A modular Python tool for developing exploits, focusing on ROP chains to bypass DEP (Data Execution Prevention). It breaks the process into stages (crash, offset, badchars, full ROP) and generates payloads with a colored hexdump viewer for easy debugging.
Ethical Warning: For educational, CTF, or authorized lab use only. Do not test on unauthorized systems. The author is not responsible for misuse.
- Staged Development: From simple crashes to full ROP chains.
- Custom Shellcode: Position (start/end of payload), NOP placement (start/end/both/none), and markers (DEADBEEF for bounds).
- Colored Hexdump: Highlights EIP, shellcode, WPM template, badchars, NOPs, and custom values (e.g., 43434343).
- Badchar Detection: Scans payloads and alerts on issues.
- Auto-Send: Socket-based delivery to targets.
To set up and run kkdepexploit.py, follow these steps:
-
Clone the Repository: git clone https://github.com/YOUR_USERNAME/kkdepexploit.git cd kkdepexploit
-
Ensure Python Environment:
- Verify you have Python 3.8 or higher installed: python3 --version
- No additional libraries are required (socket, struct, argparse are built-in).
-
Make Executable (Linux/Mac): chmod +x kkdepexploit.py
-
Run Directly:
- Use Python to execute the script with your desired arguments (see Usage below).
Run kkdepexploit.py with command-line arguments to configure the target and exploit stage. Use the -h flag for a full list of options:
python3 kkdepexploit.py -h
This is a step-by-step guide to customize an exploit script for a specific target application. It covers modifications to key components like connection details, bad characters, shellcode, offsets, payload size, and ROP (Return-Oriented Programming) chain. The goal is to adapt the exploit to work against a particular vulnerability in a new environment, ensuring reliability and bypassing protections like DEP (Data Execution Prevention).
-
Change the function that connects to the application
Update the connection logic (e.g., socket setup inenviar_payload_ao_alvo) to match the target's protocol or authentication. This ensures the payload reaches the vulnerable part without early rejection. -
Change the port and IP
Modify the default IP and port in arguments or variables (e.g.,args.ipandargs.port). This targets the correct remote host and service, as different setups use non-standard ports. -
Change the badchars
Update theEXCLUIset with bytes that corrupt the payload (found via testing). This prevents payload mangling during transmission or processing, ensuring integrity. -
Change the shellcode to one with appropriate IP, port, and size
Replace the raw shellcode inget_final_shellcodewith a generated one (e.g., via msfvenom) matching your attacker's IP/port. Adjust for size to fit buffer constraints and avoid badchars. -
If changed, alter the shellcode size
UpdateSHELLCODE_TOTAL_SIZEto match the new shellcode length. This prevents overflows or underflows in padding, maintaining payload structure. -
Change the Offset
SetOFFSETto the exact byte count to overwrite EIP/SEH (found via pattern testing). This is crucial for controlling execution flow in buffer overflows. -
Change the payload size
AdjustSIZEto the buffer's capacity in the target app. This avoids crashes from oversized payloads or wasted space in undersized ones. -
Change ADDR_IAT
Update this address inbuild_rop_chainto the target's IAT. It allows dynamic resolution. -
Change TEMPLATE
Update this template with all the necessary fields for the call you are using to bypass the dep. -
Change all ROP instructions
Rebuild the ROP chain gadgets inbuild_rop_chainusing module-specific addresses (e.g., via mona.py). This adapts to the target's memory layout for stack pivoting and function calls.
Now, feedback: Does this Markdown meet your request? Do I need to adjust anything in the content or format before the next step?
-
Stage 1 (Simple Crash Test): Execute to send a large buffer and crash the target for vuln confirmation: python3 kkdepexploit.py -e 1 -i 192.168.1.100 -p 1337
-
Stage 4 (Full ROP with Shellcode at End, Markers, and Both-Side NOPs): Build and send a complete exploit with shellcode at the end, DEADBEEF markers, and NOPs on both sides, highlighting '43434343': python3 kkdepexploit.py -e 4 --shellcode-pos END --limits-shellcode --shellcode-nops both --highlight 43434343 -i 192.168.1.100 -p 1337
-
Custom Hexdump with Base Address: Run stage 4 with a custom memory base address and offset for detailed payload visualization: python3 kkdepexploit.py -e 4 --base-addr 0x00cbfd00 --payload-offset 100
| Argument | Description | Default |
|---|---|---|
| -i/--ip | Target IP | 192.168.122.115 |
| -p/--port | Target port | 3200 |
| -e/--estagio | Stage (1: crash, 2: offset, 3: badchars, 4: ROP) | 1 |
| --shellcode-pos | Shellcode position (START/END) | START |
| --limits-shellcode | Add DEADBEEF markers at shellcode start/end | False |
| --shellcode-nops | NOP position (begin/end/both/none) | both |
| --highlight | Hex value (8 chars) to highlight (e.g., 43434343) | None |
| --base-addr | Hex base address for hexdump | 0x00000000 |
| --payload-offset | Initial payload memory offset | 0 |
Edit at script top:
- OFFSET = 436: EIP control offset (find via msf-pattern_offset).
