{"id":18449088,"url":"https://github.com/shellphish/puppeteer","last_synced_at":"2025-04-08T01:32:43.362Z","repository":{"id":32895033,"uuid":"36489598","full_name":"shellphish/puppeteer","owner":"shellphish","description":null,"archived":false,"fork":false,"pushed_at":"2015-05-29T07:53:36.000Z","size":196,"stargazers_count":26,"open_issues_count":0,"forks_count":8,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-03-23T03:51:16.932Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shellphish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-05-29T07:51:52.000Z","updated_at":"2025-02-25T13:32:20.000Z","dependencies_parsed_at":"2022-09-05T23:11:42.718Z","dependency_job_id":null,"html_url":"https://github.com/shellphish/puppeteer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shellphish%2Fpuppeteer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shellphish%2Fpuppeteer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shellphish%2Fpuppeteer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shellphish%2Fpuppeteer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shellphish","download_url":"https://codeload.github.com/shellphish/puppeteer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247760657,"owners_count
":20991522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T07:18:27.379Z","updated_at":"2025-04-08T01:32:43.133Z","avatar_url":"https://github.com/shellphish.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# puppeteer\n\npuppeteer was an attempt to create an exploit framework, but it ended up being too overengineered and wasn't used too much. It's here for posterity.\n\n# Old README:\n\n\nIt's time for a framework for super l337 exploit development!\n\nWe spent a lot of time, and a lot of implementation effort, making programs dance the way we want them. Why not automate some of that?\n\nThe general idea is that we will do the most while implementing the least. The design is as follows:\n\n- the hacker creates a subclass of Manipulator, and implements the vulnerabilities they find (memory write, memory disclosure, printf vuln, whatever)\n- that's it! Ideally, the system does the rest.\n\nManipulator is a class that, given some vulns, manipulates the program to do all sorts of zany stuff. We'll see how it works out in the end, but my current plan is to create another class, Puppetmaster, that'll handle creating multiple manipulators (for example, if memory disclosures end up crashing the program), or maybe Manipulator will take care of that itself. 
Anything could happen!\n\n## Where to start?\n\nTo use this thing, you need to implement a subclass of Manipulator.\n\n**\\_\\_init\\_\\_**\n\nYour \\_\\_init\\_\\_ should make a connection to the program, or spawn it up, or whatever it is you're doing.\n\n**The Vulnerabilities**\n\nVulns are implemented by creating a method with a decorator. There are default decorators for each action (the memory\\_read below), and decorators that take options (the printf\\_flags below).\n\n\timport puppeteer\n\n\tclass YourFace(puppeteer.Manipulator):\n\t\tdef __init__(self):\n\t\t\t# stuff: connect to the target, or spawn it\n\t\t\tpass\n\n\t\t@puppeteer.memory_read\n\t\tdef some_leet_shit(self, addr, length):\n\t\t\t# l33t it up! (read `length` bytes at `addr`)\n\t\t\tpass\n\n\t\t@puppeteer.printf_flags(bytes_to_fmt=244)\n\t\tdef lol(self, fmt):\n\t\t\t# ohnoes! (hand `fmt` to the vulnerable printf)\n\t\t\tpass\n\nAnd with that, at some point in the future, you will be done. libc will be found and utilized to its full potential, and BOOM.\n\nIdeally, we'd be able to automatically find the offset for the printf, too, so you can just use @printf instead of @printf\\_flags!\n\n## Features\n\n- targeted read\n- targeted write\n- printf stuff\n\n- PLT redirection\n- callsite preparation\n\n## TODO\n\n- stack overwrite\n- command injection\n- blind command injection\n\n- return addr overwrite\n- library dumping\n- stack frame dumping\n- environment dumping\n- information leak (ASLR)\n- execute command\n- read file(s)\n- dump out process maps?\n\n- maybe have some idalink support for determining more stuff automatically?\n- rop stuff (at least find the cleanup gadgets automatically)\n- identify the base address of libc, or just dump it\n- implement the pwntools library searching stuff\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshellphish%2Fpuppeteer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshellphish%2Fpuppeteer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshellphish%2Fpuppeteer/lists"}