From e3a5d44db18dd56f382e989f78fae81d4b3848f5 Mon Sep 17 00:00:00 2001
From: "hugo.lequien"
Date: Wed, 20 Sep 2017 15:33:52 +0200
Subject: [PATCH] extended support for 64 bits, made the shell script more universal and removed unnecessary steps
---
 Makefile | 2 +-
 README.md | 28 ++++++----------------------
 factory.sh | 52 ++++++++++++++++++++++++++++++++++++----------------
 3 files changed, 43 insertions(+), 39 deletions(-)
diff --git a/Makefile b/Makefile
index b484957..cc461b4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 all:
- ./factory.sh $(asm)
+ @./factory.sh $(asm)
 clean:
 rm -f *.bin *.o *.out
diff --git a/README.md b/README.md
index 9804107..72ce03f 100644
--- a/README.md
+++ b/README.md
@@ -24,33 +24,17 @@ saved as examples/shellcode.asm.
 make asm=examples/shellcode.asm
 ```
-::: x86 Shellcode Factory :::
-
-
-::: Your piece of art :::
-
-examples/shellcode.out: file format elf32-i386
-
-
-Disassembly of section .text:
-
-08048060 <_start>:
- 8048060: 31 db xor ebx,ebx
- 8048062: 31 c0 xor eax,eax
- 8048064: 40 inc eax
- 8048065: cd 80 int 0x80
-
-::: shellcode buffer generator :::
+::: x86(-64) Shellcode Factory :::
+::: Your shellcode ready to go :::
 \x31\xdb\x31\xc0\x40\xcd\x80
-::: done, look at examples/shellcode.bin :::
-::: length: 7
+::: Your shellcode size : 7 :::
 ```
-examples/shellcode.bin contains our precious shellcode :)
+examples/shellcode.asm.bin contains our precious shellcode :)
 ## Requirements
 * nasm
-* ld (gcc-multilib on x86_64)
-* objdump
+* xxd (usually bundled with your Linux distribution)
+* awk (usually bundled with your Linux distribution)
\ No newline at end of file
diff --git a/factory.sh b/factory.sh
index 9a2a754..3dfe588 100755
--- a/factory.sh
+++ b/factory.sh
@@ -8,19 +8,39 @@ fi
 asm=$1
 name=${asm%%.*}
-echo -e "\n::: x86 Shellcode Factory :::\n"
-
-nasm -felf32 $asm
-ld -melf_i386 -o $name.out $name.o
-
-echo -e "\n::: Your piece of art :::"
-objdump -d -Mintel $name.out
-
-echo -e "\n::: shellcode buffer generator :::\n"
-objdump -d $name.out | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: | cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | tee $name.bin
-echo -ne `cat $name.bin` > $name.bin
-
-echo -e "\n::: done, look at $name.bin :::"
-echo -n "::: length: "
-wc -c $name.bin | cut -f1 -d' '
-
+# Why /bin/echo rather than just 'echo' ?
+
+# '/bin/echo' is the GNU echo binary, 'echo' usually refers to the shell
+# built-in function, and some popular shells don't handle the '-e' option
+# When GNU echo does.
+# By "popular shells" I mean default /bin/sh in Debian/Ubuntu based
+# distribution is now dash which echo built-in doesn't handle '-e'
+
+/bin/echo -e "::: x86(-64) Shellcode Factory :::"
+
+# Checks if arch is specified, if not 32 bits is the default
+header=$(head -n 1 $asm)
+if ! echo $header | grep -E 'BITS ?(32|64)';then
+ tmpfile="/tmp/tmp_asm"
+ echo "BITS 32" > $tmpfile
+ cat $asm >> $tmpfile
+ nasm -f bin $tmpfile -o $asm.bin
+ else
+ nasm -f bin $asm -o $asm.bin
+ fi
+
+code=$(xxd -p $asm.bin | tr -d '\n')
+code_sz=${#code}
+i=0
+
+/bin/echo -e '\n::: Your shellcode ready to go :::'
+
+awk "BEGIN {binstr=\"$code\"
+for(i=1;i<$code_sz;i=i+2)
+{
+ printf \"\\\\x%s\", substr(binstr, i, 2)
+}}"
+
+# Setting code_sz to the real size rather than the hexdump size
+code_sz=$((code_sz/2))
+/bin/echo -e "\n\n::: Your shellcode size : $code_sz :::"
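Review bot: `tmpfile="/tmp/tmp_asm"` is a fixed name in a world-writable directory and is never removed, so a file or symlink already sitting there (possibly owned by another user) is followed by the `>` redirect and two concurrent builds splice each other's sources; use `tmpfile=$(mktemp) || exit 1` followed by `trap 'rm -f -- "$tmpfile"' EXIT`. The arch check `grep -E 'BITS ?(32|64)'` has no `-q`, so whenever the first line matches it is printed to stdout ahead of the banner, and `$asm`/`$header` are unquoted throughout; `if ! printf '%s\n' "$header" | grep -qE 'BITS ?(32|64)'; then` fixes both on that line without relying on bash-only syntax, which matters given the comment about dash as `/bin/sh`. Neither `nasm` call has its status checked, so a failed assembly falls through to `xxd` on a missing or stale `$asm.bin` and the script still reports a size; an `|| exit 1` on each `nasm` line closes that. `i=0` is unused (the `i` in the awk program is awk's own variable) and can be dropped. The enclosing script continues above the hunk, where `$asm` is validated and assigned.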