#!/usr/bin/env -S ronin-exploits run -f require 'ronin/exploits/<%= @exploit_type[:file] -%>' <%- if @networking_mixin -%> require 'ronin/exploits/mixins/<%= @networking_mixin[:file] -%>' <%- end -%> <%- if @target -%> require 'ronin/exploits/mixins/has_target' <%- end -%> <%- if @has_payload -%> require 'ronin/exploits/mixins/has_payload' require 'ronin/payloads/<%= @has_payload[:file] -%>' <%- end -%> <%- if @loot -%> require 'ronin/exploits/mixins/loot' <%- end -%> module Ronin module Exploits class <%= @class_name -%> < <%= @exploit_type[:class] %> <%- if @networking_mixin || @has_payload || @target -%> <%- if @networking_mixin -%> include Mixins::<%= @networking_mixin[:module] %> <%- end -%> <%- if @has_payload -%> include Mixins::HasPayload <%- end -%> <%- if @target -%> include Mixins::HasTargets <%- end -%> <%- end -%> <%- if @loot -%> include Mixins::Loot <%- end -%> register '<%= @file_name -%>' quality :poc # release_date 'YYYY-MM-DD' # disclosure_date 'YYYY-MM-DD' <%- unless @advisories.empty? -%> <%- @advisories.each do |advisory| -%> advisory '<%= advisory -%>' <%- end -%> <%- else -%> # advisory 'CVE-YYYY-NNNN' # advisory 'GHSA-XXXXXX' <%- end -%> <%- if @author_email -%> author '<%= @author_name %>', email: '<%= @author_email -%>' <%- else -%> author '<%= @author_name %>' <%- end -%> <%- if @summary -%> summary "<%= @summary %>" <%- else -%> # summary "FIX ME" <%- end -%> <%- if @description -%> description <<~DESC <%= @description %> DESC <%- else -%> # description <<~DESC # FIX ME # DESC <%- end -%> <%- unless @references.empty? -%> references [ <%- @references.each do |url| -%> <%= url.inspect -%><% if index < @references.length-1 %>,<% end %> <%- end -%> ] <%- else -%> # references [ # "https:/...", # "https:/..." # ] <%- end -%> <%- if web_vuln_exploit? -%> <%- if @exploit_type[:class] == 'LFI' -%> # depth 7 <%- elsif @exploit_type[:class] == 'SQLI' -%> # escape_quote true # escape_parens true # terminate true <%- elsif @exploit_type[:class] == 'SSTI' -%> # escape_expr ->(expr) { "{{${expr}}}" } <%- end -%> <%- else -%> <%- if @has_payload -%> payload_class Payloads::<%= @has_payload[:class] %> <%- end -%> <%- if @target -%> target <%= format_kwargs(@target) -%> # target arch: '...', os: '...', software_version: '...' do |t| # t.var1 = 'foo' # t.var2 = 0x1234 # end <%- end -%> # # # # Test whether the target systme is vulnerable. # # # def test # # return Vulnerable('host is vulnerable') # # return NotVulnerable('host is patched') # # return Unknown('host may or may not be vulnerable') # end def build <%- if stack_overflow_exploit? -%> bp = 0x11223344 ip = 0xAABBCCEE @buffer = buffer_overflow(length: 1024, nops: 16, payload: @payload, bp: bp, ip: ip) <%- elsif seh_overflow_exploit? -%> nseh = 0x11223344 seh = 0xAABBCCEE @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: @payload, nseh: nseh, seh: seh) <%- elsif @has_payload -%> @buffer = "EXPLOIT #{@payload}" <%- else -%> @buffer = "EXPLOIT" <%- end -%> end def launch <%- case @networking -%> <%- when :remote_tcp -%> @socket = tcp_connect @socket.write(@buffer) <%- when :remote_udp -%> @socket = udp_connect @socket.write(@buffer) <%- when :http -%> http_get(query_params: {'foo' => @buffer}) <%- end -%> end def cleanup <%- case @networking -%> <%- when :remote_tcp, :remote_udp -%> @socket.close <%- end -%> end <%- end -%> end end end