UPDATE: Pattern2Code is now at V0.03. This page has been updated with that version of the code.
pattern_create.rb is a great little tool that can be found in the /tools directory of your Metasploit framework. It is used to create a pattern of characters of a specified length which you can then send to an application as the oversized input in a buffer-overflow test. Its sister script, pattern_offset.rb, is then used to find the offset, in bytes from the start of the pattern, at which a given fragment of that pattern occurred.
pattern2code.py is a script I created to save me manually modifying the pattern_create.rb output to fit into my fuzzing code. It's simple to use and will output the pattern as either Python, Perl or C code.
Running the script is as simple as piping the output from pattern_create.rb into pattern2code.py and specifying a name for the buffer, the length of each split, and the output language.
The instructions below can also be found in the script if required:
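To make the two Metasploit scripts above concrete, here is an added example (my own Python, not pattern2code.py and not Metasploit's code) that reproduces what they do: pattern_create builds the cyclic "Aa0Aa1Aa2..." string of a given length, and pattern_offset reports how far into that string a fragment occurred. The function names pattern_create and pattern_offset are my own; the fragment may be given as the four ASCII characters or as the 32-bit value a debugger showed in a register, which is decoded little-endian the way pattern_offset.rb treats a hex value on x86.

```python
# Added example: pure-Python equivalents of pattern_create.rb / pattern_offset.rb.
# Not the pattern2code.py script from this page and not Metasploit's own code.
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
# 26 * 26 * 10 three-byte triples are unique before the pattern would repeat.
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes


def pattern_create(length):
    """Build the cyclic pattern truncated to `length` characters.

    Every (upper, lower, digit) triple is unique inside the first 20280
    bytes, so any 4-character window pins down its position in the buffer.
    """
    if length < 1 or length > MAX_UNIQUE:
        raise ValueError("length must be 1..%d" % MAX_UNIQUE)
    chunks = []
    size = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def _register_to_text(value):
    """Turn a 32-bit register value into the 4 pattern characters it holds.

    The bytes are reversed (little-endian), so 0x41336241 becomes "Ab3A".
    Returns None when the value is not four printable ASCII bytes.
    """
    try:
        return struct.pack("<I", value).decode("ascii")
    except (struct.error, UnicodeDecodeError):
        return None


def pattern_offset(needle, length=MAX_UNIQUE):
    """Offset of `needle` in the pattern, or -1 if it does not occur.

    `needle` is either the characters themselves ("Ab3A") or a register
    value as an int (0x41336241) or hex string ("0x41336241").
    """
    if isinstance(needle, int):
        needle = _register_to_text(needle)
    elif needle.lower().startswith("0x"):
        needle = _register_to_text(int(needle, 16))
    if not needle:
        return -1
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Constructed sample: the 180-byte pattern from the page, and a crash
    # value a debugger might have shown (constructed, 0x41336241 == "Ab3A").
    buf = pattern_create(180)
    print(buf)
    print("offset of 0x41336241:", pattern_offset(0x41336241))
```

The offset lookup searches the full 20280-byte pattern by default, so a fragment found at offset 39 in a 180-byte pattern reports 39 regardless of which length you actually sent, because every shorter pattern is a prefix of the longer one.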
[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>
[+] <buffername> = Custom buffer name
[+] <length> = Length of each split
[+] <languagename> = Perl, Python or C
[+] <input> piped input from pattern_create.rb
Output examples:
# ./pattern_create.rb 180 | ./splitter.py overflowbuff 50 python
overflowbuff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"
overflowbuff += "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A"
overflowbuff += "d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
overflowbuff += "Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
^ Python code output with a 50 character split.
# ./pattern_create.rb 260 | ./splitter.py newbuffer 40 perl
my $newbuffer =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A" .
"b3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac" .
"6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9" .
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A" .
"f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag" .
"6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9" .
"Ai0Ai1Ai2Ai3Ai4Ai5Ai";
^ Perl code output with a 40 character split.
# ./pattern_create.rb 260 | ./splitter.py newbuffer 55 c
unsigned char newbuffer[] =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7A"
"b8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad"
"6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4"
"Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2A"
"h3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai";
^ C code output with a 55 character split.
Here is the code for your enjoyment:

#!/usr/bin/env python
# pattern2code.py V0.03 - reformat pattern_create.rb output as Perl, Python or C.
# Written to run under Python 2 or 3: print() is only ever given a single
# string, and range() is used instead of xrange().
import sys

if len(sys.argv) != 4:
    print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
    print("+                                                      +")
    print("+               pattern2code.py V0.03                  +")
    print("+ Created by Damian Grace - http://www.damiangrace.com +")
    print("+      Restructure based on code by Jamie Gadd         +")
    print("+                                                      +")
    print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n")
    print("[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>")
    print("[+] <buffername> = Custom buffer name")
    print("[+] <length> = Length of each split")
    print("[+] <languagename> = Perl, Python or C")
    print("[+] <input> piped input from pattern_create.rb\n")
    print("[+] This program is for use with pattern_create.rb which comes")
    print("[+] bundled with Metasploit in the tools directory.")
    print("[+] To make it executable: chmod 755 ./pattern2code.py")
    print("[+] While it's in the tools directory run it like so:")
    print("[+] ./pattern_create.rb 2000 | ./pattern2code.py buffer 50 python\n")
    sys.exit(2)

# read buffer name and split length
buffername = sys.argv[1]
splitlength = int(sys.argv[2])
if splitlength < 1:
    sys.stderr.write("[-] <length> must be a positive number of characters\n")
    sys.exit(2)

# read the pattern from stdin and drop the trailing newline
pattern = sys.stdin.read().rstrip("\r\n")

# language options: (opening text plus the first chunk,
#                    separator written before every further chunk,
#                    closing text)
language = {
    "perl":   ("my $" + buffername + " = \t\"" + pattern[:splitlength],
               "\" .\n\t\t\"",
               "\";\n"),
    "python": (buffername + " = \t\"" + pattern[:splitlength],
               "\"\n" + buffername + " += \"",
               "\"\n"),
    "c":      ("unsigned char " + buffername + "[] = \"" + pattern[:splitlength],
               "\" \\\n\t\t\"",
               "\";\n"),
}

# parse args: the language name is matched case-insensitively, and an
# unknown name is an error rather than silently producing no output
langname = sys.argv[3].lower()
if langname not in language:
    sys.stderr.write("[-] Unknown language '%s': use Perl, Python or C\n" % sys.argv[3])
    sys.exit(2)
start, mid, end = language[langname]

# main: emit the first chunk, then each remaining chunk behind its separator
sys.stdout.write(start)
for x in range(splitlength, len(pattern), splitlength):
    sys.stdout.write(mid + pattern[x:x + splitlength])
sys.stdout.write(end)
The code can also be downloaded here
Enjoy!
P.S. I would love to hear feedback on how to improve my code so please leave a comment…