Chaithu edited this page Sep 2, 2016 · 4 revisions

Welcome to the lisa.py wiki!

#exploitable: checks whether the crash is exploitable

(lisa)exploitable

#shellcode: Searches shell-storm for shellcode

(lisa)shellcode 
Syntax:   shellcode <option> <arg>

Options:  -search <keyword>
          -display <shellcode id>
          -save <shellcode id>
(lisa)shellcode -search osx
Connecting to shell-storm.org...
Found 17 shellcodes
ScId    Size Title
[312]   300  Osx/ppc - Bind Shell PORT TCP/8000 - encoder OSXPPCLongXOR - 300 bytes
[127]   222  Osx/ppc - add inetd backdoor - 222 bytes
[128]   219  Osx/ppc - Add user r00t - 219 bytes
[761]   131  Osx/x86-64 - reverse tcp shellcode - 131 bytes
[126]   122  Osx/ppc - create /tmp/suid - 122 bytes
[129]   72   Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes
[736]   51   Osx/x86-64 - setuid shell x86_64 - 51 bytes
[130]   32   Osx/ppc - sync(), reboot() - 32 bytes
[692]   24   Osx/x86 - execve(/bin/sh) - 24 byte
[121]   n/a  Osx/ppc - remote findsock by recv() key shellcode
[122]   n/a  Osx/ppc - Single Reverse TCP
[123]   n/a  Osx/ppc - stager sock find peek
[124]   n/a  Osx/ppc - stager sock find
[125]   n/a  Osx/ppc - stager sock reverse
[120]   n/a  Osx/ppc - shellcode execve(/bin/sh)
[777]   n/a  Osx/x86-64 - universal ROP shellcode
[786]   n/a  Osx/x86-64 - universal OSX dyld ROP shellcode  

#extract: Extracts a given architecture slice from a Universal (fat) binary

(lisa)extract
Syntax: extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib
(lisa)extract x86_64 /usr/lib/system/libsystem_kernel.dylib ./libsystem_kernel.dylib
(lisa)
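To show what extract does underneath, here is an added Python example (not lisa.py's own code) that parses the fat header of a universal binary and copies out one architecture's slice. The CPU type values are the ones from Apple's mach/machine.h; build_fat assembles synthetic input with fake Mach-O slices so the code runs offline, and the bounds checks on nfat_arch and on each slice are the caveats any parser of untrusted binaries needs.

```python
import struct
FAT_MAGIC = 0xCAFEBABE      # big-endian universal-binary magic (Java .class files share it)
FAT_MAGIC_64 = 0xCAFEBABF   # variant with 64-bit fat_arch entries, not handled here
CPU_TYPES = {"x86": 0x7, "x86_64": 0x01000007, "arm": 0xC, "arm64": 0x0100000C, "ppc": 0x12}

def list_slices(data: bytes) -> list:
    """Parse struct fat_header and its fat_arch[] table (all fields big-endian)."""
    if len(data) < 8:
        raise ValueError("too short to be a fat binary")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic == FAT_MAGIC_64:
        raise ValueError("FAT_MAGIC_64 is not handled by this example")
    if magic != FAT_MAGIC:
        raise ValueError("not a universal binary (magic %#x)" % magic)
    # In a Java class file the field after the magic is a version number, so bound
    # nfat_arch to a small count instead of trusting it (a real fat binary has a few).
    if not 0 < nfat_arch <= 0x20 or len(data) < 8 + 20 * nfat_arch:
        raise ValueError("implausible nfat_arch %d" % nfat_arch)
    slices = []
    for i in range(nfat_arch):
        cputype, cpusubtype, offset, size, align = struct.unpack(">IIIII", data[8 + 20 * i:28 + 20 * i])
        if offset + size > len(data):          # header offsets are untrusted input
            raise ValueError("slice %d points past end of file" % i)
        slices.append({"cputype": cputype, "cpusubtype": cpusubtype, "offset": offset, "size": size, "align": align})
    return slices

def is_universal(data: bytes) -> bool:
    try:
        return bool(list_slices(data))
    except ValueError:
        return False

def extract(data: bytes, arch: str) -> bytes:
    """Return the raw Mach-O bytes of the requested slice (arch names as in lisa's extract)."""
    for s in list_slices(data):
        if s["cputype"] == CPU_TYPES[arch]:
            return data[s["offset"]:s["offset"] + s["size"]]
    raise KeyError("no %s slice in this binary" % arch)

def build_fat(parts) -> bytes:
    """Assemble a synthetic universal binary from (cputype, payload) pairs with the
    4 KiB slice alignment lipo uses. Constructed test input, not a real binary."""
    header_len = (8 + 20 * len(parts) + 4095) & ~4095
    entries, blobs, offset = [], [], header_len
    for cputype, payload in parts:
        entries.append(struct.pack(">IIIII", cputype, 3, offset, len(payload), 12))
        blobs.append(payload + b"\0" * (-len(payload) % 4096))
        offset += len(blobs[-1])
    header = struct.pack(">II", FAT_MAGIC, len(parts)) + b"".join(entries)
    return header.ljust(header_len, b"\0") + b"".join(blobs)
```

Writing extract(open(src, "rb").read(), "x86_64") to the output path gives the same thin dylib the lisa command above produces.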

#pattern_create: Creates a cyclic pattern of a given length

(lisa)pattern_create 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

#pattern_offset: Finds the offset of a given substring in a cyclic pattern of length n

(lisa)pattern_offset 100 Ad2A
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
offsets: [96]
(lisa)
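As an added example (not the page's or lisa.py's code) of how pattern_create and pattern_offset fit together in crash triage: the generator reproduces the 100-byte pattern shown above, pattern_offset returns every offset of a substring, and register_to_needle, which goes beyond what the page shows, converts a little-endian register value copied from a crash back into the pattern bytes to search for.

```python
import re
import string
from itertools import product


def pattern_create(length: int) -> str:
    """Build the cyclic pattern lisa's pattern_create prints: Upper+lower+digit
    triplets (Aa0, Aa1, ..., Zz9) cut to `length`. Every 4-byte window is unique
    within the first 26*26*10*3 = 20280 bytes, so a register that ends up holding
    part of it tells you exactly where in the input that part sat."""
    chunks = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        chunks.append(upper + lower + digit)
        if 3 * len(chunks) >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(length: int, needle: str) -> list:
    """Every offset of `needle` inside pattern_create(length). Overlapping matches
    count, which is why a short needle like "Aa" reports many hits."""
    pattern = pattern_create(length)
    return [m.start() for m in re.finditer("(?=%s)" % re.escape(needle), pattern)]


def register_to_needle(value: int, width: int = 8) -> str:
    """Turn a register value from a crash on a little-endian target (x86/x86-64)
    back into the pattern bytes that overwrote it. Trailing zero bytes (a partial
    overwrite) are dropped; non-printable bytes become '?'. Added here as an
    assumption about typical use; the page only shows searching for a string."""
    raw = value.to_bytes(width, "little").rstrip(b"\0")
    return "".join(chr(b) if 32 <= b < 127 else "?" for b in raw)
```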

#ct: Prints the context of execution

(lisa)ct
[*] Disassembly :

libsystem_kernel.dylib`__pthread_kill:
->  0x7fff8f6a4f06 <+10>: jae    0x7fff8f6a4f10            ; <+20>
    0x7fff8f6a4f08 <+12>: mov    rdi, rax

[*] Stack :

0x7fff5fbff788: 0x8d36b4ec 0x00007fff 0x00000000 0x00000000
0x7fff5fbff798: 0x5fbff7d0 0x00000307 0x5fbff7d0 0x00007fff
0x7fff5fbff7a8: 0x00000000 0x00000000

[*] Registers   :
       rax = 0x0000000000000000
       rbx = 0x0000000000000006
       rcx = 0x00007fff5fbff788
       rdx = 0x0000000000000000
       rdi = 0x0000000000000307
       rsi = 0x0000000000000006
       rbp = 0x00007fff5fbff7b0
       rsp = 0x00007fff5fbff788
        r8 = 0x0000000000000000
        r9 = 0x00007fff782e90c8  atexit_mutex + 24
       r10 = 0x0000000008000000
       r11 = 0x0000000000000206
       r12 = 0x0000000000000000
       r13 = 0x0000000000000000
       r14 = 0x00007fff76fb8000  libsystem_pthread.dylib`_thread
       r15 = 0x0000000000000000
       rip = 0x00007fff8f6a4f06  libsystem_kernel.dylib`__pthread_kill + 10
    rflags = 0x0000000000000206
        cs = 0x0000000000000007
        fs = 0x0000000000000000
        gs = 0x0000000000000000


[*] Jumping to  :0x7fff8f6a4f10
(lisa)

#s: thread step-in

(lisa)s
[*] Disassembly :

dyld`_dyld_start:
->  0x7fff5fc0102d <+45>: lea    r9, [rbp - 0x8]
    0x7fff5fc01031 <+49>: call   0x7fff5fc01076            ; dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*)

[*] Stack :

0x7fff5fbff800: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
0x7fff5fbff820: 0x5fbff9f8 0x00007fff

[*] Registers   :
       rax = 0x0000000000000000
       rbx = 0x0000000000000000
       rcx = 0x0000000000000000
       rdx = 0x00007fff5fbff820
       rdi = 0x0000000100000000
       rsi = 0x0000000000000001
       rbp = 0x00007fff5fbff810
       rsp = 0x00007fff5fbff800
        r8 = 0x00007fff5fc00000  
        r9 = 0x0000000000000000
       r10 = 0x0000000000000000
       r11 = 0x0000000000000000
       r12 = 0x0000000000000000
       r13 = 0x0000000000000000
       r14 = 0x0000000000000000
       r15 = 0x0000000000000000
       rip = 0x00007fff5fc0102d  dyld`_dyld_start + 45
    rflags = 0x0000000000000246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

#si: thread step-into

(lisa)si
[*] Disassembly :

dyld`_dyld_start:
->  0x7fff5fc01031 <+49>: call   0x7fff5fc01076            ; dyldbootstrap::start(macho_header const*, int, char const**, long, macho_header const*, unsigned long*)
    0x7fff5fc01036 <+54>: mov    rdi, qword ptr [rbp - 0x8]

[*] Stack :

0x7fff5fbff800: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
0x7fff5fbff820: 0x5fbff9f8 0x00007fff

[*] Registers   :
       rax = 0x0000000000000000
       rbx = 0x0000000000000000
       rcx = 0x0000000000000000
       rdx = 0x00007fff5fbff820
       rdi = 0x0000000100000000
       rsi = 0x0000000000000001
       rbp = 0x00007fff5fbff810
       rsp = 0x00007fff5fbff800
        r8 = 0x00007fff5fc00000  
        r9 = 0x00007fff5fbff808
       r10 = 0x0000000000000000
       r11 = 0x0000000000000000
       r12 = 0x0000000000000000
       r13 = 0x0000000000000000
       r14 = 0x0000000000000000
       r15 = 0x0000000000000000
       rip = 0x00007fff5fc01031  dyld`_dyld_start + 49
    rflags = 0x0000000000000246
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

#so: thread step-over

(lisa)so
[*] Disassembly :

dyld`_dyld_start:
->  0x7fff5fc01036 <+54>: mov    rdi, qword ptr [rbp - 0x8]
    0x7fff5fc0103a <+58>: cmp    rdi, 0x0

[*] Stack :

0x7fff5fbff800: 0x00000000 0x00000000 0x8e8765ad 0x00007fff
0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
0x7fff5fbff820: 0x5fbff9f8 0x00007fff

[*] Registers   :
       rax = 0x0000000100000f80  abort`main
       rbx = 0x0000000000000000
       rcx = 0x00007fff8e8765ad  libdyld.dylib`start + 1
       rdx = 0x00007fff5fbff808
       rdi = 0x00007fff5fc406a8  dyld`initialPoolContent + 2264
       rsi = 0x0000000000000001
       rbp = 0x00007fff5fbff810
       rsp = 0x00007fff5fbff800
        r8 = 0x00000000fffffffc
        r9 = 0x00007fff782e90c8  atexit_mutex + 24
       r10 = 0x00000000ffffffff
       r11 = 0xffffffff00000000
       r12 = 0x0000000000000000
       r13 = 0x0000000000000000
       r14 = 0x0000000000000000
       r15 = 0x0000000000000000
       rip = 0x00007fff5fc01036  dyld`_dyld_start + 54
    rflags = 0x0000000000000202
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

#sf: thread step-in n times

(lisa)sf 4
[*] Disassembly :

dyld`_dyld_start:
->  0x7fff5fc0100a <+10>: sub    rsp, 0x10
    0x7fff5fc0100e <+14>: mov    esi, dword ptr [rbp + 0x8]

[*] Stack :

0x7fff5fbff810: 0x00000000 0x00000000 0x00000001 0x00000000
0x7fff5fbff820: 0x5fbff9f8 0x00007fff 0x00000000 0x00000000
0x7fff5fbff830: 0x5fbffa34 0x00007fff

[*] Registers   :
       rax = 0x0000000000000000
       rbx = 0x0000000000000000
       rcx = 0x0000000000000000
       rdx = 0x0000000000000000
       rdi = 0x0000000100000000
       rsi = 0x0000000000000000
       rbp = 0x00007fff5fbff810
       rsp = 0x00007fff5fbff810
        r8 = 0x0000000000000000
        r9 = 0x0000000000000000
       r10 = 0x0000000000000000
       r11 = 0x0000000000000000
       r12 = 0x0000000000000000
       r13 = 0x0000000000000000
       r14 = 0x0000000000000000
       r15 = 0x0000000000000000
       rip = 0x00007fff5fc0100a  dyld`_dyld_start + 10
    rflags = 0x0000000000000202
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x0000000000000000

#dump: Dumps the process's memory in a given address range to a file

(lisa)dump
Syntax: dump outfile 0x6080000fe680 0x6080000fe680+1000
(lisa)dump memorydump.bin 0x00007fff8e8765ad 0x00007fff8e8765ad+100
100 bytes written to 'memorydump.bin'
(lisa)

#rop: rop (ROPgadget) lets you search for gadgets in a binary. It supports several file formats and architectures and uses the Capstone disassembler as its search engine.

(lisa)rop
    description:
      ROPgadget lets you search your gadgets on a binary. It supports several 
      file formats and architectures and uses the Capstone disassembler for
      the search engine.

    formats supported: 
      - ELF
      - PE
      - Mach-O
      - Raw

    architectures supported:
      - x86
      - x86-64
      - ARM
      - ARM64
      - MIPS
      - PowerPC
      - Sparc
      epilog=examples:
      rop --binary ./test-suite-binaries/elf-Linux-x86 
      rop --binary ./test-suite-binaries/elf-Linux-x86 --ropchain
      rop --binary ./test-suite-binaries/elf-Linux-x86 --depth 3
      rop --binary ./test-suite-binaries/elf-Linux-x86 --string "main"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --string "m..n"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --opcode c9c3
      rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|ret"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --only "mov|pop|xor|ret"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --filter "xchg|add|sub"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --norop --nosys
      rop --binary ./test-suite-binaries/elf-Linux-x86 --range 0x08041000-0x08042000
      rop --binary ./test-suite-binaries/elf-Linux-x86 --string main --range 0x080c9aaa-0x080c9aba
      rop --binary ./test-suite-binaries/elf-Linux-x86 --memstr "/bin/sh"
      rop --binary ./test-suite-binaries/elf-Linux-x86 --console
      rop --binary ./test-suite-binaries/elf-Linux-x86 --badbytes "00|7f|42"
      rop --binary ./test-suite-binaries/Linux_lib64.so --offset 0xdeadbeef00000000
      rop --binary ./test-suite-binaries/elf-ARMv7-ls --depth 5
      rop --binary ./test-suite-binaries/elf-ARM64-bash --depth 5
      rop --binary ./test-suite-binaries/raw-x86.raw --rawArch=x86 --rawMode=32 