Class: Ronin::Exploits::Exploit

Inherits:

Object

• Object
• Ronin::Exploits::Exploit

Includes:

Cacheable, Model::HasDescription, Model::HasLicense, Model::HasName, Model::HasVersion, Parameters, Controls::Behaviors, Verifiers, Payloads::HasPayload, UI::Output::Helpers

Defined in:

lib/ronin/exploits/exploit.rb

Direct Known Subclasses

Local, Remote

Instance Attribute Summary

• #encoded_payload ⇒ Object readonly

  The encoded payload.

• #encoders ⇒ Object readonly

  Encoders to run on the payload.

• #raw_payload ⇒ Object

  The raw unencoded payload.

• #restricted_chars ⇒ Object readonly

  Characters to restrict.

• #target ⇒ Target

  The current target to use in exploitation.

Class Method Summary

• .targeting_arch(name) ⇒ Array<Exploit>

  Finds all exploits which target a given architecture.

• .targeting_os(name) ⇒ Array<Exploit>

  Finds all exploits which target a given OS.

• .targeting_product(name) ⇒ Array<Exploit>

  Finds all exploits which target a given product.

• .written_by(name) ⇒ Array<Exploit>

  Finds all exploits written by a specific author.

• .written_for(name) ⇒ Array<Exploit>

  Finds all exploits written for a specific organization.

Instance Method Summary

• #arch ⇒ Arch

  The current targeted architecture.

• #author(attributes = {}) {|author| ... } ⇒ Object

  Adds a new author to the exploit.

• #behaviors ⇒ Array<Symbol>

  Lists the behaviors controlled by the exploit and the payload, if one is being used.

• #build!(options = {}, &block) ⇒ Object

  Builds the exploit and checks for restricted characters or patterns.

• #build_payload!(options = {}) ⇒ String

  Builds the current payload, saving the result to the @raw_payload instance variable.

• #built? ⇒ Boolean

  Specifies whether the exploit is built.

• #deploy! {|exploit| ... } ⇒ Exploit

  Verifies then deploys the exploit.

• #deployed? ⇒ Boolean

  Specifies whether the exploit has previously been deployed.

• #encode_payload(encoder = nil) {|payload| ... } ⇒ Array

  Adds a new encoder to the list of encoders to use for encoding the payload.

• #encode_payload! ⇒ String

  Encodes the current payload and saves the result in the @encoded_payload instance variable.

• #exploit!(options = {}) {|exploit| ... } ⇒ Exploit

  Builds, verified and then deploys the exploit.

• #initialize(attributes = {}) { ... } ⇒ Exploit constructor

  Creates a new Exploit object.

• #inspect ⇒ String

  Inspects the contents of the exploit.

• #os ⇒ OS

  The current targeted OS.

• #payload=(new_payload) ⇒ Payload

  Associates a payload with the exploit, and the exploit with the payload.

• #product ⇒ Product

  The current targeted product.

• #restrict(*chars) ⇒ Array<String>

  Adds new characters to the list of restricted characters.

• #targeted_archs ⇒ Array<Arch>

  The targeted architectures.

• #targeted_oses ⇒ Array<OS>

  The targeted OSes.

• #targeted_products ⇒ Array<Product>

  The targeted Products.

• #targeting(attributes = {}) {|target| ... } ⇒ Object

  Adds a new target to the exploit.

• #to_s ⇒ String

  Converts the exploit to a String.

• #use_target!(index_or_query = 0) {|target| ... } ⇒ Object

  Selects a target to use in exploitation.

• #verify! ⇒ true

  Verifies the exploit is built, properly configured, built and ready deployment.

Methods included from Verifiers

#verify_arch!, #verify_os!, #verify_product!, #verify_restricted!, #verify_target!

Methods included from Controls::Behaviors

#control, #control_helper, #control_model, #load_original!

Methods included from Payloads::HasPayload

#payload, #use_payload!, #use_payload_class, #use_payload_from!

