Merge pull request #434 from m-1-k-3/exploit_sources

Add Packetstorm and Snyk PoC sources
e-m-b-a · Dec 16, 2022 · acd415e · acd415e
2 parents 6a341a5 + 055c276
commit acd415e
Show file tree

Hide file tree

Showing 7 changed files with 11,612 additions and 13 deletions.
diff --git a/config/PS_PoC_results.csv b/config/PS_PoC_results.csv
diff --git a/config/Snyk_PoC_results.csv b/config/Snyk_PoC_results.csv
diff --git a/config/report_templates/F20_vul_aggregator-post.sh b/config/report_templates/F20_vul_aggregator-post.sh
@@ -6,6 +6,10 @@ print_output "$(indent "${ORANGE}L$NC - local exploits")"
 print_output "$(indent "${ORANGE}D$NC - DoS exploits")"
 print_output "$(indent "${ORANGE}G$NC - PoC code found on Github (unknown exploit vector)")"
 write_link "https://github.com/trickest/cve"
+print_output "$(indent "${ORANGE}P$NC - PoC code found on Packetstormsecurity (unknown exploit vector)")"
+write_link "https://packetstormsecurity.com/files/tags/exploit/"
+print_output "$(indent "${ORANGE}S$NC - PoC code found on Snyk vulnerability database (unknown exploit vector)")"
+write_link "https://security.snyk.io/vuln"
 print_output "$(indent "${ORANGE}X$NC - Vulnerability is known as exploited")"
 write_link "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
 print_ln

diff --git a/helpers/helpers_emba_html_generator.sh b/helpers/helpers_emba_html_generator.sh
@@ -47,6 +47,8 @@ EXPLOIT_LINK="<a href=\"https://www.exploit-db.com/exploits/LINK\" title=\"LINK\
 CVE_LINK="<a href=\"https://nvd.nist.gov/vuln/detail/LINK\" title=\"LINK\" target=\"_blank\" >"
 CWE_LINK="<a href=\"https://cwe.mitre.org/data/definitions/LINK.html\" title=\"LINK\" target=\"_blank\" >"
 GITHUB_LINK="<a href=\"https://github.com/LINK\" title=\"LINKNAME\" target=\"_blank\" >"
+SNYK_LINK="<a href=\"https://security.snyk.io/vuln/LINK\" title=\"LINKNAME\" target=\"_blank\" >"
+PSS_LINK="<a href=\"https://packetstormsecurity.com/files/LINK\" title=\"LINKNAME\" target=\"_blank\" >"
 LICENSE_LINK="<a href=\"LINK\" title=\"LINK\" target=\"_blank\" >"
 MODUL_LINK="<a class=\"modul\" href=\"LINK\" title=\"LINK\" >"
 MODUL_INDEX_LINK="<a class=\"modul CLASS\" data=\"DATA\" href=\"LINK\" title=\"LINK\">"
@@ -262,6 +264,33 @@ add_link_tags() {
       done
     fi 
 
+    if ( grep -a -q -E 'Exploit.*Snyk' "$LINK_FILE" ) ; then
+      readarray -t SNYK_KEY_F < <( grep -a -n -o -E "Snyk: .*" "$LINK_FILE" | sed 's/Snyk: //' | uniq || true)
+      for SNYK_KEY in "${SNYK_KEY_F[@]}" ; do
+        SNYK_ID_LINE="$(echo "$SNYK_KEY" | cut -d ":" -f 1)"
+        SNYK_ID_STRING="$(echo "$SNYK_KEY" | cut -d ":" -f 2-)"
+        readarray -t SNYK_KEY_STRING_ARR < <(echo "$SNYK_ID_STRING" | tr " " "\n" | grep "SNYK-" | uniq)
+        for SNYK_KEY_ELEM in "${SNYK_KEY_STRING_ARR[@]}" ; do
+          HTML_LINK="$(echo "$SNYK_LINK" | sed -e "s@LINKNAME@$SNYK_KEY_ELEM@g" | sed -e "s@LINK@$SNYK_KEY_ELEM@g")""$SNYK_KEY_ELEM""$LINK_END"
+          LINK_COMMAND_ARR+=( "$SNYK_ID_LINE"'s@'"$SNYK_KEY_ELEM"'@'"$HTML_LINK"'@' )
+        done
+      done
+    fi
+
+    if ( grep -a -q -E 'Exploit.*PSS' "$LINK_FILE" ) ; then
+      readarray -t PSS_KEY_F < <( grep -a -n -o -E "PSS: .*" "$LINK_FILE" | sed 's/PSS: //' | uniq || true)
+      for PSS_KEY in "${PSS_KEY_F[@]}" ; do
+        PSS_ID_LINE="$(echo "$PSS_KEY" | cut -d ":" -f 1)"
+        PSS_ID_STRING="$(echo "$PSS_KEY" | cut -d ":" -f 2-)"
+        readarray -t PSS_KEY_STRING_ARR < <(echo "$PSS_ID_STRING" | tr " " "\n" | grep -E "[0-9]+/.*\.html" | uniq)
+        for PSS_KEY_NAME in "${PSS_KEY_STRING_ARR[@]}" ; do
+          # PSS_KEY_NAME="$(echo "$PSS_KEY_ELEM" | tr "/" "_")"
+          HTML_LINK="$(echo "$PSS_LINK" | sed -e "s@LINKNAME@$PSS_KEY_NAME@g" | sed -e "s@LINK@$PSS_KEY_NAME@g")""$PSS_KEY_NAME""$LINK_END"
+          LINK_COMMAND_ARR+=( "$PSS_ID_LINE"'s@'"$PSS_KEY_NAME"'@'"$HTML_LINK"'@' )
+        done
+      done
+    fi
+
     # CVE links
     if ( grep -a -q -E '(CVE)' "$LINK_FILE" ) ; then
       readarray -t CVE_IDS < <( grep -a -n -E -o 'CVE-[0-9]{4}-[0-9]{4,7}' "$LINK_FILE" | uniq || true)

diff --git a/helpers/packet_storm_crawler.sh b/helpers/packet_storm_crawler.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+URL="https://packetstormsecurity.com/files/tags/exploit/page"
+LINKS="packet_storm_links.txt"
+SAVE_PATH="/tmp/packet_storm"
+EMBA_CONFIG_PATH="./config/"
+
+if ! [[ -d "$EMBA_CONFIG_PATH" ]]; then
+  echo "[-] No EMBA config directory found! Please start this crawler from the EMBA directory"
+  exit 1
+fi
+
+## Color definition
+GREEN="\033[0;32m"
+ORANGE="\033[0;33m"
+NC="\033[0m"  # no color
+
+if [[ -d "$SAVE_PATH" ]]; then
+  rm -r "$SAVE_PATH"
+fi
+if ! [[ -d "$SAVE_PATH/advisory" ]]; then
+  mkdir -p "$SAVE_PATH/advisory"
+fi
+
+echo "[*] Generating URL list for packetstorm advisories"
+ID=1
+CUR_SLEEP_TIME=1
+echo "CVE;advisory name;advisory URL;exploit type (local/remote)" > "$SAVE_PATH"/PS_PoC_results.csv
+
+while ( true ); do
+  FAIL_CNT=0
+  while ! lynx -dump -hiddenlinks=listonly "$URL""$ID" > "$SAVE_PATH"/"$LINKS"; do 
+    ((CUR_SLEEP_TIME+=$(shuf -i 1-5 -n 1)))
+    ((FAIL_CNT+=1))
+    if [[ "$FAIL_CNT" -gt 20 ]]; then
+      echo "[-] No further download possible ... exit now"
+      exit 1
+    fi
+    echo "[-] Error downloading $URL$ID ... waiting for $CUR_SLEEP_TIME seconds"
+    sleep "$CUR_SLEEP_TIME"
+  done
+  CUR_SLEEP_TIME=1
+
+  if grep -q "No Results Found" "$SAVE_PATH"/"$LINKS"; then
+    echo "[-] Finished downloading exploits from packetstormsecurity.com with page$ID ... exit now"
+    break
+  fi
+
+  echo ""
