Vulnerable client-server application (VuCSA) 1.0

.gitignore

@@ -0,0 +1,9 @@
+# Gradle
+.gradle
+gradle**
+# Eclipse, Idea, ...
+.settings
+.idea
+bin
+build
+doc

CHANGELOG.md

@@ -0,0 +1,16 @@
+# Changelog
+
+All notable changes to this project will are documented in this changelog file.
+
+## [1.0.0] - 2022-01-01
+### Added
+- common functionality
+- server and client implementation
+- 7 basic challenges
+    - Buffer Over-read (simulated)
+    - Command Execution
+    - SQL Injection
+    - Enumeration
+    - XML
+    - Horizontal Access Control
+    - Vertical Access Control

README.md

@@ -0,0 +1,41 @@
+# ![Vulnerable Client-Server Application (VuCSA)](http://vucsa.warxim.com/img/logo.png)
+# Vulnerable Client-Server Application (VuCSA)
+Vulnerable client-server application (VuCSA) is made for learning/presenting how to perform penetration tests of non-http thick clients.
+It is written in Java (with JavaFX graphical user interface).
+
+Currently the vulnerable application contains the following challenges:
+1. Buffer Over-read (simulated)
+2. Command Execution
+3. SQL Injection
+4. Enumeration
+5. XML
+6. Horizontal Access Control
+7. Vertical Access Control
+
+If you want to know how to solve these challenges, take a look at the [PETEP website](http://petep.warxim.com/methodology/), 
+which describes how to use the open-source tool PETEP to exploit them.
+
+**Tip:** Before you start hacking, do not forget to check the data structure of messages bellow.
+
+## How to Run
+In order to run the vulnerable server and client, you can use one of releases on GitHub
+or run gradle assemble, which creates distribution packages (for both Windows and Unix).
+These packages contain sh/bat scripts that will run the server and client using JVM.
+
+## Project Structure
+Project is divided into three modules:
+- **vulnerable-common** - common functionality for both client and server (including protocol processing utilities)
+- **vulnerable-client** - vulnerable client with JavaFX GUI
+- **vulnerable-server** - vulnerable server for terminal use
+
+## Data Structure
+Messages transmitted between server and client have the following simple format:
+
+    [type][target][length][payload]
+      32b    32b     32b     ???
+
+These four parts have the following meaning:
+- **type** - type of the message (used for serialization/deserialization)
+- **target** - target handler that will receive the message 
+- **length** - length of the payload
+- **payload** - data serialized into bytes

build.gradle

@@ -0,0 +1,42 @@
+plugins {
+    id 'java'
+    id 'application'
+}
+
+group 'com.warxim'
+version '1.0'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    compile project(":vucsa-common")
+    compile project(":vucsa-client")
+    compile project(":vucsa-server")
+}
+
+distributions {
+    main {
+        distributionBaseName = "vucsa"
+        contents {
+            from("LICENSE.md") {
+                into ""
+            }
+
+            from("CHANGELOG.md") {
+                into ""
+            }
+
+            from("scripts") {
+                into ""
+            }
+
+            from("vucsa-server/server") {
+                into "server"
+            }
+
+            startScripts.onlyIf {false}
+        }
+    }
+}

scripts/client.bat

@@ -0,0 +1,12 @@
+@echo off
+set JAVA_EXE=java.exe
+set JAVAW_EXE=javaw.exe
+set DIRNAME=%~dp0
+set APP_HOME=%DIRNAME%
+set CMD_LINE_ARGS=%*
+set DEFAULT_JVM_OPTS=
+set CLASSPATH=%APP_HOME%\lib\*
+set MAIN_CLASS="com.warxim.vucsa.client.Main"
+
+rem Start Vulnerable Client with GUI (without console).
+start "" /b "%JAVAW_EXE%" %DEFAULT_JVM_OPTS% -classpath "%CLASSPATH%" %MAIN_CLASS% %CMD_LINE_ARGS%

scripts/client.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+JAVA="java"
+APP_HOME="`pwd`"
+DEFAULT_JVM_OPTS=
+CMD_LINE_ARGS=$@
+CLASSPATH=$APP_HOME/lib/*
+MAIN_CLASS="com.warxim.vucsa.client.Main"
+LOG_FILE=client.log
+
+nohup $JAVA -cp "$CLASSPATH" $MAIN_CLASS $CMD_LINE_ARGS > $LOG_FILE & 

scripts/server.bat

@@ -0,0 +1,12 @@
+@echo off
+set JAVA_EXE=java.exe
+set JAVAW_EXE=javaw.exe
+set DIRNAME=%~dp0
+set APP_HOME=%DIRNAME%
+set CMD_LINE_ARGS=%*
+set DEFAULT_JVM_OPTS=
+set CLASSPATH=%APP_HOME%\lib\*
+set MAIN_CLASS="com.warxim.vucsa.server.Main"
+
+rem Start Vulnerable Server without GUI (let console open).
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% -classpath "%CLASSPATH%" %MAIN_CLASS% %CMD_LINE_ARGS%

scripts/server.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+JAVA="java"
+APP_HOME="`pwd`"
+DEFAULT_JVM_OPTS=
+CMD_LINE_ARGS=$@
+CLASSPATH=$APP_HOME/lib/*
+MAIN_CLASS="com.warxim.vucsa.server.Main"
+LOG_FILE=server.log
+
+$JAVA -cp "$CLASSPATH" $MAIN_CLASS $CMD_LINE_ARGS