Constructor Details

#initialize(attributes = {}) { ... } ⇒ Exploit

Creates a new Exploit object.

Parameters:

• attributes (Hash) (defaults to: {}) —

  Additional attributes used to initialize the exploit’s model attributes and parameters.

Yields:

• If a block is given, it will be evaluated in the newly created Exploit object.

# File 'lib/ronin/exploits/exploit.rb', line 129

def initialize(attributes={},&block)
  super(attributes)

  initialize_params(attributes)

  @target = nil
  @built = false
  @deployed = false

  @restricted_chars = Chars::CharSet.new
  @encoders = []

  instance_eval(&block) if block
end

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(name, *arguments, &block) ⇒ Object (protected)

Relays method calls to the payload, if the payload is a kind of Ronin::Payloads::Payload.

Since:

• 0.3.0

# File 'lib/ronin/exploits/exploit.rb', line 781

def method_missing(name,*arguments,&block)
  if @payload.kind_of?(Ronin::Payloads::Payload)
    return @payload.send(name,*arguments,&block)
  end

  super(name,*arguments,&block)
end

Instance Attribute Details

#encoded_payload ⇒ Object (readonly)

The encoded payload

# File 'lib/ronin/exploits/exploit.rb', line 116

def encoded_payload
  @encoded_payload
end

#encoders ⇒ Object (readonly)

Encoders to run on the payload

# File 'lib/ronin/exploits/exploit.rb', line 110

def encoders
  @encoders
end

#raw_payload ⇒ Object

The raw unencoded payload

# File 'lib/ronin/exploits/exploit.rb', line 113

def raw_payload
  @raw_payload
end

#restricted_chars ⇒ Object (readonly)

Characters to restrict

# File 'lib/ronin/exploits/exploit.rb', line 107

def restricted_chars
  @restricted_chars
end

#target ⇒ Target

Returns The current target to use in exploitation.

Returns:

• (Target) —

  The current target to use in exploitation.

# File 'lib/ronin/exploits/exploit.rb', line 395

def target
  @target ||= self.targets.first
end

Class Method Details

.targeting_arch(name) ⇒ Array<Exploit>

Finds all exploits which target a given architecture.

Parameters:

• name (String, Symbol) —

  The name of the architecture.

Returns:

• (Array<Exploit>) —

  The exploits targeting the architecture.

# File 'lib/ronin/exploits/exploit.rb', line 179

def self.targeting_arch(name)
  all(self.targets.arch.name => name.to_s)
end

.targeting_os(name) ⇒ Array<Exploit>

Finds all exploits which target a given OS.

Parameters:

• name (String, Symbol) —

  The name of the OS.

Returns:

• (Array<Exploit>) —

  The exploits targeting the OS.

# File 'lib/ronin/exploits/exploit.rb', line 192

def self.targeting_os(name)
  all(self.targets.os.name => name.to_s)
end

.targeting_product(name) ⇒ Array<Exploit>

Finds all exploits which target a given product.

Parameters:

• name (String, Symbol) —

  The name of the product.

Returns:

• (Array<Exploit>) —

  The exploits targeting the product.

# File 'lib/ronin/exploits/exploit.rb', line 205

def self.targeting_product(name)
  all(self.targets.product.name => "%#{name}%")
end

.written_by(name) ⇒ Array<Exploit>

Finds all exploits written by a specific author.

Parameters:

• name (String) —

  The name of the author.

Returns:

• (Array<Exploit>) —

  The exploits written by the author.

# File 'lib/ronin/exploits/exploit.rb', line 153

def self.written_by(name)
  all(self.authors.name.like => "%#{name}%")
end

.written_for(name) ⇒ Array<Exploit>

Finds all exploits written for a specific organization.

Parameters:

• name (String) —

  The name of the organization.

Returns:

• (Array<Exploit>) —

  The exploits written for the organization.

