From ad869c82dc3523ad33f4beaa8e810a1380fd1a80 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Mon, 13 Mar 2017 10:41:54 +0000
Subject: [PATCH 1/8] added options to customize VirtualBox hw support from
 command line

---
 lib/templates/Vagrantfile.erb | 24 ++++++++++++++++++++----
 secgen.rb                     | 16 ++++++++++++++++
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/lib/templates/Vagrantfile.erb b/lib/templates/Vagrantfile.erb
index c024fd8a3..8fc3568b7 100644
--- a/lib/templates/Vagrantfile.erb
+++ b/lib/templates/Vagrantfile.erb
@@ -14,12 +14,28 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.define "<%= system.name %>" do |<%= system.name %>|
     config.vm.provider :virtualbox do |vb|
 <%= if (@options.has_key? :gui_output)
-"      vb.gui = true"
+"      vb.gui = true
+"
     else
 "      vb.gui = false
-      vb.customize ['modifyvm', :id, '--pae', 'on']
-      vb.customize ['modifyvm', :id, '--hwvirtex', 'off']
-      vb.customize ['modifyvm', :id, '--vtxvpid', 'off']"
+"
+    end -%>
+<%= if (@options.has_key? :nopae)
+"      vb.customize ['modifyvm', :id, '--pae', 'off']"
+    else
+"      vb.customize ['modifyvm', :id, '--pae', 'on']"
+    end -%>
+
+<%= if (@options.has_key? :hwvirtex)
+"      vb.customize ['modifyvm', :id, '--hwvirtex', 'on']"
+    else
+"      vb.customize ['modifyvm', :id, '--hwvirtex', 'off']"
+    end -%>
+
+<%= if (@options.has_key? :vtxvpid)
+"      vb.customize ['modifyvm', :id, '--vtxvpid', 'on']"
+    else
+"      vb.customize ['modifyvm', :id, '--vtxvpid', 'off']"
     end -%>
 <%= if (@options.has_key? :memory_per_vm)
 "      vb.memory = #{@options[:memory_per_vm]}"
diff --git a/secgen.rb b/secgen.rb
index 13b004f7b..eeab57877 100644
--- a/secgen.rb
+++ b/secgen.rb
@@ -19,6 +19,10 @@ def usage
    --project [output dir], -p [output dir]: directory for the generated project
               (output will default to #{default_project_dir})
    --help, -h: shows this usage information
+   --gui-output', '-g' gui output
+   --nopae: disable PAE support
+   --hwvirtex: enable HW virtex support
+   --vtxvpid: enable VTX support
 
    COMMANDS:
    run, r: builds project and then builds the VMs
@@ -128,6 +132,9 @@ opts = GetoptLong.new(
   [ '--project', '-p', GetoptLong::REQUIRED_ARGUMENT ],
   [ '--scenario', '-s', GetoptLong::REQUIRED_ARGUMENT ],
   [ '--gui-output', '-g', GetoptLong::NO_ARGUMENT],
+  [ '--nopae', GetoptLong::NO_ARGUMENT],
+  [ '--hwvirtex', GetoptLong::NO_ARGUMENT],
+  [ '--vtxvpid', GetoptLong::NO_ARGUMENT],
   [ '--memory-per-vm', GetoptLong::REQUIRED_ARGUMENT],
   [ '--total-memory', GetoptLong::REQUIRED_ARGUMENT],
   [ '--max-cpu-cores', GetoptLong::REQUIRED_ARGUMENT],
@@ -153,6 +160,15 @@ opts.each do |opt, arg|
     when '--gui-output'
       Print.info "Gui output set (virtual machines will be spawned)"
       options[:gui_output] = true
+    when '--nopae'
+      Print.info "no pae"
+      options[:nopae] = true
+    when '--hwvirtex'
+      Print.info "with HW virtualisation"
+      options[:hwvirtex] = true
+    when '--vtxvpid'
+      Print.info "with VT support"
+      options[:vtxvpid] = true
     when '--memory-per-vm'
       if options.has_key? :total_memory
         Print.info 'Total memory option specified before memory per vm option, defaulting to total memory value'

