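# -*- coding: utf-8 -*-
"""
 /$$$$$$$$ /$$$$$$$  /$$$$$$$$ /$$$$$$
| $$_____/| $$__  $$|__  $$__//$$__  $$
| $$      | $$  \ $$   | $$  | $$  \__/
| $$$$$   | $$$$$$$/   | $$  |  $$$$$$
| $$__/   | $$__  $$   | $$   \____  $$
| $$      | $$  \ $$   | $$   /$$  \ $$
| $$$$$$$$| $$  | $$   | $$  |  $$$$$$/
|________/|__/  |__/   |__/   \______/

Copyright (C) 2010-2015 HackSys Team

This file is part of Exploit Reliability Testing System.

Exploit Reliability Testing System is used to test reliability of hitting
EIP=0x41414141. This system is aimed at finding how much an exploit is
reliable.

See the file 'LICENSE' for copying permission.

Author : Ashfaq Ansari
Contact: ashfaq_ansari1989[at]hotmail.com
Website: http://hacksys.vfreaks.com
"""
from __future__ import print_function

__author__ = 'Ashfaq Ansari'
__version__ = '1.0'

import os
import sys
import subprocess
import threading


class ExploitReliabilityTestingSystem(object):
    """
    Heart of the Exploit Reliability Testing System.

    Each ``run`` launches ``cdb.exe`` around the target program with a file
    (or URL) argument. The ``-c`` debugger script opens ``log`` and dumps the
    registers (``r``) at the first debugger prompt, then quits.
    ``is_crash_reliable`` afterwards looks for the expected ``eip=`` value in
    that log.

    NOTE(review): the ``-c`` switch executes arbitrary debugger commands, so
    every piece of the command line that is not fully under the operator's
    control (``file_path``, ``program``) is quoted before it is handed to cdb;
    a stray ``"`` or space in those values must not become an extra switch.
    """

    def __init__(self, cdb, log, program, args=''):
        """
        Constructor for ERTS.

        :param cdb: cdb.exe path (must exist)
        :param log: log file path; its directory is created when missing
        :param program: program to launch under cdb (must exist)
        :param args: extra program arguments, either a raw string that is
                     appended verbatim (caller quotes it) or a list/tuple
                     whose elements are quoted individually
        :raises AttributeError: when cdb or program does not exist, or the
                                log directory cannot be created
        """
        # every check is independent: the original elif chain skipped the
        # PROGRAM check whenever the log file did not exist yet
        if not os.path.exists(cdb):
            raise AttributeError('Please validate CDB path')

        # only the directory has to exist; the log itself is written by cdb
        log_dir = os.path.dirname(os.path.abspath(log))
        if not os.path.isdir(log_dir):
            try:
                os.makedirs(log_dir)
            except OSError:
                raise AttributeError('Please validate LOG path')

        if not os.path.exists(program):
            raise AttributeError('Please validate PROGRAM path')

        self.cdb = cdb
        self.log = log
        self.program = program
        self.args = args
        self.process = None

    def _command_line(self, file_path):
        """
        Build the cdb command line for one run as a single string.

        :param file_path: file path / URL handed to the target program
        :return: command line string for ``subprocess.Popen``

        ``subprocess.list2cmdline`` applies the Windows argv quoting rules,
        so paths containing spaces or quotes stay one argument each.
        NOTE(review): the log path inside ``.logopen`` is passed as-is, like
        the original did; a log path containing spaces is not supported
        there -- confirm whether cdb accepts a quoted name before changing it.
        """
        debugger_script = '.logopen {0};r;.logclose;q'.format(self.log)
        fixed = [self.cdb, '-g', '-G', '-o', '-c', debugger_script,
                 self.program]
        command = subprocess.list2cmdline(fixed)

        if isinstance(self.args, (list, tuple)):
            if self.args:
                command += ' ' + subprocess.list2cmdline(list(self.args))
        elif self.args:
            # raw string: appended verbatim for backward compatibility
            command += ' ' + self.args

        return command + ' ' + subprocess.list2cmdline([file_path])

    def _launch_process(self, file_path):
        """
        Thread body: start cdb and block until it exits.

        :param file_path: file path / URL handed to the target program
        """
        self.process = subprocess.Popen(self._command_line(file_path),
                                        stdin=subprocess.PIPE,
                                        stdout=subprocess.PIPE,
                                        stderr=subprocess.PIPE)
        # drain the pipes so cdb cannot block on a full stdout/stderr
        self.process.communicate()

    def run(self, file_path, timeout=60):
        """
        Run the target under cdb once, killing it after ``timeout`` seconds.

        :param file_path: file path / URL to open
        :param timeout: timeout in seconds (int or float)
        :raises AttributeError: when file_path is None or timeout is not a
                                number
        """
        if file_path is None:
            raise AttributeError('Please validate program FILEPATH')
        # the original test (`timeout is None and type(timeout) == str`)
        # could never be true, so a string timeout reached Thread.join()
        if timeout is None or not isinstance(timeout, (int, float)):
            raise AttributeError('Please validate TIMEOUT')

        # a log left behind by an earlier run would be counted again by
        # is_crash_reliable even when this run never crashed
        if os.path.exists(self.log):
            os.remove(self.log)
        self.process = None

        worker = threading.Thread(target=self._launch_process,
                                  args=(file_path,))
        worker.start()
        worker.join(timeout=timeout)

        if worker.is_alive():
            # still running after the timeout: treat as "did not crash"
            # NOTE(review): this terminates cdb; whether the debuggee dies
            # with it is left to the debugger -- confirm on the test box
            if self.process is not None:
                self.process.terminate()
            worker.join()

    def is_crash_reliable(self, eip):
        """
        Check whether the last run crashed with the expected EIP.

        :param eip: EIP register value as a hex string (e.g. '41414141')
        :return: True when ``eip=<value>`` appears in the log, False when it
                 does not or when no log was produced (no crash)
        :raises AttributeError: when eip is not a string
        """
        if not isinstance(eip, str):
            raise AttributeError('Please validate EIP')

        # cdb only opens the log once it reaches a debugger prompt, so a
        # clean exit / timed-out run leaves no file at all
        if not os.path.exists(self.log):
            return False

        with open(self.log) as handle:
            dump = handle.read()

        # register dumps are lower-case hex; normalise both sides
        return 'eip={0}'.format(eip.lower()) in dump.lower()


if __name__ == "__main__":
    # constants
    HEADER = '''
 /$$$$$$$$ /$$$$$$$  /$$$$$$$$ /$$$$$$
| $$_____/| $$__  $$|__  $$__//$$__  $$
| $$      | $$  \ $$   | $$  | $$  \__/
| $$$$$   | $$$$$$$/   | $$  |  $$$$$$
| $$__/   | $$__  $$   | $$   \____  $$
| $$      | $$  \ $$   | $$   /$$  \ $$
| $$$$$$$$| $$  | $$   | $$  |  $$$$$$/
|________/|__/  |__/   |__/   \______/

Exploit Reliability System
Version: {0}
'''.format(__version__)

    # fine tune these values
    MAX_RUN = 10
    TIMEOUT = 60
    EIP = '41414141'
    FILE_PATH = 'http://localhost:8000/exploit.html'
    CDB_PATH = 'C:\\Program Files\\Debugging Tools for Windows (x86)\\cdb.exe'
    PROGRAM_PATH = 'C:\\Program Files\\Internet Explorer\\iexplore.exe'
    PROGRAM_ARGS = ''
    LOG_PATH = 'C:\\Logs\\' + os.path.basename(PROGRAM_PATH) + '.log'

    reliable_crash_count = 0
    reliability = 0

    # print target details
    print(HEADER)
    print('Target EIP: {0}'.format(EIP))
    print('Target Application: {0}\n'.format(os.path.basename(PROGRAM_PATH)))

    erts = ExploitReliabilityTestingSystem(cdb=CDB_PATH,
                                           log=LOG_PATH,
                                           program=PROGRAM_PATH,
                                           args=PROGRAM_ARGS)

    # run the application MAX_RUN times and count the reliable crashes
    for i in range(MAX_RUN):
        erts.run(file_path=FILE_PATH, timeout=TIMEOUT)

        if erts.is_crash_reliable(eip=EIP):
            reliable_crash_count += 1

        # integer percentage, as the original Python 2 division produced
        reliability = (reliable_crash_count * 100) // MAX_RUN

        sys.stdout.write("\r[{0}] Live Reliability Rating: {1}%".format(
            i + 1, reliability))
        sys.stdout.flush()

    # clean up only what this script produced: the original rmtree() wiped
    # the whole log directory, including anything else stored there
    if os.path.exists(LOG_PATH):
        os.remove(LOG_PATH)
    try:
        os.rmdir(os.path.dirname(LOG_PATH))  # succeeds only when empty
    except OSError:
        pass

    print('\n')
    print('Exploit Reliability Rating: {0}%'.format(reliability))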