Merge branch 'master' of https://github.com/cliffe/SecGen

lib/schemas/vulnerability_metadata_schema.xsd

@@ -9,6 +9,7 @@
       <xs:enumeration value="info_leak"/>
       <xs:enumeration value="user"/>
       <xs:enumeration value="root"/>
+      <xs:enumeration value="none"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="accessOptions">
@@ -55,7 +56,7 @@
   </xs:simpleType>
   <xs:simpleType name="MSFregexp">
     <xs:restriction base="xs:string">
-      <xs:pattern value="exploit/[a-zA-Z0-9_\-/]+"/>
+      <xs:pattern value="(exploit|auxiliary)/[a-zA-Z0-9_\-/]+"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:simpleType name="randType">

modules/services/unix/http/apache_bash_cgi/apache_bash_cgi.pp

@@ -0,0 +1 @@
+require apache_bash_cgi::init

modules/services/unix/http/apache_bash_cgi/files/test.cgi

@@ -0,0 +1,7 @@
+#!/bin/bash 
+echo "Content-type: text/plain"
+echo $(env)
+echo
+echo "Hi"
+bash --version
+bash /dev/null

modules/services/unix/http/apache_bash_cgi/manifests/init.pp

@@ -0,0 +1,11 @@
+class apache_bash_cgi::init {
+  file { '/usr/lib/cgi-bin/':
+    ensure => directory,
+  }
+
+  file { '/usr/lib/cgi-bin/test.cgi':
+    ensure => file,
+    source => 'puppet:///modules/apache_bash_cgi/test.cgi',
+    mode => '755',
+  }
+}

modules/services/unix/http/apache_bash_cgi/secgen_metadata.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+
+<service xmlns="http://www.github/cliffe/SecGen/service"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/service">
+  <name>Apache Bash CGI</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>Hosts a bash CGI script on a default apache installation.</description>
+
+  <type>httpd</type>
+  <platform>unix</platform>
+
+  <reference>https://httpd.apache.org/</reference>
+  <software_license>Apache v2</software_license>
+
+  <requires>
+    <module_path>modules/services/unix/http/apache</module_path>
+  </requires>
+
+</service>

modules/services/unix/smb/samba/secgen_metadata.xml

@@ -5,10 +5,11 @@
          xsi:schemaLocation="http://www.github/cliffe/SecGen/service">
   <name>Samba file share Server</name>
   <author>example42</author>
+  <author>Jason Keighley</author>
   <module_license>Apache v2</module_license>
   <description>An installation of Samba</description>
 
-  <type>file_share</type>
+  <type>smb</type>
   <platform>linux</platform>
 
   <!--optional details-->
@@ -16,7 +17,7 @@
   <software_name>samba</software_name>
   <software_license>Apache v2</software_license>
 
-  <!--Cannot co-exist with other apache installations-->
+  <!--Cannot co-exist with other samba installations-->
   <conflict>
     <software_name>samba</software_name>
   </conflict>
@@ -25,10 +26,4 @@
     <type>update</type>
   </requires>
 
-</service>
-
-<!-- REQUIRES unix_update MODULE TO BE CALLED FIRST -->
-<!-- ALSO REQUIRES -->
-<!--example42/puppi (>=2.0.0)-->
-<!--example42/firewall (>=2.0.0)-->
-<!--example42/monitor (>=2.0.0)-->
+</service>

modules/utilities/unix/scanners/nmap/manifests/install.pp

@@ -0,0 +1,5 @@
+class nmap::install {
+  package { 'nmap':
+    ensure => installed,
+  }
+}

modules/utilities/unix/scanners/nmap/nmap.pp

@@ -0,0 +1 @@
+include nmap::install

modules/utilities/unix/scanners/nmap/secgen_metadata.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0"?>
+
+<utility xmlns="http://www.github/cliffe/SecGen/utility"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
+  <name>Nmap Security Scanner</name>
+  <author>Thomas Shaw</author>
+  <module_license>Apache v2</module_license>
+  <description>Nmap network host, service and security scanner.</description>
+
+  <type>utility</type>
+  <platform>linux</platform>
+
+  <!--optional details-->
+  <reference>https://nmap.org/</reference>
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+</utility>

