dash/Win32_Exploitation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

repo push

Browse Source
This commit is contained in:
c0decave
2021-09-10 12:39:21 +02:00
parent 37bb96d47f
commit e00ac3bf10
17 changed files with 5782 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
tools/eax_sub_encoder.py Normal file
View File

@@ -0,0 +1,191 @@
#!/usr/bin/python
#
# The following Python code will take shellcode (buf variable)
# and create SUB instructions that will generate shellcode four
# bytes at a time and push them to the stack.
#
# The trick with this code is that EAX needs to be zeroed out before
# each new set of SUB instructions. Also, the stack needs to be
# aligned to be where you can execute the pushed instructions. All of
# this is left to the reader.
#
# Author: Absane (blog.noobroot.comu)
# Modified by: Alton Johnson (alton.jx@gmail.com)
#
# Last Updated: March 12, 2015 (by Alton Johnson)
#
import sys, os, getopt
from random import choice
from sys import argv
total_length = 0
### CHARACTERS THAT ARE ALLOWED ###
code = ''
goodchars = []
# Add all characters to the "good character" list. Replaced with -g
for i in range(0, 256):
goodchars.append(format(i, "#04x").replace("0x", ""))
def compl(hexvalue):
return int("FFFFFFFF",16) - int(hexvalue,16)+1
def findvalues(code, carry, last):
total = 9999999999
wastetime = 99999
while (total != int(code,16)):
a = choice(goodchars)
b = choice(goodchars)
c = choice(goodchars)
total = int(a,16) + int(b,16) + int(c,16)+carry
if (( total - 256 == int(code,16) ) and (last != 1) & wastetime < 1):
return (a,b,c,1)
wastetime += -1
return (a,b,c,0)
def encode(x):
global code, total_length
y = x
endian = (y[6] + y[7]) + (y[4] + y[5]) + (y[2] + y[3]) + (y[0] + y[1])
twocompl = compl(endian)
k = str(hex(twocompl))[2:99].strip("L")
k = "0" * ( 8 - len(k) ) + k
first = k[0:2]
second= k[2:4]
third = k[4:6]
fourth= k[6:8]
a = findvalues(fourth,0,0)
b = findvalues(third,a[3],0)
c = findvalues(second,b[3],0)
d = findvalues(first,c[3],1)
output = ''
final = ''
plain = []
for i in range(0,3):
for k in (a,b,c,d):
output += "\\x" + k[i]
plain.append(k[i])
final += '\n\"\\x2d' + output + "\""
total_length += (len(output)/4+1)
final += "\t# SUB EAX," + plain[3] + plain[2] + plain[1] + plain[0]
output = ''
plain = []
code += "\n# Encoded: " + x
code += "\n\"" + r"\x25\x41\x41\x41\x41" + "\"\t# SUB EAX,41414141"
code += "\n\"" + r"\x25\x3E\x3E\x3E\x3E" + "\"\t# SUB EAX,3E3E3E3E"
code += final
code += "\n\"" + r"\x50" + "\"\t\t\t# PUSH EAX\n"
