def shellcode(args):
# Parsing arguments
if (not args):
print_help()
return
if (args[0] in [OPTION_LIST, OPTION_LIST_SHORT]):
func = list_shellcodes
elif (args[0] in [OPTION_ADD, OPTION_ADD_SHORT]):
func = add
elif (args[0] in [OPTION_REMOVE, OPTION_REMOVE_SHORT]):
func = remove
elif (args[0] in [OPTION_HELP, OPTION_HELP_SHORT]):
print_help()
return
else:
error("Error. Unknown option '{}'".format(args[0]))
return
if (len(args) == 1):
error("Architecture missing")
print(string_bold("\tSupported architectures")+": "+\
','.join([string_special(arch) for arch in Arch.available]))
elif (not args[1] in Arch.available):
error("Architecture {} not supported".format(string_special(args[1])))
print(string_bold("\tSupported architectures")+": "+\
','.join([string_special(arch) for arch in Arch.available]))
else:
func(args[1])
return
def strPython(self, bits, badBytes=[], init=True, noTab=False):
if (noTab):
tab = ''
else:
tab = '\t'
# Getting endianness to pack values
if (bits == 32):
endianness_str = "'<I'"
elif (bits == 64):
endianness_str = "'<Q'"
else:
raise Exception("{}-bits architecture not supported".format(bits))
pack_str = "p += pack(" + endianness_str + ","
res = ''
if (init):
res += tab + "from struct import pack\n"
res += tab + "p = ''"
for element in self.chain:
if (not isinstance(element, Gadget)):
padding_str = pack_str
padding_str += string_special(
'0x' + format(self.paddings[element][0], '0' +
str(bits / 4) + 'x')) + ")"
padding_str += " # " + self.paddings[element][1]
res += "\n" + tab + padding_str
else:
res += "\n"+tab+pack_str+string_special(validAddrStr(element, badBytes, bits)) +\
") # " + string_bold(element.asmStr)
return res
def show_shellcode():
print(string_bold('\n\t-------------------------------'))
print(string_bold("\tSelected shellcode - arch " + string_special(arch)))
print(string_bold('\t-------------------------------'))
(shellcode, info) = selected(arch)
print("\n\t{}\n\n{} - {} bytes".format( info, \
string_special(pack_shellcode(shellcode)), str(len(shellcode))))
def list_regs():
"""
List available registers
"""
print(banner([string_bold("Available registers")]))
for reg in sorted(Arch.regNameToNum.keys()):
if (reg == Arch.currentArch.ip):
print("\t" + string_special(reg) + " - instruction pointer")
elif (reg == Arch.currentArch.sp):
print("\t" + string_special(reg) + " - stack pointer")
else:
print("\t" + string_special(reg))
def select_shellcode(arch):
"""
Returns shellcode pair (shellcode, description)
"""
if (not shellcodes[arch]):
error("No shellcodes available for architecture " + arch)
return (None, None)
list_shellcodes(arch)
print("")
choice = None
ok = False
sys.stdout.write('\t' + string_ropg('> ') + 'Select a shellcode:\n')
while (not ok):
choice_input = prompt(u" > ")
try:
choice = int(choice_input)
if (choice >= 1 and choice <= len(shellcodes[arch])):
ok = True
else:
print(string_special("\tError. Invalid choice"))
except:
ok = False
return shellcodes[arch][choice - 1]
def build_call_linux64(funcName, funcArgs, constraint, assertion, clmax=None, optimizeLen=False):
# Arguments registers
# (Args should go in these registers for x64)
argsRegsNames = ['rdi','rsi','rdx','rcx', 'r8', 'r9']
argsRegs = [Arch.n2r(name) for name in argsRegsNames]
# Find the address of the fonction
(funcName2, funcAddr) = getFunctionAddress(funcName)
if( funcName2 is None ):
return "Couldn't find function '{}' in the binary".format(funcName)
# Check if bad bytes in function address
if( not constraint.badBytes.verifyAddress(funcAddr) ):
