[Tool] Unique Pattern Generator for Exploit Development

CAUTION: I have realised, that this script gives wrong results after a certain length of characters. It’s not recommended for use. The intention for this script was for me to learn some coding – which I have. But I haven’ got the time at the moment to fix the errors. Hopefully, sometime in the future, I’ll be able to re-write the code. You can use corelanc0d3r’s pvefindaddr.py, which is an excellent script for Immunity Debugger.

Update: Thanks to corelanc0d3r for pointing out that my script does not generate an output same as the metasploit and pvefindaddr scripts. This is useful, as pointed by him, to anyone wishing to mix the outputs/offsets between the tools. I have made relevant changes to the code and also fixed another bug which prevented all offsets from being calculated.

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:
1) to generate the string pattern (tools/pattern_create.rb)
2) to find the offset of the required pattern (tools/pattern_offset.rb)

These are amazing utilities and really helpful for exploit development. However, the scripts are based on Ruby (in the Metasploit Framework) and it may not be possible for someone to carry the entire MSF.
Now people have come up with many alternate solutions and have made their own ports to different scripting languages based on these 2 utilities. I have been getting my hand dirty with Perl for sometime now, and this served as a good project for me to learn Perl.

So I have also developed a Perl script which combines these two functionality (i.e. pattern generation and offset search) into one script. The code is available at the end of this post. It’s not a complete port, but it be should be able to do the job most of the time.

There are two modes of operation:
1) Only one argument is provided which is the length of the string to be generated
(./gspattern.pl [length of string])
2) Both length of string and pattern whose offset is to be found are provided
(./gspattern.pl [length of string] [pattern to search] )

The script can handle multiple occurrences of the pattern (this would happen in cases where the string length is very large)

(Let me know if you find any bugs in the code. I am no expert programmer. Just getting my hands dirty in Perl.The script can currently generate strings of length upto 20306 characters.)

Thanks !

#!/usr/bin/perl -w
use strict;

# Generate/Search Pattern (gspattern.pl) v0.2
# Scripted by Wasim Halani (washal)
# Visit me at http://securitythoughts.wordpress.com/
# Thanks to hdm and the Metasploit team
# Special thanks to Peter Van Eeckhoutte(corelanc0d3r) for his amazing Exploit Development tutorials
# This script is to be used for educational purposes only.

my $ustart = 65;
my $uend = 90;
my $lstart = 97;
my $lend = 122;
my $nstart = 0;
my $nend = 9;
my $length ;
my $string = "";
my ($upper, $lower, $num);
my $searchflag = 0;
my $searchstring;

sub credits(){
    print "\nGenerate/Search Pattern \n";
    print "Scripted by Wasim Halani (washal)\n";
    print "http://securitythoughts.wordpress.com/\n";
    print "Version 0.2\n\n";
}

sub usage(){
    credits();
    print " Usage: \n";
    print " gspattern.pl  \n";
    print "         Will generate a string of given length. \n";
    print "\n";
    print " gspattern.pl   \n";
    print "         Will generate a string of given length,\n";
    print "         and display the offsets of pattern found.\n";
}

sub generate(){
    credits();
    $length = $ARGV[0];
    #print "Generating string for length : " .$length . "\n";
    if(length($string) == $length){
		finish();
    }
    #looping for the uppercase
    for($upper = $ustart; $upper <= $uend;$upper++){
		$string =$string.chr($upper);
		if(length($string) == $length){
			finish();
		}
		#looping for the lowercase
		for($lower = $lstart; $lower <= $lend;$lower++){
			$string =$string.chr($lower);
            if(length($string) == $length){
                finish();
			}
            #looping for the numeral
            for($num = $nstart; $num <= $nend;$num++){
                $string = $string.$num;
                if(length($string) == $length){
                    finish();
				}
				$string = $string.chr($upper);
				if(length($string) == $length){
					finish();
				}
				if($num != $nend){
                    $string = $string.chr($lower);
				}
				if(length($string) == $length){
					finish();
				}
			}
		}
    }
}

sub search(){
    my $offset = index($string,$searchstring);
    if($offset == -1){
		print "Pattern '".$searchstring."' not found\n";
		exit(1);
    }
    else{
		print "Pattern '".$searchstring."' found at offset(s) : ";
    }
    my $count = $offset;
    print $count." ";

    while($length){
        $offset = index($string,$searchstring,$offset+1);
        if($offset == -1){
			print "\n";
			exit(1);
		}
		print $offset ." ";
		$count = $count + $offset;
    }
    print "\n";
    exit(1);
}

sub finish(){
    print "String is : \n".$string ."\n\n";
    if($searchflag){
        search();
    }
    exit(1);
}

if(!$ARGV[0]){
    usage();
    #print "Going into usage..";
}
elsif ($ARGV[1]){
    $searchflag = 1;
    $searchstring = $ARGV[1];
    generate();
    #print "Going into pattern search...";
}
else {
     generate();
     #print "Going into string generation...";
}

About these ads

4 responses to this post.

  1. Excellent work sir !

    FYI : my pvefindaddr plugin for Immunity Debugger has this feature built in as well (so in case you only the debugger and the plugin, you can generate a unique pattern and calculate offsets directly from within the debugger too :-)

    http://www.corelan.be:8800/index.php/security/pvefindaddr-py-immunity-debugger-pycommand/

    !pvefindaddr pattern_create size
    !pvefindaddr pattern_offset value

    Reply

    • Posted by Wasim Halani on March 19, 2010 at 6:32 pm

      Thank you Peter.
      Your tutorials have been of great encouragement to me in learning Exploit Dev :-)
      Yes, I did try out your tool too. It certainly has many more useful features !!

      I wrote this script basically as a learning exercise. Do you see any bugs in it ?

      Reply

  2. Posted by raj3sh on January 19, 2011 at 4:07 pm

    wow .. was learning peters tutorial and googled about a perl script for pattern creator and offset finder(for windows)…and reached here .. script is not workin for me .. and found abt the plugin for debugger by peters reply and now am goin back to peters blog .. great

    thanks guys great work

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 299 other followers

%d bloggers like this: