mgeeky/Exploit-Development-Tools mgeeky/Exploit-Development-Tools

  • Stars
    star
    140
  • Rank 261,473 (Top 6 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 7 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mgeeky/Exploit-Development-Tools
github

mgeeky

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A bunch of my exploit development helper tools, collected in one place.

Exploit-Development-Tools

A bunch of my exploit development helper tools, that I've developed over time and used, collected in one place. Gathered mostly from my (gists) and/or HDD.

Tools of trade:

  • expdevBadChars - This is a Bad Characters highlighter intended to be used for exploit development purposes. It supports multiple input formats and is able to effectively convert from regex-matching format to the byte array.

    This makes this tool useful while we have for instance shellcode encoded as a Python string concatenation sequence and we want to quickly compare it with the OllyDbg memory that we just dumped (either in textual, printable form or in raw hex binary bytes).

    For more informations, go to: expdevBadChars

  • ascii-shellcode-encoder.py - ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's substract arguments finding algorithm. (Gist)

    Example output:

        [*] Input buffer size: 32 bytes.
    [+] SHELLCODE ENCODED PROPERLY. Resulted length: 207 bytes
    
    --------------------------------------------------------------------------------
    %JMNU%521*TX-fMUU-fKUU-jPUUP\%JMNU%521*-bb3b-b060-t2C2-SSSSP-5qv7-0g7g-*b0b-7777P-PB0v-mmmm-v6vp-L8KaP-vvrv-4v0v-1K-w-ffffP-nn5n-uu*p-gf1t-iiiiP-VVVn-MmMM-StrS-Duv6P-%9Hx-0Bfk-84fz-ffffP-UUUU-gyUU-uzqq-xwkNP
    --------------------------------------------------------------------------------
    
    [+] HEX FORM:
    254a4d4e55253532312a54582d664d55552d664b55552d6a505555505c254a4d4e55253532312a2d626233622d623036302d743243322d53535353502d357176372d306737672d2a6230622d37373737502d504230762d6d6d6d6d2d763676702d4c384b61502d767672762d347630762d314b2d772d66666666502d6e6e356e2d75752a702d676631742d69696969502d5656566e2d4d6d4d4d2d537472532d44757636502d253948782d3042666b2d3834667a2d66666666502d555555552d677955552d757a71712d78776b4e50
    
    [+] ESCAPED-HEX FORM:
    \x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x54\x58\x2d\x66\x4d\x55\x55\x2d\x66\x4b\x55\x55\x2d\x6a\x50\x55\x55\x50\x5c\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x33\x62\x2d\x62\x30\x36\x30\x2d\x74\x32\x43\x32\x2d\x53\x53\x53\x53\x50\x2d\x35\x71\x76\x37\x2d\x30\x67\x37\x67\x2d\x2a\x62\x30\x62\x2d\x37\x37\x37\x37\x50\x2d\x50\x42\x30\x76\x2d\x6d\x6d\x6d\x6d\x2d\x76\x36\x76\x70\x2d\x4c\x38\x4b\x61\x50\x2d\x76\x76\x72\x76\x2d\x34\x76\x30\x76\x2d\x31\x4b\x2d\x77\x2d\x66\x66\x66\x66\x50\x2d\x6e\x6e\x35\x6e\x2d\x75\x75\x2a\x70\x2d\x67\x66\x31\x74\x2d\x69\x69\x69\x69\x50\x2d\x56\x56\x56\x6e\x2d\x4d\x6d\x4d\x4d\x2d\x53\x74\x72\x53\x2d\x44\x75\x76\x36\x50\x2d\x25\x39\x48\x78\x2d\x30\x42\x66\x6b\x2d\x38\x34\x66\x7a\x2d\x66\x66\x66\x66\x50\x2d\x55\x55\x55\x55\x2d\x67\x79\x55\x55\x2d\x75\x7a\x71\x71\x2d\x78\x77\x6b\x4e\x50
    
    [+] PYTHON COMPACT SEXY FORM:
    	shellcode += r"%JMNU%521*TX-fMUU-fK"
    	shellcode += r"UU-jPUUP\%JMNU%521*-"
    	shellcode += r"bb3b-b060-t2C2-SSSSP"
    	shellcode += r"-5qv7-0g7g-*b0b-7777"
    	shellcode += r"P-PB0v-mmmm-v6vp-L8K"
    	shellcode += r"aP-vvrv-4v0v-1K-w-ff"
    	shellcode += r"ffP-nn5n-uu*p-gf1t-i"
    	shellcode += r"iiiP-VVVn-MmMM-StrS-"
    	shellcode += r"Duv6P-%9Hx-0Bfk-84fz"
    	shellcode += r"-ffffP-UUUU-gyUU-uzq"
    	shellcode += r"q-xwkNP"

    It is possible also to generate list of SUB instructions to compute only one DWORD:

        kali $ ./ascii-shellcode-encoder.py 0x1688
    [*] Input buffer size: 4 bytes.
    [+] SHELLCODE ENCODED PROPERLY. Resulted length: 21 bytes
    
    --------------------------------------------------------------------------------
    -A777-i%%%-r2II-\ZZZP
    --------------------------------------------------------------------------------
    
    [+] HEX FORM:
    2d413737372d692525252d723249492d5c5a5a5a50
    
    [+] ESCAPED-HEX FORM:
    \x2d\x41\x37\x37\x37\x2d\x69\x25\x25\x25\x2d\x72\x32\x49\x49\x2d\x5c\x5a\x5a\x5a\x50
    
    [+] PYTHON COMPACT SEXY FORM:
    	shellcode += r"-A777-i%%%-r2II-\ZZZ"
    	shellcode += r"P"

  • format_string_vuln_gen.py - Format String vulnerability input generator to be used during exploit development stage at constructing stable x86 (32bit) input vectors. (Gist)

    Example usage scenario - Using Format String vulnerability, we want to overwrite two DWORDs at specified addresses with some specific values:

    root# ./gen_format_string.py 0xbffff50c,0xbffff514 14 $'\x90\x31\xe6\xb7' $'\x24\x3a\xf8\xb7' -n 1
      
    .:: x86/32bit Format string generator ::.
    - by mgeeky, 2016, v0.3a
     
    [>] Addresses to overwrite: ['0xbffff50c', '0xbffff514']
    (...)
    Resulted format string to use (116 bytes long / 0x74) padded in front with 1 dots to mimic offset:
    
    $'.\x0c\xf5\xff\xbf\x0e\xf5\xff\xbf\x14\xf5\xff\xbf\x16\xf5\xff\xbf%12671x%14$hn%34390x%15$hn%33342x%16$hn%32212x%17$hn'

  • lindump - simple process memory dumping utility based on ptrace

        :: lindump v0.1
    Simple Linux process memory dumping utility based on ptrace
    Mariusz Banach, '16
    
    Usage: lindump [options] <pid> [start [stop|Llen]]
    
    Arguments:
    	<pid>	Process ID
    	start	Dumping start address, may be 0x for hex, or not for dec.
    	stop	Upper address to reach while dumping.
    		When preceded with letter 'L' stands for length
    	Llen	Specifies number of bytes to dump. Also may be preceded with 0x (e.g. L0x10)
    
    Options:
    	-o	Memory dumps output directory (stdout hexdump otherwise, '-' for stdout)
    	-f	Force dumping of unreadable or inaccessible regions (still not a brute force)
    	-v	Verbose output.
    	-h	This cruft

  • dlresolve - dynamic symbol resolve utility useful while in need of obtainin symbol's address and it's offset relative to the libc's base (handy while crafting ASLR exploits)

        ./dlresolve system
    [+] libc comes from:		/lib/x86_64-linux-gnu/libc-2.19.so
    [+] libc loaded at:		0x7f44e2b24000
    [+] system located at:		0x7f44e2b65490
    [+] Offset from libc base:	0x00041490

  • python_memory_dump.py - Example of dumping memory from within Python's code, using ctypes.c_byte.from_address (Gist)

    Example usage:

        $ ./python_memory_dump.py 
    Hex dump from 0x000055b92c7c2000
    0000 | 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  | .ELF............
    0010 | 03 00 3e 00 01 00 00 00 10 42 0d 00 00 00 00 00  | ..>......B......
    0020 | 40 00 00 00 00 00 00 00 38 4c 39 00 00 00 00 00  | @.......8.9.....
    0030 | 00 00 00 00 40 00 38 00 09 00 40 00 1e 00 1d 00  | [email protected]...@.....
    0040 | 06 00 00 00 05 00 00 00 40 00 00 00 00 00 00 00  | ........@.......
    0050 | 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  | @.......@.......
    0060 | 08 01 00 00 00 00 00 00 08 01 00 00 00 00 00 00  | ................
    0070 | 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00  | ................
    0080 | 38 02 00 00 00 00 00 00 38 02 00 00 00 00 00 00  | 8.......8.......
    0090 | 38 02 00 00 00 00 00 00 1c 00 00 00 00 00 00 00  | 8...............
    00a0 | 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  | ................
    00b0 | 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00  | ................
    00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  | ................
    00d0 | 0c 2d 32 00 00 00 00 00 0c 2d 32 00 00 00 00 00  | .-2......-2.....
    00e0 | 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00  | .. .............
    00f0 | 38 39 32 00 00 00 00 00 38 39 52 00 00 00 00 00  | .92......9R.....

  • kernel_dump_seh.wds - Windbg script that dumps Structured Exception Handlers linked-list from Kernel Mode KPCR structure. Useful while working on Kernel-Mode SEH-based exploitation. (Gist) Example output:

     	0: kd> $$><C:\Users\ieuser\Desktop\dump_seh.wds
 	KPCR. = 0x8293dc00
 	KPCR.NtTib.ExceptionList = 0x829371ec

 	SEH[00]: Next: 0x82937254, Handler: 0x828d36f0
 	SEH[01]: Next: 0x82937ad4, Handler: 0x828d36f0
 	SEH[02]: Next: 0x82937c04, Handler: 0x828d36f0
 	SEH[03]: Next: 0x9a1092e4, Handler: 0x828d36f0
 	SEH[04]: Next: 0x9a1093ec, Handler: 0x828d36f0
 	SEH[05]: Next: 0x9a109a34, Handler: 0x8288aad6
 	SEH[06]: Next: 0x9a109b3c, Handler: 0x828d36f0
 	SEH[07]: Next: 0x9a10a184, Handler: 0x8288aad6
 	SEH[08]: Next: 0x9a10a28c, Handler: 0x828d36f0
 	SEH[09]: Next: 0x9a10a8d4, Handler: 0x8288aad6
 	SEH[10]: Next: 0x9a10a9dc, Handler: 0x828d36f0
 	SEH[11]: Next: 0x9a10b024, Handler: 0x8288aad6
 	SEH[12]: Next: 0x9a10b12c, Handler: 0x828d36f0
 	SEH[13]: Next: 0x9a10b76c, Handler: 0x8288aad6
 	SEH[14]: Next: 0x9a10bac0, Handler: 0x828d36f0
 	SEH[15]: Next: 0x35724134, Handler: 0x41367241
 		^-- Broken Handler.

  • printable.sh - One liner determining whether Metasploit's msfpescan's output addresses are printable (contain only ascii characters) or not. (Gist)

  • pexpect-interactive.py - Basic Python's pexpect usage routines in interactive process invocation. Especially handy when it comes to heap-overflow or Use-After-Free exploits, since such process interaction in python may be cumbersome without proper process I/O primitives. (Gist)

  • request2size.c - Simple utility calculating some basic heap chunk's characteristics like chunk size, bin index and it's range - according to original Doug Lea's heap allocator implementation. Useful while grasping Heap Overflow binning conditions. (Gist)

  • find-aslr-collision.sh - Find ASLR collision bash one-liner. (Gist) For the record:

    • x86 ( Linux protostar 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux) ASLR collision found after: 903 re-launch. (it takes no more than couple of seconds )

    • x86_64 ( Linux work 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux ) ASLR collision found after: 304610 re-launch. (it took roughly 16 minutes )

  • findInstr.sh - Ultra simple Assembly instruction grepper rolling byte-by-byte within target's .text section - to be used while looking for trampoline address for ROP/Exploit (Gist)

  • bin2shellcode.py - Binary blob to C-array simple converting script. Useful when embedding compiled binary shellcode within C program. (Gist)

  • execve.c - Example of simple execve("/bin/sh", ...) shellcode, embedded in C program. (Gist)

  • memory-occupied-by-process.sh - Bash oneliner counting number of bytes occupied by chosen (by PID) process. It works by iterating /proc/$PID/maps file, then computing each memory region range size, then adding it together. Kinda slow though. Worth to mention - it is terribly bad at performance, having written this oneliner I realized we can use /proc/$PID/smaps to obtain the same result much faster. (Gist)

  • shellc2bin.py - Shellcode 2 binary script that reads C-formatted array from Windows clipboard and converts it to binary output written to desired file. (Gist)

  • encshell.py - x86 Shellcode XOR-based encoder intended to do away forbidden chars. Came handy to me several times :-) (Gist)

  • shellcode_win32_netw_active.asm - Win32/x86 Reverse-Shell Shellcode written by hand, with dynamic API resolution.

