Metasploit mailing list archives

Firewall/IDS/AV Stress Tester


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 11 Jan 2006 12:43:00 -0600

On Wed, Jan 11, 2006 at 09:10:51PM +0500, vmukhi at vsnl.com wrote:
> I am using the Metasploit Framework to write a Firewall/IDS/Anti Virus
> Stress testing product. Too many people I meet are convinced that if
> they use the above products, their networks are safe from intruders.
> Thus I wanted a product that will take an exploit and encode it with
> different encoders to see which signatures are caught by the
> Firewall/IDS/AV. I read an e-mail on this list that said that even
> though we were allowed to specify an encoder the framework finally
> decided. I made the following change in the source code to achieve my
> objective. Am I doing the right thing? The code follows.

Very cool.  We're glad that you're finding the framework useful for this!  It's
great to see people already writing scripts and extensions to the 3.0 version.

Judging from your code, the thing you are trying to accomplish is to just
encode a specific buffer "\x90\xcc" with a few different encoders.  You can
accomplish this without having to implement an exploit or a payload.  Here's
how:

require 'msf/base'

# Usage: ruby -I../lib manish.rb <encoder name> [count]
framework = Msf::Simple::Framework.create
count = (ARGV[1] || 1).to_i   # number of encodings to produce (default 1)

# Look the encoder up by name, e.g. x86/shikata_ga_nai
if ((encoder = framework.encoders.create(ARGV[0])) == nil)
   puts "Invalid encoder: #{ARGV[0]}"
   exit
end

# Encode the same two-byte buffer repeatedly; a polymorphic encoder
# yields a different result on each iteration
count.times { |x|
   puts "#{x}: " + Rex::Text.to_hex(encoder.encode("\x90\xcc"))
}

This produces output like:

$ ruby -I../lib manish.rb x86/shikata_ga_nai 10
0: \x2b\xc9\xb1\x02\xba\xee\xd1\x50\x90\xdd\xc4\xd9\x74\x24\xf4\x5e\x31\x56\x0e\x83\xc6\x04\x03\xb8\xdb\xb2\x65\xd4\x10\x32\x86
1: \xdb\xc3\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x02\xb8\xfa\x82\x31\xe9\x83\xc7\x04\x31\x47\x13\x03\xbd\x91\xd3\x1c\xd1\x5a\x13\xdf
2: \xdb\xd0\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x02\xba\x0f\xd6\x7b\x71\x31\x50\x17\x03\x50\x17\x83\xcf\xd2\x99\x84\x5f\x16\x5d\x67
3: \xb8\xc5\xb8\xfc\xc4\xd9\xcc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x02\x31\x42\x12\x83\xc2\x04\x03\x87\xb6\x1e\x31\x97\x0b\xde\xba
4: \x29\xc9\xb1\x02\xbf\x6a\x9c\xac\x76\xda\xc0\xd9\x74\x24\xf4\x58\x31\x78\x0e\x03\x78\x0e\x83\x82\x60\x4e\x83\xc2\x55\x8f\x6c
5: \x33\xc9\xb1\x02\xbd\x63\xf4\x64\xa3\xdb\xd1\xd9\x74\x24\xf4\x5a\x31\x6a\x0e\x83\xc2\x04\x03\x09\xfe\x86\x56\x5d\x32\x46\x99
6: \x2b\xc9\xb1\x02\xb8\x9b\x55\x45\x4b\xdd\xc7\xd9\x74\x24\xf4\x5e\x31\x46\x0e\x03\x46\x0e\x83\x75\xa9\xa7\xbe\x19\x9e\x28\x41
7: \xba\x4d\xd4\xb9\x06\xd9\xf7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x02\x31\x56\x12\x03\x56\x12\x83\xa3\x28\x5b\xf3\xab\x1d\x9c\xfc
8: \xba\x3f\x56\x56\x6b\xdd\xc4\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1\x02\x31\x53\x12\x03\x53\x12\x83\xd4\xaa\xb4\x9e\xba\x9f\x39\x61
9: \x31\xc9\xb1\x02\xbd\x92\xb6\x4b\x89\xdb\xc5\xd9\x74\x24\xf4\x58\x31\x68\x0e\x03\x68\x0e\x83\x52\xb2\xa9\x7c\xc2\x77\x2d\x7f

Does this seem similar to what you are trying to do, or did I miss the point a
bit?

> To achieve this we made the following changes in the file encoded_payload.rb, found in the folder lib/msf/core.
>
> encoded_payload.rb
> #our code
> if ( pinst.datastore['Encoder'] )
>    preferred = framework.encoders[ pinst.datastore['Encoder'] ]
>    encoders.unshift([pinst.datastore['Encoder'], preferred ])
> end
> #their code
> encoders.each { |encname, encmod|
>    self.encoder = encmod.new
>    self.encoded = nil

> We simply copied some code written earlier so that the variables we set place
> our encoder first in the array and thus we can decide the encoder used. Is this
> the right way to write a stress test product?

We've corrected an issue that was making it so you couldn't define a specific
encoder.  The code is a bit different from what you've done, but the effect is
the same.  This will be included in the alpha2 release that we are hoping to
put out on Friday.  The bug was in the ExploitDriver class and proper support
was not added to the Exploit class to propagate the information to the
EncodedPayload class.

> We have a site wwww.vijaymukhi.com where you see that I have used a zillion
> products and languages in the past. Of all of them, your Metasploit Framework
> is not the best but by far the best framework I have ever used in my life. I
> believe that your product will change the way we write exploits and security
> tools. I have even learnt Ruby and written over 250 pages on it. You may not
> realize what a great service you have done for people like me who teach OS
> internals. Some of the tools I now plan on writing could not have been possible
> without your framework.

Very cool :)  The encoders that were released with the alpha 1 release were 
not very robust.  Our best x86 encoder (Shikata Ga Nai) will be included in
the alpha 2 release.  I've also made changes to the x86/jmp_call_additive
encoder to make it polymorphic, but not to the extent that Shikata is.
I'd be interested to see if you get better/worse results with the updated
encoders.

> An open offer: if any developer from your team comes to Mumbai/Bombay, India,
> please be my guest. You will be doing me a favour. My way of saying thank you
> for the great framework that you have built.

Thanks for the offer and we will be sure to do so :)
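An added example from the defender's side, not code from this thread or from Metasploit: the script below takes the ten shikata_ga_nai outputs quoted earlier in the reply (re-entered as constructed input) and extracts the longest byte sequence they all share. Despite the polymorphism, every run keeps the decoder's GetPC stub \xd9\x74\x24\xf4 (fnstenv [esp-0xc]), which is the kind of invariant an IDS or AV signature keys on, while the offset at which it appears drifts from run to run.

```ruby
# Added example (not from the thread or Metasploit): the ten x86/shikata_ga_nai
# outputs quoted in the reply, re-entered here as constructed input.
SAMPLES_HEX = [
  '\x2b\xc9\xb1\x02\xba\xee\xd1\x50\x90\xdd\xc4\xd9\x74\x24\xf4\x5e\x31\x56\x0e\x83\xc6\x04\x03\xb8\xdb\xb2\x65\xd4\x10\x32\x86',
  '\xdb\xc3\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x02\xb8\xfa\x82\x31\xe9\x83\xc7\x04\x31\x47\x13\x03\xbd\x91\xd3\x1c\xd1\x5a\x13\xdf',
  '\xdb\xd0\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x02\xba\x0f\xd6\x7b\x71\x31\x50\x17\x03\x50\x17\x83\xcf\xd2\x99\x84\x5f\x16\x5d\x67',
  '\xb8\xc5\xb8\xfc\xc4\xd9\xcc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x02\x31\x42\x12\x83\xc2\x04\x03\x87\xb6\x1e\x31\x97\x0b\xde\xba',
  '\x29\xc9\xb1\x02\xbf\x6a\x9c\xac\x76\xda\xc0\xd9\x74\x24\xf4\x58\x31\x78\x0e\x03\x78\x0e\x83\x82\x60\x4e\x83\xc2\x55\x8f\x6c',
  '\x33\xc9\xb1\x02\xbd\x63\xf4\x64\xa3\xdb\xd1\xd9\x74\x24\xf4\x5a\x31\x6a\x0e\x83\xc2\x04\x03\x09\xfe\x86\x56\x5d\x32\x46\x99',
  '\x2b\xc9\xb1\x02\xb8\x9b\x55\x45\x4b\xdd\xc7\xd9\x74\x24\xf4\x5e\x31\x46\x0e\x03\x46\x0e\x83\x75\xa9\xa7\xbe\x19\x9e\x28\x41',
  '\xba\x4d\xd4\xb9\x06\xd9\xf7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x02\x31\x56\x12\x03\x56\x12\x83\xa3\x28\x5b\xf3\xab\x1d\x9c\xfc',
  '\xba\x3f\x56\x56\x6b\xdd\xc4\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1\x02\x31\x53\x12\x03\x53\x12\x83\xd4\xaa\xb4\x9e\xba\x9f\x39\x61',
  '\x31\xc9\xb1\x02\xbd\x92\xb6\x4b\x89\xdb\xc5\xd9\x74\x24\xf4\x58\x31\x68\x0e\x03\x68\x0e\x83\x52\xb2\xa9\x7c\xc2\x77\x2d\x7f'
].freeze

# Convert a Rex::Text.to_hex-style "\xNN..." string into a binary String.
def parse_hex(str)
  str.scan(/\\x([0-9a-f]{2})/i).flatten.map { |h| h.to_i(16) }.pack('C*')
end

# Longest byte sequence(s) present in every sample, i.e. the part of the decoder
# that the randomisation never touches. Returns [length, [sequences]] or [0, []].
def common_substrings(samples)
  shortest = samples.min_by(&:bytesize)
  shortest.bytesize.downto(1) do |len|
    found = []
    (0..shortest.bytesize - len).each do |i|
      cand = shortest.byteslice(i, len)
      next if found.include?(cand)
      found << cand if samples.all? { |s| s.include?(cand) }
    end
    return [len, found] unless found.empty?
  end
  [0, []]
end

# Byte offset of sig in each sample (nil if absent); it drifts between runs,
# so a signature must match anywhere in the stream, not at a fixed offset.
def offsets_of(samples, sig)
  samples.map { |s| s.index(sig) }
end

if __FILE__ == $PROGRAM_NAME
  samples = SAMPLES_HEX.map { |h| parse_hex(h) }
  len, sigs = common_substrings(samples)
  sigs.each do |sig|
    hex = sig.unpack('C*').map { |b| format('\x%02x', b) }.join
    puts "#{len}-byte invariant #{hex} at offsets #{offsets_of(samples, sig).inspect}"
  end
end
```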