+  echo "[*] Generating list of URLs of packetstorm advisory page $ID"
+
+  mapfile -t MARKERS < <(grep -zoP "\n   \[[0-9]+\].*" "$SAVE_PATH"/"$LINKS" | grep -a -v '\]packet storm\|Register\|Login\|SERVICES_TAB')
+
+  for ((index=0; index < ${#MARKERS[@]}; index++)); do
+    CVEs=()
+    REMOTE=0
+    LOCAL=0
+    DoS=0
+    MSF=0
+    TYPE="unknown"
+
+    # init marker with name:
+    # e.g.: [22]Spitfire CMS 1.0.475 PHP Object Injection
+    CURRENT_MARKER=$(echo "${MARKERS[index]}" | cut -d '[' -f2 | cut -d ']' -f1)
+    # the name is after the first marker
+    ADV_NAME=$(echo "${MARKERS[index]}" | cut -d '[' -f2 | cut -d ']' -f2)
+
+    # with the following search we are going to find the URL of the marker
+    ADV_URL=$(grep " $CURRENT_MARKER\.\ " "$SAVE_PATH"/"$LINKS" | awk '{print $2}' | sort -u)
+    NEXT_MARKER=$(echo "${MARKERS[index+1]}" | cut -d '[' -f2 | cut -d ']' -f1)
+    if [[ -z "$NEXT_MARKER" ]]; then
+      NEXT_MARKER=$(grep -E "Back\[[0-9]+\]" "$SAVE_PATH"/"$LINKS" | cut -d '[' -f2 | cut -d ']' -f1)
+    fi
+
+    # we do not store metasploit exploits as we already have the MSF database in EMBA
+    MSF=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "metasploit.com\|This Metasploit module")
+    REMOTE=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*remote")
+    LOCAL=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*local")
+    DoS=$(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -c "tags .*denial of service")
+
+    if [[ "$REMOTE" -gt 0 ]]; then
+      TYPE="remote"
+    fi
+    if [[ "$LOCAL" -gt 0 ]]; then
+      # if it is not unknown it is remote and we have now remote/local
+      if ! [[ "$TYPE" == "unknown" ]]; then
+        TYPE="$TYPE""/local"
+      else
+        TYPE="local"
+      fi
+    fi
+    if [[ "$DoS" -gt 0 ]]; then
+      if ! [[ "$TYPE" == "unknown" ]]; then
+        TYPE="$TYPE""/DoS"
+      else
+        TYPE="DoS"
+      fi
+    fi
+
+    mapfile -t CVEs < <(sed '/\['"$CURRENT_MARKER"'\]/,/\['"$NEXT_MARKER"'\]/!d' "$SAVE_PATH"/"$LINKS" | grep -o -E "\[[0-9]+\]CVE-[0-9]+-[0-9]+" \
+      | sed 's/\[[0-9]*\]//' | sort -u)
+    if [[ -v CVEs ]]; then
+      for CVE in "${CVEs[@]}";do
+        echo -e "[+] Found PoC for $ORANGE$CVE$NC in advisory $ORANGE$ADV_NAME$NC / $ORANGE$ADV_URL$NC"
+        if [[ "$MSF" -eq 0 ]]; then
+          echo "$CVE;$ADV_NAME;$ADV_URL;$TYPE" >> "$SAVE_PATH"/PS_PoC_results.csv
+        fi
+      done
+    fi
+  done
+  ((ID+=1))
+
+  sleep "$CUR_SLEEP_TIME"
+done
+
+sed -i '/\;\;\;/d' "$SAVE_PATH"/PS_PoC_results.csv
+
+if [[ -f "$SAVE_PATH"/PS_PoC_results.csv ]] && [[ -d "$EMBA_CONFIG_PATH" ]]; then
+  mv "$SAVE_PATH"/PS_PoC_results.csv "$EMBA_CONFIG_PATH"
+  rm -r "$SAVE_PATH"
+  echo -e "${GREEN}[+] Successfully stored generated PoC file in EMBA configuration directory."
