| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
This branch features changes to Sploit's 'user-interface' and some QoL
fixes pertaining to target communications.
Sploit's logging module is rewritten to make the normal text
output more readable, and all console output is now globally
filtered through it.
Explicit daemon mode is removed (now implicit) to support a new
Sploit invocation method: shebangs!
Some logging inconsistencies are addressed in the comms
front-end, and Sploit now shuts down the output stream after
user-supplied scripts finish.
* sploit-io:
sploit: Automatically shutdown outgoing comms after script execution
sploit: Catch KeyboardInterrupt in Comm.readall()
sploit: Ensure the logonread option is restored by Comm.readuntil()
sploit: Add logonwrite option to comms
sploit: Check logonread in function Comm.readall()
sploit: Add startup banner
sploit: Rework logger
sploit: Remove -d/--daemon option
|
|
A new function, Comm.shutdown(), is added. It will close only the
stdout stream of the communications backend, potentially making the
termination of the target program more fluid.
The name 'shutdown' is chosen to emulate shutdown(2) from the low-level
socket api, which is used to close just part of a full-duplex file
descriptor. This is in contrast to 'close', which I would expect to
completely terminate the given object IO.
comm.shutdown() is now called by main.py, after the user script returns,
to ensure that the subsequent readall() doesn't get stuck because our
target is blocked reading its stdin.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If execution is stuck inside readall() (for example, due to blocked IO),
handling KeyboardInterrupt allows the user a way to get out, without
exiting the active script early or losing the data read so far.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
This function has a momentary side-effect of switching self.logonread to
False. This patch ensures its original value is always restored, even
if an exception is raised.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If enabled, data sent to the target will be printed/logged as alt text,
similar to data directly printed by the user. Feature is off by
default.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
This function will no longer mistakenly log data when logonread is set
to False.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
This just adds a fancy 'SPLOIT' header to the beginning of Sploit's
startup preamble data. It has the ability to display a few lines of
text beside itself, but most of the things we've planned to put here are
not available yet, so just the operating mode is printed for now.
The SPLOIT text has a colored stripe which, at the moment, also
indicates the operating mode. This stripe was originally chosen to
balance out the amount of color present in the preamble text, but I've
grown to like it.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The log module is updated to support binary encodings, colors, and for
improved compatibility with Python's print() builtin.
Encoding semantics are switched up, since it seems like some of the more
interesting encoding modes (from a CTF perspective) actually use
bytes-like objects as their high-level form (that is, bytes are encoded
to another form, such as hex, then decoded back to the original form).
So the logged value is now passed to encode instead of decode, and only
if the object is of type 'bytes', as unicode strings are now considered
out-of-scope for this operation. Additionally, the bytes wrapper (b'')
is no longer visible in the logged content.
For readability, several standard colors have been defined for use
within Sploit:
- RED: Errors
- YELLOW: Warnings
- GREEN: Status messages / Startup messages
- WHITE: Target output
- GRAY: User output / Alt text
Logging functions now support an optional color option to select the
desired color, and have specific defaults based on who is invoking the
log (see below...)
Logging functions are now also fully compatible with the builtin print()
function. This is because Sploit now replaces the standard print() with
a logging function within the user's script (which is done to maintain
additional consistency of messages displayed in the console).
Function ilog (internal log) has default values tuned for the library's
convenience: Text goes to stderr, and is presented as status messages
(green).
Function elog (external log) has default values tuned for the user: Text
goes to stdout, and is presented as alt text to distinguish it from data
read from the target. Within the user context, 'print' refers to this
function.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
A couple of facts have influenced the decision to remove this option:
- If a sploit script uses a shebang to launch sploit, it is
tricky to specify this option. Specifically, one must add it
to their shebang line, which couples more information to the
script than was originally intended.
- Single-pass pipe mode wasn't all that useful. One can
accomplish the same thing by running pipe-daemon, and it is
easy to exit after one iteration. Electing to run normal pipe
mode requires you to know you only want to run once, which is
much more common when running via direct subprocess.
As a result of this change, running in pipe mode will now be equivalent to
the previous pipe-daemon mode, and subprocess target mode remains single
pass.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
This program was the team's first attempt at some sort of utility to aid
with pwn payload delivery - and was never completed.
Remove the unfinished catcho program, as it is superseded by sploit, and
similar basic functionality can be achieved with cat and process
substitution.
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Download is ~13GB (compressed) and the list is ~92GB in full, so I'm
adding the torrent as a reference instead.
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Signed-off-by: Malfurious <m@lfurio.us>
|
|
Also, only list something under the total registered teams column if
additional information is actually available. This wasn't the case for
Buckeye, so its column is empty as well.
Signed-off-by: Malfurious <m@lfurio.us>
|
|
https://github.com/Dusoleil/lib-des-gnux
Refactor exception handling and cleanup in main.py
Refactor exception handling to be simpler and easier to read/maintain
Manually call garbage collector after exec to handle some weird python
behavior.
* tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux:
Manually run garbage collection after exec
Clean up exception handling in main.py
|
|
The import list is alphabetized and listed one per line, to prevent this
from becoming unwieldy as more modules are introduced.
__all__ has been shown to be redundant, given that explicit imports are
now done, so it is removed.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
class Payload is a tool for constructing stack-smash payloads and ROP
chains. Its design is intended to abstract away some of the more
tedious details of crafting a payload.
Payload utilizes mem.Symtbl internally to optionally manage a collection
of named offsets into its own buffer (these are usually in reference to
entities appended to the payload via its main API). Alternatively, the
API calls to append any entity will return the address of that entity as
well.
