Nytro Posted July 30, 2018 Report Posted July 30, 2018 Exploit-Development-Tools A bunch of my exploit development helper tools, that I've developed over time and used, collected in one place. Gathered mostly from my (gists) and/or HDD. Tools of trade: expdevBadChars - This is a Bad Characters highlighter intended to be used for exploit development purposes. It supports multiple input formats and is able to effectively convert from regex-matching format to the byte array. This makes this tool useful while we have for instance shellcode encoded as a Python string concatenation sequence and we want to quickly compare it with the OllyDbg memory that we just dumped (either in textual, printable form or in raw hex binary bytes). For more informations, go to: expdevBadChars ascii-shellcode-encoder.py - ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's substract arguments finding algorithm. (Gist) Example output: [*] Input buffer size: 32 bytes. [+] SHELLCODE ENCODED PROPERLY. Resulted length: 207 bytes -------------------------------------------------------------------------------- %JMNU%521*TX-fMUU-fKUU-jPUUP\%JMNU%521*-bb3b-b060-t2C2-SSSSP-5qv7-0g7g-*b0b-7777P-PB0v-mmmm-v6vp-L8KaP-vvrv-4v0v-1K-w-ffffP-nn5n-uu*p-gf1t-iiiiP-VVVn-MmMM-StrS-Duv6P-%9Hx-0Bfk-84fz-ffffP-UUUU-gyUU-uzqq-xwkNP -------------------------------------------------------------------------------- [+] HEX FORM: 254a4d4e55253532312a54582d664d55552d664b55552d6a505555505c254a4d4e55253532312a2d626233622d623036302d743243322d53535353502d357176372d306737672d2a6230622d37373737502d504230762d6d6d6d6d2d763676702d4c384b61502d767672762d347630762d314b2d772d66666666502d6e6e356e2d75752a702d676631742d69696969502d5656566e2d4d6d4d4d2d537472532d44757636502d253948782d3042666b2d3834667a2d66666666502d555555552d677955552d757a71712d78776b4e50 [+] ESCAPED-HEX FORM: \x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x54\x58\x2d\x66\x4d\x55\x55\x2d\x66\x4b\x55\x55\x2d\x6a\x50\x55\x55\x50\x5c\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x33\x62\x2d\x62\x30\x36\x30\x2d\x74\x32\x43\x32\x2d\x53\x53\x53\x53\x50\x2d\x35\x71\x76\x37\x2d\x30\x67\x37\x67\x2d\x2a\x62\x30\x62\x2d\x37\x37\x37\x37\x50\x2d\x50\x42\x30\x76\x2d\x6d\x6d\x6d\x6d\x2d\x76\x36\x76\x70\x2d\x4c\x38\x4b\x61\x50\x2d\x76\x76\x72\x76\x2d\x34\x76\x30\x76\x2d\x31\x4b\x2d\x77\x2d\x66\x66\x66\x66\x50\x2d\x6e\x6e\x35\x6e\x2d\x75\x75\x2a\x70\x2d\x67\x66\x31\x74\x2d\x69\x69\x69\x69\x50\x2d\x56\x56\x56\x6e\x2d\x4d\x6d\x4d\x4d\x2d\x53\x74\x72\x53\x2d\x44\x75\x76\x36\x50\x2d\x25\x39\x48\x78\x2d\x30\x42\x66\x6b\x2d\x38\x34\x66\x7a\x2d\x66\x66\x66\x66\x50\x2d\x55\x55\x55\x55\x2d\x67\x79\x55\x55\x2d\x75\x7a\x71\x71\x2d\x78\x77\x6b\x4e\x50 [+] PYTHON COMPACT SEXY FORM: shellcode += r"%JMNU%521*TX-fMUU-fK" shellcode += r"UU-jPUUP\%JMNU%521*-" shellcode += r"bb3b-b060-t2C2-SSSSP" shellcode += r"-5qv7-0g7g-*b0b-7777" shellcode += r"P-PB0v-mmmm-v6vp-L8K" shellcode += r"aP-vvrv-4v0v-1K-w-ff" shellcode += r"ffP-nn5n-uu*p-gf1t-i" shellcode += r"iiiP-VVVn-MmMM-StrS-" shellcode += r"Duv6P-%9Hx-0Bfk-84fz" shellcode += r"-ffffP-UUUU-gyUU-uzq" shellcode += r"q-xwkNP" It is possible also to generate list of SUB instructions to compute only one DWORD: kali $ ./ascii-shellcode-encoder.py 0x1688 [*] Input buffer size: 4 bytes. [+] SHELLCODE ENCODED PROPERLY. Resulted length: 21 bytes -------------------------------------------------------------------------------- -A777-i%%%-r2II-\ZZZP -------------------------------------------------------------------------------- [+] HEX FORM: 2d413737372d692525252d723249492d5c5a5a5a50 [+] ESCAPED-HEX FORM: \x2d\x41\x37\x37\x37\x2d\x69\x25\x25\x25\x2d\x72\x32\x49\x49\x2d\x5c\x5a\x5a\x5a\x50 [+] PYTHON COMPACT SEXY FORM: shellcode += r"-A777-i%%%-r2II-\ZZZ" shellcode += r"P" format_string_vuln_gen.py - Format String