_________ _______________ ________________________________ _______
__ ____/____ ___ ___/_|__ /______ ___ __/_ __ \_ __ \__ /__ /___ __ \___ __
_ / __ / / /____ \___/_ <_ ___/ __ / _ / / / / / /_ /__ __ \ / / /_ |/_/
/ /___ _ /_/ /____/ /____/ // /__ _ / / /_/ // /_/ /_ / _ /_/ / /_/ /__> <
\____/ _\__, / /____/ /____/ \___/ /_/ \____/ \____/ /_/ /_.___/\____/ /_/|_|
/____/
CySec Toolbox is a collection of cybersecuirty tools for CTF automation
- 1. About
- 2. Installation
- 3. The tools and directory structure
- 4. Roadmap
- 5. Contributing
- 6. Acknowledgments
- 7. Meta
These tools were developed during the POLIMI ODC 23-24 course for comfort, ease of use, and, most importantly, because it was fun. While initially designed for use in CTFs, there's nothing preventing you from incorporating them into your daily operations as well.
csarg and his toolbox
The majority of these tools are command-line scripts, requiring only BASH or Python for execution. Each script includes a help message accessible via the -h command line option, and a brief description of each tool is provided below.
❗️ Note: It is essential to thoroughly comprehend the functionality of any script you intend to utilize.
Tools vary, and their behavior may be unpredictable.
Always refer to the commented source code for comprehensive understanding.
Certain tools are built upon others to facilitate interaction and encourage automation. It's crucial to grasp the functionality of a script before execution. A comprehensive list of dependencies is available in /configurations/installed.txt. Familiarizing yourself with this list will help ensure the seamless operation of the tools.
"It eats assembly and produces optimized machine code! Basically a digital microorganism"
# writes to stdout the hex bytecodes of an assmebled assembly file given from stdin with 64 bit architecture
# if no file is provided, stdin is read
This script is tailored for shellcode CTFs, where crafting a specific shellcode and assembling it accurately is often required for a functional payload. While many individuals resort to web assemblers such as defuse.ca, I personally found them cumbersome due to the copy-pasting hurdle. genbin directly addresses this challenge by allowing you to write your assembly code in a file. It takes care of the assembly process and provides you with the hex bytecodes on stdout. This approach proves advantageous, as you can seamlessly call it from your script.py without relying on an internet connection. Moreover, it enhances code readability by eliminating the need for long hex strings, which may be unclear until de-assembled.
"The sweet honey. They always here when you need one (and they come in different flavors too)."
This directory comprises a compilation of useful shellcodes, each possessing unique properties that set them apart. By utilizing the genbin tool, you can easily extract code snippets from this directory, eliminating the need to write any assembly code in most cases.
"A script replicator! What is this "Blade Runner"??"
# creates in current working directory a template python file for pwning named "script.py"
# the generated script file is already set with the parameters passed in input
⚠️ This tool depends and it is built on top ofpwntools. You can view and installpwntoolshere.
One of the most important tools for automating CTFs as it automatically generates you a script.py template directly in your working directory. You can pass as command line parameters the IP, PORT and local EXECUTABLE file in order to find them again already set inside the template. There are 2 types of templates: /genscript/pwn_script.py for binary exploitation and /genscript/web_script.py for web app exploitation.
"A cold, emotionless hitman machine. What is this "Terminator??"
# search in an executable file a call for ptrace and NOPs it
# it can also NOP a particular bytes signature provided by input
This tool automates binary patching, specifically addressing scenarios in CTFs where executables employ measures such as ptrace calls or alarm functions to evade dynamic analysis. By default, the script searches and NOPs ptrace calls. NOPping involves substituting bytecode with consecutive NOP codes, effectively replacing the previous function with a "skip" instruction. Additionally, you can specify a particular bytecode, obtained through reverse engineering, to search for and NOP using command line options.
To identify the ptrace call, illtrace relies on two bytecode patterns:
- A sequence of consecutive instructions that load common parameters into registers for the
ptracecall. - A bytecode sequence checking for
if result == 0, a common flow indicating the use ofptracefor checking if it is being traced.
If the dynamic search yields no results, you can explicitly provide the bytecode signature discovered through reverse engineering.
