Merge pull request #52 from MaximeStor/master

Added module SourceCode
2016-03-12 21:19:49 +01:00 · 2016-03-12 21:19:49 +01:00 · a44bdfa7d4
parent be86737ca7 ab66cd255a
commit a44bdfa7d4
4 changed files with 76 additions and 1 deletions
--- a/bin/SourceCode.py
+++ b/bin/SourceCode.py
@ -0,0 +1,55 @@
+#!/usr/bin/env python2
+# -*-coding:UTF-8 -*
+import time
+from packages import Paste
+from pubsublogger import publisher
+from Helper import Process
+import re
+
+if __name__ == "__main__":
+    publisher.port = 6380
+    publisher.channel = "Script"
+    config_section = "SourceCode"
+    p = Process(config_section)
+    publisher.info("Finding Source Code")
+
+    critical = 0 # AS TO BE IMPORTANT, MIGHT BE REMOVED
+
+    #RELEVANTS LANGUAGES
+    shell = "[a-zA-Z0-9]+@[a-zA-Z0-9\-]+\:\~\$"
+    c = "\#include\ \<[a-z\/]+.h\>"
+    php = "\<\?php"
+    python = "import\ [\w]+"
+    bash = "#!\/[\w]*\/bash"
+    javascript = "function\(\)"
+    ruby = "require \ [\w]+"
+    adr = "0x[a-f0-9]{2}"
+
+    #asm = "\"((?s).{1}x[0-9a-f]{2}){3,}" ISSUES WITH FINDALL, pattern like \x54\xaf\x23\..
+ 
+    languages = [shell, c, php, bash, python, javascript, bash, ruby, adr]
+    regex = '|'.join(languages)
+    print regex
+
+    while True:
+        message = p.get_from_set()
+        if message is None:
+            publisher.debug("Script Source Code is Idling 10s")
+            print('Sleeping')
+            time.sleep(10)
+            continue
+
+        filepath, count = message.split()
+
+        paste = Paste.Paste(filepath)
+        content = paste.get_p_content()
+        match_set = set(re.findall(regex, content))
+        if len(match_set) == 0:
+            continue
+
+        to_print = 'SourceCode;{};{};{};{}'.format(paste.p_source, paste.p_date, paste.p_name, message)
+
+        if len(match_set) > critical:
+            publisher.warning(to_print)
+        else:
+            publisher.info(to_print)
--- a/bin/packages/modules.cfg
+++ b/bin/packages/modules.cfg
@ -27,7 +27,7 @@ subscribe = Redis_Words

 [Categ]
 subscribe = Redis_Global
-publish = Redis_CreditCards,Redis_Mail,Redis_Onion,Redis_Web,Redis_Credential
+publish = Redis_CreditCards,Redis_Mail,Redis_Onion,Redis_Web,Redis_Credential,Redis_SourceCode

 [CreditCards]
 subscribe = Redis_CreditCards
@ -56,5 +56,8 @@ subscribe = Redis_Credential
 [Phone]
 subscribe = Redis_Global

+[SourceCode]
+subscribe = Redis_SourceCode
+
 [Keys]
 subscribe = Redis_Global
--- a/doc/SourceCode.info
+++ b/doc/SourceCode.info
@ -0,0 +1,8 @@
+SourceCode listens to Global and select only keywords that are relevants to AIL's purpose (CVE, Exploits, Vulnerability,...), then send matching file to a new queue.
+
+SourceCode.py search for differents languages such as C, PHP, Python, BASH and some Unix shells with default configuration.
+
+Every records is send to the warning log because filters are high enough (hence the critical var set to 0 but can be changed).
+
+FOR NOW : Still have troubles detecting ASM 
+
--- a/files/SourceCode
+++ b/files/SourceCode
@ -0,0 +1,9 @@
+CVE
+exploit
+vulnerability
+payload
+uname
+chmod
+adduser
+base64_decode
+gzinflate