
-An Exploit Dev Swiss Army Knife.

#Installation Copy lisa.py and .lldbinit to ~/ Use the following commands:

ant4g0nist$ cp lisa.py ~/lisa.py

ant4g0nist$ cp lldbinit ~/.lldbinit

ant4g0nist$ lldb
    lllllll   iiii
    l:::::l  i::::i
    l:::::l   iiii
    l::::l iiiiiii     ssssssssss     aaaaaaaaaaaaa
    l::::l i:::::i   ss::::::::::s    a::::::::::::a
    l::::l  i::::i ss:::::::::::::s   aaaaaaaaa:::::a
    l::::l  i::::i s::::::ssss:::::s           a::::a
    l::::l  i::::i  s:::::s  ssssss     aaaaaaa:::::a
    l::::l  i::::i    s::::::s        aa::::::::::::a
    l::::l  i::::i       s::::::s    a::::aaaa::::::a
    l::::l  i::::i ssssss   s:::::s a::::a    a:::::a
    l::::::li::::::is:::::ssss::::::sa::::a    a:::::a
    l::::::li::::::is::::::::::::::s a:::::aaaa::::::a
    l::::::li::::::i s:::::::::::ss   a::::::::::aa:::a
    lllllllliiiiiiii  sssssssssss      aaaaaaaaaa  aaaa
	-An Exploit Dev Swiss Army Knife. Version: v-ni

(lisa)target create tests/binaries/abort
(lisa)process launch -s
Process 1660 stopped
* thread #1: tid = 0x10801, 0x00007fff5fc01000 dyld`_dyld_start, stop reason = signal SIGSTOP
    frame #0: 0x00007fff5fc01000 dyld`_dyld_start
->  0x7fff5fc01000 <+0>: pop    rdi
    0x7fff5fc01001 <+1>: push   0x0
    0x7fff5fc01003 <+3>: mov    rbp, rsp
    0x7fff5fc01006 <+6>: and    rsp, -0x10
Process 1660 launched: '/Users/v0id/Documents/Research/lisa.py/tests/binaries/abort' (x86_64)

#Commands Available:

**exploitable** : checks if the crash is exploitable
	<!-- run this when the process stops cause of an exception -->


**shellcode**: Searches shell-storm for shellcode

	Syntax:   shellcode <option> <arg>

	Options:  -search <keyword>
	          -display <shellcode id>
	          -save <shellcode id>
	(lisa)shellcode -search osx
	Connecting to shell-storm.org...
	Found 17 shellcodes
	ScId	Size Title
	[312]	300  Osx/ppc - Bind Shell PORT TCP/8000 - encoder OSXPPCLongXOR - 300 bytes
	[127]	222  Osx/ppc - add inetd backdoor - 222 bytes
	[128]	219  Osx/ppc - Add user r00t - 219 bytes
	[761]	131  Osx/x86-64 - reverse tcp shellcode - 131 bytes
	[126]	122  Osx/ppc - create /tmp/suid - 122 bytes
	[129]	72   Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes
	[736]	51   Osx/x86-64 - setuid shell x86_64 - 51 bytes
	[130]	32   Osx/ppc - sync(), reboot() - 32 bytes
	[692]	24   Osx/x86 - execve(/bin/sh) - 24 byte
	[121]	n/a  Osx/ppc - remote findsock by recv() key shellcode
	[122]	n/a  Osx/ppc - Single Reverse TCP
	[123]	n/a  Osx/ppc - stager sock find peek
	[124]	n/a  Osx/ppc - stager sock find
	[125]	n/a  Osx/ppc - stager sock reverse
	[120]	n/a  Osx/ppc - shellcode execve(/bin/sh)
	[777]	n/a  Osx/x86-64 - universal ROP shellcode
	[786]	n/a  Osx/x86-64 - universal OSX dyld ROP shellcode	

**extract**: Extract a given architecture from a Universal binary

	Syntax: extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib
	(lisa)extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib

**pattern_create**: Creates a cyclic pattern of given length

	(lisa)pattern_create 100

**pattern_offset**: Finds the offset of a given pattern in cyclic pattern of n length

	(lisa)pattern_offset 100 Ad2A
	offsets: [96]

**ct**: Prints the context of execution

	[*] Disassembly :

	->  0x7fff8f6a4f06 <+10>: jae    0x7fff8f6a4f10            ; <+20>
	    0x7fff8f6a4f08 <+12>: mov    rdi, rax

