DigiDuck – Framework for Digiduck Development Boards Running ATTiny85 Processors & Micronucleus Bootloader

Framework for Digiduck Development Boards running ATTiny85 processors and micronucleus bootloader!

DigiDuck Installation

DigiDuck Framework (Referred to as DDF) is really simple to start and setup! There are no third party modules required for DDF! All you need to do is make sure you have Python 3.6+ (I used this to develop it but it should be backwards compatible *hopefully*). Clone this repository and enter the directory from the command line. Once inside the directory simply run:

python start.py

This will start the program and display the Welcome Screen shown above.

Also ReadSandsifter – The x86 Processor Fuzzer For Hidden Instructions & Hardware Bugs

Help Menu

There are three commands in this Framework! I wanted to make this as lightweight as possible so it only requires one command in order to get a payload onto your board.

Command: help

The help command displays this menu:

Command: show

The show command displays this menu:

All your available payloads will be shown here. However if you run the execute command they display again.

Execution

The third and last command in DDF is execute. The execute command will display the same menu as the show command, however from this menu you will input the payload name. You have to include .hex at the end of it or it won’t load correctly and ask you to enter it again.

execute command display.

Once you choose your payload you will be prompted to insert your desired board into the computer. From there it will install the desired payload and display this when completed:

Thats it! You can now go plug in your badUSB DigiSpark board into a computer and run the desired payload!

Payloads

Payloads are DigiSpark .ino hex files that are installed using the micronucleus bootloader to your ATTiny85 or other boards.

Current Payloads

All the current payloads are from Hak5’s RubberDucky scripts available here. If you are unsure of what a payload may do this is the place to go read about it. I’ll try to keep the payloads close to the same name but I don’t want you on Windows to be typing out too much since rlcompleter doesn’t work.

Creating a Payload

Head to the Duckyspark GitHub Page to see how to create your translated .ino file from a RubberDucky script. After that load your .ino file into Arduino IDE. Make sure Verbose is on inside Preferences and compile your code. Open the terminal output below and look for the .hex file location. It should be in a temp directory in your AppData or equivalent on MacOS. Here’s and example:

This is right above where it tells you to plug in your board!

Pull the payloadname.cpp.hex file from that folder and drag it into payloads inside the DDF framework. Run the program and your payload will be loaded into Available Payloads!

Feel free to contribute by adding custom or more payloads from the Rubber Ducky scripts above! Make a PR with the new payloads.

Credit: Duckyspark,Micronucleus & Hak5 RubberDucky Payloads

Clrinject – Injects C# EXE or DLL Assembly Into every CLR Runtime and AppDomain Of Another Process

Clrinject injects C# EXE or DLL Assembly into any CLR runtime and AppDomain of another process. The injected assembly can then access static instances of the injectee process’s classes and therefore affect it’s internal state.

Also ReadDocker Tor Hidden Service Nginx – Easily Setup A Hidden Service Inside The Tor Network

Clrinject Usage

clrinject-cli.exe -p <processId/processName> -a <assemblyFile>

Opens process with id <processId> or name <processName>, inject <assemblyFile> EXE and execute Main method.

Additional Options

  • -e Enumerates all loaded CLR Runtimes and created AppDomains.
  • -d <#> Inject only into <#>-th AppDomain. If no number or zero is specified, assembly is injected into every AppDomain.
  • -i <namespace>.<className> Create an instance of class <className> from namespace <namespace>.

Examples

Usage examples

  • clrinject-cli.exe -p victim.exe -e (Enumerate Runtimes and AppDomains from victim.exe)
  • clrinject-cli.exe -p 1234 -a "C:\Path\To\invader.exe" -d 2 (Inject invader.exe into second AppDomain from process with id 1234)
  • clrinject-cli.exe -p victim.exe -a "C:\Path\To\invader.dll" -i "Invader.Invader" (Create instance of Invader inside every AppDomain in victim.exe)
  • clrinject-cli64.exe -p victim64.exe -a "C:\Path\To\invader64.exe" (Inject x64 assembly into x64 process)

Injectable assembly example

Following code can be compiled as C# executable and then injected into a PowerShell process. This code accessees static instances of internal PowerShell classes to change console text color to green.

using System;
using System.Reflection;

using Microsoft.PowerShell;
using System.Management.Automation.Host;

namespace Invader
{
    class Invader
    {
        static void Main(string[] args)
        {
            try
            {
                var powerShellAssembly = typeof(ConsoleShell).Assembly;
                var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
                var consoleHost = consoleHostType.GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic).GetValue(null);

                var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
                ui.RawUI.ForegroundColor = ConsoleColor.Green;
            }
            catch (Exception e)
            {
                Console.WriteLine(e.ToString());
            }
        }
    }
}

Injection command:

clrinject-cli64.exe -p powershell.exe -a "C:\Path\To\invader64.exe"

Result:

clrinject

Sandsifter – The x86 Processor Fuzzer For Hidden Instructions & Hardware Bugs

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.

