Implementing pattern_create and pattern_offset in Python

Like many projects, the last script I wrote was born from frustration and misery. I was navigating the exploitation module of the OSCP course when I got to using Metasploit’s pattern_create and pattern_offset scripts. I’d used them before, and knew I was about to experience the same frustration of copying endless lines of unique strings from a terminal to an entirely separate Windows VM all over again.

Sure, VM Tools works, but when I’m in exploitation mode, I don’t want to be flipping back and forth between VMs, copying strings with my mouse like a prehistoric animal. I don’t want to recite the “address” that EIP is trying to execute 50 times in my head just to forget it by the time I remember where pattern_offset is even located on my box!

So first I re-implemented Phillips321's script to work as a function, so that inserting a unique pattern of arbitrary length was as easy as:

import pattern_tools
junk = pattern_tools.pattern_create(1000)

Where junk contains Aa0Aa1Aa2Aa3Aa4A...Bg8Bg9Bh0Bh1Bh2B

I went on to replicate pattern_offset. An offset can be located using:

import pattern_tools
print(pattern_tools.pattern_offset('AccessViolationAddressHere'))

An example:

import pattern_tools
print(pattern_tools.pattern_offset('69413269'))

Which prints:

[*] Exact match at offset 247

In case you're the type that likes to prefix your addresses with 0x, it supports that as well. You can download pattern_tools from my GitHub. Feel free to open a pull request if you see an error, and leave a comment below if it helped you!
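As an added example (my own code, not the author's pattern_tools module and not Metasploit's Ruby scripts), here is a self-contained implementation of both halves of the workflow described above. pattern_create builds the same upper/lower/digit cycle, and pattern_offset accepts the EIP value as it is read from a debugger, with or without a 0x prefix, reverses it as little-endian and finds it in the pattern. The function names and the default search length of 20280 characters (one full cycle of 26 x 26 x 10 groups of three) are my choices; has_unique_windows is an added check that every 4-byte window in one cycle is distinct, which is the property that makes the reported offset trustworthy.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
CYCLE_GROUPS = len(UPPER) * len(LOWER) * len(DIGITS)  # 6760 groups, 20280 chars


def _group(i):
    """Return the i-th three-character group: uppercase, lowercase, digit.

    The digit cycles fastest, then the lowercase letter, then the uppercase
    letter, giving Aa0 Aa1 ... Aa9 Ab0 ... Az9 Ba0 ... and wrapping after
    CYCLE_GROUPS groups, exactly like the Metasploit pattern.
    """
    i %= CYCLE_GROUPS
    return UPPER[i // 260] + LOWER[(i // 10) % 26] + DIGITS[i % 10]


def pattern_create(length):
    """Return a cyclic pattern of exactly `length` characters."""
    if length < 0:
        raise ValueError("length must be non-negative")
    ngroups = (length + 2) // 3  # enough groups to cover `length`, then trim
    return "".join(_group(i) for i in range(ngroups))[:length]


def _needle_from_register(value):
    """Turn a register value such as '69413269' or '0x69413269' into the
    four pattern bytes it was loaded from.

    x86 is little-endian, so the bytes that overwrote the saved return
    address appear in EIP in reverse order: 0x69413269 came from 'i2Ai'.
    """
    hexstr = value[2:] if value.lower().startswith("0x") else value
    if len(hexstr) != 8 or any(c not in string.hexdigits for c in hexstr):
        raise ValueError("expected an 8-hex-digit register value, got %r" % value)
    # latin-1 keeps bytes 0x80-0xff representable; they can never match
    # the pattern, so a bogus value simply reports no match.
    return bytes.fromhex(hexstr)[::-1].decode("latin-1")


def pattern_offset(value, length=3 * CYCLE_GROUPS):
    """Return the 0-based offset of `value` (a register value) in the
    pattern of `length` characters, or None when it does not occur."""
    needle = _needle_from_register(value)
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


def has_unique_windows(pattern, width=4):
    """True if no `width`-byte window appears twice in `pattern`.

    This is what lets an EIP value map back to a single offset; it holds
    for one full cycle (20280 chars) but not across the wrap-around.
    """
    windows = [pattern[i:i + width] for i in range(len(pattern) - width + 1)]
    return len(windows) == len(set(windows))


if __name__ == "__main__":
    junk = pattern_create(1000)
    print(junk[:15] + "..." + junk[-16:])          # Aa0Aa1Aa2Aa3Aa4...Bg8Bg9Bh0Bh1Bh2B
    for reg in ("69413269", "0x69413269", "41414141"):
        off = pattern_offset(reg)
        if off is None:
            print("[-] No match for %s" % reg)
        else:
            print("[*] Exact match at offset %d" % off)       # 247 for the first two
    print("[*] 4-byte windows unique in one cycle:", has_unique_windows(pattern_create(3 * CYCLE_GROUPS)))
```

The offset 247 for 0x69413269 reproduces the author's run: the group 'Ai2' starts at offset 246, so the reversed bytes 'i2Ai' begin one character later. A value that cannot come from the pattern, such as 0x41414141, yields None rather than a misleading offset.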
