data/new/exploit.rb.erb
#!/usr/bin/env -S ronin-exploits run -f
<%# Requires for the generated exploit file. The base exploit class is always
    loaded; each mixin require below is emitted only when the generator enabled
    the matching feature, and must stay in step with the include lines in the
    class body further down. @exploit_type, @networking_mixin and @has_payload
    are assumed to be hashes carrying a :file key (plus :class / :module keys
    used by the class body); @target and @loot are treated as plain flags. -%>
require 'ronin/exploits/<%= @exploit_type[:file] -%>'
<%- if @networking_mixin -%>
require 'ronin/exploits/mixins/<%= @networking_mixin[:file] -%>'
<%- end -%>
<%- if @target -%>
require 'ronin/exploits/mixins/has_targets'
<%- end -%>
<%- if @has_payload -%>
require 'ronin/exploits/mixins/has_payload'
require 'ronin/payloads/<%= @has_payload[:file] -%>'
<%- end -%>
<%- if @loot -%>
require 'ronin/exploits/mixins/loot'
<%- end -%>
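<%# Body of the generated exploit: the exploit class and its metadata DSL.
    Ruby lines are indented as they should appear in the output; the template
    control tags are trimmed and emit nothing. The generator supplies every
    instance variable and helper used below (web_vuln_exploit?,
    stack_overflow_exploit?, seh_overflow_exploit?, format_kwargs).
    Values are interpolated without escaping: @class_name and @file_name are
    assumed to be valid Ruby constant / path text, and @description must not
    contain a line consisting only of DESC -- presumably enforced by the
    generator command; confirm there.
    Template fixes relative to the previous revision: the advisory and target
    lines end their output tag without the trailing dash, since the dashed
    form swallows the following newline and ran the next statement onto the
    same line; the references loop uses each_with_index so that the index
    consulted for the trailing comma is actually defined. -%>
module Ronin
  module Exploits
    class <%= @class_name -%> < <%= @exploit_type[:class] %>

<%# Optional mixins, mirrored by the requires at the top of the template. -%>
<%- if @networking_mixin || @has_payload || @target -%>
<%-   if @networking_mixin -%>
      include Mixins::<%= @networking_mixin[:module] %>
<%-   end -%>
<%-   if @has_payload -%>
      include Mixins::HasPayload
<%-   end -%>
<%-   if @target -%>
      include Mixins::HasTargets
<%-   end -%>

<%- end -%>
<%- if @loot -%>
      include Mixins::Loot

<%- end -%>
      register '<%= @file_name -%>'

<%# Metadata. New exploits start at :poc quality; release / disclosure dates
    and, when none were given, advisories and references are left as commented
    placeholders for the author to fill in. -%>
      quality :poc
      # release_date 'YYYY-MM-DD'
      # disclosure_date 'YYYY-MM-DD'
<%- unless @advisories.empty? -%>
<%-   @advisories.each do |advisory| -%>
      advisory <%= advisory.inspect %>
<%-   end -%>
<%- else -%>
      # advisory 'CVE-YYYY-XXXX'
      # advisory 'GHSA-XXXXXX'
<%- end -%>

<%- if @author_email -%>
      author <%= @author_name.inspect %>, email: <%= @author_email.inspect %>
<%- else -%>
      author <%= @author_name.inspect %>
<%- end -%>
<%- if @summary -%>
      summary <%= @summary.inspect %>
<%- else -%>
      summary "FIX ME"
<%- end -%>
<%- if @description -%>
      description <<~DESC
        <%= @description %>
      DESC
<%- else -%>
      description <<~DESC
        FIX ME
      DESC
<%- end -%>

<%# Each URL is quoted with inspect; the index is needed to omit the comma
    after the last entry. -%>
<%- unless @references.empty? -%>
      references [
<%-   @references.each_with_index do |url, index| -%>
        <%= url.inspect -%><% if index < @references.length-1 %>,<% end %>
<%-   end -%>
      ]
<%- else -%>
      # references [
      #   "https://...",
      #   "https://..."
      # ]
<%- end -%>

<%# Web vulnerability exploits get type-specific tuning knobs as commented
    examples and no build/launch/cleanup skeleton; every other exploit type
    gets the payload / target declarations and the three lifecycle methods. -%>
<%- if web_vuln_exploit? -%>
<%-   if @exploit_type[:class] == 'LFI' -%>
      # depth 7
<%-   elsif @exploit_type[:class] == 'SQLI' -%>
      # escape_quote true
      # escape_parens true
      # terminate true
<%-   elsif @exploit_type[:class] == 'SSTI' -%>
      # escape_expr ->(expr) { "{{#{expr}}}" }
<%-   end -%>
<%- else -%>
<%-   if @has_payload -%>
      payload_class Payloads::<%= @has_payload[:class] %>

<%-   end -%>
<%-   if @target -%>
      target <%= format_kwargs(@target) %>
      # target arch: '...', os: '...', software_version: '...' do |t|
      #   t.var1 = 'foo'
      #   t.var2 = 0x1234
      # end

<%-   end -%>
      # #
      # # Test whether the target system is vulnerable.
      # #
      # def test
      #   # return Vulnerable('host is vulnerable')
      #   # return NotVulnerable('host is patched')
      #   # return Unknown('host may or may not be vulnerable')
      # end

<%# build: the overflow helpers receive placeholder saved-frame / return
    addresses that the author must replace; otherwise the buffer is just a
    marker string with the payload appended when one is configured. -%>
      def build
<%-   if stack_overflow_exploit? -%>
        bp = 0x11223344
        ip = 0xAABBCCEE

        @buffer = buffer_overflow(length: 1024, nops: 16, payload: @payload, bp: bp, ip: ip)
<%-   elsif seh_overflow_exploit? -%>
        nseh = 0x11223344
        seh  = 0xAABBCCEE

        @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: @payload, nseh: nseh, seh: seh)
<%-   elsif @has_payload -%>
        @buffer = "EXPLOIT #{@payload}"
<%-   else -%>
        @buffer = "EXPLOIT"
<%-   end -%>
      end

<%# launch / cleanup follow @networking: TCP and UDP keep the socket in
    @socket so cleanup can close it; HTTP sends the buffer as a query
    parameter and has nothing to release. -%>
      def launch
<%-   case @networking -%>
<%-   when :remote_tcp -%>
        @socket = tcp_connect
        @socket.write(@buffer)
<%-   when :remote_udp -%>
        @socket = udp_connect
        @socket.write(@buffer)
<%-   when :http -%>
        http_get(query_params: {'foo' => @buffer})
<%-   end -%>
      end

      def cleanup
<%-   case @networking -%>
<%-   when :remote_tcp, :remote_udp -%>
        @socket.close
<%-   end -%>
      end
<%- end -%>
    end
  end
end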