total_length += 11
def encoden(x):
global code, total_length
y = x
endian = (y[6] + y[7]) + (y[4] + y[5]) + (y[2] + y[3]) + (y[0] + y[1])
twocompl = compl(endian)
k = str(hex(twocompl))[2:99].strip("L")
k = "0" * ( 8 - len(k) ) + k
first = k[0:2]
second= k[2:4]
third = k[4:6]
fourth= k[6:8]
a = findvalues(fourth,0,0)
b = findvalues(third,a[3],0)
c = findvalues(second,b[3],0)
d = findvalues(first,c[3],1)
output = ''
final = ''
plain = []
for i in range(0,3):
for k in (a,b,c,d):
output += "\\x" + k[i]
plain.append(k[i])
final += '\\x2d' + output + ""
total_length += (len(output)/4+1)
output = ''
plain = []
code += "\n# Encoded: " + x
code += "\n\"" + r"\x25\x41\x41\x41\x41"
code += r"\x25\x3E\x3E\x3E\x3E"
code += final
code += r"\x50" + "\"" + "\""
total_length += 11
def main(shell):
global total_length
k = shell
while ( len(k)/2 % 4 != 0):
k += '90'
total_length += 1
z = ''
line = ''
rshell = []
for i in range(0, len(k), 8):
for j in range(0,8):
z += k[i + j]
line = z + line
rshell = [line] + rshell
line = ''
z = ''
for i in rshell:
encode(i)
for i in rshell:
encoden(i)
def help():
print ("\n Usage: %s <OPTIONS>" % argv[0])
print ("\n -s <string>\tEncode bytes from stdin (\\x00 format).")
print (" -f <file>\tEncodes shellcode from a file (\\x00 format).")
print (" -g <file>\tOptional parameter that restricts encoder to goodbytes. (\\x00 format).")
print ("\n Usage example: %s -s \"\\x75\\xE7\\xFF\\xE7\"" % argv[0])
print (" Usage example: %s -f shellcode.txt -g good_chars.txt\n" % argv[0])
exit()
def start(argv):
buf = ""
global code
global goodchars
if len(argv) < 1:
help()
try:
opts, args = getopt.getopt(argv, "f:s:g:")
except getopt.GetoptError as err:
print ("\n Error: %s" % err)
help()
for opt, arg in opts:
if opt == "-s":
buf = arg
buf = buf.replace("\\x","").replace("x","")
elif opt == "-g":
good_file = open(arg).read().replace("\n", "").replace("\\x", "").replace("\"", "")
goodchars = [good_file[i:i+2] for i in range(0, len(good_file), 2)][:-1]
elif opt == "-f":
try:
buf = open(arg).read().replace("\\x","").replace("\n","").replace("\"","")
except Exception as err:
print ("\n Error: %s" % err)
exit()
main(buf)
code = code[:-1]
print ("\nencoded_shellcode = (", code + "\n)")
if __name__ == "__main__":
try:
start(argv[1:])
print ("\nTotal length in bytes: " + str(total_length) + "\n")
except Exception as err:
print ("\n Error: %s" % err)
except KeyboardInterrupt:
print ("\nExiting per user's request (ctrl-c)")
exit()