# File 'lib/ronin/exploits/exploit.rb', line 166

def self.written_for(name)
  all(self.authors.organization.like => "%#{name}%")
end

Instance Method Details

#arch ⇒ Arch

Returns The current targeted architecture.

Returns:

• (Arch) —

  The current targeted architecture.

# File 'lib/ronin/exploits/exploit.rb', line 403

def arch
  target.arch if target
end

#author(attributes = {}) {|author| ... } ⇒ Object

Adds a new author to the exploit.

Examples:

author :name => 'Anonymous',
       :email => 'anon@example.com',
       :organization => 'Anonymous LLC'

Parameters:

• attributes (Hash) (defaults to: {}) —

  Additional attributes to create the ExploitAuthor object with.

Yields:

• (author) —

  If a block is given, it will be passed the newly created author object.

Yield Parameters:

• author (ExploitAuthor) —

  The author object tied to the exploit.

# File 'lib/ronin/exploits/exploit.rb', line 227

def author(attributes={},&block)
  self.authors << ExploitAuthor.new(attributes,&block)
end

#behaviors ⇒ Array<Symbol>

Lists the behaviors controlled by the exploit and the payload, if one is being used.

Returns:

• (Array<Symbol>) —

  The combined behaviors controlled by the exploit.

# File 'lib/ronin/exploits/exploit.rb', line 323

def behaviors
  total_behaviors = super

  if @payload
    total_behaviors = (total_behaviors + @payload.behaviors).uniq
  end

  return total_behaviors
end

#build!(options = {}, &block) ⇒ Object

Builds the exploit and checks for restricted characters or patterns.

Parameters:

• options (Hash) (defaults to: {}) —

  Additional options to also use as parameters.

# File 'lib/ronin/exploits/exploit.rb', line 533

def build!(options={},&block)
  self.params = options

  print_debug "Exploit parameters: #{self.params.inspect}"

  @built = false

  build_payload!(options)
  encode_payload!

  print_info "Building exploit ..."

  build
  
  print_info "Exploit built!"

  @built = true

  if block
    if block.arity == 1
      block.call(self)
    else
      block.call()
    end
  end

  return self
end

#build_payload!(options = {}) ⇒ String

Builds the current payload, saving the result to the @raw_payload instance variable.

Parameters:

• options (Hash) (defaults to: {}) —

  Additional options to build the paylod with.

Returns:

• (String) —

  The built payload.

See Also:

• Payload#build!

Since:

• 0.3.0

# File 'lib/ronin/exploits/exploit.rb', line 481

def build_payload!(options={})
  if @payload
    @raw_payload = ''

    @payload.build!(options)
    @raw_payload = @payload.raw_payload
  else
    @raw_payload ||= ''
  end

  return @raw_payload
end

#built? ⇒ Boolean

Returns Specifies whether the exploit is built.

Returns:

• (Boolean) —

  Specifies whether the exploit is built.

# File 'lib/ronin/exploits/exploit.rb', line 523

def built?
  @built == true
end

#deploy! {|exploit| ... } ⇒ Exploit

Verifies then deploys the exploit. If a payload has been set, the payload will also be deployed.

Yields:

• (exploit) —

  If a block is given, it will be passed the deployed exploit.

Yield Parameters:

• exploit (Exploit) —

  The deployed exploit.

Returns:

• (Exploit) —

  The deployed exploit.

Raises:

• (ExploitNotBuilt) —

  The exploit has not been built, and cannot be deployed.

# File 'lib/ronin/exploits/exploit.rb', line 609

def deploy!(&block)
  verify!

  print_info "Deploying exploit ..."
  @deployed = false

  deploy()

  print_info "Exploit deployed!"
  @deployed = true

  @payload.deploy!() if @payload

  if block
    if block.arity == 1
      block.call(self)
    else
      block.call()
    end
  end

  return self
end

#deployed? ⇒ Boolean

Returns Specifies whether the exploit has previously been deployed.

Returns:

• (Boolean) —

  Specifies whether the exploit has previously been deployed.

