Toolkit for manual buffer exploitation, which features a basic network socket fuzzer, offset pattern generator and detector, bad character identifier, shellcode carver, and a vanilla EIP exploiter

WoollyMammoth

Features

  • Basic network service fuzzer
  • EIP offset pattern creator
  • Offset pattern detector
  • Bad Character-set sender
  • Vanilla EIP overwrite exploiter
  • Shellcode carver (egghunters, larger payloads, anything!)

Installation

git clone https://github.com/ins1gn1a/WoollyMammoth
cd WoollyMammoth
pip3 install -r requirements.txt

Overview

woollymammoth.py --help
usage: woollymammoth.py [-h] {fuzz,offset,badchars,eip,exploit,carve} ...

Woolly Mammoth Fuzzing and Exploitation Toolkit

positional arguments:
  {fuzz,offset,badchars,eip,exploit,carve}
    fuzz                Socket-based fuzzer that allows command prefix
                        (optional)
    offset              Sending unique string pattern to identify EIP offset
                        in a debugger.
    badchars            Toolset to help identify bad character usage in target
                        applications.
    eip                 Enter the offset pattern hex string to identify the
                        offset value.
    exploit             Create buffer-overflow exploit on the command line
                        with optional prefix.
    carve               Stack manipulation carving (egghunters, shellcode,
                        etc)

optional arguments:
  -h, --help            show this help message and exit

Fuzzing

./woollymammoth.py fuzz -h
usage: woollymammoth.py fuzz [-h] --target TARGET --port PORT
                             [--prefix PREFIX]

optional arguments:
  -h, --help            show this help message and exit
  --prefix PREFIX       (Optional) Enter the prefix for the command.

Required Arguments:
  --target TARGET, -t TARGET
                        Enter the target host IP address.
  --port PORT, -p PORT  Enter the target port number.

Offset

./woollymammoth.py offset -h
usage: woollymammoth.py offset [-h] --target TARGET --port PORT
                               [--prefix PREFIX]

optional arguments:
  -h, --help            show this help message and exit
  --prefix PREFIX       (Optional) Enter the prefix for the command.

Required Arguments:
  --target TARGET, -t TARGET
                        Enter the target host IP address.
  --port PORT, -p PORT  Enter the target port number.

Bad Chars

woollymammoth.py badchars --help
usage: woollymammoth.py badchars [-h] --target TARGET --port PORT --buffer
                                 BUFFER [--offset OFFSET] [--prefix PREFIX]
                                 [--alpha] [--non-alpha]

optional arguments:
  -h, --help            show this help message and exit
  --offset OFFSET, -o OFFSET
                        Specify the buffer offset to prefix 'A' characters
                        before the bad characters (if not specified then bad
                        chars will be sent at the start of the payload)
  --prefix PREFIX       (Optional) Enter the prefix for the command.
  --alpha, -a           Only send alpha-characters
  --non-alpha, -n       Only send non-alpha characters

Required Arguments:
  --target TARGET, -t TARGET
                        Enter the target host IP address.
  --port PORT, -p PORT  Enter the target port number.
  --buffer BUFFER, -b BUFFER
                        Specify the buffer size
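The badchars command only sends the candidate bytes; deciding which one was mangled is still done by comparing the sent sequence against what the debugger shows in memory. The following is an added example (not part of WoollyMammoth) of that bookkeeping in Python: it builds the candidate set with the same --alpha / --non-alpha / --offset / --prefix layout described above, and compares it with a constructed "memory dump" to report the first byte that was altered or cut off. The meaning of "alpha" as ASCII letters A-Z and a-z, and leaving 0x00 out of the default set, are assumptions of this example.

```python
import string

# 0x00 terminates C strings and so almost always breaks the copy before any
# other byte can be judged; it is left out of the default candidate set
# (an assumption of this example, not something the page states).
DEFAULT_EXCLUDE = (0x00,)


def badchar_candidates(alpha=False, non_alpha=False, exclude=DEFAULT_EXCLUDE):
    """Return the candidate bytes 0x00-0xff in ascending order, minus `exclude`.

    alpha / non_alpha mirror the --alpha and --non-alpha switches. 'alpha' is
    taken here to mean ASCII letters A-Z and a-z (assumption).
    """
    cands = [b for b in range(256) if b not in exclude]
    letters = set(string.ascii_letters.encode())
    if alpha:
        cands = [b for b in cands if b in letters]
    elif non_alpha:
        cands = [b for b in cands if b not in letters]
    return bytes(cands)


def build_badchar_payload(candidates, offset=0, prefix=b""):
    """Assemble prefix + 'A' * offset + candidates, the layout the --prefix
    and --offset options describe."""
    return prefix + b"A" * offset + candidates


def first_bad_char(sent, observed):
    """Compare the bytes that were sent with the bytes read back from the same
    location (e.g. a debugger memory dump).

    Returns the first byte value that was altered or cut off, or None if the
    whole sequence survived intact. Only the first mismatch is trustworthy:
    once a byte is mangled or terminates the copy, everything after it is
    unreliable, so the usual workflow is to drop that byte and send again.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def remaining_candidates(candidates, bad):
    """Drop every byte already identified as bad, ready for the next round."""
    return bytes(b for b in candidates if b not in bad)


if __name__ == "__main__":
    sent = badchar_candidates()
    # Constructed memory dump: the target turned 0x0a into 0x00 and stopped copying.
    observed = sent[:9] + b"\x00"
    bad = first_bad_char(sent, observed)
    print("first bad char:", hex(bad) if bad is not None else None)
    print("next round sends", len(remaining_candidates(sent, {bad})), "bytes")
```

Each round removes one byte and resends the rest, so a target with several bad characters needs several rounds; the offset of 'A's in front only matters for where in the buffer the candidates land and does not affect the comparison.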

EIP

./woollymammoth.py eip -h
usage: woollymammoth.py eip [-h] --eip EIP

optional arguments:
  -h, --help         show this help message and exit

Required Arguments:
  --eip EIP, -e EIP  Enter the EIP value to identify offset code.
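The offset and eip commands above are the two halves of one technique: send a cyclic pattern in which every 4-byte window is unique, read the value that lands in EIP at the crash, and look that value up in the pattern to get the offset. The following is an added example in Python, not WoollyMammoth's own code, that implements both halves (the pattern alphabet is the classic uppercase/lowercase/digit scheme; the function names are this example's own). Offsets are counted from the first pattern byte, so a command prefix sent before the pattern is not included in the result.

```python
import string

# Alphabet of the cyclic pattern: each 3-byte group is one uppercase letter,
# one lowercase letter and one digit, e.g. "Aa0Aa1Aa2...Ab0Ab1...".
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_DIGITS = string.digits
MAX_PATTERN = len(_UPPER) * len(_LOWER) * len(_DIGITS) * 3  # 20280 bytes before it repeats


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern.

    Within MAX_PATTERN bytes every 4-byte window is unique, which is what
    lets a 4-byte EIP value be mapped back to a single position.
    """
    if not 0 < length <= MAX_PATTERN:
        raise ValueError(f"length must be in 1..{MAX_PATTERN}")
    groups = []
    for u in _UPPER:
        for l in _LOWER:
            for d in _DIGITS:
                groups.append(u + l + d)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def _needle_from_eip(eip):
    """Turn a crashed EIP value into the 4 characters that sat at that slot.

    Accepts '0x41326241', '41326241' (exactly 8 hex digits) or the literal
    4 characters 'Ab2A'. x86 is little-endian, so the register value is the
    memory bytes in reverse order; the hex form is flipped before searching.
    """
    eip = eip.strip()
    has_prefix = eip.lower().startswith("0x")
    is_hex = has_prefix or (len(eip) == 8 and all(c in string.hexdigits for c in eip))
    if is_hex:
        raw = bytes.fromhex(eip[2:] if has_prefix else eip)
        return raw[::-1].decode("ascii", errors="replace")
    return eip


def pattern_offset(eip, length=MAX_PATTERN):
    """Return the 0-based offset of the EIP value inside the pattern, or -1.

    -1 means the value is not in the pattern at all: EIP still held a real
    address, or fewer than 4 pattern bytes reached it.
    """
    pat = pattern_create(length)
    return pat.find(_needle_from_eip(eip))


if __name__ == "__main__":
    print(pattern_create(40))
    print(pattern_offset("0x41326241"))  # 36
    print(pattern_offset("0x41414141"))  # -1: "AAAA" never occurs in the pattern
```

A result of -1 after a crash usually means the register was overwritten by something other than the pattern, or by only part of it; in that case the pattern length or the prefix is what to revisit, not the offset arithmetic.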

Exploit

./woollymammoth.py exploit -h
usage: woollymammoth.py exploit [-h] --target TARGET --port PORT --eip EIP
                                --offset OFFSET --shellcode SHELLCODE
                                [--prefix PREFIX] [--nops NOPS]

optional arguments:
  -h, --help            show this help message and exit
  --prefix PREFIX       (Optional) Enter the prefix for the command.
  --nops NOPS, -n NOPS  Enter the number of NOPs to send as an integer
                        (default: 10).

Required Arguments:
  --target TARGET, -t TARGET
                        Enter the target host IP address.
  --port PORT, -p PORT  Enter the target port number.
  --eip EIP, -e EIP     Enter the EIP JMP/PUSH;RET address as assembly
                        shellcode.
  --offset OFFSET, -o OFFSET
                        Enter the EIP offset value as an integer.
  --shellcode SHELLCODE, -s SHELLCODE
                        Enter the shellcode for the exploit.

Carve

./woollymammoth.py carve -h
usage: woollymammoth.py carve [-h] --shellcode EGGHUNTER [--esp CURR_ESP]
                              [--dest-esp DEST_ESP]

optional arguments:
  -h, --help            show this help message and exit
  --esp CURR_ESP, -e CURR_ESP
                        Enter the ESP value at the start of the carved
                        shellcode
  --dest-esp DEST_ESP, -d DEST_ESP
                        Enter the address that should contain the carved
                        shellcode

Required Arguments:
  --shellcode EGGHUNTER, -s EGGHUNTER
                        Enter the shellcode to be converted (e.g. an
                        egghunter)