+else
+  echo "[-] Not able to copy generated PoC file to configuration directory $EMBA_CONFIG_PATH"
+fi
diff --git a/helpers/snyk_crawler.sh b/helpers/snyk_crawler.sh
@@ -0,0 +1,148 @@
+#!/bin/bash
+
+URL="https://security.snyk.io/vuln"
+LINKS="snyk_adv_links.txt"
+SAVE_PATH="/tmp/snyk"
+EMBA_CONFIG_PATH="./config/"
+
+if ! [[ -d "$EMBA_CONFIG_PATH" ]]; then
+  echo "[-] No EMBA config directory found! Please start this crawler from the EMBA directory"
+  exit 1
+fi
+
+## Color definition
+GREEN="\033[0;32m"
+ORANGE="\033[0;33m"
+NC="\033[0m"  # no color
+
+if [[ -d "$SAVE_PATH" ]]; then
+  rm "$SAVE_PATH"
+fi
+if ! [[ -d "$SAVE_PATH/vuln" ]]; then
+  mkdir -p "$SAVE_PATH/vuln"
+fi
+
+echo "[*] Generating URL list for snyk advisories"
+ID=1
+# this approach will end after 31 pages:
+while lynx -dump -hiddenlinks=listonly "$URL"/"$ID" | grep "$URL/SNYK" >> "$SAVE_PATH"/"$LINKS"; do
+  echo -e "[*] Generating list of URLs of Snyk advisory page $ORANGE$ID$NC / $ORANGE$URL$ID$NC"
+  ((ID+=1))
+done
+
+# some filters we can use to get further results:
+APPLICATIONS=("cargo" "cocoapods" "composer" "golang" "hex" "maven" "npm" "nuget" "pip" \
+  "rubygems" "unmanaged" "alpine" "linux" "alpine" "amzn" "centos" "debian" "oracle" "rhel" \
+  "sles" "ubuntu")
+
+for APPLICATION in "${APPLICATIONS[@]}"; do
+  ID=1
+  while lynx -dump -hiddenlinks=listonly "$URL"/"$APPLICATION"/"$ID" | grep "$URL/SNYK" >> "$SAVE_PATH"/"$LINKS"; do
+    echo -e "[*] Generating list of URLs of Snyk advisory page $ORANGE$ID$NC / application $ORANGE$APPLICATION$NC / URL $ORANGE$URL/$APPLICATION/$ID$NC"
+    ((ID+=1))
+  done
+done
+
+# remove the numbering at the beginning of every entry:
+sed 's/.*http/http/' "$SAVE_PATH"/"$LINKS" | sort -u > "$SAVE_PATH"/"$LINKS"_sorted
+
+ADV_CNT="$(wc -l "$SAVE_PATH"/"$LINKS"_sorted | awk '{print $1}')"
+echo -e "[*] Detected $ORANGE$ADV_CNT$NC advisories for download"
+echo ""
+
+ID=1
+while read -r ADV; do
+  ((ID+=1))
+  FILENAME="$(echo "$ADV" | rev | cut -d '/' -f1 | rev)"
+  if [[ -f "$SAVE_PATH/vuln/$FILENAME" ]]; then
+    echo -e "[-] Already downloaded $ORANGE$FILENAME$NC"
+    continue
+  fi
+  echo -e "[*] Downloading $ORANGE$FILENAME$NC ($ORANGE$ID$NC/$ORANGE$ADV_CNT$NC) to $ORANGE$SAVE_PATH/vuln/$FILENAME$NC"
+  wget "$ADV" -O "$SAVE_PATH"/vuln/"$FILENAME"
+done < "$SAVE_PATH"/"$LINKS"_sorted
+
+echo -e "[*] Finished downloading $ORANGE$ADV_CNT$NC advisories to $ORANGE$SAVE_PATH/vuln$NC"
+echo ""
+
+echo -e "[*] The following advisories have PoC code included:"
+PoC_CNT=0
+# removed exploit-db as we already have it in EMBA
+#echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;exploit-db;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv
+echo "CVE;advisory name;advisory URL;unknown PoC;Github PoC;Curl PoC;XML PoC;" > "$SAVE_PATH"/Snyk_PoC_results.csv
+
+while IFS= read -r -d '' ADV; do
+  PoC_PoC="no"
+  PoC_GH="no"
+  PoC_EDB="no"
+  PoC_CURL="no"
+  PoC_XML="no"
+  CVE="NA"
+  ADV_NAME=$(basename "$ADV")
+  ADV_URL="$URL"/"$ADV_NAME"
+
+  # unsure if this is good enough:
+  PoC_PoC=$(grep -c -a "PoC" "$ADV")
+  PoC="$PoC_PoC"
+  if [[ "$PoC_PoC" -gt 0 ]]; then
+    PoC_PoC="yes"
+  else
+    PoC_PoC="no"
+  fi
+  # GitHub PoC references:
+  PoC_GH=$(grep -a -c "GitHub PoC" "$ADV")
+  ((PoC+="$PoC_GH"))
+  if [[ "$PoC_GH" -gt 0 ]]; then
+    PoC_GH="yes"
+  else
+    PoC_GH="no"
+  fi
+  # removed exploit-db as we already have it in EMBA
+  # exploit-db references:
+  #PoC_EDB=$(grep -a -c -E "https://www.exploit-db.com/exploits/[0-9]+" "$ADV")
+  #((PoC+="$PoC_EDB"))
+  #if [[ "$PoC_EDB" -gt 0 ]]; then
+  #  PoC_EDB="yes"
+  #else
+  #  PoC_EDB="no"
+  #fi
+  # curl http exploits:
+  PoC_CURL=$(grep -a -c "curl http" "$ADV")
+  ((PoC+="$PoC_CURL"))
+  if [[ "$PoC_CURL" -gt 0 ]]; then
+    PoC_CURL="yes"
+  else
+    PoC_CURL="no"
+  fi
+  # xml exploits:
+  PoC_XML=$(grep -a -c "For example the below code contains" "$ADV")
+  ((PoC+="$PoC_XML"))
+  if [[ "$PoC_XML" -gt 0 ]]; then
+    PoC_XML="yes"
+  else
+    PoC_XML="no"
+  fi
+  mapfile -t CVEs < <(grep -a -o -E "<title>.*CVE-[0-9]{4}-[0-9]+.*</title>" "$ADV" | \
+    grep -o -E "CVE-[0-9]{4}-[0-9]+" | sort -u)
+
+  if [[ "$PoC" -gt 0 ]] && [[ "${#CVEs[@]}" -gt 0 ]]; then
+    for CVE in "${CVEs[@]}"; do
+      echo -e "[+] Found PoC for $ORANGE$CVE$NC in advisory $ORANGE$ADV_NAME$NC (unknown PoC: $ORANGE$PoC_PoC$NC / Github: $ORANGE$PoC_GH$NC / exploit-db: $ORANGE$PoC_EDB$NC / Curl: $ORANGE$PoC_CURL$NC / XML: $ORANGE$PoC_XML$NC)"
+      # removed exploit-db as we already have it in EMBA
+      #echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_EDB;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv
+      echo "$CVE;$ADV_NAME;$ADV_URL;$PoC_PoC;$PoC_GH;$PoC_CURL;$PoC_XML;" >> "$SAVE_PATH"/Snyk_PoC_results.csv
+      ((PoC_CNT+=1))
+    done
+  fi
+done < <(find "$SAVE_PATH"/vuln/ -type f -print0)
+
+if [[ -f "$SAVE_PATH"/Snyk_PoC_results.csv ]] && [[ -d "$EMBA_CONFIG_PATH" ]]; then
+  mv "$SAVE_PATH"/Snyk_PoC_results.csv "$EMBA_CONFIG_PATH"
+  rm -r "$SAVE_PATH"
+  echo -e "${GREEN}[+] Successfully stored generated PoC file in EMBA configuration directory."
+else
+  echo "[-] Not able to copy generated PoC file to configuration directory $EMBA_CONFIG_PATH"
+fi
+
+echo ""
+echo -e "${GREEN}[+] Found $ORANGE$PoC_CNT$GREEN advisories with PoC code"