With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.

Also ReadTakeOver : Takeover Script Extracts CNAME Record Of All Subdomains At Once

To run a basic audit against your processor:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.

The search will take from a few hours to a few days, depending on the speed of and complexity of your processor. When it is complete, summarize the results:

./summarize.py data/log

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:

  • Software bug (for example, a bug in your hypervisor or disassembler),
  • Hardware bug (a bug in your CPU), or
  • Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

Press ‘Q’ to quit and obtain a text based summary of the system scan:

The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to xoreaxeaxeax@gmail.com. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo) are included in this log.

Building

Sandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/. Capstone can typically be installed with:

sudo apt-get install libcapstone3 libcapstone-dev
sudo pip install capstone

Sandsifter can be built with:

make

and is then run with

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Flags

Flags are passed to the sifter with –flag, and to the injector with — -f.

Example:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:

--len
	search for length differences in all instructions (instructions that
	executed differently than the disassembler expected, or did not
	exist when the disassembler expected them to

--dis
	search for length differences in valid instructions (instructions that
	executed differently than the disassembler expected)

--unk
	search for unknown instructions (instructions that the disassembler doesn't
	know about but successfully execute)

--ill
	the inverse of --unk, search for invalid disassemblies (instructions that do
	not successfully execute but that the disassembler acknowledges)

--tick
	periodically write the current instruction to disk

--save
	save search progress on exit

--resume
	resume search from last saved state

--sync
	write search results to disk as they are found

--low-mem
	do not store results in memory

Injector flags:

-b
	mode: brute force

-r
	mode: randomized fuzzing

-t
	mode: tunneled fuzzing

-d
	mode: externally directed fuzzing

-R
	raw output mode

-T
	text output mode

-x
	write periodic progress to stderr

-0
	allow null dereference (requires sudo)

-D
	allow duplicate prefixes

-N
	no nx bit support

-s seed
	in random search, seed value

-B brute_depth
	in brute search, maximum search depth

-P max_prefix
	maximum number of prefixes to search

-i instruction
	instruction at which to start search (inclusive)

-e instruction
	instruction at which to end search (exclusive)

-c core
	core on which to perform search

-X blacklist
	blacklist the specified instruction

-j jobs
	number of simultaneous jobs to run

-l range_bytes
	number of base instruction bytes in each sub range

Keys

m: Mode – change the search mode (brute force, random, or tunnel) for the sifter

q: Quit – exit the sifter

p: Pause – pause or unpause the search

Algorithms

The scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.

  • Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
  • Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
  • Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
  • Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

Tips

  • sudo

For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.

  • Prefixes

The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.

  • Colors

The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:

 export TERM='xterm-256color'
  • GUI

The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.

In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:

 sudo ./injector -P1 -t -0

To filter the results of a direct injector invocation, grep can be used. For example,

 sudo ./injector -P1 -r -0 | grep '\.r' | grep -v sigill

searches for instructions for which the processor and disassembler disagreed on the instruction length (grep ‘.r’), but the instruction successfully executed (grep -v sigill).

  • Targeted fuzzing

In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated ‘lock’ prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:

 sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15
  • Legacy systems

For scanning much older systems (i586 class processors, low memory systems), pass the –low-mem flag to the sifter and the -N flag to the injector:

 sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N

If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.

  • 32 vs. 64 bit

By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.

To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/.

Then sandsifter must be built for a 32 bit architecture:

 make CFLAGS=-m32

With this, the 32 bit instruction space can be explored on a 64 bit system.

Docker Tor Hidden Service Nginx – Easily Setup A Hidden Service Inside The Tor Network

Docker tor hidden service nginx is a tool to easily setup a hidden service inside the Tor network.

