[Tool] Unique Pattern Generator for Exploit Development

CAUTION: I have realised, that this script gives wrong results after a certain length of characters. It’s not recommended for use. The intention for this script was for me to learn some coding – which I have. But I haven’ got the time at the moment to fix the errors. Hopefully, sometime in the future, I’ll be able to re-write the code. You can use corelanc0d3r’s pvefindaddr.py, which is an excellent script for Immunity Debugger.

Update: Thanks to corelanc0d3r for pointing out that my script does not generate an output same as the metasploit and pvefindaddr scripts. This is useful, as pointed by him, to anyone wishing to mix the outputs/offsets between the tools. I have made relevant changes to the code and also fixed another bug which prevented all offsets from being calculated.

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:
1) to generate the string pattern (tools/pattern_create.rb)
2) to find the offset of the required pattern (tools/pattern_offset.rb)

These are amazing utilities and really helpful for exploit development. However, the scripts are based on Ruby (in the Metasploit Framework) and it may not be possible for someone to carry the entire MSF.
Now people have come up with many alternate solutions and have made their own ports to different scripting languages based on these 2 utilities. I have been getting my hand dirty with Perl for sometime now, and this served as a good project for me to learn Perl.

So I have also developed a Perl script which combines these two functionality (i.e. pattern generation and offset search) into one script. The code is available at the end of this post. It’s not a complete port, but it be should be able to do the job most of the time.

There are two modes of operation:
1) Only one argument is provided which is the length of the string to be generated
(./gspattern.pl [length of string])
2) Both length of string and pattern whose offset is to be found are provided
(./gspattern.pl [length of string] [pattern to search] )

The script can handle multiple occurrences of the pattern (this would happen in cases where the string length is very large)

(Let me know if you find any bugs in the code. I am no expert programmer. Just getting my hands dirty in Perl.The script can currently generate strings of length upto 20306 characters.)

Thanks !

#!/usr/bin/perl -w
use strict;

# Generate/Search Pattern (gspattern.pl) v0.2
# Scripted by Wasim Halani (washal)
# Visit me at https://securitythoughts.wordpress.com/
# Thanks to hdm and the Metasploit team
# Special thanks to Peter Van Eeckhoutte(corelanc0d3r) for his amazing Exploit Development tutorials
# This script is to be used for educational purposes only.

my $ustart = 65;
my $uend = 90;
my $lstart = 97;
my $lend = 122;
my $nstart = 0;
my $nend = 9;
my $length ;
my $string = "";
my ($upper, $lower, $num);
my $searchflag = 0;
my $searchstring;

sub credits(){
    print "\nGenerate/Search Pattern \n";
    print "Scripted by Wasim Halani (washal)\n";
    print "https://securitythoughts.wordpress.com/\n";
    print "Version 0.2\n\n";
}

sub usage(){
    credits();
    print " Usage: \n";
    print " gspattern.pl  \n";
    print "         Will generate a string of given length. \n";
    print "\n";
    print " gspattern.pl   \n";
    print "         Will generate a string of given length,\n";
    print "         and display the offsets of pattern found.\n";
}

sub generate(){
    credits();
    $length = $ARGV[0];
    #print "Generating string for length : " .$length . "\n";
    if(length($string) == $length){
		finish();
    }
    #looping for the uppercase
    for($upper = $ustart; $upper <= $uend;$upper++){
		$string =$string.chr($upper);
		if(length($string) == $length){
			finish();
		}
		#looping for the lowercase
		for($lower = $lstart; $lower <= $lend;$lower++){
			$string =$string.chr($lower);
            if(length($string) == $length){
                finish();
			}
            #looping for the numeral
            for($num = $nstart; $num <= $nend;$num++){
                $string = $string.$num;
                if(length($string) == $length){
                    finish();
				}
				$string = $string.chr($upper);
				if(length($string) == $length){
					finish();
				}
				if($num != $nend){
                    $string = $string.chr($lower);
				}
				if(length($string) == $length){
					finish();
				}
			}
		}
    }
}

sub search(){
    my $offset = index($string,$searchstring);
    if($offset == -1){
		print "Pattern '".$searchstring."' not found\n";
		exit(1);
    }
    else{
		print "Pattern '".$searchstring."' found at offset(s) : ";
    }
    my $count = $offset;
    print $count." ";

    while($length){
        $offset = index($string,$searchstring,$offset+1);
        if($offset == -1){
			print "\n";
			exit(1);
		}
		print $offset ." ";
		$count = $count + $offset;
    }
    print "\n";
    exit(1);
}

sub finish(){
    print "String is : \n".$string ."\n\n";
    if($searchflag){
        search();
    }
    exit(1);
}

if(!$ARGV[0]){
    usage();
    #print "Going into usage..";
}
elsif ($ARGV[1]){
    $searchflag = 1;
    $searchstring = $ARGV[1];
    generate();
    #print "Going into pattern search...";
}
else {
     generate();
     #print "Going into string generation...";
}

• exploit developemt
• metasploit
• perl