Directory structure changes

.idea/SecGen.iml

@@ -1,79 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module type="RUBY_MODULE" version="4">
-  <component name="ModuleRunConfigurationManager">
-    <configuration default="false" name="vulnerability_processor_tests" type="RubyRunConfigurationType" factoryName="Ruby" temporary="true">
-      <module name="SecGen" />
-      <RUBY_RUN_CONFIG NAME="RUBY_ARGS" VALUE="-e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift)" />
-      <RUBY_RUN_CONFIG NAME="WORK DIR" VALUE="$MODULE_DIR$/tests/helper_tests" />
-      <RUBY_RUN_CONFIG NAME="SHOULD_USE_SDK" VALUE="false" />
-      <RUBY_RUN_CONFIG NAME="ALTERN_SDK_NAME" VALUE="" />
-      <RUBY_RUN_CONFIG NAME="myPassParentEnvs" VALUE="true" />
-      <envs />
-      <EXTENSION ID="BundlerRunConfigurationExtension" bundleExecEnabled="true" />
-      <EXTENSION ID="JRubyRunConfigurationExtension" NailgunExecEnabled="false" />
-      <EXTENSION ID="RubyCoverageRunConfigurationExtension" enabled="false" sample_coverage="true" track_test_folders="true" runner="rcov">
-        <COVERAGE_PATTERN ENABLED="true">
-          <PATTERN REGEXPS="/.rvm/" INCLUDED="false" />
-        </COVERAGE_PATTERN>
-      </EXTENSION>
-      <RUBY_RUN_CONFIG NAME="SCRIPT_PATH" VALUE="$MODULE_DIR$/tests/helper_tests/vulnerability_processor_tests.rb" />
-      <RUBY_RUN_CONFIG NAME="SCRIPT_ARGS" VALUE="" />
-      <method />
-    </configuration>
-    <configuration default="false" name="secgen" type="RubyRunConfigurationType" factoryName="Ruby" temporary="true">
-      <module name="SecGen" />
-      <RUBY_RUN_CONFIG NAME="RUBY_ARGS" VALUE="-e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift)" />
-      <RUBY_RUN_CONFIG NAME="WORK DIR" VALUE="$MODULE_DIR$" />
-      <RUBY_RUN_CONFIG NAME="SHOULD_USE_SDK" VALUE="false" />
-      <RUBY_RUN_CONFIG NAME="ALTERN_SDK_NAME" VALUE="" />
-      <RUBY_RUN_CONFIG NAME="myPassParentEnvs" VALUE="true" />
-      <envs />
-      <EXTENSION ID="BundlerRunConfigurationExtension" bundleExecEnabled="true" />
-      <EXTENSION ID="JRubyRunConfigurationExtension" NailgunExecEnabled="false" />
-      <EXTENSION ID="RubyCoverageRunConfigurationExtension" enabled="false" sample_coverage="true" track_test_folders="true" runner="rcov">
-        <COVERAGE_PATTERN ENABLED="true">
-          <PATTERN REGEXPS="/.rvm/" INCLUDED="false" />
-        </COVERAGE_PATTERN>
-      </EXTENSION>
-      <RUBY_RUN_CONFIG NAME="SCRIPT_PATH" VALUE="$MODULE_DIR$/secgen.rb" />
-      <RUBY_RUN_CONFIG NAME="SCRIPT_ARGS" VALUE="-r" />
-      <method />
-    </configuration>
-    <configuration default="false" name="systemreader" type="RubyRunConfigurationType" factoryName="Ruby" temporary="true">
-      <module name="SecGen" />
-      <RUBY_RUN_CONFIG NAME="RUBY_ARGS" VALUE="-e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift)" />
-      <RUBY_RUN_CONFIG NAME="WORK DIR" VALUE="$MODULE_DIR$" />
-      <RUBY_RUN_CONFIG NAME="SHOULD_USE_SDK" VALUE="false" />
-      <RUBY_RUN_CONFIG NAME="ALTERN_SDK_NAME" VALUE="" />
-      <RUBY_RUN_CONFIG NAME="myPassParentEnvs" VALUE="true" />
-      <envs />
-      <EXTENSION ID="BundlerRunConfigurationExtension" bundleExecEnabled="true" />
-      <EXTENSION ID="JRubyRunConfigurationExtension" NailgunExecEnabled="false" />
-      <EXTENSION ID="RubyCoverageRunConfigurationExtension" enabled="false" sample_coverage="true" track_test_folders="true" runner="rcov">
-        <COVERAGE_PATTERN ENABLED="true">
-          <PATTERN REGEXPS="/.rvm/" INCLUDED="false" />
-        </COVERAGE_PATTERN>
-      </EXTENSION>
-      <RUBY_RUN_CONFIG NAME="SCRIPT_PATH" VALUE="$MODULE_DIR$/lib/systemreader.rb" />
-      <RUBY_RUN_CONFIG NAME="SCRIPT_ARGS" VALUE="" />
-      <method />
-    </configuration>
-  </component>
+<module version="4">
   <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/tests" isTestSource="true" />
-      <excludeFolder url="file://$MODULE_DIR$/projects" />
-      <excludeFolder url="file://$MODULE_DIR$/projects/Project1" />
-    </content>
-    <orderEntry type="inheritedJdk" />
     <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="library" scope="PROVIDED" name="bundler (v1.10.4, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="mini_portile2 (v2.0.0, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="minitest (v5.8.4, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="nokogiri (v1.6.7.1, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="rake (v10.5.0, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" scope="PROVIDED" name="xml-simple (v1.1.5, ruby-2.0.0-p645) [gem]" level="application" />
-    <orderEntry type="library" name="stub [puppet module]" level="application" />
   </component>
-  <component name="PuppetLibraryUpdateService" isEnabled="true" />
 </module>