return "'{}' address ({}) contains bad bytes".format(funcName2, string_special('0x'+format(funcAddr, '0'+str(Arch.octets()*2)+'x')))
# Check how many arguments
if( len(funcArgs) > 6 ):
return "Doesn't support function call with more than 6 arguments with Linux X64 calling convention :("
# Find a gadget for the fake return address
if( funcArgs ):
# Build the ropchain with the arguments
args_chain = popMultiple(map(lambda x,y:(x,)+y, argsRegs[:len(funcArgs)], funcArgs), constraint, assertion, clmax=clmax, optimizeLen=optimizeLen)
if( not args_chain):
return "Couldn't load arguments in registers"
else:
# No arguments
args_chain = ROPChain()
# Build call chain (function address + fake return address)
return args_chain.addPadding(funcAddr, comment=string_ropg(funcName2))
def remove_shellcode(arch, number):
global shellcodes
if (number < 1 or number > len(shellcodes[arch])):
print(string_special("\tInvalid shellcode number\n"))
return False
del shellcodes[arch][number - 1]
return True
def add(arch):
print(banner([string_bold('Adding a new shellcode')]))
shellcode = ''
ok = False
while (not ok):
sys.stdout.write('\t' + string_ropg('> ') +
'Enter your shellcode as a string in hex format:\n')
shellcode_input = prompt(u" > ")
try:
shellcode = shellcode_input.replace('\\x', '').decode('hex')
ok = True
except:
ok = False
if (not ok):
print(
string_special(
"\tError. Your input is in wrong format or invalid"))
sys.stdout.write('\t' + string_ropg('> ') +
'Enter short shellcode name/description:\n')
info = ""
while (not info):
info = prompt(u" > ")
info = filter(lambda x: x in set(string.printable), info)
add_shellcode(arch, shellcode, info)
def __str__(self):
res = self.ret + " " + string_bold(self.name)
res += "("
res += ', '.join(
[a[0] + " " + string_special(a[1]) for a in self.args])
res += ")"
return res
def list_shellcodes(arch):
global shellcodes
if (arch not in Arch.available):
error("Error. Architecture {} is not supported".format(arch))
return
if (not shellcodes[arch]):
error("No shellcodes available for architecture " + arch)
return
print(
banner([
string_bold("Available shellcodes for arch " +
string_special(arch))
]))
i = 0
for shellcode in shellcodes[arch]:
i = i + 1
number = "({})".format(string_bold(str(i)))
print("\n\t{} {}\n\t{} - {} bytes".format(number, shellcode[1], \
string_special(short_shellcode(shellcode[0])), str(len(shellcode[0]))))
def strConsole(self, bits, badBytes=[]):
res = ''
for element in self.chain:
if (not isinstance(element, Gadget)):
element_str = string_special('0x' + format(
self.paddings[element][0], '0' + str(bits / 4) + 'x'))
element_str += ' (' + self.paddings[element][1] + ')'
else:
valid_addr_str = validAddrStr(element, badBytes, bits)
if (not valid_addr_str):
error(
"Error! ROP-Chain gadget with no valid address. THIS SHOULD NOT HAPPEND (please report the bug for fixes)"
)
return ''
element_str = string_special(valid_addr_str) +\
" (" + string_bold(element.asmStr) + ")"
if (res != ''):
res += "\n\t" + element_str
else:
res += "\t" + element_str
return res
def build_call(funcName, funcArgs, constraint, assertion):
# Find the address of the fonction
(funcName2, funcAddr) = getFunctionAddress(funcName)
if (funcName2 is None):
return "Couldn't find function '{}' in the binary".format(funcName)
# Check if bad bytes in function address
if (not constraint.badBytes.verifyAddress(funcAddr)):
return "'{}' address ({}) contains bad bytes".format(
funcName2,
string_special('0x' + format(funcAddr, '0' +
str(Arch.octets() * 2) + 'x')))
