summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2021-12-17sploit: Catch KeyboardInterrupt in Comm.readall()Malfurious1-3/+6
If execution is stuck inside readall() (for example, due to blocked IO), handling KeyboardInterrupt allows the user a way to get out, without exiting the active script early or losing the data read so far. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Ensure the logonread option is restored by Comm.readuntil()Malfurious1-5/+7
This function has a momentary side-effect of switching self.logonread to False. This patch ensures its original value is always restored, even if an exception is raised. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Add logonwrite option to commsMalfurious1-0/+2
If enabled, data sent to the target will be printed/logged as alt text, similar to data directly printed by the user. Feature is off by default. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Check logonread in function Comm.readall()Malfurious1-1/+1
This function will no longer mistakenly log data when logonread is set to False. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Add startup bannerMalfurious1-2/+12
This just adds a fancy 'SPLOIT' header to the beginning of Sploit's startup preamble data. It has the ability to display a few lines of text beside itself, but most of the things we've planned to put here are not available yet, so just the operating mode is printed for now. The SPLOIT text has a colored stripe which, at the moment, also indicates the operating mode. This stripe was originally chosen to balance out the amount of color present in the preamble text, but I've grown to like it. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Rework loggerMalfurious3-28/+56
The log module is updated to support binary encodings, colors, and for improved compatibility with Python's print() builtin. Encoding semantics are switched up, since it seems like some of the more interesting encoding modes (from a CTF perspective) actually use bytes-like objects as their high-level form (that is, bytes are encoded to another form, such as hex, then decoded back to the original form). So the logged value is now passed to encode instead of decode, and only if the object is of type 'bytes', as unicode strings are now considered out-of-scope for this operation. Additionally, the bytes wrapper (b'') is no longer visible in the logged content. For readability, several standard colors have been defined for use within Sploit: - RED: Errors - YELLOW: Warnings - GREEN: Status messages / Startup messages - WHITE: Target output - GRAY: User output / Alt text Logging functions now support an optional color option to select the desired color, and have specific defaults based on who is invoking the log (see below...) Logging functions are now also fully compatible with the builtin print() function. This is because Sploit now replaces the standard print() with a logging function within the user's script (which is done to maintain additional consistency of messages displayed in the console). Function ilog (internal log) has default values tuned for the library's convenience: Text goes to stderr, and is presented as status messages (green). Function elog (external log) has default values tuned for the user: Text goes to stdout, and is presented as alt text to distinguish it from data read from the target. Within the user context, 'print' refers to this function. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17sploit: Remove -d/--daemon optionMalfurious1-23/+10
A couple of facts have influenced the decision to remove this option: - If a sploit script uses a shebang to launch sploit, it is tricky to specify this option. Specifically, one must add it to their shebang line, which couples more information to the script than was originally intended. - Single-pass pipe mode wasn't all that useful. One can accomplish the same thing by running pipe-daemon, and it is easy to exit after one iteration. Electing to run normal pipe mode requires you to know you only want to run once, which is much more common when running via direct subprocess. As a result of this change, running in pipe mode will now be equivalent to the previous pipe-daemon mode, and subprocess target mode remains single pass. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17Add short doc on the one_gadget tooldusoleil1-0/+57
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17Remove curl example line from READMEdusoleil1-1/+0
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-16Add cheatsheet of common flags for curldusoleil1-0/+89
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-13Add a short doc with links to reqbin and hookbindusoleil1-0/+7
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-11Add writeup for Metasploit Community CTF 2021 / ClickracerMalfurious1-0/+427
Signed-off-by: Malfurious <m@lfurio.us>
2021-12-06Metasploit Community CTF 2021 resultsMalfurious1-0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-28Commit notes from Killer Queen CTF 2021Malfurious2-0/+98
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-22Remove unfinished tool catchoMalfurious1-204/+0
This program was the team's first attempt at some sort of utility to aid with pwn payload delivery - and was never completed. Remove the unfinished catcho program, as it is superseded by sploit, and similar basic functionality can be achieved with cat and process substitution. Signed-off-by: Malfurious <m@lfurio.us>
2021-11-21N1CTF 2021 resultsMalfurious1-0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-21Killer Queen CTF 2021 resultsMalfurious1-0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26Add additional wordlists from KaliMalfurious181-1/+1295090
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26Add torrent of rockyou2021 wordlistMalfurious1-0/+0
Download is ~13GB (compressed) and the list is ~92GB in full, so I'm adding the torrent as a reference instead. Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26Move wordlists obtained from github to new subdirectoryMalfurious6-0/+0
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26Add newer version of rockyou.txt from KaliMalfurious2-2/+0
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-25BuckeyeCTF 2021 resultsMalfurious1-2/+3
Also, only list something under the total registered teams column if additional information is actually available. This wasn't the case for Buckeye, so its column is empty as well. Signed-off-by: Malfurious <m@lfurio.us>
2021-09-08Merge tag 'pull-sploit-error-handling' of ↵Malfurious1-22/+24
https://github.com/Dusoleil/lib-des-gnux Refactor exception handling and cleanup in main.py Refactor exception handling to be simpler and easier to read/maintain Manually call garbage collector after exec to handle some weird python behavior. * tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux: Manually run garbage collection after exec Clean up exception handling in main.py
2021-09-07sploit: Clean main import fileMalfurious1-2/+8
The import list is alphabetized and listed one per line, to prevent this from becoming unwieldy as more modules are introduced. __all__ has been shown to be redundant, given that explicit imports are now done, so it is removed. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07sploit: Add payload builder moduleMalfurious2-2/+66
