Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mgeeky/exploit-development-tools

A bunch of my exploit development helper tools, collected in one place.
https://github.com/mgeeky/exploit-development-tools

development exploit tools

Last synced: 2 months ago
JSON representation

A bunch of my exploit development helper tools, collected in one place.

Host: GitHub
URL: https://github.com/mgeeky/exploit-development-tools
Owner: mgeeky
License: gpl-3.0
Created: 2017-08-10T06:45:27.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2022-09-02T11:15:35.000Z (over 2 years ago)
Last Synced: 2024-05-02T02:10:01.873Z (8 months ago)
Topics: development, exploit, tools
Language: Python
Size: 59.6 KB
Stars: 141
Watchers: 11
Forks: 45
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

## Exploit-Development-Tools

A bunch of my exploit development helper tools, that I've developed over time and used, collected in one place. Gathered mostly from my ([gists](https://gist.github.com/mgeeky)) and/or HDD.

---

## Tools of trade:

- **`expdevBadChars`** - This is a Bad Characters highlighter intended to be used for exploit development purposes. It supports multiple input formats and is able to effectively convert from regex-matching format to the byte array.

> This makes this tool useful while we have for instance shellcode encoded as a Python string concatenation sequence and we want to quickly compare it with the OllyDbg memory that we just dumped (either in textual, printable form or in raw hex binary bytes).

For more informations, go to: [expdevBadChars](https://github.com/mgeeky/expdevBadChars)

- **`ascii-shellcode-encoder.py`** - ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's substract arguments finding algorithm. ([Gist](https://gist.github.com/mgeeky/8a118c69312b35a9db7f19f61c7a6b3c))

Example output:
```
[*] Input buffer size: 32 bytes.
[+] SHELLCODE ENCODED PROPERLY. Resulted length: 207 bytes

--------------------------------------------------------------------------------
%JMNU%521*TX-fMUU-fKUU-jPUUP\%JMNU%521*-bb3b-b060-t2C2-SSSSP-5qv7-0g7g-*b0b-7777P-PB0v-mmmm-v6vp-L8KaP-vvrv-4v0v-1K-w-ffffP-nn5n-uu*p-gf1t-iiiiP-VVVn-MmMM-StrS-Duv6P-%9Hx-0Bfk-84fz-ffffP-UUUU-gyUU-uzqq-xwkNP
--------------------------------------------------------------------------------

[+] HEX FORM:
254a4d4e55253532312a54582d664d55552d664b55552d6a505555505c254a4d4e55253532312a2d626233622d623036302d743243322d53535353502d357176372d306737672d2a6230622d37373737502d504230762d6d6d6d6d2d763676702d4c384b61502d767672762d347630762d314b2d772d66666666502d6e6e356e2d75752a702d676631742d69696969502d5656566e2d4d6d4d4d2d537472532d44757636502d253948782d3042666b2d3834667a2d66666666502d555555552d677955552d757a71712d78776b4e50

[+] ESCAPED-HEX FORM:
\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x54\x58\x2d\x66\x4d\x55\x55\x2d\x66\x4b\x55\x55\x2d\x6a\x50\x55\x55\x50\x5c\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x33\x62\x2d\x62\x30\x36\x30\x2d\x74\x32\x43\x32\x2d\x53\x53\x53\x53\x50\x2d\x35\x71\x76\x37\x2d\x30\x67\x37\x67\x2d\x2a\x62\x30\x62\x2d\x37\x37\x37\x37\x50\x2d\x50\x42\x30\x76\x2d\x6d\x6d\x6d\x6d\x2d\x76\x36\x76\x70\x2d\x4c\x38\x4b\x61\x50\x2d\x76\x76\x72\x76\x2d\x34\x76\x30\x76\x2d\x31\x4b\x2d\x77\x2d\x66\x66\x66\x66\x50\x2d\x6e\x6e\x35\x6e\x2d\x75\x75\x2a\x70\x2d\x67\x66\x31\x74\x2d\x69\x69\x69\x69\x50\x2d\x56\x56\x56\x6e\x2d\x4d\x6d\x4d\x4d\x2d\x53\x74\x72\x53\x2d\x44\x75\x76\x36\x50\x2d\x25\x39\x48\x78\x2d\x30\x42\x66\x6b\x2d\x38\x34\x66\x7a\x2d\x66\x66\x66\x66\x50\x2d\x55\x55\x55\x55\x2d\x67\x79\x55\x55\x2d\x75\x7a\x71\x71\x2d\x78\x77\x6b\x4e\x50

[+] PYTHON COMPACT SEXY FORM:
shellcode += r"%JMNU%521*TX-fMUU-fK"
shellcode += r"UU-jPUUP\%JMNU%521*-"
shellcode += r"bb3b-b060-t2C2-SSSSP"
shellcode += r"-5qv7-0g7g-*b0b-7777"
shellcode += r"P-PB0v-mmmm-v6vp-L8K"
shellcode += r"aP-vvrv-4v0v-1K-w-ff"
shellcode += r"ffP-nn5n-uu*p-gf1t-i"
shellcode += r"iiiP-VVVn-MmMM-StrS-"
shellcode += r"Duv6P-%9Hx-0Bfk-84fz"
shellcode += r"-ffffP-UUUU-gyUU-uzq"
shellcode += r"q-xwkNP"
```

