Nmap are conducting a survey to find out how users interact with their products and other bits and pieces.
Help them help you by filling out the questionnaire. They need 5000 responses and at the time of writing have only received 231, so get cracking!
Core Security Technologies have just announced that the next version of Core Impact Pro (due out in April) will support Metasploit integration. It's not a bad list of things you will be able to do, either:
* Bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent. The Agent is a patented syscall proxy payload that allows users to:
  1. Launch IMPACT Pro's full range of automated penetration testing capabilities from the compromised system.
  2. Leverage IMPACT's broad selection of commercial-grade exploits, plus multiple pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.
  3. Pivot penetration tests to other systems, mimicking an attacker's attempts at identifying and exploiting paths of weakness to backend systems and data.
* Use IMPACT Pro's automated Rapid Penetration Test (RPT) to exploit vulnerabilities, then launch Metasploit's db_autopwn feature and subsequently upload the results back into IMPACT Pro. This allows users with less training and expertise to view Metasploit testing information within the IMPACT environment.
I for one am looking forward to playing with this.
Posted in Core Impact, Metasploit, News, Tools
Tags: Core db-autopwn Impact integration Metasploit penetration Pro Rapid RPT security Technologies Test
Last week I had it pointed out to me by Jamie Gadd that v.02 was fatally flawed and, in fact, did not work at all.
Due to this embarrassing incident I have recoded pattern2code based on some code that Jamie provided. He is somewhat of a stellar coder, so this version looks much nicer than anything I have provided thus far.
The new code can be downloaded from the tools section and more information about the script can be found here.
Special thanks to Jamie for the feedback and for showing me some new coding tricks.
Posted in Coding, Metasploit, Tools
UPDATE: Jamie Gadd has nicely pointed out that the version 0.02 of this code is so flawed that it doesn’t even come close to working. I am at a loss to explain how I managed to upload such dysfunctional code. This code has now been removed from the site. The current version can be found here.
While the first version of Pattern2Code was functional, I was far from happy with the actual code. This version doesn’t add any new features, but the code is somewhat nicer. I have updated this post with v.02 and both versions can now be downloaded from the tools section.
Posted in Coding, Metasploit, Tools
UPDATE: Pattern2Code is now at V.03. This page has been updated with that version of code.
pattern_create.rb is a great little tool that can be found in the /tools directory of your Metasploit framework. It is used to create a non-repeating pattern of characters of a specified length, which you can then send to an application as the input for a buffer overflow test. Its sister script, pattern_offset.rb, is then used to identify how many bytes from the start of the pattern a particular fragment of it occurred at.
pattern2code.py is a script I created to save me manually modifying the pattern_create.rb patterns to fit into my fuzzing code. It's simple to use and will output the pattern as either Python, Perl or C code.
Running the script is as simple as piping the output from pattern_create.rb into pattern2code.py and specifying a name for the buffer, the length of each split, and the output language.
The instructions below can also be found in the script if required:
[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>
[+] <buffername> = Custom buffer name
[+] <length> = Length of each split
[+] <languagename> = Perl, Python or C
[+] <input> piped input from pattern_create.rb
Output examples:
# ./pattern_create.rb 180 | ./splitter.py overflowbuff 50 python
overflowbuff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab"
overflowbuff += "6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A"
overflowbuff += "d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
overflowbuff += "Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
^ Python code output with a 50 character split.
# ./pattern_create.rb 260 | ./splitter.py newbuffer 40 perl
my $newbuffer =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2A" .
"b3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac" .
"6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9" .
"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A" .
"f3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag" .
"6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9" .
"Ai0Ai1Ai2Ai3Ai4Ai5Ai";
^ Perl code output with a 40 character split.
# ./pattern_create.rb 260 | ./splitter.py newbuffer 55 c
unsigned char newbuffer[] =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7A"
"b8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad"
"6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4"
"Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2A"
"h3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai";
^ C code output with a 55 character split.
Here is the code for your enjoyment.
```python
#!/usr/bin/env python
# pattern2code.py V0.03 (Python 2: print statement, xrange)
import sys

if len(sys.argv) != 4:
    print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
    print "+                                                      +"
    print "+ pattern2code.py V0.03                                +"
    print "+ Created by Damian Grace - http://www.damiangrace.com +"
    print "+ Restructure based on code by Jamie Gadd              +"
    print "+                                                      +"
    print "++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
    print "[+] Usage: ./pattern2code.py <buffername> <length> <languagename> <input>"
    print "[+] <buffername> = Custom buffer name"
    print "[+] <length> = Length of each split"
    print "[+] <languagename> = Perl, Python or C"
    print "[+] <input> piped input from pattern_create.rb\n"
    print "[+] This program is for use with pattern_create.rb which comes"
    print "[+] bundled with Metasploit in the tools directory."
    print "[+] To make it executable: chmod 755 ./pattern2code.py"
    print "[+] While its in the tools directory run it like so:"
    print "[+] ./pattern_create.rb 2000 | ./pattern2code.py buffer 50 python\n"
    sys.exit(2)

# read buffer name and split length
buffername = sys.argv[1]
splitlength = int(sys.argv[2])

# read pattern and remove the trailing newline (if there is one)
pattern = sys.stdin.read().rstrip("\n")

# language options: (start, separator emitted before each further chunk, end)
language = {"perl": ("my $" + buffername + " = \t\"" + pattern[:splitlength], "\" .\n\t\t\"", "\";\n"),
            "python": (buffername + " = \t\"" + pattern[:splitlength], "\"\n" + buffername + " += \"", "\"\n"),
            "c": ("unsigned char " + buffername + "[] = \"" + pattern[:splitlength], "\" \\\n\t\t\"", "\";\n")}

# parse args: reject an unknown language instead of silently printing nothing
if sys.argv[3] not in language:
    sys.exit("[!] <languagename> must be perl, python or c")
start, mid, end = language[sys.argv[3]]

# main: first chunk, then each further chunk preceded by the separator
sys.stdout.write(start)
for x in xrange(splitlength, len(pattern), splitlength):
    sys.stdout.write(mid + pattern[x:x + splitlength])
sys.stdout.write(end)
```
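To show the whole workflow the post describes in one place, here is an added Python 3 example (not the pattern2code.py above, and not Metasploit's own code) that reproduces the pattern_create.rb sequence, does the pattern_offset.rb lookup from either the four characters seen in a register or the register's integer value (decoded little-endian), and emits the pattern as split Python, Perl or C literals in the same layout as the output examples. The function names pattern_create, pattern_offset and to_code and the 20280-character wrap-around are assumptions of this example; the generated output for the page's own inputs matches the examples above.

```python
#!/usr/bin/env python3
"""Added example: cyclic pattern generation, offset lookup and code emission.
Not the page's pattern2code.py; names and the wrap-around rule are assumptions."""
import string
import sys
from itertools import product


def pattern_create(length):
    """Build the pattern_create.rb sequence: every upper/lower/digit triple in
    order (Aa0 Aa1 ... Zz9), truncated to `length` characters. The sequence is
    unique for 20280 characters; longer requests repeat it (assumption)."""
    full = "".join(u + l + d for u, l, d in product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    if length > len(full):
        full = full * (length // len(full) + 1)
    return full[:length]


def pattern_offset(pattern, query):
    """pattern_offset.rb equivalent: index of `query` in `pattern`, or -1.
    `query` is either the 4 characters that landed in a register or that
    register's integer value, which is decoded as 4 little-endian bytes
    (0x37634136 -> bytes 36 41 63 37 -> "6Ac7")."""
    if isinstance(query, int):
        query = query.to_bytes(4, "little").decode("ascii", errors="replace")
    return pattern.find(query)


def to_code(name, pattern, split, language):
    """Emit `pattern` as a `name` string literal split every `split` characters,
    in the layout pattern2code.py uses for python, perl and c."""
    if not pattern:
        raise ValueError("empty pattern: nothing to emit")
    if split <= 0:
        raise ValueError("split length must be positive")
    parts = [pattern[i:i + split] for i in range(0, len(pattern), split)]
    if language == "python":
        lines = [f'{name} = "{parts[0]}"']
        lines += [f'{name} += "{p}"' for p in parts[1:]]
        return "\n".join(lines)
    if language == "perl":
        # each chunk is joined to the next with the string concatenation operator
        return f"my ${name} =\n\t" + " .\n\t".join(f'"{p}"' for p in parts) + ";"
    if language == "c":
        # adjacent string literals are concatenated by the C compiler
        return f"unsigned char {name}[] =\n\t" + "\n\t".join(f'"{p}"' for p in parts) + ";"
    raise ValueError("language must be python, perl or c")


if __name__ == "__main__":
    # Same calling convention as the post: ./pattern_create.rb N | script <name> <split> <lang>
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <buffername> <length> <python|perl|c>  (pattern on stdin)")
    # constructed sample input when nothing is piped in: a 260 character pattern
    raw = sys.stdin.read() if not sys.stdin.isatty() else pattern_create(260)
    print(to_code(sys.argv[1], raw.rstrip("\n"), int(sys.argv[2]), sys.argv[3]))
```

Unlike the original script, to_code rejects an empty pattern and an unknown language instead of producing an empty file, and pattern_offset returns -1 rather than a misleading position when the bytes you saw in the register are not part of the pattern at all (which usually means the input was mangled on the way in, not that the offset is wrong).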
The code can also be downloaded here.
Enjoy!
P.S. I would love to hear feedback on how to improve my code so please leave a comment…
Posted in Coding, Metasploit, Tools
Tags: c code create creator framework Metasploit pattern pattern2code pattern_offset.rb patter_create.rb Perl python
© 2012 DamianGrace.com · Proudly powered by WordPress & Green Park 2 by Cordobo.