def shellcode(args): # Parsing arguments if (not args): print_help() return if (args[0] in [OPTION_LIST, OPTION_LIST_SHORT]): func = list_shellcodes elif (args[0] in [OPTION_ADD, OPTION_ADD_SHORT]): func = add elif (args[0] in [OPTION_REMOVE, OPTION_REMOVE_SHORT]): func = remove elif (args[0] in [OPTION_HELP, OPTION_HELP_SHORT]): print_help() return else: error("Error. Unknown option '{}'".format(args[0])) return if (len(args) == 1): error("Architecture missing") print(string_bold("\tSupported architectures")+": "+\ ','.join([string_special(arch) for arch in Arch.available])) elif (not args[1] in Arch.available): error("Architecture {} not supported".format(string_special(args[1]))) print(string_bold("\tSupported architectures")+": "+\ ','.join([string_special(arch) for arch in Arch.available])) else: func(args[1]) return
def strPython(self, bits, badBytes=[], init=True, noTab=False): if (noTab): tab = '' else: tab = '\t' # Getting endianness to pack values if (bits == 32): endianness_str = "'<I'" elif (bits == 64): endianness_str = "'<Q'" else: raise Exception("{}-bits architecture not supported".format(bits)) pack_str = "p += pack(" + endianness_str + "," res = '' if (init): res += tab + "from struct import pack\n" res += tab + "p = ''" for element in self.chain: if (not isinstance(element, Gadget)): padding_str = pack_str padding_str += string_special( '0x' + format(self.paddings[element][0], '0' + str(bits / 4) + 'x')) + ")" padding_str += " # " + self.paddings[element][1] res += "\n" + tab + padding_str else: res += "\n"+tab+pack_str+string_special(validAddrStr(element, badBytes, bits)) +\ ") # " + string_bold(element.asmStr) return res
def show_shellcode(): print(string_bold('\n\t-------------------------------')) print(string_bold("\tSelected shellcode - arch " + string_special(arch))) print(string_bold('\t-------------------------------')) (shellcode, info) = selected(arch) print("\n\t{}\n\n{} - {} bytes".format( info, \ string_special(pack_shellcode(shellcode)), str(len(shellcode))))
def list_regs(): """ List available registers """ print(banner([string_bold("Available registers")])) for reg in sorted(Arch.regNameToNum.keys()): if (reg == Arch.currentArch.ip): print("\t" + string_special(reg) + " - instruction pointer") elif (reg == Arch.currentArch.sp): print("\t" + string_special(reg) + " - stack pointer") else: print("\t" + string_special(reg))
def select_shellcode(arch): """ Returns shellcode pair (shellcode, description) """ if (not shellcodes[arch]): error("No shellcodes available for architecture " + arch) return (None, None) list_shellcodes(arch) print("") choice = None ok = False sys.stdout.write('\t' + string_ropg('> ') + 'Select a shellcode:\n') while (not ok): choice_input = prompt(u" > ") try: choice = int(choice_input) if (choice >= 1 and choice <= len(shellcodes[arch])): ok = True else: print(string_special("\tError. Invalid choice")) except: ok = False return shellcodes[arch][choice - 1]
def build_call_linux64(funcName, funcArgs, constraint, assertion, clmax=None, optimizeLen=False): # Arguments registers # (Args should go in these registers for x64) argsRegsNames = ['rdi','rsi','rdx','rcx', 'r8', 'r9'] argsRegs = [Arch.n2r(name) for name in argsRegsNames] # Find the address of the fonction (funcName2, funcAddr) = getFunctionAddress(funcName) if( funcName2 is None ): return "Couldn't find function '{}' in the binary".format(funcName) # Check if bad bytes in function address if( not constraint.badBytes.verifyAddress(funcAddr) ): return "'{}' address ({}) contains bad bytes".format(funcName2, string_special('0x'+format(funcAddr, '0'+str(Arch.octets()*2)+'x'))) # Check how many