Ponce – IDA Plugin For Symbolic Execution Just One-Click Away!

Ponce (pronounced [ ‘poN θe ] pon-they ) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.Why?Symbolic execution is not a new concept in the security community. It has been around for years but it is not until the last couple of years that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.InstallationPonce works with both x86 and x64 binaries in IDA 6.8 and IDA 6.9x. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.IDA 7.0.Ponce has initial support of IDA 7.0 for both x86 and x64 binaries in Windows. The plugin named Ponce64.dll should be copied from the latest_builds to the plugins\ folder in your IDA installation directory. Starting from version 7.0, IDA64 should be used to work with both x86 and x64 binaries.Don’t forget to register Ponce in plugins.cfg located in the same folder by adding the following line:Ponce Ponce Ctrl+Shift+Z 0 WINOS SupportPonce works on Windows, Linux and OSX natively!Use casesExploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don’t need to worry about setup timing. It’s ready to be used!The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won’t have to worry about the config window again.Use modesTainting engine: This engine is used to determine at every step of the binary’s execution which parts of memory and registers are controllable by the user input.Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary’s execution path.ExamplesUse symbolic execution to solve a crackMeHere we can see the use of the symbolic engine and how we can solve constrains:Passing simple aaaaa as argument.We first select the symbolic engine.We convert to symbolic the memory pointed by argv[1] (aaaaa)Identify the symbolic condition that make us win and solve it.Test the solution. The crackme source code can be found hereNegate and inject a conditionIn the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:We select the symbolic engine and set the option to symbolize argv.We identify the condition that needs to be satisfied to win the crackMe.We negate an inject the solution everytime a byte of our input is checked against the key.Finally we get the key elite that has been injected in memory and therefore reach the Win code. The crackme source code can be found hereUsing the tainting engine to track user controlled inputIn this example we can see the use of the tainting engine with cmake. We are:Passing a file as argument to cmake to have him parsing it.We select we want to use the tainting engineWe taint the buffer that “`fread()““ reads from the file.We resume the execution under the debugger control to see where the taint input is moved to.Ponce will rename the tainted functions. These are the functions that somehow the user has influence on, not the simply executed functions.Use Negate, Inject & RestoreIn the next example we are using the snapshot engine:Passing a file as argument.We select we want to use the symbolic engine.We taint the buffer that “`fread()““ reads from the file.We create a snapshot in the function that parses the buffer read from the file.When a condition is evaluated we negate it, inject the solution in memory and restore the snapshot with it.The solution will be “valid" so we will satisfy the existent conditions. The example source code can be found hereUsageIn this section we will list the different Ponce options as well as keyboard shortcuts:Access the configuration and taint/symbolic windows: Edit > Ponce > Show Config (Ctl+Shift+P and Ctl+Alt+T)Enable/Disable Ponce tracing (Ctl+Shift+E)Symbolize/taint a register (Ctl+Shift+R)Symbolize/taint memory. Can be done from the IDA View or the Hex View (Ctl+Shift+M)Solve formula (Ctl+Shift+S)Negate & Inject (Ctl+Shift+N)Negate, Inject & Restore Snaphot (Ctl+Shift+I)Create Execution Snapshot (Ctl+Shift+C)Restore Execution Snapshot (Ctl+Shift+S)Delete Execution Snapshot (Ctl+Shift+D)Execute Native (Ctl+Shift+F9)##Triton Ponce relies on the Triton framework to provide semantics, taint analysis and symbolic execution. Triton is an awesome Open Source project sponsored by Quarkslab and maintained mainly by Jonathan Salwan with a rich library. We would like to thank and endorse Jonathan’s work with Triton. You rock! :)BuildingWe provide compiled binaries for Ponce, but if you want to build your own plugin you can do so using Visual Studio 2013. We tried to make the building process as easy as possible:Clone the project with submodules: git clone –recursive https://github.com/illera88/PonceProject.gitOpen Build\PonceBuild\Ponce.sln: The project configuration is ready to use the includes and libraries shipped with the project that reside in external-libs\.The VS project has a Post-Build Event that will move the created binary plugin to the IDA plugin folder for you. copy /Y $(TargetPath) "C:\Program Files (x86)\IDA 6.9\plugins". NOTE: use your IDA installation path.The project has 4 build configurations:x86ReleaseStatic: will create the 32 bits version statically linking every third party library into a whole large plugin file.x86ReleaseZ3dyn: will create the 32 bits version statically linking every third party library but z3.lib.x64ReleaseStatic: will create the 64 bits version statically linking every third party library into a whole large plugin file.x64ReleaseZ3dyn: will create the 64 bits version statically linking every third party library but z3.lib.The static version of z3.lib is ~ 1.1Gb and the linking time is considerable. That’s the main reason why we have a building version that uses z3 dynamically (as a dll). If you are using z3 dynamically don’t forget to copy the libz3.dll file into the IDA’s directory.If you want to build Triton for linux or MacOsX check this file: https://github.com/illera88/Ponce/tree/master/builds/PonceBuild/nix/README.mdFAQWhy the name of Ponce?Juan Ponce de León (1474 – July 1521) was a Spanish explorer and conquistador. He discovered Florida in the United States. The IDA plugin will help you discover, explore and hopefully conquer the different paths in a binary.Can Ponce be used to analyze Windows, OS X and Linux binaries?Yes, you can natively use Ponce in IDA for Windows or remotely attach to a Linux or OS X box and use it. In the next Ponce version we will natively support Ponce for Linux and OS X IDA versions.How many instructions per second can handle Ponce?In our tests we reach to process 3000 instructions per second. We plan to use the PIN tracer IDA offers to increase the speed.Something is not working!Open an issue, we will solve it ASAP ;)I love your project! Can I collaborate?Sure! Please do pull requests and work in the opened issues. We will pay you in beers for help ;)LimitationsConcolic execution and Ponce have some problems:Symbolic memory load/write: When the index used to read a memory value is symbolic like in x = aray[symbolic_index] some problems arise that could lead on the loose of track of the tainted/symbolized user controled input.Triton doesn’t work very well with floating point instructions.AuthorsAlberto Garcia Illera (@algillera) alberto.garcia@salesforce.comFrancisco Oca (@francisco_oca) foca@salesforce.comDownload Ponce

