metasploit-framework/spec/tools/virustotal_spec.rb

require 'spec_helper'

load Metasploit::Framework.root.join('tools/exploit/virustotal.rb').to_path

require 'msfenv'
require 'msf/base'
require 'digest/sha2'

RSpec.describe VirusTotalUtility do

  context "Classes" do
    let(:api_key) do
      'FAKE_API_KEY'
    end

    let(:filename) do
      'MALWARE.EXE'
    end

    let(:malware_data) do
      'DATA'
    end

    describe VirusTotalUtility::ToolConfig do
      context "Class methods" do

        let(:tool_config) do
          VirusTotalUtility::ToolConfig.new
        end

        context ".Initializer" do
          it "should init the config file path as Metasploit's default config path" do
            tool_config.instance_variable_get(:@config_file).should eq(Msf::Config.config_file)
          end

          it "should init the group name as 'VirusTotal'" do
            tool_config.instance_variable_get(:@group_name).should eq('VirusTotal')
          end
        end
      end
    end

    describe VirusTotalUtility::VirusTotal do
      context "Class methods" do

        let(:malware_sha256) do
          Digest::SHA256.hexdigest(malware_data)
        end

        let(:sample) do
          {
            'filename' => filename,
            'data'     => malware_data,
            'sha256'   => malware_sha256
          }
        end

        let(:boundary) do
          'THEREAREMANYLIKEITBUTTHISISMYDATA'
        end

        let(:scan_sample_opts) do
          opts = {
            'boundary' => boundary,
            'api_key'  => api_key,
            'filename' => filename,
            'data'     => malware_data
          }

          return opts
        end

        let(:retrieve_report_opts) do
          opts = {
            'uri'       => '/vtapi/v2/file/report',
            'method'    => 'POST',
            'vhost'     => 'www.virustotal.com',
            'vars_post' => {
              'apikey'   => api_key,
              'resource' => malware_sha256
            }
          }

          return opts
        end

        let(:vt) do
          file = double(File, read: malware_data)
          File.stub(:open).with(filename, 'rb') {|&block| block.yield file}
          VirusTotalUtility::VirusTotal.new({'api_key'=>api_key, 'sample'=>filename})
        end

        context ".Initializer" do
          it "should have an API key" do
            vt.instance_variable_get(:@api_key).should eq(api_key)
          end

          it "should have a checksum for the malware sample" do
            vt.instance_variable_get(:@sample_info)['sha256'].should eq(malware_sha256)
          end
        end

        context "._load_sample" do
          it "should contain sample info including data, filename, and sha256" do
            vt.send(:_load_sample, filename).should eq(sample)
          end
        end

        context ".scan_sample" do
          it "should return with data" do
            vt.stub(:_execute_request).and_return('')
            vt.scan_sample.should eq('')
          end
        end

        context ".retrieve_report" do
          it "should return with data" do
            vt.stub(:_execute_request).and_return('')
            vt.retrieve_report.should eq('')
          end
        end

        context "._execute_request" do
          it "should return status code 204" do
            res = double(Rex::Proto::Http::Response)
            res.stub(:code).and_return(204)
            vt.stub(:send_request_cgi).with(scan_sample_opts).and_return(res)
            expect { vt.send(:_execute_request, scan_sample_opts) }.to raise_error(RuntimeError)
          end

          it "should return status code 403" do
            res = double(Rex::Proto::Http::Response)
            res.stub(:code).and_return(403)
            vt.stub(:send_request_cgi).with(scan_sample_opts).and_return(res)
            expect { vt.send(:_execute_request, scan_sample_opts) }.to raise_error(RuntimeError)
          end
        end

        context "._create_upload_data" do

          let(:form_opts) do
            {
              'boundary' => boundary,
              'api_key'  => api_key,
              'filename' => filename,
              'data'     => malware_data
            }
          end

          before(:each) do
            @upload_data = vt.send(:_create_upload_data, form_opts)
          end

          it "should create form-data with a boundary" do
            @upload_data.should match(/#{boundary}/)
          end

          it "should create form-data with the API key" do
            @upload_data.should match(/#{api_key}/)
          end

          it "should create form-data with the malware filename" do
            @upload_data.should match(/#{filename}/)
          end

          it "should create form-data with the malware data" do
            @upload_data.should match(/#{malware_data}/)
          end
        end
      end
    end


    describe VirusTotalUtility::Driver do
      # Get stdout:
      # http://stackoverflow.com/questions/11349270/test-output-to-command-line-with-rspec
      def get_stdout(&block)
        out = $stdout
        $stdout = fake = StringIO.new
        begin
          yield
        ensure
          $stdout = out
        end
        fake.string
      end

      before do
        $stdin = StringIO.new("Y\n")
      end

      after do
        $stdin = STDIN
      end

      let(:driver) do
        argv = "-k #{api_key} -f #{filename}".split
        options = {
          'samples' => filename,
          'api_key' => api_key,
          'delay'   => 60
        }