# File 'lib/ronin/exploits/exploit.rb', line 589

def deployed?
  @deployed == true
end

#encode_payload(encoder = nil) {|payload| ... } ⇒ Array

Adds a new encoder to the list of encoders to use for encoding the payload.

Examples:

exploit.encode_payload(some_encoder)

exploit.encode_payload do |payload|
  # ...
end

Parameters:

• encoder (#encode) (defaults to: nil) —

  The payload encoder object to use. Must provide an encode method.

Yields:

• (payload) —

  If a block is given, and an encoder object is not, the block will be used to encode the payload.

Yield Parameters:

• payload (String) —

  The payload to be encoded.

Returns:

• (Array) —

  The new list of encoders to use to encode the payload.

Raises:

• (RuntimeError) —

  The payload encoder object does not provide an encode method.

• (ArgumentError) —

  Either a payload encoder object or a block can be given.

# File 'lib/ronin/exploits/exploit.rb', line 302

def encode_payload(encoder=nil,&block)
  if encoder
    unless encoder.respond_to?(:encode)
      raise(RuntimeError,"The payload encoder must provide an encode method",caller)
    end

    @encoders << encoder
  elsif (encoder.nil? && block)
    @encoders << block
  else
    raise(ArgumentError,"either a payload encoder or a block can be given",caller)
  end
end

#encode_payload! ⇒ String

Encodes the current payload and saves the result in the @encoded_payload instance variable.

Returns:

• (String) —

  The encoded payload.

# File 'lib/ronin/exploits/exploit.rb', line 501

def encode_payload!
  @encoded_payload = @raw_payload.to_s

  @encoders.each do |encoder|
    print_debug "Encoding payload: #{@encoded_payload.dump}"

    new_payload = if encoder.respond_to?(:encode)
                    encoder.encode(@encoded_payload)
                  elsif encoder.respond_to?(:call)
                    encoder.call(@encoded_payload)
                  end

    @encoded_payload = (new_payload || @encoded_payload).to_s
  end

  return @encoded_payload
end

#exploit!(options = {}) {|exploit| ... } ⇒ Exploit

Builds, verified and then deploys the exploit.

Parameters:

• options (Hash) (defaults to: {}) —

  Additional options to build the exploit with.

Options Hash (options):

• :dry_run (Boolean) — default: false —

  Specifies whether to do a dry-run of the exploit, where the exploit will be built, verified but not deployed.

Yield Parameters:

• exploit (Exploit) —

  The deployed exploit.

Returns:

• (Exploit) —

  The deployed exploit.

• (Exploit) —

  The deployed exploit.

Since:

• 0.3.0

# File 'lib/ronin/exploits/exploit.rb', line 654

def exploit!(options={},&block)
  build!(options)

  unless options[:dry_run]
    deploy!(&block)
  end

  return self
end

#inspect ⇒ String

Inspects the contents of the exploit.

Returns:

• (String) —

  The inspected exploit.

# File 'lib/ronin/exploits/exploit.rb', line 686

def inspect
  str = "#{self.class}: #{self}"
  str << " #{self.params.inspect}" unless self.params.empty?

  return "#<#{str}>"
end

#os ⇒ OS

Returns The current targeted OS.

Returns:

• (OS) —

  The current targeted OS.

# File 'lib/ronin/exploits/exploit.rb', line 411

def os
  target.os if target
end

#payload=(new_payload) ⇒ Payload

Associates a payload with the exploit, and the exploit with the payload.

Parameters:

• new_payload (Payload) —

  The new payload to associate with the exploit.

Returns:

• (Payload) —

  The new payload.

Since:

• 0.3.0

# File 'lib/ronin/exploits/exploit.rb', line 435

def payload=(new_payload)
  if (@payload && new_payload.nil?)
    @payload.exploit = nil
  end

  super(new_payload)

  if @payload
    print_info "Using payload: #{new_payload}"

    @payload.exploit = self
  end

  return @payload
end

#product ⇒ Product

Returns The current targeted product.