It is possible also to generate list of SUB instructions to compute only one **DWORD**:

```
kali $ ./ascii-shellcode-encoder.py 0x1688
[*] Input buffer size: 4 bytes.
[+] SHELLCODE ENCODED PROPERLY. Resulted length: 21 bytes

--------------------------------------------------------------------------------
-A777-i%%%-r2II-\ZZZP
--------------------------------------------------------------------------------

[+] HEX FORM:
2d413737372d692525252d723249492d5c5a5a5a50

[+] ESCAPED-HEX FORM:
\x2d\x41\x37\x37\x37\x2d\x69\x25\x25\x25\x2d\x72\x32\x49\x49\x2d\x5c\x5a\x5a\x5a\x50

[+] PYTHON COMPACT SEXY FORM:
shellcode += r"-A777-i%%%-r2II-\ZZZ"
shellcode += r"P"
```

- **`format_string_vuln_gen.py`** - Format String vulnerability input generator to be used during exploit development stage at constructing stable x86 (32bit) input vectors. ([Gist](https://gist.github.com/mgeeky/3c983e89f8988812ed78d1d5597ad728))

_Example usage scenario - Using Format String vulnerability, we want to overwrite two DWORDs at specified addresses with some specific values:_

```
root# ./gen_format_string.py 0xbffff50c,0xbffff514 14 $'\x90\x31\xe6\xb7' $'\x24\x3a\xf8\xb7' -n 1

.:: x86/32bit Format string generator ::.
- by mgeeky, 2016, v0.3a

[>] Addresses to overwrite: ['0xbffff50c', '0xbffff514']
(...)
Resulted format string to use (116 bytes long / 0x74) padded in front with 1 dots to mimic offset:

$'.\x0c\xf5\xff\xbf\x0e\xf5\xff\xbf\x14\xf5\xff\xbf\x16\xf5\xff\xbf%12671x%14$hn%34390x%15$hn%33342x%16$hn%32212x%17$hn'
```

- **`lindump`** - simple process memory dumping utility based on ptrace

```
:: lindump v0.1
Simple Linux process memory dumping utility based on ptrace
Mariusz Banach, '16

Usage: lindump [options] [start [stop|Llen]]

Arguments:
Process ID
start Dumping start address, may be 0x for hex, or not for dec.
stop Upper address to reach while dumping.
When preceded with letter 'L' stands for length
Llen Specifies number of bytes to dump. Also may be preceded with 0x (e.g. L0x10)

Options:
-o Memory dumps output directory (stdout hexdump otherwise, '-' for stdout)
-f Force dumping of unreadable or inaccessible regions (still not a brute force)
-v Verbose output.
-h This cruft
```

- **`dlresolve`** - dynamic symbol resolve utility useful while in need of obtainin symbol's address and it's offset relative to the libc's base (handy while crafting ASLR exploits)

```
./dlresolve system
[+] libc comes from: /lib/x86_64-linux-gnu/libc-2.19.so
[+] libc loaded at: 0x7f44e2b24000
[+] system located at: 0x7f44e2b65490
[+] Offset from libc base: 0x00041490
```

- **`python_memory_dump.py`** - Example of dumping memory from within Python's code, using _ctypes.c_byte.from_address_ ([Gist](https://gist.github.com/mgeeky/6a8fa7814efb6c8ad783c3c76c791c4c))

Example usage:
```
$ ./python_memory_dump.py
Hex dump from 0x000055b92c7c2000
0000 | 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 | .ELF............
0010 | 03 00 3e 00 01 00 00 00 10 42 0d 00 00 00 00 00 | ..>......B......
0020 | 40 00 00 00 00 00 00 00 38 4c 39 00 00 00 00 00 | @.......8.9.....
0030 | 00 00 00 00 40 00 38 00 09 00 40 00 1e 00 1d 00 | [email protected]...@.....
0040 | 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00 | ........@.......
0050 | 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | @.......@.......
0060 | 08 01 00 00 00 00 00 00 08 01 00 00 00 00 00 00 | ................
0070 | 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 | ................
0080 | 38 02 00 00 00 00 00 00 38 02 00 00 00 00 00 00 | 8.......8.......
0090 | 38 02 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 | 8...............
00a0 | 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 | ................
00b0 | 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 0c 2d 32 00 00 00 00 00 0c 2d 32 00 00 00 00 00 | .-2......-2.....
00e0 | 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 | .. .............
00f0 | 38 39 32 00 00 00 00 00 38 39 52 00 00 00 00 00 | .92......9R.....
```

- **`kernel_dump_seh.wds`** - Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure. Useful while working on Kernel-Mode SEH-based exploitation. ([Gist](https://gist.github.com/mgeeky/0be059d9395721865b3dcb5d5a96cbed))
Example output:
```
0: kd> $$>
(https://github.com/mgeeky)
```