Link: http://feedproxy.google.com/~r/PentestTools/~3/rD4UX2khHlQ/ponce-ida-plugin-for-symbolic-execution.html

PEDA – Python Exploit Development Assistance For GDB

PEDA – Python Exploit Development Assistance for GDBKey Features:Enhance the display of gdb: colorize and display disassembly codes, registers, memory information during debugging.Add commands to support debugging and exploit development (for a full list of commands use peda help):aslr — Show/set ASLR setting of GDBchecksec — Check for various security options of binarydumpargs — Display arguments passed to a function when stopped at a call instructiondumprop — Dump all ROP gadgets in specific memory rangeelfheader — Get headers information from debugged ELF fileelfsymbol — Get non-debugging symbol information from an ELF filelookup — Search for all addresses/references to addresses which belong to a memory rangepatch — Patch memory start at an address with string/hexstring/intpattern — Generate, search, or write a cyclic pattern to memoryprocinfo — Display various info from /proc/pid/pshow — Show various PEDA options and other settingspset — Set various PEDA options and other settingsreadelf — Get headers information from an ELF fileropgadget — Get common ROP gadgets of binary or libraryropsearch — Search for ROP gadgets in memorysearchmem|find — Search for a pattern in memory; support regex searchshellcode — Generate or download common shellcodes.skeleton — Generate python exploit code templatevmmap — Get virtual mapping address ranges of section(s) in debugged processxormem — XOR a memory region with a keyInstallationgit clone https://github.com/longld/peda.git ~/pedaecho “source ~/peda/peda.py" >> ~/.gdbinitecho "DONE! debug your program with gdb and enjoy"ScreenshotDownload Peda

Link: http://feedproxy.google.com/~r/PentestTools/~3/ewsDM7oK86w/peda-python-exploit-development.html

ROPGenerator – Tool That Helps You Building ROP Exploits By Finding And Chaining Gadgets Together

ROPGenerator is a tool that makes ROP exploits easy. It enables you to automatically find gadgets or build ROP chains. The current version supports x86 and x64 binaries.OverviewROPGenerator uses the tool ROPgadget (https://github.com/JonathanSalwan/ROPgadget) to extract gadgets from binaries and the barf-project (https://github.com/programa-stic/barf-project) to disassembly them. After gadgets are extracted, it analyzes them in order to compute their semantic and stores them according to their usefullness. Once the analysis is done, you can request ROPGenerator to automatically find gadgets or ROP chains by supplying semantic queries.ROPGenerator is written in python. The tool has python2-only dependencies so it runs under python2 so far.Please note that the current ROPGenerator version is still a beta under active development, therefore it might not work perfectly on some systems.Why using ROPGenerator ?Nice Command Line Interface : Enjoy a nice and smooth CLI with easy-to-use commandsSemantic gadget search : Find your gadgets quickly by only specifying the desired semanticsGadget chaining engine : No suitable single gadget ? ROPGenerator will build ROP chains for youFully automated exploit building : ROPGenerator can build entire exploits… all by itself !InstallationInstall ROPGeneratorYou can download the source and run$ python setup.py install$ ROPGeneratorInstall DependenciesROPGenerator depends on ROPgadget, prompt_toolkit, enum, python-magic, pwntools and barf v0.4.0:python-magic, enum, pwntools barf v0.4.0, and prompt_toolkit packages will be added automaticaly during installationROPgadget will also be installed automatically if you don’t have it already. However, the currently available package on pypi is not up-to-date. Therefore, it will be installed as “ROPgadget4ROPGenerator", a recent fork of ROPgadget.Getting startedROPGenerator is very easy to use ! For a quick starting guide, check ROPGenerator’s WikiScreenshotsGet helpLoad gadgets from a binaryEasily look for gadgets !Download ROPGenerator

Link: http://feedproxy.google.com/~r/PentestTools/~3/XTBQY7vfKCE/ropgenerator-tool-that-helps-you.html