	[*] Stack :

	0x7fff5fbff788: 0x8d36b4ec 0x00007fff 0x00000000 0x00000000
	0x7fff5fbff798: 0x5fbff7d0 0x00000307 0x5fbff7d0 0x00007fff
	0x7fff5fbff7a8: 0x00000000 0x00000000

	[*] Registers	:
	       rax = 0x0000000000000000
	       rbx = 0x0000000000000006
	       rcx = 0x00007fff5fbff788
	       rdx = 0x0000000000000000
	       rdi = 0x0000000000000307
	       rsi = 0x0000000000000006
	       rbp = 0x00007fff5fbff7b0
	       rsp = 0x00007fff5fbff788
	        r8 = 0x0000000000000000
	        r9 = 0x00007fff782e90c8  atexit_mutex + 24
	       r10 = 0x0000000008000000
	       r11 = 0x0000000000000206
	       r12 = 0x0000000000000000
	       r13 = 0x0000000000000000
	       r14 = 0x00007fff76fb8000  libsystem_pthread.dylib`_thread
	       r15 = 0x0000000000000000
	       rip = 0x00007fff8f6a4f06  libsystem_kernel.dylib`__pthread_kill + 10
	    rflags = 0x0000000000000206
	        cs = 0x0000000000000007
	        fs = 0x0000000000000000
	        gs = 0x0000000000000000

	[*] Jumping to	:0x7fff8f6a4f10

**s**: thread step-in

	[*] Disassembly :

	->  0x7fff5fc0102d <+45>: lea    r9, [rbp - 0x8]
	    0x7fff5fc01031 <+49>: call   0x7fff5fc01076            ; dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*)

	[*] Stack :

	0x7fff5fbff800: 0x00000000 0x00000000 0x00000000 0x00000000
	0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
	0x7fff5fbff820: 0x5fbff9f8 0x00007fff

	[*] Registers	:
	       rax = 0x0000000000000000
	       rbx = 0x0000000000000000
	       rcx = 0x0000000000000000
	       rdx = 0x00007fff5fbff820
	       rdi = 0x0000000100000000
	       rsi = 0x0000000000000001
	       rbp = 0x00007fff5fbff810
	       rsp = 0x00007fff5fbff800
	        r8 = 0x00007fff5fc00000  
	        r9 = 0x0000000000000000
	       r10 = 0x0000000000000000
	       r11 = 0x0000000000000000
	       r12 = 0x0000000000000000
	       r13 = 0x0000000000000000
	       r14 = 0x0000000000000000
	       r15 = 0x0000000000000000
	       rip = 0x00007fff5fc0102d  dyld`_dyld_start + 45
	    rflags = 0x0000000000000246
	        cs = 0x000000000000002b
	        fs = 0x0000000000000000
	        gs = 0x0000000000000000

**si**: thread step-into

	[*] Disassembly :

	->  0x7fff5fc01031 <+49>: call   0x7fff5fc01076            ; dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*)
	    0x7fff5fc01036 <+54>: mov    rdi, qword ptr [rbp - 0x8]

	[*] Stack :

	0x7fff5fbff800: 0x00000000 0x00000000 0x00000000 0x00000000
	0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
	0x7fff5fbff820: 0x5fbff9f8 0x00007fff

	[*] Registers	:
	       rax = 0x0000000000000000
	       rbx = 0x0000000000000000
	       rcx = 0x0000000000000000
	       rdx = 0x00007fff5fbff820
	       rdi = 0x0000000100000000
	       rsi = 0x0000000000000001
	       rbp = 0x00007fff5fbff810
	       rsp = 0x00007fff5fbff800
	        r8 = 0x00007fff5fc00000  
	        r9 = 0x00007fff5fbff808
	       r10 = 0x0000000000000000
	       r11 = 0x0000000000000000
	       r12 = 0x0000000000000000
	       r13 = 0x0000000000000000
	       r14 = 0x0000000000000000
	       r15 = 0x0000000000000000
	       rip = 0x00007fff5fc01031  dyld`_dyld_start + 49
	    rflags = 0x0000000000000246
	        cs = 0x000000000000002b
	        fs = 0x0000000000000000
	        gs = 0x0000000000000000

**so**: thread step-over
	[*] Disassembly :

	->  0x7fff5fc01036 <+54>: mov    rdi, qword ptr [rbp - 0x8]
	    0x7fff5fc0103a <+58>: cmp    rdi, 0x0