config/config

@@ -1 +0,0 @@
-Configuration will go here

config/scenario.xml

@@ -2,7 +2,7 @@
 	<!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
 	<system id="storageserver" os="linux" basebox="puppettest" url="" >
 		<vulnerabilities>
-			<vulnerability privilege="user" access="remote" type="" cve=""></vulnerability>
+			<vulnerability privilege="" access="" type="other" cve=""></vulnerability>
 		</vulnerabilities>
 		<!-- secure services will be provided, if matching insecure ones have not been selected -->
 		<!--<services>-->

lib/Vagrantfile

@@ -38,7 +38,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # the path on the host to the actual folder. The second argument is
   # the path on the guest to mount the folder. And the optional third
   # argument is a set of non-required options.
-  # config.vm.synced_folder "../data", "/vagrant_data"
+  # config.vm.synced_folder "../templates", "/vagrant_data"
 
   # Provider-specific configuration so you can fine-tune various
   # backing providers for Vagrant. These expose provider-specific options.

lib/filecreator.rb

@@ -30,7 +30,9 @@ class FileCreator
 		controller = ERBController.new
 		controller.systems = systems
 		vagrant_template = ERB.new(File.read(VAGRANT_TEMPLATE_FILE), 0, '<>')
-		File.delete("#{PROJECTS_DIR}/Project#{build_number}/Vagrantfile")
+		if File.exists?("#{PROJECTS_DIR}/Project#{build_number}/Vagrantfile")
+			File.delete("#{PROJECTS_DIR}/Project#{build_number}/Vagrantfile")
+		end
 		puts "#{PROJECTS_DIR}/Project#{build_number}/Vagrantfile file has been created"
 		File.open("#{PROJECTS_DIR}/Project#{build_number}/Vagrantfile", 'w') { |file| file.write(vagrant_template.result(controller.get_binding)) }
 		

lib/helpers/bootstrap.rb

@@ -1,3 +1,4 @@
+require 'fileutils'
 class Bootstrap
 
   def bootstrap
@@ -7,10 +8,13 @@ class Bootstrap
       create_directory_structure
       move_vulnerability_puppet_files
       move_secure_service_puppet_files
+      move_build_puppet_files
     else #if mount does exist, purge the puppet directory and copy the files
       purge_puppet_files
+      create_directory_structure
       move_secure_service_puppet_files
       move_vulnerability_puppet_files
+      move_build_puppet_files
     end
     puts 'Application Bootstrapped'
   end
@@ -20,32 +24,83 @@ class Bootstrap
   def create_directory_structure
     print 'Mount directory not present, creating..'
     Dir.mkdir("#{ROOT_DIR}/mount")
-    puts ' Complete'
     print 'Creating Puppet directory..'
     Dir.mkdir("#{ROOT_DIR}/mount/puppet")
+    print 'Creating Puppet module directory..'
+    Dir.mkdir("#{ROOT_DIR}/mount/puppet/module")
+    print 'Creating Puppet manifest directory..'
+    Dir.mkdir("#{ROOT_DIR}/mount/puppet/manifest")
     puts ' Complete'
   end
 
