Merge pull request #88 from meehien/master

Some minor changes

lib/templates/Vagrantfile.erb

@@ -14,12 +14,28 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.define "<%= system.name %>" do |<%= system.name %>|
     config.vm.provider :virtualbox do |vb|
 <%= if (@options.has_key? :gui_output)
-"      vb.gui = true"
+"      vb.gui = true
+"
     else
 "      vb.gui = false
-      vb.customize ['modifyvm', :id, '--pae', 'on']
-      vb.customize ['modifyvm', :id, '--hwvirtex', 'off']
-      vb.customize ['modifyvm', :id, '--vtxvpid', 'off']"
+"
+    end -%>
+<%= if (@options.has_key? :nopae)
+"      vb.customize ['modifyvm', :id, '--pae', 'off']"
+    else
+"      vb.customize ['modifyvm', :id, '--pae', 'on']"
+    end -%>
+
+<%= if (@options.has_key? :hwvirtex)
+"      vb.customize ['modifyvm', :id, '--hwvirtex', 'on']"
+    else
+"      vb.customize ['modifyvm', :id, '--hwvirtex', 'off']"
+    end -%>
+
+<%= if (@options.has_key? :vtxvpid)
+"      vb.customize ['modifyvm', :id, '--vtxvpid', 'on']"
+    else
+"      vb.customize ['modifyvm', :id, '--vtxvpid', 'off']"
     end -%>
 <%= if (@options.has_key? :memory_per_vm)
 "      vb.memory = #{@options[:memory_per_vm]}"

modules/build/puppet/secgen_functions/manifests/leak_file.pp

@@ -1,20 +1,22 @@
 define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0777', $leaked_from = '' ) {
-  $path_to_leak = "$storage_directory/$leaked_filename"
+  if ($leaked_filename != ''){
+    $path_to_leak = "$storage_directory/$leaked_filename"
 
-  # If the file already exists append to it, otherwise create it.
-  if (defined(File[$path_to_leak])){
-    notice("File with that name already defined, appending leaked strings instead...")
-    exec { "$leaked_from-$path_to_leak":
-      path    => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
-      command => "echo $strings_to_leak >> $path_to_leak",
-    }
-  } else {
-    file { $path_to_leak:
-      ensure   => present,
-      owner    => $owner,
-      group    => $group,
-      mode     => $mode,
-      content  => template('secgen_functions/overshare.erb')
+    # If the file already exists append to it, otherwise create it.
+    if (defined(File[$path_to_leak])){
+      notice("File with that name already defined, appending leaked strings instead...")
+      exec { "$leaked_from-$path_to_leak":
+        path    => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+        command => "echo $strings_to_leak >> $path_to_leak",
+      }
+    } else {
+      file { $path_to_leak:
+        ensure   => present,
+        owner    => $owner,
+        group    => $group,
+        mode     => $mode,
+        content  => template('secgen_functions/overshare.erb')
+      }
     }
   }
 }

modules/generators/content/name_based_username/secgen_local/local.rb

@@ -13,7 +13,7 @@ class NameBasedUsernameGenerator < StringEncoder
 
   # Generate a username based on a random adjective and a random noun
   def encode_all
-    self.outputs << Faker::Internet.user_name(self.name, %w(- _))
+    self.outputs << Faker::Internet.user_name(self.name, %w(nil _))
   end
 
   def get_options_array

modules/utilities/unix/desktop/gnome/gnome.pp

@@ -0,0 +1 @@
+include gnome::install

modules/utilities/unix/desktop/gnome/manifests/install.pp

@@ -0,0 +1,9 @@
+class gnome::install{
+  case $operatingsystem {
+    'Debian': {
+      package { ['task-gnome-desktop']:
+        ensure => 'installed',
+      }
+    }
+  }
+}