# Find a gadget for the fake return address
offset = len(
funcArgs) * 8 - 8 # Because we do +8 at the beginning of the loop
skip_args_chains = []
i = 4
while (i > 0 and (not skip_args_chains)):
offset += 8
skip_args_chains = search(QueryType.MEMtoREG, Arch.ipNum(), \
(Arch.spNum(),offset), constraint, assertion, n=1)
i -= 1
if (not skip_args_chains):
return "Couldn't build ROP-Chain"
skip_args_chain = skip_args_chains[0]
# Build the ropchain with the arguments
args_chain = ROPChain()
arg_n = len(funcArgs)
for arg in reversed(funcArgs):
if (isinstance(arg, int)):
args_chain.addPadding(arg,
comment="Arg{}: {}".format(
arg_n, string_ropg(hex(arg))))
arg_n -= 1
else:
return "Type of argument '{}' not supported yet :'(".format(arg)
# Build call chain (function address + fake return address)
call_chain = ROPChain()
call_chain.addPadding(funcAddr, comment=string_ropg(funcName2))
skip_args_addr = int(
validAddrStr(skip_args_chain.chain[0], constraint.getBadBytes(),
Arch.bits()), 16)
call_chain.addPadding(skip_args_addr,
comment="Address of: " +
string_bold(str(skip_args_chain.chain[0])))
return call_chain.addChain(args_chain)
def print_functions(func_list):
"""
func_list - list of pairs (str, int) = (funcName, funcAddress)
"""
space = 28
print(banner([string_bold("Available functions")]))
print("\tFunction" + " " * (space - 8) + "Address")
print("\t------------------------------------")
for (funcName, funcAddr) in sorted(func_list, key=lambda x: x[0]):
space2 = space - len(funcName)
if (space2 < 0):
space2 = 2
print("\t" + string_special(funcName) + " " * space2 + hex(funcAddr))
print("")
def build_call_linux86(funcName, funcArgs, constraint, assertion, clmax=None, optimizeLen=False):
# Find the address of the fonction
(funcName2, funcAddr) = getFunctionAddress(funcName)
if( funcName2 is None ):
return "Couldn't find function '{}' in the binary".format(funcName)
# Check if bad bytes in function address
if( not constraint.badBytes.verifyAddress(funcAddr) ):
return "'{}' address ({}) contains bad bytes".format(funcName2, string_special('0x'+format(funcAddr, '0'+str(Arch.octets()*2)+'x')))
# Check if lmax too small
if( (1 + len(funcArgs) + (lambda x: 1 if len(x)>0 else 0)(funcArgs)) > clmax ):
return "Not enough bytes to call function '{}'".format(funcName)
# Find a gadget for the fake return address
if( funcArgs ):
offset = (len(funcArgs)-1)*Arch.octets() # Because we do +octets() at the beginning of the loop
skip_args_chains = []
i = 4 # Try 4 more maximum
while( i > 0 and (not skip_args_chains)):
offset += Arch.octets()
skip_args_chains = search(QueryType.MEMtoREG, Arch.ipNum(), \
(Arch.spNum(),offset), constraint, assertion, n=1, optimizeLen=optimizeLen)
i -= 1
if( not skip_args_chains ):
return "Couldn't build ROP-Chain"
skip_args_chain = skip_args_chains[0]
else:
# No arguments
skip_args_chain = None
# Build the ropchain with the arguments
args_chain = ROPChain()
arg_n = len(funcArgs)
for arg in reversed(funcArgs):
if( isinstance(arg, int) ):
args_chain.addPadding(arg, comment="Arg{}: {}".format(arg_n, string_ropg(hex(arg))))
arg_n -= 1
else:
return "Type of argument '{}' not supported yet :'(".format(arg)
# Build call chain (function address + fake return address)
call_chain = ROPChain()
call_chain.addPadding(funcAddr, comment=string_ropg(funcName2))
if( funcArgs ):
skip_args_addr = int( validAddrStr(skip_args_chain.chain[0], constraint.getBadBytes(), Arch.bits()) ,16)
call_chain.addPadding(skip_args_addr, comment="Address of: "+string_bold(str(skip_args_chain.chain[0])))
