
ChrisTheCoolHut / Zeratool

Licence: gpl-3.0
Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems

Programming Languages

python
139335 projects - #7 most used programming language
shellcode
44 projects

Labels

Projects that are alternatives of or similar to Zeratool

Awesome Privilege Escalation
A curated list of awesome privilege escalation
Stars: ✭ 413 (-29.28%)
Mutual labels:  ctf
Juice Shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
Stars: ✭ 6,270 (+973.63%)
Mutual labels:  ctf
Vroom
Vehicle Routing Open-source Optimization Machine
Stars: ✭ 533 (-8.73%)
Mutual labels:  solver
Convex.jl
A Julia package for disciplined convex programming
Stars: ✭ 417 (-28.6%)
Mutual labels:  solver
Mbe
Course materials for Modern Binary Exploitation by RPISEC
Stars: ✭ 4,674 (+700.34%)
Mutual labels:  ctf
Security Tools
Collection of small security tools, mostly in Bash and Python. CTFs, Bug Bounty and other stuff.
Stars: ✭ 509 (-12.84%)
Mutual labels:  ctf
Review the national post Graduate entrance examination
🌟 Notes on preparing for the postgraduate entrance exam (Tsinghua 912 exam)~~
Stars: ✭ 399 (-31.68%)
Mutual labels:  ctf
Platypus
🔨 A modern multiple reverse shell sessions manager written in Go
Stars: ✭ 559 (-4.28%)
Mutual labels:  ctf
Captfencoder
CaptfEncoder is a cross-platform cybersecurity toolkit that provides encoding conversion, classical ciphers, cryptography, special encodings and other tools, and aggregates various online tools.
Stars: ✭ 473 (-19.01%)
Mutual labels:  ctf
Rootthebox
A Game of Hackers (CTF Scoreboard & Game Manager)
Stars: ✭ 527 (-9.76%)
Mutual labels:  ctf
Brutesploit
BruteSploit is a collection of methods for automated wordlist generation, brute-forcing and manipulation with an interactive shell. It can be used during a penetration test for enumeration, and in CTFs for manipulating, combining, transforming and permuting words or text files :p
Stars: ✭ 424 (-27.4%)
Mutual labels:  ctf
Ctf Wiki
Come and join us, we need you!
Stars: ✭ 5,305 (+808.39%)
Mutual labels:  ctf
Choco Solver
An open-source Java library for Constraint Programming
Stars: ✭ 518 (-11.3%)
Mutual labels:  solver
Pwndra
A collection of pwn/CTF related utilities for Ghidra
Stars: ✭ 417 (-28.6%)
Mutual labels:  ctf
Name That Hash
🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 3000+ other hashes ☄ Comes with a neat web app 🔥
Stars: ✭ 540 (-7.53%)
Mutual labels:  ctf
Newbie Security List
Cybersecurity learning materials; contributions welcome
Stars: ✭ 402 (-31.16%)
Mutual labels:  ctf
Stowaway
👻Stowaway -- Multi-hop Proxy Tool for pentesters
Stars: ✭ 500 (-14.38%)
Mutual labels:  ctf
Ctf web
A project that aims to collect CTF web practice challenges.
Stars: ✭ 564 (-3.42%)
Mutual labels:  ctf
Weblogger
A tool for capturing traffic in offline (attack-defense) CTF competitions (PHP) and for capturing and analyzing traffic in real environments
Stars: ✭ 547 (-6.34%)
Mutual labels:  ctf
Ctf Tools
A collection of CTF tools
Stars: ✭ 524 (-10.27%)
Mutual labels:  ctf

Zeratool

Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems

This tool uses angr to concolically analyze binaries by hooking printf and looking for unconstrained paths (states where the program counter is fully attacker-controlled). These program states are then weaponized for remote code execution through pwntools and a series of script tricks. Finally, the payload is tested locally and then submitted to a remote CTF server to recover the flag.


Installing

Zeratool has been tested on Ubuntu 16.04, and the install script is set up for Ubuntu 12.04 through Ubuntu 18.04.

./install.sh

Usage

Zeratool is a Python script that accepts a binary as an argument and, optionally, a linked libc library and the connection information for a CTF server.

[chris:~/Zeratool] [angr] python zeratool.py -h
usage: zeratool.py [-h] [-l LIBC] [-u URL] [-p PORT] [-v] file

positional arguments:
  file                  File to analyze

optional arguments:
  -h, --help            show this help message and exit
  -l LIBC, --libc LIBC  libc to use
  -u URL, --url URL     Remote URL to pwn
  -p PORT, --port PORT  Remote port to pwn
  -v, --verbose         Verbose mode

Exploit Types

Zeratool is designed around weaponizing buffer overflows and format string vulnerabilities and currently supports the following types:

  • Buffer Overflow
    • Point program counter to win function
    • Point program counter to shellcode
    • Point program counter to rop chain
      • ROP chains need a libc base address
      • one-gadget and ropper are used for ROP chain building
  • Format String
    • Point GOT entry to win function
    • Point GOT entry to shellcode

Zeratool has room to grow; future iterations will include information disclosure discovery and linking those leaks to an offset for general ASLR bypasses.

Examples

Check out the samples.sh file. It contains several examples of Zeratool automatically solving exploitable CTF problems.

Long Asciinema with Three Solves

#!/bin/bash
#Buffer Overflows with win functions
python zeratool.py challenges/ret -u ctf.hackucf.org -p 9003
python zeratool.py challenges/bof3 -u ctf.hackucf.org -p 9002
python zeratool.py challenges/bof2 -u ctf.hackucf.org -p 9001
python zeratool.py challenges/bof1 -u ctf.hackucf.org -p 9000

#Down for the summer
#python zeratool.py challenges/easy_format -u tctf.competitivecyber.club -p 7801
#python zeratool.py challenges/medium_format -u tctf.competitivecyber.club -p 7802

#Format string leak
python zeratool.py challenges/easy_format
#Format string point to win function
python zeratool.py challenges/medium_format
#Format string point to shellcode
python zeratool.py challenges/hard_format #This one sometimes needs to be run twice

#Buffer overflow point to shellcode
python zeratool.py challenges/demo_bin

FAQ

Q. Why doesn't Zeratool work against my simple exploitable?

A. Zeratool is held together by scotch tape and dreams.
