metasploit-framework/tools/exploit/pattern_offset.rb

#!/usr/bin/env ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

msfbase = __FILE__
while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
$LOAD_PATH.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']

gem 'rex-text'

require 'optparse'

module PatternOffset
  class OptsConsole
    def self.parse(args)
      options = {}
      parser = OptionParser.new do |opt|
        opt.banner = "Usage: #{__FILE__} [options]\nExample: #{__FILE__} -q Aa3A\n[*] Exact match at offset 9"
        opt.separator ''
        opt.separator 'Options:'

        opt.on('-q', '--query Aa0A', String, "Query to Locate") do |query|
          options[:query] = query
        end

        opt.on('-l', '--length <length>', Integer, "The length of the pattern") do |len|
          options[:length] = len
        end

        opt.on('-s', '--sets <ABC,def,123>', Array, "Custom Pattern Sets") do |sets|
          options[:sets] = sets
        end

        opt.on_tail('-h', '--help', 'Show this message') do
          $stdout.puts opt
          exit
        end
      end

      parser.parse!(args)

      if options.empty?
        raise OptionParser::MissingArgument, 'No options set, try -h for usage'
      elsif options[:query].nil?
        raise OptionParser::MissingArgument, '-q <query> is required'
      elsif options[:length].nil? && options[:sets]
        raise OptionParser::MissingArgument, '-l <length> is required'
      end

      options[:sets] = nil unless options[:sets]
      options[:length] = 8192 unless options[:length]

      options
    end
  end

  class Driver
    def initialize
      begin
        @opts = OptsConsole.parse(ARGV)
      rescue OptionParser::ParseError => e
        $stderr.puts "[x] #{e.message}"
        exit
      end
    end

    def run
      require 'msfenv'
      require 'msf/core'
      require 'msf/base'
      require 'rex/text'

      query = (@opts[:query])

      if query.length >= 8 && query.hex > 0
        query = query.hex
      # However, you can also specify a four-byte string
      elsif query.length == 4
        query = query.unpack("V").first
      else
        # Or even a hex query that isn't 8 bytes long
        query = query.to_i(16)
      end

      buffer = Rex::Text.pattern_create(@opts[:length], @opts[:sets])
      offset = Rex::Text.pattern_offset(buffer, query)

      # Handle cases where there is no match by looking for "close" matches
      unless offset
        found = false
        $stderr.puts "[*] No exact matches, looking for likely candidates..."

        # Look for shifts by a single byte
        0.upto(3) do |idx|
          0.upto(255) do |c|
            nvb = [query].pack("V")
            nvb[idx, 1] = [c].pack("C")
            nvi = nvb.unpack("V").first

            off = Rex::Text.pattern_offset(buffer, nvi)
            if off
              mle = query - buffer[off, 4].unpack("V").first
              mbe = query - buffer[off, 4].unpack("N").first
              puts "[+] Possible match at offset #{off} (adjusted [ little-endian: #{mle} | big-endian: #{mbe} ] ) byte offset #{idx}"
              found = true
            end
          end
        end

        exit! if found

        # Look for 16-bit offsets
        [0, 2].each do |idx|
          0.upto(65535) do |c|
            nvb = [query].pack("V")
            nvb[idx, 2] = [c].pack("v")
            nvi = nvb.unpack("V").first

            off = Rex::Text.pattern_offset(buffer, nvi)
            if off
              mle = query - buffer[off, 4].unpack("V").first
              mbe = query - buffer[off, 4].unpack("N").first
              puts "[+] Possible match at offset #{off} (adjusted [ little-endian: #{mle} | big-endian: #{mbe} ] )"
              found = true
            end
          end
        end
      end

      while offset
        puts "[*] Exact match at offset #{offset}"
        offset = Rex::Text.pattern_offset(buffer, query, offset + 1)
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  driver = PatternOffset::Driver.new
  begin
    driver.run
  rescue ::StandardError => e
    $stderr.puts "[x] #{e.class}: #{e.message}"
    $stderr.puts "[*] If necessary, please refer to framework.log for more details."

  end
end
/usr/bin/ruby vs /usr/bin/env ruby git-svn-id: file:///home/svn/incoming/trunk@3242 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-17 14:46:23 +08:00			`#!/usr/bin/env ruby`
some useful tools, msfweb daemonize, fix pattern creation git-svn-id: file:///home/svn/incoming/trunk@3197 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-09 08:03:52 +08:00
Add standardised header comments 2018-03-20 19:33:34 +08:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

Update include paths to use absolute, support fastlib, etc 2012-02-04 14:38:21 +08:00			`msfbase = __FILE__`
			`while File.symlink?(msfbase)`
Retab all the things (except external/) 2013-10-01 02:47:53 +08:00			`msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))`
Update include paths to use absolute, support fastlib, etc 2012-02-04 14:38:21 +08:00			`end`

fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))`
			`$LOAD_PATH.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']`
some useful tools, msfweb daemonize, fix pattern creation git-svn-id: file:///home/svn/incoming/trunk@3197 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-09 08:03:52 +08:00
fix tools that need rex-text to function 2016-07-05 15:33:45 +08:00			`gem 'rex-text'`

Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`require 'optparse'`

			`module PatternOffset`
			`class OptsConsole`
			`def self.parse(args)`
			`options = {}`
			`parser = OptionParser.new do \|opt\|`
speed up options parsing (only require framework when running) 2016-05-14 22:47:08 +08:00			`opt.banner = "Usage: #{__FILE__} [options]\nExample: #{__FILE__} -q Aa3A\n[*] Exact match at offset 9"`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`opt.separator ''`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`opt.separator 'Options:'`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00
			`opt.on('-q', '--query Aa0A', String, "Query to Locate") do \|query\|`
			`options[:query] = query`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`end`

whitespace and remove useless comments 2016-05-14 10:45:41 +08:00			`opt.on('-l', '--length <length>', Integer, "The length of the pattern") do \|len\|`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`options[:length] = len`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`end`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00
whitespace and remove useless comments 2016-05-14 10:45:41 +08:00			`opt.on('-s', '--sets <ABC,def,123>', Array, "Custom Pattern Sets") do \|sets\|`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`options[:sets] = sets`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`end`
whitespace and remove useless comments 2016-05-14 10:45:41 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`opt.on_tail('-h', '--help', 'Show this message') do`
			`$stdout.puts opt`
			`exit`
			`end`
			`end`
Some examples of use 2012-11-21 02:30:27 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`parser.parse!(args)`
Some examples of use 2012-11-21 02:30:27 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`if options.empty?`
			`raise OptionParser::MissingArgument, 'No options set, try -h for usage'`
speed up options parsing (only require framework when running) 2016-05-14 22:47:08 +08:00			`elsif options[:query].nil?`
Update pattern_offset.rb 2016-04-15 03:29:57 +08:00			`raise OptionParser::MissingArgument, '-q <query> is required'`
speed up options parsing (only require framework when running) 2016-05-14 22:47:08 +08:00			`elsif options[:length].nil? && options[:sets]`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`raise OptionParser::MissingArgument, '-l <length> is required'`
			`end`
Some examples of use 2012-11-21 02:30:27 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`options[:sets] = nil unless options[:sets]`
Change default pattern length Changed from 1024 to 8192 per previous version. 2016-07-04 04:08:54 +08:00			`options[:length] = 8192 unless options[:length]`
whitespace and remove useless comments 2016-05-14 10:45:41 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`options`
			`end`
			`end`
Handle non-hex input properly 2012-11-20 12:13:21 +08:00
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`class Driver`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`def initialize`
			`begin`
			`@opts = OptsConsole.parse(ARGV)`
			`rescue OptionParser::ParseError => e`
			`$stderr.puts "[x] #{e.message}"`
			`exit`
Retab all the things (except external/) 2013-10-01 02:47:53 +08:00			`end`
			`end`
whitespace and remove useless comments 2016-05-14 10:45:41 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`def run`
speed up options parsing (only require framework when running) 2016-05-14 22:47:08 +08:00			`require 'msfenv'`
			`require 'msf/core'`
			`require 'msf/base'`
			`require 'rex/text'`

Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`query = (@opts[:query])`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`if query.length >= 8 && query.hex > 0`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`query = query.hex`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`# However, you can also specify a four-byte string`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`elsif query.length == 4`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`query = query.unpack("V").first`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`else`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`# Or even a hex query that isn't 8 bytes long`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`query = query.to_i(16)`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`end`
Retab all the things (except external/) 2013-10-01 02:47:53 +08:00
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`buffer = Rex::Text.pattern_create(@opts[:length], @opts[:sets])`
Update pattern_offset.rb 2016-04-15 03:11:02 +08:00			`offset = Rex::Text.pattern_offset(buffer, query)`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`# Handle cases where there is no match by looking for "close" matches`
			`unless offset`
			`found = false`
			`$stderr.puts "[*] No exact matches, looking for likely candidates..."`

			`# Look for shifts by a single byte`
			`0.upto(3) do \|idx\|`
			`0.upto(255) do \|c\|`
			`nvb = [query].pack("V")`
			`nvb[idx, 1] = [c].pack("C")`
			`nvi = nvb.unpack("V").first`

			`off = Rex::Text.pattern_offset(buffer, nvi)`
			`if off`
			`mle = query - buffer[off, 4].unpack("V").first`
			`mbe = query - buffer[off, 4].unpack("N").first`
			`puts "[+] Possible match at offset #{off} (adjusted [ little-endian: #{mle} \| big-endian: #{mbe} ] ) byte offset #{idx}"`
			`found = true`
			`end`
			`end`
			`end`

			`exit! if found`

			`# Look for 16-bit offsets`
			`[0, 2].each do \|idx\|`
			`0.upto(65535) do \|c\|`
			`nvb = [query].pack("V")`
			`nvb[idx, 2] = [c].pack("v")`
			`nvi = nvb.unpack("V").first`

			`off = Rex::Text.pattern_offset(buffer, nvi)`
			`if off`
			`mle = query - buffer[off, 4].unpack("V").first`
			`mbe = query - buffer[off, 4].unpack("N").first`
			`puts "[+] Possible match at offset #{off} (adjusted [ little-endian: #{mle} \| big-endian: #{mbe} ] )"`
			`found = true`
			`end`
			`end`
			`end`
			`end`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00
			`while offset`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`puts "[*] Exact match at offset #{offset}"`
			`offset = Rex::Text.pattern_offset(buffer, query, offset + 1)`
Retab all the things (except external/) 2013-10-01 02:47:53 +08:00			`end`
			`end`
			`end`
Try harder for non-exact matches 2012-11-20 09:42:54 +08:00			`end`

Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`if __FILE__ == $PROGRAM_NAME`
			`driver = PatternOffset::Driver.new`
			`begin`
			`driver.run`
fix odd indentation and style issues 2016-05-14 11:06:18 +08:00			`rescue ::StandardError => e`
Update pattern_offset.rb Test 2016-04-15 00:59:36 +08:00			`$stderr.puts "[x] #{e.class}: #{e.message}"`
			`$stderr.puts "[*] If necessary, please refer to framework.log for more details."`

			`end`
update pattern_offset to show all ocurrences git-svn-id: file:///home/svn/framework3/trunk@7425 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-10 01:50:53 +08:00			`end`