From 45543b2662a70e04df2c9650c2360c87419e6936 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Mon, 13 Mar 2017 10:43:16 +0000
Subject: [PATCH 2/8] added debian 8.2 base

---
 .../debian_8.2_puppet_32/secgen_metadata.xml  | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 modules/bases/debian_8.2_puppet_32/secgen_metadata.xml

diff --git a/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml b/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml
new file mode 100644
index 000000000..eb57a3ad8
--- /dev/null
+++ b/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+
+<base xmlns="http://www.github/cliffe/SecGen/base"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/base">
+  <name>Debian 8.2 32bit with Puppet</name>
+  <author>Mihai Ordean</author>
+  <module_license>GPLv3</module_license>
+  <description>Based on the Official Puppet Vagrant box. Debian 8.2 (jessie) 32-bit (i386), Puppet 4.3.2 / Puppet Enterprise 2015.3.2 (agent).</description>
+  <type>server</type>
+  <type>cli</type>
+
+  <platform>linux</platform>
+  <platform>unix</platform>
+  
+  <distro>Debian 8.2</distro>
+  <url>http://atlas.hashicorp.com/puppetlabs/boxes/debian-8.2-32-puppet/versions/1.0.1/providers/virtualbox.box</url>
+
+  <reference>https://atlas.hashicorp.com/puppetlabs</reference>
+  <software_license>various</software_license>
+
+</base>
\ No newline at end of file

From 6c97d81250df1190f12c3af6b1872131c091049b Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Mon, 13 Mar 2017 10:44:26 +0000
Subject: [PATCH 3/8] added gnome desktop env. for debian

---
 modules/utilities/unix/desktop/gnome/gnome.pp   |  1 +
 .../unix/desktop/gnome/manifests/install.pp     |  9 +++++++++
 .../unix/desktop/gnome/secgen_metadata.xml      | 17 +++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 modules/utilities/unix/desktop/gnome/gnome.pp
 create mode 100644 modules/utilities/unix/desktop/gnome/manifests/install.pp
 create mode 100644 modules/utilities/unix/desktop/gnome/secgen_metadata.xml

diff --git a/modules/utilities/unix/desktop/gnome/gnome.pp b/modules/utilities/unix/desktop/gnome/gnome.pp
new file mode 100644
index 000000000..3fcb92668
--- /dev/null
+++ b/modules/utilities/unix/desktop/gnome/gnome.pp
@@ -0,0 +1 @@
+include gnome::install
diff --git a/modules/utilities/unix/desktop/gnome/manifests/install.pp b/modules/utilities/unix/desktop/gnome/manifests/install.pp
new file mode 100644
index 000000000..446aa8a8f
--- /dev/null
+++ b/modules/utilities/unix/desktop/gnome/manifests/install.pp
@@ -0,0 +1,9 @@
+class gnome::install{
+  case $operatingsystem {
+    'Debian': {
+      package { ['task-gnome-desktop']:
+        ensure => 'installed',
+      }
+    }
+  }
+}
diff --git a/modules/utilities/unix/desktop/gnome/secgen_metadata.xml b/modules/utilities/unix/desktop/gnome/secgen_metadata.xml
new file mode 100644
index 000000000..7fb9601ff
--- /dev/null
+++ b/modules/utilities/unix/desktop/gnome/secgen_metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<utility xmlns="http://www.github/cliffe/SecGen/utility"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
+  <name>Gnome desktop environment</name>
+  <author>Mihai Ordean</author>
+  <module_license>Apache v2</module_license>
+  <description>Installs Gnome desktop environment</description>
+
+  <type>desktop_environment</type>
+  <platform>linux</platform>
+  
+  <requires>
+    <type>update</type>
+  </requires>
+</utility>

From d9391d384fd8afdec3d3d7ef84141007e5b4f4c7 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Mon, 13 Mar 2017 15:10:17 +0000
Subject: [PATCH 4/8] added check to verify if leaked files is empty

---
 lib/.DS_Store                                 | Bin 12292 -> 0 bytes
 lib/templates/.DS_Store                       | Bin 6148 -> 0 bytes
 .../secgen_functions/manifests/leak_file.pp   |  32 ++++++++++--------
 .../name_based_username/secgen_local/local.rb |   2 +-
 .../parameterised_accounts.xml                |  14 ++++++--
 5 files changed, 29 insertions(+), 19 deletions(-)
 delete mode 100644 lib/.DS_Store
 delete mode 100644 lib/templates/.DS_Store

diff --git a/lib/.DS_Store b/lib/.DS_Store
deleted file mode 100644
index 691b1bbaba4da0e0408dd9138065d7191db3bf7d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 12292
zcmeI1PiqrF6u{p!soh|OT!b7vte$cRlBH5TcvwOd>#2}J!B%uPTbke|8?qZCq|wFC
z;MWkrs~^If2wpwuRqz<!o0-Pl>_!xVw)m#Zyy?6@Gy8j+-M$n6L}TPx02Kf*u#+rb
z#384Vo_eOO>6I%e1^NRx&<77j(B1Jf*1W(3m;e)C0!)AjoCN~-&ZcH8dG9MNk4%6G
z{Femi`CwuvX=@oPDIXm;$Pxf$5tn7dIo1Kv$JEl+GFDQ$VoX&%2<<9#i6N9b>P<37
zX=@oPsoX&*cMy7Kp(_+2cSk={nuD;F<dF$5fh+;4-AmAh0DAb7sNaLO>jy4s=>v5a
zdlmb}Y=&d5hdT}j+T)Eo@VjADuYVA0h2r{!4Wm>tHV^l^eJ>a{f>GZK4_cjI-0FHq
zt}}cn=aCbQ!iF=Hnq4RAphnL3g22c5p|;-ddQs<5xiXnp+x41h)u%OcV%4{|YUa%w
zx2DsQVU)_RjLX-q-@do!oJ^m;h~<$%=qCqUQoql~mpIEo;Dv49#l6WbN9`Y5t#;5G
zs4&*2e5+p2Y<i=p4e-8Te3iC2v3h~`8&-o(a>rc?mJ{n~YuNXL{xNFR$s;(z%nrcE
z?9x2k@sqg~AJLL>Ys_<-@%Tr%-C9*{GZ&Q3ZAP8W?bUaZbjB)?+Xru7qYdRF$7-J2
zUs$DcYcGklklS^YPaMPai8p%~AfZj1^!}F<3ZB-^Pne@kpUfoR0zAVz%1_@%YoAe5
zoykT<r&j0t-qDwuykGQEnt1j5&nr&QKKS+|$s+MNU(lo}%ZG~IXCdb@91l!j1q2Ez
zMuqDCJIlZSU%^fsf(bBzvr0e|o2_O8Pj~tk^5Q|M);6&}#!ijwVkM;u4rD^>vK&V_
z|A!&YO|7%FjFm(Uw!i*Gz#r8G{Qj3o;(-Y;0Vco%m;e)C0!)AjFaajO1egF5U;<3w
H+!6Qzyd;h?

diff --git a/lib/templates/.DS_Store b/lib/templates/.DS_Store
deleted file mode 100644
index 2ee34ff66ed9c1fa7ec34b34646a7439d6b61b4c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6148
zcmeHKyH3ME5S)b+ktmXq@=7Ws{=kX?5;Z>nhKMF25|7mG_-vScfUpb&4F#H&cIR%r
z<FlvmdI8w#<?akv0+`bs@#<k}e%*ay2bD1*o%guG1D??npC;AcC!D*$o{W1uj`$m#
zV#8d2x!v9N+g;B}f6NQ|$y*p#GASShq<|EV0#e|23V83O&5sflrGONW0-p-__o2}p
zyTTzcJ{=4(0uX0RhjAUV1hIL7*cA?m%+M^U#H3n{7?yPATh(=iLt@flaWd~yCtFP@
z7N;}cq8!#GDoOz<Fjn9&w@dH;=ky=u|1n8BDIf*@l>#<fU#(YsrRuGdm-AlR=-2cQ
qV{Mc(L@OpnE9S;q@$r|s=4)Q>3Wvm?Gaq!Kegs?>nH2a71>ON=6ddXR