- EXCLUI = {0x00, ...}: Known badchars.
- SHELLCODE_TOTAL_SIZE = 400: Fixed shellcode size (includes NOPs/markers).
- shellcode_offset_from_template = 404: Distance from WPM template to shellcode (for END pos).
- Stage 1: Large buffer to crash and confirm vuln.
- Stage 2: Offset-based payload to control EIP (e.g., 'BBBB' in EIP).
- Stage 3: Byte test string (0x00-0xFF, badchars as 'A') post-EIP.
- Stage 4: WPM template + ROP chain + shellcode. Auto-pads for alignment (END pos uses NOPs between ROP/shellcode).
Hexdump colors (ANSI-supported terminals):
- Light Blue: Shellcode range.
- Orange: WPM template.
- Light Green: 41414141 ('A' padding).
- Cyan: 43434343 (ROP example).
- Dark Blue: NOPs in shellcode.
- Dark Green: General NOPs.
- Light Yellow: DEADBEEF (if enabled).
- Flashing Red: Badchars.
- Badchars Found: Update EXCLUI and regenerate shellcode with msfvenom (-b '\x00\x01...').
- ROP Fails: Verify gadgets with ROPgadget/Mona.py. Adjust addrs like ADDR_IAT.
- No Colors in Hexdump: Use ANSI-compatible terminal (e.g., VSCode, iTerm).
Forks and PRs welcome! Test on labs like VulnHub or PWK.
MIT License. See LICENSE.
- Exploiting Format String Vulnerabilities (scut/team teso).
- Exploit Writing Tutorial Part 10: Uniting DEP with ROP (corelanc0d3r).
- Offensive Shellcode from Scratch (Rishalin Pillay).
- Modern x86 Assembly Language Programming (Daniel Kusswurm).
- OffSec PWK/OSEP materials (EXP-301 OSED).
Description: Scans a PE file by simulating its loading into memory (Memory Image), searching for codecaves (zero-filled regions, high-zero regions) and sections suitable for shellcode injection or ROP chains. It is essential for determining reliable injection points in exploit development. Key Features: Finds both file-backed and memory-only (VirtualSize > SizeOfRawData) cavities. Allows filtering candidates by section permissions (R-X, RWX, R-W, etc.). Usage:
python3 KKCodeCave.py <file>
python3 KKCodeCave.py target.exe --executable-only --min-size 512
python3 KKCodeCave.py target.exe --rwx-only --want 5
Description: A powerful WinDbg/pykd script designed for filtering loaded modules based on security properties (ASLR, NX, SafeSEH, CFG) and checking for bad characters in the module's base address. This is the first step in ROP chain creation to identify non-ASLR, safe module bases for return addresses.
Key Features: Provides full module protection status. Supports explicit exclusion of Microsoft/Windows modules. Filters modules whose base address contains bad bytes (e.g., \x00). Supports Little-Endian (LE) and Big-Endian (BE) checks.
Usage (WinDbg/pykd):
!KKBinModules.py Z:\path\to\script.py <badchars_csv> <high_bytes_count> [flags]
!KKBinModules.py Z:\path\to\script.py 00,0a,0d 2 --exclude-ms --drop-aslr
!KKBinModules.py Z:\path\to\script.py 00 2 --strict # Implies --drop-aslr
Description: A post-processing script for cleaning ROP gadgets generated by tools like rp++ or ROPgadget. It enforces strict safety rules by removing gadgets that contain unsafe instructions (e.g., call, jmp, conditional branches, context-altering instructions) and eliminating any gadget whose address contains bad characters.
Key Features: Dedupes gadgets (keeps only the best/cleanest address for each instruction sequence). Includes a --dirty-fallback option to retain the best candidates, even if their address is "dirty," when no "clean" alternative exists.
Usage:
python KKCleanGadgets.py <input.txt> <output.txt>
python KKCleanGadgets.py dirty_gadgets.txt clean_gadgets.txt
python KKCleanGadgets.py input.txt final.txt --dirty-fallback`
Description: A comprehensive scanner for PE files (DLL/EXE) to check for explicit imports of specific Windows API functions (e.g., VirtualAlloc, WriteProcessMemory) via the Import Address Table (IAT) or Delay-Import Table. Crucial for "ret-to-IAT" ROP techniques.
Key Features: Reports the IAT Virtual Address (VA), Relative Virtual Address (RVA), and the byte range of the IAT slot. Attempts to resolve imports by ordinal. Also searches for the API name as ASCII and UTF-16-LE strings in the binary.
Usage:
python KKIATSearch.py -d .
python KKIATSearch.py --apis VirtualAlloc,VirtualProtect -d . -v
python KKIATSearch.py --dir C:\Windows\System32 --apis LoadLibraryA --read-iat
Built with ❤️ for the offensive security community.