I've been working on GSOC Project 14 in recent months. We are meant to build a new tool that can replay the collected exploit traces.
During exploit replay, many fields in the original application messages need to be changed. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those that change every time the exploit runs, such as timestamps, cookies and length fields. Platform-specific variables are those that change only when the target system changes, such as the target address or the return address that points to the shellcode.
As a preprocessing stage, all of these variables need to be marked in the application messages, so we have a Discoverer module that extracts a common exploit template from a set of exploit traces targeting a given vulnerability. The rest of this article is a brief introduction to how replay is performed with the exploit template.
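To make the template-and-replay split concrete, here is a toy version written for this page (it is not the project's Discoverer or Replayer code): a discoverer that marks the byte ranges which differ between captures of the same message, and a renderer that fills a template from per-run values plus a per-target profile. The template format, the three variable kinds, the sample message, the target names and the return-address values are all assumptions made for the example.

```python
"""Toy exploit-template replay (added example, not the project's code).

Assumptions, none of which come from the original post: a template is a
list whose entries are either literal bytes or a variable dict with a
name, a kind and a fixed size; the three kinds are 'independent'
(regenerated on every run: timestamp, cookie), 'platform' (taken from a
per-target profile: return address, target address) and 'length'
(computed last, over all bytes that follow the field).
"""
import os
import struct
import time


def discover_variable_ranges(traces):
    """Mark the byte ranges that differ between captures of the same message.

    Toy stand-in for the Discoverer stage: all traces must have the same
    length. Returns [(start, end)] half-open ranges. The analyst still has
    to label each range (timestamp, cookie, return address, ...) and to
    mark fields that happened to be constant in every capture, e.g. the
    length field of messages that were all the same size.
    """
    n = len(traces[0])
    if any(len(t) != n for t in traces):
        raise ValueError("toy discoverer needs equal-length traces")
    ranges, start = [], None
    for i in range(n):
        varies = len({t[i] for t in traces}) > 1
        if varies and start is None:
            start = i
        elif not varies and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def new_independent_values():
    """Fresh per-run values for the platform-independent variables."""
    return {
        "timestamp": struct.pack(">I", int(time.time())),
        "cookie": os.urandom(4),
    }


def render(template, platform_values, independent_values):
    """Fill the template: variables first, length fields in a second pass."""
    chunks, length_fields = [], []
    for seg in template:
        if isinstance(seg, bytes):
            chunks.append(seg)
            continue
        name, kind, size = seg["name"], seg["kind"], seg["size"]
        if kind == "length":
            chunks.append(b"\x00" * size)          # placeholder, patched below
            length_fields.append((len(chunks) - 1, size))
            continue
        source = platform_values if kind == "platform" else independent_values
        value = source[name]
        if len(value) != size:
            raise ValueError("%s: expected %d bytes, got %d" % (name, size, len(value)))
        chunks.append(value)
    # Length fields are computed last, after every substitution they cover.
    # Assumption: a length covers everything after the field, big-endian;
    # a real template would record each length field's exact scope.
    for idx, size in length_fields:
        covered = sum(len(c) for c in chunks[idx + 1:])
        chunks[idx] = covered.to_bytes(size, "big")
    return b"".join(chunks)


# Constructed sample template, not taken from any real capture.
TEMPLATE = [
    b"\x00\x00",
    {"name": "len", "kind": "length", "size": 2},
    {"name": "timestamp", "kind": "independent", "size": 4},
    b"HELO ",
    {"name": "cookie", "kind": "independent", "size": 4},
    b" ",
    {"name": "ret", "kind": "platform", "size": 4},
    b"\x90" * 8,
]

# Per-target profiles hold only the platform-specific values. The return
# addresses are placeholders, not real XP SP2/SP3 addresses.
TARGETS = {
    "xp_sp2": {"ret": struct.pack("<I", 0x0BADF00D)},
    "xp_sp3": {"ret": struct.pack("<I", 0x0BADF00E)},
}


if __name__ == "__main__":
    msg = render(TEMPLATE, TARGETS["xp_sp3"], new_independent_values())
    print(msg.hex())
```

Two points the code makes that the description alone does not: the length field must be filled after all other substitutions, because the values it covers may change size between the capture and the replay; and moving from one target to another only swaps the platform profile, so the template built from one capture is reused unchanged. The toy discoverer also shows its own limit: it flags only bytes that actually varied between captures, so a field that was constant in every trace has to be marked by hand.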
Replayer does the following work:
I have done some experiments based on the MS08-067 vulnerability. First I used Metasploit to attack an XP SP2 target host and captured the packets. Then I made them into an exploit template. After that, I used Replayer to perform an attack against an XP SP3 host. Here's the result:
The hex data transferred between the two machines is saved in 'dataflow.txt', which is also attached.
In this version of Replayer, the following variable types are taken into consideration:
Because I don't know how to upload files here, here's the link to the attachment:
an exploit template sample
dataflow.txt