arguments if( len(funcArgs) > 6 ): return "Doesn't support function call with more than 6 arguments with Linux X64 calling convention :(" # Find a gadget for the fake return address if( funcArgs ): # Build the ropchain with the arguments args_chain = popMultiple(map(lambda x,y:(x,)+y, argsRegs[:len(funcArgs)], funcArgs), constraint, assertion, clmax=clmax, optimizeLen=optimizeLen) if( not args_chain): return "Couldn't load arguments in registers" else: # No arguments args_chain = ROPChain() # Build call chain (function address + fake return address) return args_chain.addPadding(funcAddr, comment=string_ropg(funcName2))
def remove_shellcode(arch, number): global shellcodes if (number < 1 or number > len(shellcodes[arch])): print(string_special("\tInvalid shellcode number\n")) return False del shellcodes[arch][number - 1] return True
def add(arch): print(banner([string_bold('Adding a new shellcode')])) shellcode = '' ok = False while (not ok): sys.stdout.write('\t' + string_ropg('> ') + 'Enter your shellcode as a string in hex format:\n') shellcode_input = prompt(u" > ") try: shellcode = shellcode_input.replace('\\x', '').decode('hex') ok = True except: ok = False if (not ok): print( string_special( "\tError. Your input is in wrong format or invalid")) sys.stdout.write('\t' + string_ropg('> ') + 'Enter short shellcode name/description:\n') info = "" while (not info): info = prompt(u" > ") info = filter(lambda x: x in set(string.printable), info) add_shellcode(arch, shellcode, info)
def __str__(self): res = self.ret + " " + string_bold(self.name) res += "(" res += ', '.join( [a[0] + " " + string_special(a[1]) for a in self.args]) res += ")" return res
def list_shellcodes(arch): global shellcodes if (arch not in Arch.available): error("Error. Architecture {} is not supported".format(arch)) return if (not shellcodes[arch]): error("No shellcodes available for architecture " + arch) return print( banner([ string_bold("Available shellcodes for arch " + string_special(arch)) ])) i = 0 for shellcode in shellcodes[arch]: i = i + 1 number = "({})".format(string_bold(str(i))) print("\n\t{} {}\n\t{} - {} bytes".format(number, shellcode[1], \ string_special(short_shellcode(shellcode[0])), str(len(shellcode[0]))))
def strConsole(self, bits, badBytes=[]): res = '' for element in self.chain: if (not isinstance(element, Gadget)): element_str = string_special('0x' + format( self.paddings[element][0], '0' + str(bits / 4) + 'x')) element_str += ' (' + self.paddings[element][1] + ')' else: valid_addr_str = validAddrStr(element, badBytes, bits) if (not valid_addr_str): error( "Error! ROP-Chain gadget with no valid address. THIS SHOULD NOT HAPPEND (please report the bug for fixes)" ) return '' element_str = string_special(valid_addr_str) +\ " (" + string_bold(element.asmStr) + ")" if (res != ''): res += "\n\t" + element_str else: res += "\t" + element_str return res
def build_call(funcName, funcArgs, constraint, assertion): # Find the address of the fonction (funcName2, funcAddr) = getFunctionAddress(funcName) if (funcName2 is None): return "Couldn't find function '{}' in the binary".format(funcName) # Check if bad bytes in function address if (not constraint.badBytes.verifyAddress(funcAddr)): return "'{}' address ({}) contains bad bytes".format( funcName2, string_special('0x' + format(funcAddr, '0' + str(Arch.octets() * 2) + 'x'))) # Find a gadget for the fake return address offset = len( funcArgs) * 8 - 8 # Because we do +8 at the beginning of the loop skip_args_chains = [] i = 4 while (i > 0 and (not skip_args_chains)): offset += 8 skip_args_chains = search(QueryType.MEMtoREG, Arch.ipNum(), \ (Arch.spNum(),offset), constraint, assertion, n=1) i -= 1 if (not skip_args_chains): return "Couldn't build ROP-Chain" skip_args_chain = skip_args_chains[0] # Build the ropchain with the arguments args_chain = ROPChain() arg_n = len(funcArgs) for arg in reversed(funcArgs): if (isinstance(arg, int)): args_chain.addPadding(arg, comment="Arg{}: {}".format( arg_n, string_ropg(hex(arg)))) arg_n -= 1 else: return "Type of argument '{}' not supported yet :'(".format(arg) # Build call chain (function address + fake return address) call_chain = ROPChain() call_chain.addPadding(funcAddr, comment=string_ropg(funcName2)) skip_args_addr = int( validAddrStr(skip_args_chain.chain[0], constraint.getBadBytes(), Arch.bits()), 16) call_chain.addPadding(skip_args_addr, comment="Address of: " + string_bold(str(skip_args_chain.chain[0]))) return call_chain.addChain(args_chain)
def print_functions(func_list): """ func_list - list of pairs (str, int) = (funcName, funcAddress) """ space = 28 print(banner([string_bold("Available functions")])) print("\tFunction" + " " * (space - 8) + "Address") print("\t------------------------------------") for (funcName, funcAddr) in sorted(func_list, key=lambda x: x[0]): space2 = space - len(funcName) if (space2 < 0): space2 = 2 print("\t" + string_special(funcName) + " " * space2 + hex(funcAddr)) print("")
def build_call_linux86(funcName, funcArgs, constraint, assertion, clmax=None, optimizeLen=False): # Find the address of the fonction (funcName2, funcAddr) = getFunctionAddress(funcName) if( funcName2 is None ): return "Couldn't find function '{}' in the binary".format(funcName) # Check if bad bytes in function address if( not constraint.badBytes.verifyAddress(funcAddr) ): return "'{}' address ({}) contains bad bytes".format(funcName2, string_special('0x'+format(funcAddr, '0'+str(Arch.octets()*2)+'x'))) # Check if lmax too small if( (1 + len(funcArgs) + (lambda x: 1 if len(x)>0 else 0)(funcArgs)) > clmax ): return "Not enough bytes to call function '{}'".format(funcName) # Find a gadget for the fake return address if( funcArgs ): offset = (len(funcArgs)-1)*Arch.octets() # Because we do +octets() at the beginning of the loop skip_args_chains = [] i = 4 # Try 4 more maximum while( i > 0 and (not skip_args_chains)): offset += Arch.octets() skip_args_chains = search(QueryType.MEMtoREG, Arch.ipNum(), \ (Arch.spNum(),offset), constraint, assertion, n=1, optimizeLen=optimizeLen) i -= 1 if( not skip_args_chains ): return "Couldn't build ROP-Chain" skip_args_chain = skip_args_chains[0] else: # No arguments skip_args_chain = None # Build the ropchain with the arguments args_chain = ROPChain() arg_n = len(funcArgs) for arg in reversed(funcArgs): if( isinstance(arg, int) ): args_chain.addPadding(arg, comment="Arg{}: {}".format(arg_n, string_ropg(hex(arg)))) arg_n -= 1 else: return "Type of argument '{}' not supported yet :'(".format(arg) # Build call chain (function address + fake return address) call_chain = ROPChain() call_chain.addPadding(funcAddr, comment=string_ropg(funcName2)) if( funcArgs ): skip_args_addr = int( validAddrStr(skip_args_chain.chain[0], constraint.getBadBytes(), Arch.bits()) ,16) call_chain.addPadding(skip_args_addr, comment="Address of: "+string_bold(str(skip_args_chain.chain[0]))) return call_chain.addChain(args_chain)
def remove(arch): if (not shellcodes[arch]): error("No shellcodes to remove for architecture " + arch) return list_shellcodes(arch) print("") choice = '' ok = False sys.stdout.write('\t' + string_ropg('> ') + 'Select a shellcode to remove:\n') while (not ok): choice_input = prompt(u" > ") try: choice = int(choice_input) ok = remove_shellcode(arch, choice) if (not ok): print(string_special("\tError. Invalid choice")) except: ok = False print("") notify('Shellcode removed')
