Age | Commit message | Author | Files | Lines
2022-03-06 | sploit: Add ARM/THUMB architecture details | Malfurious | 1 | -21/+8

This _should_ be accurate for ARMv7-a at least (including thumb mode). We might want to later include ARMv8 details, which would primarily include a 64-bit profile - I just don't have the details at the moment.

A namedtuple is now used as the implementation of type 'Arch', which allows the definitions to be much more compact and table-like, aiding readability.

Signed-off-by: Malfurious <m@lfurio.us>
2022-03-06 | Merge tag 'pull-duso-tool-docs' of https://github.com/Dusoleil/lib-des-gnux | Malfurious | 10 | -1/+572

Pulling an assortment of tools documentation from Dusoleil. I did fix 1 minor conflict in the readme file.

* tag 'pull-duso-tool-docs' of https://github.com/Dusoleil/lib-des-gnux: (21 commits)
  Remove 'sudo' from install command.
  Fix typo in for loop in asm rep prefix doc
  Add install/uninstall instructions to radare doc
  Add radare2 command cheatsheet
  Add doc about fixing a ptrace error in debugger.
  Add doc about the rep prefix on an x86 instruction
  Add short doc on the one_gadget tool
  Remove curl example line from README
  Add cheatsheet of common flags for curl
  Add a short doc with links to reqbin and hookbin
  Add Short Doc About proxychains
  Add Example that Uses Custom Charset
  Update Incremental Examples to Use Short Flag
  Add Info About Issues with Small Workload
  Add More Mask/Hybrid Attacks to Examples
  Add Examples for Showing Cracks/Identifying Type
  Add --status Flag to Examples
  Fix Paths in Examples
  Remove "LIGHT"/"HEAVY" Descriptors from Examples
  Add hashcat doc
  ...
2022-02-27 | shellcode: Initialize envp to NULL | Malfurious | 2 | -0/+2

This issue was discovered a while back, during one of the CTFs, and was particularly a problem with the 32-bit shellcode. Because the third kernel argument register was not being set by the payload, we would essentially pass garbage. I'm only committing this now, as I've recently been able to reproduce the related failure and demonstrate this patch working. I never actually observed the 64-bit shellcode fail for this reason on a target, but it is also patched for correctness.

Argument 3 to execve() is the environment pointer, a pointer to an array of strings to define the process's environment variables. Although this argument should point to an empty array (ptr to NULL) if empty, Linux allows the pointer itself to be NULL in this case - thus the xor of the register.

Signed-off-by: Malfurious <m@lfurio.us>
2022-02-26 | Commit notes from Metasploit CTF 2021 | Malfurious | 2 | -0/+36
Signed-off-by: Malfurious <m@lfurio.us>
2021-12-25 | Remove 'sudo' from install command. | dusoleil | 1 | -1/+1

Apparently, install.sh will automatically elevate privileges as it needs.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-25 | Fix typo in for loop in asm rep prefix doc | dusoleil | 1 | -1/+1
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-20 | Add install/uninstall instructions to radare doc | dusoleil | 1 | -0/+8
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-20 | Add radare2 command cheatsheet | dusoleil | 1 | -0/+80
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-20 | Add doc about fixing a ptrace error in debugger. | dusoleil | 1 | -0/+22
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-20 | Add doc about the rep prefix on an x86 instruction | dusoleil | 1 | -0/+18
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | Merge branch 'sploit-io' | Malfurious | 3 | -57/+93

This branch features changes to Sploit's 'user-interface' and some QoL fixes pertaining to target communications. Sploit's logging module is rewritten to make the normal text output more readable, and all console output is now globally filtered through it. Explicit daemon mode is removed (now implicit) to support a new Sploit invocation method: shebangs! Some logging inconsistencies are addressed in the comms front-end, and Sploit now shuts down the output stream after user-supplied scripts finish.

* sploit-io:
  sploit: Automatically shutdown outgoing comms after script execution
  sploit: Catch KeyboardInterrupt in Comm.readall()
  sploit: Ensure the logonread option is restored by Comm.readuntil()
  sploit: Add logonwrite option to comms
  sploit: Check logonread in function Comm.readall()
  sploit: Add startup banner
  sploit: Rework logger
  sploit: Remove -d/--daemon option
2021-12-17 | sploit: Automatically shutdown outgoing comms after script execution | Malfurious | 2 | -0/+4

A new function, Comm.shutdown(), is added. It will close only the stdout stream of the communications backend, potentially making the termination of the target program more fluid. The name 'shutdown' is chosen to emulate shutdown(2) from the low-level socket api, which is used to close just part of a full-duplex file descriptor. This is in contrast to 'close', which I would expect to completely terminate the given object IO.