"It's like a truffle dog but for gadgets"
# script for gadgets finding optimization
# it runs ROPgadget and puts the output to `gadgets` file
# it then parses gadgets with different `awk` filters and prints the outputs to `stdout`
# current filters are:
# - all lines that have only `pop` operations
# - all lines that contain a `mov rsp, ***` operation
⚠️ This tool depends and it is built on top ofROPgadget. You can view and installROPgadgethere.
gadget_finder serves as an automation tool for ROPgadget, streamlining the process by running the ROPgadget tool and applying specific filters to its output. These filters are the ones common to search for in a temptative of ROP attack scenario.
"You know what's better than one magic gadget? LOTS of magic gadgets!"
# This shell script takes an input file and searches for all the magic gadgets within it.
# It then proceeds to call the provided Python script with each discovered magic gadget offset as an argument.
⚠️ This tool depends and it is built on top ofone_gadget. You can view and installone_gadgethere.
Automation tool wrapped around one_gadget for magic gadget exploitation. It executes your exploitation script (e.g.: script.py) giving it in as command line argument "MAGIC_GADGET" the magic gadget's offset found first by running one_gadget, basically "bruteforcing" your exploit with magic gadgets.
It continues this process until discovering new offsets. This ensures ongoing interaction with your exploit script, allowing you to interrupt the execution at your discretion.
"Let's shake the black box and listen waht's inside."
# shell script that "analyzes" a libc shared object provided and outputs some common informations found on it
# It tries to understand if the libc version provided in input is using tcache
# and if yes, how it behaves (allocating, deallocating, key implementation, fastbin attack...)
# this script works with patchelf and check_tcache.c template c file
# it pathces the c file with patchelf with the libc and ld provided in input
# and then it compiles and runs the file and outputs to stdout what it discovered
⚠️ This tool depends and it is built on top ofpatchelf. You can view and installpatchelfhere.
Dynamic analysis tool for HEAP exploitation. It makes use of carefully crafted C programs to gather informations on the executable file in a black box manner.
Sometimes you are given a libc version wich is unknown or that has been opportunately modified. Exploiting ptmalloc heavily depends on the implementation of libc you're dealing with and getting to know a-priori the behavior of it might be helpful for speedingup operations and do less confusion.
This particular C file tries to understand if the libc used by it has T-Cache implementation and how it behaves.
"Surgeon on its work.. patching codes"
# Script that patches a binary file provided.
# It does provide NOP and ZERO out-of-the-box patches but it's possible
# to also inject via file your custum one.
Substitutres code in certain precise points. It provides already premade patches:
- NOP: Substitutes every byte from OFFSET with the
NOPopcode (0x90). It requires the bytes LENGTH of how much you want to patch. - ZERO: Substitutes every byte from OFFSET with the
NULLbyte (0x00). It requires the bytes LENGTH of how much you want to patch. - It's possible to provide in input also a custum binary file that will be used to overwrite from OFFSET. The tool also does boundaries chekcing on the OFFSET and LENGTH provided in input.
Simple shell script used for calling the python script. It passes all its command line arguments to the script.
Just a collection of slides and useful material to review during exploitation.
"Home is where you can double-quote automated."
This is a directory used for replicating and syncing the setup I'M comfortable with.
Here you can find all my settings file and instructions to refresh my mind on how to setup services.
I won't dwell my self on this part cause its very subjective to me but if you're interested or you don't understand something absoloutely contact me and I'll try to help you as I can 👍🏻!
- Create a Docker image containing the toolbox and all the dependent software already setup
- Enhance
configurations/directory content - Add more web app exploitation tools
- Add examples directory
- Improve
fuckmyhex.pyon its branch - Remove
ptracesignature search for illtrace or improve it - Improving
notes/material and adding more files
See the open issues for a full list of proposed features (and known issues).
Contributions are more than welcome! Here's a short video tutorial on how to open a pull request.
Finding bugs, testing, enhancing code or just helping with documentation is appreciated.
Don't hesitate to contact me even just for questions or suggestions.
Yes! If you want we can create together a universal CTF toolbox repo with the useful tools of everyone.
Contributors will get added to the list
csarg
CySec-toolbox by csarg is licensed under CC BY-NC-SA 4.0