modules/utilities/unix/desktop/gnome/secgen_metadata.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<utility xmlns="http://www.github/cliffe/SecGen/utility"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
+  <name>Gnome desktop environment</name>
+  <author>Mihai Ordean</author>
+  <module_license>Apache v2</module_license>
+  <description>Installs Gnome desktop environment</description>
+
+  <type>desktop_environment</type>
+  <platform>linux</platform>
+  
+  <requires>
+    <type>update</type>
+  </requires>
+</utility>

modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/account.pp

@@ -0,0 +1,42 @@
+define ssh_leaked_keys::account($username, $password, $strings_to_leak, $leaked_filenames) {
+  ::accounts::user { $username:
+    shell      => '/bin/bash',
+    password   => pw_hash($password, 'SHA-512', 'mysalt'),
+    managehome => true,
+    home_mode  => '0755',
+    sshkeys    => [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj2gbaOju+u3bdwiMcd2JRgdFqmgaMyRhj6eCu2f8aBfZZVSyrNw+aOzlbILIjIlCHjhUfY/56n6XnH/iaLVr8IpGIz43VuxZ0/dKrjQerbbrJKg25rlDE+kbBwfdBeK3XkJj0d35ON6hkks7jU6scKy4t5LJZ+vnuISs98Gz1t9qjcdHEV5eYNdRjX+FzPW1bTI/RHHAZ53upuEpNArTITn29tnhp5sybDTUba6T09u2rowijn3s46mvqF9NXPZMnjghsStbvHtCYuY8uXNMJCyQzjxsUJbTMuqu2DZ2t2cGnC1wITE/4ZCpNC9gBLQ4ssJVbe0pF3lLJnMx3ggPV $username" ],
+  }
+
+  # Leak strings in a text file in the users home directory
+  ::secgen_functions::leak_files { "$username-file-leak":
+    storage_directory => "/home/$username/",
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $username,
+    group             => $username,
+    mode              => '0600',
+    leaked_from       => "accounts_$username",
+  }
+
+  file { "/home/$username/.ssh.tar.gz":
+    owner  => $username,
+    group  => $username,
+    mode   => '0644',
+    ensure => file,
+    source => 'puppet:///modules/ssh_leaked_keys/.ssh.tar.gz',
+    notify => Exec['unpack'],
+  }
+
+  exec { 'unpack':
+    cwd     => "/home/$username/",
+    command => "tar -xzf /home/$username/.ssh.tar.gz",
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+    notify => Exec['setperm'],
+  }
+
+  exec { 'setperm':
+    cwd     => "/home/$username/",
+    command => "sudo chown -R $username:$username /home/$username/.ssh",
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+  }
+}

modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/init.pp

@@ -0,0 +1,16 @@
+class ssh_leaked_keys::init {
+  $json_inputs = base64('decode', $::base64_inputs)
+  $secgen_parameters = parsejson($json_inputs)
+
+  $accounts = $secgen_parameters['accounts']
+  $accounts.each |$raw_account| {
+      $account = parsejson($raw_account)
+      $username = $account['username']
+      ssh_leaked_keys::account { "ssh_leaked_keys_$username":
+        username         => $username,
+        password         => $account['password'],
+        strings_to_leak  => $account['strings_to_leak'],
+        leaked_filenames => $account['leaked_filenames']
+      }
+    }
+}

modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Leaked SSH keys module</name>
+  <author>Mihai Ordean</author>
+  <author>Puppet Labs</author>
+  <module_license>Apache v2</module_license>
+  <description>Adds a ssh enabled account which has keys leaked in user dir.</description>
+
+  <type>system</type>
+  <privilege>none</privilege>
+  <access>local</access>
+  <platform>linux</platform>
+
+  <read_fact>accounts</read_fact>
+
+  <default_input into="accounts">
+    <generator type="account">
+      <input into="password">
+        <generator module_path="modules/generators/random/random_base64"/>
+      </input>
+    </generator>
+  </default_input>
+
+  <!--optional details-->
+  <reference>https://forge.puppet.com/puppetlabs/accounts</reference>
+
+  <requires>
+    <module_path>utilities/unix/system/accounts</module_path>
+  </requires>
+
+</vulnerability>

modules/vulnerabilities/unix/system/ssh_leaked_keys/ssh_leaked_keys.pp

@@ -0,0 +1 @@
+require ssh_leaked_keys::init

scenarios/examples/parameterised_examples/encoder_examples/parameterised_accounts.xml

