Archive for the ‘Coding’ category

Update: pattern2code.v.03

November 15th, 2009

Last week I had it pointed out to me by Jamie Gadd that v.02 was fatally flawed and, in fact, did not work at all.

Due to this embarrassing incident I have recoded pattern2code based on some code that Jamie provided. He is somewhat of a stellar coder, so this version looks much nicer than anything I have provided thus far.

The new code can be downloaded from the tools section and more information about the script can be found here.

Special thanks to Jamie for the feedback and for showing me some new coding tricks.

Pattern2Code V.02 – Update

November 3rd, 2009

UPDATE: Jamie Gadd has nicely pointed out that version 0.02 of this code is so flawed that it doesn’t even come close to working. I am at a loss to explain how I managed to upload such dysfunctional code. That code has now been removed from the site. The current version can be found here.

While the first version of Pattern2Code was functional, I was far from happy with the actual code. This version doesn’t add any new features, but the code is somewhat nicer. I have updated this post with v.02, and both versions can now be downloaded from the tools section.

Metasploit pattern_create.rb 2 Code Creator

November 1st, 2009

UPDATE: Pattern2Code is now at V.03. This page has been updated with that version of code.

Pattern_create.rb is a great little tool that can be found in the /tools directory of your Metasploit framework. It creates a non-repeating pattern of characters of a specified length, which you then feed to the application under test as the oversized input for a buffer overflow. Its sister script, pattern_offset.rb, is then used to work out the offset, in bytes from the start of the string, at which a particular part of the pattern (for example the four bytes that ended up in a register after the crash) occurred.
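To make the two tools' relationship concrete, here is an added Python 3 example (not code from the original post or from Metasploit) that builds the same upper/lower/digit pattern that pattern_create.rb emits and then locates a fragment of it the way pattern_offset.rb does. The function names, the `0x`-prefixed register-value convention, and the refusal of lengths beyond one full cycle are choices made for this example; the real tool's handling of longer patterns is not reproduced.

```python
import string

# The pattern is the sequence of all upper/lower/digit triples
# (Aa0, Aa1, ..., Aa9, Ab0, ...) truncated to the requested length. Every
# 3-byte window is unique within one full cycle, which is what lets an
# offset lookup map a crash value back to a single position.
FULL_CYCLE = 26 * 26 * 10 * 3   # 20280 characters before a triple would repeat


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern.

    Lengths beyond one full cycle are refused here (an assumption of this
    example) because a repeated triple would make offsets ambiguous."""
    if not 0 < length <= FULL_CYCLE:
        raise ValueError("length must be between 1 and %d" % FULL_CYCLE)
    chunks = []
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                chunks.append(up + lo + dg)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def needle_from_register(value_hex, size=4):
    """Convert a register value as a debugger shows it (e.g. '0x41306241')
    back into the bytes as they sat in memory on a little-endian target."""
    return int(value_hex, 16).to_bytes(size, "little").decode("ascii")


def pattern_offsets(pattern, needle):
    """Every offset at which `needle` occurs. More than one hit means the
    needle is too short to be unique (or the pattern cycled)."""
    if needle.startswith("0x"):
        needle = needle_from_register(needle)
    hits, start = [], 0
    while True:
        pos = pattern.find(needle, start)
        if pos < 0:
            return hits
        hits.append(pos)
        start = pos + 1


def pattern_offset(pattern, needle):
    """The single unambiguous offset, or -1 when the needle is absent or
    matches in more than one place."""
    hits = pattern_offsets(pattern, needle)
    return hits[0] if len(hits) == 1 else -1


if __name__ == "__main__":
    p = pattern_create(260)
    print(p)
    print("offset of 'Ab0A':", pattern_offset(p, "Ab0A"))
    print("offset of 0x41306241:", pattern_offset(p, "0x41306241"))
```

The 180- and 260-character patterns produced by `pattern_create` match the strings shown in the output examples further down; the little-endian conversion is why a register reading `0x41306241` corresponds to the text `Ab0A` and therefore to offset 30.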

pattern2code.py is a script I created to save me manually modifying the pattern_create.rb patterns to fit into my fuzzing code. It's simple to use and will output the pattern as either Python, Perl or C code.

Running the script is as simple as piping the output from pattern_create.rb into the pattern2code.py and specifying a name for the buffer, a length of each split, and the language output.

The instructions below can also be found in the script if required:

[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>
[+] <buffername> = Custom buffer name
[+] <length> = Length of each split
[+] <languagename> = Perl, Python or C
[+] <input> piped input from pattern_create.rb

Output examples:

# ./pattern_create.rb 180 | ./splitter.py overflowbuff 50 python

overflowbuff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"
overflowbuff += "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A"
overflowbuff += "d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
overflowbuff += "Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"

^ Python code output with a 50 character split.


# ./pattern_create.rb 260 | ./splitter.py newbuffer 40 perl

my $newbuffer =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A" .
"b3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac" .
"6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9" .
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A" .
"f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag" .
"6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9" .
"Ai0Ai1Ai2Ai3Ai4Ai5Ai";

^ Perl code output with a 40 character split.


# ./pattern_create.rb 260 | ./splitter.py newbuffer 55 c

unsigned char newbuffer[] =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7A"
"b8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad"
"6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4"
"Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2A"
"h3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai";

^ C code output with a 55 character split.

Here is the code for your enjoyment :)

#!/usr/bin/env python
from __future__ import print_function   # so the script runs unchanged under Python 2 and 3
import sys

if len(sys.argv) != 4:
    print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++")
    print("+                                                      +")
    print("+                 pattern2code.py V0.03                +")
    print("+ Created by Damian Grace - http://www.damiangrace.com +")
    print("+       Restructure based on code by Jamie Gadd        +")
    print("+                                                      +")
    print("++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n")
    print("[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>")
    print("[+] <buffername> = Custom buffer name")
    print("[+] <length> = Length of each split")
    print("[+] <languagename> = Perl, Python or C")
    print("[+] <input> piped input from pattern_create.rb\n")
    print("[+] This program is for use with pattern_create.rb which comes")
    print("[+] bundled with Metasploit in the tools directory.")
    print("[+] To make it executable: chmod 755 ./pattern2code.py")
    print("[+] While it's in the tools directory run it like so:")
    print("[+] ./pattern_create.rb 2000 | ./pattern2code.py buffer 50 python\n")
    sys.exit(2)

# read buffer name and split length
buffername = sys.argv[1]
splitlength = int(sys.argv[2])
if splitlength < 1:
    sys.stderr.write("[-] <length> must be a positive number\n")
    sys.exit(2)

# read pattern and strip the trailing newline (only the newline, not whatever the last character happens to be)
pattern = sys.stdin.read().rstrip("\r\n")

# language options: (opening text including the first chunk, separator placed before each further chunk, closing text)
language = {"perl":("my $"+buffername+" = \t\""+pattern[:splitlength], "\" .\n\t\t\"", "\";\n"),
            "python":(buffername+" = \t\""+pattern[:splitlength],"\"\n"+buffername+" += \"","\"\n"),
            "c":("unsigned char "+buffername+"[] = \""+pattern[:splitlength],"\" \\\n\t\t\"", "\";\n")}

# parse args: match the language name case-insensitively, and treat an unknown name as an error
# instead of silently printing the bare pattern
lang = sys.argv[3].lower()
if lang not in language:
    sys.stderr.write("[-] Unknown language '%s' (use perl, python or c)\n" % sys.argv[3])
    sys.exit(2)
start, mid, end = language[lang]

# main: emit the first chunk, then every following chunk prefixed by the language's separator
sys.stdout.write(start)
for x in range(splitlength, len(pattern), splitlength):
    sys.stdout.write(mid+pattern[x:x+splitlength])
sys.stdout.write(end)

The code can also be downloaded here

Enjoy!

P.S. I would love to hear feedback on how to improve my code so please leave a comment…

Juniper firewall syslog parser – Part 1

September 5th, 2009

I was recently tasked with locking down the rules on a new Juniper SSG firewall installation. Rather than jumping in with a series of educated guesses followed by a ‘deny all’ rule, and potentially breaking chunks of the network, my preference is to implement a list of rules based on educated guesses followed by an ‘allow all’ rule that logs anything that hits it. Periodically over the following days, weeks or months (depending on circumstances) the syslogs are evaluated and rules are added above the ‘allow all’ rule as necessary. Eventually no legitimate traffic will be hitting the ‘allow all’ rule, and at that point you can safely convert the ‘allow all’ to a ‘deny all’.

Note: before I get flamed, I am referring to outbound traffic only and not to traffic coming from the internet or from any DMZ. Traffic coming from non-trusted sources should be restricted as much as possible at all times.

Sounds great in theory, right? But anyone who has ever looked over firewall syslogs realises that the sheer quantity of information is completely overwhelming, and retrieving the relevant information by hand would take a team of very dedicated (and bored) individuals. Software products exist to do this sort of work, but I saw an opportunity to further hone my coding ability. Perl is my weapon of choice for this script as it has fantastic regex capabilities that can be used to pull out all the required information. From there we will dump it all into a database where it can be manipulated at will.

The primary focus when starting this project was getting the Regular Expressions (Regex) correctly functioning. The original plan was to create one Regex that could do all the work for me… but as you can see in a second, this created an unwieldy beast. The Regex below was my first attempt (and it wasn’t even complete).

m/^.+?\=(.+?)\sproto\=(\d+?).+?\=(.+?)\s.+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?).+?\=(\d+?)/;

Breaking this up into manageable chunks seemed like a much smarter way of going about it. The next code revision, while taking up more lines, takes a much more readable form. The code below simply grabs the info and prints it to the screen. This is my debugging measure to ensure that everything is working correctly before moving on to the next phase: the database.

#!/usr/bin/perl
use strict;
use warnings;

open(SYSLOG, "<", "20090903-syslog") or die "Cannot open 20090903-syslog: $!";

while (my $line = <SYSLOG>)
{
    chomp($line);

    # Sep  3 15:05:23 172.16.1.250 FW: NetScreen device_id=FW  [Root]system-notification-00257(traffic): start_time="2009-09-03 15:11:58" duration=60
    # Grab Device Name, Start Time and Duration. Testing the match itself (rather than $7 on its own)
    # ensures a line that does not match is skipped instead of printing the previous line's captures.
    if ($line =~ m/((.+?\s+?){3})(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+?([A-Z]+?):.+?"(.+?)".+?\=(\d+?)\s(.*)/ && $7)
    {
        print "Date: $1\tDevice Name: $3 $4\tStart_Time: $5\tDuration: $6\t\n";
        $line = $7;

        # policy_id=1 service=Network Time proto=17 src zone=Trust dst zone=Untrust
        $line =~ m/^.+?\=(\d+?).+?\=(.+?)\sproto\=(\d+?)\s.+?\=(.+?)\s.+?\=(.+?)\s(.*)/;    # Grabs PolicyID, Service, Protocol, Src_Zone and Dst_Zone.
        print "\nPolicy_ID: $1\tService: $2\tProto: $3\tSrc_Zone: $4\t\tDst_Zone: $5\n";
        $line = $6;

        # action=Permit sent=98 rcvd=94 src=172.16.1.2 dst=200.200.200.200 src_port=123 dst_port=123
        $line =~ m/^.+?\=(.+?)\s.+?\=(\d+?)\s.+?\=(\d+?)\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?\=(\d+?)\s(.*)/; # Grabs Action, Sent, Rcvd, Src, Dst, Src_port and Dst_port
        print "Action: $1\tSent: $2\tRcvd: $3\tSrc: $4\tDest: $5\tSrc_Port: $6\tDst_port: $7\n";
        $line = $8;

        # src-xlated ip=200.200.200.200 port=16221 dst-xlated ip=200.200.200.200 port=123 session_id=47889 reason=Close - AGE OUT
        $line =~ m/^.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s.+?\=(\d+?)\s.+?(\d+?)\s.+?\=(.*)/; # Grabs Xlated src and dst ip's and ports, session id and reason
        print "Xlate_src: $1\tXlate_src_port: $2\tXlate_dst: $3\tXlate_dst_port: $4\tSessionID: $5\tReason: $6\n";
    }
}
close(SYSLOG);

I added a section of the syslog in comment form prior to each Regex so you can see what the program is currently working on.
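As an added example (not code from the original post, and written in Python rather than the post's Perl), the same record can be pulled apart with one regex of named groups instead of a chain of positional captures handed from one match to the next, and the parsed records can then be rolled up into the list of flows that are hitting the ‘allow all’ rule. The sample log lines are constructed from the fragments quoted in the comments of the Perl script, joined onto single lines; the assumption that policy_id 1 is the catch-all rule, the extra lines, and the function names are all mine.

```python
import re
from collections import Counter

# Field layout of a NetScreen "system-notification-00257(traffic)" record,
# taken from the fragments quoted in the Perl comments above. Named groups
# replace the positional $1..$8 chain, and the whole line must match, so a
# partial or unrelated record is rejected rather than half-parsed.
TRAFFIC_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<relay>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>[^:]+): '
    r'NetScreen device_id=(?P<device>\S+)\s+'
    r'\[Root\]system-notification-(?P<msgid>\d+)\(traffic\): '
    r'start_time="(?P<start_time>[^"]+)" duration=(?P<duration>\d+) '
    r'policy_id=(?P<policy_id>\d+) service=(?P<service>.+?) proto=(?P<proto>\d+) '
    r'src zone=(?P<src_zone>\S+) dst zone=(?P<dst_zone>\S+) '
    r'action=(?P<action>\S+) sent=(?P<sent>\d+) rcvd=(?P<rcvd>\d+) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'src_port=(?P<src_port>\d+) dst_port=(?P<dst_port>\d+) '
    r'src-xlated ip=(?P<xsrc>\S+) port=(?P<xsrc_port>\d+) '
    r'dst-xlated ip=(?P<xdst>\S+) port=(?P<xdst_port>\d+) '
    r'session_id=(?P<session_id>\d+) reason=(?P<reason>.*)$'
)

INT_FIELDS = ("duration", "policy_id", "proto", "sent", "rcvd",
              "src_port", "dst_port", "xsrc_port", "xdst_port", "session_id")


def parse_traffic_line(line):
    """Return a dict of fields, or None when the line is not a traffic record."""
    m = TRAFFIC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def summarise_catch_all(lines, catch_all_policy):
    """Count distinct permitted flows (src zone, dst zone, dst, proto,
    dst_port, service) that matched the catch-all policy. Each key is a
    candidate for a specific rule to be added above it. The number of lines
    that did not parse is returned too, so nothing is dropped silently."""
    flows = Counter()
    skipped = 0
    for line in lines:
        rec = parse_traffic_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["policy_id"] != catch_all_policy or rec["action"] != "Permit":
            continue
        flows[(rec["src_zone"], rec["dst_zone"], rec["dst"],
               rec["proto"], rec["dst_port"], rec["service"])] += 1
    return flows, skipped


# Constructed sample input (policy_id 1 assumed to be the 'allow all' rule).
PREFIX = ('Sep  3 15:05:23 172.16.1.250 FW: NetScreen device_id=FW  '
          '[Root]system-notification-00257(traffic): ')
SAMPLE_LINES = [
    # the record quoted in the Perl comments, reassembled on one line
    PREFIX + 'start_time="2009-09-03 15:11:58" duration=60 policy_id=1 '
    'service=Network Time proto=17 src zone=Trust dst zone=Untrust action=Permit '
    'sent=98 rcvd=94 src=172.16.1.2 dst=200.200.200.200 src_port=123 dst_port=123 '
    'src-xlated ip=200.200.200.200 port=16221 dst-xlated ip=200.200.200.200 port=123 '
    'session_id=47889 reason=Close - AGE OUT',
    # constructed: a second host using the same NTP flow
    PREFIX + 'start_time="2009-09-03 15:12:02" duration=60 policy_id=1 '
    'service=Network Time proto=17 src zone=Trust dst zone=Untrust action=Permit '
    'sent=98 rcvd=94 src=172.16.1.3 dst=200.200.200.200 src_port=123 dst_port=123 '
    'src-xlated ip=200.200.200.200 port=16222 dst-xlated ip=200.200.200.200 port=123 '
    'session_id=47890 reason=Close - AGE OUT',
    # constructed: web traffic also hitting the catch-all
    PREFIX + 'start_time="2009-09-03 15:12:30" duration=12 policy_id=1 '
    'service=HTTP proto=6 src zone=Trust dst zone=Untrust action=Permit '
    'sent=512 rcvd=2048 src=172.16.1.20 dst=198.51.100.7 src_port=51234 dst_port=80 '
    'src-xlated ip=200.200.200.200 port=16300 dst-xlated ip=198.51.100.7 port=80 '
    'session_id=47901 reason=Close - TCP FIN',
    # constructed: DNS already covered by a specific policy, so not a candidate
    PREFIX + 'start_time="2009-09-03 15:12:40" duration=1 policy_id=5 '
    'service=DNS proto=17 src zone=Trust dst zone=Untrust action=Permit '
    'sent=70 rcvd=140 src=172.16.1.20 dst=198.51.100.53 src_port=40000 dst_port=53 '
    'src-xlated ip=200.200.200.200 port=16301 dst-xlated ip=198.51.100.53 port=53 '
    'session_id=47902 reason=Close - AGE OUT',
    # constructed: a non-traffic line that must be skipped, not misparsed
    'Sep  3 15:12:41 172.16.1.250 FW: NetScreen device_id=FW  '
    '[Root]system-notification-00000(other): constructed non-traffic record',
]

if __name__ == "__main__":
    flows, skipped = summarise_catch_all(SAMPLE_LINES, catch_all_policy=1)
    for key, hits in flows.most_common():
        print(hits, key)
    print("unparsed lines:", skipped)
```

Anchoring the whole line with `^` and `$` is what makes the skipped count meaningful: a record with an unexpected field order fails outright and is reported, which is the check a regex chain of `.+?\=(.+?)` fragments cannot give you.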

Part 2 will see the move from screen print to database insertion as well as some more data manipulation to provide clear, concise rules to be added to the firewall rule set.

Check back soon to see Part 2 or add me to your RSS feed to be notified automatically.

I would love to hear comments from experienced coders on how they would have tackled this project.

To Perl or to Python? That is the question…

August 18th, 2009

Perl has been my programming language of choice for quite some time now. I haven’t put enough time into it to be a very good programmer, but I have been slowly making progress. Lately, however, I find myself considering using Python instead.

So why did I choose Perl in the first place?

I was steered into Perl by a very knowledgeable mate of mine who has always been there to help me nut out some of my teething problems along the way. Syntax-wise there are a few things that I really like about Perl. Variables, hashes and arrays are always prefixed with the ‘$’, ‘%’ and ‘@’ symbols respectively, and blocks of code are encapsulated in curly brackets. This makes my simple code much easier to read. Unfortunately the same syntax joy can cause syntax heartache too: Perl can be a real nightmare to read, especially when going back to your code after a month or two.

Then why Python?

Python is meant to be a lot easier to code in. Sometimes I find myself fighting with a piece of Perl for hours and getting nowhere. I am hoping that Python might help me with this problem (at least a little bit :) ). The research I have been doing shows that a majority of Perl users who take the time to learn Python end up using Python as their preferred language. Then, if you look at the number of large organizations that are using Python, handy tools such as Scapy, and the speed at which Python is taking off in popularity, the choice seems fairly clear.

I will miss my curly bracket bounding and pretty variables, but hopefully the feeling of this shortfall will be short lived. Perl will always have a soft spot in my heart so I don’t think I will ever be able to leave it entirely.

I have the O’Reilly book ‘Learning Python’ by Mark Lutz and have whipped through the first 4 chapters… so far so good, although we still haven’t gotten to actually coding anything yet :S

I’ll keep you posted
