Friday, January 16, 2009

Update to byakugan’s identBuf and memDiff functionality

I've added the ability to import files into tracked buffers, and also added the ability to make use of them as a memDiff input type. This means a new format for the !jutsu identBuf command:

!jutsu identBuf TYPE NAME [VALUE SIZE]

Depending on the TYPE, the rest of the command takes different arguments. Let's examine the currently supported types:

The ascii type acts in the same way as you're used to. It requires a name, and a value which will be tracked, but no size. The string will be null terminated as normal.

!jutsu identBuf ascii myAsciiBuf CatImAKittyCatAndIDanceDanceDance

The msfpattern input type has been enhanced to let you provide a custom name. It requires a name and a size, but no value. Future enhancements may involve multiple msfpatterns starting where the last left off in the pattern, so that multiple pattern buffers are not confused with one another. The format looks like this:

!jutsu identBuf msfpattern myMsfPattern 16
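
Why continuing the pattern would matter when several msfpattern buffers are tracked, shown as an added example (not byakugan's own code). It assumes msfpattern is the standard Metasploit cyclic pattern starting at offset 0; `pattern_at`, `pattern_fill` and `count_matches` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: msfpattern is the Metasploit cyclic pattern Aa0Aa1Aa2... */
static char pattern_at(size_t pos)
{
    size_t triple = (pos % (26 * 26 * 10 * 3)) / 3;
    switch (pos % 3) {
    case 0:  return (char)('A' + triple / 260);
    case 1:  return (char)('a' + (triple / 10) % 26);
    default: return (char)('0' + triple % 10);
    }
}

/* Hypothetical helper: write size pattern bytes from offset start, plus NUL. */
void pattern_fill(char *dst, size_t start, size_t size)
{
    for (size_t i = 0; i < size; i++)
        dst[i] = pattern_at(start + i);
    dst[size] = '\0';
}

/* Hypothetical helper: number of tracked buffers containing needle;
   *first gets the index of the first match, or -1. */
int count_matches(const char *bufs[], int n, const char *needle, int *first)
{
    int hits = 0;
    *first = -1;
    for (int i = 0; i < n; i++) {
        if (!strstr(bufs[i], needle))
            continue;
        if (hits++ == 0)
            *first = i;
    }
    return hits;
}

int main(void)
{
    char a[17], b_restart[17], b_cont[17];
    int first;
    pattern_fill(a, 0, 16);          /* first 16-byte msfpattern buffer */
    pattern_fill(b_restart, 0, 16);  /* second buffer, pattern restarts */
    pattern_fill(b_cont, 16, 16);    /* second buffer, pattern continues */
    const char *restart[] = { a, b_restart }, *cont[] = { a, b_cont };
    int n1 = count_matches(restart, 2, "a1Aa", &first);
    int n2 = count_matches(cont, 2, "a6Aa", &first);
    printf("restarted: %d matches; continued: %d match in buffer %d\n", n1, n2, first);
    return 0;
}
```

When both buffers restart the pattern, any 4-byte chunk found in memory matches both of them; when the second buffer continues from offset 16, each chunk belongs to exactly one buffer.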

The file input type will suck in a file of any format and register it as a tracked buffer. It requires a name, and takes the file path as a value. It also requires a size to be input. Future enhancements may include the ability to provide an offset into the file to start reading from. Let me know if you'd like to see this. Currently though, the format looks like:

!jutsu identBuf file myFileBuf C:\msf3\input.bin 64

Note that listing non-ascii buffers with !jutsu listBuf may result in some funny output, but this won't break anything...

All binaries are updated with these new changes.

1 comment:

  1. Hi, I was wondering how you guys go about extracting shellcode/exploits from within office documents. Wondering what tools/techniques you guys use.

    thanks and love the blog.