modules/utilities/unix/smb/smbclient/manifests/install.pp

@@ -0,0 +1,5 @@
+class smbclient::install {
+  package { 'smbclient':
+    ensure => 'installed',
+  }
+}

modules/utilities/unix/smb/smbclient/secgen_metadata.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+
+<utility xmlns="http://www.github/cliffe/SecGen/utility"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
+  <name>Samba client</name>
+  <author>Jason Keighley</author>
+  <module_license>Apache v2</module_license>
+  <description>An installation of smbclient</description>
+
+  <type>smb</type>
+  <platform>linux</platform>
+
+  <!--optional details-->
+  <software_name>smbclient</software_name>
+  <software_license>Apache v2</software_license>
+
+  <!--Cannot co-exist with other smbclient installations-->
+  <conflict>
+    <software_name>smbclient</software_name>
+  </conflict>
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+</utility>

modules/utilities/unix/smb/smbclient/smbclient.pp

@@ -0,0 +1 @@
+class { smbclient::install: }

modules/vulnerabilities/unix/access_control_misconfigurations/uid_less_root/manifests/change_uid_permissions.pp

@@ -0,0 +1,9 @@
+class uid_less_root::change_uid_permissions ($file_input = [], $user = 'root') {
+  $file_input.each |$file, $permission_code| {
+    file { $file:
+      mode => $permission_code,
+      owner => $user,
+    }
+    notice("File {$file} permissions have been checked.")
+  }
+}

modules/vulnerabilities/unix/access_control_misconfigurations/uid_less_root/secgen_metadata.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Access control mis-configurations uid less</name>
+  <author>Jason Keighley</author>
+  <module_license>Apache v2</module_license>
+  <description>Mis-configure files to enable root privileges</description>
+
+  <type>access_control_mis-configurations</type>
+  <privilege>root</privilege>
+  <access>local</access>
+  <platform>unix</platform>
+
+  <!--optional vulnerability details-->
+  <!--optional breadcrumb (info that is leaked and required to exploit)-->
+  <!--<breadcrumb></breadcrumb>-->
+  <!--optional hints-->
+  <hint>Text viewer permission misconfiguration</hint>
+  <solution>Less editor running as user root</solution>
+  <!--Cannot co-exist with other installations-->
+</vulnerability>

modules/vulnerabilities/unix/access_control_misconfigurations/uid_less_root/uid_less_root.pp

@@ -0,0 +1,7 @@
+class {'uid_less_root::change_uid_permissions':
+  user => 'root',
+  file_input => {
+    '/bin/less' => '4777',
+    '/usr/bin/less' => '4777',
+  },
+}

modules/vulnerabilities/unix/bash/shellshock/manifests/install.pp

@@ -0,0 +1,19 @@
+class shellshock::install{
+
+  file { '/usr/local/src/bash-4.1.tar.gz':
+    ensure => file,
+    source => 'puppet:///modules/shellshock/bash-4.1.tar.gz',
+  }
+
+  exec { 'unpack-bash-tar':
+    cwd         => '/usr/local/src',
+    command     => '/bin/tar -xzf /usr/local/src/bash-4.1.tar.gz',
+    creates     => '/usr/local/src/bash-4.1/',
+  }
+
+  exec { 'configure-make-make-install-bash':
+    cwd     => '/usr/local/src/bash-4.1/',
+    command => '/bin/bash /usr/local/src/bash-4.1/configure; /usr/bin/make; /usr/bin/make install;',
+    require => Exec['unpack-bash-tar'],
+  }
+}

modules/vulnerabilities/unix/bash/shellshock/secgen_metadata.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Bashbug / Shellshock</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>Installs GNU bash version 4.1 which contains the bashbug / shellshock vulnerability.</description>
+
+  <type>bash</type>
+  <privilege>none</privilege>
+  <access>local</access>
+  <platform>unix</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>medium</difficulty>
+  <cve>CVE-2014-6271</cve>
+  <cvss_base_score>10</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+
+  <reference>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271</reference>
+  <reference>http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability</reference>
+  <software_name>bash</software_name>
+  <software_license>GPLv3+</software_license>
+
+</vulnerability>

modules/vulnerabilities/unix/bash/shellshock/shellshock.pp

@@ -0,0 +1 @@
+include shellshock::install

modules/vulnerabilities/unix/local/setuid_nmap/manifests/init.pp

@@ -0,0 +1,5 @@
+class setuid_nmap::init {
+  file { '/usr/bin/nmap':
+    mode => '4755',
+  }
+}

