. Default: PDF (U+202C).'
+          option :infix_bidi, default: nil, desc: 'Bidi injected at a chosen position. Default: none (empty string).'
+          option :infix_pos, default: nil, desc: 'Spoof payload (input string with injected BiDi)'
+
+          # Craft a payload for BiDi attacks
+          # @param input [String] Input string to spoof
+          # @param options [Hash] optional parameters, see {Unisec::Bidi::Spoof.bidi_affix}
+          def call(input: nil, **options)
+            to_bool = ->(str) { ['true', true].include?(str) }
+            light = to_bool.call(options.fetch(:light))
+            infix_pos = options[:infix_pos].to_i unless options[:infix_pos].nil?
+            puts Unisec::Bidi::Spoof.new(input, prefix: options[:prefix], suffix: options[:suffix],
+                                                infix_bidi: options[:infix_bidi],
+                                                infix_pos: infix_pos).display(light: light)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/unisec/cli/cli.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'unisec/cli/bidi'
 require 'unisec/cli/confusables'
 require 'unisec/cli/hexdump'
 require 'unisec/cli/properties'
@@ -17,6 +18,7 @@ module Unisec
 
       # Mapping between the (sub-)commands as seen by the user
       # on the command-line interface and the CLI modules in the lib
+      register 'bidi spoof', Bidi::Spoof
       register 'confusables list', Confusables::List
       register 'confusables randomize', Confusables::Randomize
       register 'grep', Grep

data/lib/unisec/cli/hexdump.rb

@@ -22,12 +22,21 @@ module Unisec
         desc 'Hexdump in all Unicode encodings'
 
         argument :input, required: true,
-                         desc: 'String input'
+                         desc: 'String input. Read from STDIN if equal to -.'
+
+        option :enc, default: nil, values: %w[utf8 utf16be utf16le utf32be utf32le],
+                     desc: 'Output only in the specified encoding.'
 
         # Hexdump of all Unicode encodings.
         # @param input [String] Input string to encode
-        def call(input: nil, **)
-          puts Unisec::Hexdump.new(input).display
+        def call(input: nil, **options)
+          input = $stdin.read.chomp if input == '-'
+          if options[:enc].nil?
+            puts Unisec::Hexdump.new(input).display
+          else
+            # using send() is safe here thanks to the value whitelist
+            puts puts Unisec::Hexdump.send(options[:enc], input)
+          end
         end
       end
     end

data/lib/unisec/utils.rb

@@ -98,6 +98,16 @@ module Unisec
           :string
         end
       end
+
+      # Reverse a string by graphemes (not by code points)
+      # @return [String] the reversed string
+      # @example
+      #   b = "\u{1f1eb}\u{1f1f7}\u{1F413}" # => "🇫🇷🐓"
+      #   b.reverse # => "🐓🇷🇫"
+      #   Unisec::Utils::String.grapheme_reverse(b) # => "🐓🇫🇷"
+      def self.grapheme_reverse(str)
+        str.grapheme_clusters.reverse.join
+      end
     end
   end
 end

data/lib/unisec/version.rb

@@ -2,5 +2,5 @@
 
 module Unisec
   # Version of unisec library and app
-  VERSION = '0.0.3'
+  VERSION = '0.0.4'
 end

data/lib/unisec.rb

@@ -2,6 +2,7 @@
 
 require 'unisec/version'
 
+require 'unisec/bidi'
 require 'unisec/confusables'
 require 'unisec/hexdump'
 require 'unisec/properties'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unisec
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Alexandre ZANNI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-18 00:00:00.000000000 Z
+date: 2024-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ctf-party
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: dry-cli
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +99,8 @@ files:
 - bin/unisec
 - data/DerivedName.txt
 - lib/unisec.rb
+- lib/unisec/bidi.rb
+- lib/unisec/cli/bidi.rb
 - lib/unisec/cli/cli.rb
 - lib/unisec/cli/confusables.rb
 - lib/unisec/cli/hexdump.rb
@@ -145,7 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Unicode Security Toolkit