Mimics a VMware backdoor RPC (guest-to-host enhanced RPC) request; this can be used as a foundation for discovering guest-to-host escapes:
Backdoor.exe
[+] Address of SendRPCRequest: 0x00007FF6843C1150
[+] Input: info-get guestinfo.ip
[+] Address of In Buffer: 0x00007FF6843C2298
[+] Size of In Buffer: 21
[+] Address of Out Buffer: 0x000001AD5D7F4EB0
[!] Press a key to continue...
[+] Sending RPC request...
[+] Output: 1 192.168.1.172
[+] Done!
Performs a noisy scan on target subnets. May be useful if scanning through proxies/pivots (where nmap is not playing nicely!):
usage: scanner.py [-h] [-c CONCURRENT] -r RHOSTS [-p PORTS] [-t TIMEOUT] [-v]
optional arguments:
-h, --help show this help message and exit
-c CONCURRENT, --concurrent CONCURRENT
Number of concurrent threads, default=100.
-r RHOSTS, --rhosts RHOSTS
The hosts to scan, use CIDR.
-p PORTS, --ports PORTS
The ports to scan (comma [,] delimited), use 'all' to scan for all ports.
-t TIMEOUT, --timeout TIMEOUT
The TCP timeout value, default = 1.5.
-v, --verbose Run the script verbosely.

Checks for bad characters in custom x86 shellcode. This is really useful when you have bad characters present and need to change the shellcode without using decoding (e.g., when using WriteProcessMemory in a ROP chain):
usage: bad-char-check.py [-h] [--asm ASM] --badchars BADCHARS [--scroll SCROLL] [--raw RAW] [--txt TXT] [--platform PLATFORM]
options:
-h, --help show this help message and exit
--asm ASM, -a ASM The asm instruction file to check.
--badchars BADCHARS, -b BADCHARS
The bad chars to highlight.
--scroll SCROLL, -s SCROLL
Set to scroll after number of lines output.
--raw RAW, -r RAW Raw file as an input, e.g., msfvenom output.
--txt TXT, -t TXT Space delimited text file as an input.
--platform PLATFORM, -p PLATFORM
Platform x86/x64.

The script can also be used to analyse an msfvenom raw file and a space-delimited text file.
Simple script to convert an IP address to a 32-bit x86 push instruction:
python3 ./ip-to-hex.py 192.168.1.166
push 0xa601a8c0; # Push sin_addr (192.168.1.166)
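As an added worked example (not code from this repository), the Python below combines the two ideas above: it derives the push immediate for an IPv4 address the way ip-to-hex.py does, then scans a space-delimited byte listing instruction by instruction for bad characters, which is exactly the situation where a push of an address such as 192.168.1.0 silently introduces a null. The listing format (hex bytes per line, ';' comment), the sample listing and the bad-character set 00/0a/0d are constructed assumptions, not the scripts' real input formats.

```python
import socket
import struct

# Constructed sample listing (assumption): one instruction per line,
# hex bytes separated by spaces, optional ';' comment.
SAMPLE_LISTING = """\
31 c0          ; xor eax, eax
68 c0 a8 01 a6 ; push 0xa601a8c0 (sin_addr 192.168.1.166)
68 c0 a8 01 00 ; push 0x0001a8c0 (sin_addr 192.168.1.0)
66 b8 0d 00    ; mov ax, 0x0d
"""

# Constructed bad-character set (assumption): NUL, LF, CR.
BADCHARS = bytes([0x00, 0x0A, 0x0D])


def ip_to_push(ip: str) -> str:
    """Return the 32-bit x86 'push imm32' line for an IPv4 sin_addr."""
    # inet_aton gives the address in network byte order; the immediate is
    # read little-endian, so the bytes land in memory in dotted-quad order.
    imm = struct.unpack("<I", socket.inet_aton(ip))[0]
    return f"push 0x{imm:08x}; # Push sin_addr ({ip})"


def parse_listing(text: str):
    """Yield (encoded_bytes, comment) for each non-empty line of the listing."""
    for line in text.splitlines():
        code, _, comment = line.partition(";")
        hexbytes = code.split()
        if hexbytes:
            yield bytes(int(h, 16) for h in hexbytes), comment.strip()


def find_bad_chars(text: str, badchars: bytes):
    """Return [(instr_no, comment, [(offset, byte), ...])] for instructions that hit."""
    hits = []
    for n, (code, comment) in enumerate(parse_listing(text), start=1):
        bad = [(i, b) for i, b in enumerate(code) if b in badchars]
        if bad:
            hits.append((n, comment, bad))
    return hits


if __name__ == "__main__":
    print(ip_to_push("192.168.1.166"))
    for n, comment, bad in find_bad_chars(SAMPLE_LISTING, BADCHARS):
        where = ", ".join(f"offset {i}: 0x{b:02x}" for i, b in bad)
        print(f"[!] instruction {n} ({comment}) contains bad chars: {where}")
```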
Searches a loaded module for IAT references to APIs.
Searches an rp++ output for common ROP gadgets:
./rop-finder-general.py -f ../gadgets.txt -b "0x00 0x0a 0x80 0x81"
~-~-~(RoP fInDeR gEnErAl v1.0)~-~-~
0. Ref ESP/EBP Gadgets
1. MOV/XCHG Gadgets
2. PUSHAD Gadgets
3. Pointer Deref Gadgets
4. Save to Pointer Gadgets
5. POP Gadgets
6. PUSH-POP Gadgets
7. Zeroing Gadgets
8. INC Gadgets
9. DEC Gadgets
a. NEG Gadgets
b. ADD Gadgets
c. SUB Gadgets
d. Custom RegEx
e. Quit