import subprocess OPTION_LIST = "--list" OPTION_LIST_SHORT = "-l" OPTION_ADD = "--add" OPTION_ADD_SHORT = "-a" OPTION_REMOVE = "--remove" OPTION_REMOVE_SHORT = "-r" OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" CMD_SHELLCODE_HELP = banner([string_bold("'shellcode' command"),\ string_special("(Manage shellcodes for your exploits)")]) CMD_SHELLCODE_HELP += "\n\n\t"+string_bold("Usage")+\ "\n\t\tshellcode [OPTION] <arch>" CMD_SHELLCODE_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_LIST_SHORT) + "," + string_special( OPTION_LIST) + "\tList available shellcodes" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_ADD_SHORT) + "," + string_special(OPTION_ADD) + "\tAdd a shellcode" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_REMOVE_SHORT) + "," + string_special( OPTION_REMOVE) + "\tRemove a previously added shellcode" CMD_SHELLCODE_HELP += "\n\t\t" + string_special( OPTION_HELP_SHORT) + "," + string_special(OPTION_HELP) + "\tShow this help" CMD_SHELLCODE_HELP += "\n\n\t" + string_bold( "Supported architectures") + ": " + ','.join(
import ropgenerator.Architecture as Arch from ropgenerator.IO import string_bold, info, string_special, banner, notify, error from magic import from_file from base64 import b16decode from random import shuffle, random, randrange, Random # Command options OPTION_ARCH = '--arch' OPTION_ARCH_SHORT = '-a' OPTION_HELP = '--help' OPTION_HELP_SHORT = '-h' # Help for the load command helpStr = banner([ string_bold("'load' command"), string_special("(Load gadgets from a binary file)") ]) helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>" helpStr += "\n\n\t" + string_bold("Options") + ":" helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\ " <arch>"+"\tmanualy specify architecture.\n\t\t\t\t\tAvailable: 'X86', 'X64'" helpStr += "\n\n\t" + string_bold( "Examples" ) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)" def print_help(): print(helpStr) def getPlatformInfo(filename):
# DELIVER-SHELLCODE COMMAND # ################################ # Options OPTION_ADDRESS = '--address' OPTION_ADDRESS_SHORT = "-a" OPTION_RANGE = "--address-range" OPTION_RANGE_SHORT = "-r" OPTION_HELP = '--help' OPTION_HELP_SHORT = '-h' CMD_DSHELL_HELP = banner([string_bold("'deliver-shellcode' command"),\ string_special("(Deliver a shellcode & Execute it)")]) CMD_DSHELL_HELP += "\n\n\t"+string_bold("Description:")+\ "\n\t\tThis method tries to create an executable memory area"+\ "\n\t\t, then copy a given shellcode into this area, and then"+\ "\n\t\t jump to execute this shellcode" CMD_DSHELL_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_DSHELL_HELP += "\n\n\t\t" + string_special( OPTION_ADDRESS_SHORT) + "," + string_special( OPTION_ADDRESS) + " <int>\t Address where to deliver shellcode" CMD_DSHELL_HELP += "\n\n\t\t" + string_special( OPTION_RANGE_SHORT ) + "," + string_special( OPTION_RANGE ) + " \t Memory space that can be used to\n\t\t\t<addr>,<addr>\t deliver the shellcode"
OPTION_KEEP_REGS_SHORT = '-k' OPTION_LIST = "--list" OPTION_LIST_SHORT = "-l" OPTION_FUNCTION = "--call" OPTION_FUNCTION_SHORT = "-c" OPTION_OFFSET="--offset" OPTION_OFFSET_SHORT = "-off" OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" CMD_SYSCALL_HELP = banner([string_bold("'syscall' command"),\ string_special("(Call system functions with ROPChains)")]) CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tsyscall [OPTIONS]" CMD_SYSCALL_HELP += "\n\n\t"+string_bold("Options")+":" CMD_SYSCALL_HELP += "\n\t\t"+string_special(OPTION_FUNCTION_SHORT)+","+\ string_special(OPTION_FUNCTION)+" <function>\t