JoYo
/
scrap-is-not-scrap
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

passing and ret params to shellcode

master
JoYo 2019-02-18 23:16:25 +00:00
parent d0a9a38ede
commit f5c7a4375d
3 changed files with 48 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sins/__init__.py
View File

@ -1,3 +1,3 @@
#! /usr/bin/env python3 #! /usr/bin/env python3
from .run import example, shell_function from .run import example, shell_func
# from .orm import SeedNode # from .orm import SeedNode

4
sins/__main__.py
View File

@ -1,4 +1,4 @@
#! /usr/bin/env python3 #! /usr/bin/env python3
from .run import example from .run import sins
example() sins()

51
sins/run.py
View File

@ -10,15 +10,30 @@ import subprocess
import mmap import mmap
whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05" whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"
seed_shell = b'U\x90H\x89\xe5\x90H\x89}\xf8\x90H\x8bE\xf8\x90]\x90\xc3'
def shell_func(shellcode: bytes):
exec_mem = mmap.mmap(
-1, len(shellcode),
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
exec_mem.write(shellcode)
ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
function = ctypes.CFUNCTYPE(ctypes.c_uint, ctypes.c_uint)(
ctypes.addressof(ctypes_buffer))
function._avoid_gc_for_mmap = exec_mem
return function
def example(): def sins():
now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow()) now = '{0:%Y%m%dT%H%M%S}'.format(datetime.utcnow())
parser = ArgumentParser( parser = ArgumentParser(
description='position independent code (PIC) mutation experiment.') description='position independent code (PIC) mutation experiment.')
parser.add_argument('-v', '--verbose', action='count') parser.add_argument('-v', '--verbose', action='count')
parser.add_argument('-s', '--seed', default='seed', parser.add_argument('-s', '--seed', help='path to PIC image.')
help='path to PIC image.')
parser.add_argument('-o', '--output', help='path to results directory.') parser.add_argument('-o', '--output', help='path to results directory.')
args = parser.parse_args() args = parser.parse_args()
@ -45,11 +60,25 @@ def example():
file_handler.setFormatter(log_format) file_handler.setFormatter(log_format)
logger.addHandler(file_handler) logger.addHandler(file_handler)
logger.info(whoami_shell) logger.info(now)
shell_function(whoami_shell)()
seed_data = seed_shell
def shell_function(shellcode: bytes): if args.seed:
seed = Path(args.seed)
with seed.open('rb') as seed_file:
seed_data = seed_file.read()
logger.info(f'seed_data\n{seed_data}')
logger.info(f'seed_len: {len(seed_data)}')
seed = shell_func(seed_shell)
ret_val = seed(ctypes.c_uint(len(seed_data)))
logger.info(f'ret_val: {ret_val}')
def func_void(shellcode: bytes):
exec_mem = mmap.mmap( exec_mem = mmap.mmap(
-1, len(shellcode), -1, len(shellcode),
prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC, prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
@ -63,3 +92,13 @@ def shell_function(shellcode: bytes):
function._avoid_gc_for_mmap = exec_mem function._avoid_gc_for_mmap = exec_mem
return function return function
def example():
logging.basicConfig(level=logging.DEBUG)
logging.info(whoami_shell)
logging.info('wtfm8')
whoami = func_void(whoami_shell)
ret_val = whoami()
# whoami doesn't ret
logging.info(ret_val)