diff --git a/modules/build/puppet/secgen_functions/manifests/leak_file.pp b/modules/build/puppet/secgen_functions/manifests/leak_file.pp
index bcbb1304e..19bdc65dc 100644
--- a/modules/build/puppet/secgen_functions/manifests/leak_file.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_file.pp
@@ -1,20 +1,22 @@
 define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0777', $leaked_from = '' ) {
-  $path_to_leak = "$storage_directory/$leaked_filename"
+  if ($leaked_filename != ''){
+    $path_to_leak = "$storage_directory/$leaked_filename"
 
-  # If the file already exists append to it, otherwise create it.
-  if (defined(File[$path_to_leak])){
-    notice("File with that name already defined, appending leaked strings instead...")
-    exec { "$leaked_from-$path_to_leak":
-      path    => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
-      command => "echo $strings_to_leak >> $path_to_leak",
-    }
-  } else {
-    file { $path_to_leak:
-      ensure   => present,
-      owner    => $owner,
-      group    => $group,
-      mode     => $mode,
-      content  => template('secgen_functions/overshare.erb')
+    # If the file already exists append to it, otherwise create it.
+    if (defined(File[$path_to_leak])){
+      notice("File with that name already defined, appending leaked strings instead...")
+      exec { "$leaked_from-$path_to_leak":
+        path    => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'],
+        command => "echo $strings_to_leak >> $path_to_leak",
+      }
+    } else {
+      file { $path_to_leak:
+        ensure   => present,
+        owner    => $owner,
+        group    => $group,
+        mode     => $mode,
+        content  => template('secgen_functions/overshare.erb')
+      }
     }
   }
 }
diff --git a/modules/generators/content/name_based_username/secgen_local/local.rb b/modules/generators/content/name_based_username/secgen_local/local.rb
index b946701c4..d3abea0c7 100644
--- a/modules/generators/content/name_based_username/secgen_local/local.rb
+++ b/modules/generators/content/name_based_username/secgen_local/local.rb
@@ -13,7 +13,7 @@ class NameBasedUsernameGenerator < StringEncoder
 
   # Generate a username based on a random adjective and a random noun
   def encode_all
-    self.outputs << Faker::Internet.user_name(self.name, %w(- _))
+    self.outputs << Faker::Internet.user_name(self.name, %w(nil _))
   end
 
   def get_options_array
diff --git a/scenarios/parameterised_examples/encoder_examples/parameterised_accounts.xml b/scenarios/parameterised_examples/encoder_examples/parameterised_accounts.xml
index fc468d04d..7523abc38 100644
--- a/scenarios/parameterised_examples/encoder_examples/parameterised_accounts.xml
+++ b/scenarios/parameterised_examples/encoder_examples/parameterised_accounts.xml
@@ -6,10 +6,18 @@
 	<!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
 	<system>
 		<system_name>storage_server</system_name>
-		<base platform="linux"/>
-
-		<vulnerability module_path=".*parameterised_accounts"/>
+		<base platform="linux" distro="Debian 7.8"/>
 
+		<vulnerability module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<generator type="account">
+					<input into="username">
+						<value>example_username</value>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+		
 		<network type="private_network" range="dhcp"/>
 	</system>
 </scenario>

From 4f122a5ff672df8834cd4d4bd914747022935be4 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Mon, 13 Mar 2017 15:12:46 +0000
Subject: [PATCH 5/8] added seccourse.xml scenario

