Exploitation Tools

TAS

A tiny framework for easily manipulate the tty and create fake binaries.

How it works?

The framework has three main functions, tas_execv, tas_forkpty, and tas_tty_loop.

• tas_execv: It is a function similar to execv, but it doesn’t re-execute the current binary, something very useful for creating fake binaries.

• tas_forkpty: Is the same as forkpty, but it fills a custom structure, check forkpty man page for more details.

• tas_tty_loop: here is where the manipulation of the tty happen, you can set a hook function for the input and output, so it is possible to store the keys typed by the user or manipulate the terminal output. (see leet-shell).

This is a superficial overview, check the codes in tas/fakebins/fun folders to understand how it really works.

SUID3NUM

A standalone python script which utilizes python’s built-in modules to find SUID bins, separate default bins from custom bins, cross-match those with bins in GTFO Bin’s repository & auto-exploit those, all with colors!

Donut

Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.

Postenum

Postenum is a clean, nice and easy tool for basic/advanced privilege escalation vectors/techniques. Postenum tool is intended to be executed locally on a Linux box.

Be more than a normal user. be the ROOT.