return call_chain.addChain(args_chain)
def remove(arch):
if (not shellcodes[arch]):
error("No shellcodes to remove for architecture " + arch)
return
list_shellcodes(arch)
print("")
choice = ''
ok = False
sys.stdout.write('\t' + string_ropg('> ') +
'Select a shellcode to remove:\n')
while (not ok):
choice_input = prompt(u" > ")
try:
choice = int(choice_input)
ok = remove_shellcode(arch, choice)
if (not ok):
print(string_special("\tError. Invalid choice"))
except:
ok = False
print("")
notify('Shellcode removed')
import subprocess
OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"
OPTION_ADD = "--add"
OPTION_ADD_SHORT = "-a"
OPTION_REMOVE = "--remove"
OPTION_REMOVE_SHORT = "-r"
OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"
CMD_SHELLCODE_HELP = banner([string_bold("'shellcode' command"),\
string_special("(Manage shellcodes for your exploits)")])
CMD_SHELLCODE_HELP += "\n\n\t"+string_bold("Usage")+\
"\n\t\tshellcode [OPTION] <arch>"
CMD_SHELLCODE_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
OPTION_LIST_SHORT) + "," + string_special(
OPTION_LIST) + "\tList available shellcodes"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
OPTION_ADD_SHORT) + "," + string_special(OPTION_ADD) + "\tAdd a shellcode"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
OPTION_REMOVE_SHORT) + "," + string_special(
OPTION_REMOVE) + "\tRemove a previously added shellcode"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
OPTION_HELP_SHORT) + "," + string_special(OPTION_HELP) + "\tShow this help"
CMD_SHELLCODE_HELP += "\n\n\t" + string_bold(
"Supported architectures") + ": " + ','.join(
import ropgenerator.Architecture as Arch
from ropgenerator.IO import string_bold, info, string_special, banner, notify, error
from magic import from_file
from base64 import b16decode
from random import shuffle, random, randrange, Random
# Command options
OPTION_ARCH = '--arch'
OPTION_ARCH_SHORT = '-a'
OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'
# Help for the load command
helpStr = banner([
string_bold("'load' command"),
string_special("(Load gadgets from a binary file)")
])
helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>"
helpStr += "\n\n\t" + string_bold("Options") + ":"
helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\
" <arch>"+"\tmanualy specify architecture.\n\t\t\t\t\tAvailable: 'X86', 'X64'"
helpStr += "\n\n\t" + string_bold(
"Examples"
) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)"
def print_help():
print(helpStr)
def getPlatformInfo(filename):
# DELIVER-SHELLCODE COMMAND #
################################
# Options
OPTION_ADDRESS = '--address'
OPTION_ADDRESS_SHORT = "-a"
OPTION_RANGE = "--address-range"
OPTION_RANGE_SHORT = "-r"
OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'
CMD_DSHELL_HELP = banner([string_bold("'deliver-shellcode' command"),\
string_special("(Deliver a shellcode & Execute it)")])
CMD_DSHELL_HELP += "\n\n\t"+string_bold("Description:")+\
"\n\t\tThis method tries to create an executable memory area"+\
"\n\t\t, then copy a given shellcode into this area, and then"+\
"\n\t\t jump to execute this shellcode"
CMD_DSHELL_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_DSHELL_HELP += "\n\n\t\t" + string_special(
OPTION_ADDRESS_SHORT) + "," + string_special(
OPTION_ADDRESS) + " <int>\t Address where to deliver shellcode"
CMD_DSHELL_HELP += "\n\n\t\t" + string_special(
OPTION_RANGE_SHORT
) + "," + string_special(
OPTION_RANGE
) + " \t Memory space that can be used to\n\t\t\t<addr>,<addr>\t deliver the shellcode"