modules/vulnerabilities/unix/local/setuid_nmap/secgen_metadata.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Nmap Setuid</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>Nmap setuid local privilege escalation</description>
+
+  <type>access_controls</type>
+  <privilege>root</privilege>
+  <access>local</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>medium</difficulty>
+
+  <requires>
+    <module_path>modules/utilities/unix/scanners/nmap</module_path>
+  </requires>
+
+</vulnerability>

modules/vulnerabilities/unix/local/setuid_nmap/setuid_nmap.pp

@@ -0,0 +1 @@
+include setuid_nmap::init

modules/vulnerabilities/unix/smb/samba_public_writable_share/files/smb_conf_public_share_definition

@@ -0,0 +1,15 @@
+#
+# Insecure Public share definition
+#
+[public]
+comment = Public Share
+# Path to directory
+path = /tmp
+# Allow writing to share
+read only = no
+# Force connections as guests
+guest ok = yes
+locking = no
+# Sets the umask for files/directories created on this share
+force create mode = 777
+force directory mode = 777

modules/vulnerabilities/unix/smb/samba_public_writable_share/manifests/install.pp

@@ -0,0 +1,19 @@
+class samba_public_writable_share::install {
+
+  concat { '/etc/samba/smb.conf':
+    ensure => present,
+  }
+
+  concat::fragment { 'smb-conf-base':
+    source => '/etc/samba/smb.conf',
+    target => '/etc/samba/smb.conf',
+    order => '01',
+  }
+
+  concat::fragment { 'smb-conf-public-share-definition':
+    source => 'puppet:///modules/samba_public_writable_share/smb_conf_public_share_definition',
+    target => '/etc/samba/smb.conf',
+    order => '02',
+  }
+
+}

modules/vulnerabilities/unix/smb/samba_public_writable_share/samba_public_writable_share.pp

@@ -0,0 +1 @@
+require samba_public_writable_share::install

modules/vulnerabilities/unix/smb/samba_public_writable_share/secgen_metadata.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability ">
+  <name>Samba Public Writable Share</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>
+    Samba file server configured with a public anonymously accessible share with read / write permissions.
+  </description>
+
+  <type>samba</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+
+  <!--optional details-->
+  <reference>http://allarsblog.com/2015/11/07/Setting-Up-Samba-No-Security/</reference>
+  <software_name>smbd</software_name>
+  <software_license>MIT</software_license>
+
+  <requires>
+    <module_path>modules/services/unix/smb/samba</module_path>
+  </requires>
+
+</vulnerability>

modules/vulnerabilities/unix/smb/samba_symlink_traversal/files/smb_conf_wide_links

@@ -0,0 +1,3 @@
+# wide links for symlink traversal ( enabled by default in versions <= 3.4.5 )
+wide links = yes
+follow symlinks = yes

modules/vulnerabilities/unix/smb/samba_symlink_traversal/manifests/install.pp

@@ -0,0 +1,23 @@
+class samba_symlink_traversal::install {
+
+  # Insert the 'allow insecure wide links = yes' line into the [global] section
+  exec { 'sed-insert-global-allow-insecure-wide-links':
+    command => "/bin/sed -i \'/\\[global\\]/a allow insecure wide links = yes\' /etc/samba/smb.conf"
+  }
+
+  concat { '/etc/samba/smb.conf':
+    ensure => present,
+  }
+
+  concat::fragment { 'smb-conf-base':
+    source => '/etc/samba/smb.conf',
+    target => '/etc/samba/smb.conf',
+    order => '01',
+  }
+
+  concat::fragment { 'smb-conf-wide-links':
+    source => 'puppet:///modules/samba_symlink_traversal/smb_conf_wide_links',
+    target => '/etc/samba/smb.conf',
+    order => '03',
+  }
+}

modules/vulnerabilities/unix/smb/samba_symlink_traversal/samba_symlink_traversal.pp

