hax 'n shit
Python C Shell Makefile
Permalink
Failed to load latest commit information.
codes Add Linux/x86_64 dup2 and execve /bin/sh shellcodes Jun 3, 2015
lib
practice Added some practicing material for aspiring exploit developers Oct 25, 2013
.gitignore
.gitmodules fix dARM module, hopefully? Oct 28, 2013
Makefile
README.md Oh my god, I wrote the start of a README on the plane. Oct 26, 2013
builder.py
codelibrary.py
codeparameters.py Add new code parameter type for newline terminated string, make outpu… Oct 22, 2013
colors.py simple ansi color helper Sep 14, 2011
dumpelf.py dumpelf module Oct 22, 2013
dumpsym.py fix dumpsym regression Mar 11, 2014
dwords.py add STDIN reading for dwords helper Mar 11, 2014
elf.py Add ELF endianness detection, now supports big endian ELFs as well Nov 2, 2013
elfwrap.py added elfwrap module, basic error handling in codelibrary and builder… Apr 22, 2015
fmt.py
lolsled.py
moneyshot.py
outputter.py hwords and qwords formatters Nov 2, 2014
pattern.py Moved pattern stuff to its own submodule Jan 6, 2013
rep.py repeater module Oct 22, 2013
rop.py
rop_arm.py ROP arm fixes Nov 7, 2013
shell.py
test_sc.c Made test_sc utility a bit smarter, added Makefile targets for 32bit/… Feb 10, 2013
test_sc_net.c Added shellcode tester tcp edition Feb 10, 2013
test_sc_win32.c added testkit Sep 15, 2011

README.md

Moneyshot

A collection of python scripts to aid you in the final steps of binary exploitation or during the construction of buffers.

This project is by no means any rocket-science, and many of these components might remind you of loose scripts that everyone has written at some point in time. ;-)

Dependencies

Moneyshot depends on:

  • python (2.x for now)
  • diStorm3 (for disassembly functionality)

There's some external libraries that moneyshot depends on as well. however, (local) installation of these is automatically done by setting up the git submodules. (See installation notes)

Installation

$ git clone https://github.com/blasty/moneyshot.git
$ cd moneyshot
$ git submodule init
$ git submodule update
$ cd lib/darm && make 

Usage

Running moneyshot.py without any arguments gives you an overview of all modules/commands currently implemented. If you supply an action without any arguments moneyshot will inform you about the usage of the specific module/action.

$ ./moneyshot.py
    __   __  ______.___   __  _____._  __._______._ __  ____._________
   /  \ /  \/  __  |    \|  |/  ___| \/  /\  ___/  |  |/ __  \__   __/
  /    '    \   /  |  |\    |   _|_\    /__\   \|     |   /  |  |  |
 /___\  /    \_____|__|  \__|______||__||______/|__|__|\_____|  |__|
      \/ _____\


  usage: moneyshot  [options]

  actions:
    * list     - list shellcodes
    * build    - build shellcodes
    * pattern  - build patterns
    * lolsled  - build a lolsled
    * format   - format input
    * fmt      - formatstring helper
    * rop      - ROP helper
    * rop-arm  - ARM ROP helper
    * rep      - String repeater
    * dwords   - binary format dwords
    * dumpsym  - dump symbols for given binary
    * dumpelf  - dump information for given binary

Todo

If you want to help out and improve moneyshot, that would be most welcome. I'm a very lazy coder so I only work in small spurts when I need a feature/fix myself. But if you send me sensible pull requests it is likely that I will merge them into the master repo. If you're looking for some inspiration of what to implement/fix:

  • The structure of my code sux, needs to be more pythonic, I suppose.
  • Commandline argument handling is a horrible hack, switch to argparse maybe.
  • The rop and rop-arm module are currently separated, but mostly equal logic-wise..
  • The ELF parser is an ugly and horrible hack, rewrite or replace with a proper lib
  • Assembling x86(-64)/ARM code is done using a system("gcc..") hack atm..
  • Mach-O support
  • PE (win) support
  • Make ROP module(s) agnostic of binary format (currently only ELF32/ELF64)
  • Turn moneyshot into an actual python module with a sane API, so we can import * from moneyshot
  • ROP gadget finding is nice, but we might be able to propose full ROP chains as well