Generate the skeleton configuration for you hidden service, replace for your hidden service pattern name. Example, if you want to your hidden service contain the word ‘boss’, just use this word as argument. You can use regular expressions, like ^boss, will generate an address wich will start with ‘boss’. Be aware that bigger the pattern, more time it will take to generate it.

docker run -it --rm -v $(pwd)/web:/web \
       strm/tor-hiddenservice-nginx generate <pattern>

Create an container named ‘hiddensite’ to serve your generated hidden service

docker run -d --restart=always --name hiddensite -v $(pwd)/web:/web \
       strm/tor-hiddenservice-nginx

Also ReadAtlas – Quick SQLMap Tamper Suggester

Docker Tor Hidden Service Nginx Example

Let’s create a hidden service with the name beginning with strm.

docker pull strm/tor-hiddenservice-nginx

Wait to the container image be downloaded. And them we can generate our site skeleton:

$docker run -it --rm -v $(pwd)/web:/web strm/tor-hiddenservice-nginx generate ^strm
[+] Generating the address with mask: ^strm
[+] Found matching domain after 137072 tries: strmfyygjp5st54g.onion
[+] Generating nginx configuration for site  strmfyygjp5st54g.onion
[+] Creating www folder
[+] Generating index.html template

Now we have our skeleton generated, we can run the container with:

docker run -d --restart=always --name hiddensite \
       -v $(pwd)/web:/web strm/tor-hiddenservice-nginx

And you have the service running ! 🙂

Troubleshoot

  • 403 error on nginx, check your directory permissions and folder permissions. Nginx run as “hidden” user, his UID is 666, just check if you give this user access to the /web/www folder (in the case the folder mapped to it).

Build

docker build -t strm/tor-hiddenservice-nginx .

Run

docker run -d --restart=always --name hiddensite 
-v $(pwd)/web:/web strm/tor-hiddenservice-nginx

Shell

docker run -it --rm -v $(pwd)/web:/web 
--entrypoint /bin/bash strm/tor-hiddenservice-nginx

Dnsdiag – DNS Diagnostics and Performance Measurement Tools

Dnsdiag is a DNS Diagnostics and Performance Measurement Tools. Ever been wondering if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.

You can measure the response time of any given DNS server for arbitrary requests using dnsping. Just like traditional ping utility, it gives you similar functionality for DNS requests.

You can also trace the path your DNS request takes to destination to make sure it is not being redirected or hijacked. This can be done by comparing different DNS queries being sent to the same DNS server using dnstraceroute and observe if there is any difference between the path.

dnseval evaluates multiple DNS resolvers and helps you choose the best DNS server for your network. While it is highly recommended to use your own DNS resolver and never trust any third-party DNS server, but in case you need to choose the best DNS forwarder for your network, dnseval lets you compare different DNS servers from performance (latency) and reliability (loss) point of view.

Also ReadDex2jar – Tools To Work With Android .dex & Java .class Files

Dnsdiag Requirements

  • Python3
  • dnspython
  • cymruwhois

Installation

There are several ways that you can use this toolset. However using the sourcecode is always recommended.

From Source Code

  1. You can checkout this git repo and its submodules
git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag
pip3 install -r requirements.txt
  1. You can alternatively install the package using pip:
pip3 install dnsdiag

Dnsping

dnsping pings a DNS resolver by sending an arbitrary DNS query for given number of times:

% ./dnsping.py -c 3 -t AAAA -s 8.8.8.8 dnsdiag.org
dnsping.py DNS: 8.8.8.8:53, hostname: dnsdiag.org, rdatatype: AAAA
4 bytes from 8.8.8.8: seq=0   time=123.509 ms
4 bytes from 8.8.8.8: seq=1   time=115.726 ms
4 bytes from 8.8.8.8: seq=2   time=117.351 ms

--- 8.8.8.8 dnsping statistics ---
3 requests transmitted, 3 responses received,   0% lost
min=115.726 ms, avg=118.862 ms, max=123.509 ms, stddev=4.105 ms

This script calculates minimum, maximum and average response time as well as jitter (stddev)

Dnstraceroute

dnstraceroute is a traceroute utility to figure out the path that your DNS request is passing through to get to its destination. You may want to compare it to your actual network traceroute and make sure your DNS traffic is not routed to any unwanted path.

% ./dnstraceroute.py --expert -C -t A -s 8.8.4.4 facebook.com
dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
1	192.168.0.1 (192.168.0.1) 1 ms
2	192.168.28.177 (192.168.28.177) 4 ms
3	192.168.0.1 (192.168.0.1) 693 ms
4	172.19.4.17 (172.19.4.17) 3 ms
5	google-public-dns-b.google.com (8.8.4.4) 8 ms

=== Expert Hints ===
 [*] public DNS server is next to a private IP address (possible hijacking)

Using --expert will instruct dnstraceroute to print expert hints (such as warnings of possible DNS traffic hijacking).

