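def disas_thumb(buf, array_name="", row_width=16, fancy=False):
    """Disassemble *buf* as a sequence of 16-bit Thumb instructions.

    Each halfword is decoded with ``darm.disasm_thumb`` and rendered as
    one ``offset: raw mnemonic`` line; *fancy* wraps the three columns in
    terminal colours.  *array_name* and *row_width* are unused and kept
    for signature parity with the other output formatters.

    A trailing odd byte cannot form a halfword; ``struct.unpack`` then
    raises ``struct.error`` exactly as the original did.
    """
    # Floor division keeps the repeat count an int even under true division.
    count = len(buf) // 2
    insns = struct.unpack("H" * count, buf)

    rows = []
    for idx, insn in enumerate(insns):
        # Thumb instructions are two bytes wide, so the offset is 2 * index.
        pos = idx * 2
        tmp = ""
        if fancy:
            tmp += colors.fg("cyan")
        tmp += "%.8x: " % (pos)
        if fancy:
            tmp += colors.fg("red") + colors.bold()
        tmp += "%08x " % (insn)
        if fancy:
            tmp += colors.end() + colors.fg("green")
        tmp += str(darm.disasm_thumb(insn))
        if fancy:
            tmp += colors.end()
        rows.append("  " + tmp + "\n")

    # Join once instead of growing a string in the loop.
    return "".join(rows)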
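def disas_thumb(buf, array_name='', row_width=16, fancy=False):
    """Disassemble *buf* as a sequence of 16-bit Thumb instructions.

    Each halfword is decoded with ``darm.disasm_thumb`` and rendered as
    one ``offset: raw mnemonic`` line; *fancy* wraps the three columns in
    terminal colours.  *array_name* and *row_width* are unused and kept
    for signature parity with the other output formatters.

    A trailing odd byte cannot form a halfword; ``struct.unpack`` then
    raises ``struct.error`` exactly as the original did.
    """
    # Floor division keeps the repeat count an int even under true division.
    count = len(buf) // 2
    insns = struct.unpack("H" * count, buf)

    rows = []
    for idx, insn in enumerate(insns):
        # Thumb instructions are two bytes wide, so the offset is 2 * index.
        pos = idx * 2
        tmp = ""
        if fancy:
            tmp += colors.fg('cyan')
        tmp += "%.8x: " % (pos)
        if fancy:
            tmp += colors.fg('red') + colors.bold()
        tmp += "%08x " % (insn)
        if fancy:
            tmp += colors.end() + colors.fg('green')
        tmp += str(darm.disasm_thumb(insn))
        if fancy:
            tmp += colors.end()
        rows.append("  " + tmp + "\n")

    # Join once instead of growing a string in the loop.
    return "".join(rows)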
def handle_parameters(shellcode, params):
    """Resolve every placeholder parameter of *shellcode* and splice it in.

    For each entry of ``shellcode["parameters"]`` the value is taken from
    *params* (prompting through ``param_stdin`` when absent) and requested
    again until ``validate`` accepts it.  The accepted value is rendered
    with ``output`` and substituted for the entry's placeholder in
    ``shellcode["code"]``; progress is reported on stderr.  Returns the
    mutated *shellcode*; *params* is updated in place as well.
    """
    for param in shellcode["parameters"]:
        name = param['name']
        accepted = False

        while not accepted:
            if name not in params:
                params[name] = param_stdin(param)

            accepted = validate(param, params[name])

            if not accepted:
                print "validation for parameter " + name,
                print " (of type " + type_name(param['type']) + ") ",
                print "failed with input " + params[name]

                # Drop the rejected value so the next pass prompts again.
                del params[name]

        rendered = output(param, params[name])
        shellcode["code"] = shellcode["code"].replace(param['placeholder'], rendered)

        print >> sys.stderr, "  " + colors.bold() + colors.fg('green') + "++" + colors.end(),
        print >> sys.stderr, " parameter " + colors.bold() + name + colors.end(),
        print >> sys.stderr, " set to '" + colors.bold() + params[name] + colors.end() + "'"

    return shellcode
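def code_array(buf, array_name = 'shellcode', row_width = 16, line_delimiter = '', fancy = False):
    """Render *buf* as a C-style array of ``\\xNN`` string-literal rows.

    The first output line is ``array_name + " = "``; every following line
    holds up to *row_width* bytes as one tab-indented double-quoted
    literal.  Non-final rows are followed by *line_delimiter*, the last
    row by ``;`` and a blank line.  With *fancy* the quotes and bytes are
    coloured via ``colors``.

    *buf* may be a str (Python 2 byte string) or a bytes object.  An empty
    buffer yields a single empty literal instead of raising IndexError.
    """
    # Normalise to integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # One "\xNN\xNN..." literal per row; an empty buffer still gets one row.
    lines = [
        "".join("\\x%02x" % v for v in values[i:i + row_width])
        for i in range(0, len(values), row_width)
    ] or [""]

    def fancy_row(literal):
        # Magenta quotes around red byte escapes, bold throughout.
        return ("\t" + colors.bold() + colors.fg('magenta') + "\""
                + colors.fg("red") + literal
                + colors.fg('magenta') + "\"" + colors.end())

    out = array_name + " = \n"

    for literal in lines[:-1]:
        if fancy:
            out += fancy_row(literal) + line_delimiter + "\n"
        else:
            out += "\t\"%s\"%s\n" % (literal, line_delimiter)

    if fancy:
        out += fancy_row(lines[-1]) + ";" + "\n\n"
    else:
        out += "\t\"%s\";\n\n" % (lines[-1])

    return out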
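def code_array(buf, array_name = 'shellcode', row_width = 16, line_delimiter = '', fancy = False):
    """Render *buf* as a C-style array of ``\\xNN`` string-literal rows.

    The first output line is ``array_name + " = "``; every following line
    holds up to *row_width* bytes as one tab-indented double-quoted
    literal.  Non-final rows are followed by *line_delimiter*, the last
    row by ``;`` and a blank line.  With *fancy* the quotes and bytes are
    coloured via ``colors``.

    *buf* may be a str (Python 2 byte string) or a bytes object.  An empty
    buffer yields a single empty literal instead of raising IndexError.
    """
    # Normalise to integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # One "\xNN\xNN..." literal per row; an empty buffer still gets one row.
    lines = [
        "".join("\\x%02x" % v for v in values[i:i + row_width])
        for i in range(0, len(values), row_width)
    ] or [""]

    def fancy_row(literal):
        # Magenta quotes around red byte escapes, bold throughout.
        return ("\t" + colors.bold() + colors.fg('magenta') + "\""
                + colors.fg("red") + literal
                + colors.fg('magenta') + "\"" + colors.end())

    out = array_name + " = \n"

    for literal in lines[:-1]:
        if fancy:
            out += fancy_row(literal) + line_delimiter + "\n"
        else:
            out += "\t\"%s\"%s\n" % (literal, line_delimiter)

    if fancy:
        out += fancy_row(lines[-1]) + ";" + "\n\n"
    else:
        out += "\t\"%s\";\n\n" % (lines[-1])

    return out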
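def main(args):
    """Entry point for ``moneyshot lolsled``.

    With a numeric first argument, the second argument is run through
    ``emu`` and the registers it leaves non-zero are printed.  Otherwise
    the first argument names a dictionary file; every word made only of
    whitelisted letters is disassembled with ``rop.disas_str``, emulated,
    and printed on one line with its register report.
    """
    if len(args) != 1 and len(args) != 2:
        print "usage:"
        print "  moneyshot lolsled <length> <words>"
        print "  moneyshot lolsled <dictionary>"

        return

    # some 'harmless' x86 insns, just inc's and dec's
    whitelist = set("ABCDEFGHIJKLMNO")

    def clobber_report(rs):
        # Render every non-zero register as "name=value "; the flag says
        # whether any register was touched at all.
        fstr = " CLOBBER: "
        clobbered = False
        for reg in rs:
            if rs[reg] != 0:
                fstr += "%s=%08x " % (reg, rs[reg])
                clobbered = True
        return fstr, clobbered

    # length?
    if args[0].isdigit():
        # This mode reads args[1]; with a single argument it used to IndexError.
        if len(args) != 2:
            print "usage:"
            print "  moneyshot lolsled <length> <words>"
            return

        fstr, clobbered = clobber_report(emu(args[1]))

        if not clobbered:
            fstr += "No clobbering, yay!"

        print fstr

    # assume dictfile (find mode)
    else:
        # Context manager so the dictionary handle is closed deterministically.
        with open(args[0]) as dictfile:
            words = dictfile.readlines()

        for word in words:
            word = word.strip().upper()

            if any(c not in whitelist for c in word):
                continue

            fstr = colors.fg('cyan')
            fstr += ">> "
            fstr += colors.fg('green')
            fstr += "'%15s' %s--> " % (word, colors.fg('white') + colors.bold())
            fstr += colors.end() + colors.fg('red')
            r = rop.disas_str(0, word)
            fstr += ' ; '.join(r).lower()
            report, _ = clobber_report(emu(word))
            fstr += report

            print fstr

    print colors.end()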
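def disas_arm(buf, array_name = '', row_width = 16, fancy = False):
    """Disassemble *buf* as a sequence of 32-bit ARMv7 instructions.

    Each word is decoded with ``darm.disasm_armv7`` and rendered as one
    ``offset: raw mnemonic`` line; *fancy* wraps the three columns in
    terminal colours.  *array_name* and *row_width* are unused and kept
    for signature parity with the other output formatters.

    A trailing partial word cannot be decoded; ``struct.unpack`` then
    raises ``struct.error`` exactly as the original did.
    """
    # Floor division keeps the repeat count an int even under true division.
    count = len(buf) // 4
    insns = struct.unpack("I" * count, buf)

    rows = []
    for idx, insn in enumerate(insns):
        # ARM instructions are four bytes wide, so the offset is 4 * index.
        pos = idx * 4
        tmp = ""
        if fancy:
            tmp += colors.fg('cyan')
        tmp += "%.8x: " % (pos)
        if fancy:
            tmp += colors.fg('red') + colors.bold()
        tmp += "%08x " % (insn)
        if fancy:
            tmp += colors.end() + colors.fg('green')
        tmp += str(darm.disasm_armv7(insn))
        if fancy:
            tmp += colors.end()
        rows.append("  " + tmp + "\n")

    # Join once instead of growing a string in the loop.
    return "".join(rows)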
def c(buf, array_name = 'shellcode', row_width = 16, fancy = False):
    """Render *buf* as a C ``unsigned char`` array through ``code_array``.

    The declaration head is ``unsigned char <array_name>[]``, coloured
    when *fancy*; rows are emitted without a line delimiter.
    """
    if not fancy:
        decl = "unsigned char " + array_name + "[]"
    else:
        decl = "".join([
            colors.fg('green'), "unsigned ", colors.bold(), "char ", colors.end(),
            colors.bold(), array_name, "[]", colors.end(),
        ])

    return code_array(buf, decl, row_width, '', fancy)
def c(buf, array_name = 'shellcode', row_width = 16, fancy = False):
    """Render *buf* as a C ``unsigned char`` array through ``code_array``.

    The declaration head is ``unsigned char <array_name>[]``, coloured
    when *fancy*; rows are emitted without a line delimiter.
    """
    if not fancy:
        decl = "unsigned char " + array_name + "[]"
    else:
        decl = "".join([
            colors.fg('green'), "unsigned ", colors.bold(), "char ", colors.end(),
            colors.bold(), array_name, "[]", colors.end(),
        ])

    return code_array(buf, decl, row_width, '', fancy)
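def main(args):
    """Entry point for ``moneyshot lolsled``.

    With a numeric first argument, the second argument is run through
    ``emu`` and the registers it leaves non-zero are printed.  Otherwise
    the first argument names a dictionary file; every word made only of
    whitelisted letters is disassembled with ``ezrop.disas_str``,
    emulated, and printed on one line with its register report.
    """
    if len(args) != 1 and len(args) != 2:
        print "usage:"
        print "  moneyshot lolsled <length> <words>"
        print "  moneyshot lolsled <dictionary>"

        return

    # some 'harmless' x86 insns, just inc's and dec's
    whitelist = set("ABCDEFGHIJKLMNO")

    def clobber_report(rs):
        # Render every non-zero register as "name=value "; the flag says
        # whether any register was touched at all.
        fstr = " CLOBBER: "
        clobbered = False
        for reg in rs:
            if rs[reg] != 0:
                fstr += "%s=%08x " % (reg, rs[reg])
                clobbered = True
        return fstr, clobbered

    # length?
    if args[0].isdigit():
        # This mode reads args[1]; with a single argument it used to IndexError.
        if len(args) != 2:
            print "usage:"
            print "  moneyshot lolsled <length> <words>"
            return

        fstr, clobbered = clobber_report(emu(args[1]))

        if not clobbered:
            fstr += "No clobbering, yay!"

        print fstr

    # assume dictfile (find mode)
    else:
        # Context manager so the dictionary handle is closed deterministically.
        with open(args[0]) as dictfile:
            words = dictfile.readlines()

        for word in words:
            word = word.strip().upper()

            if any(c not in whitelist for c in word):
                continue

            fstr = colors.fg('cyan')
            fstr += ">> "
            fstr += colors.fg('green')
            fstr += "'%15s' %s--> " % (word, colors.fg('white') + colors.bold())
            fstr += colors.end() + colors.fg('red')
            r = ezrop.disas_str(0, word)
            fstr += ' ; '.join(r).lower()
            report, _ = clobber_report(emu(word))
            fstr += report

            print fstr

    print colors.end()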
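def main(args):
    """Entry point for ``moneyshot dumpsym``: list an ELF's dynamic symbols.

    ``args[0]`` is the ELF path, the optional ``args[1]`` a substring the
    symbol name must contain.  ``.dynsym`` entries are decoded as
    Elf32_Sym or Elf64_Sym according to ``myelf.elfwidth`` and printed
    as ``[value] 'name'``.  Exits with a message if the file is not an
    ELF or lacks ``.dynsym``/``.dynstr``.
    """
    if len(args) != 1 and len(args) != 2:
        print "usage: moneyshot dumpsym <filename> [filter]"
        return

    filename = args[0]
    myelf = elf.fromfile(filename)

    sym_filter = args[1] if len(args) == 2 else ""

    if myelf.data[0:4] != "\x7F" + "ELF":
        # Report the path that was given; the original formatted the builtin `file`.
        print "[!] '%s' is not a valid ELF file :(" % (filename)
        sys.exit(-1)

    dynsym = myelf.section(".dynsym")

    if dynsym == False:
        print "ERROR: could not retrieve .dynsym section"
        exit()

    dynstr = myelf.section(".dynstr")

    if dynstr == False:
        print "ERROR: could not retrieve .dynstr section"
        exit()

    if myelf.elfwidth == 64:
        # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
        # (24 bytes); st_value is field 4.  The previous "<LQQBBH" layout
        # read st_value from the wrong offset.
        entry_fmt, entry_size, value_idx = "<LBBHQQ", 24, 4
    else:
        # Elf32_Sym: st_name, st_value, st_size, st_info, st_other, st_shndx
        # (16 bytes); st_value is field 1.
        entry_fmt, entry_size, value_idx = "<LLLBBH", 16, 1

    # NOTE(review): byte order stays hard-coded little-endian as before;
    # a big-endian ELF would need EI_DATA honoured here.
    symdata = dynsym['data']
    strdata = dynstr['data']

    fstr = colors.fg("green") + "[" + colors.bold() + "%08x" + colors.end() + colors.fg("green") + "]" + colors.end()
    fstr += " '" + colors.fg("red") + colors.bold() + "%s" + colors.end() + "'"

    # Stop before a truncated trailing entry instead of raising struct.error.
    for i in range(0, len(symdata) - entry_size + 1, entry_size):
        sym_entry = struct.unpack(entry_fmt, symdata[i:i + entry_size])
        name_off = sym_entry[0]
        value = sym_entry[value_idx]

        # NUL-terminated name at name_off in .dynstr.  An empty name (the
        # null symbol) yields "" instead of spilling into the next string.
        end = strdata.find("\x00", name_off)
        name = strdata[name_off:] if end == -1 else strdata[name_off:end]

        if sym_filter != "" and name.find(sym_filter) == -1:
            continue

        print fstr % (value, name)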
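def do_ropfind(file, match_string):
    """Search every PROGBITS section of ELF *file* for *match_string*.

    *match_string* is either a hex byte pattern (``?`` as a wildcard
    nibble) or assembly text that ``assemble_str`` converts into one.
    Each hit is printed under its section with its virtual address and
    disassembly; a byte sequence already reported in any section is
    skipped.
    """
    gadgets = set()   # byte patterns already reported, across sections

    myelf = elf.fromfile(file)

    if myelf.data[0:4] != "\x7F" + "ELF":
        print "[!] '%s' is not a valid ELF file :(" % (file)
        sys.exit(-1)

    # figure out parameter: raw-string regex so "\?" is a regex escape,
    # not an invalid string escape.
    if re.search(r"^[0-9a-f\?]+$", match_string) is not None:
        pattern = match_string
    else:
        pattern = assemble_str(match_string)

    print "[!] pattern: '%s'" % pattern

    for section_name in myelf.strtable:
        if section_name == "":
            continue

        section = myelf.section(section_name)

        # section() signals a missing section with a false value elsewhere
        # in this tool; do not index into it.
        if not section:
            continue

        # check for PROGBITS type
        if section['type'] != 1:
            continue

        matches = findstr(section['data'], pattern)

        if len(matches) == 0:
            continue

        pstr = colors.fg('cyan') + ">> section '" + colors.bold() + section_name + colors.end()
        pstr += colors.fg('cyan') + "' [" + colors.bold() + str(len(matches)) + colors.end()
        pstr += colors.fg('cyan') + " hits]"

        header_printed = False

        for match in matches:
            if match[1] in gadgets:
                continue

            # Print the section header only once, and only if it has a new hit.
            if not header_printed:
                print pstr
                header_printed = True

            addr = section['addr'] + match[0]
            disas = disas_str(addr, binascii.unhexlify(match[1]))
            fstr = colors.fg('cyan') + " \\_ " + colors.fg('green') + "%08x [" + colors.bold() + match[1] + colors.end()
            fstr += colors.fg('green') + "] " + colors.bold() + "-> " + colors.end()
            fstr += colors.fg('red') + ' ; '.join(disas).lower() + colors.end()
            print fstr % (addr)

            gadgets.add(match[1])

        if header_printed:
            print ""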
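def main(args):
    """Entry point for ``moneyshot dumpsym``: list an ELF's dynamic symbols.

    ``args[0]`` is the ELF path, the optional ``args[1]`` a substring the
    symbol name must contain.  ``.dynsym`` entries are decoded as
    Elf32_Sym or Elf64_Sym according to ``myelf.elfwidth`` and printed
    as ``[value] 'name'``.  Exits with a message if the file is not an
    ELF or lacks ``.dynsym``/``.dynstr``.
    """
    if len(args) != 1 and len(args) != 2:
        print "usage: moneyshot dumpsym <filename> [filter]"
        return

    filename = args[0]
    myelf = elf.fromfile(filename)

    sym_filter = args[1] if len(args) == 2 else ""

    if myelf.data[0:4] != "\x7F" + "ELF":
        # Report the path that was given; the original formatted the builtin `file`.
        print "[!] '%s' is not a valid ELF file :(" % (filename)
        sys.exit(-1)

    dynsym = myelf.section(".dynsym")

    if dynsym == False:
        print "ERROR: could not retrieve .dynsym section"
        exit()

    dynstr = myelf.section(".dynstr")

    if dynstr == False:
        print "ERROR: could not retrieve .dynstr section"
        exit()

    if myelf.elfwidth == 64:
        # Elf64_Sym: st_name, st_info, st_other, st_shndx, st_value, st_size
        # (24 bytes); st_value is field 4.  The previous "<LQQBBH" layout
        # read st_value from the wrong offset.
        entry_fmt, entry_size, value_idx = "<LBBHQQ", 24, 4
    else:
        # Elf32_Sym: st_name, st_value, st_size, st_info, st_other, st_shndx
        # (16 bytes); st_value is field 1.
        entry_fmt, entry_size, value_idx = "<LLLBBH", 16, 1

    # NOTE(review): byte order stays hard-coded little-endian as before;
    # a big-endian ELF would need EI_DATA honoured here.
    symdata = dynsym['data']
    strdata = dynstr['data']

    fstr = colors.fg("green") + "[" + colors.bold() + "%08x" + colors.end() + colors.fg("green") + "]" + colors.end()
    fstr += " '" + colors.fg("red") + colors.bold() + "%s" + colors.end() + "'"

    # Stop before a truncated trailing entry instead of raising struct.error.
    for i in range(0, len(symdata) - entry_size + 1, entry_size):
        sym_entry = struct.unpack(entry_fmt, symdata[i:i + entry_size])
        name_off = sym_entry[0]
        value = sym_entry[value_idx]

        # NUL-terminated name at name_off in .dynstr.  An empty name (the
        # null symbol) yields "" instead of spilling into the next string.
        end = strdata.find("\x00", name_off)
        name = strdata[name_off:] if end == -1 else strdata[name_off:end]

        if sym_filter != "" and name.find(sym_filter) == -1:
            continue

        print fstr % (value, name)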
def print_codes(codes, depth=0):
    """Print the nested *codes* tree as an indented listing.

    Entries carrying a ``"description"`` are leaves: the key is padded to
    a column, followed by the byte size from ``get_code_size`` in green
    and the description.  Any other entry is a category: its key is
    printed in bold and its children are listed one level deeper.
    """
    indent = "  " * (depth + 1)
    name_width = 40 - (depth * 2)

    for key, entry in codes.items():
        if "description" not in entry:
            print indent + colors.bold() + key + colors.end()
            print_codes(entry, depth + 1)
            continue

        size_col = "%s%4d%s bytes -- %s" % (
            colors.fg('green'), get_code_size(entry), colors.end(), entry['description'])
        print indent + key.ljust(name_width) + size_col
def print_codes(codes, depth=0):
    """Print the nested *codes* tree as an indented listing.

    Entries carrying a ``"description"`` are leaves: the key is padded to
    a column, followed by the byte size from ``get_code_size`` in green
    and the description.  Any other entry is a category: its key is
    printed in bold and its children are listed one level deeper.
    """
    indent = "  " * (depth + 1)
    name_width = 40 - (depth * 2)

    for key, entry in codes.items():
        if "description" not in entry:
            print indent + colors.bold() + key + colors.end()
            print_codes(entry, depth + 1)
            continue

        size_col = "%s%4d%s bytes -- %s" % (
            colors.fg("green"), get_code_size(entry), colors.end(), entry["description"])
        print indent + key.ljust(name_width) + size_col
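def do_ropfind_raw(file, match_string, single):
    """Search the raw bytes of *file* for *match_string* and print hits.

    *match_string* is either a hex byte pattern (``?`` as a wildcard
    nibble) or assembly text that ``assemble_str`` converts into one;
    decoding is fixed to 64-bit mode.  Every hit is printed with its
    file offset and disassembly; with *single* set, a repeated byte
    sequence is reported only the first time.
    """
    gadgets = set()   # byte patterns already reported (consulted only when `single`)

    sixtyfour = True

    # Binary mode for an arbitrary blob, and a context manager so the
    # handle does not leak.
    with open(file, 'rb') as blob:
        data = blob.read()

    # figure out parameter: raw-string regex so "\?" is a regex escape,
    # not an invalid string escape.
    if re.search(r"^[0-9a-f\?]+$", match_string) is not None:
        pattern = match_string
    else:
        pattern = assemble_str(match_string, sixtyfour)

    print "[!] pattern: '%s'" % pattern

    matches = findstr(data, pattern)

    if len(matches) == 0:
        return

    pstr = colors.fg('cyan') + ">> section '" + colors.bold() + "RAW" + colors.end()
    pstr += colors.fg('cyan') + "' [" + colors.bold() + str(len(matches)) + colors.end()
    pstr += colors.fg('cyan') + " hits]"

    header_printed = False

    for match in matches:
        if single and match[1] in gadgets:
            continue

        # Print the header only once, and only if there is something to show.
        if not header_printed:
            print pstr
            header_printed = True

        disas = disas_str(match[0], binascii.unhexlify(match[1]), sixtyfour)
        fstr = colors.fg('cyan') + " \\_ " + colors.fg('green') + "%08x [" + colors.bold() + match[1] + colors.end()
        fstr += colors.fg('green') + "] " + colors.bold() + "-> " + colors.end()
        fstr += colors.fg('red') + ' ; '.join(disas).lower() + colors.end()
        print fstr % (match[0])

        gadgets.add(match[1])

    if header_printed:
        print ""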
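def do_ropfind_raw(file, match_string, single):
    """Search the raw bytes of *file* for *match_string* and print hits.

    *match_string* is either a hex byte pattern (``?`` as a wildcard
    nibble) or assembly text that ``assemble_str`` converts into one;
    decoding is fixed to 64-bit mode.  Every hit is printed with its
    file offset and disassembly; with *single* set, a repeated byte
    sequence is reported only the first time.
    """
    gadgets = set()   # byte patterns already reported (consulted only when `single`)

    sixtyfour = True

    # Binary mode for an arbitrary blob, and a context manager so the
    # handle does not leak.
    with open(file, 'rb') as blob:
        data = blob.read()

    # figure out parameter: raw-string regex so "\?" is a regex escape,
    # not an invalid string escape.
    if re.search(r"^[0-9a-f\?]+$", match_string) is not None:
        pattern = match_string
    else:
        pattern = assemble_str(match_string, sixtyfour)

    print "[!] pattern: '%s'" % pattern

    matches = findstr(data, pattern)

    if len(matches) == 0:
        return

    pstr = colors.fg('cyan') + ">> section '" + colors.bold() + "RAW" + colors.end()
    pstr += colors.fg('cyan') + "' [" + colors.bold() + str(len(matches)) + colors.end()
    pstr += colors.fg('cyan') + " hits]"

    header_printed = False

    for match in matches:
        if single and match[1] in gadgets:
            continue

        # Print the header only once, and only if there is something to show.
        if not header_printed:
            print pstr
            header_printed = True

        disas = disas_str(match[0], binascii.unhexlify(match[1]), sixtyfour)
        fstr = colors.fg('cyan') + " \\_ " + colors.fg('green') + "%08x [" + colors.bold() + match[1] + colors.end()
        fstr += colors.fg('green') + "] " + colors.bold() + "-> " + colors.end()
        fstr += colors.fg('red') + ' ; '.join(disas).lower() + colors.end()
        print fstr % (match[0])

        gadgets.add(match[1])

    if header_printed:
        print ""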
def header():
    """Write the tool's ASCII-art banner to stderr in bold cyan."""
    art = """
              ___    ___   __._____  ___   __.__    __  ____. ___   __ 
             /   \  |    \|  |  __  \   \/  /|  |  |  |/ __  \    \|  |
            /  \  \ |  |\    |   /  / \    / |  |__|  |   /  |  |\    |
           /__/ \__\|__|  \__|__|\__\  |__|  |_____|__|\_____|__|  \__|
                   """

    # Colour on, art, colour reset, then two blank lines.
    pieces = [colors.bold(), colors.fg('cyan'), art, colors.end(), "\n\n"]
    sys.stderr.write("".join(pieces))
def banner():
    """Write the tool's ASCII-art banner to stderr in bold cyan."""
    asquee = """
    __   __  ______.___   __  _____._  __._______._ __  ____._________
   /  \ /  \/  __  |    \|  |/  ___| \/  /\  ___/  |  |/ __  \__   __/
  /    '    \   /  |  |\    |   _|_\    /__\   \|     |   /  |  |  |
 /___\  /    \_____|__|  \__|______||__||______/|__|__|\_____|  |__|
      \/ _____\\   """

    # Colour on, art, colour reset, then two blank lines.
    pieces = [colors.bold(), colors.fg('cyan'), asquee, colors.end(), "\n\n"]
    sys.stderr.write("".join(pieces))
def banner():
    """Write the tool's ASCII-art banner to stderr in bold cyan."""
    asquee = """
    __   __  ______.___   __  _____._  __._______._ __  ____._________
   /  \ /  \/  __  |    \|  |/  ___| \/  /\  ___/  |  |/ __  \__   __/
  /    '    \   /  |  |\    |   _|_\    /__\   \|     |   /  |  |  |
 /___\  /    \_____|__|  \__|______||__||______/|__|__|\_____|  |__|
      \/ _____\\   """

    # Colour on, art, colour reset, then two blank lines.
    pieces = [colors.bold(), colors.fg('cyan'), asquee, colors.end(), "\n\n"]
    sys.stderr.write("".join(pieces))
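def python(buf, array_name='shellcode', row_width=16, fancy=False):
    """Render *buf* as Python source that builds it from ``\\xNN`` literals.

    The first row is emitted as ``array_name = "..."`` and every further
    row as ``array_name += "..."``, *row_width* bytes per row; the last
    row ends with ``;`` and a blank line.  *fancy* colours the quotes and
    bytes via ``colors``.  *buf* may be a str (Python 2 byte string) or a
    bytes object.

    An empty buffer yields a single empty literal, and a buffer of one
    row is emitted with ``=`` rather than ``+=`` so the generated code
    never augments a name that was not assigned.
    """
    # Normalise to integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # One "\xNN\xNN..." literal per row; an empty buffer still gets one row.
    lines = [
        "".join("\\x%02x" % v for v in values[i:i + row_width])
        for i in range(0, len(values), row_width)
    ] or [""]

    def render(index, literal, is_last):
        # First row assigns, later rows append; the last row ends with ";".
        if fancy:
            assign = " =  " if index == 0 else " += "
            head = (array_name + assign + colors.bold() + colors.fg('magenta') + "\""
                    + colors.fg("red") + literal + colors.fg('magenta') + "\"")
            if is_last:
                return head + colors.end() + ";\n\n"
            return head + "\n" + colors.end()
        assign = "  = " if index == 0 else " += "
        if is_last:
            return array_name + assign + "\"%s\";\n\n" % (literal)
        return array_name + assign + "\"%s\"\n" % (literal)

    last = len(lines) - 1
    return "".join(render(idx, lit, idx == last) for idx, lit in enumerate(lines))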
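def python(buf, array_name = 'shellcode', row_width = 16, fancy = False):
    """Render *buf* as Python source that builds it from ``\\xNN`` literals.

    The first row is emitted as ``array_name = "..."`` and every further
    row as ``array_name += "..."``, *row_width* bytes per row; the last
    row ends with ``;`` and a blank line.  *fancy* colours the quotes and
    bytes via ``colors``.  *buf* may be a str (Python 2 byte string) or a
    bytes object.

    An empty buffer yields a single empty literal, and a buffer of one
    row is emitted with ``=`` rather than ``+=`` so the generated code
    never augments a name that was not assigned.
    """
    # Normalise to integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # One "\xNN\xNN..." literal per row; an empty buffer still gets one row.
    lines = [
        "".join("\\x%02x" % v for v in values[i:i + row_width])
        for i in range(0, len(values), row_width)
    ] or [""]

    def render(index, literal, is_last):
        # First row assigns, later rows append; the last row ends with ";".
        if fancy:
            assign = " =  " if index == 0 else " += "
            head = (array_name + assign + colors.bold() + colors.fg('magenta') + "\""
                    + colors.fg("red") + literal + colors.fg('magenta') + "\"")
            if is_last:
                return head + colors.end() + ";\n\n"
            return head + "\n" + colors.end()
        assign = "  = " if index == 0 else " += "
        if is_last:
            return array_name + assign + "\"%s\";\n\n" % (literal)
        return array_name + assign + "\"%s\"\n" % (literal)

    last = len(lines) - 1
    return "".join(render(idx, lit, idx == last) for idx, lit in enumerate(lines))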
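def python(buf, array_name="shellcode", row_width=16, fancy=False):
    """Render *buf* as Python source that builds it from ``\\xNN`` literals.

    The first row is emitted as ``array_name = "..."`` and every further
    row as ``array_name += "..."``, *row_width* bytes per row; the last
    row ends with ``;`` and a blank line.  *fancy* colours the quotes and
    bytes via ``colors``.  *buf* may be a str (Python 2 byte string) or a
    bytes object.

    An empty buffer yields a single empty literal, and a buffer of one
    row is emitted with ``=`` rather than ``+=`` so the generated code
    never augments a name that was not assigned.
    """
    # Normalise to integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # One "\xNN\xNN..." literal per row; an empty buffer still gets one row.
    lines = [
        "".join("\\x%02x" % v for v in values[i:i + row_width])
        for i in range(0, len(values), row_width)
    ] or [""]

    def render(index, literal, is_last):
        # First row assigns, later rows append; the last row ends with ";".
        if fancy:
            assign = " =  " if index == 0 else " += "
            head = (array_name + assign + colors.bold() + colors.fg("magenta") + '"'
                    + colors.fg("red") + literal + colors.fg("magenta") + '"')
            if is_last:
                return head + colors.end() + ";\n\n"
            return head + "\n" + colors.end()
        assign = "  = " if index == 0 else " += "
        if is_last:
            return array_name + assign + '"%s";\n\n' % (literal)
        return array_name + assign + '"%s"\n' % (literal)

    last = len(lines) - 1
    return "".join(render(idx, lit, idx == last) for idx, lit in enumerate(lines))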
def handle_parameters(shellcode, params):
    """Resolve every placeholder parameter of *shellcode* and splice it in.

    For each entry of ``shellcode["parameters"]`` the value is taken from
    *params* (prompting through ``param_stdin`` when absent) and requested
    again until ``validate`` accepts it.  The accepted value is rendered
    with ``output`` and substituted for the entry's placeholder in
    ``shellcode["code"]``; progress is reported on stderr.  Returns the
    mutated *shellcode*; *params* is updated in place as well.
    """
    for param in shellcode["parameters"]:
        name = param["name"]
        accepted = False

        while not accepted:
            if name not in params:
                params[name] = param_stdin(param)

            accepted = validate(param, params[name])

            if not accepted:
                print "validation for parameter " + name,
                print " (of type " + type_name(param["type"]) + ") ",
                print "failed with input " + params[name]

                # Drop the rejected value so the next pass prompts again.
                del params[name]

        rendered = output(param, params[name])
        shellcode["code"] = shellcode["code"].replace(param["placeholder"], rendered)

        print >> sys.stderr, "  " + colors.bold() + colors.fg("green") + "++" + colors.end(),
        print >> sys.stderr, " parameter " + colors.bold() + name + colors.end(),
        print >> sys.stderr, " set to '" + colors.bold() + params[name] + colors.end() + "'"

    return shellcode
def disas(buf, array_name = '', row_width = 16, fancy = False, sixtyfour = False):
    """Disassemble x86 *buf* with distorm3 and return the listing as text.

    Each instruction becomes one ``offset: hexdump mnemonic`` line with
    the hexdump padded to 20 columns; the whole listing is lower-cased.
    *sixtyfour* selects 64-bit decoding, *fancy* adds terminal colours.
    *array_name* and *row_width* are unused and kept for signature parity
    with the other formatters.
    """
    # The decode mode used to be routed through an OptionParser default;
    # selecting it directly is equivalent.
    decode_mode = distorm3.Decode64Bits if sixtyfour else distorm3.Decode32Bits

    rows = []
    for offset, size, instruction, hexdump in distorm3.Decode(0, buf, decode_mode):
        pieces = []
        if fancy:
            pieces.append(colors.fg('cyan'))
        pieces.append("%.8x: " % (offset))
        if fancy:
            pieces.append(colors.fg('red'))
        # ljust(20) is the same as padding with 20 - len spaces (none when longer).
        pieces.append(hexdump.ljust(20))
        if fancy:
            pieces.append(colors.fg('green'))
        pieces.append(instruction)
        if fancy:
            pieces.append(colors.end())
        rows.append("  " + "".join(pieces) + "\n")

    return "".join(rows).lower()
def disas(buf, array_name='', row_width=16, fancy=False, sixtyfour=False):
    """Disassemble x86 *buf* with distorm3 and return the listing as text.

    Each instruction becomes one ``offset: hexdump mnemonic`` line with
    the hexdump padded to 20 columns; the whole listing is lower-cased.
    *sixtyfour* selects 64-bit decoding, *fancy* adds terminal colours.
    *array_name* and *row_width* are unused and kept for signature parity
    with the other formatters.
    """
    # The decode mode used to be routed through an OptionParser default;
    # selecting it directly is equivalent.
    decode_mode = distorm3.Decode64Bits if sixtyfour else distorm3.Decode32Bits

    rows = []
    for offset, size, instruction, hexdump in distorm3.Decode(0, buf, decode_mode):
        pieces = []
        if fancy:
            pieces.append(colors.fg('cyan'))
        pieces.append("%.8x: " % (offset))
        if fancy:
            pieces.append(colors.fg('red'))
        # ljust(20) is the same as padding with 20 - len spaces (none when longer).
        pieces.append(hexdump.ljust(20))
        if fancy:
            pieces.append(colors.fg('green'))
        pieces.append(instruction)
        if fancy:
            pieces.append(colors.end())
        rows.append("  " + "".join(pieces) + "\n")

    return "".join(rows).lower()
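def do_ezrop(text):
    """Print RET-terminated instruction windows found in section *text*.

    *text* is a dict with ``data`` (section bytes) and ``addr`` (load
    address).  For every 0xc3 byte, windows of 10 down to 2 preceding
    bytes are decoded with distorm3 (mode from the module-level
    ``options.dt``); the longest window that decodes to a RET-terminated
    sequence accepted by ``match_disas``/``ok_disas`` for ``sys.argv[2]``
    is printed from the first instruction mentioning that text onward.
    """
    data = text['data']
    base = text['addr']
    wanted = sys.argv[2]

    i = 0
    while i < len(data):
        if data[i] == "\xc3":
            # Never look before the section start: a negative slice start
            # used to wrap around to the end of the buffer and then raise
            # IndexError on the empty decode.
            for block_len in range(min(10, i), 1, -1):
                start = i - block_len
                end = start + block_len + 1
                disas = distorm3.Decode(base + start, data[start:end], options.dt)

                if not disas:
                    continue

                if disas[-1][2] == "RET" and match_disas(disas, wanted) and ok_disas(disas):
                    found_start = False

                    for (offset, size, instruction, hexdump) in disas:
                        if instruction.find(wanted) != -1:
                            found_start = True

                        if found_start:
                            out = colors.fg('cyan')
                            out += "%.8x: " % (offset)
                            out += colors.fg('red')
                            out += hexdump
                            out += " " * (20 - len(hexdump))
                            out += colors.fg('green')
                            out += instruction + colors.end()
                            print out

                    print "=" * 50

                    # Skip past the window just reported.
                    i = i + block_len
                    break

        i = i + 1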
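def do_ezrop(text):
    """Print RET-terminated instruction windows found in section *text*.

    *text* is a dict with ``data`` (section bytes) and ``addr`` (load
    address).  For every 0xc3 byte, windows of 10 down to 2 preceding
    bytes are decoded with distorm3 (mode from the module-level
    ``options.dt``); the longest window that decodes to a RET-terminated
    sequence accepted by ``match_disas``/``ok_disas`` for ``sys.argv[2]``
    is printed from the first instruction mentioning that text onward.
    """
    data = text['data']
    base = text['addr']
    wanted = sys.argv[2]

    i = 0
    while i < len(data):
        if data[i] == "\xc3":
            # Never look before the section start: a negative slice start
            # used to wrap around to the end of the buffer and then raise
            # IndexError on the empty decode.
            for block_len in range(min(10, i), 1, -1):
                start = i - block_len
                end = start + block_len + 1
                disas = distorm3.Decode(base + start, data[start:end], options.dt)

                if not disas:
                    continue

                if disas[-1][2] == "RET" and match_disas(disas, wanted) and ok_disas(disas):
                    found_start = False

                    for (offset, size, instruction, hexdump) in disas:
                        if instruction.find(wanted) != -1:
                            found_start = True

                        if found_start:
                            out = colors.fg('cyan')
                            out += "%.8x: " % (offset)
                            out += colors.fg('red')
                            out += hexdump
                            out += " " * (20 - len(hexdump))
                            out += colors.fg('green')
                            out += instruction + colors.end()
                            print out

                    print "=" * 50

                    # Skip past the window just reported.
                    i = i + block_len
                    break

        i = i + 1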
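def hexdump(buf, array_name='shellcode', row_width=16, fancy=False):
    """Render *buf* as a classic hex dump with an ASCII column.

    Layout: a header row of column offsets, a delimiter row, one row per
    *row_width* bytes (``| offset | hex bytes | ascii |``) and a closing
    delimiter.  Bytes outside 0x20..0x7e print as ``.`` in the ASCII
    column.  *fancy* adds terminal colours and bolds the upper half of
    every 8-byte group.  *buf* may be a str (Python 2 byte string) or a
    bytes object.  *array_name* is unused and kept for signature parity.
    """
    # Work on integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # build horizontal marker
    out = "           | " + "".join("%02x " % (i) for i in range(row_width)) + "|\n"

    delim_row = "  +--------+" + "-" * (row_width * 3 + 1) + "+" + "-" * (row_width + 1) + "-+"

    def delim_line():
        if fancy:
            return colors.bold() + delim_row + colors.end() + "\n"
        return delim_row + "\n"

    out += delim_line()

    for i in range(0, len(values), row_width):
        row = values[i:i + row_width]

        if fancy:
            out += colors.bold() + "  | " + colors.fg("cyan") + ("%06x" % (i)) + " | " + colors.end()
        else:
            out += "  | %06x | " % (i)

        for j in range(row_width):
            if j < len(row):
                if fancy:
                    # `cell` replaces the original local that shadowed builtin str.
                    cell = colors.fg('red') + ("%02x " % (row[j]))

                    if (i + j) % 8 >= 4:
                        out += colors.bold() + cell + colors.end()
                    else:
                        out += cell + colors.end()
                else:
                    out += "%02x " % (row[j])
            else:
                out += "   "

        asciiz = ''

        for j in range(row_width):
            if j < len(row):
                c = row[j]
                asciiz += chr(c) if 0x20 <= c <= 0x7e else '.'
            else:
                asciiz += ' '

        if fancy:
            out += colors.bold() + "| " + colors.fg('green') + asciiz + colors.end() + colors.bold() + " |" + colors.end() + "\n"
        else:
            out += "| " + asciiz + " |\n"

    out += delim_line()

    return out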
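def hexdump(buf, array_name = 'shellcode', row_width = 16, fancy = False):
    """Render *buf* as a classic hex dump with an ASCII column.

    Layout: a header row of column offsets, a delimiter row, one row per
    *row_width* bytes (``| offset | hex bytes | ascii |``) and a closing
    delimiter.  Bytes outside 0x20..0x7e print as ``.`` in the ASCII
    column.  *fancy* adds terminal colours and bolds the upper half of
    every 8-byte group.  *buf* may be a str (Python 2 byte string) or a
    bytes object.  *array_name* is unused and kept for signature parity.
    """
    # Work on integer byte values so str and bytes inputs behave alike.
    values = [c if isinstance(c, int) else ord(c) for c in buf]

    # build horizontal marker
    out = "           | " + "".join("%02x " % (i) for i in range(row_width)) + "|\n"

    delim_row = "  +--------+" + "-" * (row_width * 3 + 1) + "+" + "-" * (row_width + 1) + "-+"

    def delim_line():
        if fancy:
            return colors.bold() + delim_row + colors.end() + "\n"
        return delim_row + "\n"

    out += delim_line()

    for i in range(0, len(values), row_width):
        row = values[i:i + row_width]

        if fancy:
            out += colors.bold() + "  | " + colors.fg("cyan") + ("%06x" % (i)) + " | " + colors.end()
        else:
            out += "  | %06x | " % (i)

        for j in range(row_width):
            if j < len(row):
                if fancy:
                    # `cell` replaces the original local that shadowed builtin str.
                    cell = colors.fg('red') + ("%02x " % (row[j]))

                    if (i + j) % 8 >= 4:
                        out += colors.bold() + cell + colors.end()
                    else:
                        out += cell + colors.end()
                else:
                    out += "%02x " % (row[j])
            else:
                out += "   "

        asciiz = ''

        for j in range(row_width):
            if j < len(row):
                c = row[j]
                asciiz += chr(c) if 0x20 <= c <= 0x7e else '.'
            else:
                asciiz += ' '

        if fancy:
            out += colors.bold() + "| " + colors.fg('green') + asciiz + colors.end() + colors.bold() + " |" + colors.end() + "\n"
        else:
            out += "| " + asciiz + " |\n"

    out += delim_line()

    return out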
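def main(argv=None):
    """Run a program with gvki interception enabled and post-process its output.

    Parses the command line, exports the gvki environment (through the
    add*Env helpers defined elsewhere in this module), runs the target
    command, then diffs the working directory to find the ``gvki-*``
    folders it produced and optionally preprocesses them.

    Args:
        argv: argument list without the program name; ``sys.argv[1:]``
            when None.

    Returns:
        None on the normal path, 1 when no program command was given.

    Side effects: appends to ``gvkiErrorsLog.txt`` in the working directory
    and prints status messages to stdout.
    """
    if argv is None:
        argv = sys.argv[1:]

    args = _build_gvki_parser().parse_args(argv)
    optionsUsePreloadLibrary = args.preload_library != ''

    # check for missing arguments and prepare variables
    if not args.programcommand:
        print('Please specify program to run')
        printUsage()
        # printUsage() lives elsewhere; stop here in case it returns instead of exiting
        return 1
    if args.working_dir == '':
        scriptWorkingDir = os.path.abspath(os.getcwd()) + os.sep
    else:
        scriptWorkingDir = os.path.abspath(args.working_dir) + os.sep

    # debug: print parsed arguments
    if args.verbose:
        print("log data " + str(args.log_data))
        print("preprocess " + str(args.preprocess))
        print("interceptions " + str(args.interceptions_per_kernel))
        print("preprocessor " + args.preprocessor)
        print("preload " + str(optionsUsePreloadLibrary))
        print("preloadlib " + args.preload_library)
        print("workdir " + args.working_dir)
        print(args.programcommand)

    # snapshot the directory names before the run so new gvki-* folders can be told apart
    initialDirectoriesList = _walk_dir_names(scriptWorkingDir)

    # set environment variables for gvki and preloading
    addPreloadEnv(optionsUsePreloadLibrary, args.preload_library)
    addLogDataEnv(args.log_data)
    addInterceptionsEnv(args.interceptions_per_kernel)
    addWorkingDirEnv(args.working_dir)
    commandToRun = args.programcommand
    if args.verbose:
        print('Env variables: LD, WORKDIR, LOGDATA, LIMITINTERC')
        # read the variables from our own environment instead of spawning printenv
        for envName in ('LD_PRELOAD', ENV_GVKI_WORKING_DIR, ENV_GVKI_LOG_DATA, ENV_GVKI_LIMIT_INTERCEPTIONS):
            print(os.environ.get(envName, ''))
        print("running command " + str(commandToRun))

    numberGvkiErrors = 0
    errorsLogPath = os.path.join(scriptWorkingDir, 'gvkiErrorsLog.txt')
    commandText = ' '.join(commandToRun)
    with open(errorsLogPath, 'a') as gvkiErrorsLog:
        # run program: commandToRun is an argv list, so hand it to exec directly.
        # With shell=True a list would run only its first element and pass the
        # remaining items to /bin/sh as positional parameters, dropping the
        # program's arguments.
        try:
            code = subprocess.call(commandToRun)
        except OSError as err:
            # command not found / not executable: count it like a gvki error
            print(colors.red() + 'Could not run ' + commandText + ': ' + str(err) + colors.end())
            numberGvkiErrors += 1
            gvkiErrorsLog.write('Error launching ' + commandText + ': ' + str(err) + '\n\n')
            code = None

        if code == gvki_errors.UNSUPPORTED_SVMP_ARG:  # gvki signals unsupported 2.0 functions
            print(colors.red() + 'GVKI has detected an unsupported OpenCL 2.0 function call.' + colors.end())
            print(colors.red() + 'Files logged from command ' + commandText + ' are not reliable.\n' + colors.end())
            numberGvkiErrors += 1
            gvkiErrorsLog.write('Error SVMPointer unsupported in ' + commandText + '\n\n')
        elif code == gvki_errors.UNSUPPORTED_PROGRAM_FROM_BINARY:  # unsupported clCreateProgramFromBinary call
            print(colors.red() + 'GVKI has detected an unsupported clCreateProgramFromBinary call.' + colors.end())
            print(colors.red() + 'Files logged from command ' + commandText + ' are not reliable.\n' + colors.end())
            numberGvkiErrors += 1
            gvkiErrorsLog.write('Error clCreateProgramWithBinary unsupported in ' + commandText + '\n\n')
        elif code is not None:
            # get final directory structure and keep only the gvki-* folders that appeared
            newDirectories = _new_dir_names(initialDirectoriesList, _walk_dir_names(scriptWorkingDir))
            gvkiDirectoriesList = [name for name in newDirectories if name.startswith('gvki-')]

            if args.verbose:
                print(gvkiDirectoriesList)
            if not gvkiDirectoriesList:
                print(colors.red() + "\nNo gvki folders generated. Did you recompile with the gvki folder or did you run using the gvki preload library?\n" + colors.end())

            # run preprocessor
            if args.preprocess:
                for gvkiDirName in gvkiDirectoriesList:
                    kernel_preprocess.main(['--dir', os.path.join(scriptWorkingDir, gvkiDirName), '--preprocessor', args.preprocessor])

    # print final status
    if numberGvkiErrors > 0:
        print(colors.red() + str(numberGvkiErrors) + ' errors encountered.' + colors.end())
        print(colors.red() + 'Please see ' + errorsLogPath + ' for details' + colors.end())


def _build_gvki_parser():
    """Build the argparse parser used by main(); options and defaults are the script's CLI."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--log-data',
                        help='gvki will log data to binary files',
                        action='store_true',
                        default=False)
    parser.add_argument('--interceptions-per-kernel',
                        help='The maximum number of kernels to intercept. 0 is unlimited. Default: 0',
                        default='0')
    parser.add_argument('--preprocess',
                        help='Specifies to preprocess the intercepted kernels',
                        action='store_true',
                        default=False)
    parser.add_argument('--preprocessor',
                        help='Specifies the preprocessor command to use',
                        default='cpp')
    parser.add_argument('--preload-library',
                        help='Specifies to use preload library.',
                        default='')
    parser.add_argument('--working-dir',
                        help='Specifies where the gvki-n folders will be created',
                        default='')
    parser.add_argument('--verbose',
                        help='Prints script debug messages',
                        action='store_true',
                        default=False)
    parser.add_argument('programcommand',
                        nargs='*',
                        help='The program to run')
    return parser


def _walk_dir_names(root):
    """Return the names (not paths) of every directory below *root*, in os.walk order."""
    names = []
    for _walkroot, walkdirs, _walkfiles in os.walk(root):
        names.extend(walkdirs)
    return names


def _new_dir_names(before, after):
    """Return the entries of *after* not accounted for by *before*, in *after*'s order.

    Works as a multiset difference: one occurrence in *before* cancels one
    occurrence in *after*. Names that disappeared during the run are simply
    ignored, where list.remove() on the final list would have raised.
    """
    budget = {}
    for name in before:
        budget[name] = budget.get(name, 0) + 1
    result = []
    for name in after:
        if budget.get(name, 0) > 0:
            budget[name] -= 1
        else:
            result.append(name)
    return result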
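def do_ropfind(file, match_string):
    """Search the PROGBITS sections of an ELF file for a byte pattern and print
    every hit disassembled as Thumb (and as ARM when its length is a multiple of 4).

    Args:
        file: path to the ELF binary to scan.
        match_string: a hex pattern (digits 0-9a-f, '?' as wildcard) used as-is,
            or assembly source that is first turned into a pattern by assemble_str().

    Side effects: prints matches to stdout; exits the process with status -1
    when the file does not start with the ELF magic.
    """
    seen = set()  # hex strings of gadgets already printed, so each is listed once

    myelf = elf.fromfile(file)

    if myelf.data[0:4] != "\x7FELF":
        print("[!] '%s' is not a valid ELF file :(" % (file))
        sys.exit(-1)

    # a pure hex pattern is used verbatim, anything else is assembled first
    if re.search(r"^[0-9a-f\?]+$", match_string) is not None:
        pattern = match_string
    else:
        pattern = assemble_str(match_string)

    print("[!] pattern: '%s'" % pattern)

    for section_name in myelf.strtable:
        if section_name == "":
            continue

        section = myelf.section(section_name)

        # only code/data carrying sections (PROGBITS, type 1) are searched
        if section["type"] != 1:
            continue

        matches = findstr(section["data"], pattern)

        if len(matches) == 0:
            continue

        header = colors.fg("cyan") + ">> section '" + colors.bold() + section_name + colors.end()
        header += colors.fg("cyan") + "' [" + colors.bold() + str(len(matches)) + colors.end()
        header += colors.fg("cyan") + " hits]"

        printed_header = False

        for match in matches:
            offset, hexbytes = match[0], match[1]
            if hexbytes in seen:
                continue

            # the section header is only shown once a gadget in it is actually printed
            if not printed_header:
                print(header)
                printed_header = True

            raw = binascii.unhexlify(hexbytes)
            addr = section["addr"] + offset

            disas = disas_str(addr, raw, True)
            # the address is reported with the low bit set, i.e. as a Thumb target
            print(_ropfind_line(hexbytes, "Thumb", ") ", disas) % (addr + 1))
            seen.add(hexbytes)

            # a 4-byte aligned gadget is additionally shown as ARM code
            if len(raw) % 4 == 0:
                disas = disas_str(addr, raw, False)
                if not (len(disas) == 1 and (disas[0] == "" or disas[0] == "None")):
                    print(_ropfind_line(hexbytes, "ARM", "  ) ", disas) % (addr))

        if printed_header:
            print("")


def _ropfind_line(hexbytes, mode, closing, disas):
    """Format one coloured gadget line; "%08x" is left for the caller to fill with the address.

    Args:
        hexbytes: the matched bytes as a hex string.
        mode: label shown in red, "Thumb" or "ARM".
        closing: text closing the mode label (different widths keep both labels aligned).
        disas: list of disassembled instructions, joined with " ; " and lower-cased.
    """
    line = colors.fg("cyan") + " \\_ " + colors.fg("green") + "%08x [" + colors.bold() + hexbytes + colors.end()
    line += colors.fg("green") + "] " + colors.bold() + "-> " + colors.end()
    line += colors.fg("red") + "(" + colors.bold() + mode + colors.end() + colors.fg("red") + closing
    line += " ; ".join(disas).lower() + colors.end()
    return line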
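def param_stdin(parameter):
    """Prompt on stderr for a shellcode parameter and read its value from stdin.

    Args:
        parameter: mapping with at least the keys "name" and "type"; both are
            shown in the prompt.

    Returns:
        The line read from stdin with its trailing line ending removed
        ("" at end of input).
    """
    prompt = "%s  >> [%s (%s)]: %s" % (colors.bold(), parameter["name"], parameter["type"], colors.end())
    # written directly so no newline is appended and the prompt is visible before the read
    sys.stderr.write(prompt)
    sys.stderr.flush()
    line = sys.stdin.readline()

    # strip "\r\n" as well as "\n" so a CRLF terminal does not leak a "\r" into the value
    return line.rstrip("\r\n")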
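def param_stdin(parameter):
    """Prompt on stderr for a shellcode parameter and read its value from stdin.

    Args:
        parameter: mapping with at least the keys 'name' and 'type'; both are
            shown in the prompt.

    Returns:
        The line read from stdin with its trailing line ending removed
        ("" at end of input).
    """
    prompt = "%s  >> [%s (%s)]: %s" % (
        colors.bold(), parameter['name'], parameter['type'], colors.end())
    # written directly so no newline is appended and the prompt is visible before the read
    sys.stderr.write(prompt)
    sys.stderr.flush()
    line = sys.stdin.readline()

    # strip "\r\n" as well as "\n" so a CRLF terminal does not leak a "\r" into the value
    return line.rstrip("\r\n")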