comm.shutdown() is now called by main.py, after the user script returns, to ensure that the subsequent readall() doesn't get stuck because our target is blocked reading its stdin.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Catch KeyboardInterrupt in Comm.readall() | Malfurious | 1 | -3/+6

If execution is stuck inside readall() (for example, due to blocked IO), handling KeyboardInterrupt allows the user a way to get out, without exiting the active script early or losing the data read so far.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Ensure the logonread option is restored by Comm.readuntil() | Malfurious | 1 | -5/+7

This function has a momentary side-effect of switching self.logonread to False. This patch ensures its original value is always restored, even if an exception is raised.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Add logonwrite option to comms | Malfurious | 1 | -0/+2

If enabled, data sent to the target will be printed/logged as alt text, similar to data directly printed by the user. Feature is off by default.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Check logonread in function Comm.readall() | Malfurious | 1 | -1/+1

This function will no longer mistakenly log data when logonread is set to False.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Add startup banner | Malfurious | 1 | -2/+12

This just adds a fancy 'SPLOIT' header to the beginning of Sploit's startup preamble data. It has the ability to display a few lines of text beside itself, but most of the things we've planned to put here are not available yet, so just the operating mode is printed for now.

The SPLOIT text has a colored stripe which, at the moment, also indicates the operating mode. This stripe was originally chosen to balance out the amount of color present in the preamble text, but I've grown to like it.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Rework logger | Malfurious | 3 | -28/+56

The log module is updated to support binary encodings, colors, and for improved compatibility with Python's print() builtin.

Encoding semantics are switched up, since it seems like some of the more interesting encoding modes (from a CTF perspective) actually use bytes-like objects as their high-level form (that is, bytes are encoded to another form, such as hex, then decoded back to the original form). So the logged value is now passed to encode instead of decode, and only if the object is of type 'bytes', as unicode strings are now considered out-of-scope for this operation. Additionally, the bytes wrapper (b'') is no longer visible in the logged content.

For readability, several standard colors have been defined for use within Sploit:
- RED: Errors
- YELLOW: Warnings
- GREEN: Status messages / Startup messages
- WHITE: Target output
- GRAY: User output / Alt text

Logging functions now support an optional color option to select the desired color, and have specific defaults based on who is invoking the log (see below...)

Logging functions are now also fully compatible with the builtin print() function. This is because Sploit now replaces the standard print() with a logging function within the user's script (which is done to maintain additional consistency of messages displayed in the console).

Function ilog (internal log) has default values tuned for the library's convenience: Text goes to stderr, and is presented as status messages (green).

Function elog (external log) has default values tuned for the user: Text goes to stdout, and is presented as alt text to distinguish it from data read from the target. Within the user context, 'print' refers to this function.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | sploit: Remove -d/--daemon option | Malfurious | 1 | -23/+10

A couple of facts have influenced the decision to remove this option:
- If a sploit script uses a shebang to launch sploit, it is tricky to specify this option. Specifically, one must add it to their shebang line, which couples more information to the script than was originally intended.
- Single-pass pipe mode wasn't all that useful. One can accomplish the same thing by running pipe-daemon, and it is easy to exit after one iteration. Electing to run normal pipe mode requires you to know you only want to run once, which is much more common when running via direct subprocess.

As a result of this change, running in pipe mode will now be equivalent to the previous pipe-daemon mode, and subprocess target mode remains single pass.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | Add short doc on the one_gadget tool | dusoleil | 1 | -0/+57
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-17 | Remove curl example line from README | dusoleil | 1 | -1/+0
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-16 | Add cheatsheet of common flags for curl | dusoleil | 1 | -0/+89
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-13 | Add a short doc with links to reqbin and hookbin | dusoleil | 1 | -0/+7
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-12-11 | Add writeup for Metasploit Community CTF 2021 / Clickracer | Malfurious | 1 | -0/+427
Signed-off-by: Malfurious <m@lfurio.us>
2021-12-06 | Metasploit Community CTF 2021 results | Malfurious | 1 | -0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-28 | Commit notes from Killer Queen CTF 2021 | Malfurious | 2 | -0/+98
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-22 | Remove unfinished tool catcho | Malfurious | 1 | -204/+0

This program was the team's first attempt at some sort of utility to aid with pwn payload delivery - and was never completed. Remove the unfinished catcho program, as it is superseded by sploit, and similar basic functionality can be achieved with cat and process substitution.

