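def add(arch):
    """Interactively read a shellcode and a short description, then register them.

    Args:
        arch: architecture name the shellcode is stored under. It is passed
            straight through to ``add_shellcode`` and is not validated here.

    The shellcode is typed as a hex string (optional ``\\x`` prefixes are
    stripped) and re-prompted until it decodes; the description is re-prompted
    until it contains at least one printable character.  ``str.decode('hex')``
    exists only on Python 2, so this function is Python 2 only.
    """
    print(banner([string_bold('Adding a new shellcode')]))
    # Built once instead of once per character of the description.
    printable = set(string.printable)

    while True:
        sys.stdout.write('\t' + string_ropg('> ') + 'Enter your shellcode as a string in hex format:\n')
        shellcode_input = prompt(u" > ")
        try:
            shellcode = shellcode_input.replace('\\x', '').decode('hex')
        except (TypeError, ValueError):
            # Python 2 reports odd length / non-hex digits as TypeError and
            # non-ASCII unicode as UnicodeEncodeError (a ValueError).  The
            # previous bare `except:` also swallowed KeyboardInterrupt, which
            # made the prompt impossible to abort.
            print(string_special("\tError. Your input is in wrong format or invalid"))
        else:
            break

    sys.stdout.write('\t' + string_ropg('> ') + 'Enter short shellcode name/description:\n')
    info = ""
    while not info:
        # Keep only printable characters (presumably so the stored description
        # prints cleanly when listed later); an input that is empty after
        # filtering is asked for again instead of being stored blank.
        raw = prompt(u" > ")
        info = "".join(ch for ch in raw if ch in printable)

    add_shellcode(arch, shellcode, info)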
def list_regs():
    """Print every register name known to the current architecture, one per line.

    The instruction-pointer and stack-pointer registers (``Arch.currentArch.ip``
    and ``.sp``) get a trailing annotation; every other register is printed bare.
    """
    print(banner([string_bold("Available registers")]))
    for name in sorted(Arch.regNameToNum.keys()):
        line = "\t" + string_special(name)
        if name == Arch.currentArch.ip:
            line += " - instruction pointer"
        elif name == Arch.currentArch.sp:
            line += " - stack pointer"
        print(line)
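def print_functions(func_list, space=28):
    """Print a two-column table of function names and addresses.

    Args:
        func_list: iterable of ``(funcName, funcAddress)`` pairs, ``str`` and
            ``int``; rows are printed sorted by name.
        space: width of the name column.  Names that fill or overflow the
            column are followed by a fixed two-space gap instead.
    """
    print(banner([string_bold("Available functions")]))
    print("\tFunction" + " " * (space - 8) + "Address")
    print("\t------------------------------------")
    for name, addr in sorted(func_list, key=lambda pair: pair[0]):
        gap = space - len(name)
        if gap < 1:
            # A name of exactly `space` characters used to get gap == 0 and
            # run straight into the address; always keep a separator.
            gap = 2
        print("\t" + string_special(name) + " " * gap + hex(addr))
    print("")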
def list_shellcodes(arch):
    """Print every shellcode registered for *arch*, numbered from 1.

    Each entry of ``shellcodes[arch]`` is indexed as ``entry[0]`` (the raw
    shellcode bytes) and ``entry[1]`` (its description).  An unsupported
    architecture or an empty list is reported through ``error`` and nothing
    else is printed.
    """
    if arch not in Arch.available:
        error("Error. Architecture {} is not supported".format(arch))
        return
    entries = shellcodes[arch]
    if not entries:
        error("No shellcodes available for architecture " + arch)
        return

    title = "Available shellcodes for arch " + string_special(arch)
    print(banner([string_bold(title)]))
    for index, entry in enumerate(entries, start=1):
        number = "({})".format(string_bold(str(index)))
        print("\n\t{} {}\n\t{} - {} bytes".format(
            number,
            entry[1],
            string_special(short_shellcode(entry[0])),
            len(entry[0]),
        ))
OPTION_LMAX = '--max-length' OPTION_LMAX_SHORT = '-m' OPTION_VERBOSE = "--verbose" OPTION_VERBOSE_SHORT = "-v" OPTION_OUTFILE = '--output-file' OPTION_OUTFILE_SHORT = '-o' OPTION_PADDING_BYTE = '--padding-byte' OPTION_PADDING_BYTE_SHORT = '-pb' OPTION_PADDING_LEN = '--padding-len' OPTION_PADDING_LEN_SHORT = '-pl' CMD_PWN_HELP = banner([string_bold("'pwn' command"),\ string_special("(Generate full exploits)")]) CMD_PWN_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tpwn [OPTIONS] <subcommand> [SUBCOMMAND_OPTIONS]" CMD_PWN_HELP += "\n\n\t"+string_bold("Subcommands")+":" CMD_PWN_HELP += "\n\t(For more info use 'pwn <subcommand> -h')" CMD_PWN_HELP += "\n\n\t\t"+string_special(CMD_DELIVER_SHELLCODE)+"\t Inject a shellcode an execute it" CMD_PWN_HELP += "\n\n\t"+string_bold("Options")+":" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_BYTE_SHORT)+","+string_special(OPTION_PADDING_BYTE)+" <byte> Byte for payload padding" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_LEN_SHORT)+","+string_special(OPTION_PADDING_LEN)+" <int>\t Length of payload padding" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\ string_special(OPTION_OUTPUT)+\ " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ════════════════════ v1.2 """ # Definitions of commands CMD_HELP = "help" CMD_LOAD = "load" CMD_CONFIG = "config" CMD_EXIT = "exit" CMD_SEARCH = "semantic" CMD_EXPLOIT = "exploit" helpStr = banner([ string_bold('Main Commands'), string_special('(For more info about a command type <cmd -h>)') ]) helpStr += '\n\t' + string_bold( CMD_LOAD) + ': \t\tload gadgets from a binary file' helpStr += '\n\n\t' + string_semantic(string_bold(CMD_SEARCH)) + \ ': \tEnter semantic-mode (Search for'+'\n\t\t\tgadgets and ROPChains)' helpStr += '\n\n\t' + string_exploit(string_bold(CMD_EXPLOIT)) + \ ': \tEnter exploit-mode (Automated exploit'+'\n\t\t\tgeneration features)' helpStr += '\n\n\t' + string_bold(CMD_HELP) + ': \t\tprint available commands' helpStr += '\n\t' + string_bold(CMD_EXIT) + ': \t\texit ROPGenerator' def main(): print(string_ropg(string_bold(ASCII_art))) initLogs() finish = False
################################
#  DELIVER-SHELLCODE COMMAND   #
################################

# Options
OPTION_ADDRESS = '--address'
OPTION_ADDRESS_SHORT = "-a"
OPTION_RANGE = "--address-range"
OPTION_RANGE_SHORT = "-r"
OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'

# Help text for the deliver-shellcode command, assembled once at import time
# from the banner followed by the description and option sections.
_DSHELL_HELP_PARTS = [
    banner([string_bold("'deliver-shellcode' command"),
            string_special("(Deliver a shellcode & Execute it)")]),
    "\n\n\t" + string_bold("Description:")
    + "\n\t\tThis method tries to create an executable memory area"
    + "\n\t\t, then copy a given shellcode into this area, and then"
    + "\n\t\t jump to execute this shellcode",
    "\n\n\t" + string_bold("Options") + ":",
    "\n\n\t\t" + string_special(OPTION_ADDRESS_SHORT) + "," + string_special(OPTION_ADDRESS)
    + " <int>\t Address where to deliver shellcode",
    "\n\n\t\t" + string_special(OPTION_RANGE_SHORT) + "," + string_special(OPTION_RANGE)
    + " \t Memory space that can be used to\n\t\t\t<addr>,<addr>\t deliver the shellcode",
]
CMD_DSHELL_HELP = "".join(_DSHELL_HELP_PARTS)
from ropgenerator.exploit.Scanner import initScanner import ropgenerator.Architecture as Arch from ropgenerator.IO import string_bold, info, string_special, banner, notify, error from magic import from_file from base64 import b16decode from random import shuffle, random, randrange, Random # Command options OPTION_ARCH = '--arch' OPTION_ARCH_SHORT = '-a' OPTION_HELP = '--help' OPTION_HELP_SHORT = '-h' # Help for the load command helpStr = banner([ string_bold("'load' command"), string_special("(Load gadgets from a binary file)") ]) helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>" helpStr += "\n\n\t" + string_bold("Options") + ":" helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\ " <arch>"+"\tmanualy specify architecture.\n\t\t\t\t\tAvailable: 'X86', 'X64'" helpStr += "\n\n\t" + string_bold( "Examples" ) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)" def print_help(): print(helpStr) def getPlatformInfo(filename):
OPTION_KEEP_REGS = '--keep-regs' OPTION_KEEP_REGS_SHORT = '-k' OPTION_LIST = "--list" OPTION_LIST_SHORT = "-l" OPTION_FUNCTION = "--call" OPTION_FUNCTION_SHORT = "-c" OPTION_OFFSET="--offset" OPTION_OFFSET_SHORT = "-off" OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" CMD_SYSCALL_HELP = banner([string_bold("'syscall' command"),\ string_special("(Call system functions with ROPChains)")]) CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tsyscall [OPTIONS]" CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Options")+":" CMD_SYSCALL_HELP += "\n\t\t"+string_special(OPTION_FUNCTION_SHORT)+","+\ string_special(OPTION_FUNCTION)+" <function>\t Call a system function" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+\ string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\ string_special(OPTION_LIST)+" [<system>]\t List supported functions" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\ string_special(OPTION_OUTPUT)+\ " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
import string import subprocess OPTION_LIST = "--list" OPTION_LIST_SHORT = "-l" OPTION_ADD = "--add" OPTION_ADD_SHORT = "-a" OPTION_REMOVE = "--remove" OPTION_REMOVE_SHORT = "-r" OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" CMD_SHELLCODE_HELP = banner([string_bold("'shellcode' command"),\ string_special("(Manage shellcodes for your exploits)")]) CMD_SHELLCODE_HELP += "\n\n\t"+string_bold("Usage")+\ "\n\t\tshellcode [OPTION] <arch>" CMD_SHELLCODE_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_LIST_SHORT) + "," + string_special( OPTION_LIST) + "\tList available shellcodes" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_ADD_SHORT) + "," + string_special(OPTION_ADD) + "\tAdd a shellcode" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_REMOVE_SHORT) + "," + string_special( OPTION_REMOVE) + "\tRemove a previously added shellcode" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_HELP_SHORT) + "," + string_special(OPTION_HELP) + "\tShow this help" CMD_SHELLCODE_HELP += "\n\n\t" + string_bold( "Supported architectures") + ": " + ','.join(
OPTION_BAD_BYTES_SHORT = '-b' OPTION_KEEP_REGS_SHORT = '-k' OPTION_NB_RESULTS_SHORT = '-n' OPTION_LMAX_SHORT = '-m' OPTION_OUTPUT = '--output-format' OPTION_OUTPUT_SHORT = '-f' # Options for output OUTPUT_CONSOLE = 'console' OUTPUT_PYTHON = 'python' OUTPUT_RAW = 'raw' OUTPUT = None # The one choosen # Help for the search command CMD_FIND_HELP = banner([ string_bold("'query' command"), string_special("(Find gadgets/ropchains that execute specific operations)") ]) CMD_FIND_HELP += "\n\n\t"+string_bold("Usage")+":\tfind [OPTIONS] <reg>=<expr>"+\ "\n\t\tfind [OPTIONS] <reg>=mem(<expr>)"+\ "\n\t\tfind [OPTIONS] mem(<expr>)=<expr>"+\ "\n\t\tfind [OPTIONS] int80"+\ "\n\t\tfind [OPTIONS] syscall" CMD_FIND_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_FIND_HELP += "\n\t\t" + string_special( OPTION_BAD_BYTES_SHORT ) + "," + string_special( OPTION_BAD_BYTES ) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_FIND_HELP += "\n\n\t\t" + string_special( OPTION_KEEP_REGS_SHORT ) + "," + string_special(
OPTION_BAD_BYTES = '--bad-bytes'
OPTION_BAD_BYTES_SHORT = '-b'
OPTION_CALL = "--call"
OPTION_CALL_SHORT = "-c"
OPTION_KEEP_REGS = '--keep-regs'
OPTION_KEEP_REGS_SHORT = '-k'
OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"
OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"


def _call_option_line(prefix, short_opt, long_opt, description):
    """Return one option line of the 'call' help: prefix, highlighted short and
    long option names separated by a comma, then the description text."""
    return prefix + string_special(short_opt) + "," + string_special(long_opt) + description


# Help text for the 'call' command: banner, usage, then one line per option.
CMD_CALL_HELP = banner([string_bold("'call' command"),
                        string_special("(Call functions with ROPChains)")])
CMD_CALL_HELP += "\n\n\t" + string_bold("Usage:") + "\n\t\tcall [OPTIONS]"
CMD_CALL_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_CALL_HELP += _call_option_line(
    "\n\t\t", OPTION_CALL_SHORT, OPTION_CALL,
    " <function>\t Call a function")
CMD_CALL_HELP += _call_option_line(
    "\n\n\t\t", OPTION_BAD_BYTES_SHORT, OPTION_BAD_BYTES,
    " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')")
CMD_CALL_HELP += _call_option_line(
    "\n\n\t\t", OPTION_KEEP_REGS_SHORT, OPTION_KEEP_REGS,
    " <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')")