Returned (and looked-up) addresses are relative to the beginning of the
payload by default. However, when the payload is constructed with a
known base address value, these become absolute. This is useful for
reusing addresses later in the payload body.
class Placeholder is designed to be functionally compatible with
bytearrays and bytestrings. When constructed, they take the value of
'zero', according to the current arch config. This facility enables
some API's to detect whether a dummy value was passed as a required
argument when said argument _may_ be unnecessary in niche situations.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
This was the name I had originally intended to use while factoring
architecture details out to the global scope. It's not terribly
different, but I feel the new context warrants some additional clarity.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Apparently python won't run garbage collection on stuff owned by the
exec context if you define a function in the exec. This can lead to
random leaks, but it is most impactful in daemon mode. If the globals
dictionary given to exec isn't cleaned up, there will be a random
reference to comm that still exists. This holds a reference to the
Pipes object which prevents it from getting cleaned up before we try to
make a new one. Making a new one needs the fifos to have been cleaned
up, so it relies on the fact that the old one was supposed to be
cleaned up.
The most straightforward and non-intrusive way I could think to fix this
was to just manually run the garbage collector after exec. This is able
to find the leaked references and clean it all up.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The handling from the daemon mode code will also work in the process and
pipes cases. Putting it in a common location removes the need for the
outer try/except. It is also easier to read/maintain in general.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If the user's script contains
from sploit import *
then the exported 'comm' communication object is clobbered by the 'comm'
source module. Switching the name to 'io' avoids this issue, is more
to the point, and is even fewer characters to type.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Rather than implicitly inheriting names in scope for the user-script,
this collection is sanitized and we only export the 'comm' communication
object. This seems to be a safer way to operate and addresses an issue
with sub-scopes in the user's script not functioning properly.
(Previously, user-defined functions did not have access to globals, or
library functions.)
Additionally, the user's code is now passed through compile() to attach
the original file name. This is useful for debugging / diagnostic
situations, to make it more obvious if a crash originated from the
user's script.
Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Rework Sploit Tool
Rewrite core functionality with new design and UX considerations.
Organize functionality into separate modules.
Add support for various use cases including:
-pip install
-running the installed sploit command
-running the sploit.py script
-running python -m sploit
-importing the modules from the python interpreter
Add a "daemon" mode which will continue to rehost the exploit script on
the same pipes until you are done.
* tag 'pull-sploit-rework' of https://github.com/Dusoleil/lib-des-gnux: (25 commits)
Change behavior for import sploit
Add mem module for calculating memory offsets
Handle Process destr when Process constr throws
Reuse read() and readline() in the until() API
Add readall() which reads until EOF
Move comm toggles for consistency
Add arch config module
Add Config Toggles for Read/Write Extra Behavior
Rewrite interact() to be Single Threaded
Add Convenience Utility to readuntil()
readlineuntil() Operates on an Array of Lines
Correct read() Semantics
Throw a BrokenPipeError on Broken Read
Formatting
Handle Exceptions in Daemon Mode
Allow Exit with Ctrl+C without a Stacktrace
Move "Read Rest of Output" Out of Destructor
Better Shutdown Process for Pipes
Better Shutdown Process for Target Program
Better Info Messages
...
|
|
The statement import sploit will now import all of the sploit modules
under the sploit namespace.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Add Arch class which specifies wordsize, endianness, alignment, and a
nop code for an architecture.
Add a couple predefined architectures for x86 and x86_64
Add a "configured" architecture which is set to x86_64 by default.
Added btoi and itob functions which will convert to and from bytes and
ints based on the current architecture config
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
logonread can enable/disable logging the result of every read
flushonwrite can enable/disable automatically flushing every write
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
readuntil() and readlineuntil() will now automatically bind() a
predicate and given arguments to produce the single function predicate
required.
The 'until' module will provide convenience utilities for use with
readuntil() and readlineuntil(). For now, it contains functools.partial
renamed as bind(), lastline() which can call a predicate with the last
element of the array of lines given from readlineuntil(), and simplified
versions of re.search and re.fullmatch renamed as contains and equals.
These allow us to write powerful and legible statements like:
comm.readlineuntil(lastline,contains,b'Enter')
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Instead of only operating on and returning the last line read,
readlineuntil() will now check the predicate against an array of all
lines read and return that array when the predicate is true.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
The BufferedReader's .read() doesn't behave as expected. It reads
EXACTLY size bytes and will block until there are enough available to
read.
os.read() does what we expect. It will read UP TO size bytes and only
block if there is nothing available to read.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If the user presses Ctrl+C while waiting on a connection, we want to
gracefully exit.
If the user presses Ctrl+C during the script, we want to stop executing
the script and restart the loop.
If any other exception happens during the script, we want to print out
the stacktrace as normal, but continue the loop.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
With the "read rest of output" code in the Comm destructor, it would
continue to read output even in situations where some error happened and
we expect sploit to die or when the user presses Ctrl+C to end sploit.
By moving it to the end of the script running code in main, it behaves
more intuitively.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Handle all of the edge cases when shutting down in Pipes mode.
e.g.
If the pipes are broken (tried to write after the program died)
If the fifos don't exist anymore (sometimes tempfile cleans them up
before the destructor finishes when certain errors happen)
If the object attributes for the streams and fifo paths aren't set (this
can happen if the constructor didn't finish. e.g. the user cancels while
waiting on a connection)
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
If we need to wait on the target program to die, we don't want to just
wait forever with no indication to the user. Instead, only call wait if
the program is still alive, inform the user that we are doing this, and
give them the ability to forcefully kill the target program with Ctrl+C.
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
|
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
|