Dnseval

dnseval is a bulk ping utility that sends an arbitrary DNS query to a give list of DNS servers. This script is meant for comparing response time of multiple DNS servers at once:

% ./dnseval.py -t AAAA -f public-servers.txt -c10 yahoo.com
server           avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl     flags
------------------------------------------------------------------------------------------------------
8.8.8.8          270.791     215.599     307.498     40.630      %0       298     QR -- -- RD RA -- --
8.8.4.4          222.955     171.753     307.251     60.481      %10      291     QR -- -- RD RA -- --
ns.ripe.net      174.855     160.949     187.458     10.099      %0       289     QR -- -- RD RA -- --
4.2.2.1          172.798     163.892     189.918     7.823       %0       287     QR -- -- RD RA -- --
4.2.2.2          178.594     169.158     184.696     5.067       %0       285     QR -- -- RD RA -- --
4.2.2.3          153.574     138.509     173.439     12.015      %0       284     QR -- -- RD RA -- --
4.2.2.4          153.182     141.023     162.323     6.700       %0       282     QR -- -- RD RA -- --
4.2.2.5          154.840     141.557     163.889     7.195       %0       281     QR -- -- RD RA -- --
209.244.0.3      156.270     147.320     161.365     3.958       %0       279     QR -- -- RD RA -- --
209.244.0.4      159.329     151.283     163.726     3.958       %0       278     QR -- -- RD RA -- --
195.46.39.39     171.098     163.612     181.147     5.067       %0       276     QR -- -- RD RA -- --
195.46.39.40     175.335     160.920     185.618     8.726       %0       274     QR -- -- RD RA -- --

Credit: Babak Farrokhi

TakeOver : Takeover Script Extracts CNAME Record Of All Subdomains At Once

Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain sub.example.com that points to an external service such as GitHub. If the Github page is removed by its owner and forgot to remove the DNS entry that points to GitHub service. An attacker can simply takeover subdomain by adding CNAME file containing the sub.example.com.

Also ReadXenoScan – Open source memory scanner written in C++

Here is the command that checks CNAME record of a subdomain.

$dig CNAME apt.shopify.com --> apt.shopify.com.s3-website-us-east-1.amazonaws.com.

There are a lot of sites having thousands of subdomain and it’s really hard to check each subdomain. Here we got a script that shows CNAME record for each domain. It takes a file name as an input and perform some action and finally produce it output, which shows CNAME record for each domain. The input file should contain a list of subdomains.

There are some fingerprints should be analysed when service is deleted and DNS entry remains as it is. The attacker get this error when visiting vulnerable subdomain such as “There isn’t a Github Pages site here.” or view below image for more detail.

TakeOver Video Tutorial

Atlas – Quick SQLMap Tamper Suggester

Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS, the tool is based on returned status code.

Atlas Installation

$ git clone https://github.com/m4ll0k/Atlas.git atlas
$ cd atlas
$ python atlas.py

Also ReadDex2jar – Tools To Work With Android .dex & Java .class Files

Usage

$ python atlas.py --url http://site.com/index.php?id=Price_ASC --payload="-1234 AND 4321=4321-- AAAA" --dbms=mysql --random-agent -v

ScreenShot

Example

  1. Run SQLMap:
$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3

Price_ASC') AND 8716=4837 AND ('yajr'='yajr is blocked by WAF/IDS/IPS, now trying with Atlas:

$ python atlas.py --url 'http://site.com/index.php?id=Price_ASC' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v

At this point:

$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 --tamper=versionedkeywords,...

Dex2jar – Tools To Work With Android .dex & Java .class Files

Dex2jar is a tool to work with android .dex and java .class files.

  • dex-reader/writer: Read/write the Dalvik Executable (.dex) file. It has a light weight API similar with ASM.
  • d2j-dex2jar: Convert .dex file to .class files (zipped as jar)
  • smali/baksmali: disassemble dex to smali files and assemble dex from smali files. different implementation to smali/baksmali, same syntax, but we support escape in type desc “Lcom/dex2jar\t\u1234;”
  • other tools: d2j-decrypt-string

Also ReadMalwoverview – Tool To Perform An Initial & Quick Triage On A Directory Containing Malware Samples

Dex2jar Utilization

sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk

And the output file will be apk_to_decompile-dex2jar.jar.

XenoScan – Open source memory scanner written in C++

XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game’s state in memory.

