1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-30 12:24:14 +01:00

Added enumerators for capabilities, kernel exploits, and package managers

This commit is contained in:
Caleb Stewart 2020-05-27 17:15:52 -04:00
parent 8dea0b61e8
commit da591f9a22
7 changed files with 1287 additions and 35 deletions

View File

@ -1,32 +0,0 @@
#!/usr/bin/env python3
import textwrap
import pwncat
from pwncat.commands.base import CommandDefinition
class Command(CommandDefinition):
PROG = "service"
ARGS = {}
def run(self, args):
with pwncat.victim.open("/tmp/pwncat", "w") as filp:
filp.write(
textwrap.dedent(
"""
#!/usr/bin/env bash
while [ 1 ]; do
echo "Running"
sleep 3
done
"""
).lstrip()
)
pwncat.victim.env(["chmod", "777", "/tmp/pwncat"])
pwncat.victim.create_service(
"pwncat", "test pwncat service", "/tmp/pwncat", "root", False
).start()

View File

@ -0,0 +1,53 @@
#!/usr/bin/env python3
import dataclasses
from typing import Generator, List
from colorama import Fore
import pwncat
from pwncat.enumerate import FactData
name = "pwncat.enumerate.capabilities"
provides = "file.caps"
per_user = True
always_run = False
@dataclasses.dataclass
class FileCapabilityData(FactData):
path: str
""" The path to the file """
caps: List[str]
""" List of strings representing the capabilities (e.g. "cap_net_raw+ep") """
def __str__(self):
line = f"{Fore.CYAN}{self.path}{Fore.RESET} -> ["
line += ",".join(
f"{Fore.BLUE if c != 'ep' else Fore.RED}{c}{Fore.RESET}" for c in self.caps
)
line += "]"
return line
def enumerate() -> Generator[FactData, None, None]:
"""
Enumerate executables with assigned capabilities
:return: generator of FileCapability data
"""
if pwncat.victim.which("getcap") is None:
return
with pwncat.victim.subprocess(f"getcap -r / 2>/dev/null", "r") as filp:
for line in filp:
line = line.strip().decode("utf-8")
# I don't know why this would happen, but just in case
if " = " not in line:
continue
filename, caps = [x.strip() for x in line.split(" = ")]
caps = caps.split(",")
yield FileCapabilityData(filename, caps)

File diff suppressed because it is too large Load Diff

View File

@ -9,7 +9,7 @@ from pwncat import util
import pwncat
name = "pwncat.enumerate.system"
provides = "system.version.kernel"
provides = "system.kernel.version"
per_user = False

View File

@ -0,0 +1,71 @@
#!/usr/bin/env python3
import dataclasses
from typing import Generator, List
from colorama import Fore
import pwncat
from pwncat.enumerate import FactData
name = "pwncat.enumerate.capabilities"
provides = "system.packages"
per_user = True
always_run = False
@dataclasses.dataclass
class PackageData(FactData):
"""
Information describing an installed package
"""
name: str
version: str
def __str__(self):
line = f"{Fore.CYAN}{self.name}{Fore.RESET}"
if self.version is not None:
line += f" version {Fore.BLUE}{self.version}{Fore.RESET}"
return line
def enumerate() -> Generator[FactData, None, None]:
"""
Enumerate installed packages agnostic to the underlying package manager
:return: generator of package data
"""
rpm = pwncat.victim.which("rpm")
if rpm is not None:
with pwncat.victim.subprocess(f"rpm -qa", "r") as filp:
for line in filp:
line = line.decode("utf-8").strip()
if "-" in line:
line = line.split("-")
package = "-".join(line[:-1])
version = line[-1]
else:
package = line
version = None
yield PackageData(package, version)
dpkg = pwncat.victim.which("dpkg")
if dpkg is not None:
with pwncat.victim.subprocess(f"dpkg -l", "r") as filp:
line = ""
try:
while not line.startswith("+"):
line = next(filp).strip().decode("utf-8")
except StopIteration:
line = None
if line is not None:
for line in filp:
line = line.strip().decode("utf-8")
line = [c for c in line.split(" ") if c != ""]
# This shouldn't happen
if len(line) < 3:
continue
package = line[1]
version = line[2]
yield PackageData(package, version)

View File

@ -2,5 +2,8 @@
This package contains privilege escalation methods based on enumeration facts.
This could be passwords that the enumeration module found, or private keys or
anything else of use.
anything else of use. This is just an organizational module. Nothing special
happens here compared to other privesc modules. It just helps me keep the
different methods straight.
"""