@@ -6,10 +6,18 @@
 	<!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
 	<system>
 		<system_name>storage_server</system_name>
-		<base platform="linux"/>
-
-		<vulnerability module_path=".*parameterised_accounts"/>
+		<base platform="linux" distro="Debian 7.8"/>
 
+		<vulnerability module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<generator type="account">
+					<input into="username">
+						<value>example_username</value>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+		
 		<network type="private_network" range="dhcp"/>
 	</system>
 </scenario>

scenarios/seccourse.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<system>
+		<system_name>course_vm</system_name>
+		<!--base platform="linux" distro="Debian 8.2"/-->
+		<base platform="linux" distro="Debian 7.8"/>
+
+		<utility module_path=".*gnome"/>
+
+		<vulnerability module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<generator type="account">
+					<input into="username">
+						<value>admin</value>
+					</input>
+					<input into="password">
+						<value>test</value>
+					</input>
+					<input into="super_user">
+						<value>true</value>
+					</input>
+					<input into="leaked_filenames">
+						<value></value>
+					</input>
+					<input into="strings_to_leak">
+						<value></value>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+
+		<vulnerability module_path=".*ssh_leaked_keys">
+			<input into="accounts">
+				<generator type="account">
+					<input into="leaked_filenames">
+						<value>flag.txt</value>
+					</input>
+					<input into="password">
+						<generator module_path="modules/generators/random/random_base64"/>
+					</input>
+					<input into="strings_to_leak">
+						<generator module_path="modules/generators/random/random_base64"/>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+
+
+
+		<network type="private_network" range="dhcp"/>
+	</system>
+
+</scenario>

secgen.rb

@@ -19,6 +19,10 @@ def usage
    --project [output dir], -p [output dir]: directory for the generated project
               (output will default to #{default_project_dir})
    --help, -h: shows this usage information
+   --gui-output', '-g' gui output
+   --nopae: disable PAE support
+   --hwvirtex: enable HW virtex support
+   --vtxvpid: enable VTX support
 
    COMMANDS:
    run, r: builds project and then builds the VMs
@@ -128,6 +132,9 @@ opts = GetoptLong.new(
   [ '--project', '-p', GetoptLong::REQUIRED_ARGUMENT ],
   [ '--scenario', '-s', GetoptLong::REQUIRED_ARGUMENT ],
   [ '--gui-output', '-g', GetoptLong::NO_ARGUMENT],
+  [ '--nopae', GetoptLong::NO_ARGUMENT],
+  [ '--hwvirtex', GetoptLong::NO_ARGUMENT],
+  [ '--vtxvpid', GetoptLong::NO_ARGUMENT],
   [ '--memory-per-vm', GetoptLong::REQUIRED_ARGUMENT],
   [ '--total-memory', GetoptLong::REQUIRED_ARGUMENT],
   [ '--max-cpu-cores', GetoptLong::REQUIRED_ARGUMENT],
@@ -153,6 +160,15 @@ opts.each do |opt, arg|
     when '--gui-output'
       Print.info "Gui output set (virtual machines will be spawned)"
       options[:gui_output] = true
+    when '--nopae'
+      Print.info "no pae"
+      options[:nopae] = true
+    when '--hwvirtex'
+      Print.info "with HW virtualisation"
+      options[:hwvirtex] = true
+    when '--vtxvpid'
+      Print.info "with VT support"
+      options[:vtxvpid] = true
     when '--memory-per-vm'
       if options.has_key? :total_memory
         Print.info 'Total memory option specified before memory per vm option, defaulting to total memory value'