  • shellcode_win32_spawn_cmd.asm - Win32/x86 Spawn CMD shellcode with dynamic API resolution.

β˜• Show Support β˜•

This and other projects are outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, Consider buying me a coffee (or better a beer) just to say thank you! πŸ’ͺ

Author

   Mariusz Banach / mgeeky, 21
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky)

More Repositories

1

Penetration-Testing-Tools

A collection of more than 170+ tools, scripts, cheatsheets and other loots that I've developed over years for Red Teaming/Pentesting/IT Security audits purposes.
PowerShell
2,514
star
2

ThreadStackSpoofer

Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
C++
1,035
star
3

cobalt-arsenal

My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
PowerShell
1,033
star
4

RedWarden

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
Python
922
star
5

ShellcodeFluctuation

An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
C++
922
star
6

ProtectMyTooling

Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.
PowerShell
869
star
7

PackMyPayload

A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
Python
853
star
8

decode-spam-headers

A script that helps you understand why your E-Mail ended up in Spam
Python
558
star
9

Stracciatella

OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
C#
494
star
10

ElusiveMice

Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
C
417
star
11

tomcatWarDeployer

Apache Tomcat auto WAR deployment & pwning penetration testing tool.
Python
409
star
12

UnhookMe

UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware
C++
341
star
13

SharpWebServer

Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality
C#
279
star
14

AzureRT

AzureRT - A Powershell module implementing various Azure Red Team tactics
PowerShell
227
star
15

expdevBadChars

Bad Characters highlighter for exploit development purposes supporting multiple input formats while comparing.
Python
202
star
16

msidump

MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams, binary data and incorporates YARA scanner.
Python
191
star
17

RobustPentestMacro

This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
VBScript
144
star
18

VisualBasicObfuscator

Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.
Python
135
star
19

msi-shenanigans

Proof of Concept code and samples presenting emerging threat of MSI installer files.
Python
77
star
20

PE-library

Lightweight Portable Executable parsing library and a demo peParser application.
C++
72
star
21

HEVD_Kernel_Exploit

Exploits pack for the Windows Kernel mode driver HackSysExtremeVulnerableDriver written for educational purposes.
C++
63
star
22

procmon-filters

SysInternals' Process Monitor filters repository - collected from various places and made up by myself. To be used for quick Behavioral analysis of testing specimens. Inspired and based on Lenny Zeltser's collection.
58
star
23

PhishingPost

PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter
PHP
56
star
24

burpContextAwareFuzzer

BurpSuite's payload-generation extension aiming at applying fuzzed test-cases depending on the type of payload (integer, string, path; JSON; XML; GWT; binary) and following encoding-scheme applied originally.
Python
39
star
25

CustomXMLPart

A PoC weaponising CustomXMLPart for hiding malware code inside of Office document structures.
VBA
37
star
26

dirbuster

wfuzz, SecLists and john -based dirbusting / forceful browsing script intended to be used during web pentest assingments
Shell
34
star
27

ntfs-journal-viewer

Utterly simple NTFS Journal dumping utility. Handy when it comes to Computer Forensics and Malware Forensics Ops.
C
33
star
28

digitalocean-app-redirector

Reverse-HTTP Redirector via DigitalOcean Apps Platform
Python
27
star
29

LISET

Light System Examination Toolkit (LISET) - logs & activity & configuration gathering utility that comes handy in fast Windows incident response (either forensic or malware oriented).
Batchfile
27
star
30

RPISEC-MBE-Solutions

Solutions to the RPISEC MBE / Modern Binary Exploitation VM & course.
Python
19
star
31

prc_xchk

User-mode process cross-checking utility intended to detect naive malware hiding itself by hooking IAT/EAT.
C++
17
star
32

PEInfo

Another Portable Executable files analysing stuff
C++
17
star
33

mgeeky

9
star
34

stegano1

College project implementing some of the compression and image steganographic algorithms.
C++
5
star
35

DISASM

Simple disassembling library (currently only x86)
C++
4
star
36

linux-utils

Some linux utils I've coded and decided to share.
C
2
star
37

Symulacja-Reaktora-Jadrowego

(Polish only) Program przygotowywany na uczelnie w ramach kursu "Symulacje Komputerowe". Przedstawia hipotetyczna prace reaktora jadrowego w roznych stanach i konfiguracjach.
MATLAB
1
star