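def add(arch):
    """Interactively read a shellcode and a description, then register them.

    Prompts until the user enters a valid hex string (``\\x`` prefixes are
    tolerated and stripped), then prompts for a non-empty description,
    reduces it to printable characters and stores the pair with
    ``add_shellcode``.

    arch - architecture name the shellcode is registered under; passed
           through to ``add_shellcode`` unchanged
    """
    # Function-scope import so the module's import block stays untouched.
    import binascii

    print(banner([string_bold('Adding a new shellcode')]))

    shellcode = None
    while shellcode is None:
        sys.stdout.write('\t' + string_ropg('> ') +
                         'Enter your shellcode as a string in hex format:\n')
        shellcode_input = prompt(u"        > ")
        try:
            # unhexlify works on both Python 2 and 3, unlike the Python 2
            # only str.decode('hex'). Odd length or non-hex digits raise
            # TypeError (py2) or binascii.Error, a ValueError (py3); the
            # former bare except also hid unrelated errors such as typos.
            shellcode = binascii.unhexlify(shellcode_input.replace('\\x', ''))
        except (TypeError, ValueError):
            print(
                string_special(
                    "\tError. Your input is in wrong format or invalid"))

    sys.stdout.write('\t' + string_ropg('> ') +
                     'Enter short shellcode name/description:\n')
    info = ""
    while (not info):
        info = prompt(u"        > ")
    # Build the allowed set once rather than once per character, and join
    # so the result is a str on Python 3 too (filter() is lazy there).
    printable = set(string.printable)
    info = ''.join(c for c in info if c in printable)
    add_shellcode(arch, shellcode, info)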
def list_regs():
    """
    List available registers, marking the instruction and stack pointers
    """
    print(banner([string_bold("Available registers")]))
    ip_reg = Arch.currentArch.ip
    sp_reg = Arch.currentArch.sp
    for name in sorted(Arch.regNameToNum.keys()):
        line = "\t" + string_special(name)
        if name == ip_reg:
            line += " - instruction pointer"
        elif name == sp_reg:
            line += " - stack pointer"
        print(line)
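def print_functions(func_list):
    """
    Print the available functions as a name/address table sorted by name.

    func_list - list of pairs (str, int) = (funcName, funcAddress)
    """
    space = 28
    print(banner([string_bold("Available functions")]))
    print("\tFunction" + " " * (space - 8) + "Address")
    print("\t------------------------------------")
    for (funcName, funcAddr) in sorted(func_list, key=lambda x: x[0]):
        # Pad the name up to the column width. A name that exactly fills
        # the column (or overflows it) still gets two separating spaces so
        # the address never runs straight into the name.
        space2 = space - len(funcName)
        if (space2 <= 0):
            space2 = 2
        print("\t" + string_special(funcName) + " " * space2 + hex(funcAddr))
    print("")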
def list_shellcodes(arch):
    """
    Print the shellcodes registered for *arch*, numbered from 1.

    Each entry shows its description, a shortened preview of the bytes and
    the length in bytes. Reports an error and returns early if *arch* is not
    a supported architecture or has no registered shellcodes.
    """
    if arch not in Arch.available:
        error("Error. Architecture {} is not supported".format(arch))
        return
    entries = shellcodes[arch]
    if not entries:
        error("No shellcodes available for architecture " + arch)
        return

    title = "Available shellcodes for arch " + string_special(arch)
    print(banner([string_bold(title)]))
    # entry[0] holds the shellcode bytes, entry[1] its description.
    for index, entry in enumerate(entries, 1):
        number = "({})".format(string_bold(str(index)))
        preview = string_special(short_shellcode(entry[0]))
        size = str(len(entry[0]))
        print("\n\t{} {}\n\t{} - {} bytes".format(number, entry[1], preview, size))
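# Options of the 'pwn' command. The long form is what the help text
# documents; the short form is the single-dash alias.
OPTION_LMAX = '--max-length'
OPTION_LMAX_SHORT = '-m'

OPTION_VERBOSE = "--verbose"
OPTION_VERBOSE_SHORT = "-v"

OPTION_OUTFILE = '--output-file'
OPTION_OUTFILE_SHORT = '-o'

OPTION_PADDING_BYTE = '--padding-byte'
OPTION_PADDING_BYTE_SHORT = '-pb'

OPTION_PADDING_LEN = '--padding-len'
OPTION_PADDING_LEN_SHORT = '-pl'

# Help text for 'pwn', assembled incrementally. Literal tabs do the column
# alignment, so keep the escapes as they are when editing. OPTION_BAD_BYTES*
# and CMD_DELIVER_SHELLCODE are expected to be defined elsewhere in the
# module (not in this excerpt).
CMD_PWN_HELP =  banner([string_bold("'pwn' command"),\
                    string_special("(Generate full exploits)")])
CMD_PWN_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tpwn [OPTIONS] <subcommand> [SUBCOMMAND_OPTIONS]"

CMD_PWN_HELP += "\n\n\t"+string_bold("Subcommands")+":"
CMD_PWN_HELP += "\n\t(For more info use 'pwn <subcommand> -h')"
CMD_PWN_HELP += "\n\n\t\t"+string_special(CMD_DELIVER_SHELLCODE)+"\t Inject a shellcode and execute it"

CMD_PWN_HELP += "\n\n\t"+string_bold("Options")+":"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by commas (e.g '-b 0A,0B,2F')"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_BYTE_SHORT)+","+string_special(OPTION_PADDING_BYTE)+" <byte> Byte for payload padding"
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_LEN_SHORT)+","+string_special(OPTION_PADDING_LEN)+" <int>\t Length of payload padding"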
CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\
    string_special(OPTION_OUTPUT)+\
    " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
╚═╝  ╚═╝ ╚═════╝ ╚═╝     ════════════════════ v1.2          
  

"""

# Definitions of commands
CMD_HELP = "help"
CMD_LOAD = "load"
CMD_CONFIG = "config"
CMD_EXIT = "exit"

# Mode-switching commands: 'semantic' enters the search mode and 'exploit'
# the exploit-generation mode (see the help text below).
CMD_SEARCH = "semantic"
CMD_EXPLOIT = "exploit"

# Top-level help text, built incrementally. Literal tabs do the column
# alignment, so keep the escapes as they are when editing; the two mode
# commands are additionally wrapped in string_semantic / string_exploit
# (presumably for highlighting - confirm in ropgenerator.IO).
helpStr = banner([
    string_bold('Main Commands'),
    string_special('(For more info about a command type <cmd -h>)')
])
helpStr += '\n\t' + string_bold(
    CMD_LOAD) + ': \t\tload gadgets from a binary file'
helpStr += '\n\n\t' + string_semantic(string_bold(CMD_SEARCH)) + \
    ': \tEnter semantic-mode (Search for'+'\n\t\t\tgadgets and ROPChains)'
helpStr += '\n\n\t' + string_exploit(string_bold(CMD_EXPLOIT)) + \
    ': \tEnter exploit-mode (Automated exploit'+'\n\t\t\tgeneration features)'
helpStr += '\n\n\t' + string_bold(CMD_HELP) + ': \t\tprint available commands'
helpStr += '\n\t' + string_bold(CMD_EXIT) + ': \t\texit ROPGenerator'


def main():
    print(string_ropg(string_bold(ASCII_art)))
    initLogs()
    finish = False
################################
#  DELIVER-SHELLCODE COMMAND   #
################################

# Options of the 'deliver-shellcode' subcommand. The long form is what the
# help text documents; the short form is the single-dash alias.
OPTION_ADDRESS = '--address'
OPTION_ADDRESS_SHORT = "-a"

OPTION_RANGE = "--address-range"
OPTION_RANGE_SHORT = "-r"

OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'


# Help text for 'deliver-shellcode', assembled incrementally. Literal tabs do
# the column alignment, so keep the escapes as they are when editing.
CMD_DSHELL_HELP =  banner([string_bold("'deliver-shellcode' command"),\
                    string_special("(Deliver a shellcode & Execute it)")])
CMD_DSHELL_HELP += "\n\n\t"+string_bold("Description:")+\
"\n\t\tThis method tries to create an executable memory area"+\
"\n\t\t, then copy a given shellcode into this area, and then"+\
"\n\t\t jump to execute this shellcode"

CMD_DSHELL_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_DSHELL_HELP += "\n\n\t\t" + string_special(
    OPTION_ADDRESS_SHORT) + "," + string_special(
        OPTION_ADDRESS) + " <int>\t Address where to deliver shellcode"
# The range is given as two addresses, documented on a second line.
CMD_DSHELL_HELP += "\n\n\t\t" + string_special(
    OPTION_RANGE_SHORT
) + "," + string_special(
    OPTION_RANGE
) + " \t Memory space that can be used to\n\t\t\t<addr>,<addr>\t deliver the shellcode"
from ropgenerator.exploit.Scanner import initScanner
import ropgenerator.Architecture as Arch
from ropgenerator.IO import string_bold, info, string_special, banner, notify, error
from magic import from_file
from base64 import b16decode
from random import shuffle, random, randrange, Random

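# Command options of 'load'. The long form is what the help text documents;
# the short form is the single-dash alias.
OPTION_ARCH = '--arch'
OPTION_ARCH_SHORT = '-a'
OPTION_HELP = '--help'
OPTION_HELP_SHORT = '-h'

# Help for the load command, assembled incrementally. Literal tabs do the
# column alignment, so keep the escapes as they are when editing.
helpStr = banner([
    string_bold("'load' command"),
    string_special("(Load gadgets from a binary file)")
])
helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>"
helpStr += "\n\n\t" + string_bold("Options") + ":"
helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\
" <arch>"+"\tmanually specify architecture.\n\t\t\t\t\tAvailable: 'X86', 'X64'"
helpStr += "\n\n\t" + string_bold(
    "Examples"
) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)"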


def print_help():
    """Print the module-level help text of the 'load' command."""
    text = helpStr
    print(text)


def getPlatformInfo(filename):
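# Options of the 'syscall' command. The long form is what the help text
# documents; the short form is the single-dash alias.
OPTION_KEEP_REGS = '--keep-regs'
OPTION_KEEP_REGS_SHORT = '-k'

OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"

OPTION_FUNCTION = "--call"
OPTION_FUNCTION_SHORT = "-c"

OPTION_OFFSET = "--offset"
OPTION_OFFSET_SHORT = "-off"

OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"

# Help text for 'syscall', assembled incrementally. Literal tabs do the
# column alignment, so keep the escapes as they are when editing.
# OPTION_BAD_BYTES* are expected to be defined elsewhere in the module
# (not in this excerpt).
CMD_SYSCALL_HELP =  banner([string_bold("'syscall' command"),\
                    string_special("(Call system functions with ROPChains)")])
CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tsyscall [OPTIONS]"
CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Options")+":"
CMD_SYSCALL_HELP += "\n\t\t"+string_special(OPTION_FUNCTION_SHORT)+","+\
    string_special(OPTION_FUNCTION)+" <function>\t Call a system function"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by commas (e.g '-b 0A,0B,2F')"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by commas (e.g '-k edi,eax')"
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+\
    string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses"

CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\
    string_special(OPTION_LIST)+" [<system>]\t List supported functions"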
CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\
    string_special(OPTION_OUTPUT)+\
    " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
import string
import subprocess

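# Options of the 'shellcode' command. The long form is what the help text
# documents; the short form is the single-dash alias.
OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"

OPTION_ADD = "--add"
OPTION_ADD_SHORT = "-a"

OPTION_REMOVE = "--remove"
OPTION_REMOVE_SHORT = "-r"

OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"

# Help text for 'shellcode', assembled incrementally. Literal tabs do the
# column alignment, so keep the escapes as they are when editing. The
# "Usage" label is followed by ":" like the other commands' help texts.
CMD_SHELLCODE_HELP =  banner([string_bold("'shellcode' command"),\
                    string_special("(Manage shellcodes for your exploits)")])
CMD_SHELLCODE_HELP += "\n\n\t"+string_bold("Usage")+":"+\
"\n\t\tshellcode [OPTION] <arch>"
CMD_SHELLCODE_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
    OPTION_LIST_SHORT) + "," + string_special(
        OPTION_LIST) + "\tList available shellcodes"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
    OPTION_ADD_SHORT) + "," + string_special(OPTION_ADD) + "\tAdd a shellcode"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
    OPTION_REMOVE_SHORT) + "," + string_special(
        OPTION_REMOVE) + "\tRemove a previously added shellcode"
CMD_SHELLCODE_HELP += "\n\t\t" + string_special(
    OPTION_HELP_SHORT) + "," + string_special(OPTION_HELP) + "\tShow this help"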
CMD_SHELLCODE_HELP += "\n\n\t" + string_bold(
    "Supported architectures") + ": " + ','.join(
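# Short (single-dash) aliases of the search options; the matching long forms
# (OPTION_BAD_BYTES, OPTION_KEEP_REGS, ...) are expected to be defined
# elsewhere in the module (not in this excerpt).
OPTION_BAD_BYTES_SHORT = '-b'
OPTION_KEEP_REGS_SHORT = '-k'
OPTION_NB_RESULTS_SHORT = '-n'
OPTION_LMAX_SHORT = '-m'

OPTION_OUTPUT = '--output-format'
OPTION_OUTPUT_SHORT = '-f'
# Options for output
OUTPUT_CONSOLE = 'console'
OUTPUT_PYTHON = 'python'
OUTPUT_RAW = 'raw'
OUTPUT = None  # The one chosen

# Help for the search command, assembled incrementally. Literal tabs do the
# column alignment, so keep the escapes as they are when editing.
CMD_FIND_HELP = banner([
    string_bold("'query' command"),
    string_special("(Find gadgets/ropchains that execute specific operations)")
])
CMD_FIND_HELP += "\n\n\t"+string_bold("Usage")+":\tfind [OPTIONS] <reg>=<expr>"+\
                "\n\t\tfind [OPTIONS] <reg>=mem(<expr>)"+\
                "\n\t\tfind [OPTIONS] mem(<expr>)=<expr>"+\
                "\n\t\tfind [OPTIONS] int80"+\
                "\n\t\tfind [OPTIONS] syscall"
CMD_FIND_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_FIND_HELP += "\n\t\t" + string_special(
    OPTION_BAD_BYTES_SHORT
) + "," + string_special(
    OPTION_BAD_BYTES
) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by commas (e.g '-b 0A,0B,2F')"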
CMD_FIND_HELP += "\n\n\t\t" + string_special(
    OPTION_KEEP_REGS_SHORT
) + "," + string_special(
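# Options of the 'call' command. The long form is what the help text
# documents; the short form is the single-dash alias.
OPTION_BAD_BYTES = '--bad-bytes'
OPTION_BAD_BYTES_SHORT = '-b'

OPTION_CALL = "--call"
OPTION_CALL_SHORT = "-c"

OPTION_KEEP_REGS = '--keep-regs'
OPTION_KEEP_REGS_SHORT = '-k'

OPTION_LIST = "--list"
OPTION_LIST_SHORT = "-l"

OPTION_HELP = "--help"
OPTION_HELP_SHORT = "-h"

# Help text for 'call', assembled incrementally. Literal tabs do the column
# alignment, so keep the escapes as they are when editing.
CMD_CALL_HELP =  banner([string_bold("'call' command"),\
                    string_special("(Call functions with ROPChains)")])
CMD_CALL_HELP += "\n\n\t"+string_bold("Usage:")+\
"\n\t\tcall [OPTIONS]"
CMD_CALL_HELP += "\n\n\t" + string_bold("Options") + ":"
CMD_CALL_HELP += "\n\t\t"+string_special(OPTION_CALL_SHORT)+","+\
    string_special(OPTION_CALL)+" <function>\t Call a function"
CMD_CALL_HELP += "\n\n\t\t" + string_special(
    OPTION_BAD_BYTES_SHORT
) + "," + string_special(
    OPTION_BAD_BYTES
) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by commas (e.g '-b 0A,0B,2F')"
CMD_CALL_HELP += "\n\n\t\t" + string_special(
    OPTION_KEEP_REGS_SHORT
) + "," + string_special(
    OPTION_KEEP_REGS
) + " <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by commas (e.g '-k edi,eax')"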