Metasploit mailing list archives
Firewall/IDS/AV Stress Tester
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 11 Jan 2006 12:43:00 -0600
On Wed, Jan 11, 2006 at 09:10:51PM +0500, vmukhi at vsnl.com wrote:
> I am using the Metasploit Framework to write a Firewall/IDS/Anti Virus Stress testing product. Too many people I meet are convinced that if they use the above products, their networks are safe from intruders. Thus I wanted a product that will take an exploit and encode it with different encoders to see which signatures are caught by the Firewall/IDS/AV. I read an e-mail on this list that said that even though we were allowed to specify an encoder, the framework finally decided. I made the following changes in the source code to achieve my objective. Am I doing the right thing? The code follows.
Very cool. We're glad that you're finding the framework useful for this! It's great to see people already writing scripts and extensions to the 3.0 version. Judging from your code, the thing you are trying to accomplish is to just encode a specific buffer "\x90\xcc" with a few different encoders. You can accomplish this without having to implement an exploit or a payload. Here's how:

    require 'msf/base'

    # Stand up a minimal framework instance (no console, exploit or payload needed)
    framework = Msf::Simple::Framework.create

    # ARGV[0] is the encoder name, ARGV[1] the number of encodings to produce
    count = (ARGV[1] || 1).to_i

    if ((encoder = framework.encoders.create(ARGV[0])) == nil)
      puts "Invalid encoder: #{ARGV[0]}"
      exit
    end

    # Encode the same two-byte buffer repeatedly; a polymorphic encoder
    # produces different output on each call
    count.times { |x|
      puts "#{x}: " + Rex::Text.to_hex(encoder.encode("\x90\xcc"))
    }

This produces output like:

    $ ruby -I../lib manish.rb x86/shikata_ga_nai 10
    0: \x2b\xc9\xb1\x02\xba\xee\xd1\x50\x90\xdd\xc4\xd9\x74\x24\xf4\x5e\x31\x56\x0e\x83\xc6\x04\x03\xb8\xdb\xb2\x65\xd4\x10\x32\x86
    1: \xdb\xc3\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x02\xb8\xfa\x82\x31\xe9\x83\xc7\x04\x31\x47\x13\x03\xbd\x91\xd3\x1c\xd1\x5a\x13\xdf
    2: \xdb\xd0\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x02\xba\x0f\xd6\x7b\x71\x31\x50\x17\x03\x50\x17\x83\xcf\xd2\x99\x84\x5f\x16\x5d\x67
    3: \xb8\xc5\xb8\xfc\xc4\xd9\xcc\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x02\x31\x42\x12\x83\xc2\x04\x03\x87\xb6\x1e\x31\x97\x0b\xde\xba
    4: \x29\xc9\xb1\x02\xbf\x6a\x9c\xac\x76\xda\xc0\xd9\x74\x24\xf4\x58\x31\x78\x0e\x03\x78\x0e\x83\x82\x60\x4e\x83\xc2\x55\x8f\x6c
    5: \x33\xc9\xb1\x02\xbd\x63\xf4\x64\xa3\xdb\xd1\xd9\x74\x24\xf4\x5a\x31\x6a\x0e\x83\xc2\x04\x03\x09\xfe\x86\x56\x5d\x32\x46\x99
    6: \x2b\xc9\xb1\x02\xb8\x9b\x55\x45\x4b\xdd\xc7\xd9\x74\x24\xf4\x5e\x31\x46\x0e\x03\x46\x0e\x83\x75\xa9\xa7\xbe\x19\x9e\x28\x41
    7: \xba\x4d\xd4\xb9\x06\xd9\xf7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x02\x31\x56\x12\x03\x56\x12\x83\xa3\x28\x5b\xf3\xab\x1d\x9c\xfc
    8: \xba\x3f\x56\x56\x6b\xdd\xc4\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1\x02\x31\x53\x12\x03\x53\x12\x83\xd4\xaa\xb4\x9e\xba\x9f\x39\x61
    9: \x31\xc9\xb1\x02\xbd\x92\xb6\x4b\x89\xdb\xc5\xd9\x74\x24\xf4\x58\x31\x68\x0e\x03\x68\x0e\x83\x52\xb2\xa9\x7c\xc2\x77\x2d\x7f

Does this seem similar to what you are trying to do, or did I miss the point a bit?
> To achieve this we made the following changes in the file encoded_payload.rb found in folder lib/msf/core:
>
>     # encoded_payload.rb
>     #our code
>     if ( pinst.datastore['Encoder'] )
>       preferred = framework.encoders[ pinst.datastore['Encoder'] ]
>       encoders.unshift([pinst.datastore['Encoder'], preferred ])
>     end
>     #their code
>     encoders.each { |encname, encmod|
>       self.encoder = encmod.new
>       self.encoded = nil
>
> We simply copied some code written earlier so that the variables we set place our encoder first in the array and thus we can decide the encoder used. Is this the right way to write a stress test product?
We've corrected an issue that was making it so you couldn't define a specific encoder. The code is a bit different from what you've done, but the effect is the same. This will be included in the alpha2 release that we are hoping to put out on Friday. The bug was in the ExploitDriver class and proper support was not added to the Exploit class to propagate the information to the EncodedPayload class.
> We have a site wwww.vijaymukhi.com where you see that I have used a zillion products and languages in the past. From all of them, your Metasploit Framework is not the best but by far the best framework I have ever used in my life. I believe that your product will change the way we write exploits and security tools. I have even learnt Ruby and written over 250 pages on it. You may not realize what a great service you have done people like me who teach OS internals. Some of the tools I now plan on writing could not have been possible without your framework.
Very cool :) The encoders that were released with the alpha 1 release were not very robust. Our best x86 encoder (Shikata Ga Nai) will be included in the alpha 2 release. I've also made changes to the x86/jmp_call_additive encoder to make it polymorphic, but not to the extent that Shikata is. I'd be interested to see if you get better/worse results with the updated encoders.
> An open offer: if any developer from your team comes to Mumbai/Bombay, India, please be my guest. You will be doing me a favour. My way of saying thank you for the great framework that you have built.
Thanks for the offer and we will be sure to do so :)
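As an added, offline illustration of the encode loop in the reply above (this is not code from the thread and not part of the Metasploit Framework): ToyXorEncoder is a hypothetical single-byte XOR encoder whose constant 'STUB' marker stands in for a decoder stub, to_hex mirrors the escape-style output of Rex::Text.to_hex, and signature_hit_rate measures how often a fixed byte-string signature matches across a batch of encoded variants. It shows the two things a stress tester of this kind has to check for each encoder: that every variant still decodes to the original buffer, and that a signature written against the raw payload bytes never fires while one written against the unchanging decoder prefix always does, which is where signature-based products have to look to catch an encoded payload.

```ruby
# Hypothetical encoder for illustration only; it is not x86/shikata_ga_nai or
# any real Metasploit encoder. Output layout: STUB marker, one key byte, then
# the input XORed with that key.
class ToyXorEncoder
  STUB = 'STUB'.b  # constructed stand-in for a decoder stub, not real code

  attr_reader :key

  # A fresh random key per instance is what makes successive encodings differ
  def initialize(key = nil)
    @key = key || rand(1..255)
  end

  def encode(buf)
    STUB + [@key].pack('C') + buf.bytes.map { |b| b ^ @key }.pack('C*')
  end

  # Recover the original buffer from an encoded blob (what a decoder stub does)
  def self.decode(blob)
    key = blob.getbyte(STUB.bytesize)
    body = blob.byteslice(STUB.bytesize + 1, blob.bytesize)
    body.bytes.map { |b| b ^ key }.pack('C*')
  end
end

# Same \xNN escape style as Rex::Text.to_hex in the script above
def to_hex(str)
  str.bytes.map { |b| format('\\x%02x', b) }.join
end

# Encode the same buffer count times, each time with a new random key
def encode_variants(buf, count)
  Array.new(count) { ToyXorEncoder.new.encode(buf) }
end

# Fraction of variants in which a fixed byte-string signature appears
def signature_hit_rate(variants, signature)
  variants.count { |v| v.include?(signature) }.fdiv(variants.size)
end

if __FILE__ == $PROGRAM_NAME
  raw = "\x90\xcc".b  # constructed test buffer, the same two bytes used in the thread
  variants = encode_variants(raw, 10)
  variants.each_with_index { |v, i| puts "#{i}: #{to_hex(v)}" }
  puts "all variants decode back to raw: #{variants.all? { |v| ToyXorEncoder.decode(v) == raw }}"
  puts "hit rate, signature on raw bytes:    #{signature_hit_rate(variants, raw)}"
  puts "hit rate, signature on decoder stub: #{signature_hit_rate(variants, ToyXorEncoder::STUB)}"
end
```

Because the key is never zero, the raw bytes "\x90\xcc" cannot appear anywhere in an encoded variant, so the raw-byte signature scores 0.0 and the stub signature scores 1.0 on every run; a real polymorphic encoder such as Shikata Ga Nai also varies the decoder itself, which is why the ten outputs in the reply share no fixed prefix and why testing against several encoders, as the original poster set out to do, matters.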