Returns:

• (Product) —

  The current targeted product.

# File 'lib/ronin/exploits/exploit.rb', line 419

def product
  target.product if target
end

#restrict(*chars) ⇒ Array<String>

Adds new characters to the list of restricted characters.

Examples:

restrict 0x00, "\n"
# => #<Chars::CharSet: {"\0", "\n"}>

Parameters:

• chars (Array<String>) —

  The character to restrict.

Returns:

• (Array<String>) —

  The new list of restricted characters.

# File 'lib/ronin/exploits/exploit.rb', line 266

def restrict(*chars)
  @restricted_chars += chars
end

#targeted_archs ⇒ Array<Arch>

Returns The targeted architectures.

Returns:

• (Array<Arch>) —

  The targeted architectures.

# File 'lib/ronin/exploits/exploit.rb', line 337

def targeted_archs
  self.targets.map { |target| target.arch }.compact
end

#targeted_oses ⇒ Array<OS>

Returns The targeted OSes.

Returns:

• (Array<OS>) —

  The targeted OSes.

# File 'lib/ronin/exploits/exploit.rb', line 345

def targeted_oses
  self.targets.map { |target| target.os }.compact
end

#targeted_products ⇒ Array<Product>

Returns The targeted Products.

Returns:

• (Array<Product>) —

  The targeted Products.

# File 'lib/ronin/exploits/exploit.rb', line 353

def targeted_products
  self.targets.map { |target| target.product }.compact
end

#targeting(attributes = {}) {|target| ... } ⇒ Object

Adds a new target to the exploit.

Examples:

targeting do |target|
  target.arch :i686
  target.os :name => 'Linux'
end

Parameters:

• attributes (Hash) (defaults to: {}) —

  Additional attributes to create the target with.

Yields:

• (target) —

  If a block is given, it will be passed the newly created target.

Yield Parameters:

• target (Target) —

  The newly created target.

# File 'lib/ronin/exploits/exploit.rb', line 249

def targeting(attributes={},&block)
  self.targets << Target.new(attributes,&block)
end

#to_s ⇒ String

Converts the exploit to a String.

Returns:

• (String) —

  The name and version of the exploit.

# File 'lib/ronin/exploits/exploit.rb', line 670

def to_s
  if (self.name && self.version)
    "#{self.name} #{self.version}"
  elsif self.name
    self.name
  elsif self.version
    self.version
  end
end

#use_target!(index_or_query = 0) {|target| ... } ⇒ Object

Selects a target to use in exploitation.

Examples:

use_target!(2)

use_target!(Target.arch.name => 'i686')

use_target! { |target| target.arch == Arch.i686 }

Parameters:

• index_or_query (Integer, Hash) (defaults to: 0) —

  The index within #targets or a query to select the target.

Yields:

• (target) —

  If a block is given, it will be used to select the desired target from #targets.

Yield Parameters:

• target (Target) —

  The potential target to review.

Since:

• 0.3.0

# File 'lib/ronin/exploits/exploit.rb', line 381

def use_target!(index_or_query=0,&block)
  @target = if block
              self.targets.find(&block)
            elsif index_or_query.kind_of?(Hash)
              self.targets.first(index_or_query)
            elsif index_or_query.kind_of?(Integer)
              self.targets[index_or_query]
            end
end

#verify! ⇒ true

Verifies the exploit is built, properly configured, built and ready deployment.

Returns:

• (true) —

  The exploit is built and ready for deployment.

Raises:

• (ExploitNotBuilt) —

  The exploit has not been built, and cannot be deployed.

# File 'lib/ronin/exploits/exploit.rb', line 572

def verify!
  unless built?
    raise(ExploitNotBuilt,"cannot deploy an unbuilt exploit",caller)
  end

  print_info "Verifying exploit ..."

  verify

  print_info "Exploit verified!"
  return true
end