	[*] Stack :

	0x7fff5fbff800: 0x00000000 0x00000000 0x8e8765ad 0x00007fff
	0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
	0x7fff5fbff820: 0x5fbff9f8 0x00007fff

	[*] Registers	:
	       rax = 0x0000000100000f80  abort`main
	       rbx = 0x0000000000000000
	       rcx = 0x00007fff8e8765ad  libdyld.dylib`start + 1
	       rdx = 0x00007fff5fbff808
	       rdi = 0x00007fff5fc406a8  dyld`initialPoolContent + 2264
	       rsi = 0x0000000000000001
	       rbp = 0x00007fff5fbff810
	       rsp = 0x00007fff5fbff800
	        r8 = 0x00000000fffffffc
	        r9 = 0x00007fff782e90c8  atexit_mutex + 24
	       r10 = 0x00000000ffffffff
	       r11 = 0xffffffff00000000
	       r12 = 0x0000000000000000
	       r13 = 0x0000000000000000
	       r14 = 0x0000000000000000
	       r15 = 0x0000000000000000
	       rip = 0x00007fff5fc01036  dyld`_dyld_start + 54
	    rflags = 0x0000000000000202
	        cs = 0x000000000000002b
	        fs = 0x0000000000000000
	        gs = 0x0000000000000000

**sf**: thread step-in 'n' number of times

	(lisa)sf 4
	[*] Disassembly :

	->  0x7fff5fc0100a <+10>: sub    rsp, 0x10
	    0x7fff5fc0100e <+14>: mov    esi, dword ptr [rbp + 0x8]

	[*] Stack :

	0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
	0x7fff5fbff820: 0x5fbff9f8 0x00007fff 0x00000000 0x00000000
	0x7fff5fbff830: 0x5fbffa34 0x00007fff

	[*] Registers	:
	       rax = 0x0000000000000000
	       rbx = 0x0000000000000000
	       rcx = 0x0000000000000000
	       rdx = 0x0000000000000000
	       rdi = 0x0000000100000000
	       rsi = 0x0000000000000000
	       rbp = 0x00007fff5fbff810
	       rsp = 0x00007fff5fbff810
	        r8 = 0x0000000000000000
	        r9 = 0x0000000000000000
	       r10 = 0x0000000000000000
	       r11 = 0x0000000000000000
	       r12 = 0x0000000000000000
	       r13 = 0x0000000000000000
	       r14 = 0x0000000000000000
	       r15 = 0x0000000000000000
	       rip = 0x00007fff5fc0100a  dyld`_dyld_start + 10
	    rflags = 0x0000000000000202
	        cs = 0x000000000000002b
	        fs = 0x0000000000000000
	        gs = 0x0000000000000000

**dump**: Dump's Memory of the process in a given address range

	Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000
	(lisa)dump memorydump.bin 0x00007fff8e8765ad 0x00007fff8e8765ad+100
	100 bytes written to 'memorydump.bin'

	  rop(ROPgadget) lets you search your gadgets on a binary. It supports several 
	  file formats and architectures and uses the Capstone disassembler for
	  the search engine.

		formats supported: 
		  - ELF
		  - PE
		  - Mach-O
		  - Raw

		architectures supported:
		  - x86
		  - x86-64
		  - ARM
		  - ARM64
		  - MIPS
		  - PowerPC
		  - Sparc
		  rop --binary ./test-suite-binaries/elf-Linux-x86 
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --ropchain
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --depth 3
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --string "main"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --console
		  rop --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|7f|42"
		  rop --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000
		  rop --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5
		  rop --binary ./test-suite-binaries/elf-ARM64-bash --depth 5
		  rop --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32		

(As of now, commiting exploitable command. Have to test the remaining code.)

You can test lisa.py against CrashWranglers's test cases

- Mona.py : https://github.com/corelan/mona

- Crashwrangler : https://developer.apple.com/library/mac/technotes/tn2334/_index.html

- Metasploit : https://github.com/rapid7/metasploit-framework

- PEDA :	https://github.com/longld/peda

- Phillips : https://www.phillips321.co.uk/2013/04/02/recreating-pattern_create-rb-in-python/

- Jonathan Salwan : http://shell-storm.org/shellcode/

- Capstone : http://www.capstone-engine.org

TODO: add support for macho in ropmaker