settings.gradle

@@ -0,0 +1,6 @@
+rootProject.name = 'VuCSA'
+
+include 'vucsa-common'
+include 'vucsa-client'
+include 'vucsa-server'
+

vucsa-client/build.gradle

@@ -0,0 +1,59 @@
+plugins {
+    id 'java-library'
+    id 'java'
+    id 'eclipse'
+    id 'application'
+    id 'org.openjfx.javafxplugin' version '0.0.13'
+}
+
+javafx {
+    version = "11.0.2"
+    modules = ['javafx.controls', 'javafx.fxml', 'javafx.web']
+}
+
+group 'com.warxim'
+version '1.0'
+mainClassName = 'com.warxim.vucsa.client.Main'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    implementation project(':vucsa-common')
+
+    compileOnly 'org.projectlombok:lombok:1.18.24'
+    annotationProcessor 'org.projectlombok:lombok:1.18.24'
+
+    implementation group: 'org.openjfx', name: 'javafx-base', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-base', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-base', version: javafx.version, classifier: 'linux'
+    implementation group: 'org.openjfx', name: 'javafx-controls', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-controls', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-controls', version: javafx.version, classifier: 'linux'
+    implementation group: 'org.openjfx', name: 'javafx-fxml', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-fxml', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-fxml', version: javafx.version, classifier: 'linux'
+    implementation group: 'org.openjfx', name: 'javafx-graphics', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-graphics', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-graphics', version: javafx.version, classifier: 'linux'
+    implementation group: 'org.openjfx', name: 'javafx-media', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-media', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-media', version: javafx.version, classifier: 'linux'
+    implementation group: 'org.openjfx', name: 'javafx-web', version: javafx.version, classifier: 'win'
+    implementation group: 'org.openjfx', name: 'javafx-web', version: javafx.version, classifier: 'mac'
+    implementation group: 'org.openjfx', name: 'javafx-web', version: javafx.version, classifier: 'linux'
+}
+
+// Export com.sun.javafx.css (for css editing)
+application {
+    applicationDefaultJvmArgs = [
+            "--add-opens=javafx.graphics/com.sun.javafx.css=ALL-UNNAMED"
+    ]
+    executableDir = ''
+}
+
+// Set run working directory to build/run
+File runningDir = new File('build/run')
+runningDir.mkdirs()
+tasks.run.workingDir = runningDir

vucsa-client/src/main/java/com/warxim/vucsa/client/Bundle.java

@@ -0,0 +1,63 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2021 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see <https://www.gnu.org/licenses/>.
+ */
+package com.warxim.vucsa.client;
+
+import com.warxim.vucsa.client.core.ClientManager;
+import lombok.Getter;
+
+/**
+ * Singleton for client assets.
+ */
+@Getter
+public final class Bundle {
+    /**
+     * Singleton instance.
+     */
+    private static volatile Bundle instance;
+
+    /**
+     * Client manager
+     */
+    private final ClientManager clientManager;
+
+    private Bundle() {
+        clientManager = new ClientManager();
+    }
+
+    /**
+     * Creates instance of bundle or returns existing instance if it exists.
+     * @return Bundle instance
+     */
+    public static Bundle getInstance() {
+        if (instance == null) {
+            synchronized(Bundle.class) {
+                if (instance == null) {
+                    instance = new Bundle();
+                }
+            }
+        }
+
+        return instance;
+    }
+
+    /**
+     * Destroys the bundle.
+     */
+    public void destroy() {
+        // nothing to destroy
+    }
+}

vucsa-client/src/main/java/com/warxim/vucsa/client/Main.java

@@ -0,0 +1,49 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2021 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see <https://www.gnu.org/licenses/>.
+ */
+package com.warxim.vucsa.client;
+
+import com.warxim.vucsa.client.gui.GuiApplication;
+import com.warxim.vucsa.client.gui.GuiBundle;
+import com.warxim.vucsa.client.gui.dialog.Dialogs;
+import javafx.application.Application;
+
+/**
+ * Main client application class.
+ */
+public final class Main {
+    public static void main(String... args) {
+        init();
+        launch();
+    }
+
+    /**
+     * Initializes GUI bundle.
+     */
+    private static void init() {
+        var guiBundle = GuiBundle.getInstance();
+        Dialogs.setDefaultIcon(guiBundle.getLogo());
+    }
+
+    /**
+     * Launches GUI application.
+     */
+    private static void launch() {
+        Application.launch(GuiApplication.class);
+    }
+
+    private Main() {}
+}

vucsa-client/src/main/java/com/warxim/vucsa/client/challenge/ChallengeController.java

@@ -0,0 +1,35 @@
+/*
+ * Vulnerable Client-Server Application (VuCSA)
+ *
+ * Copyright (C) 2021 Michal Válka
+ *
+ * This program is free software: you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program. If
+ * not, see <https://www.gnu.org/licenses/>.
+ */
+package com.warxim.vucsa.client.challenge;
+
+import com.warxim.vucsa.client.Bundle;
+import com.warxim.vucsa.common.message.Message;
+
+/**
+ * Base class of challenge controllers.
+ */
+public abstract class ChallengeController {
+    /**
+     * Sends message using client manager.
+     * @param message Message to be sent
+     * @return {@code true} if the message has been successfully sent
+     */
+    protected boolean sendMessage(Message message) {
+        var clientManager = Bundle.getInstance().getClientManager();
+        return clientManager.sendMessage(message);
+    }
+}