Signed-off-by: Malfurious <m@lfurio.us>
2021-11-21 | N1CTF 2021 results | Malfurious | 1 | -0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-11-21 | Killer Queen CTF 2021 results | Malfurious | 1 | -0/+1
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26 | Add additional wordlists from Kali | Malfurious | 181 | -1/+1295090
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26 | Add torrent of rockyou2021 wordlist | Malfurious | 1 | -0/+0

Download is ~13GB (compressed) and the list is ~92GB in full, so I'm adding the torrent as a reference instead.

Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26 | Move wordlists obtained from github to new subdirectory | Malfurious | 6 | -0/+0
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-26 | Add newer version of rockyou.txt from Kali | Malfurious | 2 | -2/+0
Signed-off-by: Malfurious <m@lfurio.us>
2021-10-25 | BuckeyeCTF 2021 results | Malfurious | 1 | -2/+3

Also, only list something under the total registered teams column if additional information is actually available. This wasn't the case for Buckeye, so its column is empty as well.

Signed-off-by: Malfurious <m@lfurio.us>
2021-09-08 | Merge tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux | Malfurious | 1 | -22/+24

Refactor exception handling and cleanup in main.py

Refactor exception handling to be simpler and easier to read/maintain
Manually call garbage collector after exec to handle some weird python behavior.

* tag 'pull-sploit-error-handling' of https://github.com/Dusoleil/lib-des-gnux:
  Manually run garbage collection after exec
  Clean up exception handling in main.py
2021-09-07 | sploit: Clean main import file | Malfurious | 1 | -2/+8

The import list is alphabetized and listed one per line, to prevent this from becoming unwieldy as more modules are introduced. __all__ has been shown to be redundant, given that explicit imports are now done, so it is removed.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07 | sploit: Add payload builder module | Malfurious | 2 | -2/+66

class Payload is a tool for constructing stack-smash payloads and ROP chains. Its design is intended to abstract away some of the more tedious details of crafting a payload.

Payload utilizes mem.Symtbl internally to optionally manage a collection of named offsets into its own buffer (these are usually in reference to entities appended to the payload via its main API). Alternatively, the API calls to append any entity will return the address of that entity as well.

Returned (and looked-up) addresses are relative to the beginning of the payload by default. However, when the payload is constructed with a known base address value, these become absolute. This is useful for reusing addresses later in the payload body.

class Placeholder is designed to be functionally compatible with bytearrays and bytestrings. When constructed, they take the value of 'zero', according to the current arch config. This facility enables some API's to detect whether a dummy value was passed as a required argument when said argument _may_ be unnecessary in niche situations.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07 | sploit: Rename arch.nop to nopcode | Malfurious | 1 | -4/+4

This was the name I had originally intended to use while factoring architecture details out to the global scope. It's not terribly different, but I feel the new context warrants some additional clarity.

Signed-off-by: Malfurious <m@lfurio.us>
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07 | Manually run garbage collection after exec | dusoleil | 1 | -0/+3

Apparently python won't run garbage collection on stuff owned by the exec context if you define a function in the exec. This can lead to random leaks, but it is most impactful in daemon mode.

If the globals dictionary given to exec isn't cleaned up, there will be a random reference to comm that still exists. This holds a reference to the Pipes object which prevents it from getting cleaned up before we try to make a new one. Making a new one needs the fifos to have been cleaned up, so it relies on the fact that the old one was supposed to be cleaned up.

The most straightforward and non-intrusive way I could think to fix this was to just manually run the garbage collector after exec. This is able to find the leaked references and clean it all up.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-07 | Clean up exception handling in main.py | dusoleil | 1 | -22/+21

The handling from the daemon mode code will also work in the process and pipes cases. Putting it in a common location removes the need for the outer try/except. It is also easier to read/maintain in general.

Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add Short Doc About proxychains | dusoleil | 1 | -0/+10
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add Example that Uses Custom Charset | dusoleil | 1 | -0/+1
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Update Incremental Examples to Use Short Flag | dusoleil | 1 | -3/+3
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add Info About Issues with Small Workload | dusoleil | 1 | -0/+24
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add More Mask/Hybrid Attacks to Examples | dusoleil | 1 | -0/+6
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add Examples for Showing Cracks/Identifying Type | dusoleil | 1 | -0/+2
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add --status Flag to Examples | dusoleil | 1 | -6/+6
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Fix Paths in Examples | dusoleil | 1 | -4/+4
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Remove "LIGHT"/"HEAVY" Descriptors from Examples | dusoleil | 1 | -2/+2
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-09-05 | Add hashcat doc | dusoleil | 1 | -0/+101
Signed-off-by: dusoleil <howcansocksbereal@gmail.com>