Path: blob/master/tools/exploit/egghunter.rb
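#!/usr/bin/env ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

begin
  # Resolve symlinks so the framework's lib/ directory is located relative to
  # the real path of this script (tools/exploit/ -> ../../lib).
  msfbase = __FILE__
  while File.symlink?(msfbase)
    msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
  end
  $:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
  require 'msfenv'
  require 'rex'
  require 'optparse'
  require 'rex/exploitation/egghunter'

  module Egghunter
    # Command-line option handling for the egghunter generator.
    class OptsConsole
      # Parses the command-line arguments into an options hash.
      #
      # The keys that are forwarded to Rex::Exploitation::Egghunter
      # (:startreg, :searchforward, :depreg, :depdest, :depsize, :depmethod)
      # must keep their names, because they are looked up by key there.
      #
      # @param args [Array<String>] the raw arguments (typically ARGV); parsed
      #   destructively, so recognised options are removed from it
      # @return [Hash] the parsed options, with defaults filled in for
      #   :badchars, :platform, :arch and :var_name
      # @raise [OptionParser::MissingArgument] when no options are given, or
      #   -f / -e is missing and --list-formats was not requested
      # @raise [OptionParser::InvalidOption] when -f names an unknown format or
      #   --depsize is not a decimal integer
      def self.parse(args)
        options = {}
        parser = OptionParser.new do |opt|
          opt.banner = "Usage: #{__FILE__} [options]\nExample: #{__FILE__} -f python -e W00T"
          opt.separator ''
          opt.separator 'Specific options:'

          opt.on('-f', '--format <String>', "See --list-formats for a list of supported output formats") do |v|
            options[:format] = v
          end

          opt.on('-b', '--badchars <String>', "(Optional) Bad characters to avoid for the egg") do |v|
            options[:badchars] = v
          end

          opt.on('-e', '--egg <String>', "The egg (Please give 4 bytes)") do |v|
            options[:eggtag] = v
          end

          opt.on('-p', '--platform <String>', "(Optional) Platform") do |v|
            options[:platform] = v
          end

          opt.on('--startreg <String>', "(Optional) The starting register") do |v|
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            options[:startreg] = v
          end

          opt.on('--forward', "(Optional) To search forward") do
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            options[:searchforward] = true
          end

          opt.on('--depreg <String>', "(Optional) The DEP register") do |v|
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            options[:depreg] = v
          end

          opt.on('--depdest <String>', "(Optional) The DEP destination") do |v|
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            options[:depdest] = v
          end

          opt.on('--depsize <Integer>', "(Optional) The DEP size") do |v|
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            # Note: "<Integer>" here is only the placeholder text; v is still a String
            # and is validated below.
            options[:depsize] = v
          end

          opt.on('--depmethod <String>', "(Optional) The DEP method to use (virtualprotect/virtualalloc/copy/copy_size)") do |v|
            # Do not change this key. It must match the one in Rex::Exploitation::Egghunter
            options[:depmethod] = v
          end

          opt.on('-a', '--arch <String>', "(Optional) Architecture") do |v|
            # Although this is an option, this is currently useless because we don't have x64 egghunters
            options[:arch] = v
          end

          opt.on('--list-formats', "List all supported output formats") do
            options[:list_formats] = true
          end

          opt.on('-v', '--var-name <name>', String, '(Optional) Specify a custom variable name to use for certain output formats') do |v|
            options[:var_name] = v
          end

          opt.on_tail('-h', '--help', 'Show this message') do
            $stdout.puts opt
            exit
          end
        end

        parser.parse!(args)

        if options.empty?
          raise OptionParser::MissingArgument, 'No options set, try -h for usage'
        elsif options[:format].blank? && !options[:list_formats]
          raise OptionParser::MissingArgument, '-f is required'
        elsif options[:eggtag].blank? && !options[:list_formats]
          raise OptionParser::MissingArgument, '-e is required'
        elsif options[:format] && !::Msf::Simple::Buffer.transform_formats.include?(options[:format])
          raise OptionParser::InvalidOption, "#{options[:format]} is not a valid format"
        elsif options[:depsize] && options[:depsize] !~ /\A\d+\z/
          # \A and \z anchor the whole value; ^ and $ only anchor a line, so a
          # multi-line argument with one all-digit line would have slipped through.
          raise OptionParser::InvalidOption, "--depsize must be a Integer"
        end

        options[:badchars] ||= ''
        options[:platform] ||= 'windows'
        options[:arch] ||= ARCH_X86
        options[:var_name] ||= 'buf'

        options
      end
    end

    # Ties option parsing and output generation together.
    class Driver
      # Parses ARGV; on a usage error prints the message to stderr and exits.
      def initialize
        @opts = OptsConsole.parse(ARGV)
      rescue OptionParser::ParseError => e
        $stderr.puts "[x] #{e.message}"
        # NOTE(review): exits with status 0 even though this is a usage error.
        exit
      end

      # Lists the supported output formats, or writes the egghunter stub in
      # the requested format to stdout.
      #
      # @return [void]
      def run
        # --list-formats wins over everything else, so check it first
        if @opts[:list_formats]
          list_formats
          return
        end

        egghunter = Rex::Exploitation::Egghunter.new(@opts[:platform], @opts[:arch])
        raw_code = egghunter.hunter_stub('', @opts[:badchars], @opts)
        output_stream = $stdout
        # The stub is raw bytes: write it without newline translation.
        output_stream.binmode
        output_stream.write ::Msf::Simple::Buffer.transform(raw_code, @opts[:format], @opts[:var_name])
        $stderr.puts
      end

      private

      # Prints the names of all supported output formats to stderr.
      def list_formats
        $stderr.puts "[*] Supported output formats:"
        $stderr.puts ::Msf::Simple::Buffer.transform_formats.join(", ")
      end
    end
  end

  if __FILE__ == $PROGRAM_NAME
    driver = Egghunter::Driver.new
    begin
      driver.run
    rescue SignalException, SystemExit
      # Let Ctrl-C (and an explicit exit) propagate to the outer handler
      # instead of being logged as a generic failure below.
      raise
    rescue ::Exception => e
      # Deliberately broad: anything the framework raises during generation
      # is logged to framework.log and summarised for the user.
      elog(e)
      $stderr.puts "[x] #{e.class}: #{e.message}"
      $stderr.puts "[*] If necessary, please refer to framework.log for more details."
    end
  end
rescue SignalException => e
  puts("Aborted! #{e}")
end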