---
 scenarios/seccourse.xml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 scenarios/seccourse.xml

diff --git a/scenarios/seccourse.xml b/scenarios/seccourse.xml
new file mode 100644
index 000000000..f86c81ad3
--- /dev/null
+++ b/scenarios/seccourse.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<system>
+		<system_name>course_vm</system_name>
+		<base platform="linux" distro="Debian 8.2"/>
+		<!--base platform="linux" distro="Debian 7.8"/-->
+
+		<!--utility module_path=".*gnome"/-->
+
+		<vulnerability module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<generator type="account">
+					<input into="username">
+						<value>admin</value>
+					</input>
+					<input into="password">
+						<value>test</value>
+					</input>
+					<input into="super_user">
+						<value>true</value>
+					</input>
+					<input into="leaked_filenames">
+						<value></value>
+					</input>
+					<input into="strings_to_leak">
+						<value></value>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+
+
+
+		<network type="private_network" range="dhcp"/>
+	</system>
+
+</scenario>

From 46827cd22c3d73634ab16fd2624806a0356704d9 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Fri, 17 Mar 2017 16:32:59 +0000
Subject: [PATCH 6/8] added ssh_leaked_keys module

---
 .../system/ssh_leaked_keys/files/.ssh.tar.gz  | Bin 0 -> 1795 bytes
 .../ssh_leaked_keys/manifests/account.pp      |  42 ++++++++++++++++++
 .../system/ssh_leaked_keys/manifests/init.pp  |  16 +++++++
 .../ssh_leaked_keys/secgen_metadata.xml       |  34 ++++++++++++++
 .../system/ssh_leaked_keys/ssh_leaked_keys.pp |   1 +
 scenarios/seccourse.xml                       |  18 +++++++-
 6 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 modules/vulnerabilities/unix/system/ssh_leaked_keys/files/.ssh.tar.gz
 create mode 100644 modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/account.pp
 create mode 100644 modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/init.pp
 create mode 100644 modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml
 create mode 100644 modules/vulnerabilities/unix/system/ssh_leaked_keys/ssh_leaked_keys.pp

diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/files/.ssh.tar.gz b/modules/vulnerabilities/unix/system/ssh_leaked_keys/files/.ssh.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e9e48beeb07ee0813a234fe14b79fb084ba77965
GIT binary patch
literal 1795
zcmV+e2mJUSiwFQE*~?e}1MSvHucOKt2H>;iSDZcS%M505r7#&V^I$M+A|^A~W}bh2
z+$V|Dx=JgHs1rq(XH$Ygs!#Qys`s~HD4>sD3x1;r;`@kD1pMRpPag;dlPE>t7><0v
z2twfa$0zZN>-sVcW7L0se!Q}*D6{&f-~GG!|5Lwx?|+&8wI8Biw#N4clQ8_V{$nUY
z{h|LTg<>C{@Gq<A2Y>SZfBTLVL|Ol|9p=-tWsh-%Pelm6W&ll=g_e<7hEX`i5}1Z=
zM6_zCxgSw1kt<0`%WELnQQL@>_6P#7&ik>3#QcW(-gN-FJuzR^K=>QC$=k&$aNLtn
z6U<uhNvsh5Dv=1{6uZ<w9f=1&H8H2dVW~q=a&sCTm?FYj%~o6z3A1kHh!9*rODX79
zSrcAV14oQr;)Y4hoXx-Y1XT*Xd1nVYzDErv*}!_vZZH0J4G^eEc4YM7&4lfB5wn!)
z;zDsP1>OXLp5qXYvRHd9Fe0MUgEr%_BQ+Ul2%0jCwkM0b>+Ps}!ErejdY@V;>!rR-
z^|`y8H9R!@6rVXC-qo%jb2RPKnr)Xc0XShbLDA}5YYrF(HdK}Kd~8(glyJ6i*HT>O
z5liM7i(#4Oz1ae;+naqaHrvaGp#;(%vB%rvVcC33iK_2jG<RQ5F^)Q>EZ1|v#Acye
z%Y##Q_<Ap#L?DEYx8j%VW%>yMnoC2dqZc6+g-@(I8&|tpY(fuQehdTi<f0>GIHe{@
zQ7J!P98z7a<u+41=UUNa#sPDiJVlM%c!zHh+}87aRhNvjsxsk>SdHG>N=AkU-G$kg
z3oIvQy?Va4a~ye{rLqL@Ym$|0l5&j=p%$7i19l3p<-=~7b#giHGAKrDo=L@RMd4<^
zIg!cst9|ro7I2lp1E*at+Lm*|wyA9~6CZ8SUar9_m1%IH5{81c`(!ilpm}wQ-8V#~
z$bv;CNb7gU@JfJ_pP8IoxjYaUnDab_MeZ&9oY=^Oqk4x7lTkU6?}T9u24tu?bF;cg
z0#V)!rK)p)wsM@v7i|UeW6cqVyx5_vw;vLXpL)}G5(<84CqArPGoeLy5ylPW{fU1x
z&24fL3Al@;id9fHRUCylgLD^CXVJWCfrjJSuLN8ZGj$o%aEV=pFwKyI#VR~~RlEg0
z0`#Q>npf%~j<cWF={i99DW|=YY}b&~548fXT8m=Aouglb!`@yOd8VFhP-!#n@Yw{M
zVb}HNXK5?K$q|h{63j*yMsp#AgqtHnh1qaeg7C}-DA}zg>2Ejw)Sj7m*h&Hi0a(IE
zqqsKaz+%+>bdEGeO<Ee_h4W?@yM$p4f6a$?$*d!)Y0o(Qq+`jnoF6N=dn#a$oe+1C
za0?S<UaU5)Hh3b=#j-s~_=Jqh;8=S;>#|=J(?T~@{ajB7nWa1X3{J`b5Xpmic0GP3
z#dgLTBz(3N-96Z<&PD1$!H>*jz%yP$P=AKbkdi<eh#*0-hUIDBnGh(JWU!hT+9#G>
zpnxZs3)(LVn_FBDt3?YBFZe_bWWBBn4WeE_%*!-_ljFX-O|}J4v-b&Qomo|e%Zea1
zOw0}sMsx8#^teWXDy>7|REVY*G8^51v`^+vWPt=@Tj&bj8JJlE)D~XEhKt&bVWb!I
zIoSrK8Li?T2XdiJT%Vm#%^OSw(Z(xBZ|NxCZiaUuv1A0O!ZSMStK>bsb%`}I^p1+A
zR@T1E!~J#>w=T?;kyHa|o0~d73yL~($b-=oN^60!(RgnUF3r3>u48&*_dTu~nJ$X1
zcnNi`>XkMHX|7J<n72bkDP9{5v=PL00aMHh6s&J#W&DtzekT&MEw#F;Z<*!o5L-QR
z6A}j!j9<Br-xqQso}ga$8}s|`z}K}R=={IFZvNNT;h)YA`R})Oihs!(U-|DH=zo^~
zN%W8TA0v<>|NU3I+yCv|`%mVL#q>SmkS#%l?~i|vBk$LY#Z_n?M@BV)6BegSsU<0T
zvGerYz4A!g?4lwwZbI*;h`ooQ=WM;cfRV93V_B6e`N>IDalHo+LDuB0mY_0Hz5XP(
zqP*jnH?1KIrAl8}Ss%y!Mafa3fARwOh}q?yvYCS29+wJEF~ZQv;_(=$>PilYvf(44
zUP5rLC)pY3llV?|bXO&*BzW%wS5NKg2A+4*M`BloY)N850-M@NXmzG{Ww%D@u`XI-
z*kazj#u4el^n~`!QdTuK;N)xW&a{3rL#?jzVsOTImPRg^g41-<wF|ddd$kVNOYCY>
zH=%rpj%Xs*9J0u+0O29m>KvW3s)Y~3#fvkzJ!4PxQfn)g=cf1hkALbfNfLcSFce0}
l;{ZGy4u`|xa5x+ehr{7;I2;a#!{P8B`x`m)UPS;X006YTakc;e