OPTION_KEEP_REGS_SHORT = '-k'
OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"
OPTION_FUNCTION = "--call"
OPTION_FUNCTION_SHORT = "-c"
OPTION_OFFSET="--offset"
OPTION_OFFSET_SHORT = "-off"
OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"
CMD_SYSCALL_HELP = banner([string_bold("'syscall' command"),\
string_special("(Call system functions with ROPChains)")])
CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tsyscall [OPTIONS]"
CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Options")+":"
CMD_SYSCALL_HELP += "\n\t\t"+string_special(OPTION_FUNCTION_SHORT)+","+\
string_special(OPTION_FUNCTION)+" <function>\t Call a system function"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+\
string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\
string_special(OPTION_LIST)+" [<system>]\t List supported functions"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\
string_special(OPTION_OUTPUT)+\
" <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"
OPTION_SHORTEST = '--shortest'
OPTION_SHORTEST_SHORT = '-s'
OPTION_LMAX = '--max-length'
OPTION_LMAX_SHORT = '-m'
OPTION_OFFSET = '--offset'
OPTION_OFFSET_SHORT = '-off'
CMD_CALL_HELP = banner([string_bold("'call' command"),\
string_special("(Call functions with ROPChains)")])
CMD_CALL_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tcall [OPTIONS]"
CMD_CALL_HELP += "\n\n\t"+string_bold("Options")+":"
CMD_CALL_HELP += "\n\t\t"+string_special(OPTION_CALL_SHORT)+","+\
string_special(OPTION_CALL)+" <function>\t Call a function"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_SHORTEST_SHORT)+","+string_special(OPTION_SHORTEST)+"\t\t Find the shortest matching ROP-Chains"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\
string_special(OPTION_LIST)+"\t\t List available functions"
CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\
string_special(OPTION_OUTPUT)+\
" <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
OPTION_BAD_BYTES_SHORT = '-b'
OPTION_CALL = "--call"
OPTION_CALL_SHORT = "-c"
OPTION_KEEP_REGS = '--keep-regs'
OPTION_KEEP_REGS_SHORT = '-k'
OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"
OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"
CMD_CALL_HELP = banner([string_bold("'call' command"),\
string_special("(Call functions with ROPChains)")])
CMD_CALL_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tcall [OPTIONS]"
CMD_CALL_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_CALL_HELP += "\n\t\t"+string_special(OPTION_CALL_SHORT)+","+\
string_special(OPTION_CALL)+" <function>\t Call a function"
CMD_CALL_HELP += "\n\n\t\t" + string_special(
OPTION_BAD_BYTES_SHORT
) + "," + string_special(
OPTION_BAD_BYTES
) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')"
CMD_CALL_HELP += "\n\n\t\t" + string_special(
OPTION_KEEP_REGS_SHORT
) + "," + string_special(
OPTION_KEEP_REGS
) + " <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')"
OPTION_KEEP_REGS_SHORT = '-k'
OPTION_NB_RESULTS_SHORT = '-n'
OPTION_LMAX_SHORT = '-m'
OPTION_OUTPUT = '--output-format'
OPTION_OUTPUT_SHORT = '-f'
# Options for output
OUTPUT_CONSOLE = 'console'
OUTPUT_PYTHON = 'python'
OUTPUT_RAW = 'raw'
OUTPUT = None # The one choosen
# Help for the search command
CMD_FIND_HELP = banner([
string_bold("'query' command"),
string_special("(Find gadgets/ropchains that execute specific operations)")
])
CMD_FIND_HELP += "\n\n\t"+string_bold("Usage")+":\tfind [OPTIONS] <reg>=<expr>"+\
"\n\t\tfind [OPTIONS] <reg>=mem(<expr>)"+\
"\n\t\tfind [OPTIONS] mem(<expr>)=<expr>"+\
"\n\t\tfind [OPTIONS] int80"+\