Call a system function" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+\ string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\ string_special(OPTION_LIST)+" [<system>]\t List supported functions" CMD_SYSCALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\ string_special(OPTION_OUTPUT)+\ " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" OPTION_SHORTEST = '--shortest' OPTION_SHORTEST_SHORT = '-s' OPTION_LMAX = '--max-length' OPTION_LMAX_SHORT = '-m' OPTION_OFFSET = '--offset' OPTION_OFFSET_SHORT = '-off' CMD_CALL_HELP = banner([string_bold("'call' command"),\ string_special("(Call functions with ROPChains)")]) CMD_CALL_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tcall [OPTIONS]" CMD_CALL_HELP += "\n\n\t"+string_bold("Options")+":" CMD_CALL_HELP += "\n\t\t"+string_special(OPTION_CALL_SHORT)+","+\ string_special(OPTION_CALL)+" <function>\t Call a function" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_KEEP_REGS_SHORT)+","+string_special(OPTION_KEEP_REGS)+" <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_OFFSET_SHORT)+","+string_special(OPTION_OFFSET)+" <int>\t Offset to add to gadget addresses" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_SHORTEST_SHORT)+","+string_special(OPTION_SHORTEST)+"\t\t Find the shortest matching ROP-Chains" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_LIST_SHORT)+","+\ string_special(OPTION_LIST)+"\t\t List available functions" CMD_CALL_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\ string_special(OPTION_OUTPUT)+\ " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
OPTION_BAD_BYTES_SHORT = '-b' OPTION_CALL = "--call" OPTION_CALL_SHORT = "-c" OPTION_KEEP_REGS = '--keep-regs' OPTION_KEEP_REGS_SHORT = '-k' OPTION_LIST = "--list" OPTION_LIST_SHORT = "-l" OPTION_HELP = "--help" OPTION_HELP_SHORT = "-h" CMD_CALL_HELP = banner([string_bold("'call' command"),\ string_special("(Call functions with ROPChains)")]) CMD_CALL_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tcall [OPTIONS]" CMD_CALL_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_CALL_HELP += "\n\t\t"+string_special(OPTION_CALL_SHORT)+","+\ string_special(OPTION_CALL)+" <function>\t Call a function" CMD_CALL_HELP += "\n\n\t\t" + string_special( OPTION_BAD_BYTES_SHORT ) + "," + string_special( OPTION_BAD_BYTES ) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_CALL_HELP += "\n\n\t\t" + string_special( OPTION_KEEP_REGS_SHORT ) + "," + string_special( OPTION_KEEP_REGS ) + " <regs>\t Registers that shouldn't be modified.\n\t\t\t\t\t Expected format is a list of registers \n\t\t\t\t\t separated by comas (e.g '-k edi,eax')"
OPTION_KEEP_REGS_SHORT = '-k' OPTION_NB_RESULTS_SHORT = '-n' OPTION_LMAX_SHORT = '-m' OPTION_OUTPUT = '--output-format' OPTION_OUTPUT_SHORT = '-f' # Options for output OUTPUT_CONSOLE = 'console' OUTPUT_PYTHON = 'python' OUTPUT_RAW = 'raw' OUTPUT = None # The one choosen # Help for the search command CMD_FIND_HELP = banner([ string_bold("'query' command"), string_special("(Find gadgets/ropchains that execute specific operations)") ]) CMD_FIND_HELP += "\n\n\t"+string_bold("Usage")+":\tfind [OPTIONS] <reg>=<expr>"+\ "\n\t\tfind [OPTIONS] <reg>=mem(<expr>)"+\ "\n\t\tfind [OPTIONS] mem(<expr>)=<expr>"+\ "\n\t\tfind [OPTIONS] int80"+\ "\n\t\tfind [OPTIONS] syscall" CMD_FIND_HELP += "\n\n\t" + string_bold("Options") + ":" CMD_FIND_HELP += "\n\t\t" + string_special( OPTION_BAD_BYTES_SHORT ) + "," + string_special( OPTION_BAD_BYTES ) + " <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_FIND_HELP += "\n\n\t\t" + string_special( OPTION_KEEP_REGS_SHORT ) + "," + string_special(
