tools/exploit/find_badchars.rb

#!/usr/bin/env ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# This script is intended to assist an exploit developer in deducing what
# "bad characters" exist for a given input path to a program.
#

msfbase = __FILE__
while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

gem 'rex-text'

$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
require 'msfenv'

$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex'

OutStatus = "[*] "
OutError  = "[-] "

$args = Rex::Parser::Arguments.new(
  "-b" => [ true, "The list of characters to avoid: '\\x00\\xff'"                      ],
  "-h" => [ false, "Help banner"                                                       ],
  "-i" => [ true, "Read memory contents from the supplied file path"                   ],
  "-t" => [ true, "The format that the memory contents are in (empty to list)"         ])

def usage
  $stderr.puts("\n" + "    Usage: #{File.basename($0)} <options>\n" + $args.usage)
  exit
end

def show_format_list
  $stderr.puts("Supported formats:\n")
  $stderr.puts("  raw      raw binary data\n")
  $stderr.puts("  windbg   output from windbg's \"db\" command\n")
  $stderr.puts("  gdb      output from gdb's \"x/bx\" command\n")
  $stderr.puts("  hex      hex bytes like \"\\xFF\\x41\" or \"eb fe\"\n")
end

def debug_buffer(name, buf)
  str = "\n#{buf.length} bytes of "
  str << name
  str += ":" if buf.length > 0
  str += "\n\n"
  $stderr.puts str
  if buf.length > 0
    $stderr.puts Rex::Text.to_hex_dump(buf)
  end
end


# Input defaults
badchars = ''
fmt      = 'raw'
input    = $stdin

# Output
new_badchars = ''

# Parse the argument and rock it
$args.parse(ARGV) { |opt, idx, val|
  case opt
    when "-i"
      begin
        input = File.new(val)
      rescue
        $stderr.puts(OutError + "Failed to open file #{val}: #{$!}")
        exit
      end
    when "-b"
      badchars = Rex::Text.dehex(val)
    when "-t"
      if (val =~ /^(raw|windbg|gdb|hex)$/)
        fmt = val
      else
        if val.nil? or val.length < 1
          show_format_list
        else
          $stderr.puts(OutError + "Invalid format: #{val}")
        end
        exit
      end
    when "-h"
      usage
  end
}

if input == $stdin
  $stderr.puts(OutStatus + "Please paste the memory contents in \"" + fmt + "\" format below (end with EOF):\n")
end


# Working data set
from_msf = Rex::Text.charset_exclude(badchars)
from_dbg = ''


# Process the input
from_dbg = input.read
case fmt
  when "raw"
    # this should already be in the correct format :)

  when "windbg"
    translated = ''
    from_dbg.each_line do |ln|
      translated << ln.chomp[10,47].gsub!(/(-| )/, '')
    end
    from_dbg = Rex::Text.hex_to_raw(translated)

  when "gdb"
    translated = ''
    from_dbg.each_line do |ln|
      translated << ln.chomp.split(':')[1].gsub!(/0x/, '\x').gsub!(/ /, '')
    end
    from_dbg = Rex::Text.hex_to_raw(translated)

  when "hex"
    translated = ''
    from_dbg.each_line do |ln|
      translated << ln.chomp.gsub!(/ /,'')
    end
    from_dbg = Rex::Text.hex_to_raw(translated)
end


=begin
# Uncomment these to debug stuff ..
debug_buffer("BadChars", badchars)
debug_buffer("memory contents", from_dbg)
debug_buffer("Rex::Text.charset_exclude() output", from_msf)
=end


# Find differences between the two data sets
from_msf = from_msf.unpack('C*')
from_dbg = from_dbg.unpack('C*')
minlen = from_msf.length
minlen = from_dbg.length if from_dbg.length < minlen
(0..(minlen-1)).each do |idx|
  ch1 = from_msf[idx]
  ch2 = from_dbg[idx]
  if ch1 != ch2
    str = "Byte at index 0x%04x differs (0x%02x became 0x%02x)" % [idx, ch1, ch2]
    $stderr.puts OutStatus + str
    new_badchars << ch1
  end
end


# show the results
if new_badchars.length < 1
  $stderr.puts(OutStatus + "All characters matched, no new bad characters discovered.")
else
  $stderr.puts(OutStatus + "Proposed BadChars: \"" + Rex::Text.to_hex(new_badchars) + "\"")
end
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`#!/usr/bin/env ruby`
Add standardised header comments 2018-03-20 11:33:34 +00:00
			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

more cleanups 2010-05-03 17:13:09 +00:00			`#`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`# This script is intended to assist an exploit developer in deducing what`
			`# "bad characters" exist for a given input path to a program.`
			`#`

Update include paths to use absolute, support fastlib, etc 2012-02-04 00:38:21 -06:00			`msfbase = __FILE__`
			`while File.symlink?(msfbase)`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))`
Update include paths to use absolute, support fastlib, etc 2012-02-04 00:38:21 -06:00			`end`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00
fix tools that need rex-text to function 2016-07-05 02:33:45 -05:00			`gem 'rex-text'`

Fix base path 2015-10-06 10:30:52 -05:00			`$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))`
Cutting over rails3 to master. 2012-04-15 23:35:38 -05:00			`require 'msfenv'`
Update include paths to use absolute, support fastlib, etc 2012-02-04 00:38:21 -06:00
			`$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`require 'rex'`