ROPgadget – This Tool Lets You Search Your Gadgets On Your Binaries To Facilitate Your ROP Exploitation

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF/PE/Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since the version 5, ROPgadget has a new core which is written in Python using Capstone disassembly framework for the gadgets search engine – The older version can be found in the Archives directory but it will not be maintained.InstallIf you want to use ROPgadget, you have to install Capstone first.For the Capstone’s installation on nix machine:$ sudo pip install capstoneCapstone supports multi-platforms (windows, ios, android, cygwin…). For the cross-compilation, please refer to the https://github.com/aquynh/capstone/blob/master/COMPILE.TXT file.After Capstone is installed, ROPgadget can be used as a standalone tool:$ ROPgadget.pyOr installed into the Python site-packages library, and executed from $PATH.$ python setup.py install$ ROPgadgetOr installed from PyPi$ pip install ropgadget$ ROPgadgetUsageusage: ROPgadget.py [-h] [-v] [-c] [–binary ] [–opcode <opcodes>] [–string <string>] [–memstr <string>] [–depth <nbyte>] [–only <key>] [–filter <key>] [–range <start-end>] [–badbytes <byte>] [–rawArch <arch>] [–rawMode <mode>] [–re <re>] [–offset <hexaddr>] [–ropchain] [–thumb] [–console] [–norop] [–nojop] [–nosys] [–multibr] [–all] [–dump]optional arguments: -h, –help show this help message and exit -v, –version Display the ROPgadget’s version -c, –checkUpdate Checks if a new version is available –binary <binary> Specify a binary filename to analyze –opcode <opcodes> Search opcode in executable segment –string <string> Search string in readable segment –memstr <string> Search each byte in all readable segment –depth <nbyte> Depth for search engine (default 10) –only <key> Only show specific instructions –filter <key> Suppress specific instructions –range <start-end> Search between two addresses (0x…-0x…) –badbytes <byte> Rejects specific bytes in the gadget’s address –rawArch <arch> Specify an arch for a raw file –rawMode <mode> Specify a mode for a raw file –re <re> Regular expression –offset <hexaddr> Specify an offset for gadget addresses –ropchain Enable the ROP chain generation –thumb Use the thumb mode for the search engine (ARM only) –console Use an interactive console for search engine –norop Disable ROP search engine –nojop Disable JOP search engine –callPreceded Only show gadgets which are call-preceded (x86 only) –nosys Disable SYS search engine –multibr Enable multiple branch gadgets –all Disables the removal of duplicate gadgets –dump Outputs the gadget bytesScreenshotsDownload ROPgadget

Link: http://feedproxy.google.com/~r/PentestTools/~3/GLrMnvW88oo/ropgadget-this-tool-lets-you-search.html

Rp++ – Tool That Aims To Find ROP Sequences In PE/Elf/Mach-O X86/X64 Binaries

rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn’t support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I’m trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable.You can build very easily rp++ with CMake, it will generate a project file for your prefered IDE. There are some other things you will be able to do with rp++, like finding hexadecimal values, or strings, etc.Benchmark: Is it efficient ?Yeah, here are some benchmarks on Win7 x64, Intel i7 Q720 @ 1.6GHz, 4GB RAM:- Target: ntoskrnl.exe x64 version 6.1.7601.17790 D:\rp-win-x64.exe –file=ntoskrnl.exe –rop=8 > n ~80s for a total of 267356 gadgets found.- Target: chrome.exe x86 version 18.0.1025.168 D:\rp-win-x64.exe –file=chrome.exe –rop=8 > n ~13s for a total of 75459 gadgets found.- Target: cmd.exe x86 version v6.1.7600 D:\rp-win-x64.exe –file=cmd.exe –rop=8 > n ~15s for a total of 18818 gadgets found.- Target: bash x86 version 4.1.5.1 D:\rp-win-x64.exe –file=bash-x86 –rop=8 > n ~12s for a total of 45385 gadgets found.Screenshotsrp++ on Win7 x64 / Debian Squeeze x64 / FreeBSD x64 / Mac OSX Lion x64: How to use it ?USAGE:./rp++ [-hv] [-f ] [-i <1,2,3>] [-r <positive int>] [–raw=<archi>] [–atsyntax] [–unique] [–search-hexa=<\x90A\x90>] [–search-int=<int in hex>]OPTIONS: -f, –file=<binary path> give binary path -i, –info=<1,2,3> display information about the binary header -r, –rop=<positive int> find useful gadget for your future exploits, arg is the gadget maximum size in instructions –raw=<archi> find gadgets in a raw file, ‘archi’ must be in the following list: x86, x64 –atsyntax enable the at&t syntax –unique display only unique gadget –search-hexa=<\x90A\x90> try to find hex values –search-int=<int in hex> try to find a pointer on a specific integer value -h, –help print this help and exit -v, –version print version information and exitWhere I can download standalone binaries ?There are an x86 and an x64 versions for Windows (compiled with VS 2010 on Win7 x64), Linux (compiled with gcc 4.4.5 on Debian x64 6.0.1), FreeBSD (compiled with gcc 4.2.1 on FreeBSD 8.2) and Mac OSX (compiled with gcc 4.2.1 on OSX 10.7.3 ; not statically linked): https://github.com/0vercl0k/rp/downloadsHere are the sha1sums:a2e71e88a5c14c81ae184258184e5d83082f184d *rp-fbsd-x6429c2d5462865d28042bffe9e723d25c19f0da1f7 *rp-fbsd-x8657e23ef42954a08c9833099d87544e2166c58b94 *rp-lin-x64efcaf2a9584a23559e3e5b109eb37cbde89f8b29 *rp-lin-x865c612b3eff470b613ea06ebbbb882f0aaef8e3b4 *rp-osx-x642e32273b657b44d6b9a56e89ec2e2c2731713d87 *rp-osx-x86e5e6930eb469e92f79b59941330f23daf62800be *rp-win-x64.exef83d4d9f9e73a60a31e495e2fbd2404c560f1a27 *rp-win-x86.exeDownload Rp++

