A small helper for stack-overflow testing: it generates a cyclic (Metasploit-style) pattern to overflow a buffer with and, given the value that ended up in EIP after the crash, finds the offset of that value inside the pattern.
#!/usr/bin/python
#################### ####################
#                                       #
# Written by Ole Aass (2015)            #
# Inspired by Metasploit's pattern_(create|offset).rb #
#                                       #
#################### ####################
import binascii
import sys
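def offset(eip, pattern, endian):
    """Return the byte offset at which a crashed-register value sits in the pattern.

    Args:
        eip: the register value as a hex string, the way a debugger prints it
            (e.g. ``"63413563"``); an optional ``0x`` prefix is accepted. Any
            even number of hex digits works, so 16 digits can be passed for a
            64-bit register.
        pattern: the pattern the target was overflowed with, or ``None`` to
            search a freshly generated pattern of one full period
            (26*26*10*3 = 20280 bytes, the span over which every 4-byte
            window is unique). The old default of 10000 bytes silently missed
            offsets between 10000 and 20280.
        endian: ``"little"`` to reverse the bytes before searching (the
            usual case: on x86 the debugger shows the value byte-swapped);
            anything else searches for the bytes as given.

    Returns:
        Index of the first occurrence of the value in ``pattern``.

    Raises:
        ValueError: the value does not occur in the pattern (this includes
            bytes outside the pattern's alphabet and an empty value).
        binascii.Error / TypeError: ``eip`` is not valid even-length hex
            (Python 3 raises the former, Python 2 the latter).
    """
    hexval = eip.strip()
    if hexval[:2].lower() == '0x':
        hexval = hexval[2:]
    # binascii.unhexlify works on Python 2 and 3 (str.decode('hex') is 2-only).
    # latin-1 maps every byte to exactly one character, so a byte that cannot
    # occur in the pattern (e.g. 0xff) just fails the lookup below instead of
    # raising a decode error.
    raw = binascii.unhexlify(hexval).decode('latin-1')
    if not raw:
        raise ValueError('empty register value')
    # Compare with ==, not `is`: identity on strings only worked by accident
    # of CPython interning literals.
    if endian == 'little':
        raw = raw[::-1]
    if pattern is None:
        pattern = create(26 * 26 * 10 * 3)
    return pattern.index(raw)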
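def create(length):
    """Return a cyclic pattern of exactly ``length`` bytes.

    The sequence is the one Metasploit's ``pattern_create.rb`` produces:
    triplets of ``<upper><lower><digit>`` with the digit cycling fastest
    (``Aa0Aa1...Aa9Ab0...Zz9``). Every triplet, and therefore every 4-byte
    window, is unique within one period of 26*26*10*3 = 20280 bytes. Beyond
    that the sequence repeats, so a value located in a longer pattern may
    correspond to more than one offset.

    Args:
        length: number of bytes wanted; zero or negative yields ``""``.

    Returns:
        The pattern string, cut mid-triplet when ``length`` is not a
        multiple of three.
    """
    uppermap = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    lowermap = "abcdefghijklmnopqrstuvwxyz"
    digitmap = "0123456789"
    if length <= 0:
        return ''
    # Build one full period and slice it instead of hand-rolling counter
    # rollover. The previous counters applied the lower-letter carry one
    # triplet late and reset the letters on the wrong iteration, so after
    # "Az0" the output jumped to "Ba1": "Az1".."Az9" and "Ba0" never appeared
    # and the pattern no longer matched Metasploit's, which made offsets
    # impossible to cross-check with pattern_offset.rb.
    period = ''.join(u + l + d for u in uppermap for l in lowermap for d in digitmap)
    repeats = length // len(period) + 1
    return (period * repeats)[:length]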
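HELP = """
#################### ####################
#                                       #
# Written by Ole Aass (2015)            #
# Inspired by Metasploit's pattern_(create|offset).rb #
#                                       #
#################### ####################
Switches:
    -c <int:length>             Create pattern
    -ol|-ob <eip> [pattern]     l = little, b = big endian; without [pattern]
                                one full 20280-byte period is searched
    -h                          This help
Usage examples:
  Create pattern
    python pattern.py -c 250            Creates a 250 bytes long pattern
  Find offset at which a match was found
    python pattern.py -ol 63413563
    python pattern.py -ol 63413563 Pattern
"""

USAGE_CREATE = 'Usage: %s -c <int:length>'
USAGE_OFFSET = 'Usage: %s <-ol|-ob> <eip> [pattern]'


def main(argv):
    """Dispatch on the first switch and return a process exit status.

    Exit status is 0 on success, 1 when the value was not found and 2 on a
    usage error, so the tool can be chained in scripts; the original always
    exited 0 and crashed with an IndexError when run without arguments.

    Args:
        argv: the full argument vector (``argv[0]`` is the program name).
    """
    prog = argv[0] if argv else 'pattern.py'
    switch = argv[1] if len(argv) > 1 else '-h'

    if switch == '-c':
        # int() rejects garbage with ValueError; a missing length is a usage
        # error too. Only these two are caught -- the old bare `except:` also
        # swallowed KeyboardInterrupt and real bugs.
        try:
            length = int(argv[2])
        except (IndexError, ValueError):
            print(USAGE_CREATE % prog)
            return 2
        print(create(length))
        return 0

    # Exact match on the switch: the old test `'-o' in argv[1]` accepted any
    # argument that merely contained "-o".
    if switch in ('-o', '-ol', '-ob'):
        if len(argv) not in (3, 4):
            print(USAGE_OFFSET % prog)
            return 2
        eip = argv[2]
        pattern = argv[3] if len(argv) == 4 else None
        endian = 'big' if switch == '-ob' else 'little'
        # Result goes in `found`, not `offset`: rebinding the function name
        # to an int would break any second call.
        try:
            found = offset(eip, pattern, endian)
        except (binascii.Error, TypeError):
            # Not even-length hex: binascii.Error on Python 3 (a ValueError
            # subclass, so it must be caught first), TypeError on Python 2.
            print(USAGE_OFFSET % prog)
            return 2
        except ValueError:
            print('[-] Unable to locate offset.')
            return 1
        print('[+] Offset found at %d bytes' % found)
        return 0

    if switch == '-h':
        print(HELP)
        return 0

    # Unknown switch: show the help rather than exiting silently.
    print(HELP)
    return 2


if __name__ == '__main__':
    sys.exit(main(sys.argv))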
Update: `-c` now produces exactly the requested number of bytes instead of three times as many.