			`OutStatus = "[*] "`
			`OutError = "[-] "`

			`$args = Rex::Parser::Arguments.new(`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`"-b" => [ true, "The list of characters to avoid: '\\x00\\xff'" ],`
			`"-h" => [ false, "Help banner" ],`
			`"-i" => [ true, "Read memory contents from the supplied file path" ],`
			`"-t" => [ true, "The format that the memory contents are in (empty to list)" ])`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00
			`def usage`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`$stderr.puts("\n" + " Usage: #{File.basename($0)} <options>\n" + $args.usage)`
			`exit`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`

			`def show_format_list`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`$stderr.puts("Supported formats:\n")`
			`$stderr.puts(" raw raw binary data\n")`
			`$stderr.puts(" windbg output from windbg's \"db\" command\n")`
			`$stderr.puts(" gdb output from gdb's \"x/bx\" command\n")`
			`$stderr.puts(" hex hex bytes like \"\\xFF\\x41\" or \"eb fe\"\n")`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`

			`def debug_buffer(name, buf)`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`str = "\n#{buf.length} bytes of "`
			`str << name`
			`str += ":" if buf.length > 0`
			`str += "\n\n"`
			`$stderr.puts str`
			`if buf.length > 0`
			`$stderr.puts Rex::Text.to_hex_dump(buf)`
			`end`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`


			`# Input defaults`
			`badchars = ''`
			`fmt = 'raw'`
			`input = $stdin`

			`# Output`
			`new_badchars = ''`

Remove a couple more instances of "shit" 2014-03-04 15:00:48 -06:00			`# Parse the argument and rock it`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`$args.parse(ARGV) { \|opt, idx, val\|`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`case opt`
			`when "-i"`
			`begin`
			`input = File.new(val)`
			`rescue`
			`$stderr.puts(OutError + "Failed to open file #{val}: #{$!}")`
			`exit`
			`end`
			`when "-b"`
Prefer Rex::Text.dehex over Rex::Text.hex_to_raw 2019-08-14 20:23:25 -05:00			`badchars = Rex::Text.dehex(val)`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`when "-t"`
			`if (val =~ /^(raw\|windbg\|gdb\|hex)$/)`
			`fmt = val`
			`else`
			`if val.nil? or val.length < 1`
			`show_format_list`
			`else`
			`$stderr.puts(OutError + "Invalid format: #{val}")`
			`end`
			`exit`
			`end`
			`when "-h"`
			`usage`
			`end`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`}`

			`if input == $stdin`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`$stderr.puts(OutStatus + "Please paste the memory contents in \"" + fmt + "\" format below (end with EOF):\n")`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`



			`# Working data set`
			`from_msf = Rex::Text.charset_exclude(badchars)`
			`from_dbg = ''`


			`# Process the input`
			`from_dbg = input.read`
			`case fmt`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`when "raw"`
			`# this should already be in the correct format :)`

			`when "windbg"`
			`translated = ''`
			`from_dbg.each_line do \|ln\|`
			`translated << ln.chomp[10,47].gsub!(/(-\| )/, '')`
			`end`
			`from_dbg = Rex::Text.hex_to_raw(translated)`
fix tools that need rex-text to function 2016-07-05 02:33:45 -05:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`when "gdb"`
			`translated = ''`
			`from_dbg.each_line do \|ln\|`
			`translated << ln.chomp.split(':')[1].gsub!(/0x/, '\x').gsub!(/ /, '')`
			`end`
			`from_dbg = Rex::Text.hex_to_raw(translated)`

			`when "hex"`
			`translated = ''`
			`from_dbg.each_line do \|ln\|`
			`translated << ln.chomp.gsub!(/ /,'')`
			`end`
			`from_dbg = Rex::Text.hex_to_raw(translated)`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`



			`=begin`
			`# Uncomment these to debug stuff ..`
			`debug_buffer("BadChars", badchars)`
			`debug_buffer("memory contents", from_dbg)`
			`debug_buffer("Rex::Text.charset_exclude() output", from_msf)`
			`=end`


			`# Find differences between the two data sets`
fix badchars tool 2011-07-05 16:22:39 +00:00			`from_msf = from_msf.unpack('C*')`
			`from_dbg = from_dbg.unpack('C*')`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`minlen = from_msf.length`
			`minlen = from_dbg.length if from_dbg.length < minlen`
			`(0..(minlen-1)).each do \|idx\|`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`ch1 = from_msf[idx]`
			`ch2 = from_dbg[idx]`
			`if ch1 != ch2`
			`str = "Byte at index 0x%04x differs (0x%02x became 0x%02x)" % [idx, ch1, ch2]`
			`$stderr.puts OutStatus + str`
			`new_badchars << ch1`
			`end`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`


			`# show the results`
			`if new_badchars.length < 1`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`$stderr.puts(OutStatus + "All characters matched, no new bad characters discovered.")`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`else`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`$stderr.puts(OutStatus + "Proposed BadChars: \"" + Rex::Text.to_hex(new_badchars) + "\"")`
first pass at badchars checking tool 2009-12-19 09:57:41 +00:00			`end`