Link: http://feedproxy.google.com/~r/PentestTools/~3/IY0eObzZgyM/rp-tool-that-aims-to-find-rop-sequences.html

Ropper – You Can Use Ropper To Display Information About Files In Different File Formats And You Can Find Gadgets To Build Rop Chains For Different Architectures (X86/X86_64, ARM/ARM64, MIPS, PowerPC)

You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architectures (x86/X86_64, ARM/ARM64, MIPS/MIPS64, PowerPC). For disassembly ropper uses the awesome Capstone Framework.NOTE: I recommend to use the dev version of ropper, because bugfixes are earlier available in dev branch.InstallInstall Capstone with PyPi:$ sudo pip install capstoneInstall filebytes with PyPi:$ sudo pip install filebytesOptional (not needed to run ropper just to look for gadgets):Install Keystone:$ sudo pip install keystone-engineInstall and execute Ropper$ python setup.py install$ ropperYou can also install Ropper with pip$ pip install ropperIf you want, you can use Ropper without installation$ ./Ropper.pyIf you don’t want to install filebytes, filebytes is a submodule of the ropper repository. This means you don’t need to install filebytes and ropper.$ git clone https://github.com/sashs/ropper.git$ cd ropper$ git submodule init$ git submodule update$ ./Ropper.pyTHIS FEATURE IS STILL UNDER DEVELOPEMENT! Ropper has a semantic search command, which offers the possiblity to search for gadgets. Due to a dependency, this command only works with python2 on linux, but I am working on porting this dependency to python3. Since python3 is default on some systems, ropper2 can be used to execute ropper with python2.$ ropper2 –file –semantic “<any constraint>"The following optional dependencies are needed to use semantic search:Install pyvex$ sudo pip install pyvexInstall z3py$ python scripts/mk_make.py$ cd build$ make$ sudo make installCurrently Possible Constraintsreg == reg – assign register to anotherreg == number – assign number to registerreg == [reg] – assign memory to registerreg += number/reg/[reg]reg -= number/reg/[reg]reg *= number/reg/[reg]reg /= number/reg/[reg]Constraint Exampleeax==1 !ebx – set eax to 1 and look for gadgets which does not clobber ebxUsageusage: Ropper.py [-h] [-v] [–console] [-f <file>] [-r] [-a <arch>] [–section <section>] [–string [<string>]] [–hex] [–asm <asm> [H|S|R] [<asm> [H|S|R] …]] [–disasm <opcode>] [–disassemble-address <address:length>] [-i] [-e] [–imagebase] [-c] [-s] [-S] [–imports] [–symbols] [–set <option>] [–unset <option>] [-I <imagebase>] [-p] [-j <reg>] [–stack-pivot] [–inst-count <n bytes>] [–search <regex>] [–quality <quality>] [–opcode <opcode>] [–instructions <instructions>] [–type <type>] [–detailed] [–all] [–cfg-only] [–chain <generator>] [-b <badbytes>] [–nocolor] [–clear-cache]You can use ropper to display information about binary files in different file formats and you can search for gadgets to build rop chains for different architecturessupported filetypes: ELF PE Mach-O Rawsupported architectures: x86 [x86] x86_64 [x86_64] MIPS [MIPS, MIPS64] ARM/Thumb [ARM, ARMTHUMB] ARM64 [ARM64] PowerPC [PPC, PPC64]available rop chain generators: execve (execve[=<cmd>], default /bin/sh) [Linux x86, x86_64] mprotect (mprotect=<address>:<size>) [Linux x86, x86_64] virtualprotect (virtualprotect=<address iat vp>:<size>) [Windows x86]optional arguments: -h, –help show this help message and exit -v, –version Print version –console Starts interactive commandline -f <file>, –file <file> The file to load -r, –raw Loads the file as raw file -a <arch>, –arch <arch> The architecture of the loaded file –section <section> The data of the this section should be printed –string [<string>] Looks for the string <string> in all data sections –hex Prints the selected sections in a hex format –asm <asm> [H|S|R] [<asm> [H|S|R] …] A string to assemble and a format of the output (H=HEX, S=STRING, R=RAW, default: H) –disasm <opcode> Opcode to disassemble (e.g. ffe4, 89c8c3, …) –disassemble-address <address:length> Disassembles instruction at address <address> (0x12345678:L3). The count of instructions to disassemble