"\n\t\tfind [OPTIONS] syscall"
CMD_FIND_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_FIND_HELP += "\n\t\t" + string_special(
OPTION_BAD_BYTES_SHORT
) + "," + string_special(
OPTION_BAD_BYTES
) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')"
CMD_FIND_HELP += "\n\n\t\t" + string_special(
OPTION_KEEP_REGS_SHORT
) + "," + string_special(
"""
# Definitions of commands
CMD_HELP = "help"
CMD_LOAD = "load"
CMD_CONFIG = "config"
CMD_EXIT = "exit"
CMD_SEARCH = "semantic"
CMD_EXPLOIT = "exploit"
helpStr = banner([
string_bold('Main Commands'),
string_special('(For more info about a command type <cmd -h>)')
])
helpStr += '\n\t' + string_bold(
CMD_LOAD) + ': \t\tload gadgets from a binary file'
helpStr += '\n\n\t' + string_semantic(string_bold(CMD_SEARCH)) + \
': \tEnter semantic-mode (Search for'+'\n\t\t\tgadgets and ROPChains)'
helpStr += '\n\n\t' + string_exploit(string_bold(CMD_EXPLOIT)) + \
': \tEnter exploit-mode (Automated exploit'+'\n\t\t\tgeneration features)'
helpStr += '\n\n\t' + string_bold(CMD_HELP) + ': \t\tprint available commands'
helpStr += '\n\t' + string_bold(CMD_EXIT) + ': \t\texit ROPGenerator'
def main():
print(string_ropg(string_bold(ASCII_art)))
initLogs()
finish = False
OPTION_LMAX_SHORT = '-m'
OPTION_VERBOSE = "--verbose"
OPTION_VERBOSE_SHORT = "-v"
OPTION_OUTFILE = '--output-file'
OPTION_OUTFILE_SHORT = '-o'
OPTION_PADDING_BYTE = '--padding-byte'
OPTION_PADDING_BYTE_SHORT = '-pb'
OPTION_PADDING_LEN = '--padding-len'
OPTION_PADDING_LEN_SHORT = '-pl'
CMD_PWN_HELP = banner([string_bold("'pwn' command"),\
string_special("(Generate full exploits)")])
CMD_PWN_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tpwn [OPTIONS] <subcommand> [SUBCOMMAND_OPTIONS]"
CMD_PWN_HELP += "\n\n\t"+string_bold("Subcommands")+":"
CMD_PWN_HELP += "\n\t(For more info use 'pwn <subcommand> -h')"
CMD_PWN_HELP += "\n\n\t\t"+string_special(CMD_DELIVER_SHELLCODE)+"\t Inject a shellcode an execute it"
CMD_PWN_HELP += "\n\n\t"+string_bold("Options")+":"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_BYTE_SHORT)+","+string_special(OPTION_PADDING_BYTE)+" <byte> Byte for payload padding"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_LEN_SHORT)+","+string_special(OPTION_PADDING_LEN)+" <int>\t Length of payload padding"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\
string_special(OPTION_OUTPUT)+\
" <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
from magic import from_file
from base64 import b16decode
from random import shuffle, random, randrange, Random
# Command options
OPTION_ARCH = '--arch'
OPTION_ARCH_SHORT = '-a'
OPTION_ROPGADGET_OPTIONS = '--ropgadget-opts'
OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'
OPTION_ROPGADGET_OPTIONS_SHORT = '-r'
# Help for the load command
helpStr = banner([
string_bold("'load' command"),
string_special("(Load gadgets from a binary file)")
])
helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>"
helpStr += "\n\n\t" + string_bold("Options") + ":"
helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\
" <arch>"+"\t\tmanualy specify architecture.\n\t\t\t\t\t\tAvailable: 'X86', 'X64'"
helpStr += '\n\n\t\t'+string_special(OPTION_ROPGADGET_OPTIONS_SHORT)+","+string_special(OPTION_ROPGADGET_OPTIONS)+\
" <opts>"+"\textra options for ROPgadget.\n\t\t\t\t\t\t<opts> must be a list of\n\t\t\t\t\t\toptions between ''"+\
"\n\t\t\t\t\t\te.g: \"-depth 4\""
helpStr += "\n\n\t" + string_bold(
"Examples"
) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)"
def print_help():
print(helpStr)
