Class: OffensiveComputing::MalwareSearch

Inherits:
Object
Defined in:
lib/offensivecomputing/offensivecomputing.rb


@@baseurl =
"http://www.offensivecomputing.net"
@@user_agent =
"Ruby/#{RUBY_VERSION} offensivecomputing rubygem (https://github.com/chrislee35/offensivecomputing)"



Constructor Details

#initialize(username, password) ⇒ MalwareSearch

Returns a new instance of MalwareSearch.



# File 'lib/offensivecomputing/offensivecomputing.rb', line 11

# Logs in once and keeps the session cookie that the server hands back, so
# every later request made through this object is authenticated.
#
# The credentials go out as the form fields edit[name] / edit[pass] /
# edit[form_id]. Transport is whatever @@baseurl specifies – plain http as
# configured above – so the password is sent in cleartext.
#
# @param username [String] account name for the site
# @param password [String] account password
def initialize(username, password)
	@cookie = nil          # set by _request when a PHPSESSID cookie arrives
	@referer = @@baseurl   # sent as the Referer header on every request
	login_form = {
		'edit[name]'    => username,
		'edit[pass]'    => password,
		'edit[form_id]' => 'user_login_block'
	}
	# TODO: the response is discarded, so a rejected login is not detected here;
	# a caller can only notice it through #cookie staying nil.
	_post("?q=node&destination=node&op=Log+in", login_form)
end

Instance Attribute Details

Returns the value of attribute cookie.



# File 'lib/offensivecomputing/offensivecomputing.rb', line 10

# Session cookie captured from the most recent response that set one
# (the "PHPSESSID=..." token picked out by _request).
#
# @return [String, nil] nil before login or when the server never sent one
def cookie
  @cookie
end

Instance Method Details

#_get(path, params = nil) ⇒ Object



# File 'lib/offensivecomputing/offensivecomputing.rb', line 48

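# Issues a GET for path under @@baseurl, appending params as a query string.
#
# Any query already present in path is kept and the encoded params are
# appended after it. Encoding uses URI.encode_www_form – the same form
# encoding _post obtains from set_form_data – instead of the previous
# hand-rolled escaper, whose character class `[^ a-zA-Z0-9_.-=]` read `.-=`
# as a range and so left `/`, `:`, `;` and `<` unescaped while escaping `-`.
#
# @param path [String] path (and optional query) relative to the site root
# @param params [Hash, nil] extra query parameters; nil or empty adds nothing
# @return [String] response body, as returned by _request
def _get(path, params=nil)
	url = URI.parse "#{@@baseurl}/#{path}"
	query = [url.query]
	query << URI.encode_www_form(params) if params && !params.empty?
	query.compact!
	request_path = url.path
	# "?" is only appended when there is something to put after it
	request_path += "?#{query.join('&')}" unless query.empty?
	request = Net::HTTP::Get.new(request_path)
	_request(request, url)
end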

#_post(path, params = nil) ⇒ Object



# File 'lib/offensivecomputing/offensivecomputing.rb', line 36

# Issues a form POST to path under @@baseurl.
#
# The query part of path (if any) stays on the request line; params become
# the request body via Net::HTTP's set_form_data.
#
# @param path [String] path (and optional query) relative to the site root
# @param params [Hash, nil] form fields; nil sends no body
# @return [String] response body, as returned by _request
def _post(path, params=nil)
	url = URI.parse "#{@@baseurl}/#{path}"
	target = url.query ? "#{url.path}?#{url.query}" : url.path
	request = Net::HTTP::Post.new(target)
	request.set_form_data(params) if params
	_request(request, url)
end

#_request(request, url) ⇒ Object



# File 'lib/offensivecomputing/offensivecomputing.rb', line 20

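# Sends a prepared request to url, carrying the session cookie, and returns
# the response body.
#
# Everything – credentials included – travels over url's scheme; with the
# http @@baseurl that is cleartext. When the scheme is https the server
# certificate is now verified (VERIFY_PEER); the previous VERIFY_NONE
# accepted any certificate, which defeats TLS for a client that sends a
# password and a session cookie.
#
# The status code is not inspected: initialize relies on the cookie being
# captured from the login response whatever its status, so callers receive
# the body of error pages as well.
#
# @param request [Net::HTTPRequest] request with its path already set
# @param url [URI] parsed URL; only host, port and scheme are used here
# @return [String] response body
# @raise [OpenSSL::SSL::SSLError] when an https certificate fails verification
def _request(request, url)
	request.add_field("User-Agent", @@user_agent)
	request.add_field("Referer", @referer)
	request.add_field("Cookie", @cookie) if @cookie

	http = Net::HTTP.new(url.host, url.port)
	if url.scheme == 'https'
		http.use_ssl = true
		http.verify_mode = OpenSSL::SSL::VERIFY_PEER
		http.verify_depth = 5
	end
	resp = http.request(request)
	# Keep the last PHPSESSID token from any Set-Cookie header so later
	# requests stay logged in. As before, a Set-Cookie without that token
	# resets @cookie to nil.
	cookies = resp.get_fields("set-cookie")
	if cookies
		@cookie = cookies.flat_map { |c| c.split(/[,; ]+/) }.find_all { |x| x =~ /PHPSESSID/ }.last
	end
	resp.body
end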

#download(malwareresult, filename = nil) ⇒ Object



# File 'lib/offensivecomputing/offensivecomputing.rb', line 137

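# Fetches the sample behind a search result and optionally saves it to disk.
#
# @param malwareresult [#dlurl] result whose dlurl points at the sample;
#   anything without a dlurl method, or with a nil dlurl, is skipped
# @param filename [String, nil] where to store the raw bytes; nil keeps
#   them in memory only
# @return [String, nil] the raw response body, or nil when nothing was fetched
def download(malwareresult,filename=nil)
	return unless malwareresult.respond_to?(:dlurl) && malwareresult.dlurl
	doc = _get(malwareresult.dlurl)
	# The body is the sample itself, so it is written in binary mode: text
	# mode ('w') would apply newline translation on some platforms and could
	# alter the bytes that are later hashed or analysed.
	File.open(filename, 'wb') { |f| f.write(doc) } if filename
	doc
end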

#search(hash) ⇒ Object



# File 'lib/offensivecomputing/offensivecomputing.rb', line 70

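# Searches the site for a sample and parses the results page.
#
# @param hash [String] sent verbatim as the 'search' form field
# @return [Array<MalwareResult>] one record per "infected" token in the page,
#   in page order; empty when the content markers are missing
def search(hash)
	params = {'search'=>hash} # 'slowsearch'=>'on'
	body = _post('?q=ocsearch', params)
	# /m is required: the two markers sit on different lines and "." does
	# not cross newlines without it, which left the parser with no content.
	table = body[/<!-- begin content.*?<!-- end content -->/m]
	return [] unless table
	_parse_results(table)
end

# Walks the text of the content block as a small state machine and builds
# one MalwareResult per record.
#
# Tags are replaced by tab separators, tokens are trimmed and blank ones
# dropped (surrounding whitespace carries no meaning in the scraped text).
# Label tokens such as "MD5:" select the field the following tokens fill;
# "Add a tag:" leaves field mode; "Download Sample" consumes the next
# download link in page order; "infected" emits the record and starts a
# fresh one, so AV results and tags no longer leak into the next record.
# Hash fields are only accepted when the whole token is lowercase hex of the
# expected length; "Packer Signature:" values are stored like the other
# single-value fields.
#
# @param table [String] HTML between the content markers
# @return [Array<MalwareResult>]
def _parse_results(table)
	labels = {
		"MD5:" => :md5, "SHA1:" => :sha1, "SHA256:" => :sha256,
		"Original Submitted Filename:" => :filename, "Date Added:" => :added,
		"Magic File Type:" => :magic, "Packer Signature:" => :packer,
		"Anti-Virus Results:" => :avresults, "Tags:" => :tags
	}
	urls = table.scan(/download[^"]+/)
	tokens = table.gsub(/<.*?>/m, "\t").split(/\t/).map(&:strip).reject(&:empty?)
	records = []
	rec = {}
	field = nil
	avname = nil   # engine name waiting for its verdict under "Anti-Virus Results:"
	tokens.each do |item|
		if item == "infected"
			records << MalwareResult.new(rec[:md5], rec[:sha1], rec[:sha256], rec[:filename], rec[:added],
				rec[:magic], rec[:packer], rec[:avresults], rec[:tags], rec[:dlurl], self)
			rec = {}
			avname = nil
		elsif labels.key?(item)
			field = labels[item]
		elsif item == "Add a tag:"
			field = nil
		elsif item == "Download Sample"
			rec[:dlurl] = urls.shift
		else
			case field
			when :md5
				rec[field] = item if item =~ /\A[0-9a-f]{32}\z/
			when :sha1
				rec[field] = item if item =~ /\A[0-9a-f]{40}\z/
			when :sha256
				rec[field] = item if item =~ /\A[0-9a-f]{64}\z/
			when :filename, :magic, :packer
				rec[field] = item
			when :added
				# the page prints a date without zone; it is taken as UTC
				rec[field] = Time.parse("#{item} +0000").utc if item =~ /\A\d{4}-\d{2}-\d{2}/
			when :avresults
				rec[field] ||= []
				if avname
					rec[field] << AVResult.new(avname, item)
					avname = nil
				else
					avname = item
				end
			when :tags
				(rec[field] ||= []) << item
			end
		end
	end
	records
end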