can be specified (0x….:L…) -i, –info Shows file header [ELF/PE/Mach-O] -e Shows EntryPoint –imagebase Shows ImageBase [ELF/PE/Mach-O] -c, –dllcharacteristics Shows DllCharacteristics [PE] -s, –sections Shows file sections [ELF/PE/Mach-O] -S, –segments Shows file segments [ELF/Mach-O] –imports Shows imports [ELF/PE] –symbols Shows symbols [ELF] –set <option> Sets options. Available options: aslr nx –unset <option> Unsets options. Available options: aslr nx -I <imagebase> Uses this imagebase for gadgets -p, –ppr Searches for ‘pop reg; pop reg; ret’ instructions [only x86/x86_64] -j <reg>, –jmp <reg> Searches for ‘jmp reg’ instructions (-j reg[,reg…]) [only x86/x86_64] –stack-pivot Prints all stack pivot gadgets –inst-count <n bytes> Specifies the max count of instructions in a gadget (default: 6) –search <regex> Searches for gadgets –quality <quality> The quality for gadgets which are found by search (1 = best) –opcode <opcode> Searchs for opcodes (e.g. ffe4 or ffe? or ff??) –instructions <instructions> Searchs for instructions (e.g. "jmp esp", "pop eax; ret") –type <type> Sets the type of gadgets [rop, jop, sys, all] (default: all) –detailed Prints gadgets more detailed –all Does not remove duplicate gadgets –cfg-only Filters out gadgets which fail the Microsoft CFG check. Only for PE files which are compiled with CFG check enabled (check DllCharachteristics) [PE] –chain <generator> Generates a ropchain [generator parameter=value[ parameter=value]] -b <badbytes>, –badbytes <badbytes> Set bytes which should not contains in gadgets –nocolor Disables colored output –clear-cache Clears the cacheexample uses: [Generic] ./Ropper.py ./Ropper.py –file /bin/ls –console [Informations] ./Ropper.py –file /bin/ls –info ./Ropper.py –file /bin/ls –imports ./Ropper.py –file /bin/ls –sections ./Ropper.py –file /bin/ls –segments ./Ropper.py –file /bin/ls –set nx ./Ropper.py –file /bin/ls –unset nx ./Ropper.py –file /bin/ls –inst-count 5 ./Ropper.py –file /bin/ls –search "sub eax" –badbytes 000a0d ./Ropper.py –file /bin/ls –search "sub eax" –detail ./Ropper.py –file /bin/ls –filter "sub eax" ./Ropper.py –file /bin/ls –inst-count 5 –filter "sub eax" ./Ropper.py –file /bin/ls –opcode ffe4 ./Ropper.py –file /bin/ls –opcode ffe? ./Ropper.py –file /bin/ls –opcode ??e4 ./Ropper.py –file /bin/ls –detailed ./Ropper.py –file /bin/ls –ppr –nocolor ./Ropper.py –file /bin/ls –jmp esp,eax ./Ropper.py –file /bin/ls –type jop ./Ropper.py –file /bin/ls –chain execve ./Ropper.py –file /bin/ls –chain "execve cmd=/bin/sh" –badbytes 000a0d ./Ropper.py –file /bin/ls –chain "mprotect address=0xbfdff000 size=0x21000" ./Ropper.py –file /bin/ls /lib/libc.so.6 –console [Assemble/Disassemble] ./Ropper.py –asm "jmp esp" ./Ropper.py –asm "mov eax, ecx; ret" ./Ropper.py –disasm ffe4 [Search] ./Ropper.py –file /bin/ls –search <searchstring> ? any character % any string Example: ./Ropper.py –file /bin/ls –search "mov e?x" 0x000067f1: mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax 0x00006d03: mov eax, esi; pop ebx; pop esi; pop edi; pop ebp; ret ; 0x00006d6f: mov ebx, esi; mov esi, dword ptr [esp + 0x18]; add esp, 0x1c; ret ; 0x000076f8: mov eax, dword ptr [eax]; mov byte ptr [eax + edx], 0; add esp, 0x18; pop ebx; ret ; ./Ropper.py –file /bin/ls –search "mov [%], edx" 0x000067ed: mov dword ptr [esp + 4], edx; mov edx, dword ptr [ebp + 0x14]; mov dword ptr [esp], edx; call eax; 0x00006f4e: mov dword ptr [ecx + 0x14], edx; add esp, 0x2c; pop ebx; pop esi; pop edi; pop ebp; ret ; 0x000084b8: mov dword ptr [eax], edx; ret ; 0x00008d9b: mov dword ptr [eax], edx; add esp, 0x18; pop ebx; ret ; ./Ropper.py –file /bin/ls –search "mov [%], edx" –quality 1 0x000084b8: mov dword ptr [eax], edx; ret ;; ret ;Use ropper in Scripts#!