   def move_vulnerability_puppet_files
-    puts 'Moving vulnerabilities'
-    Dir.glob("#{ROOT_DIR}/modules/vulnerabilities/**/**/puppet/**/*.pp").each do |puppet_file|
-      puts "Moving #{puppet_file} to mount/puppet."
-      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet")
+    puts 'Moving vulnerability manifests'
+    Dir.glob("#{ROOT_DIR}/modules/vulnerabilities/**/**/**/*.pp").each do |puppet_file|
+      puts "Moving #{puppet_file} to mount/puppet/manifest/"
+      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet/manifest/")
+    end
+
+    puts 'Moving vulnerability modules'
+    Dir.glob("#{ROOT_DIR}/modules/vulnerabilities/**/**/**/module/**").each do |puppet_module_directory|
+      root_directory_length = ROOT_DIR.split('/').count
+      module_name = puppet_module_directory.split('/')[root_directory_length + 4]
+      module_path = "#{ROOT_DIR}/mount/puppet/module/#{module_name}"
+
+      if(Dir.exists?(module_path))
+        puts "Moving #{puppet_module_directory} to #{module_path}"
+        FileUtils.cp_r(puppet_module_directory, module_path)
+      else
+        Dir.mkdir("#{ROOT_DIR}/mount/puppet/module/#{module_name}")
+        puts "Moving #{puppet_module_directory} to #{module_path}"
+        FileUtils.cp_r(puppet_module_directory, module_path)
+      end
+
+      puts 'Moving vulnerability templates'
+
     end
   end
 
   def move_secure_service_puppet_files
-    puts 'Moving secure services'
-    Dir.glob("#{ROOT_DIR}/modules/services/**/**/puppet/**/*.pp").each do |puppet_file|
-      puts "Moving #{puppet_file} to mount/puppet."
-      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet")
+    puts 'Moving secure service puppet files'
+    Dir.glob("#{ROOT_DIR}/modules/services/**/**/puppet/module/*.pp").each do |puppet_file|
+      puts "Moving #{puppet_file} to mount/puppet/module"
+      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet/module")
+    end
+    Dir.glob("#{ROOT_DIR}/modules/services/**/**/puppet/manifest/*.pp").each do |puppet_file|
+      puts "Moving #{puppet_file} to mount/puppet/manifest."
+      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet/manifest")
     end
   end
 
-  def purge_puppet_files
-    puts 'Purging puppets directory.'
-    Dir.glob("#{ROOT_DIR}/mount/puppet/*.pp").each do |puppet_file|
-    File.delete(puppet_file)
+  def move_build_puppet_files
+
+    puts 'Moving build puppet module files'
+    Dir.glob("#{ROOT_DIR}/modules/build/puppet/**/module/*.pp").each do |puppet_file|
+      root_directory_length = ROOT_DIR.split('/').count
+      module_name = puppet_file.split('/')[root_directory_length + 3]
+      module_path = "#{ROOT_DIR}/mount/puppet/module/#{module_name}"
+      if(Dir.exists?(module_path))
+        Dir.mkdir("#{module_path}/manifests")
+        puts "Moving #{puppet_file} to #{module_path}"
+        FileUtils.copy(puppet_file, "#{module_path}/manifests")
+      else
+        Dir.mkdir("#{ROOT_DIR}/mount/puppet/module/#{module_name}")
+        Dir.mkdir("#{ROOT_DIR}/mount/puppet/module/#{module_name}/manifests")
+        puts "Moving #{puppet_file} to #{module_path}"
+        FileUtils.copy(puppet_file, "#{module_path}/manifests")
+      end
+    end
+    Dir.glob("#{ROOT_DIR}/modules/build/puppet/**/manifest/*.pp").each do |puppet_file|
+      puts "Moving #{puppet_file} to mount/puppet/manifest."
+      FileUtils.copy(puppet_file, "#{ROOT_DIR}/mount/puppet/manifest")
     end
   end
+
+  def move_files
+
+  end
+
+  def purge_puppet_files
+    FileUtils.rm_rf("#{ROOT_DIR}/mount")
+  end
 end