class Payload is a tool for constructing stack-smash payloads and ROP chains. Its design is intended to abstract away some of the more tedious details of crafting a payload. Payload utilizes mem.Symtbl internally to optionally manage a collection of named offsets into its own buffer (these are usually in reference to entities appended to the payload via its main API). Alternatively, the API calls to append any entity will return the address of that entity as well. Returned (and looked-up) addresses are relative to the beginning of the payload by default. However, when the payload is constructed with a known base address value, these become absolute. This is useful for reusing addresses later in the payload body. class Placeholder is designed to be functionally compatible with bytearrays and bytestrings. When constructed, they take the value of 'zero', according to the current arch config. This facility enables some API's to detect whether a dummy value was passed as a required argument when said argument _may_ be unnecessary in niche situations. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07sploit: Rename arch.nop to nopcodeMalfurious1-4/+4
This was the name I had originally intended to use while factoring architecture details out to the global scope. It's not terribly different, but I feel the new context warrants some additional clarity. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07Manually run garbage collection after execdusoleil1-0/+3
Apparently python won't run garbage collection on stuff owned by the exec context if you define a function in the exec. This can lead to random leaks, but it is most impactful in daemon mode. If the globals dictionary given to exec isn't cleaned up, there will be a random reference to comm that still exists. This holds a reference to the Pipes object which prevents it from getting cleaned up before we try to make a new one. Making a new one needs the fifos to have been cleaned up, so it relies on the fact that the old one was supposed to be cleaned up. The most straightforward and non-intrusive way I could think to fix this was to just manually run the garbage collector after exec. This is able to find the leaked references and clean it all up. Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07Clean up exception handling in main.pydusoleil1-22/+21
The handling from the daemon mode code will also work in the process and pipes cases. Putting it in a common location removes the need for the outer try/except. It is also easier to read/maintain in general. Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add Short Doc About proxychainsdusoleil1-0/+10
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add Example that Uses Custom Charsetdusoleil1-0/+1
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Update Incremental Examples to Use Short Flagdusoleil1-3/+3
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add Info About Issues with Small Workloaddusoleil1-0/+24
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add More Mask/Hybrid Attacks to Examplesdusoleil1-0/+6
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add Examples for Showing Cracks/Identifying Typedusoleil1-0/+2
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add --status Flag to Examplesdusoleil1-6/+6
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Fix Paths in Examplesdusoleil1-4/+4
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Remove "LIGHT"/"HEAVY" Descriptors from Examplesdusoleil1-2/+2
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add hashcat docdusoleil1-0/+101
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05Add iptables docdusoleil1-0/+147
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05sploit: Rename Comm instance to 'io'Malfurious1-1/+1
If the user's script contains from sploit import * then the exported 'comm' communication object is clobbered by the 'comm' source module. Switching the name to 'io' avoids this issue, is more to the point, and is even fewer characters to type. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05sploit: Properly scope user-script executionMalfurious1-2/+2
Rather than implicitly inheriting names in scope for the user-script, this collection is sanitized and we only export the 'comm' communication object. This seems to be a safer way to operate and addresses an issue with sub-scopes in the user's script not functioning properly. (Previously, user-defined functions did not have access to globals, or library functions.) Additionally, the user's code is now passed through compile() to attach the original file name. This is useful for debugging / diagnostic situations, to make it more obvious if a crash originated from the user's script. Signed-off-by: Malfurious <m@lfurio.us> Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Merge tag 'pull-sploit-rework' of https://github.com/Dusoleil/lib-des-gnuxMalfurious18-329/+290
Rework Sploit Tool Rewrite core functionality with new design and UX considerations. Organize functionality into separate modules. Add support for various use cases including: -pip install -running the installed sploit command -running the sploit.py script -running python -m sploit -importing the modules from the python interpreter Add a "daemon" mode which will continue to rehost the exploit script on the same pipes until you are done. * tag 'pull-sploit-rework' of https://github.com/Dusoleil/lib-des-gnux: (25 commits) Change behavior for import sploit Add mem module for calculating memory offsets Handle Process destr when Process constr throws Reuse read() and readline() in the until() API Add readall() which reads until EOF Move comm toggles for consistency Add arch config module Add Config Toggles for Read/Write Extra Behavior Rewrite interact() to be Single Threaded Add Convenience Utility to readuntil() readlineuntil() Operates on an Array of Lines Correct read() Semantics Throw a BrokenPipeError on Broken Read Formatting Handle Exceptions in Daemon Mode Allow Exit with Ctrl+C without a Stacktrace Move "Read Rest of Output" Out of Destructor Better Shutdown Process for Pipes Better Shutdown Process for Target Program Better Info Messages ...
2021-09-02Change behavior for import sploitdusoleil1-0/+1
The statement import sploit will now import all of the sploit modules under the sploit namespace. Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Add mem module for calculating memory offsetsdusoleil2-1/+16
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Handle Process destr when Process constr throwsdusoleil1-0/+1
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Reuse read() and readline() in the until() APIdusoleil1-4/+5
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Add readall() which reads until EOFdusoleil2-2/+8
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Move comm toggles for consistencydusoleil1-3/+3
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-02Add arch config moduledusoleil2-1/+29
Add Arch class which specifies wordsize, endianness, alignment, and a nop code for an architecture. Add a couple predefined architectures for x86 and x86_64 Add a "configured" architecture which is set to x86_64 by default. Added btoi and itob functions which will convert to and from bytes and ints based on the current architecture config Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-01Add Config Toggles for Read/Write Extra Behaviordusoleil1-5/+8
logonread can enable/disable logging the result of every read flushonwrite can enable/disable automatically flushing every write Signed-off-by: dusoleil <howcansocksbereal@gmail.com>