Python tool that combines genbuf.pl and pattern_offset.rb

[linuxchuck]

Hello all.

This is a little python script I wrote not long ago while starting to learn Python. It's very straight forward. It combines the features of genbuf.pl and pattern_offset.rb into one all-python package.

If you do not know what those two scripts are for, they can be found with Metasploit, and are used to generate a unique pattern of characters that can be used during exploit development to locate where a given register is overwritten within that pattern.

This little script combines the features of both. (Yes, I know there are others out there, but I couldn't find it in Python, so I wrote this.)

Well, here it is... I'd love some comments, or suggestions to improve the script... Hell, you can just be brutal if you want.

Code:

#!/usr/bin/python
#######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
# 
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
# 
# A copy of the GNU General Public License can be found at:
# http :// www .gnu .org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
#######################################################

#
# buftool.py:  By Linuxchuck
#
# Inspired by genbuf.pl, which uses Pex::Text::PatternCreate and also by
#   pattern_offset.rb found in the Metasploit Framework 3 tools directory.
#   Credit goes to the authors of those files.
#
# This script combines the function of both scripts into one package using
#   only Python.

import sys
import string

def usage():
    print "Usage: ", sys.argv[0], " <number> [string]"
    print "   <number> is the size of the buffer to generate."
    print "   [string] is the optional string to search for in the buffer."
    print ""
    print "   If [string] is provided, the buffer will not be printed, only the location"
    print "     of where the string starts in the buffer.  This search is CASE SENSITIVE!"
    sys.exit()

try:
    dummy = int(sys.argv[1])
except:
    usage()

if len(sys.argv) > 3:
    usage

if len(sys.argv) == 3:
    search = "TRUE"
    searchstr = sys.argv[2]
else:
    search = "FALSE"

stop = int(sys.argv[1]) / 3 + 1
patend = int(sys.argv[1])
patrange = range(0,stop,1)
first = 65
second = 97
third = 0
item = ""

for i in patrange:
    reset_first = "FALSE"
    reset_second = "FALSE"
    if third == 10:
        third = 0
        second += 1
    if second == 123:
        first +=1
        reset_second = "TRUE"
    if first == 92:
        reset_first = "TRUE"
    item += chr(first)
    item += chr(second)
    item += str(third)
    third += 1
    if reset_first == "TRUE":
        first = 65
    if reset_second == "TRUE":
        second = 97

if search != "TRUE":
    sys.stdout.write(item[0:patend])
else:
    location = item.find(searchstr)
    if location == -1:
        print sys.argv[2] + " not found in buffer."
        sys.exit()
    print location

[shamanvirtuel]

thx 4 contribute !

will throw an eye when i got time ....

[paddy3118]

Hi,
You don't need to use strings for True and False use the boolean literals True and False instead.

- Paddy

[linuxchuck]

Hi,
You don't need to use strings for True and False use the boolean literals True and False instead.

- Paddy

Ahh, so if I did that, could I simplify

Code:

if search != "TRUE":

to this:

Code:

if not search:

?

Thanks for the suggestion. I'm still learning as I go, and am glad to take any pointers I get along the way.

[Siph0n]

In case you didn't get the answer yet linuxchuck, yes you can do that.