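#! /usr/bin/env python3
"""Position independent code (PIC) mutation experiment - loader skeleton.

The module embeds one small PIC image (``whoami_shell``), copies it into an
anonymous read/write/execute mapping with ``shell_function`` and, from
``example``, calls it as native code inside this process.  Nothing in this
file invokes ``example()``; there is no ``if __name__ == "__main__"`` guard.
"""
from argparse import ArgumentParser
import binascii
import ctypes
from datetime import datetime, timezone
import logging
import mmap
from pathlib import Path
from random import randint
import subprocess

# Embedded PIC image.  The bytes contain the NUL-terminated strings
# "/bin/sh", "-c" and "/usr/bin/whoami", load 0x3b into rax (execve on
# x86-64 Linux) and end in `syscall` (0f 05), so it appears to run
# `/bin/sh -c /usr/bin/whoami`.  It is only valid for x86-64 Linux.
whoami_shell = b"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x10\x00\x00\x00\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x77\x68\x6f\x61\x6d\x69\x00\x56\x57\x48\x89\xe6\x0f\x05"


def shell_function(shellcode: bytes):
    """Copy *shellcode* into anonymous RWX memory and return it as a callable.

    Args:
        shellcode: raw machine code for this CPU/OS.  The bytes are not
            validated in any way; whatever is passed in runs with the full
            privileges of this process once the result is called.

    Returns:
        A ``ctypes.CFUNCTYPE(ctypes.c_int64)`` function object whose address
        is the start of the mapping.  The mapping is kept alive by the
        ``_avoid_gc_for_mmap`` attribute on the returned object and is never
        unmapped or made non-writable again.

    Raises:
        ValueError: if *shellcode* is empty; an anonymous mapping of length 0
            is invalid and would otherwise fail inside ``mmap`` with a less
            obvious error.
        OSError: if the kernel refuses the mapping (some hardened hosts
            reject anonymous mappings that are writable and executable at
            the same time).

    The page is simultaneously writable and executable (no W^X).  From a
    defensive point of view an anonymous PROT_WRITE|PROT_EXEC mapping
    followed by a call into it is a classic in-memory code-execution pattern
    and a common audit/EDR detection signal.
    """
    if not shellcode:
        raise ValueError('shellcode must not be empty')
    size = len(shellcode)
    exec_mem = mmap.mmap(
        -1, size,
        prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
        flags=mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)
    exec_mem.write(shellcode)
    # Borrow the mapping as an exact-size char array.  ``c_int.from_buffer``
    # requires at least 4 bytes and rejected images shorter than that.
    backing = (ctypes.c_char * size).from_buffer(exec_mem)
    function = ctypes.CFUNCTYPE(ctypes.c_int64)(ctypes.addressof(backing))
    # The function object only holds an integer address; pin the mmap to it
    # so the pages are not released while the callable is still reachable.
    function._avoid_gc_for_mmap = exec_mem
    return function


def example():
    """Parse CLI options, configure logging and run the embedded PIC image.

    Options:
        -v/--verbose  raise the ``sins`` logger to DEBUG with a verbose format.
        -s/--seed     path to a PIC image.  Parsed but never read: the
                      embedded ``whoami_shell`` is always what gets executed.
        -o/--output   directory for a ``sins-<UTC timestamp>.log`` file; the
                      directory must already exist.

    Side effects: adds a stream handler (and optionally a file handler) to
    the ``sins`` logger on every call, logs the raw image bytes, and executes
    ``whoami_shell`` as native code inside this process via
    ``shell_function``.
    """
    # Aware UTC timestamp; ``utcnow()`` is deprecated since Python 3.12 and
    # formats identically.
    now = '{0:%Y%m%dT%H%M%S}'.format(datetime.now(timezone.utc))
    parser = ArgumentParser(
        description='position independent code (PIC) mutation experiment.')
    parser.add_argument('-v', '--verbose', action='count')
    parser.add_argument('-s', '--seed', default='seed', help='path to PIC image.')
    parser.add_argument('-o', '--output', help='path to results directory.')
    args = parser.parse_args()

    log_level = logging.INFO
    log_format = logging.Formatter('%(message)s')
    if args.verbose:
        log_level = logging.DEBUG
        log_format = logging.Formatter(
            '%(levelname)s %(filename)s:%(lineno)d\n%(message)s\n')

    logger = logging.getLogger('sins')
    logger.setLevel(log_level)
    stream_handler = logging.StreamHandler()
    stream_handler.setLevel(log_level)
    stream_handler.setFormatter(log_format)
    logger.addHandler(stream_handler)

    if args.output:
        # Path arithmetic instead of string concatenation so a trailing
        # separator in --output does not produce a doubled slash.
        log_path = Path(args.output) / f'sins-{now}.log'
        file_handler = logging.FileHandler(log_path)
        file_handler.setLevel(log_level)
        file_handler.setFormatter(log_format)
        logger.addHandler(file_handler)

    logger.info(whoami_shell)
    # Executes the embedded image in-process; the return value is discarded.
    shell_function(whoami_shell)()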