""" # Definitions of commands CMD_HELP = "help" CMD_LOAD = "load" CMD_CONFIG = "config" CMD_EXIT = "exit" CMD_SEARCH = "semantic" CMD_EXPLOIT = "exploit" helpStr = banner([ string_bold('Main Commands'), string_special('(For more info about a command type <cmd -h>)') ]) helpStr += '\n\t' + string_bold( CMD_LOAD) + ': \t\tload gadgets from a binary file' helpStr += '\n\n\t' + string_semantic(string_bold(CMD_SEARCH)) + \ ': \tEnter semantic-mode (Search for'+'\n\t\t\tgadgets and ROPChains)' helpStr += '\n\n\t' + string_exploit(string_bold(CMD_EXPLOIT)) + \ ': \tEnter exploit-mode (Automated exploit'+'\n\t\t\tgeneration features)' helpStr += '\n\n\t' + string_bold(CMD_HELP) + ': \t\tprint available commands' helpStr += '\n\t' + string_bold(CMD_EXIT) + ': \t\texit ROPGenerator' def main(): print(string_ropg(string_bold(ASCII_art))) initLogs() finish = False
OPTION_LMAX_SHORT = '-m' OPTION_VERBOSE = "--verbose" OPTION_VERBOSE_SHORT = "-v" OPTION_OUTFILE = '--output-file' OPTION_OUTFILE_SHORT = '-o' OPTION_PADDING_BYTE = '--padding-byte' OPTION_PADDING_BYTE_SHORT = '-pb' OPTION_PADDING_LEN = '--padding-len' OPTION_PADDING_LEN_SHORT = '-pl' CMD_PWN_HELP = banner([string_bold("'pwn' command"),\ string_special("(Generate full exploits)")]) CMD_PWN_HELP += "\n\n\t"+string_bold("Usage:")+\ "\n\t\tpwn [OPTIONS] <subcommand> [SUBCOMMAND_OPTIONS]" CMD_PWN_HELP += "\n\n\t"+string_bold("Subcommands")+":" CMD_PWN_HELP += "\n\t(For more info use 'pwn <subcommand> -h')" CMD_PWN_HELP += "\n\n\t\t"+string_special(CMD_DELIVER_SHELLCODE)+"\t Inject a shellcode an execute it" CMD_PWN_HELP += "\n\n\t"+string_bold("Options")+":" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_BAD_BYTES_SHORT)+","+string_special(OPTION_BAD_BYTES)+" <bytes>\t Bad bytes for payload.\n\t\t\t\t\t Expected format is a list of bytes \n\t\t\t\t\t separated by comas (e.g '-b 0A,0B,2F')" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_LMAX_SHORT)+","+string_special(OPTION_LMAX)+" <int>\t Max length of the ROPChain in bytes" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_BYTE_SHORT)+","+string_special(OPTION_PADDING_BYTE)+" <byte> Byte for payload padding" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_PADDING_LEN_SHORT)+","+string_special(OPTION_PADDING_LEN)+" <int>\t Length of payload padding" CMD_PWN_HELP += "\n\n\t\t"+string_special(OPTION_OUTPUT_SHORT)+","+\ string_special(OPTION_OUTPUT)+\ " <fmt> Output format for ropchains.\n\t\t\t\t\t Expected format is one of the\n\t\t\t\t\t following: "+\
from magic import from_file from base64 import b16decode from random import shuffle, random, randrange, Random # Command options OPTION_ARCH = '--arch' OPTION_ARCH_SHORT = '-a' OPTION_ROPGADGET_OPTIONS = '--ropgadget-opts' OPTION_HELP = '--help' OPTION_HELP_SHORT = '-h' OPTION_ROPGADGET_OPTIONS_SHORT = '-r' # Help for the load command helpStr = banner([ string_bold("'load' command"), string_special("(Load gadgets from a binary file)") ]) helpStr += "\n\n\t" + string_bold("Usage") + ":\tload [OPTIONS] <filename>" helpStr += "\n\n\t" + string_bold("Options") + ":" helpStr += "\n\t\t"+string_special(OPTION_ARCH_SHORT)+","+string_special(OPTION_ARCH)+\ " <arch>"+"\t\tmanualy specify architecture.\n\t\t\t\t\t\tAvailable: 'X86', 'X64'" helpStr += '\n\n\t\t'+string_special(OPTION_ROPGADGET_OPTIONS_SHORT)+","+string_special(OPTION_ROPGADGET_OPTIONS)+\ " <opts>"+"\textra options for ROPgadget.\n\t\t\t\t\t\t<opts> must be a list of\n\t\t\t\t\t\toptions between ''"+\ "\n\t\t\t\t\t\te.g: \"-depth 4\"" helpStr += "\n\n\t" + string_bold( "Examples" ) + ":\n\t\tload /bin/ls\t\t(load gadgets from /bin/ls program)\n\t\tload ../test/vuln_prog\t(load gadgets from own binary)" def print_help(): print(helpStr)