Merge pull request #2492 from blacklanternsecurity/dev

Dev -> Stable 2.6.0

Author: TheTechromancer

.github/workflows/version_updater.yml

@@ -36,12 +36,12 @@ jobs:
       - name: Get current version
         id: get-current-version
         run: |
-          version=$(grep -m 1 -oP '(?<=version": ")[^"]*' bbot/modules/deadly/nuclei.py)
+          version=$(grep -m 1 -oP '(?<=version": ")[^"]*' bbot/modules/nuclei.py)
           echo "current_version=$version" >> $GITHUB_ENV
       - name: Update version
         id: update-version
         if: env.latest_version != env.current_version
-        run: "sed -i '0,/\"version\": \".*\",/ s/\"version\": \".*\",/\"version\": \"${{ env.latest_version }}\",/g' bbot/modules/deadly/nuclei.py"
+        run: "sed -i '0,/\"version\": \".*\",/ s/\"version\": \".*\",/\"version\": \"${{ env.latest_version }}\",/g' bbot/modules/nuclei.py"
       - name: Create pull request to update the version
         if: steps.update-version.outcome == 'success'
         uses: peter-evans/create-pull-request@v7
@@ -50,7 +50,7 @@ jobs:
           commit-message: "Update nuclei"
           title: "Update nuclei to ${{ env.latest_version }}"
           body: |
-            This PR uses https://api.github.com/repos/projectdiscovery/nuclei/releases/latest to obtain the latest version of nuclei and update the version in bbot/modules/deadly/nuclei.py."
+            This PR uses https://api.github.com/repos/projectdiscovery/nuclei/releases/latest to obtain the latest version of nuclei and update the version in bbot/modules/nuclei.py."
 
             # Release notes:
             ${{ env.release_notes }}

bbot/core/helpers/command.py

@@ -123,7 +123,7 @@ async def run_live(self, *command, check=False, text=True, idle_timeout=None, **
                     proc.send_signal(SIGINT)
                     raise
                 except ValueError as e:
-                    command_str = " ".join([str(c) for c in command])
+                    command_str = " ".join(command)
                     log.warning(f"Error executing command {command_str}: {e}")
                     log.trace(traceback.format_exc())
                     continue
@@ -185,7 +185,9 @@ async def _spawn_proc(self, *command, **kwargs):
     try:
         command, kwargs = self._prepare_command_kwargs(command, kwargs)
     except SubprocessError as e:
-        log.warning(e)
+        command_str = " ".join([str(s) for s in command])
+        log.warning(f"Error running command: '{command_str}': {e}")
+        log.trace(traceback.format_exc())
         return None, None, None
     _input = kwargs.pop("input", None)
     if _input is not None:
@@ -279,6 +281,7 @@ def _prepare_command_kwargs(self, command, kwargs):
 
     if len(command) == 1 and isinstance(command[0], (list, tuple)):
         command = command[0]
+
     command = [str(s) for s in command]
 
     if not command:

bbot/core/helpers/depsinstaller/installer.py

@@ -32,6 +32,20 @@ class DepsInstaller:
         "bash": "bash",
         "which": "which",
         "tar": "tar",
+        "xz": [
+            {
+                "name": "Install xz-utils (Debian)",
+                "package": {"name": ["xz-utils"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'Debian'",
+            },
+            {
+                "name": "Install xz (Non-Debian)",
+                "package": {"name": ["xz"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] != 'Debian'",
+            },
+        ],
         # debian why are you like this
         "7z": [
             {
@@ -53,6 +67,44 @@ class DepsInstaller:
                 "when": "ansible_facts['distribution'] == 'Fedora'",
             },
         ],
+        # to compile just about any tool, we need the openssl dev headers
+        "openssl": [
+            {
+                "name": "Install OpenSSL library and development headers (Debian/Ubuntu)",
+                "package": {"name": ["libssl-dev", "openssl"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'Debian'",
+                "ignore_errors": True,
+            },
+            {
+                "name": "Install OpenSSL library and development headers (RedHat/CentOS/Fedora)",
+                "package": {"name": ["openssl", "openssl-devel"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Suse' ",
+                "ignore_errors": True,
+            },
+            {
+                "name": "Install OpenSSL library and development headers (Arch)",
+                "package": {"name": ["openssl"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'Archlinux'",
+                "ignore_errors": True,
+            },
+            {
+                "name": "Install OpenSSL library and development headers (Alpine)",
+                "package": {"name": ["openssl", "openssl-dev"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'Alpine'",
+                "ignore_errors": True,
+            },
+            {
+                "name": "Install OpenSSL library and development headers (FreeBSD)",
+                "package": {"name": ["openssl"], "state": "present"},
+                "become": True,
+                "when": "ansible_facts['os_family'] == 'FreeBSD'",
+                "ignore_errors": True,
+            },
+        ],
     }
 
     def __init__(self, parent_helper):
@@ -171,11 +223,6 @@ async def install_module(self, module):
         success = True
         preloaded = self.all_modules_preloaded[module]
 