        VirusTotalUtility::OptsConsole.stub(:parse).with(anything).and_return(options)


        tool_config = double("tool_config")
        VirusTotalUtility::ToolConfig.stub(:new).and_return(tool_config)
        tool_config.stub(:has_privacy_waiver?).and_return(true)
        tool_config.stub(:load_api_key).and_return(api_key)
        tool_config.stub(:save_privacy_waiver)
        tool_config.stub(:save_api_key).with(anything)

        d = nil

        out = get_stdout {
          d = VirusTotalUtility::Driver.new
        }

        d
      end

      context ".Class methods" do

        context ".initialize" do
          it "should return a Driver object" do
            driver.class.should eq(VirusTotalUtility::Driver)
          end
        end

        context ".ask_privacy" do
          it "should have a link of VirusTotal's terms of service" do
            tos = 'https://www.virustotal.com/en/about/terms-of-service'
            out = get_stdout { driver.ack_privacy }
            out.should match(/#{tos}/)
          end
        end

        context ".generate_report" do
          it "should show a report" do
            res = {
              "scans" => {
                "Bkav" => { "detected" => false, "version" => "1.3.0.4613", "result" => nil, "update" => "20140107" }
              },
              "response_code" => 1
            }

            out = get_stdout { driver.generate_report(res, filename) }
            out.should match(/#{res['scans']['Bkav']['version']}/)
          end
        end
      end
    end
  end
end
Add rspec 2014-01-08 08:34:43 +00:00			`require 'spec_helper'`

Update rspec 2015-10-06 20:42:31 +00:00			`load Metasploit::Framework.root.join('tools/exploit/virustotal.rb').to_path`
Add rspec 2014-01-08 08:34:43 +00:00
			`require 'msfenv'`
			`require 'msf/base'`
			`require 'digest/sha2'`

decribe -> RSpec.describe MSP-13484 Disabled expose_dsl_globally in spec_helper, so need to qualify top-level describe. 2015-10-16 20:57:04 +00:00			`RSpec.describe VirusTotalUtility do`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "Classes" do`
Add rspec 2014-01-08 08:34:43 +00:00			`let(:api_key) do`
			`'FAKE_API_KEY'`
			`end`

			`let(:filename) do`
			`'MALWARE.EXE'`
			`end`

			`let(:malware_data) do`
			`'DATA'`
			`end`

Put classes under a module 2014-01-12 21:54:56 +00:00			`describe VirusTotalUtility::ToolConfig do`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "Class methods" do`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:tool_config) do`
Put classes under a module 2014-01-12 21:54:56 +00:00			`VirusTotalUtility::ToolConfig.new`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`end`

			`context ".Initializer" do`
			`it "should init the config file path as Metasploit's default config path" do`
			`tool_config.instance_variable_get(:@config_file).should eq(Msf::Config.config_file)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`it "should init the group name as 'VirusTotal'" do`
			`tool_config.instance_variable_get(:@group_name).should eq('VirusTotal')`
			`end`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00			`end`

Put classes under a module 2014-01-12 21:54:56 +00:00			`describe VirusTotalUtility::VirusTotal do`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "Class methods" do`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:malware_sha256) do`
			`Digest::SHA256.hexdigest(malware_data)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:sample) do`
			`{`
			`'filename' => filename,`
			`'data' => malware_data,`
			`'sha256' => malware_sha256`
			`}`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:boundary) do`
			`'THEREAREMANYLIKEITBUTTHISISMYDATA'`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:scan_sample_opts) do`
			`opts = {`
			`'boundary' => boundary,`
			`'api_key' => api_key,`
			`'filename' => filename,`
			`'data' => malware_data`
			`}`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`return opts`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:retrieve_report_opts) do`
			`opts = {`
			`'uri' => '/vtapi/v2/file/report',`
			`'method' => 'POST',`
			`'vhost' => 'www.virustotal.com',`
			`'vars_post' => {`
			`'apikey' => api_key,`
			`'resource' => malware_sha256`
			`}`
			`}`

			`return opts`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:vt) do`
			`file = double(File, read: malware_data)`
			`File.stub(:open).with(filename, 'rb') {\|&block\| block.yield file}`
Put classes under a module 2014-01-12 21:54:56 +00:00			`VirusTotalUtility::VirusTotal.new({'api_key'=>api_key, 'sample'=>filename})`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".Initializer" do`
			`it "should have an API key" do`
			`vt.instance_variable_get(:@api_key).should eq(api_key)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`it "should have a checksum for the malware sample" do`
			`vt.instance_variable_get(:@sample_info)['sha256'].should eq(malware_sha256)`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "._load_sample" do`
			`it "should contain sample info including data, filename, and sha256" do`
			`vt.send(:_load_sample, filename).should eq(sample)`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".scan_sample" do`
			`it "should return with data" do`
			`vt.stub(:_execute_request).and_return('')`
			`vt.scan_sample.should eq('')`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".retrieve_report" do`
			`it "should return with data" do`
			`vt.stub(:_execute_request).and_return('')`
			`vt.retrieve_report.should eq('')`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "._execute_request" do`
			`it "should return status code 204" do`
			`res = double(Rex::Proto::Http::Response)`
			`res.stub(:code).and_return(204)`
			`vt.stub(:send_request_cgi).with(scan_sample_opts).and_return(res)`
			`expect { vt.send(:_execute_request, scan_sample_opts) }.to raise_error(RuntimeError)`
			`end`

