#! /usr/bin/env python3
import binascii
import ctypes
import logging
import mmap
import subprocess
from argparse import ArgumentParser
from datetime import datetime, timezone
from pathlib import Path
from random import randint


# Built-in PIC image run by example(). The bytes embed the NUL-terminated
# strings "/bin/sh", "-c" and "/usr/bin/whoami" (readable in the hex below);
# it appears to be an x86-64 Linux stub that replaces the process with
# `/bin/sh -c /usr/bin/whoami` -- inferred from the bytes, not verified here.
whoami_shell = bytes.fromhex(
    '6a3b5899'
    '48bb2f62696e2f736800'                 # "/bin/sh\0"
    '534889e7'
    '682d630000'                           # "-c\0\0"
    '4889e652'
    'e810000000'
    '2f7573722f62696e2f77686f616d6900'     # "/usr/bin/whoami\0"
    '56574889e6'
    '0f05'
)


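def example():
    """Parse CLI options, configure logging, then run the built-in PIC.

    ``-v`` raises the log level to DEBUG and switches to a verbose format;
    ``-o DIR`` additionally writes the log to ``DIR/sins-<UTC timestamp>.log``
    (``DIR`` must already exist). ``-s/--seed`` is parsed but not consumed
    here: this function always logs and executes ``whoami_shell``.

    Raises:
        OSError: if the log file cannot be opened, or if ``shell_function``
            cannot obtain executable memory on this platform.
    """
    # Timezone-aware UTC timestamp for the log file name; datetime.utcnow()
    # is deprecated since Python 3.12 and returns a naive value.
    now = f'{datetime.now(timezone.utc):%Y%m%dT%H%M%S}'

    parser = ArgumentParser(
        description='position independent code (PIC) mutation experiment.')
    parser.add_argument('-v', '--verbose', action='count')
    # NOTE: --seed is accepted for CLI compatibility but unused below.
    parser.add_argument('-s', '--seed', default='seed',
                        help='path to PIC image.')
    parser.add_argument('-o', '--output', help='path to results directory.')
    args = parser.parse_args()

    log_level = logging.INFO
    log_format = logging.Formatter('%(message)s')
    if args.verbose:
        log_level = logging.DEBUG
        log_format = logging.Formatter(
            '%(levelname)s %(filename)s:%(lineno)d\n%(message)s\n')

    logger = logging.getLogger('sins')
    logger.setLevel(log_level)

    stream_handler = logging.StreamHandler()
    stream_handler.setLevel(log_level)
    stream_handler.setFormatter(log_format)
    logger.addHandler(stream_handler)

    if args.output:
        # Path arithmetic instead of string concatenation; FileHandler
        # accepts a PathLike, so no str() conversion is needed.
        log_path = Path(args.output) / f'sins-{now}.log'
        file_handler = logging.FileHandler(log_path)
        file_handler.setLevel(log_level)
        file_handler.setFormatter(log_format)
        logger.addHandler(file_handler)

    # Record exactly which bytes are about to run before handing them to the
    # executable mapping. If the PIC replaces the process image (as the
    # embedded "/bin/sh" strings suggest), this call never returns.
    logger.info(whoami_shell)
    shell_function(whoami_shell)()

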
def shell_function(shellcode: bytes):
    """Copy *shellcode* into anonymous RWX memory and return it as a callable.

    The region is mapped readable, writable and executable at once. Hosts
    that enforce W^X (SELinux ``execmem`` denial, hardened kernels, macOS
    hardened runtime) may refuse the mapping with an ``OSError``, and an
    anonymous RWX mapping is a well-known memory-scanner/EDR detection
    signal -- worth knowing when this is used as a test fixture.

    Args:
        shellcode: raw machine code for the host architecture. A ``c_int``
            view is taken on the mapping, so fewer than 4 bytes raises
            ``ValueError``; an empty input is rejected by ``mmap`` itself.

    Returns:
        A ``ctypes`` function object with C signature ``int64_t (void)``.
        The mapping is attached as ``_avoid_gc_for_mmap`` so the memory
        stays alive for as long as the callable does. Nothing is executed
        until the returned object is called.
    """
    region = mmap.mmap(
        -1,
        len(shellcode),
        prot=mmap.PROT_EXEC | mmap.PROT_WRITE | mmap.PROT_READ,
        flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
    )
    region.write(shellcode)

    # Borrow the mapping's base address through a ctypes view of its buffer.
    base_address = ctypes.addressof(ctypes.c_int.from_buffer(region))
    prototype = ctypes.CFUNCTYPE(ctypes.c_int64)
    entry = prototype(base_address)
    # Keep a reference on the callable so the region is not unmapped while
    # the function pointer is still usable.
    entry._avoid_gc_for_mmap = region
    return entry