/usr/bin/env pythonfrom ropper import RopperService# not all options need to be givenoptions = {‘color’ : False, # if gadgets are printed, use colored output: default: False ‘badbytes’: ’00’, # bad bytes which should not be in addresses or ropchains; default: ” ‘all’ : False, # Show all gadgets, this means to not remove double gadgets; default: False ‘inst_count’ : 6, # Number of instructions in a gadget; default: 6 ‘type’ : ‘all’, # rop, jop, sys, all; default: all ‘detailed’ : False} # if gadgets are printed, use detailed output; default: Falsers = RopperService(options)##### change options ######rs.options.color = Truers.options.badbytes = ’00’rs.options.badbytes = ”rs.options.all = True##### open binaries ####### it is possible to open multiple filesrs.addFile(‘test-binaries/ls-x86’)rs.addFile(‘ls’, bytes=open(‘test-binaries/ls-x86′,’rb’).read()) # other possiblityrs.addFile(‘ls_raw’, bytes=open(‘test-binaries/ls-x86′,’rb’).read(), raw=True, arch=’x86′)##### close binaries ######rs.removeFile(‘ls’)rs.removeFile(‘ls_raw’)# Set architecture of a binary, so it is possible to look for gadgets for a different architecture# It is useful for ARM if you want to look for ARM gadgets or Thumb gadgets# Or if you opened a raw filels = ‘test-binaries/ls-x86’rs.setArchitectureFor(name=ls, arch=’x86′)rs.setArchitectureFor(name=ls, arch=’x86_64′)rs.setArchitectureFor(name=ls, arch=’ARM’)rs.setArchitectureFor(name=ls, arch=’ARMTHUMB’)rs.setArchitectureFor(name=ls, arch=’ARM64′)rs.setArchitectureFor(name=ls, arch=’MIPS’)rs.setArchitectureFor(name=ls, arch=’MIPS64′)rs.setArchitectureFor(name=ls, arch=’PPC’)rs.setArchitectureFor(name=ls, arch=’PPC64′)rs.setArchitectureFor(name=ls, arch=’x86′)##### load gadgets ####### load gadgets for all opened filesrs.loadGadgetsFor() # load gadgets for only one opened filels = ‘test-binaries/ls-x86’rs.loadGadgetsFor(name=ls)# change gadget typers.options.type = ‘jop’rs.loadGadgetsFor() rs.options.type = ‘rop’rs.loadGadgetsFor() # change instruction countrs.options.inst_count = 10rs.loadGadgetsFor() ##### print gadgets #######rs.printGadgetsFor() # print all gadgetsrs.printGadgetsFor(name=ls)##### Get gadgets ######gadgets = rs.getFileFor(name=ls).gadgets##### search pop pop ret ######pprs = rs.searchPopPopRet(name=ls) # looks for ppr only in ‘test-binaries/ls-x86’pprs = rs.searchPopPopRet() # looks for ppr in all opened filesfor file, ppr in pprs.items(): for p in ppr: print p##### load jmp reg ######jmp_regs = rs.searchJmpReg(name=ls, regs=[‘esp’, ‘eax’]) # looks for jmp reg only in ‘test-binaries/ls-x86’jmp_regs = rs.searchJmpReg(regs=[‘esp’, ‘eax’])jmp_regs = rs.searchJmpReg() # looks for jmp esp in all opened filesfor file, jmp_reg in jmp_regs.items(): for j in jmp_reg: print j##### search opcode ######ls = ‘test-binaries/ls-x86’gadgets_dict = rs.searchOpcode(opcode=’ffe4′, name=ls)gadgets_dict = rs.searchOpcode(opcode=’ffe?’)gadgets_dict = rs.searchOpcode(opcode=’??e4′)for file, gadgets in gadgets_dict.items(): for g in gadgets: print g##### search instructions ######ls = ‘test-binaries/ls-x86’for file, gadget in rs.search(search=’mov e?x’, name=ls): print file, gadgetfor file, gadget in rs.search(search=’mov [e?x%]’): print file, gadget result_dict = rs.searchdict(search=’mov eax’)for file, gadgets in result_dict.items(): print file for gadget in gadgets: print gadget##### assemble instructions ######hex_string = rs.asm(‘jmp esp’)print ‘"jmp esp" assembled to hex string =’, hex_stringraw_bytes = rs.asm(‘jmp esp’, format=’raw’)print ‘"jmp esp" assembled to raw bytes =’, raw_bytesstring = rs.asm(‘jmp esp’, format=’string’)print ‘"jmp esp" assembled to string =’,stringarm_bytes = rs.asm(‘bx sp’, arch=’ARM’)print ‘"bx sp" assembled to hex string =’, arm_bytes##### disassemble bytes #######arm_instructions = rs.disasm(arm_bytes, arch=’ARM’)print arm_bytes, ‘disassembled to "%s"’ % arm_instructions# Change the imagebase, this also change the imagebase for all loaded gadgets of this binaryrs.setImageBaseFor(name=ls, imagebase=0x0)# reset image basers.setImageBaseFor(name=ls, imagebase=None)gadgets = rs.getFileFor(name=ls).gadgets# gadget addressprint hex(gadgets[0].address)# get instruction bytes of gadgetprint bytes(gadgets[0].bytes).encode(‘hex’)# remove all gadgets containing bad bytes in addressrs.options.badbytes = ‘000a0d’ # gadgets are filtered automaticallyProject pagehttp://scoding.de/ropperScreenshotsDownload Ropper