vulnerability input generator to be used during exploit development stage at constructing stable x86 (32bit) input vectors. (Gist) Example usage scenario - Using Format String vulnerability, we want to overwrite two DWORDs at specified addresses with some specific values: root# ./gen_format_string.py 0xbffff50c,0xbffff514 14 $'\x90\x31\xe6\xb7' $'\x24\x3a\xf8\xb7' -n 1 .:: x86/32bit Format string generator ::. - by mgeeky, 2016, v0.3a [>] Addresses to overwrite: ['0xbffff50c', '0xbffff514'] (...) Resulted format string to use (116 bytes long / 0x74) padded in front with 1 dots to mimic offset: $'.\x0c\xf5\xff\xbf\x0e\xf5\xff\xbf\x14\xf5\xff\xbf\x16\xf5\xff\xbf%12671x%14$hn%34390x%15$hn%33342x%16$hn%32212x%17$hn' lindump - simple process memory dumping utility based on ptrace :: lindump v0.1 Simple Linux process memory dumping utility based on ptrace Mariusz B., '16 Usage: lindump [options] <pid> [start [stop|Llen]] Arguments: <pid> Process ID start Dumping start address, may be 0x for hex, or not for dec. stop Upper address to reach while dumping. When preceded with letter 'L' stands for length Llen Specifies number of bytes to dump. Also may be preceded with 0x (e.g. L0x10) Options: -o Memory dumps output directory (stdout hexdump otherwise, '-' for stdout) -f Force dumping of unreadable or inaccessible regions (still not a brute force) -v Verbose output. -h This cruft dlresolve - dynamic symbol resolve utility useful while in need of obtainin symbol's address and it's offset relative to the libc's base (handy while crafting ASLR exploits) ./dlresolve system [+] libc comes from: /lib/x86_64-linux-gnu/libc-2.19.so [+] libc loaded at: 0x7f44e2b24000 [+] system located at: 0x7f44e2b65490 [+] Offset from libc base: 0x00041490 python_memory_dump.py - Example of dumping memory from within Python's code, using ctypes.c_byte.from_address (Gist) Example usage: $ ./python_memory_dump.py Hex dump from 0x000055b92c7c2000 0000 | 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 | .ELF............ 0010 | 03 00 3e 00 01 00 00 00 10 42 0d 00 00 00 00 00 | ..>......B...... 0020 | 40 00 00 00 00 00 00 00 38 4c 39 00 00 00 00 00 | @.......8.9..... 0030 | 00 00 00 00 40 00 38 00 09 00 40 00 1e 00 1d 00 | ....@.8...@..... 0040 | 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00 | ........@....... 0050 | 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | @.......@....... 0060 | 08 01 00 00 00 00 00 00 08 01 00 00 00 00 00 00 | ................ 0070 | 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 | ................ 0080 | 38 02 00 00 00 00 00 00 38 02 00 00 00 00 00 00 | 8.......8....... 0090 | 38 02 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 | 8............... 00a0 | 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 | ................ 00b0 | 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 | ................ 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 0c 2d 32 00 00 00 00 00 0c 2d 32 00 00 00 00 00 | .-2......-2..... 00e0 | 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 | .. ............. 00f0 | 38 39 32 00 00 00 00 00 38 39 52 00 00 00 00 00 | .92......9R..... kernel_dump_seh.wds - Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure. Useful while working on Kernel-Mode SEH-based exploitation. (Gist) Example output: 0: kd> $$><C:\Users\ieuser\Desktop\dump_seh.wds KPCR. = 0x8293dc00 KPCR.NtTib.ExceptionList = 0x829371ec SEH[00]: Next: 0x82937254, Handler: 0x828d36f0 SEH[01]: Next: 0x82937ad4, Handler: 0x828d36f0 SEH[02]: Next: 0x82937c04, Handler: 0x828d36f0 SEH[03]: Next: 0x9a1092e4, Handler: 0x828d36f0 SEH[04]: Next: 0x9a1093ec, Handler: 0x828d36f0 SEH[05]: Next: 0x9a109a34, Handler: 0x8288aad6 SEH[06]: Next: 0x9a109b3c, Handler: 0x828d36f0 SEH[07]: Next: 0x9a10a184, Handler: 0x8288aad6 SEH[08]: Next: 0x9a10a28c, Handler: 0x828d36f0 SEH[09]: Next: 0x9a10a8d4, Handler: 0x8288aad6 SEH[10]: Next: 0x9a10a9dc, Handler: 0x828d36f0 SEH[11]: Next: 0x9a10b024, Handler: 0x8288aad6 SEH[12]: Next: 0x9a10b12c, Handler: 0x828d36f0 SEH[13]: Next: 0x9a10b76c, Handler: 0x8288aad6 SEH[14]: Next: 0x9a10bac0, Handler: 0x828d36f0 SEH[15]: Next: 0x35724134, Handler: 0x41367241 ^-- Broken Handler. printable.sh - One liner determining whether Metasploit's msfpescan's output addresses are printable (contain only ascii characters) or not. (Gist) pexpect-interactive.py - Basic Python's pexpect usage routines in interactive process invocation. Especially handy when it comes to heap-overflow or Use-After-Free exploits, since such process interaction in python may be cumbersome without proper process I/O primitives. (Gist) request2size.c - Simple utility calculating some basic heap chunk's characteristics like chunk size, bin index and it's range - according to original Doug Lea's heap allocator implementation. Useful while grasping Heap Overflow binning conditions. (Gist) find-aslr-collision.sh - Find ASLR collision bash one-liner. (Gist) For the record: x86 ( Linux protostar 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux) ASLR collision found after: 903 re-launch. (it takes no more than couple of seconds ) x86_64 ( Linux work 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux ) ASLR collision found after: 304610 re-launch. (it took roughly 16 minutes ) findInstr.sh - Ultra simple Assembly instruction grepper rolling byte-by-byte within target's .text section - to be used while looking for trampoline address for ROP/Exploit (Gist) bin2shellcode.py - Binary blob to C-array simple converting script. Useful when embedding compiled binary shellcode within C program. (Gist) execve.c - Example of simple execve("/bin/sh", ...) shellcode, embedded in C program. (Gist) memory-occupied-by-process.sh - Bash oneliner counting number of bytes occupied by chosen (by PID) process. It works by iterating /proc/$PID/maps file, then computing each memory region range size, then adding it together. Kinda slow though. Worth to mention - it is terribly bad at performance, having written this oneliner I realized we can use /proc/$PID/smaps to obtain the same result much faster. (Gist) shellc2bin.py - Shellcode 2 binary script that reads C-formatted array from Windows clipboard and converts it to binary output written to desired file. (Gist) encshell.py - x86 Shellcode XOR-based encoder intended to do away forbidden chars. Came handy to me several times (Gist) shellcode_win32_netw_active.asm - Win32/x86 Reverse-Shell Shellcode written by hand, with dynamic API resolution. shellcode_win32_spawn_cmd.asm - Win32/x86 Spawn CMD shellcode with dynamic API resolution. Sursa: https://github.com/mgeeky/Exploit-Development-Tools Quote
Tejvil Posted September 13, 2018 Report Posted September 13, 2018 (edited) Salut scuze ca te deranjez ,ai putea sa imi recomanzi niste carti ,mai basic despre windows/linux exploit development si privilege escalation ,am facut si eu ceva exploituri ,dar as vrea sa cunosc mai multe le-am pus aici : https://www.exploit-db.com/author/?a=9434 Edited September 13, 2018 by Tejvil Quote
Nytro Posted September 13, 2018 Author Report Posted September 13, 2018 Hacking, the art of exploitation Dar gasesti multe tutoriale pe Google. Quote
sleed Posted September 14, 2018 Report Posted September 14, 2018 https://github.com/FabioBaroni/awesome-exploit-development https://github.com/wtsxDev/reverse-engineering https://www.vulnhub.com/ https://ctflearn.com/index.php https://hackinparis.com/archives/ 1 Quote
sleed Posted September 14, 2018 Report Posted September 14, 2018 @ Pentru memory dump: https://zeltser.com/memory-acquisition-with-dumpit-for-dfir-2/ -> 1 Quote