			`it "should return status code 403" do`
			`res = double(Rex::Proto::Http::Response)`
			`res.stub(:code).and_return(403)`
			`vt.stub(:send_request_cgi).with(scan_sample_opts).and_return(res)`
			`expect { vt.send(:_execute_request, scan_sample_opts) }.to raise_error(RuntimeError)`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context "._create_upload_data" do`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:form_opts) do`
			`{`
			`'boundary' => boundary,`
			`'api_key' => api_key,`
			`'filename' => filename,`
			`'data' => malware_data`
			`}`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`before(:each) do`
			`@upload_data = vt.send(:_create_upload_data, form_opts)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`it "should create form-data with a boundary" do`
			`@upload_data.should match(/#{boundary}/)`
			`end`

			`it "should create form-data with the API key" do`
			`@upload_data.should match(/#{api_key}/)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`it "should create form-data with the malware filename" do`
			`@upload_data.should match(/#{filename}/)`
			`end`

			`it "should create form-data with the malware data" do`
			`@upload_data.should match(/#{malware_data}/)`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00			`end`
			`end`


Put classes under a module 2014-01-12 21:54:56 +00:00			`describe VirusTotalUtility::Driver do`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`# Get stdout:`
			`# http://stackoverflow.com/questions/11349270/test-output-to-command-line-with-rspec`
			`def get_stdout(&block)`
			`out = $stdout`
			`$stdout = fake = StringIO.new`
			`begin`
			`yield`
			`ensure`
			`$stdout = out`
			`end`
			`fake.string`
Add rspec 2014-01-08 08:34:43 +00:00			`end`

Update rpsec and the script 2014-01-08 19:22:38 +00:00			`before do`
			`$stdin = StringIO.new("Y\n")`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`after do`
			`$stdin = STDIN`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`let(:driver) do`
			`argv = "-k #{api_key} -f #{filename}".split`
			`options = {`
			`'samples' => filename,`
			`'api_key' => api_key,`
			`'delay' => 60`
			`}`
Add rspec 2014-01-08 08:34:43 +00:00
Put classes under a module 2014-01-12 21:54:56 +00:00			`VirusTotalUtility::OptsConsole.stub(:parse).with(anything).and_return(options)`
Add rspec 2014-01-08 08:34:43 +00:00

Update rpsec and the script 2014-01-08 19:22:38 +00:00			`tool_config = double("tool_config")`
Put classes under a module 2014-01-12 21:54:56 +00:00			`VirusTotalUtility::ToolConfig.stub(:new).and_return(tool_config)`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`tool_config.stub(:has_privacy_waiver?).and_return(true)`
			`tool_config.stub(:load_api_key).and_return(api_key)`
			`tool_config.stub(:save_privacy_waiver)`
			`tool_config.stub(:save_api_key).with(anything)`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`d = nil`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`out = get_stdout {`
Put classes under a module 2014-01-12 21:54:56 +00:00			`d = VirusTotalUtility::Driver.new`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`}`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`d`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".Class methods" do`
Add rspec 2014-01-08 08:34:43 +00:00
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".initialize" do`
			`it "should return a Driver object" do`
Put classes under a module 2014-01-12 21:54:56 +00:00			`driver.class.should eq(VirusTotalUtility::Driver)`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`end`
Add rspec 2014-01-08 08:34:43 +00:00			`end`

Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".ask_privacy" do`
			`it "should have a link of VirusTotal's terms of service" do`
			`tos = 'https://www.virustotal.com/en/about/terms-of-service'`
			`out = get_stdout { driver.ack_privacy }`
			`out.should match(/#{tos}/)`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00			`end`

Update rpsec and the script 2014-01-08 19:22:38 +00:00			`context ".generate_report" do`
			`it "should show a report" do`
			`res = {`
			`"scans" => {`
			`"Bkav" => { "detected" => false, "version" => "1.3.0.4613", "result" => nil, "update" => "20140107" }`
Add method scan_by_checksum for virustotal.rb Allows the user to scan files based on checksusm (without actually uploading them to VT) 2014-01-12 21:45:16 +00:00			`},`
			`"response_code" => 1`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`}`

			`out = get_stdout { driver.generate_report(res, filename) }`
			`out.should match(/#{res['scans']['Bkav']['version']}/)`
			`end`
			`end`
Add rspec 2014-01-08 08:34:43 +00:00			`end`
			`end`
			`end`
Update rpsec and the script 2014-01-08 19:22:38 +00:00			`end`