Link: http://feedproxy.google.com/~r/PentestTools/~3/TIPVwZVtIOQ/ropper-you-can-use-ropper-to-display.html

BARF – A multiplatform open source Binary Analysis and Reverse engineering Framework

The analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. BARF is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated. The BARF project includes BARF and related tools and packages. So far the project is composed of the following items: BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework PyAsmJIT : A JIT for the Intel x86_64 and ARM architecture. Tools built upon BARF : BARFgadgets : Lets you search , classifiy and verify ROP gadgets inside a binary program. BARFcfg : Lets you recover the control-flow graph of the functions of a binary program. BARFcg : Lets you recover the call graph of the functions of a binary program. For more information, see: BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework (Whitepaper) [ en ] BARFing Gadgets (ekoparty2014 presentation) [ es ] Current status: Latest Release v0.3 URL https://github.com/programa-stic/barf-project/releases/tag/v0.3 Change Log https://github.com/programa-stic/barf-project/blob/v0.3/CHANGELOG.md All packages were tested on Ubuntu 16.04 (x86_64). BARF BARF is a Python package for binary analysis and reverse engineering. It can: Load binary programs in different formats ( ELF , PE , etc), It supports the Intel x86 architecture for 32 and 64 bits, It supports the ARM architecture for 32 bits, It operates on an intermediate language ( REIL ) thus all analysis algorithm are architecture-agnostic, It has integration with Z3 and CVC4 SMT solvers which means that you can express fragments of code as formulae and check restrictions on them. It is currently under development . Installation BARF depends on the following SMT solvers: Z3 : A high-performance theorem prover being developed at Microsoft Research. CVC4 : An efficient open-source automatic theorem prover for satisfiability modulo theories (SMT) problems. The following command installs BARF on your system: $ sudo python setup.py installYou can also install it locally: $ sudo python setup.py install –user Notes Only one SMT solver is needed in order to work. You may choose between Z3 and CVC4 or install both. You can use the barf-install-solver.sh script which downloads and install both solver. To run some tests you need to install PyAsmJIT first. Quickstart This is a very simple example which shows how to open a binary file and print each instruction with its translation to the intermediate language ( REIL ). from barf import BARF# Open binary file.barf = BARF(“examples/bin/x86/branch1")# Print assembly instruction.for addr, asm_instr, reil_instrs in barf.translate(): print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr)) # Print REIL translation. for reil_instr in reil_instrs: print("{indent:11s} {instr}".format(indent="", instr=reil_instr))We can also recover the CFG and save it to a .dot file. # Recover CFG.cfg = barf.recover_cfg()# Save CFG to a .dot file.cfg.save("branch1_cfg")We can check restrictions on code using a SMT solver. For instance, suppose you have the following code: 80483ed: 55 push ebp 80483ee: 89 e5 mov ebp,esp 80483f0: 83 ec 10 sub esp,0x10 80483f3: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 80483f6: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] 80483f9: 01 d0 add eax,edx 80483fb: 83 c0 05 add eax,0x5 80483fe: 89 45 fc mov DWORD PTR [ebp-0x4],eax 8048401: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 8048404: c9 leave 8048405: c3 retAnd you want to know what values you have to assign to memory locations ebp-0x4 , ebp-0x8 and ebp-0xc in order to obtain a specific value in eax register after executing the code. First, we add the instructions to the analyzer component. from barf import BARF# Open ELF filebarf = BARF("examples/bin/x86/constraint1")# Add instructions to analyze.for addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401): for reil_instr in reil_instrs: barf.code_analyzer.add_instruction(reil_instr)Then, we generate expressions for each variable of interest # Get smt expression for eax and ebp registerseap = barf.code_analyzer.get_register_expr("eax")ebp = barf.code_analyzer.get_register_expr("ebp")# Get smt expressions for memory locations (each one of 4 bytes)a = barf.code_analyzer.get_memory_expr(ebp-0x8, 4)b = barf.code_analyzer.get_memory_expr(ebp-0xc, 4)c = barf.code_analyzer.get_memory_expr(ebp-0x4, 4)And add the desired restrictions on them. # Set range for variablesbarf.code_analyzer.set_preconditions([a >= 2, a <= 100])barf.code_analyzer.set_preconditions([b >= 2, b <= 100])# Set desired value for the resultbarf.code_analyzer.set_postcondition(c == 13)Finally, we check is the restrictions we establish can be resolved. # Check satisfiability.if barf.code_analyzer.check() == ‘sat’: print("SAT!") # Get concrete value for expressions. eax_val = barf.code_analyzer.get_expr_value(eax) a_val = barf.code_analyzer.get_expr_value(a) b_val = barf.code_analyzer.get_expr_value(b) c_val = barf.code_analyzer.get_expr_value(c) # Print values. print("eax : 0x{0:%08x} ({0})".format(eax_val)) print("ebp : 0x{0:%08x} ({0})".format(ebp_val)) print(" a : 0x{0:%08x} ({0})".format(a_val)) print(" b : 0x{0:%08x} ({0})".format(b_val)) print(" c : 0x{0:%08x} ({0})".format(c_val))else: print("UNSAT!")You can see these and more examples in the examples directory. Overview The framework is divided in three main components: core , arch and analysis . Core This component contains essential modules: REIL : Provides definitions for the REIL language. It, also, implements an emulator and a parser . SMT : Provides means to interface with Z3 SMT solver. Also, it provides functionality to translate REIL instructions to SMT expressions. BI : The Binary Interface module is responsible for loading binary files for processing (it uses [PEFile] and [PyELFTools].) Arch Each supported architecture is provided as a subcomponent which contains the following modules. Architecture : Describes the architecture, i.e., registers, memory address size. Translator : Provides translators to REIL for each supported instruction. Disassembler : Provides disassembling functionalities (it uses Capstone.) Parser : Transforms instruction in string to object form (provided by the Instruction module.) Analysis So far this component consists of two modules: Control-Flow Graph , Call Graph and Code Analyzer . The first two, provides functionality for CFG and CG recovery, respectively. The latter, its a high-level interface to the SMT-solver-related functionalities. Directory Structure barf/ Framework’s main directory.doc/ Documentation.examples/ Basic example scripts that show various functionalities.scripts/ Installation scripts.tests/ BARF package tests.tools/ Tools build upon BARF. Notes SMT solver interfacing is provided by the file core/smt/smtlibv2.py taken from PySymEmu . Tools BARFgadgets BARFgadgets is a Python script built upon BARF that lets you search , classifiy and verify ROP gadgets inside a binary program. The search stage finds all ret -, jmp – and call -ended gadgets inside the binary. The classification stage classifies previously found gadgets according to the following types: No-Operation, Move Register, Load Constant, Arithmetic/Logical Operation, Load Memory, Store Memory, Arithmetic/Logical Load, Arithmetic/Logical Store and Undefined. This is done through instruction emulation. Finally, the verification stage consists of using a SMT solver to verify the semantic assigned to each gadget in the second stage. usage: BARFgadgets [-h] [–version] [–bdepth BDEPTH] [–idepth IDEPTH] [-u] [-c] [-v] [-o OUTPUT] [-t] [–sort {addr,depth}] [–color] [–show-binary] [–show-classification] filenameTool for finding, classifying and verifying ROP gadgets.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit –version Display version. –bdepth BDEPTH Gadget depth in number of bytes. –idepth IDEPTH Gadget depth in number of instructions. -u, –unique Remove duplicate gadgets (in all steps). -c, –classify Run gadgets classification. -v, –verify Run gadgets verification (includes classification). -o OUTPUT, –output OUTPUT Save output to file. -t, –time Print time of each processing step. –sort {addr,depth} Sort gadgets by address or depth (number of instructions) in ascending order. –color Format gadgets with ANSI color sequences, for output in a 256-color terminal or console. –show-binary Show binary code for each gadget. –show-classification Show classification for each gadget.For more information, see README . BARFcfg BARFcfg is a Python script built upon BARF that lets you recover the control-flow graph of a binary program. usage: BARFcfg [-h] [-s SYMBOL_FILE] [-a] [-o RECOVER_ONE] [-f {graph,text}] [-t] [-d OUTPUT_DIR] [-b] [-r] filenameTool for recovering CFG of a binary.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit -s SYMBOL_FILE, –symbol-file SYMBOL_FILE Load symbols from file. -a, –recover-all Recover all functions. -o RECOVER_ONE, –recover-one RECOVER_ONE Recover specified function. -f {graph,text}, –format {graph,text} Output format. -t, –time Print process time. -d OUTPUT_DIR, –output-dir OUTPUT_DIR Ouput directory. -b, –brief Brief output. -r, –show-reil Show REIL translation.For more information, see README . BARFcg BARFcg is a Python script built upon BARF that lets you recover the call graph of a binary program. usage: BARFcg [-h] [-s SYMBOL_FILE] [-a] [-t] filenameTool for recovering CG of a binary.positional arguments: filename Binary file name.optional arguments: -h, –help show this help message and exit -s SYMBOL_FILE, –symbol-file SYMBOL_FILE Load symbols from file. -a, –recover-all Recover all functions. -t, –time Print process time.For more information, see README . PyAsmJIT PyAsmJIT is a Python package for x86_64/ARM assembly code generation and execution. This package was developed in order to test BARF instruction translation from x86_64/ARM to REIL. The main idea is to be able to run fragments of code natively. Then, the same fragment is translated to REIL and executed in a REIL VM. Finally, both final contexts (the one obtained through native execution and the one from emulation) are compare for differences. For more information, see PyAsmJit . Download BARF

Link: http://feedproxy.google.com/~r/PentestTools/~3/sy2otH3qVr8/barf-multiplatform-open-source-binary.html