Jump to content
begood

[Tool] Unique Pattern Generator for Exploit Development

By begood, in Programe hacking

Recommended Posts

begood Newbie

begood

Posted
Posted

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:

1) to generate the string pattern (tools/pattern_create.rb)

2) to find the offset of the required pattern (tools/pattern_offset.rb)

These are amazing utilities and really helpful for exploit development. However, the scripts are based on Ruby (in the Metasploit Framework) and it may not be possible for someone to carry the entire MSF.

Now people have come up with many alternate solutions and have made their own ports to different scripting languages based on these 2 utilities. I have been getting my hand dirty with Perl for sometime now, and this served as a good project for me to learn Perl.

So I have also developed a Perl script which combines these two functionality (i.e. pattern generation and offset search) into one script. The code is available at the end of this post. It’s not a complete port, but it be should be able to do the job most of the time.

There are two modes of operation:

1) Only one argument is provided which is the length of the string to be generated

(./gspattern.pl [length of string])

2) Both length of string and pattern whose offset is to be found are provided

(./gspattern.pl [length of string] [pattern to search] )

The script can handle multiple occurrences of the pattern (this would happen in cases where the string length is very large)

(Let me know if you find any bugs in the code. I am no expert programmer. Just getting my hands dirty in Perl.The script can currently generate strings of length upto 20306 characters.)

#!/usr/bin/perl -w
use strict;

# Generate/Search Pattern (gspattern.pl) v0.1
# Scripted by Wasim Halani (washal)
# Visit me at http://securitythoughts.wordpress.com/
# Thanks to hdm and the Metasploit team
# Special thanks to Peter Van Eeckhoutte(corelanc0d3r) for his amazing Exploit Development tutorials
# This script is to be used for educational purposes only. 

my $ustart = 65;
my $uend = 90;
my $lstart = 97;
my $lend = 122;
my $nstart = 0;
my $nend = 9;
my $length ;
my $string = "";
my ($upper, $lower, $num);
my $searchflag = 0;
my $searchstring;
my $skip='FALSE';

sub credits(){
    print "\nGenerate/Search Pattern \n";
    print "Scripted by Wasim Halani (washal)\n";
    print "http://securitythoughts.wordpress.com/\n";
    print "Version 0.1\n\n";
}

sub usage(){
    credits();
    print " Usage: \n";
    print " gspattern.pl <length of buffer> \n";
    print "         Will generate a string of given length. \n";
    print "\n";
    print " gspattern.pl <length of buffer> <search pattern> \n";
    print "         Will generate a string of given length,\n";
    print "         and display the offsets of pattern found.\n";
}

sub generate(){
    credits();
    $length = $ARGV[0];
    #print "Generating string for length : " .$length . "\n";
    if(length($string) == $length){
	finish();
    }
    #looping for the uppercase
    for($upper = $ustart; $upper <= $uend;$upper++){
	$string =$string.chr($upper);
	if(length($string) == $length){
	    finish();
	}
	$skip = 'FALSE';
	#looping for the lowercase
	for($lower = $lstart; $lower <= $lend;$lower++){
            if(!$skip){
			$string =$string.chr($lower);
			}
            if(length($string) == $length){
                finish();
			}
            #looping for the numeral
            for($num = $nstart; $num <= $nend;$num++){
                $string = $string.$num;
                if(length($string) == $length){
                    finish();
				}
				$string = $string.chr($upper);
				if(length($string) == $length){
					finish();
                }
				$string = $string.chr($lower);
				if(length($string) == $length){
                    finish();
				}
				$skip = 'TRUE';
			}
		}
    }
}

sub search(){
    my $offset = index($string,$searchstring);
    if($offset == -1){
	print "Pattern not found\n";
	exit(1);
    }
    else{
	print "Pattern found at offset(s) : ";
    }
    my $count = $offset;
    print $count." ";

    while($count < $length){
        $offset = index($string,$searchstring,$offset+1);
        if($offset == -1){
	    print "\n";
            exit(1);
	}
	print $offset ." ";
        $count = $count + $offset;
    }
    print "\n";
    exit(1);
}

sub finish(){
    print "String is : \n".$string ."\n";
    if($searchflag){
        search();
    }
    exit(1);
}

if(!$ARGV[0]){
    usage();
    #print "Going into usage..";
}
elsif ($ARGV[1]){
    $searchflag = 1;
    $searchstring = $ARGV[1];
    generate();
    #print "Going into pattern search...";
}
else {
     generate();
     #print "Going into string generation...";
}

[Tool] Unique Pattern Generator for Exploit Development Security Thoughts

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...