literal 0
HcmV?d00001

diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/account.pp b/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/account.pp
new file mode 100644
index 000000000..9f1e6dd2e
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/account.pp
@@ -0,0 +1,42 @@
+define ssh_leaked_keys::account($username, $password, $strings_to_leak, $leaked_filenames) {
+  ::accounts::user { $username:
+    shell      => '/bin/bash',
+    password   => pw_hash($password, 'SHA-512', 'mysalt'),
+    managehome => true,
+    home_mode  => '0755',
+    sshkeys    => [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj2gbaOju+u3bdwiMcd2JRgdFqmgaMyRhj6eCu2f8aBfZZVSyrNw+aOzlbILIjIlCHjhUfY/56n6XnH/iaLVr8IpGIz43VuxZ0/dKrjQerbbrJKg25rlDE+kbBwfdBeK3XkJj0d35ON6hkks7jU6scKy4t5LJZ+vnuISs98Gz1t9qjcdHEV5eYNdRjX+FzPW1bTI/RHHAZ53upuEpNArTITn29tnhp5sybDTUba6T09u2rowijn3s46mvqF9NXPZMnjghsStbvHtCYuY8uXNMJCyQzjxsUJbTMuqu2DZ2t2cGnC1wITE/4ZCpNC9gBLQ4ssJVbe0pF3lLJnMx3ggPV $username" ],
+  }
+
+  # Leak strings in a text file in the users home directory
+  ::secgen_functions::leak_files { "$username-file-leak":
+    storage_directory => "/home/$username/",
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $username,
+    group             => $username,
+    mode              => '0600',
+    leaked_from       => "accounts_$username",
+  }
+
+  file { "/home/$username/.ssh.tar.gz":
+    owner  => $username,
+    group  => $username,
+    mode   => '0644',
+    ensure => file,
+    source => 'puppet:///modules/ssh_leaked_keys/.ssh.tar.gz',
+    notify => Exec['unpack'],
+  }
+
+  exec { 'unpack':
+    cwd     => "/home/$username/",
+    command => "tar -xzf /home/$username/.ssh.tar.gz",
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+    notify => Exec['setperm'],
+  }
+
+  exec { 'setperm':
+    cwd     => "/home/$username/",
+    command => "sudo chown -R $username:$username /home/$username/.ssh",
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+  }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/init.pp b/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/init.pp
new file mode 100644
index 000000000..a48fcd25b
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/manifests/init.pp
@@ -0,0 +1,16 @@
+class ssh_leaked_keys::init {
+  $json_inputs = base64('decode', $::base64_inputs)
+  $secgen_parameters = parsejson($json_inputs)
+
+  $accounts = $secgen_parameters['accounts']
+  $accounts.each |$raw_account| {
+      $account = parsejson($raw_account)
+      $username = $account['username']
+      ssh_leaked_keys::account { "ssh_leaked_keys_$username":
+        username         => $username,
+        password         => $account['password'],
+        strings_to_leak  => $account['strings_to_leak'],
+        leaked_filenames => $account['leaked_filenames']
+      }
+    }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml b/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml
new file mode 100644
index 000000000..d82f5b562
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Leaked SSH keys module</name>
+  <author>Mihai Ordean</author>
+  <author>Puppet Labs</author>
+  <module_license>Apache v2</module_license>
+  <description>Adds a ssh enabled account which has keys leaked in user dir.</description>
+
+  <type>system</type>
+  <privilege>none</privilege>
+  <access>local</access>
+  <platform>linux</platform>
+
+  <read_fact>accounts</read_fact>
+
+  <default_input into="accounts">
+    <generator type="account">
+      <input into="password">
+        <generator module_path="modules/generators/random/random_base64"/>
+      </input>
+    </generator>
+  </default_input>
+
+  <!--optional details-->
+  <reference>https://forge.puppet.com/puppetlabs/accounts</reference>
+
+  <requires>
+    <module_path>utilities/unix/system/accounts</module_path>
+  </requires>
+
+</vulnerability>
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/ssh_leaked_keys.pp b/modules/vulnerabilities/unix/system/ssh_leaked_keys/ssh_leaked_keys.pp
new file mode 100644
index 000000000..9260b14b3
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/ssh_leaked_keys.pp
@@ -0,0 +1 @@
+require ssh_leaked_keys::init
\ No newline at end of file
diff --git a/scenarios/seccourse.xml b/scenarios/seccourse.xml
index f86c81ad3..d858305b7 100644
--- a/scenarios/seccourse.xml
+++ b/scenarios/seccourse.xml
@@ -9,7 +9,7 @@
 		<base platform="linux" distro="Debian 8.2"/>
 		<!--base platform="linux" distro="Debian 7.8"/-->
 