405
tools/findjmp.cpp Normal file
View File

@@ -0,0 +1,405 @@
/*
Findjmp.c
written by Ryan Permeh - ryan at eeye - Summarily modified by I2S-LaB.com
http://www.eeye.com
Findjmp2.c (pop/pop/ret scanner, logging to file)
version by A.D - class101 at hat-squad
http://class101.org, http://www.hat-squad.com
This finds useful jump points in a dll. Once you overflow a buffer, by
looking in the various registers, it is likely that you will find a
reference to your code. This program will find addresses suitible to
overwrite eip that will return to your code.
It should be easy to modify this to search for other good jump points,
or specific code patterns within a dll.
It currently supports looking for:
1. jmp reg
2. call reg
3. push reg
ret
All three options result in the same thing, EIP being set to reg.
It also supports the following registers:
EAX
EBX
ECX
EDX
ESI
EDI
ESP
EBP
*/
#include <iostream.h>
#include <fstream.h>
#include <Windows.h>
#include <stdio.h>
FILE *fplog;
void usage();
void sep();
void iok(BYTE *curpos, char *reg);
void iok2(BYTE *curpos, char *reg);
void ook(BYTE *curpos, char *reg);
void ook2(BYTE *curpos, char *reg);
DWORD GetRegNum( char *reg );
void findjmp( char *dll, char *reg );
//This finds useful jump points in a dll. Once you overflow a buffer, by
//looking in the various registers, it is likely that you will find a
//reference to your code. This program will find addresses of suitible
//addresses of eip that will return to your code.
int main( int argc, char **argv )
{
if( argc <= 2 )
usage();
else
{
char dll[512], //holder for the dll to look in
reg[512]; // holder for the register
if ((fplog =fopen("findjmp.txt","r"))==NULL){
fplog =fopen("findjmp.txt","w");}
else fplog =fopen("findjmp.txt","a");
strncpy( dll, argv[1], 512 );
strncpy( reg, argv[2], 512 );
findjmp( dll, reg );
}
return 0;
}
//This prints the usage information.
void usage()
{
printf("\nFindjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\nFindJmp DLL registre\nEx: findjmp KERNEL32.DLL esp"\
"\nCurrently supported registre are: EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP\n" );
}
//findjmp is the workhorse. it loads the requested dll, and searches for
//the specific patterns for jmp reg, push reg ret, and call reg
void findjmp( char *dll,char *reg )
{
char reg1[]="eax";char reg2[]="ebx";
char reg3[]="ecx";char reg4[]="edx";
char reg5[]="esi";char reg6[]="edi";
char reg7[]="esp";char reg8[]="ebp";
BYTE jmppat[8][2]={ { 0xFF, 0xE0 }, { 0xFF, 0xE3 }, { 0xFF, 0xE1 }, { 0xFF, 0xE2 },
{ 0xFF, 0xE6 }, { 0xFF, 0xE7 }, { 0xFF, 0xE4 }, { 0xFF, 0xE5 } }; // patterns for jmp ops
BYTE callpat[8][2]={ { 0xFF, 0xD0 }, { 0xFF, 0xD3 }, { 0xFF, 0xD1 }, { 0xFF, 0xD2},
{ 0xFF, 0xD6 }, { 0xFF, 0xD7 }, { 0xFF, 0xD4 }, { 0xFF, 0xD5 } }; // patterns for call ops
BYTE pushretpat[8][2]={ { 0x50, 0xC3 }, { 0x53, 0xC3 }, { 0x51, 0xC3 }, { 0x52, 0xC3 },
{ 0x56, 0xC3 }, { 0x57, 0xC3 }, { 0x54, 0xC3 }, { 0x55, 0xC3 } }; // patterns for pushret ops
BYTE poppat[8][1]={ { 0x58 }, { 0x5B }, { 0x59 }, { 0x5A }, // patterns for pop,pop,ret
{ 0x5E }, { 0x5F }, { 0x5C }, { 0x5D },};
BYTE retn[1][1]={ 0xC3 }; // pattern for pop,pop,ret
BYTE retnbis[1][1]={ 0xC2 }; // pattern for pop,pop,ret
HMODULE loadedDLL; //base pointer for the loaded DLL
BYTE *curpos; //current position within the DLL
BYTE *curpos2; //subposition pop,pop,ret
DWORD regnum=GetRegNum(reg); // decimal representation of passed register
DWORD regnum1=GetRegNum(reg1);DWORD regnum2=GetRegNum(reg2);
DWORD regnum3=GetRegNum(reg3);DWORD regnum4=GetRegNum(reg4);
DWORD regnum5=GetRegNum(reg5);DWORD regnum6=GetRegNum(reg6);
DWORD regnum7=GetRegNum(reg7);DWORD regnum8=GetRegNum(reg8);
DWORD numaddr=0; //accumulator for addresses
if( regnum == -1 ) //check if register is useable
{ //it didn't load, time to bail
printf( "There was a problem understanding the register.\n"\
"Please check that it isa correct IA32 register name\n"\
"Currently supported are:\n "\
"EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP\n"\
);
exit(-1);
}
if( (loadedDLL=LoadLibraryA(dll)) == NULL) // check if DLL loaded correctly
{ //it didn't load, time to bail
