Ruby Reverse Shell

November 17, 2012

I’ve been working a lot with ruby lately, and having such a high level language makes so many tasks very simple. I’ve made up a primitive command execution reverse shell, as you can see below:

It takes in connection arguments and connects to a remote host. I just use netcat to receive the connection:

Since most things run ruby today, this could be very useful in most penetration testing situations, however, I wanted something that could be used in environments such as Windows. I looked into RubyScript2Exe which provides packaging of a ruby interpreter into a binary executable. It actually does not work with the current version of ruby, so I kept digging and found a gem called ocra which only works under Windows. So I installed ruby on my Windows 7 VM, grabbed the gem and ran ocra on my script:

So this was perfect and exciting! Then here’s the end result:

Since this has not been done before, and is custom code, we have a fully undetectable reverse shell binary!:

I’ll be expanding on this further, I’ll start looking into some file management capabilities, and more advanced shell functions as well as the possibility of encrypting the shell traffic to avoid detection.

Thanks for reading!

Update: Did some searching this morning and found that secjohn on github did something extremely similar, he even has a sleep on the reverse function for when it fails. He also mentions ocra! Pretty cool.

~Josh