Eduardo T. [email protected] writes:
I am creating some exploits written in Ruby.
Hopefully those exploits are for good purposes, not bad. In any
case, your issues here are basic socket usage, so we’ll address
Most of my payloads are
TCP bind shells, Netcat works well for connecting to those bind
shells. But I thought, why not connect to the shell directly from Ruby
immediately after sending the payload. Currently I use this snippet
from a Ruby standard library sample I found somewhere:
You haven’t given us any indication of what facilities of netcat
you think are advantageous for your purposes, so I won’t comment
on that. But, I will note that unless you’re doing something much
more complicated than talking to a shell, simple use of ruby sockets
should suit your purposes.
send “cd /”. No output and subsequent commands are not processed. “/”
and “cd” are OK.
I’m not sure why you would only get one line from ls, but maybe
that’s part of your larger problem. Let’s look particularly at
your complaint about “cd /”. The problem here is almost certainly
that the prompt ($PS1 in Bourne-derived shells) is not sending
a New-Line, but your use of s.readline requires a New-Line before
it will return to you. Thus, you’re in deadlock situation.
Fixing this can be done in various ways.
First, you can just asynchronous stream the data in both directions.
By this, I mean that you can just ignore the data coming from the
remote shell and just send the data that you (a priori) know needs
to be sent.
If you do need to act based upon the returned data, you still have
a couple of alternatives. For any of this, however, I’d recommend
that you switch to using the socket primitives directly and avoid
the higher-level write/readline type of methods. (See the ruby
socket documentation on recv and send.) It’s not that you can’t
do the work from IO objects, just that things will be easier to
understand and have less “magic” going on between you and the
So, you could use a “go-ahead” mechanism. (See the early telnet
documents for a full explanation of this, e.g., RFC 854.) For
example, you could have the remote shell always send some token,
say ‘@’, when it’s done. Then you could wait for this before
Beyond that level of solution, you probably need to run multiple
threads in your client side, in a manner analogous to what you
would do hen interacting with a local child process via the IO.popen
method. In this case you would have one thread examining data
read from the remote shell and sending state change information
to another thread, which would be sending the relevant data. See
examples for popen – but remember that most examples of use of
popen will not be handling the problem with the lack of a New-Line.
You could also look at user-side telnet implementations, but here
it will be difficult to see the strategy amongst all the details
of character set translation and option negotiation.
Metasploit has its own library for this kind of
stuff. I think it is called Metasploit Rex. Looking at the sources I
see some references to Rex::IO::Stream. I find it complex and I would
like to avoid something that needs external libraries.
Sorry, never had occasion to look at them.
Can the above snippet be improved? Is there a better way of emulating
Netcat? Is it possible to use Net::Telnet? Thanks everyone.