@@ -0,0 +1 @@
+require samba_symlink_traversal::install

modules/vulnerabilities/unix/smb/samba_symlink_traversal/secgen_metadata.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability ">
+  <name>Samba Symlink Traversal</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>
+    Samba file server configured with a public anonymously accessible share with read / write permissions and the
+    unix extensions = yes, wide links = yes and allow insecure wide links = yes settings.
+  </description>
+
+  <type>samba</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+
+  <!--optional details-->
+  <reference>https://www.samba.org/samba/news/symlink_attack.html</reference>
+  <reference>https://www.rapid7.com/db/modules/auxiliary/admin/smb/samba_symlink_traversal</reference>
+  <software_name>smbd</software_name>
+  <software_license>MIT</software_license>
+
+  <!--optional hints-->
+  <msf_module>auxiliary/admin/smb/samba_symlink_traversal</msf_module>
+
+  <requires>
+    <module_path>modules/services/unix/smb/samba</module_path>
+    <module_path>modules/vulnerabilities/unix/smb/samba_public_writable_share</module_path>
+  </requires>
+
+</vulnerability>

scenarios/simple_examples/access_control_misconfigurations_uid_less_root.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
+  <system>
+    <system_name>access_control_misconfigurations_root</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/access_control_misconfigurations/uid_less_root"></vulnerability>
+
+    <network type="private_network" range="dhcp"></network>
+  </system>
+
+</scenario>

scenarios/simple_examples/samba_service.xml

@@ -4,12 +4,12 @@
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
 
-  <!-- an example remote storage system, with a remotely exploitable vulnerability that can then be escalated to root -->
+  <!-- A secure samba service -->
   <system>
     <system_name>samba_service</system_name>
     <base platform="linux"/>
 
-    <service module_path="modules/services/unix/file_share/samba"></service>
+    <service module_path="modules/services/unix/smb/samba"></service>
 
     <network type="private_network" range="dhcp"></network>
   </system>

scenarios/simple_examples/samba_symlink_traversal_vulnerability.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote storage system running samba, with a misconfiguration vulnerability which enables symlink traversal -->
+  <system>
+    <system_name>samba_service</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/smb/samba_symlink_traversal"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>

scenarios/simple_examples/setuid_nmap_escalation_vulnerability.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+  <system>
+    <system_name>box_with_remote_user_level_vuln_and_setuid_nmap_priv_escalation</system_name>
+    <base platform="linux"/>
+
+    <!--We need a remote user privilege vulnerability so we can escalate to root with setuid_nmap -->
+    <vulnerability access="remote" privilege="user"/>
+    <vulnerability module_path="modules/vulnerabilities/unix/local/setuid_nmap"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+</scenario>

scenarios/simple_examples/shellshock_apache_vulnerability.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>storage_server</system_name>
+    <base platform="linux"/>
+
+    <service module_path="modules/services/unix/http/apache_bash_cgi"/>
+    <vulnerability module_path="modules/vulnerabilities/unix/bash/shellshock"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>

scenarios/simple_examples/shellshock_vulnerability.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>storage_server</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/bash/shellshock"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>

scenarios/simple_examples/smbclient_utility.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>smbclient_utility</system_name>
+    <base platform="linux"/>
+
+    <utility module_path="modules/utilities/unix/smb/smbclient"></utility>
+
+    <network type="private_network" range="dhcp"></network>
+  </system>
+
+</scenario>

secgen.rb

@@ -25,6 +25,7 @@ def usage
    build-project, p: builds project (vagrant and puppet config), but does not build VMs
    build-vms [/project/dir], v [project #]: builds VMs from a previously generated project
               (use in combination with --project [dir])
+   list-scenarios: lists all scenarios that can be used with the --scenario option
 "
   exit
 end
@@ -101,6 +102,13 @@ def default_project_dir
   "#{PROJECTS_DIR}/SecGen#{Time.new.strftime("%Y%m%d_%H%M")}"
 end
 
+def list_scenarios
+  Print.info "Full paths to scenario files are displayed below"
+  Dir["#{ROOT_DIR}/scenarios/**/*"].select{ |file| !File.directory? file}.each_with_index do |scenario_name, scenario_number|
+    Print.std "#{scenario_number}) #{scenario_name}"
+  end
+end
+
 # end of method declarations
 # start of program execution
 
@@ -195,6 +203,9 @@ case ARGV[0]
       usage
       exit
     end
+  when 'list-scenarios'
+    list_scenarios
+    exit
   else
     Print.err "Command not valid: #{ARGV[0]}"
     usage