lib/objects/vulnerability.rb

@@ -1,7 +1,7 @@
 require_relative('../constants.rb')
 
 class Vulnerability
-    attr_accessor :type, :privilege, :access ,:puppets, :details, :ports, :name, :cve, :files, :scripts
+    attr_accessor :type, :privilege, :access ,:puppets, :details, :ports, :name, :cve, :files, :scripts, :platform
 
     def initialize(type='', privilege='', access='', puppets=[], details='', ports=[], platform ='', name='', cve='', files=[], scripts=[])
       @type = type

lib/templates/vagrantbase.erb

@@ -17,6 +17,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     <% end %>
     <%= systems.id %>.vm.synced_folder "<%= MOUNT_DIR %>", "/mount"
     end
+    config.vm.provision :shell, :inline => "sed -i 's/squeeze/wheezy/g' /etc/apt/sources.list"
     config.vm.provision :shell, :inline => "apt-get update --fix-missing"
 
 
@@ -28,19 +29,20 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     #a vulnerability has 1 or many puppets
     <% systems.vulns.each do |vulnerability| %>
 
-        <% vulnerability.puppets.each do |puppet| %>
             <% vulnerability_name = vulnerability.name %>
             config.vm.provision "puppet" do | <%=vulnerability_name%> |
-            <%=vulnerability_name%>.manifests_path= "<%="#{vulnerability.puppet_path}/manifest" %>"
+
+            <%=vulnerability_name%>.module_path = "<%="#{ROOT_DIR}/mount/puppet/module/#{vulnerability_name}"%>"
+            <%=vulnerability_name%>.manifests_path = "<%="#{ROOT_DIR}/mount/puppet/manifest"%>"
             <%=vulnerability_name%>.manifest_file = "<%=vulnerability_name%>.pp"
             end
-        <% end %>
+
     <% end %>
 
     # clean up script which clears history from the VMs and clobs files together
     config.vm.provision "puppet" do |cleanup|
-    cleanup.module_path = "<%="#{PATH_TO_CLEANUP}module"%>"
-    cleanup.manifests_path = "<%="#{PATH_TO_CLEANUP}manifest"%>"
+    cleanup.module_path = "<%="#{ROOT_DIR}/modules/build/puppet/cleanup/module"%>"
+    cleanup.manifests_path = "<%="#{ROOT_DIR}/modules/build/puppet/cleanup"%>"
     cleanup.manifest_file = "cleanup.pp"
     end
 

modules/build/puppet/cleanup/module/cleanup/manifests/config.pp

@@ -1,4 +1,4 @@
-  class cleanup::config {
+class cleanup::config {
 # removes bash history
   exec { "rm":
       command => "rm -rf .bash_history",

modules/build/puppet/manifest/default.pp

@@ -1 +0,0 @@
-

modules/modules

@@ -1 +0,0 @@
-Vulnerabilities, Services, Users, Bases and Networks will go in here

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/module/vsftpd_234_backdoor/manifests/install.pp

@@ -1,11 +1,12 @@
   #copies and unpacks vsftpd_234_backdoor saves it to usr/local/sbin and executes it for startup
   class vsftpd_234_backdoor::install {
-    exec { 'unzip-vsftpd':
-		command     => 'tar xzf vsftpd-2.3.4.tar.gz && mv vsftpd-2.3.4 /home/vagrant/vsftpd-2.3.4',
-		path => '/bin',
-		cwd         => "/mount/files/shell",
-		creates     => "/home/vagrant/vsftpd-2.3.4/vsftpd",
-		notify	 => Exec['make-vsftpd']
+
+      exec { 'unzip-vsftpd':
+		  command     => 'tar xzf vsftpd-2.3.4.tar.gz && mv vsftpd-2.3.4 /home/vagrant/vsftpd-2.3.4',
+		  path => '/bin',
+      cwd => '/mount/puppet/module/vsftpd_234_backdoor/vsftpd_234_backdoor/files',
+		  creates     => "/home/vagrant/vsftpd-2.3.4/vsftpd",
+		  notify	 => Exec['make-vsftpd']
 	}
 
