From 701d771aa509683ad512a7021db61f27055d9965 Mon Sep 17 00:00:00 2001
From: MaximeStor
Date: Sat, 12 Mar 2016 11:21:29 +0100
Subject: [PATCH 1/2] Add first version of Source Code
---
 bin/SourceCode.py | 56 ++++++++++++++++++++++++++++++++++++++++
 bin/packages/modules.cfg | 5 +++-
 files/SourceCode | 6 +++++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 bin/SourceCode.py
 create mode 100644 files/SourceCode
diff --git a/bin/SourceCode.py b/bin/SourceCode.py
new file mode 100644
index 00000000..651cd089
--- /dev/null
+++ b/bin/SourceCode.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python2
+# -*-coding:UTF-8 -*
+import time
+from packages import Paste
+from pubsublogger import publisher
+from Helper import Process
+import re
+
+if __name__ == "__main__":
+ publisher.port = 6380
+ publisher.channel = "Script"
+ config_section = "SourceCode"
+ p = Process(config_section)
+ publisher.info("Finding Source Code")
+
+ critical = 0 # AS TO BE IMPORTANT
+
+ shell = "[a-zA-Z0-9]+@[a-zA-Z0-9\-]+\:\~\$"
+ c = "\#include\ \<[a-z\/]+.h\>"
+ php = "\<\?php"
+ python = "import\ [\w]+"
+ bash = "#!\/[\w]*\/bash"
+ javascript = "function\(\)"
+ ruby = "require \ [\w]+"
+ adr = "0x[a-f0-9]{2}"
+ #asm = "\"((?s).{1}x[0-9a-f]{2}){3,}" ISSUES WITH FINDALL, pattern like \x54\xaf\x23\..
+
+ languages = [shell, c, php, bash, python, javascript, bash, ruby, adr]
+ regex = '|'.join(languages)
+ print regex
+
+ while True:
+ message = p.get_from_set()
+ if message is None:
+ publisher.debug("Script Credential is Idling 10s")
+ print('Sleeping')
+ time.sleep(10)
+ continue
+
+ filepath, count = message.split()
+
+ paste = Paste.Paste(filepath)
+ content = paste.get_p_content()
+ match_set = set(re.findall(regex, content))
+ if len(match_set) == 0:
+ continue
+
+ to_print = 'SourceCode;{};{};{};{}'.format(paste.p_source, paste.p_date, paste.p_name, message)
+
+ print filepath
+ print(match_set)
+
+ if len(match_set) > critical:
+ publisher.warning(to_print)
+ else:
+ publisher.info(to_print)
diff --git a/bin/packages/modules.cfg b/bin/packages/modules.cfg
index 04887d09..94a2fee4 100644
--- a/bin/packages/modules.cfg
+++ b/bin/packages/modules.cfg
@@ -27,7 +27,7 @@ subscribe = Redis_Words [Categ] subscribe = Redis_Global -publish = Redis_CreditCards,Redis_Mail,Redis_Onion,Redis_Web,Redis_Credential +publish = Redis_CreditCards,Redis_Mail,Redis_Onion,Redis_Web,Redis_Credential,Redis_SourceCode [CreditCards] subscribe = Redis_CreditCards
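Review bot: `filepath, count = message.split()` raises ValueError on any queue message that is not exactly two whitespace-separated fields, and nothing in the `while True` loop catches it, so a single malformed message terminates the module; unpack defensively, e.g. `parts = message.split()` then `if len(parts) != 2: continue` before `filepath = parts[0]` (`count` is never read). The pattern list names `bash` twice, and `ruby = "require \ [\w]+"` as printed contains a space followed by an escaped space, so it only matches `require` followed by two spaces; writing all the patterns as raw strings (`r"..."`) would make escapes such as `\#` and `\<` explicit rather than relying on unknown escapes being kept verbatim. Because the `len(match_set) == 0` case already `continue`s, `len(match_set) > critical` with `critical = 0` is always true and the `publisher.info(to_print)` branch is unreachable; the second patch's `@@ -13,8 +13,9 @@` hunk only annotates this ("MIGHT BE REMOVED") rather than resolving it. `adr = "0x[a-f0-9]{2}"` fires on any `0x` followed by two hex digits, which will likely match a lot of non-source text and inflate the warning stream; consider requiring a longer run or a word boundary around it.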
@@ -56,5 +56,8 @@ subscribe = Redis_Credential [Phone] subscribe = Redis_Global +[SourceCode] +subscribe = Redis_SourceCode + [Keys] subscribe = Redis_Global
diff --git a/files/SourceCode b/files/SourceCode
new file mode 100644
index 00000000..24cebcb2
--- /dev/null
+++ b/files/SourceCode
@@ -0,0 +1,6 @@
+CVE
+exploit
+vulnerability
+payload
+uname
+gcc
From ab66cd255ab48bdcbb9475d5ad30e67f4bef21e0 Mon Sep 17 00:00:00 2001
From: MaximeStor
Date: Sat, 12 Mar 2016 12:30:38 +0100
Subject: [PATCH 2/2] Improve SourceCode, keywords and add description in /doc
---
 bin/SourceCode.py | 9 ++++-----
 doc/SourceCode.info | 8 ++++++++
 files/SourceCode | 5 ++++-
 3 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 doc/SourceCode.info
diff --git a/bin/SourceCode.py b/bin/SourceCode.py
index 651cd089..41120e69 100644
--- a/bin/SourceCode.py
+++ b/bin/SourceCode.py
@@ -13,8 +13,9 @@ if __name__ == "__main__": p = Process(config_section) publisher.info("Finding Source Code") - critical = 0 # AS TO BE IMPORTANT + critical = 0 # AS TO BE IMPORTANT, MIGHT BE REMOVED + #RELEVANTS LANGUAGES shell = "[a-zA-Z0-9]+@[a-zA-Z0-9\-]+\:\~\$" c = "\#include\ \<[a-z\/]+.h\>" php = "\<\?php"
@@ -23,6 +24,7 @@ if __name__ == "__main__": javascript = "function\(\)" ruby = "require \ [\w]+" adr = "0x[a-f0-9]{2}" + #asm = "\"((?s).{1}x[0-9a-f]{2}){3,}" ISSUES WITH FINDALL, pattern like \x54\xaf\x23\.. languages = [shell, c, php, bash, python, javascript, bash, ruby, adr]
@@ -32,7 +34,7 @@ if __name__ == "__main__": while True: message = p.get_from_set() if message is None: - publisher.debug("Script Credential is Idling 10s") + publisher.debug("Script Source Code is Idling 10s") print('Sleeping') time.sleep(10) continue
@@ -47,9 +49,6 @@ if __name__ == "__main__": to_print = 'SourceCode;{};{};{};{}'.format(paste.p_source, paste.p_date, paste.p_name, message) - print filepath - print(match_set) - if len(match_set) > critical: publisher.warning(to_print) else:
diff --git a/doc/SourceCode.info b/doc/SourceCode.info
new file mode 100644
index 00000000..e3bafa10
--- /dev/null
+++ b/doc/SourceCode.info
@@ -0,0 +1,8 @@
+SourceCode listens to Global and select only keywords that are relevants to AIL's purpose (CVE, Exploits, Vulnerability,...), then send matching file to a new queue.
+
+SourceCode.py search for differents languages such as C, PHP, Python, BASH and some Unix shells with default configuration.
+
+Every records is send to the warning log because filters are high enough (hence the critical var set to 0 but can be changed).
+
+FOR NOW : Still have troubles detecting ASM
+
diff --git a/files/SourceCode b/files/SourceCode
index 24cebcb2..22011b33 100644
--- a/files/SourceCode
+++ b/files/SourceCode
@@ -3,4 +3,7 @@ exploit vulnerability payload uname -gcc +chmod +adduser +base64_decode +gzinflate