-		<!--utility module_path=".*gnome"/-->
+		<utility module_path=".*gnome"/>
 
 		<vulnerability module_path=".*parameterised_accounts">
 			<input into="accounts">
@@ -33,6 +33,22 @@
 			</input>
 		</vulnerability>
 
+		<vulnerability module_path=".*ssh_leaked_keys">
+			<input into="accounts">
+				<generator type="account">
+					<input into="leaked_filenames">
+						<value>flag.txt</value>
+					</input>
+					<input into="password">
+						<generator module_path="modules/generators/random/random_base64"/>
+					</input>
+					<input into="strings_to_leak">
+						<generator module_path="modules/generators/random/random_base64"/>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+
 
 
 		<network type="private_network" range="dhcp"/>

From bcc764ea11b59f9b68815eeda45f5ccde6066654 Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Fri, 17 Mar 2017 16:51:27 +0000
Subject: [PATCH 7/8] seccourse will use base debian 7.8

---
 scenarios/seccourse.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scenarios/seccourse.xml b/scenarios/seccourse.xml
index d858305b7..96b045ea4 100644
--- a/scenarios/seccourse.xml
+++ b/scenarios/seccourse.xml
@@ -6,8 +6,8 @@
 
 	<system>
 		<system_name>course_vm</system_name>
-		<base platform="linux" distro="Debian 8.2"/>
-		<!--base platform="linux" distro="Debian 7.8"/-->
+		<!--base platform="linux" distro="Debian 8.2"/-->
+		<base platform="linux" distro="Debian 7.8"/>
 
 		<utility module_path=".*gnome"/>
 

From 86192340d765e4e05be1ced83080a7f08a2c02be Mon Sep 17 00:00:00 2001
From: Mihai Ordean <research@mihaiordean.com>
Date: Sat, 18 Mar 2017 08:54:49 +0000
Subject: [PATCH 8/8] removed debian 8.2

---
 .../debian_8.2_puppet_32/secgen_metadata.xml  | 22 -------------------
 1 file changed, 22 deletions(-)
 delete mode 100644 modules/bases/debian_8.2_puppet_32/secgen_metadata.xml

diff --git a/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml b/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml
deleted file mode 100644
index eb57a3ad8..000000000
--- a/modules/bases/debian_8.2_puppet_32/secgen_metadata.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<?xml version="1.0"?>
-
-<base xmlns="http://www.github/cliffe/SecGen/base"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://www.github/cliffe/SecGen/base">
-  <name>Debian 8.2 32bit with Puppet</name>
-  <author>Mihai Ordean</author>
-  <module_license>GPLv3</module_license>
-  <description>Based on the Official Puppet Vagrant box. Debian 8.2 (jessie) 32-bit (i386), Puppet 4.3.2 / Puppet Enterprise 2015.3.2 (agent).</description>
-  <type>server</type>
-  <type>cli</type>
-
-  <platform>linux</platform>
-  <platform>unix</platform>
-  
-  <distro>Debian 8.2</distro>
-  <url>http://atlas.hashicorp.com/puppetlabs/boxes/debian-8.2-32-puppet/versions/1.0.1/providers/virtualbox.box</url>
-
-  <reference>https://atlas.hashicorp.com/puppetlabs</reference>
-  <software_license>various</software_license>
-
-</base>
\ No newline at end of file