XenoScan is written in C++ with a Lua frontend, and I’ve been working on advanced functionality that goes beyond anything that has been in any other memory scanners I’ve seen. Notably, it has a way to enumerate and return all complex data structures (such as std::list and std::map) in the target’s memory space, and it can even scan for any class instances and group the discovered instances by their underlying types.

Also ReadDbgShell – A PowerShell Front-End For The Windows Debugger Engine

XenoScan Sub-projects

XenoLua

XenoLua is a wrapper around Lua that provides a ton of functionality. Most notably, it provides a LuaVariant class which wraps the functionality of converting between C/C++ and Lua types. Additionally, it has helper functions for working with Lua in the LuaPrimitive class.

XenoScanEngine

XenoScanEngine is the meat of the project. It contains the code for the scanning, data structure detection, and everything else.

XenoScanLua

XenoScanLua ties XenoScanEngine to XenoLua to provide a Lua-scriptable frontend for the scanner. Currently, this is the only entry-point to the scanner.

Additionally, this project contains some test code that ensures everything is working properly. A test is a combination of a .cpp, a .h, and a .lua file. For examples on how to use the scanner, you can check out the .lua test files.

Compiling

XenoScan uses CMake, and has been tested with Visual Studio 2017. In theory, you should be able to build the code with any modernish compiler, as long as you use CMake to generate the project files. Before you can compile, you will need to make sure you’ve checked out the submodules. Once that’s done, you’ll also have to build the luajit submodule so XenoScan can link against the libraries.

If you’re using Visual Studio, this should be easy. Simply run buildmsvc2017.bat from a Developer Command Prompt for VS. As an example, to build a project for Visual Studio 2017, I run

cd C:\path\to\XenoScan
buildmsvc2017.bat

Which would make a file named XenoScan.sln appear in my build directory (e.g. C:\path\to\XenoScan\build).

The main development of XenoScan is done on this version of Visual Studio.

Platform

The code is designed to be platform-agnostic. Theoretically, to compile on any other platform, you would need to

  1. Create project/make files for your target IDE/compiler.
  2. Remove the ScannerTargetWindows.cpp and ScannerTargetWindows.h files from the project.
  3. Implement the ScannerTarget interface for your platform.
  4. Add your implementation to the project.
  5. ???? profit

Features

Basic scanning functionality supports the following types:

  • Integral types*:
    • int8_t
    • uint8_t
    • int16_t
    • uint16_t
    • int32_t
    • uint32_t
    • int64_t
    • uint64_t
  • float
  • double
  • ascii strings
  • wide strings
  • Custom data structures (think C++ struct)
    • Can consist of any combination integral and decimal types

* Lua frontend may choke on 64-bit integers, but the scanner library supports them.

Scanning supports the following types of matching:

  • Equal to
  • Greater than
  • Greater than or equal to
  • Less than
  • Less than or equal to
  • Ranges (min <= check <= max)

Additionally, there is functionality to detect all instances of the following types:

  • std::map
  • std::list
  • Any class with a virtual-function table

Credit: hackermans

HeapHopper – A Bounded Model Checking Framework For Heap-Implementations

HeapHopper is a bounded model checking framework for Heap-implementation. 

HeapHopper Setup

sudo apt update && sudo apt install build-essential python-dev virtualenvwrapper
git clone https://github.com/angr/heaphopper.git && cd ./heaphopper
mkvirtualenv -ppython2 heaphopper
pip install -e .

Required Packages

build-essential python-dev virtualenvwrapper

Required Python-Packages

ana angr cle claripy IPython psutil pyelftools pyyaml

Also ReadDarkSpiritz – A Penetration Testing Framework For UNIX Systems

Examples

# Gen zoo of permutations
heaphopper.py gen -c analysis.yaml

#  Trace instance
make -C tests
heaphopper.py  trace -c tests/how2heap_fastbin_dup/analysis.yaml -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Gen PoC
heaphopper.py poc -c tests/how2heap_fastbin_dup/analysis.yaml -r tests/how2heap_fastbin_dup/fastbin_dup.bin-result.yaml -d tests/how2heap_fastbin_dup/fastbin_dup.bin-desc.yaml -s tests/how2heap_fastbin_dup/fastbin_dup.c -b tests/how2heap_fastbin_dup/fastbin_dup.bin

# Tests
cd tests
# Show source
cat how2heap_fastbin_dup/fastbin_dup.c
# Run tests
./run_tests.py
# Show PoC source
cat pocs/malloc_non_heap/fastbin_dup.bin/poc_0_0.c
# Run PoC
./run_poc.sh pocs/malloc_non_heap/fastbin_dup.bin/bin/poc_0_0.bin