 	exec { 'make-vsftpd':
@@ -16,9 +17,8 @@
 		require     => Exec["unzip-vsftpd"],
 	}
 
-
 	exec { 'copy-vsftpd':
-		command     => '/mount/files/shell/copyvsftpd.sh',
+		command     => '/mount/puppet/module/vsftpd_234_backdoor/vsftpd_234_backdoor/files/copyvsftpd.sh',
 		cwd         => "/home/vagrant/vsftpd-2.3.4",
 		creates     => "/usr/local/sbin/vsftpd",
 		notify	 => User['ftp'],
@@ -33,11 +33,11 @@
       home       => '/var/ftp',
       notify	 => Exec['start-vsftpd'],
       require     => Exec["copy-vsftpd"],
-      managehome => true,
+      managehome => true
     }
 
     exec { 'start-vsftpd':
-		command     => '/mount/files/shell/startvsftpd.sh',
+		command     => '/mount/puppet/module/vsftpd_234_backdoor/vsftpd_234_backdoor/files/startvsftpd.sh',
 		require     => User["ftp"],
 	}
 }

modules/vulnerabilities/unix/misc/distcc_exec/module/distcc_exec/manifests/distcc_config.pp

@@ -1,4 +1,4 @@
-class distcc_exec::config {
+class distcc_exec::distcc_config {
 
   package { 'distcc':
       ensure => installed
@@ -11,12 +11,12 @@ class distcc_exec::config {
     owner   => 'root',
     group   => 'root',
     mode    => '0777',
-    content  => template('../data/distcc.erb')
+    content  => template('distcc.erb')
   }
 
 
   service { 'distcc':
-    ensure => running,
+    ensure => running
 }
 }
 

modules/vulnerabilities/unix/other/mountable_nfs/module/mountable_nfs/manifests/config.pp

@@ -1,4 +1,4 @@
-class nfs::config {
+class mountable_nfs::config {
 
   package { ['nfs-kernel-server', 'nfs-common', 'portmap']:
       ensure => installed
@@ -11,7 +11,7 @@ class nfs::config {
     owner   => 'root',
     group   => 'root',
     mode    => '0777',
-    content  => template('nfslewis/exports.erb')
+    content  => template('mountable_nfs/templates/exports.erb')
   }
 
   exec { "exportfs":

modules/vulnerabilities/unix/other/mountable_nfs/mountable_nfs.pp

@@ -0,0 +1 @@
+include mountable_nfs::config

modules/vulnerabilities/unix/other/writeable_shadow/module/writeable_shadow/manifests/config.pp

@@ -1,4 +1,4 @@
-class writableshadow::config {
+class writeable_shadow::config {
 
   file { '/etc/shadow':
     ensure  => present,

modules/vulnerabilities/unix/other/writeable_shadow/secgen_metadata.xml

@@ -0,0 +1,12 @@
+<vulnerability
+        type="other"
+        cve=""
+        privilege="user"
+        access="remote"
+        details="Changes access on shadow file to 777"
+        platform="unix"
+        name="writeable_shadow">
+  <puppets>
+    <puppet>writeable_shadow</puppet>
+  </puppets>
+</vulnerability>

modules/vulnerabilities/unix/other/writeable_shadow/writeable_shadow.pp

@@ -0,0 +1 @@
+include writeable_shadow::config

secgen.rb

@@ -6,8 +6,6 @@ require_relative 'lib/systemreader.rb'
 require_relative 'lib/vagrant.rb'
 require_relative 'lib/helpers/bootstrap'
 
-puts 'SecGen - Creates virtualised security scenarios'
-puts 'Licensed GPLv3 2014-16'
 
 def usage
   puts 'Usage: