{"id":13390860,"url":"https://github.com/ChrisTheCoolHut/Zeratool","last_synced_at":"2025-03-13T15:32:16.946Z","repository":{"id":33449503,"uuid":"138416745","full_name":"ChrisTheCoolHut/Zeratool","owner":"ChrisTheCoolHut","description":"Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems","archived":false,"fork":false,"pushed_at":"2023-09-10T17:51:53.000Z","size":2725,"stargazers_count":1112,"open_issues_count":8,"forks_count":147,"subscribers_count":33,"default_branch":"master","last_synced_at":"2024-10-16T07:41:43.043Z","etag":null,"topics":["aeg","angr","buffer-overflow","ctf","shellcode","solver"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ChrisTheCoolHut.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-06-23T16:27:24.000Z","updated_at":"2024-10-14T13:07:30.000Z","dependencies_parsed_at":"2022-07-16T07:47:02.256Z","dependency_job_id":"941173f6-14da-474f-9f0a-faa16b1d38a0","html_url":"https://github.com/ChrisTheCoolHut/Zeratool","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FZeratool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FZeratool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FZeratool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ChrisTheCoolHut%2FZeratool/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/ChrisTheCoolHut","download_url":"https://codeload.github.com/ChrisTheCoolHut/Zeratool/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221380090,"owners_count":16809018,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aeg","angr","buffer-overflow","ctf","shellcode","solver"],"created_at":"2024-07-30T14:01:31.730Z","updated_at":"2024-10-25T03:30:49.715Z","avatar_url":"https://github.com/ChrisTheCoolHut.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# Zeratool v2.2\nAutomatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems\n\nThis tool uses [angr](https://github.com/angr/angr) to concolically analyze binaries by hooking printf and looking for [unconstrained paths](https://github.com/angr/angr-doc/blob/master/docs/examples.md#vulnerability-discovery). These program states are then weaponized for remote code execution through [pwntools](https://github.com/Gallopsled/pwntools) and a series of script tricks. Finally, the payload is tested locally and then submitted to a remote CTF server to recover the flag.\n\n[![asciicast](https://asciinema.org/a/457964.svg)](https://asciinema.org/a/457964)\n\n## Version 2.2 changes\n\nZeratool now supports remote libc leaking with buffer overflows. 
When a `puts` or `printf` call is present, Zeratool will leak out remote GOT entries and submit them to an online libc search database to find offsets without the need for a local copy of the library.\n\n[See remote libc leak in action!](https://asciinema.org/a/LL2ASZkIwEdwR0xsnzMb3oFLp)\n\nZeratool supports some basic ret2dlresolve chaining for 64-bit binaries. See the example below on how to run it.\n\n## Version 2.1 changes\n\nZeratool now supports some smart ROP chain generation. During a buffer overflow\nZeratool will attempt to leak a libc address, compute the base address, and build an execve(/bin/sh,NULL,NULL) chain or system(/bin/sh) chain.\n\n## Installing\nZeratool has been tested on Ubuntu 16.04 through 20.04. Please install [radare2](https://github.com/radareorg/radare2) first.\n\n    pip install zeratool\n    \n## Usage\nZeratool is a Python script which accepts a binary as an argument and, optionally, a linked libc library and CTF server connection information.\n\n```\n[chris:~/Zeratool] zerapwn.py -h\nusage: zerapwn.py [-h] [-l LIBC] [-u URL] [-p PORT] [-v] [--force_shellcode] [--force_dlresolve] [--skip_check] [--no_win] [--format_only] [--overflow_only] file\n\npositional arguments:\n  file                  File to analyze\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -l LIBC, --libc LIBC  libc to use\n  -u URL, --url URL     Remote URL to pwn\n  -p PORT, --port PORT  Remote port to pwn\n  -v, --verbose         Verbose mode\n  --force_shellcode     Set overflow pwn mode to point to shellcode\n  --force_dlresolve     Set overflow pwn mode to use ret2dlresolve\n  --skip_check          Skip first check and jump right to exploiting\n  --no_win              Skip win function checking\n  --format_only         Only run format strings check\n  --overflow_only       Only run overflow check\n\n```\n\n## Exploit Types\nZeratool is designed around weaponizing buffer overflows and format string vulnerabilities and 
currently supports a couple of types:\n\n * Buffer Overflow\n   * Point program counter to win function\n   * Point program counter to shellcode\n   * Point program counter to ROP chain\n     * ROP chains will attempt to leak a libc function\n     * ROP chains will then execve(/bin/sh) or system(/bin/sh)\n     * Can attempt a ret2dlresolve ROP chain\n     * Can attempt to use puts/printf to leak remote libc\n * Format String\n   * Point GOT entry to win function\n   * Point GOT entry to shellcode\n\n## Examples\nCheck out the samples.sh file. The file contains several examples of Zeratool automatically solving exploitable CTF problems.\n\n\n```\n#!/bin/bash\n# Buffer Overflows with win functions\nzerapwn.py tests/bin/bof_win_32\nzerapwn.py tests/bin/bof_win_64\n# Buffer Overflows with ropping\nzerapwn.py tests/bin/bof_nx_32\nzerapwn.py tests/bin/bof_nx_64\n# Buffer Overflow with ropping and libc leak\nzerapwn.py tests/bin/bof_nx_64 -l tests/bin/libc.so.6_amd64\n\n# Format string leak\nzerapwn.py tests/bin/read_stack_32\nzerapwn.py tests/bin/read_stack_64\n# Format string point to win function\nzerapwn.py challenges/medium_format\n# Format string point to shellcode\n#zerapwn.py challenges/hard_format # This one sometimes needs to be run twice\n\n# Buffer overflow point to shellcode\n# Turn off ASLR\n# echo 0 | sudo tee /proc/sys/kernel/randomize_va_space\nzerapwn.py tests/bin/bof_32 --force_shellcode\nzerapwn.py tests/bin/bof_64 --force_shellcode\n\n# Remote libc leak\nsocat TCP4-LISTEN:7903,tcpwrap=script,reuseaddr,fork EXEC:./bof_nx_64\nzerapwn.py tests/bin/bof_nx_64 -u localhost -p 7903 --skip_check --overflow_only\n\n# Ret2dlresolve\nzerapwn.py tests/bin/bof_dlresolve_64 --force_dlresolve --skip_check --overflow_only --no_win\n```\n\n[Long Asciinema with Three Solves](https://asciinema.org/a/188001)\n\n## Run the tests!\nTox and Pytest are used to verify that Zeratool is working correctly.\n```\ntox .\n```\n\n## FAQ\nQ. 
Why doesn't Zeratool work against my simple exploitable?\n\nA. Zeratool is held together by scotch tape and dreams. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChrisTheCoolHut%2FZeratool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FChrisTheCoolHut%2FZeratool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FChrisTheCoolHut%2FZeratool/lists"}