-        # ansible tasks
-        ansible_tasks = preloaded["deps"]["ansible"]
-        if ansible_tasks:
-            success &= self.tasks(module, ansible_tasks)
-
         # apt
         deps_apt = preloaded["deps"]["apt"]
         if deps_apt:
@@ -196,7 +243,7 @@ async def install_module(self, module):
         deps_common = preloaded["deps"]["common"]
         if deps_common:
             for dep_common in deps_common:
-                if self.setup_status.get(dep_common, False) is True:
+                if self.setup_status.get(dep_common, False) is True and self.deps_behavior != "force_install":
                     log.debug(
                         f'Skipping installation of dependency "{dep_common}" for module "{module}" since it is already installed'
                     )
@@ -206,6 +253,11 @@ async def install_module(self, module):
                 self.setup_status[dep_common] = result
                 success &= result
 
+        # ansible tasks
+        ansible_tasks = preloaded["deps"]["ansible"]
+        if ansible_tasks:
+            success &= self.tasks(module, ansible_tasks)
+
         return success
 
     async def pip_install(self, packages, constraints=None):

bbot/core/helpers/misc.py

@@ -831,7 +831,9 @@ def rand_string(length=10, digits=True, numeric_only=False):
     return "".join(random.choice(pool) for _ in range(length))
 
 
-def truncate_string(s, n):
+def truncate_string(s: str, n: int) -> str:
+    if not isinstance(s, str):
+        raise ValueError(f"Expected string, got {type(s)}")
     if len(s) > n:
         return s[: n - 3] + "..."
     else:
@@ -1309,7 +1311,7 @@ def make_netloc(host, port=None):
     return f"{host}:{port}"
 
 
-def which(*executables):
+def which(*executables, path=None):
     """Finds the full path of the first available executable from a list of executables.
 
     Args:
@@ -1325,7 +1327,7 @@ def which(*executables):
     import shutil
 
     for e in executables:
-        location = shutil.which(e)
+        location = shutil.which(e, path=path)
         if location:
             return location
 
@@ -1642,7 +1644,7 @@ def filesize(f):
     return 0
 
 
-def rm_rf(f):
+def rm_rf(f, ignore_errors=False):
     """Recursively delete a directory
 
     Args:
@@ -1653,7 +1655,7 @@ def rm_rf(f):
     """
     import shutil
 
-    shutil.rmtree(f)
+    shutil.rmtree(f, ignore_errors=ignore_errors)
 
 
 def clean_old(d, keep=10, filter=lambda x: True, key=latest_mtime, reverse=True, raise_error=False):

bbot/core/helpers/names_generator.py

@@ -50,6 +50,7 @@
     "delicious",
     "demented",
     "demonic",
+    "demonstrative",
     "depraved",
     "depressed",
     "deranged",
@@ -172,6 +173,7 @@
     "pasty",
     "peckish",
     "pedantic",
+    "pensive",
     "pernicious",
     "perturbed",
     "perverted",
@@ -201,8 +203,10 @@
     "reckless",
     "reductive",
     "ripped",
+    "ruthless",
     "sadistic",
     "satanic",
+    "saucy",
     "savvy",
     "scheming",
     "schizophrenic",
@@ -668,6 +672,7 @@
     "tracy",
     "travis",
     "treebeard",
+    "trent",
     "triss",
     "tyler",
     "tyrell",

bbot/core/helpers/web/engine.py

@@ -208,7 +208,7 @@ async def _acatch(self, url, raise_error):
                 raise
             else:
                 log.warning(
-                    f"Invalid URL (possibly due to dangerous redirect) on request to : {url}: {truncate_string(e, 200)}"
+                    f"Invalid URL (possibly due to dangerous redirect) on request to : {url}: {truncate_string(str(e), 200)}"
                 )
                 log.trace(traceback.format_exc())
         except ssl.SSLError as e:

bbot/core/shared_deps.py

@@ -108,6 +108,24 @@
         "when": "ansible_facts['os_family'] == 'Debian'",
         "ignore_errors": True,
     },
+    {
+        "name": "Get latest Chromium version (Darwin x86_64)",
+        "uri": {
+            "url": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac%2FLAST_CHANGE?alt=media",
+            "return_content": True,
+        },
+        "register": "chromium_version_darwin_x86_64",
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'x86_64'",
+    },
+    {
+        "name": "Get latest Chromium version (Darwin arm64)",
+        "uri": {
+            "url": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac_Arm%2FLAST_CHANGE?alt=media",
+            "return_content": True,
+        },
+        "register": "chromium_version_darwin_arm64",
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'arm64'",
+    },
     {
         "name": "Download Chromium (Debian)",
         "unarchive": {
@@ -119,6 +137,26 @@
         "when": "ansible_facts['os_family'] == 'Debian'",
         "ignore_errors": True,
     },
+    {
+        "name": "Download Chromium (Darwin x86_64)",
+        "unarchive": {
+            "src": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac%2F{{ chromium_version_darwin_x86_64.content }}%2Fchrome-mac.zip?alt=media",
+            "remote_src": True,
+            "dest": "#{BBOT_TOOLS}",
+            "creates": "#{BBOT_TOOLS}/chrome-mac",
+        },
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'x86_64'",
+    },
+    {
+        "name": "Download Chromium (Darwin arm64)",
+        "unarchive": {
+            "src": "https://www.googleapis.com/download/storage/v1/b/chromium-browser-snapshots/o/Mac_Arm%2F{{ chromium_version_darwin_arm64.content }}%2Fchrome-mac.zip?alt=media",
+            "remote_src": True,
+            "dest": "#{BBOT_TOOLS}",
+            "creates": "#{BBOT_TOOLS}/chrome-mac",
+        },
+        "when": "ansible_facts['os_family'] == 'Darwin' and ansible_facts['architecture'] == 'arm64'",
+    },
     # Because Ubuntu is a special snowflake, we have to bend over backwards to fix the chrome sandbox
     # see https://chromium.googlesource.com/chromium/src/+/main/docs/security/apparmor-userns-restrictions.md
     {

bbot/modules/apkpure.py

@@ -22,7 +22,7 @@ async def setup(self):
         if output_folder:
             self.output_dir = Path(output_folder) / "apk_files"
         else:
-            self.output_dir = self.helpers.temp_dir / "apk_files"
+            self.output_dir = self.scan.temp_dir / "apk_files"
         self.helpers.mkdir(self.output_dir)
         return await super().setup()
 

bbot/modules/aspnet_bin_exposure.py

@@ -0,0 +1,80 @@
+from bbot.modules.base import BaseModule
+
+
+class aspnet_bin_exposure(BaseModule):
+    watched_events = ["URL"]
+    produced_events = ["VULNERABILITY"]
+    flags = ["active", "safe", "web-thorough"]
+    meta = {
+        "description": "Check for ASP.NET Security Feature Bypasses (CVE-2023-36899 and CVE-2023-36560)",
+        "created_date": "2025-01-28",
+        "author": "@liquidsec",
+    }
+
+    in_scope_only = True
+    test_dlls = [
+        "Telerik.Web.UI.dll",
+        "Newtonsoft.Json.dll",
+        "System.Net.Http.dll",
+        "EntityFramework.dll",
+        "AjaxControlToolkit.dll",
+    ]
+
+    @staticmethod
+    def normalize_url(url):
+        return str(url.rstrip("/") + "/").lower()
+
+    def _incoming_dedup_hash(self, event):
+        return hash(self.normalize_url(event.data))
+
+    async def handle_event(self, event):
+        normalized_url = self.normalize_url(event.data)
+        for test_dll in self.test_dlls:
+            for technique in ["b/(S(X))in/###DLL_PLACEHOLDER###/(S(X))/", "(S(X))/b/(S(X))in/###DLL_PLACEHOLDER###"]:
+                test_url = f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', test_dll)}"
+                self.debug(f"Sending test URL: [{test_url}]")
+                kwargs = {"method": "GET", "allow_redirects": False, "timeout": 10}
+                test_result = await self.helpers.request(test_url, **kwargs)
+                if test_result:
+                    if test_result.status_code == 200 and (
+                        "content-type" in test_result.headers
+                        and "application/x-msdownload" in test_result.headers["content-type"]
+                    ):
+                        self.debug(
+                            f"Got positive result for probe with test url: [{test_url}]. Status Code: [{test_result.status_code}] Content Length: [{len(test_result.content)}]"
+                        )
+
+                        if test_result.status_code == 200 and (
+                            "content-type" in test_result.headers
+                            and "application/x-msdownload" in test_result.headers["content-type"]
+                        ):
+                            confirm_url = (
+                                f"{normalized_url}{technique.replace('###DLL_PLACEHOLDER###', 'oopsnotarealdll.dll')}"
+                            )
+                            confirm_result = await self.helpers.request(confirm_url, **kwargs)
+
+                            if confirm_result and (
+                                confirm_result.status_code != 200
+                                or not (
+                                    "content-type" in confirm_result.headers
+                                    and "application/x-msdownload" in confirm_result.headers["content-type"]
+                                )
+                            ):
+                                description = f"IIS Bin Directory DLL Exposure. Detection Url: [{test_url}]"
+                                await self.emit_event(
+                                    {
+                                        "severity": "HIGH",
+                                        "host": str(event.host),
+                                        "url": normalized_url,
+                                        "description": description,
+                                    },
+                                    "VULNERABILITY",
+                                    event,
+                                    context="{module} detected IIS Bin Directory DLL Exposure vulnerability",
+                                )
+                                return True
+
+    async def filter_event(self, event):
+        if "dir" in event.tags:
+            return True
+        return False