printf( "There was a problem Loading the requested DLL.\n"\
"Please check that it is in your path and readable\n" );
exit(-1);
}
else
{
sep();
fprintf(fplog,"Findjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\n");
printf("\nFindjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\n");
printf( "Scanning %s for code useable with the %s register\n", dll, reg ); //we loaded the dll correctly, time to scan it
fprintf(fplog,"Scanning %s for code useable with the %s register\n", dll, reg ); //we loaded the dll correctly, time to scan it
sep();
curpos=(BYTE*)loadedDLL; //set curpos at start of DLL
curpos2=(BYTE*)loadedDLL; //pop,pop,ret subscan.
__try
{
while(1)
{
Sleep(1/10);
if( !memcmp( curpos, jmppat[regnum], 2) ) //check for jmp match
{
printf( "0x%X\tjmp %s\n", curpos, reg ); // we have a jmp match
fprintf(fplog,"0x%X\tjmp %s\n", curpos, reg ); // we have a jmp match
numaddr++;
}
else if( !memcmp( curpos, callpat[regnum],2) ) //check for call match
{
printf( "0x%X\tcall %s\n", curpos, reg ); // we have a call match
fprintf(fplog,"0x%X\tcall %s\n", curpos, reg );
numaddr++;
}
else if( !memcmp(curpos,pushretpat[regnum], 2) ) //check for push/ret match
{
printf( "0x%X\tpush %s - ret\n", curpos, reg ); // we have a pushret match
fprintf(fplog,"0x%X\tpush %s - ret\n", curpos, reg ); // we have a jmp match
numaddr++;
}
else if( !memcmp(curpos,poppat[regnum], 1) ) //check for pop/pop/ret match
{
curpos2++;
if( !memcmp(curpos2,poppat[regnum1], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum2], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum3], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum4], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum5], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum6], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum7], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
if( !memcmp(curpos2,poppat[regnum8], 1) )
{
curpos2++;
if( !memcmp(curpos2,retn, 1) )
{
iok(curpos, reg); // we have a popopret match
ook(curpos, reg); // we have a popopret match
numaddr++;
}
if( !memcmp(curpos2,retnbis, 1) )
{
iok2(curpos, reg); // we have a popopret match
ook2(curpos, reg); // we have a popopret match
numaddr++;
}
curpos2--;curpos2--;goto loop;
}
curpos2--;
}
loop:
curpos++;
curpos2++;
}
}
__except(1)
{
sep();
fprintf( fplog,"Finished Scanning %s for code useable with the %s register\n", dll, reg );
printf( "Finished Scanning %s for code useable with the %s register\n", dll, reg );
printf( "Found %d usable addresses\n", numaddr );
fprintf( fplog,"Found %d usable addresses\n", numaddr );sep();fprintf( fplog,"\n\n\n");
}
}
}
DWORD GetRegNum( char *reg )
{
DWORD ret=-1;
if( !stricmp( reg, "eax") )
{
ret=0;
}
else if( !stricmp( reg, "ebx") )
{
ret=1;
}
else if( !stricmp( reg, "ecx") )
{
ret=2;
}
else if( !stricmp( reg, "edx") )
{
ret=3;
}
else if( !stricmp( reg, "esi") )
{
ret=4;
}
else if( !stricmp( reg, "edi") )
{
ret=5;
}
else if( !stricmp( reg, "esp") )
{
ret=6;
}
else if( !stricmp( reg, "ebp") )
{
ret=7;
}
return ret; //return our decimal register number
}
void sep()
{
fprintf(fplog,"----------------------------------------------------------------------------\n");
}
void iok(BYTE *curpos, char *reg)
{
printf( "0x%X\tpop %s - pop - ret\n", curpos, reg ); // we have a popopret match
}
void iok2(BYTE *curpos, char *reg)
{
printf( "0x%X\tpop %s - pop - retbis\n", curpos, reg ); // we have a popopret match
}
void ook(BYTE *curpos, char *reg)
{
fprintf(fplog,"0x%X\tpop %s - pop - ret\n", curpos, reg ); // we have a jmp match
}
void ook2(BYTE *curpos, char *reg)
{
fprintf(fplog,"0x%X\tpop %s - pop - retbis\n", curpos, reg ); // we have a jmp match
}
// EOF

BIN
tools/findjmp.exe Normal file
View File

Binary file not shown.

15
tools/findpattern.py Normal file
View File

@@ -0,0 +1,15 @@
#!/usr/bin/python3
from pwn import *
def main():
address = raw_input("[+] Enter address from debugger: ").strip()
hex_address = "0x" + address
unpacked = p32(int(hex_address, 16))
print("[+] Offset is: " + str(cyclic_find(unpacked)))
if __name__ == "__main__":
main()

5171
tools/pvefindaddr.py Normal file
View File

File diff suppressed because it is too large Load Diff